The critical-infrastructure protection program assessment aligns with the recently released
National Institute of Standards and Technology cybersecurity framework 2.0

Cyber Florida, in partnership with Idaho National Laboratory (INL), has updated its critical
infrastructure protection program to align with the recently released National Institute of
Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, widely used to reduce
cybersecurity risk across public and private sectors and subsectors. Cyber Florida’s multi-
assessment platform leverages the Department of Homeland Security (DHS) cybersecurity
evaluation tool containing both the CSF 2.0 standard question set and ransomware readiness
assessment (RRA) modules. The tools and resources available through the program are state-
funded and provided at no charge for Florida’s private and public critical infrastructure
organizations.

The CSF 2.0 is designed for all audiences, businesses, critical infrastructure sectors, and
organizations, regardless of their degree of cybersecurity sophistication. The NIST has added
governance to the CSF’s core guidance to help organizations assess and achieve their
cybersecurity goals.

“Since October 2022, more than 655 Florida organizations, companies, businesses, and
government agencies have participated in the program,” said Bryan Langley, lead program
manager at Cyber Florida. “We continue to support, develop, and adopt greater cybersecurity
measures and services to support Florida’s public and private sector owners and operators.”

The Florida Legislature has funded the risk assessment effort to support the state’s public and
private sector entities with numerous, no-cost benefits for participating organizations,
companies, and businesses. The assessment covers the CSF 2.0 desired outcomes and provides
several reports detailing an organization’s strengths and weaknesses to determine and leverage
cyber risk reduction resources from Florida agencies, universities, and colleges. Measuring
success comes from both the improvements made by the participants based on their individual
reports and using the customized statewide dashboard (visualization tool) developed by INL to
analyze sector/subsector risk across the state.

The program is intended to assist small- and medium-sized enterprises and resource-constrained
county and municipal government entities in implementing basic cybersecurity protocols and
policies to achieve a fundamental cybersecurity posture. This comprehensive initiative is
designed to fortify the cybersecurity resilience of public and private critical infrastructure across
the state.

In an era of increasing cyber threats and incidents, safeguarding critical infrastructure is
paramount. The program aims to empower organizations by providing high-quality cybersecurity
resources, training, and support to defend against evolving cyber risks and recover from
incidents. The resources available on the platform include the following:

– A 20-question RRA based on the most reported cybersecurity gaps from the initial statewide
risk assessment period between October 2022 and June 2023.
– A cybersecurity incident response plan template to help organizations think through and plan
how to recover from a cyber incident.
– A 154-question assessment that covers key cybersecurity desired outcomes and practices
outlined in CSF 2.0 and the RRA.

To learn more about the program and how an organization can participate, please visit the
program’s official webpage at www.cyberflorida.org/cip or contact the program lead, Bryan
Langley, at bjlangley@cyberflorida.org.

The Florida Center for Cybersecurity at the University of South Florida, commonly referred to as
Cyber Florida at USF, was established by the Florida Legislature in 2014. Its mission is to
position Florida as a national leader in cybersecurity through comprehensive education, cutting-
edge research, and extensive outreach. Cyber Florida leads various initiatives aimed at inspiring
and educating both current and future cybersecurity professionals, advancing industry research,
and enhancing cybersecurity awareness and safety of individuals and organizations.