POLICY BRIEF
ENHANCING THE CYBER RESILIENCE OF FLORIDA’S CRITICAL INFRASTRUCTURE THROUGH MATURITY MODELING
Introduction: “What Gets Measured, Gets Managed”
Robert Kaplan and David Norton famously observed that “what gets measured, gets managed.”[1] On this simple yet profound premise they developed the Balanced Scorecard, a pioneering approach to strategic planning that transformed management across the private sector by helping organizations align financial metrics, customer perspectives, and internal processes. Thirty years later, the tool remains widely used by businesses worldwide to, among other things, keep business activities aligned with strategic goals. That innovation has been built on and followed by a host of strategic alignment initiatives, from Key Performance Indicators (KPIs) and Total Quality Management (TQM) to Six Sigma and objectives-based management (OBM). Organizations across nearly every sector have embraced these tools, and with them the underlying truth that what gets measured, gets managed. When it comes to cybersecurity, however, many organizations have yet to adopt the strategic tools that would help them measure and manage their cyber readiness effectively.[2]
The resulting gap in cyber readiness has left many of the nation’s (and the state’s) most critical service providers vulnerable to cyber intrusion. Over the past year, several high-profile cyberattacks have highlighted the consequences of service disruptions when these organizations fall victim to breaches. For example, in 2023 Tallahassee Memorial Healthcare suffered a cyberattack that forced the organization to take its computer systems offline and cancel scheduled (non-emergency) surgeries. The hospital also had to divert emergency patients to other facilities during the incident, a potentially dangerous disruption of emergency medical services for patients in the region.[3] In the same year, Florida’s First Judicial Circuit suffered a ransomware attack in which the attackers gained access to employees’ Social Security numbers as well as a “detailed map of the court’s systems.”[7] The attack rendered several key systems inoperable, including the court’s audio recording software, and impaired judges’ ability to access “certain electronic capabilities.”
In 2023, the Florida Center for Cybersecurity at the University of South Florida (Cyber Florida at USF) conducted a statewide analysis of the cyber readiness of Florida’s critical infrastructure (CI) providers across the 16 critical infrastructure sectors. The study, conducted on behalf of the State Legislature in fulfillment of Appropriation 2944B, offered several recommendations to improve cyber resilience and protect Florida’s people, property, and prosperity.[4] Among these recommendations was a call to “Adopt a Florida-specific cyber maturity model for critical infrastructure providers.” Since those recommendations were offered in July 2023, further cyberattacks against CI providers in Florida have led to data breaches and service disruptions across several critical infrastructure sectors, including healthcare,[5] education,[6] the judicial system,[7] and essential government services.[8] A commitment to maturity modeling will not prevent every such intrusion, but it is a critical step in improving cyber readiness across the state’s critical infrastructure sectors. Maturity models give organizations a means to assess essential practices and metrics and to guide cyber-management decisions strategically. In short, maturity models, like the Balanced Scorecard, help organizations systematically measure the systems, processes, and practices that determine their cyber health, because what gets measured, gets managed.
In recognition of the critical role that cyber resilience plays in protecting Florida’s people, property, and prosperity, this policy brief provides an overview of maturity modeling and suggests steps state leaders may consider to ensure that Florida’s critical infrastructure providers are measuring the right things and deliberately aligning organizational practices with their cyber-readiness goals. The brief provides (1) an overview of how maturity models work, including a summary of the models most commonly used in key CI sectors; (2) a review of current cyber vulnerabilities among Florida’s critical infrastructure providers and an analysis of how maturity modeling can help CI providers address them; and (3) specific recommendations for integrating maturity modeling into Florida’s ongoing cybersecurity initiatives. There is no one-size-fits-all solution that will adequately serve the diversity of Florida’s critical infrastructure sectors; the goal of this brief is to give state leaders practical, data-driven guidance so that they can better incentivize and support the state’s CI providers in these increasingly critical efforts.
Maturity Modeling: What Is It, and How Does It Work?
Like the Balanced Scorecard often adopted by business enterprises, a maturity model is a structured framework that an organization can use to evaluate its cyber capabilities and readiness and to manage and mitigate cyber threats. These models define a series of increasing maturity stages, each representing a higher level of cybersecurity sophistication and readiness. By defining clear stages, they give organizations a roadmap for continual improvement and for building resilience against cyber threats. The well-established maturity models were designed by industry leaders and regulatory bodies to cover the breadth of cyber risks that today’s critical infrastructure organizations face, and their structured approach helps ensure that organizations implement the controls needed to mitigate cyber vulnerabilities. Specifically, maturity models are designed to help organizations:
1. Assess Their Current Capabilities: identify vulnerabilities in their cyber readiness and benchmark against best practices.
2. Prioritize Improvements: help organizations focus on eliminating vulnerabilities in critical areas that will offer the most significant risk reduction.
3. Measure Progress: track advancements in cybersecurity practices over time to ensure continuous improvement.
4. Enhance Resilience: build robust defenses that reduce the risk of significant disruptions from cyber incidents.
In other words, maturity modeling tells organizations what to measure and gives them actionable information for managing cyber readiness. The State of Florida has already supported investment in maturity modeling by funding Cyber Florida’s Critical Infrastructure Protection (CIP) Program.[9] Drawing on existing, nationally recognized cyber risk frameworks, assessments, and resources, Cyber Florida developed a multi-assessment platform based on the NIST Cybersecurity Framework (CSF) with an integrated, nationally recognized maturity index to inform cyber risk statewide. The Florida Cyber Risk Assessment (FCRA) platform and its accompanying dashboard (visualization tool) use the NIST CSF standard question set and the Ransomware Readiness Assessment (RRA)[11] module from the Cybersecurity and Infrastructure Security Agency’s (CISA) Cyber Security Evaluation Tool (CSET®),[10] along with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).[12] The FCRA uses a graduated workflow: an entry-level question set covering Florida’s top-reported vulnerabilities, a mid-level question set measuring the CPGs, and the full NIST CSF 2.0 question set. The assessment also uses the Center for Internet Security (CIS®) Nationwide Cybersecurity Review (NCSR) maturity scale.[13] In addition to providing multiple result reports to submitters, the anonymized data gives state leadership important cyber risk information.
Does Florida Really Need a Maturity Model Approach?
A wide range of frameworks, tools, and resources is available to help CI providers measure and manage their cyber readiness, but the sheer volume of resources and the limited expertise available to many providers often inhibit the adoption and disciplined application of these tools. Data collected in the 2022-2023 Critical Infrastructure Risk Assessment (conducted by Cyber Florida at USF) suggest that many of Florida’s critical infrastructure providers remain highly susceptible to cyber intrusion and lack sufficient risk management structures. For example:
1. Third-party interactions (such as supply chain and external vendors) are one of the most significant threat vectors for critical infrastructure providers, yet only 39% of Florida’s critical infrastructure providers indicated that they conduct response and recovery planning with third-party providers. Moreover, fewer than half (48%) routinely assess or audit third-party partners to confirm that they meet their contractual cybersecurity obligations. Structured maturity models can help CI providers better understand the cyber threats associated both with their internal operations and with their external network of vendors and partners.
2. Many cyber intrusions stem from avoidable errors, such as leaked or reused passwords or clicking on malicious links. Yet nearly half of the state’s CI providers (49%) do not have a formal cybersecurity training program that goes beyond basic awareness. Maturity modeling can help CI providers identify and address their most significant cybersecurity knowledge gaps, and maturity models can point toward comprehensive training programs that fit the organization’s operating environment and the prevailing threats in its sector.
3. Despite the importance of strategically managing cyber readiness, nearly half (49%) of Florida’s CI providers have not assigned critical cyber responsibilities to a CISO or equivalent position. Maturity modeling can help organizations ensure that every critical cyber-management task is accounted for and appropriately assigned.
4. Fewer than half (48%) of the state’s CI providers reported performing incident response tabletop exercises at least twice a year. Maturity models reinforce the importance of regular tabletop exercises and help organizations track performance over time, so they can test and refine their incident response plans and be prepared for actual cyber incidents.
5. Six of the top ten weaknesses across all submitters fell in risk management-related categories under the Identify and Protect Functions. As part of a risk management strategy, maturity models can help organizations prioritize the practices that will do the most to strengthen their cyber defenses.
6. According to the statewide Critical Infrastructure Risk Assessment, only about half of the state’s critical infrastructure providers (53%) have determined their organizational risk tolerance. Maturity modeling is crucial in helping organizations identify both their risk exposure and their risk tolerance.
When examined by service provider category, the risk assessment results highlight important differences that underscore the need for a sector-specific approach to maturity modeling throughout the state. Figure 2 shows the varying levels of cyber vulnerability among the sectors that participated most heavily in the October 2022 – June 2023 statewide risk assessment. For each practice recommended by NIST CSF 1.1, respondents indicated (Yes/No) whether their organization meets that standard. The figure shows the aggregate percentage of “No” responses for each sector; a higher score indicates greater vulnerability. These vulnerabilities also vary among sectors across each of the CSF 1.1 core Functions: Identify, Protect, Detect, Respond, and Recover (see Appendix A).
Figure 2. Sector-by-sector cyber weaknesses (from the Cyber Florida statewide risk assessment). Aggregate percentage of “No” responses when asked whether the organization met a particular standard; a higher score indicates a greater level of vulnerability. (Chart omitted.)
These examples are just a snapshot of the vulnerabilities identified through the statewide risk assessment. Maturity modeling alone will not resolve all of the challenges these organizations face, but it can help CI providers identify their vulnerabilities and strategically manage resource allocation and internal practices to optimize risk reduction and improve cyber readiness. Structured maturity modeling can also help state leaders identify and monitor trends within CI sectors and subsectors to inform policy formation and change.
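The aggregate “No” score used in Figure 2 and the “top ten weaknesses” ranking cited above are simple to compute, but two choices matter when the results are used to compare sectors: how each answer is mapped to a CSF Function, and how unanswered or not-applicable items are treated. The following Python, added here as an illustration and not part of Cyber Florida’s FCRA code, computes both metrics from constructed Yes/No responses. The CSF 1.1 subcategory identifiers are real; the sector names, answers, and function names are assumptions for the example.

```python
"""Score CSF-style Yes/No self-assessment responses the way the brief describes:
per-sector, per-Function percentage of "No" answers, plus a cross-submitter
ranking of the subcategories most often answered "No"."""
from collections import defaultdict

# Two-letter prefix of a CSF 1.1 subcategory ID -> core Function.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Constructed sample responses: (sector, CSF subcategory ID, answer).
# The subcategory IDs are real CSF 1.1 identifiers; the answers are invented.
SAMPLE_RESPONSES = [
    ("Healthcare/Public Health", "ID.AM-1", "Yes"),   # asset inventory
    ("Healthcare/Public Health", "ID.RM-1", "No"),    # risk management process
    ("Healthcare/Public Health", "PR.AC-7", "No"),    # authentication / MFA
    ("Healthcare/Public Health", "PR.AT-1", "No"),    # user training
    ("Healthcare/Public Health", "DE.CM-1", "Yes"),   # network monitoring
    ("Healthcare/Public Health", "RS.RP-1", "Yes"),   # response plan executed
    ("Healthcare/Public Health", "RC.RP-1", "N/A"),   # skipped question
    ("Financial Services", "ID.AM-1", "Yes"),
    ("Financial Services", "ID.RM-1", "Yes"),
    ("Financial Services", "PR.AC-7", "Yes"),
    ("Financial Services", "PR.AT-1", "No"),
    ("Financial Services", "DE.CM-1", "Yes"),
    ("Financial Services", "RS.RP-1", "Yes"),
    ("Financial Services", "RC.RP-1", "Yes"),
]


def function_of(subcategory_id):
    """Map 'PR.AC-7' -> 'Protect'; reject IDs outside the five CSF 1.1 Functions."""
    prefix = subcategory_id.split(".", 1)[0]
    if prefix not in FUNCTIONS:
        raise ValueError(f"unknown CSF Function prefix in {subcategory_id!r}")
    return FUNCTIONS[prefix]


def _is_answered(answer):
    return answer.strip().lower() in ("yes", "no")


def score_by_sector(responses):
    """Return {sector: {Function: pct_no, ..., "All": pct_no}}.

    "N/A" and blank answers are dropped from both numerator and denominator,
    so skipping a question neither raises nor lowers a sector's score. A
    Function with no answered items is omitted rather than reported as 0%.
    """
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # [no, answered]
    for sector, sub_id, answer in responses:
        if not _is_answered(answer):
            continue
        is_no = answer.strip().lower() == "no"
        for key in (function_of(sub_id), "All"):
            counts[sector][key][1] += 1
            if is_no:
                counts[sector][key][0] += 1
    return {sector: {key: round(100.0 * no / answered, 1)
                     for key, (no, answered) in per_fn.items()}
            for sector, per_fn in counts.items()}


def rank_sectors(scores, function="All"):
    """Sectors ordered most vulnerable first on the chosen Function."""
    return sorted(scores, key=lambda s: scores[s].get(function, -1.0), reverse=True)


def top_weaknesses(responses, n=10):
    """Across all submitters, the n subcategories most often answered "No",
    as (subcategory_id, pct_no) pairs, highest first (ties broken by ID)."""
    counts = defaultdict(lambda: [0, 0])
    for _sector, sub_id, answer in responses:
        if not _is_answered(answer):
            continue
        counts[sub_id][1] += 1
        if answer.strip().lower() == "no":
            counts[sub_id][0] += 1
    ranked = [(sub_id, round(100.0 * no / answered, 1))
              for sub_id, (no, answered) in counts.items()]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked[:n]


if __name__ == "__main__":
    scores = score_by_sector(SAMPLE_RESPONSES)
    for sector in rank_sectors(scores):
        print(sector, scores[sector])
    print("Top weaknesses:", top_weaknesses(SAMPLE_RESPONSES, 3))
```

Two design points carry over to a real assessment pipeline. Excluding “N/A” from the denominator keeps a sector that legitimately skips a question (for example, a provider with no operational technology) from appearing either safer or weaker than it is, but the number of skipped items should be reported alongside the score so that a low “No” percentage built on few answers is not over-read. Grouping by the ID prefix is what lets the same responses feed both the per-Function charts in the appendix and the cross-submitter weakness ranking; a seven-level scale such as the NCSR’s would replace the Yes/No test with a threshold on the level, with the grouping unchanged.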
Some Examples of Cyber Maturity Models
Organizations that provide essential services to the public often lack the time, expertise, and resources to manage their cyber readiness effectively. The good news is that several validated and well-designed models already exist to assist them. By conducting structured self-assessments, CI providers can use these tools to measure and manage their own cyber readiness more effectively, although technical and resource-related barriers often undermine their adoption. Some well-designed and commonly used cyber maturity models include:
1. The NIST Cybersecurity Framework (CSF): The CSF is a highly flexible and widely used framework developed by the National Institute of Standards and Technology (US Department of Commerce) to help organizations manage and reduce their cybersecurity risk. CSF 1.1 is organized around five core Functions: Identify, Protect, Detect, Respond, and Recover; CSF 2.0, released in February 2024, adds a sixth, Govern. The State of Florida has already invested heavily in NIST CSF 1.1, which was a central component of the FCRA used in Florida’s October 2022 – June 2023 statewide critical infrastructure assessment. In May 2024, Cyber Florida updated the FCRA to CSF 2.0 to include the new Govern Function.
2. HITRUST CSF: The HITRUST CSF was developed by HITRUST (originally the Health Information Trust Alliance) with healthcare organizations in mind. It harmonizes globally recognized standards and regulations, including ISO 27001, NIST, PCI DSS, and HIPAA, into a single certifiable control framework.
3. NCSR Maturity Scale: The Nationwide Cybersecurity Review (NCSR) and its seven-level maturity scale were created through a partnership between the Center for Internet Security (CIS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), with support from the US Department of Homeland Security (DHS). The NCSR is a self-assessment designed to help US state, local, tribal, and territorial (SLTT) governments evaluate their cybersecurity maturity. It measures practices across critical domains such as risk management, asset management, and incident response, and it provides a detailed analysis of an organization’s cybersecurity posture, identifying strengths and areas for improvement. Its assessment areas are based on the NIST CSF.
4. The Cybersecurity Capability Maturity Model (C2M2): C2M2 was developed by the US Department of Energy (DOE) in collaboration with industry stakeholders to help organizations in the energy sector and other critical infrastructure sectors assess and improve their cybersecurity capabilities. The model comprises ten domains, including Risk Management, Threat and Vulnerability Management, and Situational Awareness, and rates each domain against four maturity indicator levels (MIL0 through MIL3). C2M2 aims to improve an organization’s cybersecurity posture by identifying gaps and guiding the implementation of robust cybersecurity practices.
5. The Cybersecurity Maturity Model Certification (CMMC): CMMC is a program established by the US Department of Defense (DoD) to strengthen the cybersecurity posture of its supply chain, primarily contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The original model had five maturity levels, from basic cyber hygiene (Level 1) to advanced/progressive (Level 5); the current CMMC 2.0 model consolidates these into three (Level 1 Foundational, Level 2 Advanced, Level 3 Expert), each building on the previous one and drawing its practices from FAR 52.204-21, NIST SP 800-171, and NIST SP 800-172. Those practices cover areas such as access control, incident response, and situational awareness. Depending on the level and the sensitivity of the information handled, conformance is verified by annual self-assessment, by a certified third-party assessor organization (C3PAO), or by a government-led assessment, which ensures that contractors meet the requirements for protecting sensitive information.
Recommendations: A Realistic Path Forward
To ensure the cyber readiness and resilience of Florida’s critical infrastructure providers, Cyber Florida at USF recommends that the state promote and incentivize a deliberate maturity modeling approach among the state’s critical infrastructure providers. While we recognize the need for such an approach to be flexible and amenable to the unique needs and challenges of the state’s varied critical infrastructure sectors, we also recognize the value of consistency in assessing and preparing for cyber risks. With this in mind, we recommend that the state ground its maturity modeling efforts in the well-established and proven NIST Cybersecurity Framework (CSF), recognized as an industry standard and allowing for the flexibility to address the universal and unique needs of organizations across diverse sectors. In other words, this approach should be tailored to the specific needs of each critical infrastructure sector while maintaining a cohesive, statewide strategy.
We offer the following recommendations as important steps toward achieving this goal:
1. Delegate Ownership of the State’s Maturity Modeling Efforts: To streamline and ensure the effective adoption and use of maturity modeling among Florida’s CI providers, we recommend that the state delegate responsibility for overseeing these efforts to the Florida Cybersecurity Advisory Council. Under the council’s leadership, the state can coordinate efforts among state agencies, regulatory bodies, and sector-specific organizations to ensure alignment and effective use of resources and to inform future policy. The Advisory Council can also serve as a central hub for sharing best practices, providing guidance, and facilitating sector-specific adaptations of the NIST CSF.
2. Adopt Sector-Specific Maturity Models: Where appropriate, the state should leverage existing maturity models that have already tailored the NIST CSF to the needs of specific sectors; where necessary, it should use the flexibility of the NIST CSF to develop tailored maturity models for each critical infrastructure sector. This approach is consistent with recently passed legislation in Florida, particularly HB 7055, which requires local government agencies within the state to adopt cybersecurity practices “consistent with generally accepted best practices for cybersecurity, including the National Institute of Standards and Technology Cybersecurity Framework.”[14] These models should incorporate sector-specific standards and regulatory requirements, addressing each sector’s unique vulnerabilities and operational context. For instance, healthcare providers might integrate HITRUST CSF components, while energy sector organizations might use elements of the C2M2 discussed above.
3. Conduct Comprehensive Assessments: Through the appropriate regulatory agencies and stakeholder partners, the state should seek to implement structured self-assessments across all critical infrastructure providers to establish a baseline of current cybersecurity capabilities. These assessments should identify gaps in compliance with the NIST CSF’s core functions: Identify, Protect, Detect, Respond, Recover, and Govern. The results will inform targeted improvement plans and prioritize resource allocation.
4. Prioritize Training and Awareness Programs: In the interest of protecting Florida’s people, property, and prosperity, we recommend that the state increase its investment in cybersecurity awareness and training programs tailored to the specific needs of each sector, with a particular emphasis on facilitated assessments in high priority sectors and subsectors. Given that human error is a significant factor in cyber incidents, regular, sector-specific training will help to reduce vulnerabilities. These efforts should emphasize the importance of practices such as multi-factor authentication, phishing awareness, and incident response and recovery planning.
5. Incentivize Compliance and Improvement: Where possible, the state should create and leverage incentives for critical infrastructure providers to adopt and maintain high cybersecurity standards. These incentives could include eligibility for state grants, public recognition programs, and access to specialized resources or funding for cybersecurity enhancements. Regulatory bodies should consider making compliance with sector-specific maturity models a requirement for receiving certain types of state or federal funding.
6. Enhance Incident Response and Recovery Capabilities: These efforts should strengthen critical infrastructure providers’ incident response and recovery capabilities by promoting participation in regular tabletop exercises and simulations. These exercises should help CI providers test the effectiveness of their incident response plans and improve readiness for actual cyber incidents. Additionally, these efforts should ensure that all providers have robust backup and recovery processes to minimize downtime and data loss.
7. Establish Metrics and Track Progress: To ensure the effectiveness of these efforts and investments, we recommend that the state develop key performance indicators (KPIs) and benchmarks to track the progress of maturity model adoption and cybersecurity improvements across sectors. Regularly reviewing and reporting on these metrics will ensure accountability and continuous improvement. Recognizing that what gets measured, gets managed, state officials and CI providers should use these insights to adjust strategies, develop policies, and allocate resources where they are most needed.
8. Foster Public-Private Partnerships: Given the shared burden and consequences of statewide cyber resilience, we encourage the state to pursue collaboration between the public and private sectors to share intelligence, resources, and best practices. Public-private partnerships can enhance collective cyber resilience by leveraging the strengths and expertise of all sectors. These efforts should include establishing information-sharing agreements and joint initiatives to address common threats and vulnerabilities.
9. Continue to Support Research and Innovation: We applaud the state’s investments in cyber resilience and recommend that state leaders continue to invest in research and innovation to develop advanced cybersecurity technologies and methodologies and keep pace with the rapidly evolving threat environment. These efforts could include ongoing collaboration with academic institutions, private companies, federal national laboratories, and federal agencies to explore new approaches to cyber defense, and support for pilot programs that test innovative solutions in real-world settings.
10. Secure Funding and Resources: Finally, we recommend that the state ensure adequate funding and resources to support the implementation of maturity models and associated cybersecurity initiatives. Advocating for state and federal funding to bolster cybersecurity programs and infrastructure is critical in building sustainable cyber resilience. Additionally, we recommend that the state allocate resources strategically to address the most critical
The state can enhance its cyber readiness and resilience by adopting a maturity modeling approach tailored to the specific needs of Florida’s critical infrastructure sectors. These recommendations provide a structured path forward, ensuring that all critical infrastructure providers can effectively measure, manage, and improve their cybersecurity posture without being overburdened by adopting maturity modeling practices. Through coordinated efforts, sector-specific adaptations, and continuous improvement, Florida can continue to protect its people, property, and prosperity from emerging cyber threats.
Appendix A
Figure A1. Sector-by-sector weaknesses (all CSF Functions). Sectors shown: Financial Services, Healthcare/Public Health, Government Services, Emergency Services, Information Technology. Aggregate percentage of “No” responses when asked whether the organization met a particular standard; a higher score indicates a greater level of vulnerability. (Chart omitted.)
Figure A2. Sector-by-sector “Protect” weaknesses. Same sectors and scoring as Figure A1. (Chart omitted.)
Figure A3. Sector-by-sector “Detect” weaknesses. Same sectors and scoring as Figure A1. (Chart omitted.)
Figure A4. Sector-by-sector “Recover” weaknesses. Same sectors and scoring as Figure A1. (Chart omitted.)
Figure A5. Sector-by-sector “Respond” weaknesses. Same sectors and scoring as Figure A1. (Chart omitted.)
Notes
1. Kaplan, R. S., & Norton, D. P. (1996). The Balanced Scorecard: Translating Strategy into Action. Harvard Business School Press.
2. McKinsey & Company. (2021). Organizational Cyber Maturity: A Survey of Industries. https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/organizational-cyber-maturity-a-survey-of-industries
3. Lyngaas, S., & Rind, D. (2023, February 3). Apparent Cyberattack Forces Florida Hospital System to Divert Some Emergency Patients to Other Facilities. CNN. https://www.cnn.com/2023/02/03/politics/cyberattack-hospital-tallahassee-memorial-florida/index.html
4. Due to the sensitive nature of the data, this report is confidential and available only to certain users upon request.
5. Burlew, J. (2023, February 8). What’s Going on at TMH? Experts Say Incident Has Telltale Signs of a Ransomware Attack. Tallahassee Democrat. https://www.tallahassee.com/story/news/local/2023/02/08/tallahassee-hospital-it-security-event-has-signs-of-ransomware-attack/69882843007/
6. Hildreth, R. (2023, October 11). Florida Schools Latest Target in Escalating Cyber Attacks. Fox 35 (Orlando). https://www.fox35orlando.com/news/increase-reported-in-hackers-and-scammers-targeting-schools
7. Johnson, B. (2023, October 20). First Circuit Chief Judge Confirms Personal Data Was Breached in Courthouse Cyberattack. Pensacola News Journal. https://www.pnj.com/story/news/local/escambia-county/2023/10/20/alphvblackcat-claim-cyber-attack-on-escambia-santa-rosa-courts/71135573007/
8. Riley, E. (2023, March 20). Hackers Threaten to Release Washington County Sheriff’s Office Personal Data. My Panhandle. https://www.mypanhandle.com/news/local-news/hackers-threaten-to-release-washington-county-sheriffs-office-personal-data/
9. Cyber Florida. Critical Infrastructure Protection Program. https://cyberflorida.org/cip
10. Cybersecurity and Infrastructure Security Agency. Downloading and Installing CSET. https://www.cisa.gov/downloading-and-installing-cset
11. Cybersecurity and Infrastructure Security Agency. (2021, June 30). CISA’s CSET Tool Sets Sights on Ransomware Threat. https://www.cisa.gov/news-events/alerts/2021/06/30/cisas-cset-tool-sets-sights-ransomware-threat
12. Cybersecurity and Infrastructure Security Agency. Cross-Sector Cybersecurity Performance Goals. https://www.cisa.gov/cross-sector-cybersecurity-performance-goals
13. Center for Internet Security (CIS). Nationwide Cybersecurity Review. https://www.cisecurity.org/ms-isac/services/ncsr
14. Florida House of Representatives. (2022). CS/HB 7055. https://www.flsenate.gov/Session/Bill/2022/7055/BillText/er/PDF