The Critical Infrastructure Protection (CIP) Program builds on the success of the 2023 Critical Infrastructure Risk Assessment (CIRA) program funded by the Florida Legislature by continuing to provide Florida’s public and private critical infrastructure entities with access to a free, comprehensive online risk assessment. The CIP Program is intended to gather anonymous, aggregated data on critical infrastructure cybersecurity to help inform state-level policy, legislative, and funding decisions to enhance the cyber posture of Florida’s critical infrastructure. Participating organizations receive numerous, no-cost benefits for participating, and data gathered is anonymized and aggregated prior to review to protect participant’s privacy.
NEW POLICY BRIEF
31 July 2024 – Tampa, FL: In 2023, the Florida Center for Cybersecurity at the University of South Florida (aka Cyber Florida at USF) conducted a statewide analysis to assess the cyber readiness of Florida’s critical infrastructure (CI) providers across 16 critical infrastructure sectors. The study – conducted on behalf of the State Legislature in fulfillment of Appropriation 2944B – offered several recommendations to improve cyber resilience and protect Florida’s people, property, and prosperity. Among these recommendations was a call to “Adopt a Florida-specific cyber maturity model for critical infrastructure providers.” Since those recommendations were offered in July of 2023, subsequent cyberattacks against CI providers in Florida have led to data breaches and service disruptions across several critical infrastructure sectors, including healthcare5, education6, the …
WHO CAN PARTICIPATE?
The CIP program is available to any public- or private-sector critical infrastructure entities at no cost. Organizations providing goods and services related to the following sectors and operating within the state of Florida are eligible and encouraged to participate:
Communications
Energy
Water and Wastewater Systems
Food and Agriculture
Critical Manufacturing
Commercial Facilities
Dams
Defense Industrial Base
Financial Services
Chemical
Healthcare and Public Health
Transportation
Emergency Services
Government Facilities
Information Technology
Nuclear Reactors, Materials, and Waste
“The new 2.0 is awesome!…it gives 4 real world examples…Thanks for everything you and Cyber Florida do!”
“As a small business with limited budget, the CSET Tool has become the foundation of our governance, risk, and compliance program and we intend to continue using it as long as it is available.”
“The After-Action Review form will definitely be beneficial to keep track of what happened.”
THE FLORIDA CYBER RISK ASSESSMENT
Cyber Florida is pleased to provide the Florida Cyber Risk Assessment (FCRA), a customized instance of the Cyber Security Evaluation Tool (CSET®) developed by the Idaho National Laboratory (INL) on behalf of the Department of Homeland Security (DHS). This valuable tool is available at no cost to local government and critical infrastructure organizations, both public and private. The assessment covers the most common cybersecurity threats and vulnerabilities and provides several reports detailing an organization’s strength and weaknesses to help you determine how to allocate resources in the future.
The Entry-Level FCRA is the first step in the CIP Program. Leveraging the CSET®, this confidential online assessment consists of only 20 questions covering commonly reported challenges faced by smaller organizations. Find out how your organization stacks up in these common areas of concern and take the first step toward better cyber resiliency!
- No cost, confidential, secure
- 20 questions, about 30 minutes
- Start, save, return
- Help available
- Snapshot of common issues
This customized instance of the CSET® consists of 154 questions addressing a range of cybersecurity concerns outlined by the NIST Cybersecurity Framework. The survey should be completed by your IT/cybersecurity lead and their team members. Responses are confidential and securely stored (see FAQs for details) an users receive a set of seven customizes reports providing valuable insights on various aspects of your organizational cyber posture. If your organization doesn’t have on-staff expertise, Cyber Florida will connect you with an expert who can help you complete the assessment.
- No cost, confidential, secure
- 156 questions, about 2 hours
- Start, save, return later
- Help available
- Seven customized reports
- Prerequisite to apply for the State of Florida Local Cybersecurity Grant Program (SB2500.3013A)
GUIDES + PUBLICATIONS
Incident Response Planning Guide
This document is intended to help small organizations be better prepared to respond to and recover from cybersecurity incidents. Aligned to the standards of the National Institute of Standards and Technology (NIST), this guide can be used to help your organization establish an incident response policy. Download the fillable MS Word form and complete it with your senior leadership team to help your organization be more prepared to mitigate and recover from a cyber incident.
Cyber Decision-Making Matrix
This document (an MS Excel sheet) developed in partnership with the Florida Department of Emergency Management can help local government and other critical infrastructure organizations determine who is responsible for various areas of response before a cyber incident occurs. Review the list of likely actions needed in the wake of a cyber incident and assign roles in advance for a more coordinated response when the need arises.
Situation Manual Development Tabletop Exercise
Developed in partnership with the Florida Department of Emergency Management, use this guide (an MS Word doc) to host your own tabletop exercise with organizational leaders, helping them learn to plan and design an organizational situation manual for responding to a cyber incident. Assign roles and play through the exercise to explore some of the considerations and decisions an organization faces in the wake of cyber incident. Use the experience to help develop a situation manual for your organization.
Cybersecurity Emergency Support Function (ESF) Directory
Developed in partnership with the Florida Department of Emergency Management, the Cybersecurity Emergency Support Function Directory (an MS Word doc) is a repository for the state-provided support services available to you before, during, and after a cyber incident. Use this guide to help identify critical emergency actions and how to coordinate with appropriate state agencies during a cyber emergency.
Reports + Publications
Enhancing CI Cyber Resilience through Maturity Modeling
07.31.24
A policy brief advocating the adoption of sector-specific maturity modeling in Florida
Florida Critical Infrastructure Cybersecurity Intelligence Assessment
06.30.23
A review of the current cyber threats targeting Florida's critical infrastructure organizations
Florida Ransomware Incidents 2016-2019
10.21.20
A comprehensive review of ransomware attacks against Florida public entities between 2016 and 2019.
Cybersecurity: Are Florida’s Governments Ready?
11.12.19
A 2019 survey of Florida county and municipal IT managers to determine their needs and challenges.
RISK ASSESSMENT BENEFITS
For no-cost and a reasonable time commitment, the CSET® assessment allows you to evaluate your organization’s critical information technology, operational technology, and ransomware readiness using a systematic, disciplined, and repeatable approach. The tailored outputs – seven customized reports – provide prioritized, actionable information to mitigate the risks revealed by your assessment. Your assessment data will support Cyber Florida’s development of an interactive visualization capability to compare cyber risks across infrastructure sectors as well as an anonymized state-wide summary report, two resources that will provide valuable intelligence to the critical infrastructure community and state decision-makers.
Additionally, selected participants can opt in to access to a full suite of cyber workforce development toolsets that identify skills gaps, display training pathways for upskilling employees, and assist with finding the most qualified new cyber talent. To be considered for the no-cost analysis, interested participants must fully complete their CSET® assessment and express interest in receiving the workforce development analysis service through email to Cyber Florida or selecting the follow-on cyber workforce service question in CSET®.
Having trouble with the assessment? Watch the tutorial video below. If you need additional assistance, submit the Help is Here form.
FAQs
HELP IS HERE
We recognize that not every organization has a cybersecurity person on staff. If you have a question or would like assistance in completing the CSET, please submit the form and we will connect you with someone that can help.