The Critical Infrastructure Protection (CIP) Program builds on the success of the 2023 Critical Infrastructure Risk Assessment (CIRA) program funded by the Florida Legislature by continuing to provide Florida’s public and private critical infrastructure entities with access to a free, comprehensive online risk assessment. The CIP Program is intended to gather anonymous, aggregated data on critical infrastructure cybersecurity to help inform state-level policy, legislative, and funding decisions to enhance the cyber posture of Florida’s critical infrastructure. Participating organizations receive numerous no-cost benefits, and the data gathered is anonymized and aggregated prior to review to protect participants’ privacy.

NEW POLICY BRIEF

  • 31 July 2024 – Tampa, FL: In 2023, the Florida Center for Cybersecurity at the University of South Florida (aka Cyber Florida at USF) conducted a statewide analysis to assess the cyber readiness of Florida’s critical infrastructure (CI) providers across 16 critical infrastructure sectors. The study – conducted on behalf of the State Legislature in fulfillment of Appropriation 2944B – offered several recommendations to improve cyber resilience and protect Florida’s people, property, and prosperity. Among these recommendations was a call to “Adopt a Florida-specific cyber maturity model for critical infrastructure providers.” Since those recommendations were offered in July of 2023, subsequent cyberattacks against CI providers in Florida have led to data breaches and service disruptions across several critical infrastructure sectors, including healthcare5, education6, the

WHO CAN PARTICIPATE?

The CIP program is available to any public- or private-sector critical infrastructure entities at no cost. Organizations providing goods and services related to the following sectors and operating within the state of Florida are eligible and encouraged to participate:

Communications
Energy
Water and Wastewater Systems
Food and Agriculture
Critical Manufacturing
Commercial Facilities
Dams
Defense Industrial Base
Financial Services
Chemical
Healthcare and Public Health
Transportation
Emergency Services
Government Facilities
Information Technology
Nuclear Reactors, Materials, and Waste

“The new 2.0 is awesome!…it gives 4 real world examples…Thanks for everything you and Cyber Florida do!”

“As a small business with limited budget, the CSET Tool has become the foundation of our governance, risk, and compliance program and we intend to continue using it as long as it is available.”

“The After-Action Review form will definitely be beneficial to keep track of what happened.”

THE FLORIDA CYBER RISK ASSESSMENT

Cyber Florida is pleased to provide the Florida Cyber Risk Assessment (FCRA), a customized instance of the Cyber Security Evaluation Tool (CSET®) developed by the Idaho National Laboratory (INL) on behalf of the Department of Homeland Security (DHS). This valuable tool is available at no cost to local government and critical infrastructure organizations, both public and private. The assessment covers the most common cybersecurity threats and vulnerabilities and provides several reports detailing an organization’s strengths and weaknesses to help you determine how to allocate resources in the future.

The Entry-Level FLORIDA CYBER Risk Assessment

The Entry-Level FCRA is the first step in the CIP Program. Leveraging the CSET®, this confidential online assessment consists of only 20 questions covering commonly reported challenges faced by smaller organizations. Find out how your organization stacks up in these common areas of concern and take the first step toward better cyber resiliency!

  • No cost, confidential, secure
  • 20 questions, about 30 minutes
  • Start, save, return
  • Help available
  • Snapshot of common issues

The FULL FLORIDA CYBER Risk Assessment

This customized instance of the CSET® consists of 154 questions addressing a range of cybersecurity concerns outlined by the NIST Cybersecurity Framework. The survey should be completed by your IT/cybersecurity lead and their team members. Responses are confidential and securely stored (see FAQs for details), and users receive a set of seven customized reports providing valuable insights on various aspects of your organizational cyber posture. If your organization doesn’t have on-staff expertise, Cyber Florida will connect you with an expert who can help you complete the assessment.

GUIDES + PUBLICATIONS

Incident Response Planning Guide

This document is intended to help small organizations be better prepared to respond to and recover from cybersecurity incidents. Aligned to the standards of the National Institute of Standards and Technology (NIST), this guide can be used to help your organization establish an incident response policy. Download the fillable MS Word form and complete it with your senior leadership team to help your organization be more prepared to mitigate and recover from a cyber incident.

Cyber Decision-Making Matrix

This document (an MS Excel sheet) developed in partnership with the Florida Department of Emergency Management can help local government and other critical infrastructure organizations determine who is responsible for various areas of response before a cyber incident occurs. Review the list of likely actions needed in the wake of a cyber incident and assign roles in advance for a more coordinated response when the need arises.

Situation Manual Development Tabletop Exercise

Developed in partnership with the Florida Department of Emergency Management, this guide (an MS Word doc) lets you host your own tabletop exercise with organizational leaders, helping them learn to plan and design an organizational situation manual for responding to a cyber incident. Assign roles and play through the exercise to explore some of the considerations and decisions an organization faces in the wake of a cyber incident. Use the experience to help develop a situation manual for your organization.

Cybersecurity Emergency Support Function (ESF) Directory

Developed in partnership with the Florida Department of Emergency Management, the Cybersecurity Emergency Support Function Directory (an MS Word doc) is a repository for the state-provided support services available to you before, during, and after a cyber incident. Use this guide to help identify critical emergency actions and how to coordinate with appropriate state agencies during a cyber emergency.

Reports + Publications

  • Enhancing CI Cyber Resilience through Maturity Modeling

    07.31.24

    A policy brief advocating the adoption of sector-specific maturity modeling in Florida

  • Florida Critical Infrastructure Cybersecurity Intelligence Assessment

    06.30.23

    A review of the current cyber threats targeting Florida's critical infrastructure organizations

  • Florida Ransomware Incidents 2016-2019

    10.21.20

    A comprehensive review of ransomware attacks against Florida public entities between 2016 and 2019.

  • Cybersecurity: Are Florida’s Governments Ready?

    11.12.19

    A 2019 survey of Florida county and municipal IT managers to determine their needs and challenges.

RISK ASSESSMENT BENEFITS

At no cost and with a reasonable time commitment, the CSET® assessment allows you to evaluate your organization’s critical information technology, operational technology, and ransomware readiness using a systematic, disciplined, and repeatable approach. The tailored outputs – seven customized reports – provide prioritized, actionable information to mitigate the risks revealed by your assessment. Your assessment data will support Cyber Florida’s development of an interactive visualization capability to compare cyber risks across infrastructure sectors as well as an anonymized state-wide summary report, two resources that will provide valuable intelligence to the critical infrastructure community and state decision-makers.

Additionally, selected participants can opt in to access a full suite of cyber workforce development toolsets that identify skills gaps, display training pathways for upskilling employees, and assist with finding the most qualified new cyber talent. To be considered for the no-cost analysis, interested participants must fully complete their CSET® assessment and express interest in receiving the workforce development analysis service by emailing Cyber Florida or by selecting the follow-on cyber workforce service question in CSET®.

Having trouble with the assessment? Watch the tutorial video below. If you need additional assistance, submit the Help is Here form.

FAQs

In addition to receiving a free risk assessment for your organization, the data gathered will establish a baseline to guide future planning, policies, and expenditures to strengthen the state’s critical infrastructure assets. This could yield additional state-provided resources and tools for your organization. Additionally, up to 150 participating organizations will get free access to the CyberKnights and Cyber-CHAMP programs, which use the assessment data to help your organization identify and improve cyber skills gaps in your workforce.

Yes! Cyber Florida at USF has partnered with Idaho National Labs to offer free assistance to organizations that may need assistance navigating the questions. Complete the contact form to request assistance.

The Florida Cyber Risk Assessment is housed on a server at the University of South Florida (USF) in Tampa.
The USF IT Department uses the NIST Cybersecurity framework to manage its technical and administrative controls. The university has a complete set of security policies, procedures, and standards based on the NIST 800-171 security guidelines.

In addition to these administrative controls, USF employs many technical controls, including but not limited to several physical and cloud-based Palo Alto firewalls, the complete Microsoft Defender stack of products (including EDR), BeyondTrust privileged access management, Microsoft MFA, Splunk for Enterprise Security SIEM, and regular penetration tests and risk assessments performed by internal staff, state auditors, and 3rd-party companies.

The University of South Florida is a Carnegie Research-1 University with numerous federal grants dealing with medical, personal, and DoD-restricted non-classified data that is secured and monitored 24/7 by USF staff as well as two external SOCs.

Cyber Florida at USF aggregates the data collected to look for trends and findings that are reported anonymously and in aggregate and shared only with designated state officials, such as the Governor, the Speaker of the House, and the President of the Senate. Individual organization information is not reported or shared anywhere.

The Florida Cyber Risk Assessment survey does not ask detailed questions about your systems or policies and procedures. We ask yes or no questions at a high level, such as, “Do you have a cybersecurity training program?” “Do you use multifactor authentication?” etc. These questions are designed to help guide future state investments and educational efforts and do not require sharing any information about specific technical vulnerabilities.

You may have completed a risk assessment with a third-party vendor, but that information will not be included in the overall Florida critical infrastructure risk score, which may impact the policies and potential funding for Florida critical infrastructure. The survey is short and easy to use. You will not be asked to reveal protected company details, and your information will be strictly protected as critical infrastructure information.

Within the CSET tool, there are a variety of options based on the type of standard being measured. For this reason, we ask all critical infrastructure owners/operators to participate in the survey to be counted and heard so the leaders of Florida can get as accurate a picture as possible to guide Florida’s future investments to make Florida a safe and secure state to live, work, and play.

Yes, it’s really free! Florida is serious about cybersecurity, and the Florida Legislature provided funding for this initiative so they could gain a better understanding of Florida’s critical infrastructure cyber strengths and weaknesses. The information gathered will help inform future legislation and funding opportunities to help organizations throughout the state, while helping your organization immediately identify potential risks.

HELP IS HERE

We recognize that not every organization has a cybersecurity person on staff. If you have a question or would like assistance in completing the CSET, please submit the form and we will connect you with someone that can help.


*This publication is made available by The Florida Center for Cybersecurity for general educational purposes only and should not be used in lieu of obtaining competent legal advice from a licensed attorney and/or cybersecurity professional with the sufficient expertise necessary to address your organization's specific needs. Use of this guide does not create any special or fiduciary relationship between you and The Florida Center for Cybersecurity or the University of South Florida.