Cyber Florida is pleased to announce an new effort under the CyberSecureFlorida program: the Critical Infrastructure Protection (CIP) Program. Stemming from the success of the recently completed Critical Infrastructure Risk Assessment (CIRA) program funded by the Florida Legislature in 2022, the CIP program takes the next step to provide no-cost resources, tools, and guidance to Florida’s public and private critical infrastructure entities to help mitigate their cyberattack vulnerabilities. The CIP Program is intended to assist small and medium-sized enterprises and resource-constrained county and municipal government entities in implementing basic cybersecurity protocols and policies to achieve a fundamental cybersecurity posture.

WHO CAN PARTICIPATE?

The CIP program is available to any public- or private-sector critical infrastructure entities at no cost. Organizations providing goods and services related to the following sectors and operating within the state of Florida are eligible and encouraged to participate:

Communications
Energy
Water and Wastewater Systems
Food and Agriculture
Critical Manufacturing
Commercial Facilities
Dams
Defense Industrial Base
Financial Services
Chemical
Healthcare and Public Health
Transportation
Emergency Services
Government Facilities
Information Technology
Nuclear Reactors, Materials, and Waste

RESOURCES

These resources are available at no cost to assist small and medium-sized local governments and critical infrastructure organizations in assessing their current cybersecurity stance and taking steps toward improving their cyber resiliency, that is, their ability to prevent, withstand, and recover from a cyber incident. We intend to continually add and update resources over time. If there is a specific resource you’d like to see or an aspect of cyber resilience you’d like help with, please let us know using the Help is Here form below.

The Florida CSET® Entry-Level Risk Assessment

START THE ASSESSMENT

The Entry-Level Assessment is the first step in the CIP Program. Leveraging the Florida CSET® managed by Idaho National Laboratory, this confidential online assessment consists of only 20 questions covering commonly reported challenges faced by smaller organizations. Find out how your organization stacks up in these common areas of concern and take the first step toward better cyber resiliency!

No cost, confidential, secure
20 questions, about 30 minutes
Start, save, return
Help available
Snapshot of common issues

The Florida CSET® Critical Infrastructure Risk Assessment

START THE ASSESSMENT

The Florida CSET® Critical Infrastructure Risk Assessment is managed by Idaho National Laboratory through a customized instance of their established and highly regarded Cyber Security Evaluation Tool (CSET)®, the assessment consists of 156 questions addressing a range of cybersecurity concerns outlined by the NIST Cybersecurity Framework. The survey should be completed by your IT/cybersecurity lead and their team members. Responses are confidential and securely stored (see FAQs for details) an users receive a set of seven customizes reports providing valuable insights on various aspects of your organizational cyber posture. If your organization doesn’t have on-staff expertise, Cyber Florida will connect you with an expert who can help you complete the assessment.

No cost, confidential, secure
156 questions, about 2 hours
Start, save, return later
Help available
Seven customized reports

Incident Response Plan Template*

This document is intended to help small organizations be better prepared to respond to and recover from cybersecurity incidents. Aligned to the standards of the National Institute of Standards and Technology (NIST), this guide can be used to help your organization establish an incident response policy. Download the fillable MS Word form and complete it with your senior leadership team to help your organization be more prepared to mitigate and recover from a cyber incident.

RISK ASSESSMENT BENEFITS

For no-cost and a reasonable time commitment, the Florida CSET® assessment allows you to evaluate your organization’s critical information technology, operational technology, and ransomware readiness using a systematic, disciplined, and repeatable approach. The tailored outputs – seven customized reports – provide prioritized, actionable information to mitigate the risks revealed by your assessment. Your assessment data will support Cyber Florida’s development of an interactive visualization capability to compare cyber risks across infrastructure sectors as well as an anonymized state-wide summary report, two resources that will provide valuable intelligence to the critical infrastructure community and state decision-makers.

Additionally, selected participants can opt in to access to a full suite of cyber workforce development toolsets that identify skills gaps, display training pathways for upskilling employees, and assist with finding the most qualified new cyber talent. To be considered for the no-cost analysis, interested participants must fully complete their CSET® assessment and express interest in receiving the workforce development analysis service through email to Cyber Florida or selecting the follow-on cyber workforce service question in CSET®.

Having trouble with the CSET®? Watch the tutorial video below. If you need additional assistance, submit the Help is Here form.

FREQUENTLY ASKED QUESTIONS

Why should my organization participate?

In addition to receiving a free risk assessment for your organization, the data gathered will establish a baseline to guide future planning, policies, and expenditures to strengthen the state’s critical infrastructure assets. This could yield additional state-provided resources and tools for your organization. Additionally, up to 150 participating organizations will get free access to the CyberKnights and Cyber-CHAMP programs, which use the assessment data to help your organization identify and improve cyber skills gaps in your workforce.

We don't have a cybersecurity person on staff. Can someone help us answer the questions?

Yes! Cyber Florida has a network of staff and volunteers available to assist organizations in completing the assessment. They can connect virtually or in-person to help you submit your assessment. Complete the contact form to request assistance.

We've completed a risk assessment with a third-party vendor, why should we do this one?

You may have completed a risk assessment with a third-party vendor, but that information will not be included in the overall Florida critical infrastructure risk score, which may impact the policies and potential funding for Florida critical infrastructure. The survey is short and easy to use. You will not be asked to reveal protected company details, your information will be strictly protected as critical infrastructure information.

We've completed a risk assessment with the CSET tool, why should we complete another one?

Within the CSET tool, there are a variety of options based on the type of standard being measured. For this reason, we ask all critical infrastructure owners/operators to participate in the survey to be counted and heard so the leaders of Florida can get as accurate a picture as possible to guide Florida’s future investments to make Florida a safe and secure state to live, work, and play.

How is my data protected?

The data is gathered anonymously and stored on physical servers at the University of South Florida. The University of South Florida uses the NIST Cybersecurity framework to manage its technical and administrative controls. The university has a complete set of security policies, procedures, and standards based on the NIST 800-171 security guidelines. In addition to these administrative controls, the university employs a great number of technical controls including but not limited to: A number of physical and cloud-based Pal Alto Firewalls, the complete Microsoft Defender Stack of products including EDR, Beyond Trust Privileged access management, Microsoft MFA, Splunk for Enterprise Security SIEM, and regular penetration tests and risk assessment performed by both internal staff, state auditors, and 3rd party companies.

The University of South Florida is a Carnegie Research-1 University with numerous federal grants dealing with Medical, Personal, and DoD restricted non-classified data that is secured and monitored 24/7 by USF staff as well as two external SOCs.

Is it really free? What's the catch?

Yes, it’s really free! Florida is serious about cybersecurity, and the Florida Legislature provided funding for this initiative so they could gain a better understanding of Florida’s critical infrastructure cyber strengths and weaknesses. The information gathered will help inform future legislation and funding opportunities to help organizations throughout the state, while helping your organization immediately identify potential risks.

HELP IS HERE

We recognize that not every organization has a cybersecurity person on staff. If you have a question or would like assistance in completing the CSET, please submit the form and we will connect you with someone that can help.

*This guide is made available by The Florida Center for Cybersecurity for general educational purposes only and should not be used in lieu of obtaining competent legal advice from a licensed attorney and/or cybersecurity professional with the sufficient expertise necessary to address your organization's specific needs. Use of this guide does not create any special or fiduciary relationship between you and The Florida Center for Cybersecurity or the University of South Florida.