ONCD RFI Response: Cyber Regulatory Harmonization



CYBER REGULATORY HARMONIZATION

The Florida Center for Cybersecurity (Cyber Florida)

The Florida Center for Cybersecurity was established within the University of South Florida in 2014 under Florida statute 1004.444. The goals of the center are to: position Florida as a national leader in cybersecurity and its related workforce through education, research, and community engagement; assist in the creation of jobs in the state’s cybersecurity industry and enhance the existing cybersecurity workforce; act as a cooperative facilitator for state business and higher education communities to share cybersecurity knowledge, resources, and training; seek out partnerships with major military installations to assist, when possible, in homeland cybersecurity defense initiatives; attract cybersecurity companies to the state with an emphasis on defense, finance, health care, transportation, and utility sectors.

Introduction

The National Cybersecurity Strategy has outlined critical areas of focus that ambitiously seek to improve the cybersecurity posture of the nation and protect American citizens, businesses, and infrastructure from bad actors in cyberspace. In order to achieve this, it is crucial to identify and implement a common set of clearly defined, actionable cybersecurity standards that can be applied across all agencies and critical infrastructure sectors. Further, it is necessary to utilize a risk-based approach to determine any additional cybersecurity requirements for each specific sector and operationalize such requirements through education and training. Finally, nonpunitive, continuous assessment of the implementation and application of the required cybersecurity standards is essential to ensure successful execution and ultimately minimize risk. The Office of the National Cyber Director may also consider exploring methods to incentivize participation. Cyber Florida commends the Office of the National Cyber Director for its prioritization of harmonizing cybersecurity regulations, as we strongly believe this to be a crucial starting point in addressing the vast cybersecurity needs of the nation.

Common Set of Cybersecurity Standards

The National Cybersecurity Strategy aims to equitably distribute risk and responsibility across critical sectors to facilitate a more collaborative, consistent defense against cybersecurity risks and reinforce the nation’s cyber resilience. In order to do so, a common set of cybersecurity standards must be implemented. Among the existing standards that can be broadly applied is the NIST Cybersecurity Framework, which offers widely applicable cybersecurity objectives and a risk-based, outcome-driven approach, allowing for a fully customizable cybersecurity program based on the unique needs of the organization. Designating the NIST Cybersecurity Framework, or a similar model, as a common requirement across sectors will create a consistent, actionable cybersecurity standard while still allowing for variability where necessary.

Assessment & Training

To ensure successful implementation and effective execution of cybersecurity standards, the Office of the National Cyber Director may consider coordinating an assessment and training program. In 2022, Cyber Florida was tasked by the Florida legislature to conduct a cybersecurity risk assessment of the state’s critical infrastructure and offer data-driven recommendations for improving Florida’s cyber readiness. Cyber Florida partnered with Idaho National Laboratory (INL), a world leader in securing critical infrastructure systems, and customized their well-established and widely used online assessment tool, known as CSET, to achieve the goals of this initiative. Guided by the NIST cybersecurity framework and industry standards, the tool allows participants to identify their cybersecurity strengths and deficiencies, areas of greatest impact and/or vulnerability, and to determine appropriate security improvements. Additionally, Cyber Florida worked with the MITRE Corporation, a leader in cybersecurity and national security consulting, to conduct a series of detailed interviews and guided discussions to collect more nuanced qualitative data about the risks and challenges facing Florida’s critical infrastructure. Based on the findings of the assessment, Cyber Florida was not only able to offer recommendations to the Florida legislature aimed at improving the cybersecurity posture of the state as a whole, but also assist critical infrastructure participants in enhancing their cybersecurity programs and addressing any vulnerabilities that were discovered. Through this initiative, we learned that offering nonpunitive assessment as a means to support organizations in their duty to become cyber secure fosters an environment of trust and information sharing and ultimately facilitates collaboration and willful participation in such a dire effort. 
Furthermore, successful implementation of cybersecurity standards is heavily dependent upon the knowledge and skillset of the workforce. As such, offering guidance related to the adoption of regulations and incorporating additional training where necessary is crucial. Cyber Florida determined that we will continue our assessment program because it is necessary to maintain an accurate depiction of the cybersecurity needs of the state, as cyber threats are constantly evolving. The nation could drastically benefit from a similar, continuous assessment program conducted on a larger scale, with optional guidance and training based on assessment results.

Questions & Responses

1. Conflicting, mutually exclusive, or inconsistent regulations – If applicable, please provide examples of any conflicting, mutually exclusive, or inconsistent federal and SLTT regulations affecting cybersecurity – including broad enterprise-wide requirements or specific, targeted requirements - that apply to the same information technology (IT) or operational technology (OT) infrastructure of the same regulated entity. Be as clear, specific, and detailed as possible.

a. Please include specific examples with legal citations or hyperlinks to the particular federal or SLTT cybersecurity rules or enforceable guidance that impose conflicting, mutually exclusive, or inconsistent requirements, and explain the specific conflicts or inconsistencies you identify.

Data Breach Notification Laws:

In the event of unauthorized access to personal data, responsible entities are required by law to notify affected parties. Each state has its own specific statutes, such as the Florida Information Protection Act of 2014 (Fla. Stat. § 501.171), which mandates notification to individuals within 30 days of unauthorized data access. Similarly, Georgia (Georgia Code 10-1-912) requires notification to residents within 24 hours of a data breach. However, complying with multiple state standards can be a challenge for businesses, particularly small ones that may have collected personal information from residents of several states.

For healthcare entities, compliance with federal law is required through the Health Insurance Portability and Accountability Act (HIPAA). Notification of a breach must occur within 60 days, which is longer than some state requirements and may create conflicting timelines.

In 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law by President Biden. The law requires covered entities in industries classified among the 16 Critical Infrastructure Sectors defined by CISA to report “covered cyber incidents” to the Department of Homeland Security (DHS) within 72 hours, including personal data breaches which state laws may not cover. This shorter reporting deadline is an important step towards protecting personal data.

Information Security and Data Encryption

Various federal and state regulations exist to ensure the security of information and data encryption for different entities. For example, financial service providers are required to inform their customers about their information-sharing practices and protect their personal data under the Gramm-Leach-Bliley Act. Federal agencies are governed by the Federal Information Security Management Act (FISMA) regarding their information security practices.

At the state level, businesses operating in New York and California are subject to information security regulations such as the SHIELD Act and the California Consumer Privacy Act (CCPA), respectively. In Massachusetts, the law (201 CMR 17.00) specifically mandates the encryption of any personal information stored on a computer system belonging to a resident, which is not explicitly stated in other laws.

Data Privacy:

In the financial services and consumer reporting industries, the GLBA and FCRA laws are important for ensuring data privacy requirements are met. The recently implemented CPRA, which amends the CCPA, is also crucial as it applies to personal data not covered by the GLBA and can even affect those who are not California residents. It should be noted, however, that the Colorado Privacy Act specifically exempts data that falls under existing federal regulations, including the GLBA.

e. Please include specific examples with legal citations or hyperlinks to the particular federal or SLTT cybersecurity rules or enforceable guidance that impose conflicting, mutually exclusive, or inconsistent requirements, and explain the specific conflicts or inconsistencies you identify.

Infrastructure Security for Utilities:

Utilities rely on their IT and OT infrastructure to safeguard themselves against cyber threats. To ensure the security of bulk power systems, the Federal Energy Regulatory Commission (FERC) has jurisdiction at the federal level, while the North American Electric Reliability Corporation (NERC) sets the Critical Infrastructure Protection Standards. At the state level, each state has its own utility regulators, such as the Florida Public Service Commission (FPSC), which have the authority to enforce cybersecurity measures. This overlap of jurisdictions could potentially lead to conflicting regulations.

Cyber Incident Reporting Rules:

It is a legal requirement for companies to inform their customers and the relevant state or federal agencies about any incidents of cyber-attacks or data breaches. In the financial services sector, it may be necessary to file multiple reports in the event of a data breach.

i. How can future regulations address any prohibitive costs which lead to meaningful security gaps?

Data breaches have become a growing concern for businesses in recent years, with the average cost of such an incident reported by IBM at $4.45 million in 2023 (and likely to climb further). As a result, companies are now required to adhere to increasingly complex compliance standards, with financial institutions spending almost 40% of their time preparing and submitting regulatory compliance reports. This has resulted in a significant cost of regulatory security compliance, which was reported at $3.5 million in 2011 and has likely increased due to new state and federal regulations.

One potential solution to this issue is the Financial Services Sector Cybersecurity Profile (FSP), which could be adopted in other sectors. This framework aligns “over 30 federal, state, and global regulations and incorporates a systemic process that allows for the mapping of additional regulations at any time.” Developed by the Cyber Risk Institute, this framework has the potential to ease the financial burden of compliance in healthcare, technology, and critical infrastructure by synthesizing regulations. By streamlining regulatory compliance, businesses can focus on their core operations and avoid costly data breaches.

j. How can future regulations address any prohibitive costs which lead to meaningful security

• Rather than penalizing non-compliance, regulations could provide incentives for proper and consistent reporting and security measures, ultimately applying preventative rather than punitive measures that will reduce the overall incidence of security incidents. Future regulations could follow the FERC model, which introduced something similar for utilities

• Expand CISA’s public-private partnership program to increase information sharing, joint training, and collaborative standard development. This could be especially useful for small businesses

• Work with international bodies like the EU to harmonize regulation. For example, the General Data Protection Regulation (GDPR), which passed in 2018, has imposed significant costs on US companies

• Encourage, enable, and expand the use of open-source cybersecurity solutions

3. Use of Existing Standards or Frameworks – The practice of using existing standards or frameworks in setting regulatory requirements can reduce burdens on regulated entities and help to achieve the goals of regulatory harmonization. Under existing law, Federal executive agencies use voluntary consensus standards for regulatory activities unless use of such standards is inconsistent with law or otherwise impractical. In a recent report from the President’s National Security Telecommunications Advisory Council (NSTAC) that addressed cybersecurity regulatory harmonization, the NSTAC noted that “even though most regulations cite consensus standards as the basis for their requirements, variations in implementations across regulators often result in divergent requirements.”

A. To what extent are cybersecurity requirements applicable to your industry or sector based on, consistent with, or aligned with existing standards or frameworks?

Cybersecurity requirements are crucial in the academic research sector, where Cyber Florida exists, as they support studies on cybercrime, privacy, user behavior, and organizational needs, which contribute to our nation’s competitive edge. Such requirements are essential in crafting policies at the local, state, and national levels for the benefit of all. Therefore, it is imperative to prioritize cybersecurity requirements in this sector to ensure the safety and security of all stakeholders involved.

Additionally, Cyber Florida was recently tasked with conducting statewide cybersecurity training and a cyber risk assessment. Cybersecurity requirements that align with the NIST cybersecurity framework have provided the foundation for such initiatives and have aided in the development and implementation of widely applicable, comprehensive cybersecurity recommendations and guidelines.

B. To what extent are cybersecurity requirements applicable to your industry or sector based on, consistent with, or aligned with existing standards or frameworks?

There are a variety of frameworks that have been applied to this sector in order to promote cybersecurity regulatory harmonization and compliance. The top frameworks used tend to be:

• NIST Cybersecurity Framework

o The NIST Cybersecurity Framework was established in response to an executive order by former President Obama — Improving Critical Infrastructure Cybersecurity — which called for greater collaboration between the public and private sector for identifying, assessing, and managing cyber risk. While compliance is voluntary, NIST has become the gold standard for assessing cybersecurity maturity, identifying security gaps, and meeting cybersecurity regulations.

• ISO 27001 and ISO 27002

o Created by the International Organization for Standardization (ISO), ISO 27001 and ISO 27002 certifications are considered the international standard for validating a cybersecurity program — internally and across third parties. With an ISO certification, companies can demonstrate to the board, customers, partners, and shareholders that they are doing the right things with cyber risk management. Likewise, if a vendor is ISO 27001/2 certified it’s a good indicator (although not the only one) that they have mature cybersecurity practices and controls in place.

• FISMA

o The Federal Information Security Management Act (FISMA) is a comprehensive cybersecurity framework that protects federal government information and systems against cyber threats. FISMA also extends to third parties and vendors who work on behalf of federal agencies. The FISMA framework is aligned closely with NIST standards and requires agencies and third parties to maintain an inventory of their digital assets and identify any integrations between networks and systems. Sensitive information must be categorized according to risk and security controls must meet minimum security standards as defined by FIPS and NIST 800 guidelines. Impacted organizations must also conduct cybersecurity risk assessments, annual security reviews, and continuously monitor their IT infrastructure.

C. What, if any, additional opportunities exist to align requirements to existing standards or frameworks and, if there are such opportunities, what are they?

The NIST framework is a valuable resource for organizations seeking to improve their cybersecurity measures. Although it is designed to be implemented voluntarily, certain entities are required to use it, such as U.S. federal government agencies, insurance organizations, and various federal, state, and foreign governments. Additionally, some organizations may require it for their customers or within their supply chain.

Organizations can utilize the framework in a variety of ways. It helps to raise awareness and communicate with stakeholders, including executive leadership. The framework also promotes communication across organizations, facilitating sharing of cybersecurity expectations with business partners, suppliers, and sectors. By adhering to the framework’s standards, guidelines, and best practices, organizations can demonstrate their commitment to maintaining strong cybersecurity measures.

Furthermore, the framework is a useful tool for reconciling internal policy with legislation, regulation, and industry best practices. It can be employed as a strategic planning tool to assess risks and evaluate existing practices. The Resources and Success Stories sections provide examples of how different organizations have successfully utilized the framework to improve their cybersecurity measures.

3. Third-Party Frameworks – Both the government (for example, through the NIST Cybersecurity Framework) and non-government third parties have developed frameworks and related resources that map cybersecurity standards and controls to cybersecurity outcomes. These frameworks and related resources have also been applied to map controls to regulatory requirements, including where requirements are leveled by multiple agencies.

a. Please identify such frameworks and related resources, both governmental and non-governmental, currently in use with respect to mitigating cybersecurity risk.

• NIST Cybersecurity Framework

• ISO 27001 and ISO 27002

• FISMA

b. How well do such frameworks and related resources work in practice to address disparate cybersecurity requirements?

The NIST Cybersecurity Framework, in particular, is organized around 5 main functions to promote cybersecurity:

1. Identify. Companies must first examine and categorize their supply chain and work environment to better understand which cybersecurity risks their systems, assets, data, and frameworks are exposed to. This process is also known as a cybersecurity risk assessment, and it provides a baseline for day-to-day risk.

2. Protect. Organizations must develop and implement appropriate safeguards to limit the effects of cybersecurity events. Protection includes cybersecurity monitoring programs, firewalls, and physical security controls such as locking the door to your data center. Protective controls require continuous monitoring to remain effective.

3. Detect. Organizations must implement appropriate procedures to identify cybersecurity events as soon as possible. A clear methodology should be established, so everyone within the organization knows what to do in case of a cyber attack.

4. Respond. Have an incident response team in place before you need it. Ensure that all stakeholders are involved in this part of the planning and that a clear chain of command exists from when an attack is identified until it is mitigated.

5. Recover. Mitigation is a big part of recovery. It includes plans for restoring crucial functions and services and a catalog of temporary security controls to implement as soon as a cybersecurity event has compromised your systems.

7. Cloud and Other Service Providers – Information technology, as a sector, is not regulated directly by the Federal government. However, regulated entities’ use of cloud and other service provider infrastructure is often regulated. To date, regulators have typically not directly regulated cloud providers operating in their sector. Rather, regulatory agencies have imposed obligations on their regulated entities that are passed along by contract to the cloud provider/service provider.

Cloud services and providers have become increasingly vital in our society. As a result, regulators and policymakers are taking note of the benefits and risks associated with this technology. However, the regulatory landscape of cloud computing is quite complex due to its growing significance in numerous societal and economic functions, as well as the continuous advancements in technology. To unlock the full potential of cloud services responsibly, it is crucial to understand the emerging issues in this context (Carnegie, 2020). The NIST Cybersecurity Framework and Small Business Corner provide a comprehensive list of regulatory rules to ensure compliance and promote cloud services’ safe and ethical use.

8. State, Local, Tribal, and Territorial Regulation. State, local, tribal and territorial (SLTT) entities often impose regulatory requirements that affect critical infrastructure owners and operators across state lines, as well as entities that do not neatly fall into a defined critical infrastructure sector. The New York Department of Financial Services, for example, established cybersecurity requirements for financial services companies. California similarly passed a cybersecurity law requiring manufacturers of the internet-of-things (IOT) devices to take certain measures. Dozens of states have followed suit to date. Companies that operate in multiple states are often required to comply with a variety of overlapping state and federal cybersecurity requirements.

a. Please provide examples where SLTT cybersecurity regulations are effectively harmonized or aligned with Federal regulations.

NIST Framework Adoption: The NIST Framework for Improving Critical Infrastructure Cybersecurity, last updated in 2018, has been adopted by a number of states.

On education data, Florida law is in line with the Department of Education’s Family Educational Rights and Privacy Act (FERPA). According to Florida statute, chapter 1002.22(2) of Title XLVIII, public educational institutions and agencies must safeguard the education records of students and their parents as per FERPA guidelines. However, the state board of education has the authority to inform the Legislature about any changes in FERPA that might necessitate an exemption to the requirements of s. 24(a), Art. I of the State Constitution.

b. Please provide examples of regulatory reciprocity between federal and SLTT regulatory agencies.

When it comes to infrastructure security for utilities, there are different authorities at the federal and state levels. The Federal Energy Regulatory Commission (FERC) holds jurisdiction over bulk power systems, which are subject to the Critical Infrastructure Protection Standards established by the North American Electric Reliability Corporation (NERC). Meanwhile, individual states have their own utility regulators, such as the Florida Public Service Commission (FPSC), which ensure that state-level utility providers offer fair prices to consumers. It’s worth noting that while the FPSC oversees utility regulation in Florida, it does not directly dictate cybersecurity standards, as that responsibility falls under the purview of the FERC.

c. Please highlight any examples or models for harmonizing regulations across multiple SLTT jurisdictions, to include Federal support for such efforts.

Individuals and organizations looking to implement the NIST Cybersecurity Framework in SLTT settings can benefit from the valuable resources it provides. Furthermore, positive feedback from those who have already implemented it serves as a testament to its effectiveness.

Contributing Authors

Jordan Deiuliis

Cyber Program and Policy Analyst

Cyber Florida: The Florida Center for Cybersecurity

Chandler Myers

Associate Pallas Advisors

Contact Information

Ernie Ferraresso eferraresso@cyberflorida.org

813 974 1869 Director

Cyber Florida: The Florida Center for Cybersecurity
