Florida Security Authority - State Cybersecurity Authority Reference

Florida sits at the intersection of three high-risk cybersecurity environments: a large public-sector infrastructure, a dense concentration of healthcare and financial institutions, and one of the highest volumes of identity theft complaints per capita in the United States (FTC Consumer Sentinel Network). This page documents the regulatory structure, operational frameworks, and reference resources that govern cybersecurity practice across Florida's public and private sectors. It covers state-specific statutes, agency mandates, applicable federal overlays, and the network of reference sites that provide deeper coverage of each domain. Readers building compliance programs, conducting risk assessments, or mapping Florida's cybersecurity authority landscape will find the classification structure and decision guidance below essential to that work.


Definition and scope

Florida's cybersecurity authority is distributed across statutory, executive, and regulatory layers. The primary statute is the Florida Digital Bill of Rights (Chapter 501, Part III, Florida Statutes), which became operative in 2024 and establishes data privacy and security obligations for controllers handling the personal data of Florida consumers. Alongside it, the Florida Information Technology Act (Section 282, Florida Statutes) assigns the Florida Department of Management Services (DMS) and the Florida Digital Service responsibility for statewide IT security policy, standards, and incident response coordination.

The Florida Cybersecurity Act (Section 282.318, Florida Statutes) requires all state agencies to maintain written cybersecurity plans, conduct annual risk assessments, and report material incidents to the Florida Digital Service within 48 hours of discovery — a requirement that mirrors but is distinct from federal FISMA obligations (CISA, State and Local Cybersecurity).

Scope extends across five domains:

  1. State agency networks — Executive branch agencies governed by DMS standards
  2. Local governments — Counties and municipalities with access to state data systems
  3. Healthcare entities — Subject to both Florida statutes and federal HIPAA Security Rule (HHS, HIPAA Security Rule)
  4. Financial institutions — Subject to Florida Office of Financial Regulation oversight and federal GLBA Safeguards Rule (FTC, Safeguards Rule)
  5. Critical infrastructure operators — Subject to CISA cross-sector guidance and sector-specific requirements

The Florida Security Authority Reference is the dedicated state-level reference hub in this network, providing statute-mapped guidance for entities operating under Florida's layered cybersecurity framework. It covers both the Digital Bill of Rights compliance structure and the incident reporting obligations under Section 282.318.

For national context that situates Florida's regime within the broader US cybersecurity landscape, the National Cybersecurity Authority Reference provides federal program mapping, cross-agency coordination structures, and comparative state analysis. The National Security Authority Reference covers the intersection of national security frameworks with state-level implementation requirements.

Understanding Florida's scope requires fluency in the terminology that underlies statutory definitions. The Cybersecurity Terminology and Definitions reference on this site provides standardized definitions aligned with NIST and CISA glossaries, which are the definitional sources Florida's Digital Service references in its published standards.


How it works

Florida's cybersecurity governance operates through a three-tier structure: state policy authority, agency implementation, and sector-specific overlay.

Tier 1 — State Policy Authority

The Florida Digital Service publishes the Florida Cybersecurity Standards, aligned to NIST SP 800-53, Rev. 5, which all state agencies must implement. These standards are not voluntary — Section 282.318 mandates written adoption and annual testing. The Florida Digital Service also coordinates the Florida Cybersecurity Operations Center (FLCOC), which provides 24/7 threat monitoring for executive branch networks.

Tier 2 — Agency Implementation

Each state agency designates an Agency Information Security Manager (AISM) responsible for:

  1. Maintaining the agency's written cybersecurity plan
  2. Conducting annual risk assessments using a methodology consistent with NIST SP 800-30
  3. Reporting incidents to FLCOC within 48 hours
  4. Completing annual security awareness training for all personnel with system access
  5. Ensuring third-party vendors handling state data meet equivalent security standards

Tier 3 — Sector-Specific Overlay

Private-sector entities in Florida face additional obligations depending on industry. Healthcare providers comply with the HIPAA Security Rule administered by the HHS Office for Civil Rights. Financial institutions comply with the FTC's Safeguards Rule and the Florida Office of Financial Regulation examination standards. Public utilities follow NERC CIP reliability standards for operational technology.

Cloud Compliance Authority addresses how cloud service models — IaaS, PaaS, and SaaS — interact with Florida's vendor security requirements and the shared responsibility frameworks that NIST SP 800-144 defines for government cloud adoption. Cyber Compliance Authority maps the compliance workflow across Florida's overlapping federal and state frameworks, particularly for entities that are simultaneously subject to HIPAA, GLBA, and state statute.

For organizations seeking to understand how the overall cybersecurity framework operates at a conceptual level before diving into Florida-specific requirements, the How Cybersecurity Works — Conceptual Overview provides the foundational architecture that underlies all state and federal implementations.

The process mechanics — risk assessment cycles, incident response workflows, and audit cadences — are documented in detail at the Regulatory Context for Cybersecurity reference, which covers the federal statutory overlay that applies to Florida entities operating in regulated industries.

Cyber Audit Authority covers the audit frameworks — including FISMA, SOC 2, and state-mandated assessments — that Florida agencies and contractors must navigate when demonstrating compliance. Network Audit Authority focuses specifically on the technical audit methodologies for network infrastructure, which are the most commonly deficient domain in Florida agency assessments.


Common scenarios

Scenario 1: State Agency Incident Response

A Florida executive branch agency discovers ransomware on a file server containing personally identifiable information (PII) for 12,000 state employees. Under Section 282.318, the AISM must notify FLCOC within 48 hours. If the data qualifies as a "breach of security" under Section 501.171, Florida Statutes, affected individuals must be notified within 30 days, and the Florida Attorney General must be notified if the breach affects 500 or more individuals (Florida AG, Data Breach).

Ransomware Authority provides technical and procedural reference for ransomware incident classification, including the distinction between encryption-only events and data exfiltration events — a classification that determines whether Section 501.171 notification is triggered. Data Recovery Authority covers the technical recovery frameworks applicable when state or municipal systems are compromised, including backup architecture and restoration sequencing.

Scenario 2: Healthcare Provider Compliance

A Florida hospital system with operations in Miami and Orlando must align with both HIPAA Security Rule requirements and the Florida Digital Bill of Rights for any consumer health data that falls outside HIPAA's covered entity definition. The HHS Office for Civil Rights enforces HIPAA, while the Florida Attorney General enforces the Digital Bill of Rights for non-HIPAA data.

Miami Security Authority provides jurisdiction-specific reference for entities operating in Miami-Dade County, including local government cybersecurity requirements that layer on top of state and federal mandates. Orlando Security Authority covers Orange County and the Orlando metro's specific regulatory environment, including the cybersecurity requirements applicable to hospitality and tourism sector technology systems.

Data Security Authority addresses the technical controls — encryption at rest, access control, audit logging — required under both HIPAA and the Florida Digital Bill of Rights. Encryption Authority provides reference-grade coverage of encryption standards, including the NIST-approved algorithms that satisfy Florida's data-at-rest protection requirements for state agency data.

Scenario 3: Local Government Cyber Risk

A Florida county government with access to state criminal justice information systems must comply with FBI CJIS Security Policy requirements in addition to Florida DMS standards. The CJIS Security Policy requires multi-factor authentication, audit logging, and media protection controls that exceed general-purpose state baseline requirements (FBI, CJIS Security Policy).

Network Security Authority covers the network segmentation and access control architectures required when local government networks carry both general municipal traffic and sensitive criminal justice data. Endpoint Security Authority addresses the device-level controls — including managed detection and response, full-disk encryption, and patch management — required by CJIS and Florida DMS standards for devices accessing sensitive state systems.

Scenario 4: Private Sector Financial Institution

A Florida-chartered bank must comply with the FTC Safeguards Rule (effective June 2023 for the expanded provisions), the Florida Office of Financial Regulation examination standards, and NIST Cybersecurity Framework guidance. The
