Florida Statewide Cybersecurity Strategic Plan
Florida's statewide cybersecurity strategic plan establishes the governance architecture, priority objectives, and inter-agency coordination mechanisms that guide how state government and affiliated entities defend digital infrastructure. The plan operates under statutory authority and is administered through the Florida Department of Management Services and the Florida Digital Service. Understanding its structure is essential for government agencies, contractors, regulated industries, and researchers who interact with Florida's public-sector security posture.
Definition and scope
The Florida Statewide Cybersecurity Strategic Plan is a formal policy instrument that sets multi-year direction for protecting state information systems, critical infrastructure, and resident data. It is grounded in Florida Statute §282.318, which requires the Agency for State Technology (now consolidated into the Florida Department of Management Services, or DMS) to develop and maintain a statewide cybersecurity plan updated on a recurring cycle.
The plan's coverage extends to:
- State executive agency networks and information systems
- Enterprise technology platforms managed by the Florida Digital Service (FDS)
- Data-sharing arrangements between state and local government entities
- Cybersecurity workforce standards for state employment classifications
- Incident reporting protocols that trigger escalation to the Florida Cybersecurity Operations Center (CSOC)
This page addresses the strategic plan as a policy and governance instrument. It does not cover federal cybersecurity mandates imposed on Florida agencies by bodies such as CISA or NIST, except where those frameworks are explicitly incorporated by reference into Florida's own planning documents. Local government cybersecurity requirements, private-sector obligations, and federal contractor standards fall outside the scope of this page — those areas are addressed in the regulatory context for Florida cybersecurity reference.
How it works
The plan operates through a tiered governance model. At the apex sits the Florida Chief Information Security Officer (CISO), a statutory role defined under §282.318, who is responsible for publishing the plan and reporting to the Florida Legislature on implementation progress. Below the state CISO, individual Agency Information Security Managers (AISMs) translate statewide priorities into agency-specific security programs.
The planning cycle follows three functional phases:
- Assessment — The Florida Digital Service conducts enterprise risk assessments across state agency systems, benchmarked against the NIST Cybersecurity Framework (NIST CSF) and NIST Special Publication 800-53. Findings feed directly into priority-setting for the next planning period.
- Prioritization — Identified risk areas are ranked by potential impact, threat likelihood, and resource feasibility. The plan groups priorities into categories: identity and access management, supply chain risk, incident response capacity, and workforce development.
- Implementation and accountability — Agencies submit compliance documentation to DMS on a defined schedule. The Florida Cybersecurity Operations Center monitors real-time telemetry across state networks and functions as the coordination hub during active incidents. Details on the CSOC's operational structure are available through the Florida Department of Management Services cybersecurity reference.
The plan explicitly incorporates the Florida Cyber Florida Initiative, a university-based program housed at the University of South Florida, as the state's designated hub for cybersecurity research, workforce pipeline development, and small-business support. Cyber Florida's integration into the strategic plan distinguishes Florida's model from states that treat academic partnerships as supplementary rather than structural.
Common scenarios
Three recurring operational scenarios illustrate how the strategic plan functions in practice:
(§282.318, https://www.flsenate.gov/Laws/Statutes/2023/282.318). The CSOC activates the Incident Response Plan, coordinates forensic support, and — if personally identifiable information is involved — coordinates with the requirements under the Florida Information Protection Act (FIPA), which governs breach notification timelines for affected individuals.
Ransomware affecting state or local government. Florida law, specifically §282.3185, prohibits state agencies from paying ransomware demands and requires immediate CSOC notification. This prohibition does not automatically extend to county or municipal governments, creating a compliance boundary that the strategic plan addresses through guidance rather than mandate. The distinct threat landscape is documented in the Florida ransomware threats reference.
Critical infrastructure interdependency. Florida's 15 designated seaports and major energy utilities operate infrastructure that intersects with state networks. The strategic plan's critical infrastructure annex coordinates with federal sector-specific agencies under Presidential Policy Directive 21, while the Florida Division of Emergency Management serves as the state-level coordination point. Sector-specific details appear in Florida critical infrastructure cybersecurity.
Decision boundaries
The strategic plan creates clear classification lines that determine how entities interact with Florida's cybersecurity governance structure.
State agencies vs. local governments. Entities under the state executive branch are directly bound by §282.318 and must align their security programs with DMS directives. Counties, municipalities, school districts, and special districts operate under separate statutory frameworks and are not compelled to adopt the state plan — though DMS publishes voluntary guidance applicable to local government, and the Florida government cybersecurity reference covers this distinction in detail.
Private sector vs. public sector. The strategic plan does not impose direct cybersecurity requirements on private businesses, financial institutions, or healthcare providers. Those entities operate under sector-specific frameworks — HIPAA for healthcare (HHS Office for Civil Rights), Gramm-Leach-Bliley for financial institutions — and under FIPA for breach notification. The broader Florida cybersecurity service landscape encompasses both public and private-sector frameworks.
Workforce classification boundaries. The strategic plan's workforce provisions apply to state employees in designated information security roles. Certification and licensing standards for private-sector cybersecurity professionals are addressed separately in Florida cybersecurity certifications and licensing.
References
- Florida Statute §282.318 — Cybersecurity
- Florida Department of Management Services — Cybersecurity
- Florida Digital Service
- NIST Cybersecurity Framework (CSF)
- NIST Special Publication 800-53, Rev. 5
- Cyber Florida — University of South Florida
- HHS Office for Civil Rights — HIPAA
- CISA — Critical Infrastructure Security
- Florida Statute §282.3185 — Ransomware Prohibition