Decoding Florida's Government Cybersecurity Requirements – HB 7055, CIRCIA, and Penalties for Non-Compliance
Government security compliance is a complex, rapidly changing beast that requires dedicated experts to properly track and understand. Florida has enacted strict guidelines with recent bills like the Local Government Cybersecurity Act, or HB 7055. In addition to this new Florida requirement, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) has been spearheaded by CISA and mandated at the federal level. In addition to all of this – existing Cyber Liability Insurance compliance requirements have been growing annually.
Cybersecurity is no longer a simple function of IT. Cybersecurity is an entirely separate organizational unit, with separate goals and techniques designed to protect and secure sensitive resources within the organization. When several new requirements are pushed in roughly the same timeframe, organizations relying on overtaxed IT resources will find it nearly impossible to implement the required changes. Implementation of these requirements often feels as complex as the legislation itself, and navigating these hazardous waters requires skilled and certified partners alongside dedicated security resources.
The Mandate of HB 7055
The Local Government Cybersecurity Act was brought to life in July 2022 and disallows ransom payments. It requires local governments to align with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) by Jan 1, 2024, for populations above 25K and Jan 1, 2025, for those below. It insists on incident reporting within a strict timeline and enforces data security measures. In addition, it requires cybersecurity awareness training for all employees.
No More Ransomware Payments. – Conventional ransomware attacks are financially motivated. HB 7055 seeks to disarm the attackers by making it a felony for a state or local employee to pay the ransom. Assuming payment cannot be made, the encrypted and stolen data is now solely reliant on backup and security measures to sanction recovery.
Aligning with NIST CSF – NIST Cybersecurity Framework (CSF) follows 5 overall functions: Identify|Prevent|Detect|Respond|Recover. As part of the requirements outlined in HB 7055, Florida state and local government will be required to align their security governance with NIST CSF. This timeline is aggressive, with the top ~half of counties and municipalities (by population) required to comply by Jan 1st, 2024, and the bottom half by Jan 1st, 2025. The best way to kick off this process is consultation and risk assessment.
Regular Cybersecurity Training.
Users are one of the primary vulnerabilities in all organizations. Training will be required under HB 7055.
Mandated Reporting
Reporting cybersecurity incidents has always been required in one way or another due to the potential to access sensitive data such as taxpayer PII, sensitive citizen data, and documentation excluded from the Sunshine Laws. HB 7055 reuires the reporting of incidents within 48 hours (12 for ransomware) to Florida Digital Service (FLDS).
CIRCIA: Federal Incident Reporting
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is anticipated to take effect in March 2024. CIRCIA offers new guidelines for ransomware attack reporting and payments and leverages CISA resources for combating ransomware. The act mandates swift reporting, requiring incidents to be reported to CISA within 72 hours and shared by federal agencies within 24 hours.
Effective: Estimated March 2024 New rules concerning ransomware attack reporting and payments. CISA resources available for ransomware combat. Critical Infrastructure-specific CSF.
Requirements: Report to CISA within 72 hours, Federal Agencies must share received reports within 24 hours, a Cyber Incident Reporting Council at CISA.
Navigating Insurance Requirements
Maintaining cyber liability coverage is a vital task for government organizations. From proper governance to implementing Multi-Factor Authentication (MFA) and conducting regular training sessions, the checklist is extensive.
Current Cyber Liability Insurance Requirements demand organizations to maintain baseline cybersecurity measures. There is an increasing emphasis on cyber liability coverage to mitigate risks to avoid costly payouts by the carriers. As in CIRCIA and HB 7055, these requirements underscore proper governance as the highest priority.
At a technical level, insurance firms are looking for the implementation of the following: Multi-Factor Authentication (MFA) across all systems, comprehensive training, Endpoint Detection and Response (EDR) with Managed Services, Security Information and Event Management (SIEM), the establishment of a Security Operations Center (SOC), and a Disaster Recovery and Business Continuity (DRBC) plan to ensure resilience against cyber threats.
An Effective Roadmap: The Scarlett Cybersecurity Strategy
So how does a Florida local or state organization navigate these extensive requirements? Alignment with NIST CSF is a fundamental step, and this is where a comprehensive assessment becomes critical. It offers an invaluable perspective on your system and prepares a roadmap for future solutions.
GSA Highly Adaptive Cybersecurity Services are specifically oriented towards tackling services such as these. Our GSA HACS services at Scarlett include High Value Asset (HVA) Assessment, Cyber Hunt, Incident Response, and Risk and Vulnerability Assessment (RVA) – all intended to fortify your cybersecurity posture.
Scarlett Cybersecurity is ready to help local, state, and federal government organizations adhere to these complex standards. Our certified auditors and staff are equipped to ensure you are prepared to identify, protect, detect, respond, and recover from cybercrime effectively.
Reach out to us at 844.727.5388 or visit www.scarlettcybersecurity.com to learn more.
