Florida Cybersecurity in Local Context
Florida's cybersecurity regulatory environment operates across multiple overlapping layers — state statutes, federal mandates, sector-specific frameworks, and local government policies — that collectively shape how organizations and public agencies manage digital risk within the state. The geographic diversity of Florida, spanning 67 counties and more than 400 municipalities, produces meaningful variation in how cybersecurity obligations are interpreted and enforced at the local level. This page maps the structural relationships between state authority and local jurisdiction, identifies where local government action supplements or intersects with state law, and defines the scope of coverage relevant to Florida-based entities navigating this landscape. The Florida cybersecurity reference framework provides the broader context within which local-level analysis is situated.
Geographic scope and boundaries
Florida's cybersecurity governance applies to entities operating within the state's 65,758 square miles of land area, encompassing municipalities, counties, special districts, state agencies, private sector organizations, and critical infrastructure operators subject to Florida law. The Florida Digital Service (FDS), housed within the Department of Management Services, holds primary administrative authority over state agency cybersecurity under Florida Statute §282.0051. County and municipal governments operate under home rule authority granted by the Florida Constitution, Article VIII, which grants them independent regulatory capacity within limits set by state law.
Scope and coverage limitations: This page does not cover federal cybersecurity obligations that apply uniformly regardless of geography — including HIPAA enforcement by the U.S. Department of Health and Human Services, CISA directives, or SEC cybersecurity disclosure rules for publicly traded companies. Entities operating in Florida but incorporated in another state, or those whose data processing occurs outside Florida, may face obligations not addressed within this state-specific framework. Interstate commerce contexts and federal contractor obligations fall outside the geographic scope of Florida's state cybersecurity authority.
The Florida Cyber Florida Initiative, administered through the University of South Florida, provides regionally focused research and workforce development resources that follow county-level distributions of industry concentration, particularly in the Tampa Bay, Miami-Dade, and Orlando metropolitan statistical areas.
How local context shapes requirements
Local context in Florida affects cybersecurity obligations through three primary mechanisms: sector concentration, infrastructure classification, and municipal data governance policies.
1. Sector concentration by region
- Miami-Dade, Broward, and Palm Beach counties host the highest density of financial services firms subject to the Florida Financial Services Cybersecurity provisions and the Gramm-Leach-Bliley Act's Safeguards Rule enforced by the FTC.
- Hillsborough, Pinellas, and Orange counties contain major healthcare systems where HIPAA intersects with Florida's healthcare cybersecurity obligations under the Agency for Health Care Administration (AHCA).
- Duval, Escambia, and Bay counties contain significant defense contractor and military installation presence, creating overlapping CMMC (Cybersecurity Maturity Model Certification) and state reporting obligations.
- Port-adjacent counties — including Miami-Dade, Broward, Hillsborough, and Duval — have dedicated considerations under Florida port and maritime cybersecurity frameworks.
2. Critical infrastructure classification
Florida's 67 counties contain infrastructure assets that CISA categorizes across 16 critical infrastructure sectors. The density of power generation, water treatment, and transportation nodes varies substantially by county. Polk County's phosphate processing and Broward County's Fort Lauderdale-Hollywood International Airport represent distinct local-context examples where sector-specific federal guidance (NERC CIP for energy, TSA Security Directives for aviation) supplements Florida Statute Chapter 282 obligations.
3. Municipal data governance
Municipalities with populations exceeding 50,000 residents — including Jacksonville, Miami, Tampa, Orlando, St. Petersburg, and Hialeah — typically maintain independent IT security offices and adopted cybersecurity policies that extend beyond baseline state requirements. Smaller municipalities often rely on county IT infrastructure and may fall under county-level incident response frameworks rather than independent municipal protocols.
Local exceptions and overlaps
Florida law produces identifiable overlap zones where state statute, local ordinance, and federal regulation converge on the same operational requirement.
Public records exemptions create a notable local-specific layer. Under Florida Statute §119.0714, cybersecurity-related records held by local agencies may be exempt from public records disclosure. The scope of these exemptions — and how aggressively local agencies apply them — varies by municipality. Florida public records cybersecurity exemptions are administered at the agency level, meaning a county sheriff's office and a municipal utility in the same county may interpret the same statute differently.
Election security represents a distinct jurisdictional overlap. Florida's 67 Supervisors of Elections operate as independent constitutional officers under Florida Statute §98.015, subject to Division of Elections guidance from the Florida Department of State and CISA's Election Infrastructure Information Sharing and Analysis Center (EI-ISAC). The Florida election cybersecurity framework reflects this layered authority, where county-level implementation of state-issued security standards is mandatory but enforcement pathways differ by county.
K-12 school districts illustrate another overlap: Florida's 67 school districts are independent special districts under Article IX of the Florida Constitution, subject to the Florida Department of Education's cybersecurity guidance, FERPA, and the Florida K-12 school cybersecurity standards. Miami-Dade County Public Schools, the fourth-largest district in the United States by enrollment, operates cybersecurity infrastructure at a scale comparable to mid-sized state agencies.
State vs local authority
The boundary between state and local cybersecurity authority in Florida follows a preemption-and-cooperation model rather than a strict hierarchical command structure.
State authority domains:
1. Statewide cybersecurity strategy and standards for state executive branch agencies (Florida Digital Service, §282.0056)
2. Data breach notification requirements under the Florida Information Protection Act (FIPA), which applies to all covered entities regardless of locality
3. Criminal statutes governing cybercrime under Florida cybercrime laws, Chapter 815, Florida Statutes
4. Oversight of the Florida Cybersecurity Operations Center (CSOC) for state agency incident response
Local authority domains:
1. Procurement and vendor security requirements for locally funded contracts
2. Municipal network architecture and access controls
3. Local agency public records exemption determinations
4. County-level emergency management cybersecurity annexes under the Florida Comprehensive Emergency Management Plan
The Florida Department of Management Services cybersecurity framework explicitly covers state agency networks but does not extend mandatory technical standards to county or municipal networks unless those entities receive state IT services or funding with attached conditions. Local governments retain independent authority over their cybersecurity posture except where state law expressly preempts or conditions local action — a distinction that frequently surfaces in Florida government cybersecurity compliance reviews.
Where state and local authority intersect on vendor and third-party cybersecurity risk, the applicable framework depends on the contracting entity: state agency contracts flow through DMS standards, while local government contracts are governed by local procurement ordinances subject to Florida's Consultants' Competitive Negotiation Act (§287.055) and general public procurement law.