Cyber Florida’s Critical Infrastructure Protection (CIP) Program is a state-funded initiative to provide Florida’s public and private critical infrastructure entities with no-cost access to vetted, best-practice resources to help enhance their cybersecurity posture.

A national model for state investment in collective infrastructure cybersecurity.

Announcing a valuable new tool in Cyber Florida’s CIP Program portfolio:

Cyber Bulls-i is a first-of-its-kind tool built for Florida’s critical infrastructure organizations! A user-friendly, no-cost way to strengthen your cybersecurity, Cyber Bulls-i can help your organizations meet compliance requirements and reduce risk. Whether you’re a public agency, small business, utility, school, or hospital, this tool is here to help!

How it works: three easy steps

Complete the Florida Cyber Risk Assessment (FCRA): Answer straightforward questions to get a custom report.
Secure a personalized cybersecurity plan: Receive a tailored map of free resources and expert help.
Continue to improve: Track progress, get updates, and strengthen your defenses over time.

Why This Matters

Recent assessments show that half of organizations lack a recovery plan and nearly half lack formal cybersecurity training. Many also face limited time, staff, and budgets. Cyber Bulls-i helps fix this, making it easier to protect your mission and stay compliant without added costs.

What makes Cyber Bulls-i different?

Completely free to use, thanks to state funding
Florida-specific plan tailored to your needs
Keeps your data private and secure – it is only used to help you

Key benefits

Build stronger defenses against cyber threats
Meet compliance and insurance requirements
Save time and money with ready-to-use tools
Get ongoing support to stay protected
Start or update your journey today. There are no costs or strings attached. Your participation is a crucial step toward building a safer, more resilient Florida.

START THE CYBER BULLs-i PATH TO BETTER RESILIENCE

WHO CAN PARTICIPATE?

The CIP program is available to any public- or private-sector critical infrastructure entities at no cost. Organizations providing goods and services related to the following sectors and operating within the state of Florida are eligible and encouraged to participate:

Communications
Energy
Water and Wastewater Systems
Food and Agriculture
Critical Manufacturing
Commercial Facilities
Dams
Defense Industrial Base
Financial Services
Chemical
Healthcare and Public Health
Transportation
Emergency Services
Government Facilities
Information Technology
Nuclear Reactors, Materials, and Waste

THE FLORIDA CYBER RISK ASSESSMENT

Cyber Florida offers select modules from the Cyber Security Evaluation Tool (CSET®) developed by the Idaho National Laboratory (INL) on behalf of the Department of Homeland Security (DHS) as part of the Florida Cyber Risk Assessment (FCRA). This assessment platform uses the DHS’s CSET® NIST Cybersecurity Framework (CSF) 2.0 Standard Question Set and Ransomware Readiness Assessment (RRA) modules, developed by the Idaho National Laboratory for the DHS. The Florida Cyber Risk Assessment is accessible to all organizations, regardless of their cybersecurity maturity. The NIST CSF 2.0 adds governance to its core guidance, helping organizations meet their cybersecurity goals and comply with Florida statutes, and is Step 1 along the Cyber Bulls-i path to better resiliency. The assessment covers the most common cybersecurity threats and vulnerabilities and responses are secure and confidential.

The Entry-Level FLORIDA CYBER Risk Assessment

START THE ASSESSMENT

The Entry-Level FCRA is the first step in the CIP Program. Leveraging the CSET®, this confidential online assessment consists of only 20 questions covering commonly reported challenges faced by smaller organizations. Find out how your organization stacks up in these common areas of concern and take the first step toward better cyber resiliency!

No cost, confidential, secure
20 questions, about 30 minutes
Start, save, return
Help available
Snapshot of common issues

The FULL FLORIDA CYBER Risk Assessment

START THE ASSESSMENT

This customized instance of the CSET® consists of 154 questions addressing a range of cybersecurity concerns outlined by the NIST Cybersecurity Framework. The survey should be completed by your IT/cybersecurity lead and their team members. Responses are confidential and securely stored (see FAQs for details). If your organization doesn’t have on-staff expertise, Cyber Florida will connect you with an expert who can help you complete the assessment.

No cost, confidential, secure
154 questions, about 2 hours
Start, save, return later
Help available
Prerequisite to apply for the State of Florida Local Cybersecurity Grant Program (SB2500.3013A)

GUIDES + MANUALS*

Incident Response Planning Guide

This document is intended to help small organizations be better prepared to respond to and recover from cybersecurity incidents. Aligned to the standards of the National Institute of Standards and Technology (NIST), this guide can be used to help your organization establish an incident response policy. Download the fillable MS Word form and complete it with your senior leadership team to help your organization be more prepared to mitigate and recover from a cyber incident.

DOWNLOAD THE INCIDENT RESPONSE PLANNING GUIDE

Cyber Decision-Making Matrix

This document (an MS Excel sheet) developed in partnership with the Florida Department of Emergency Management can help local government and other critical infrastructure organizations determine who is responsible for various areas of response before a cyber incident occurs. Review the list of likely actions needed in the wake of a cyber incident and assign roles in advance for a more coordinated response when the need arises.

DOWNLOAD THE CYBER DECISION-MAKING MATRIX

Situation Manual Development Tabletop Exercise

Developed in partnership with the Florida Department of Emergency Management, use this guide (an MS Word doc) to host your own tabletop exercise with organizational leaders, helping them learn to plan and design an organizational situation manual for responding to a cyber incident. Assign roles and play through the exercise to explore some of the considerations and decisions an organization faces in the wake of cyber incident. Use the experience to help develop a situation manual for your organization.

DOWNLOAD THE SITUATION MANUAL TTX

Cybersecurity Emergency Support Function (ESF) Directory

Developed in partnership with the Florida Department of Emergency Management, the Cybersecurity Emergency Support Function Directory (an MS Word doc) is a repository for the state-provided support services available to you before, during, and after a cyber incident. Use this guide to help identify critical emergency actions and how to coordinate with appropriate state agencies during a cyber emergency.

DOWNLOAD THE ESF Directory

HELP IS HERE

We recognize that not every organization has a cybersecurity person on staff. If you have a question or would like assistance in getting started with the Cyber Bulls-i initiative, please submit this form and a team member will reach out.

FAQs

Why should my organization participate?

In addition to receiving a free risk assessment for your organization, the data gathered will establish a baseline to guide future planning, policies, and expenditures to strengthen the state’s critical infrastructure assets. This could yield additional state-provided resources and tools for your organization. Additionally, up to 150 participating organizations will get free access to the CyberKnights and Cyber-CHAMP programs, which use the assessment data to help your organization identify and improve cyber skills gaps in your workforce.

We don't have a cybersecurity person on staff. Can someone help us answer the questions?

Yes! Cyber Florida at USF has partnered with Idaho National Labs to offer free assistance to organizations that may need assistance navigating the questions. Complete the contact form to request assistance.

Where is my data going?

The Florida Cyber Risk Assessment is housed on a server at the University of South Florida (USF) in Tampa.

How is my data protected?

The USF IT Department uses the NIST Cybersecurity framework to manage its technical and administrative controls. The university has a complete set of security policies, procedures, and standards based on the NIST 800-171 security guidelines.

In addition to these administrative controls, USF employs many technical controls, including but not limited to several physical and cloud-based Palo Alto firewalls, the complete Microsoft Defender stack of products (including EDR), Beyond Trust Privileged access management, Microsoft MFA, Splunk for Enterprise Security SIEM, and regular penetration tests and risk assessments performed by both internal staff, state auditors, and 3rd-party companies.

The University of South Florida is a Carnegie Research-1 University with numerous federal grants dealing with medical, personal, and DoD-restricted non-classified data that is secured and monitored 24/7 by USF staff as well as two external SOCs.

Will the state get my data?

Cyber Florida at USF aggregates the data collected to look for trends and findings that are reported anonymously and in aggregate and shared only with designated state officials, such as the Governor, the Speaker of the House, and the President of the Senate. Individual organization information is not reported or shared anywhere.

Will my vulnerabilities be documented?

The Florida Cyber Risk Assessment survey does not ask detailed questions about your systems or policies and procedures. We ask yes or no questions at a high level, such as, “Do you have a cybersecurity training program?” “Do you use multifactor authentication?” etc. These questions are designed to help guide future state investments and educational efforts and do not require sharing any information about specific technical vulnerabilities.

We've completed a risk assessment with a third-party vendor, why should we do this one?

You may have completed a risk assessment with a third-party vendor, but that information will not be included in the overall Florida critical infrastructure risk score, which may impact the policies and potential funding for Florida critical infrastructure. The survey is short and easy to use. You will not be asked to reveal protected company details, your information will be strictly protected as critical infrastructure information.

We've completed a risk assessment with the CSET tool, why should we complete another one?

Within the CSET tool, there are a variety of options based on the type of standard being measured. For this reason, we ask all critical infrastructure owners/operators to participate in the survey to be counted and heard so the leaders of Florida can get as accurate a picture as possible to guide Florida’s future investments to make Florida a safe and secure state to live, work, and play.

Is it really free? What's the catch?

Yes, it’s really free! Florida is serious about cybersecurity, and the Florida Legislature provided funding for this initiative so they could gain a better understanding of Florida’s critical infrastructure cyber strengths and weaknesses. The information gathered will help inform future legislation and funding opportunities to help organizations throughout the state, while helping your organization immediately identify potential risks.

*These publications are made available by The Florida Center for Cybersecurity for general educational purposes only and should not be used in lieu of obtaining competent legal advice from a licensed attorney and/or cybersecurity professional with the sufficient expertise necessary to address your organization's specific needs. Use of this guide does not create any special or fiduciary relationship between you and The Florida Center for Cybersecurity or the University of South Florida.

CRITICAL INFRASTRUCTUREPROTECTION PROGRAM