Florida and StateRAMP


The State of Florida Cybersecurity Standards (SFCS) are defined in Rules 60GG-2.001 through 60GG-2.006. These rules establish cybersecurity standards for information technology (IT) resources. Agencies must comply with these standards in the management and operation of state IT resources. This rule is modeled after the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, and the Federal Information Security Management Act of 2002 (44 U.S.C. §3541, et seq.).

The SFCS establishes minimum standards to be used by agencies as they seek to secure IT resources. The SFCS consists of five high-level functions: Identify, Protect, Detect, Respond, and Recover. These functions support lifecycle management of IT risk, and include underlying key categories and subcategories for each function which contain specific IT controls. The SFCS requires that external service providers be contractually required to adhere to Agency security policies. The SFCS requires Florida to ensure that the written specifications for cybersecurity requirements in solicitations, contracts, and service-level agreements for IT Resources and information technology services meet or exceed the applicable standards, guidelines, and best practices outlined in the National Institute of Standards and Technology Cybersecurity Framework.