31 July 2024 – Tampa, FL: In 2023, the Florida Center for Cybersecurity at the University of South Florida (aka Cyber Florida at USF) conducted a statewide analysis to assess the cyber readiness of Florida’s critical infrastructure (CI) providers across 16 critical infrastructure sectors. The study – conducted on behalf of the State Legislature in fulfillment of Appropriation 2944B – offered several recommendations to improve cyber resilience and protect Florida’s people, property, and prosperity. Among these recommendations was a call to “Adopt a Florida-specific cyber maturity model for critical infrastructure providers.” Since those recommendations were offered in July of 2023, subsequent cyberattacks against CI providers in Florida have led to data breaches and service disruptions across several critical infrastructure sectors, including healthcare [5], education [6], the judicial system [7], and essential government services [8]. While a commitment to maturity modeling may not prevent every such incursion, it is a critical step in improving cyber readiness across the state’s critical infrastructure sectors. Maturity models offer organizations a means to assess essential practices and metrics to guide cyber-management decisions strategically. In short, maturity models – like the Balanced Scorecard – help organizations to systematically measure the systems, processes, and practices that determine their cyber health, because what gets measured gets managed.

In recognition of the critical role that cyber resilience plays in protecting Florida’s people, property, and prosperity, this policy brief provides an overview of maturity modeling as well as some suggested steps state leaders may consider to ensure that Florida’s critical infrastructure providers are measuring the right things and deliberately aligning organizational practices with their cyber-readiness goals. This report provides (1) a brief overview of how maturity models work, including a summary of the most commonly employed models in key CI sectors; (2) a review of current cyber vulnerabilities among Florida’s critical infrastructure providers as well as an analysis of how maturity modeling can help CI providers overcome these vulnerabilities; and (3) specific recommendations for integrating maturity modeling into Florida’s ongoing cybersecurity initiatives. While there is no one-size-fits-all solution that will serve the diversity of Florida’s critical infrastructure sectors adequately, the goal of this policy brief is to provide state leaders with practical, data-driven guidance so that they can drive data analysis efforts and better incentivize and support the state’s CI providers in these increasingly critical efforts.