Florida DMS Cybersecurity Programs and State Agency Requirements
The Florida Department of Management Services (DMS) serves as the primary administrative authority coordinating cybersecurity policy and program governance across Florida's executive branch agencies. This page covers the structure of DMS cybersecurity mandates, the compliance obligations placed on state agencies, the frameworks that govern state IT security, and the boundaries separating state-agency requirements from local government, private sector, and federal obligations. Understanding how DMS programs operate is essential for procurement officers, agency information security managers, and policy researchers navigating Florida's government cybersecurity landscape.
Definition and scope
The Florida DMS Cybersecurity Programs framework is grounded in Florida Statutes § 282.0041 and § 282.318, which designate DMS as the state's primary authority for setting information technology security standards for executive branch agencies. Under this statutory authority, DMS administers the Florida Cybersecurity Standards, a set of minimum security requirements that all executive branch agencies must satisfy. These standards align with the NIST Cybersecurity Framework (CSF) and NIST SP 800-53, which provide the technical architecture for risk assessment, access control, incident response, and audit and accountability controls.
The scope of DMS authority covers all executive branch agencies as defined in Florida law — roughly 30 cabinet-level and line agencies including the Department of Health, the Department of Revenue, and the Department of Law Enforcement. This authority does not extend to the Florida Legislature, the Florida court system, state universities, or Florida's 67 county governments. For a broader map of how these jurisdictional boundaries are constructed, the Florida Cybersecurity Authority Index provides a structured entry point across all covered sectors.
Scope limitations: DMS programs apply exclusively to Florida executive branch entities. Local government bodies, special districts, constitutional officers, and private entities contracting with the state are governed by separate statutory provisions and, in some cases, federal overlay requirements. County and municipal cybersecurity governance is addressed at Florida Government Cybersecurity.
How it works
DMS cybersecurity governance operates through a layered compliance structure with four functional phases:
- Standards promulgation — DMS publishes and updates the Florida Cybersecurity Standards (Rule 60GG-2, Florida Administrative Code), which specify minimum controls in areas including access management, encryption, vulnerability management, and incident reporting.
- Agency security planning — Each covered agency must designate an Agency Information Security Manager (AISM) responsible for developing and maintaining an agency-specific Information Security Plan (ISP). The ISP must be updated annually and submitted to DMS for review.
- Risk assessment and audit — Agencies conduct biennial risk assessments using methodologies consistent with NIST SP 800-30. DMS and the Auditor General of Florida retain authority to audit agency compliance with the standards, and audit findings can require corrective action plans with defined remediation timelines.
- Incident reporting — Florida Statutes § 282.318(8) requires agencies to report cybersecurity incidents to the Florida Cybersecurity Operations Center (CSOC) within 12 hours of detection. The CSOC, administratively housed within DMS, coordinates response activities and escalates incidents to the Florida Department of Law Enforcement (FDLE) when criminal activity is suspected.
The Florida Statewide Cybersecurity Strategy provides additional context on how this compliance architecture connects to broader state-level risk priorities.
Common scenarios
DMS cybersecurity requirements come into play in a set of recurring operational scenarios across state agencies:
Vendor and third-party access: When an executive branch agency contracts with a technology vendor requiring access to state systems, the vendor must satisfy DMS-mandated security clauses embedded in state procurement contracts. These clauses reference Rule 60GG-2 controls and may require vendor-side attestation, penetration testing results, or SOC 2 Type II reports. This intersection with procurement risk is examined further at Florida Vendor and Third-Party Cybersecurity Risk.
Ransomware and data encryption incidents: Ransomware events affecting state agency systems trigger mandatory CSOC notification within 12 hours under § 282.318(8). Agencies must follow DMS incident response procedures that include isolation protocols, forensic preservation, and coordination with FDLE's cyber investigators. The threat landscape surrounding ransomware in Florida government contexts is covered at Florida Ransomware Threats.
Data breach involving personal information: When a state agency breach also implicates personal data subject to the Florida Information Protection Act (FIPA), dual notification obligations arise — CSOC notification under § 282.318 and consumer notification under FIPA's 30-day requirement. The intersection of these two frameworks is detailed at Florida Information Protection Act.
Security certification for agency personnel: AISMs and agency IT security staff must meet qualification standards referenced by DMS, which align with certifications including CISSP, CISM, and CompTIA Security+. Certification and licensing standards for Florida cybersecurity professionals are covered at Florida Cybersecurity Certifications and Licensing.
Decision boundaries
Distinguishing DMS authority from adjacent frameworks requires precision on three contrasts:
DMS standards vs. federal overlay requirements: Executive branch agencies handling federal data — such as Medicaid records under CMS or law enforcement databases under the FBI's CJIS Security Policy — must satisfy both DMS state standards and the applicable federal framework. Where federal requirements exceed DMS minimums, federal standards prevail. CJIS compliance, for example, is enforced through FDLE independently of the DMS standards cycle.
DMS programs vs. Florida Digital Service (FDS): DMS provides the security standards and compliance oversight function. The Florida Digital Service, created under Florida Statutes § 282.0051, focuses on enterprise IT modernization and shared services. The two bodies operate in parallel, with FDS addressing technology transformation and DMS retaining regulatory authority over security standards.
State agency obligations vs. local government obligations: County governments, municipalities, and school districts are not covered by Rule 60GG-2. They operate under separate provisions, including county-specific procurement rules and school board policies informed by the Florida Department of Education's guidance. Florida K-12 cybersecurity requirements are addressed at Florida K-12 School Cybersecurity.
For regulatory background linking DMS programs to the broader Florida cybersecurity legal framework, see Regulatory Context for Florida Cybersecurity.
References
- Florida Statutes § 282.318 – Information Technology Security
- Florida Administrative Code Rule 60GG-2 – Cybersecurity Standards
- Florida Statutes § 501.171 – Florida Information Protection Act
- Florida Statutes § 282.0051 – Florida Digital Service
- NIST Cybersecurity Framework
- NIST SP 800-53 Rev. 5 – Security and Privacy Controls
- NIST SP 800-30 Rev. 1 – Guide for Conducting Risk Assessments
- Florida Auditor General
- Florida Department of Law Enforcement (FDLE)
- Florida Department of Management Services – Information Technology