
Florida Cybersecurity Standards (FCS) 74-2, F.A.C.

FCS Risk Assessment Tool (V1.0)

PLEASE DO NOT MAKE ANY CHANGES TO THIS PAGE!

Instructions - Read this first.

Purpose: The purpose of this tool is to offer agencies a uniform way to comply with risk assessment requirements outlined in section 282.318, Florida Statutes, and the Florida
Cybersecurity Standards (74-1, Florida Administrative Code). Information populated into this risk assessment tool is confidential and exempt pursuant to section 282.318(5), Florida
Statutes. Any questions about how this tool works or suggestions can be directed to CISO@ast.myflorida.com (see hyperlink in LINKS section below)

How To Use: Complete cover sheet first. Then worksheets with gray shaded tab color (e.g. "Instructions" and "Exec. Mgmt. Graphs", etc.) are for informational or calculation purposes
only and should not be edited. There are a total of 22 input sheets, beginning with "ID.AM" and ending with "RC.CO", with tab colors to indicate which of the 5 FCS function unique
identifiers applies to the sheet. Input sheets contain pop-up comments that offer column guidance, which will appear when the mouse pointer hovers over a cell in the header rows.

On each input sheet, the only cells that need to be entered are initially unshaded (white). Shading of a cell indicates that no input is needed, or that data has already been entered
into that cell. Most input cells use drop-down interaction, while a small number require text or numeric input. Once the cell is updated, the cell color will change to gray indicating the
cell has been updated. As cells are updated, calculated cells and dashboards throughout the entire workbook will be automatically updated.

Please note: drop down menus left unselected will assume the maximum cell value (highest risk) for calculations. If there are circumstances that require adjusting a risk level to the
maximum when the primary threat source is not "adversarial", then the menu should be left unselected and comments added in the "Risk Assessment Consideration Comments" cell.

Exec. Mgmt. Graphs and ISM Graphs: Based on assessor selections, the assessment tool automatically populates a number of graphs and summaries on tabs labeled "Exec. Mgmt.
Graphs" and "ISM Graphs". These tabs are located near the end of the workbook, and require no assessor interaction. Please do not modify any cells in these tabs.

Risk Assessment Framework: This risk assessment tool is based on the Florida Cybersecurity Standards for information technology (IT) resources as documented in 74-1 F.A.C. This
rule is modeled after the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, February 12, 2014 and the Federal
Information Security Management Act of 2002 (44 U.S.C. §3541, et seq.).

The FCS addresses all cybersecurity domains. This tool uses risk aggregation to group similar remediation activities. While risk assessment activities vary, remediation strategies map
to one of the twenty-two FCS categories. For example, an assessor may find access control not properly managed, resulting in critical risk to the organization. Detail all tactical
remediation activities related to access control in the access control remediation recommendation cell (column L of input sheet). While there may be activities that affect other areas,
the primary mitigation objective shall fall into the most closely related category.

LINKS:
CISO@ast.myflorida.com
Florida Cybersecurity Standards, 74-2 F.A.C.
282.318, Florida Statutes
NIST Framework for Improving Critical Infrastructure Cybersecurity

Florida Cybersecurity Standards 74-2 F.A.C


Function and Category Codes
(worksheet colors correspond to function color)

Subcategories contain more detailed areas to be addressed within the associated category, and activities to be performed are defined within the subcategories.
Subcategories are numbered after a hyphen (ID.AM-1). Activities within subcategories have an additional suffix (ID.AM-1.1).

Function Unique Identifier | Function | Category Unique Identifier | Category
ID | Identify | ID.AM | Asset Management
ID | Identify | ID.BE | Business Environment
ID | Identify | ID.GV | Governance
ID | Identify | ID.RA | Risk Assessment
ID | Identify | ID.RM | Risk Management Strategy
PR | Protect | PR.AC | Access Control
PR | Protect | PR.AT | Awareness & Training
PR | Protect | PR.DS | Data Security
PR | Protect | PR.IP | Information Protection Processes & Procedures
PR | Protect | PR.MA | Maintenance
PR | Protect | PR.PT | Protective Technology
DE | Detect | DE.AE | Anomalies & Events
DE | Detect | DE.CM | Security Continuous Monitoring
DE | Detect | DE.DP | Detection Processes
RS | Respond | RS.RP | Response Planning
RS | Respond | RS.CO | Communications
RS | Respond | RS.AN | Analysis
RS | Respond | RS.MI | Mitigation
RS | Respond | RS.IM | Improvements
RC | Recover | RC.RP | Recovery Planning
RC | Recover | RC.IM | Improvements
RC | Recover | RC.CO | Communications

Maturity
Definition
Level
Cover Sheet
Florida Cybersecurity Standards (FCS) 74-2, F.A.C.
FCS Risk Assessment Tool (V1.0)

Agency Name: <Agency Name>


Point of Contact:
Completion Date:
Assessor Type: Select A Response

AST FASTdocs ID: AST-ISO-F-0001


Note: Submission date will be captured by SFTP server timestamp.


Post Assessment Activities
Florida Cybersecurity Standards (FCS) 74-2, F.A.C.
FCS Risk Assessment Tool (V1.0)
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: IDENTIFY (ID) Category: ASSET MANAGEMENT (AM)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering ID.AM-1 through ID.AM-6]

ID.AM (Rule 74-2.002, F.A.C.)


Each agency shall ensure that IT resources are identified and managed. Identification and
management shall be consistent with the IT resource’s relative importance to business
objectives and the organization’s risk strategy.
FCS ID    FCS Category and Detail Description (Uniform Criteria)

ID.AM Identify and manage data, personnel, devices, systems, and facilities that enable business objective achievement consistent with the asset’s relative importance to business goals and organization risk strategy.
Assess the organization's ability to:

ID.AM-1 Inventory and manage physical devices and systems.
ID.AM-2 Inventory and manage software platforms and applications.
ID.AM-3 Map and regulate data flows based on data classification.
ID.AM-4 Catalog interdependent external information systems.
ID.AM-5 Categorize, prioritize, and document information technology resources based on their classification, criticality, and business value.
ID.AM-6 Establish cybersecurity roles and responsibilities for the entire workforce and third party stakeholders

Average Maturity
Average Risk Severity
Count of Critical Severity Items
Count of High Severity Items
Count of Medium Severity Items
Count of Low Severity

ID.AM-1 Risk Severity


ID.AM-2 Risk Severity
ID.AM-3 Risk Severity
ID.AM-4 Risk Severity
ID.AM-5 Risk Severity
ID.AM-6 Risk Severity
Estimated Total Time and Total Cost
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: IDENTIFY (ID) Category: BUSINESS ENVIRONMENT (BE)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering ID.BE-1 through ID.BE-5]

ID.BE (Rule 74-2.002, F.A.C.)


Each agency's cybersecurity roles, responsibilities, and IT risk management decisions
shall align with the agency's mission, objectives, and activities.
FCS ID    FCS Category and Detail Description (Uniform Criteria)

ID.BE Identify and manage data, personnel, devices, systems, and facilities that enable business objective achievement consistent with the asset’s relative importance to business goals and organization risk strategy.
Assess the organization's ability to:

ID.BE-1 Identify and communicate the organization’s role in the business mission of the state.
ID.BE-2 Identify and communicate the organization’s place in critical infrastructure and industry sector to inform internal stakeholders of strategy and direction.
ID.BE-3 Establish and communicate priorities for agency mission, objectives, and activities.
ID.BE-4 Identify system dependencies and critical functions for delivery of critical services
ID.BE-5 Establish cybersecurity roles and responsibilities for the entire workforce and third party stakeholders

Average Maturity
Average Risk Severity
Count of Critical Severity Items
Count of High Severity Items
Count of Medium Severity Items
Count of Low Severity
ID.BE-1 Risk Severity
ID.BE-2 Risk Severity
ID.BE-3 Risk Severity
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: IDENTIFY (ID) Category: GOVERNANCE (GV)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering ID.GV-1 through ID.GV-4]

ID.GV (Rule 74-2.002, F.A.C.)


Each agency shall establish policies, procedures, and processes to manage and monitor
the agency’s regulatory, legal, risk, environmental, and operational IT requirements.
Procedures shall address providing timely notification to management of cybersecurity
risks.

Column group headings: Assessor Rating; Risk Assessment Considerations

FCS ID | FCS Category and Detail Description (Uniform Criteria) | Assessed Maturity Level (Top Row Auto-Calculates Average) | Primary Threat | Likelihood of Threat Occurrence
ID.GV | Understand policies, procedures, and processes used to manage and monitor regulatory, legal, risk, environmental, and operational requirements and use the knowledge to drive management of cyber security risk. Assess the organization's ability to: | 1% | |
ID.GV-1 | Establish or adopt a comprehensive information security policy. | Select A Response | Select A Response | Select A Response
ID.GV-2 | Coordinate and align information security roles and responsibilities with internal roles and external partners. | Select A Response | Select A Response | Select A Response
ID.GV-3 | Document and manage legal and regulatory requirements regarding cybersecurity, including privacy, and civil-liberty obligations. | Select A Response | Select A Response | Select A Response
ID.GV-4 | Ensure governance and risk management processes address cybersecurity risks | Select A Response | Select A Response | Select A Response
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: IDENTIFY (ID) Category: RISK ASSESSMENT (RA)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering ID.RA-1 through ID.RA-6]

ID.RA (Rule 74-2.002, F.A.C.)


Agencies are also required to consider the security objectives and determine what kind of assessment is required and when or how often an assessment is to occur: confidentiality, integrity and availability. When det
these security objectives agencies will use the table from the Federal Information Processing Standards (FIPS) Publication No. 199 (February 2004) and may be found at:
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.

Each agency shall identify and manage the cybersecurity risk to agency operations (including
mission, functions, image, or reputation), agency assets, and individuals using the approach
outlined in section 74-2.002(4), F.A.C.
FCS ID    FCS Category and Detail Description (Uniform Criteria)

ID.RA Understand cybersecurity risk to operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Assess the organization's ability to:

ID.RA-1 Identify and document asset vulnerabilities.
ID.RA-2 Use threat and vulnerability information from information sharing forums and sources.
ID.RA-3 Identify and document internal and external threats.
ID.RA-4 Identify potential business impacts and likelihoods.
ID.RA-5 Use threats, vulnerabilities, likelihoods, and impacts to determine risk.
ID.RA-6 Identify and prioritize risk responses, implement risk mitigation plans, and monitor and document implementation of plans.
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: IDENTIFY (ID) Category: RISK MANAGEMENT STRATEGY (RM)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering ID.RM-1 through ID.RM-3]

ID.RM (Rule 74-2.002, F.A.C.)


Each agency shall ensure that the organization’s priorities, constraints, risk tolerances, and
assumptions are established and used to support operational risk decisions.
FCS ID    FCS Category and Detail Description (Uniform Criteria)

ID.RM Establish priorities, constraints, risk tolerances, and assumptions to support operational risk decisions.
Assess the organization's ability to:

ID.RM-1 Establish and manage risk management processes in agreement with stakeholders and management
ID.RM-2 Organizational risk tolerance is determined and clearly expressed.
ID.RM-3 Determine risk tolerance as necessary based upon analysis of risk specific sector, industry, and agency role in state mission.
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: PROTECT (PR) Category: ACCESS CONTROL (AC)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering PR.AC-1 through PR.AC-5]

PR.AC (Rule 74-2.003, F.A.C.)


Each agency shall ensure that access to IT resources is limited to authorized users,
processes, or devices, and to authorized activities and transactions.
FCS ID    FCS Category and Detail Description (Uniform Criteria)

PR.AC Access to IT resources is limited to authorized users, processes, or devices and used for authorized activities and transactions.
Assess the organization's ability to:

PR.AC-1 Manage identities and credentials for authorized devices and users.
PR.AC-2 Manage and protect physical access to IT resources.
PR.AC-3 Manage remote access to IT resources.
PR.AC-4 Manage access permissions while incorporating principles of least privilege and separation of duties.
PR.AC-5 Protect network integrity while incorporating network segregation where appropriate.
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: PROTECT (PR) Category: AWARENESS & TRAINING (AT)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering PR.AT-1 through PR.AT-5]

PR.AT (Rule 74-2.003, F.A.C.)


Agencies shall provide all their workers cybersecurity awareness education and training so as to
ensure they perform their information security-related duties and responsibilities consistent with
agency policies and procedures
FCS ID    FCS Category and Detail Description (Uniform Criteria)

PR.AT Provide all workers cybersecurity awareness education and training to ensure performance consistent with policies and procedures.
Assess the organization's ability to:

PR.AT-1 Inform and train all users of information technology.
PR.AT-2 Ensure privileged users understand their roles and responsibilities.
PR.AT-3 Ensure third-party stakeholders (e.g., suppliers, customers, partners, etc.) understand their roles and responsibilities.
PR.AT-4 Ensure senior executives understand their roles and responsibilities.
PR.AT-5 Ensure physical and information security personnel understand their roles and responsibilities.
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: PROTECT (PR) Category: DATA SECURITY (DS)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering PR.DS-1 through PR.DS-7]

PR.DS (Rule 74-2.003, F.A.C.)


Each agency shall manage and protect records and data, including data-at-rest, consistent with
the organization’s risk strategy to protect the confidentiality, integrity, and availability of
information. Agencies shall establish procedures, and develop and maintain agency cryptographic
implementations. Key management processes and procedures for cryptographic keys used for
encryption of data will be fully documented and will cover key generation, distribution, storage,
periodic changes, compromised key processes, and prevention of unauthorized substitution. Also,
key management processes must be in place and verified prior to encrypting data at rest, to
prevent data loss and support availability.
FCS ID    FCS Category and Detail Description (Uniform Criteria)

PR.DS Manage and protect records and data, including data-at-rest, consistent with risk strategy to protect information confidentiality, integrity, and availability of information.
Assess the organization's ability to:

PR.DS-1 Protect data-at-rest.
PR.DS-2 Protect data-in-transit
PR.DS-3 Formally manage assets throughout removal, transfers, and disposition.
PR.DS-4 Maintain adequate capacity to ensure availability.
PR.DS-5 Implement protections against data leaks or unauthorized data disclosures.
PR.DS-6 Use integrity checking mechanisms to verify software, firmware, and information integrity.
PR.DS-7 Maintain development and test environment(s) separate from production environments.

Average Maturity
Average Risk Severity
Count of Critical Severity Items
Count of High Severity Items
Count of Medium Severity Items
Count of Low Severity

PR.DS-1 Risk Severity


PR.DS-2 Risk Severity
PR.DS-3 Risk Severity
PR.DS-4 Risk Severity
PR.DS-5 Risk Severity
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: PROTECT (PR) Category: INFORMATION PROTECTION, PROCESSES &
PROCEDURES (IP)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering PR.IP-1 through PR.IP-12]

PR.IP (Rule 74-2.003, F.A.C.)


Each agency shall ensure that security policies, processes and procedures are maintained and
used to manage protection of information systems and assets.
FCS ID    FCS Category and Detail Description (Uniform Criteria)

PR.IP Maintain and use security policies, processes, and procedures to protect information system assets.
Assess the organization's ability to:

PR.IP-1 Create and maintain a baseline configuration of information technology and industrial control systems.
PR.IP-2 Implement a System Development Life Cycle to manage systems.
PR.IP-3 Establish configuration change control processes.
PR.IP-4 Conduct, maintain, and periodically test information backups.
PR.IP-5 Establish policy and regulations regarding physical operating environment for assets.
PR.IP-6 Manage and dispose of data according to regulatory and policy requirements.
PR.IP-7 Continuously improve protection processes.
PR.IP-8 Share effectiveness of protection technologies with stakeholders.
PR.IP-9 Establish and manage response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery).
PR.IP-10 Regularly test response and recovery plans.
PR.IP-11 Include cybersecurity in human resources practices (e.g. de-provisioning, personnel screening, etc.).
PR.IP-12 Develop and implement a vulnerability management plan.

Average Maturity
Average Risk Severity
Count of Critical Severity Items
Count of High Severity Items
Count of Medium Severity Items
Count of Low Severity

PR.IP-1 Risk Severity


PR.IP-2 Risk Severity
PR.IP-3 Risk Severity
PR.IP-4 Risk Severity
PR.IP-5 Risk Severity
PR.IP-6 Risk Severity
PR.IP-7 Risk Severity
PR.IP-8 Risk Severity
PR.IP-9 Risk Severity
PR.IP-10 Risk Severity
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: PROTECT (PR) Category: MAINTENANCE (MA)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering PR.MA-1 and PR.MA-2]

PR.MA (Rule 74-2.003, F.A.C.)


Each agency shall perform maintenance and repairs of information systems and components
consistent with agency-developed policies and procedures.
FCS ID    FCS Category and Detail Description (Uniform Criteria)

PR.MA Perform maintenance and repairs of information systems and components consistent with policies and procedures.
Assess the organization's ability to:

PR.MA-1 Perform and log maintenance and repair of assets in a timely manner with approved and controlled tools.
PR.MA-2 Approve, encrypt, log, and perform remote maintenance of in a manner that prevents unauthorized access.
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: PROTECT (PR) Category: PROTECTIVE TECHNOLOGY (PT)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering PR.PT-1 through PR.PT-4]

PR.PT (Rule 74-2.003, F.A.C.)


Agency shall ensure that technical security solutions are managed to ensure the security and
resilience of systems and assets, consistent with related policies, procedures, and agreements.
FCS ID    FCS Category and Detail Description (Uniform Criteria)

PR.PT Manage technical security solutions to ensure security and resilience of systems and assets consistent with related policies, procedures, and agreements.
Assess the organization's ability to:

PR.PT-1 Determine and document required audit and log records and implement, protect, and review in accordance with policy.
PR.PT-2 Protect removable media and restrict its use according to policy.
PR.PT-3 Control access to systems and assets, incorporating the principle of least trust.
PR.PT-4 Protect communications and control networks by establishing perimeter security measures to prevent unauthorized connections to resources.

Average Maturity
Average Risk Severity
Count of Critical Severity Items
Count of High Severity Items
Count of Medium Severity Items
Count of Low Severity

PR.PT-1 Risk Severity


PR.PT-2 Risk Severity
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: DETECT (DE) Category: ANOMALIES & EVENTS (AE)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering DE.AE-1 through DE.AE-5]

DE.AE (Rule 74-2.004, F.A.C.)


Each agency shall develop policies and procedures that will facilitate detection of anomalous
activity in a timely manner and that will allow the agency to understand the potential impact of
events.
FCS ID    FCS Category and Detail Description (Uniform Criteria)

DE.AE Develop policies and procedures that facilitate detection of anomalous activity in a timely manner and allow insight into event impact potential.
Assess the organization's ability to:

DE.AE-1 Establish and manage a baseline of network operations and expected data flows for users and systems.
DE.AE-2 Detect and analyze anomalous events to determine attack targets and methods.
DE.AE-3 Aggregate and correlate event data from multiple sources and sensors.
DE.AE-4 Determine the impact of events.
DE.AE-5 Establish incident alert thresholds.

Average Maturity
Average Risk Severity
Count of Critical Severity Items
Count of High Severity Items
Count of Medium Severity Items
Count of Low Severity
DE.AE-1 Risk Severity
DE.AE-2 Risk Severity
DE.AE-3 Risk Severity
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: DETECT (DE) Category: SECURITY CONTINUOUS MONITORING (CM)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering DE.CM-1 through DE.CM-8]

DE.CM (Rule 74-2.004, F.A.C.)


Each agency shall determine the appropriate level of monitoring that will occur regarding IT
resources necessary to identify cybersecurity events and verify the effectiveness of protective
measures.
FCS ID    FCS Category and Detail Description (Uniform Criteria)

DE.CM Determine the appropriate level of monitoring of information technology resources necessary to identify cybersecurity events and verify the effectiveness of protective measures.
Assess the organization's ability to:

DE.CM-1 Monitor network to detect potential cybersecurity events.
DE.CM-2 Monitor the physical environment to detect potential cybersecurity events.
DE.CM-3 Monitor user activity to detect potential cybersecurity events.
DE.CM-4 Monitor for malicious code.
DE.CM-5 Monitor for unauthorized mobile code.
DE.CM-6 Monitor external service provider activity to detect potential cybersecurity events.
DE.CM-7 Monitor for unauthorized personnel, connections, devices, and software.
DE.CM-8 Perform vulnerability scans

Average Maturity
Average Risk Severity
Count of Critical Severity Items
Count of High Severity Items
Count of Medium Severity Items
Count of Low Severity

DE.CM-1 Risk Severity


DE.CM-2 Risk Severity
DE.CM-3 Risk Severity
DE.CM-4 Risk Severity
DE.CM-5 Risk Severity
DE.CM-6 Risk Severity
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: DETECT (DE) Category: DETECTION PROCESS (DP)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering DE.DP-1 through DE.DP-5]

DE.DP (Rule 74-2.004, F.A.C.)


Each agency shall maintain and test detection processes and procedures to ensure timely and
adequate awareness of anomalous events
FCS ID    FCS Category and Detail Description (Uniform Criteria)

DE.DP Maintain and test detection processes and procedures to ensure timely and adequate awareness of anomalous events.
Assess the organization's ability to:

DE.DP-1 Define roles and responsibilities for detection to ensure accountability.
DE.DP-2 Ensure that detection activities comply with all applicable requirements.
DE.DP-3 Test detection processes
DE.DP-4 Communicate event detection information to stakeholders that should or must receive the information.
DE.DP-5 Continuously improve detection processes

Average Maturity
Average Risk Severity
Count of Critical Severity Items
Count of High Severity Items
Count of Medium Severity Items
Count of Low Severity

DE.DP-1 Risk Severity


DE.DP-2 Risk Severity
DE.DP-3 Risk Severity
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: RESPOND (RS) Category: RESPONSE PLANNING (RP)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering RS.RP-1]

RS.RP (Rule 74-2.005, F.A.C.)


Each agency shall establish and maintain response processes and procedures and validate
execution capability to ensure timely agency response for detected cybersecurity events
FCS ID    FCS Category and Detail Description (Uniform Criteria)

RS.RP Establish and maintain processes and procedures and validate execution capability to ensure timely response for detected cybersecurity events.
Assess the organization's ability to:

RS.RP-1 Execute a response plan during or after an event.

Average Maturity
Average Risk Severity
Count of Critical Severity Items
Count of High Severity Items
Count of Medium Severity Items
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: RESPOND (RS) Category: COMMUNICATIONS (CO)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering RS.CO-1 through RS.CO-5]

RS.CO (Rule 74-2.005, F.A.C.)


Each agency shall coordinate response activities with internal and external stakeholders, as
appropriate, to include external support from law enforcement agencies
FCS ID    FCS Category and Detail Description (Uniform Criteria)

RS.CO Coordinate response activities with internal and external stakeholders, including law enforcement as appropriate.
Assess the organization's ability to:

RS.CO-1 Inform workers of their roles and order of operations when a response is needed.
RS.CO-2 Report events consistent with established criteria.
RS.CO-3 Share information consistent with response plans.
RS.CO-4 Coordinate with stakeholders consistent with response plans.
RS.CO-5 Establish communications with external stakeholders to achieve broader cybersecurity situational awareness

Average Maturity
Average Risk Severity
Count of Critical Severity Items
Count of High Severity Items
Count of Medium Severity Items
Count of Low Severity

RS.CO-1 Risk Severity


RS.CO-2 Risk Severity
RS.CO-3 Risk Severity
RS.CO-4 Risk Severity
RS.CO-5 Risk Severity
Estimated Total Time and Total Cost
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: RESPOND (RS) Category: ANALYSIS (AN)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering RS.AN-1 through RS.AN-4]

RS.AN (Rule 74-2.005, F.A.C.)


Each agency shall conduct analysis to adequately respond and support recovery activities.
FCS ID    FCS Category and Detail Description (Uniform Criteria)

RS.AN Conduct analysis to adequately respond to and support recovery activities.
Assess the organization's ability to:

RS.AN-1 Establish notification thresholds and investigate notifications from detection systems.
RS.AN-2 Assess and identify the impact of incidents.
RS.AN-3 Perform forensics as deemed appropriate.
RS.AN-4 Categorize incidents consistent with response plans.

Average Maturity
Average Risk Severity
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: RESPOND (RS) Category: MITIGATION (MI)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering RS.MI-1 through RS.MI-3]

RS.MI (Rule 74-2.005, F.A.C.)


Each agency shall perform incident mitigation activities.
FCS ID    FCS Category and Detail Description (Uniform Criteria)

RS.MI Perform incident mitigation activities that attempt to contain and prevent the recurrence of incidents.
Assess the organization's ability to:

RS.MI-1 Contain and prevent recurrence of incidents.
RS.MI-2 Mitigate incident effects and eradicate incidents.
RS.MI-3 Mitigate, or document as accepted, newly identified vulnerabilities.

Average Maturity
Average Risk Severity
Count of Critical Severity Items
Count of High Severity Items
Count of Medium Severity Items
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: RESPOND (RS) Category: IMPROVEMENTS (IM)
<Agency Name>

[Charts: "Risk Severity By Subcategory" (Low, Medium, High, Critical) and "Cost To Remediate By Subcategory", covering RS.IM-1 and RS.IM-2]

RS.IM (Rule 74-2.005, F.A.C.)


Each agency shall improve organizational response activities by incorporating lessons learned
from current and previous detection/response activities into response plans and updating
response strategies in accordance with established policy.
FCS ID     FCS Category and Detail Description (Uniform Criteria)

RS.IM      Improve response activities by incorporating lessons learned from current and previous detection/response activities into response plans.
           Assess the organization's ability to:

RS.IM-1    Incorporate lessons learned in response plans.

RS.IM-2    Update response strategies.


Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: RECOVER (RC) Category: RECOVERY PLANNING (RP)
<Agency Name>

[Charts: Risk Severity By Subcategory (legend: Low, Medium, High, Critical; axis: Risk Severity) and Cost To Remediate By Subcategory (axis: Cost), covering RC.RP-1; cost shown as $0.]

RC.RP (Rule 74-2.006, F.A.C.)


Each agency shall execute and maintain recovery processes and procedures to ensure timely
restoration of systems or assets affected by cybersecurity events.
FCS ID     FCS Category and Detail Description (Uniform Criteria)

RC.RP      Execute and maintain recovery processes and procedures to ensure timely restoration of systems or assets affected by cybersecurity events.
           Assess the organization's ability to:

RC.RP-1    Execute recovery plan during or after an event.

Average Maturity
Average Risk Severity
Count of Critical Severity Items
Count of High Severity Items
Count of Medium Severity Items
Count of Low Severity
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: RECOVER (RC) Category: IMPROVEMENTS (IM)
<Agency Name>

[Charts: Risk Severity By Subcategory (legend: Low, Medium, High, Critical; axis: Risk Severity) and Cost To Remediate By Subcategory (axis: Cost), covering RC.IM-1 and RC.IM-2; all costs shown as $0.]

RC.IM (Rule 74-2.006, F.A.C.)


Each agency shall improve recovery planning and processes by incorporating lessons learned into
future activities.

FCS ID     FCS Category and Detail Description (Uniform Criteria)

RC.IM      Improve recovery planning and processes by incorporating lessons learned into future activities.
           Assess the organization's ability to:

RC.IM-1    Incorporate lessons learned into recovery plans.

RC.IM-2    Update internal recovery strategies.

Average Adjusted Maturity


Average Risk Severity
Count of Critical Severity Items
Count of High Severity Items
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: RECOVER (RC) Category: COMMUNICATIONS (CO)
<Agency Name>

[Charts: Risk Severity By Subcategory (legend: Low, Medium, High, Critical; axis: Risk Severity) and Cost To Remediate By Subcategory (axis: Cost), covering RC.CO-1 through RC.CO-3; all costs shown as $0.]

RC.CO (Rule 74-2.006, F.A.C.)


Each agency shall coordinate restoration activities with internal and external parties, such as
coordinating centers, Internet Service Providers, owners of attacking systems, victims, other
CSIRTs, and vendors.

FCS ID     FCS Category and Detail Description (Uniform Criteria)

RC.CO      Coordinate restoration activities with internal and external parties such as coordinating centers, Internet service providers, owners of attacking systems, victims, other CSIRTs, and vendors.
           Assess the organization's ability to:

RC.CO-1    Manage public relations.

RC.CO-2    Work to repair reputation after an event.

RC.CO-3    Communicate recovery activities to internal and external stakeholders as appropriate.

Average Maturity
Average Risk Severity
Count of Critical Severity Items
Count of High Severity Items
Count of Medium Severity Items
Count of Low Severity



Drop Down Menu Items and Values
Florida Cybersecurity Standards (FCS) 74-2, F.A.C.
FCS Risk Assessment Tool (V1.0)

DO NOT CHANGE ANY VALUES ON THIS PAGE!

Severity Levels      Min     Max
Low                  0       799
Medium               800     2799
High                 2800    4999
Critical             5000    400000

Likelihood and Impact    Weight
Select A Response        100
Very Low                 10
Low                      25
Medium                   50
High                     75
Very High                100

Maturity Level       Weight    Progress
Select A Response    1         0.01
Non-Existent         1         0.01
Initial              10        0.1
Developing           20        0.2
Defined              50        0.5
Managed              80        0.8
Optimized            90        0.9

Threat               Weight
Select A Response    40
Environmental        10
Structural           20
Accidental           30
Adversarial          40

Incomplete For drop downs

Primary Risk Categories      Abbreviations
Select A Response            Unassigned
Expense                      Expense
Mission                      Mission
Public Trust                 Public Trust
Regulation and Compliance    Reg. & Compliance
Revenue                      Revenue

Assessor Type
Select A Response
Agency Self-Assessed
Independent Third Party

FCS ID    Function    Category                                       Abbreviated Description
ID.AM     Identity    Asset Management                               Asset Management
ID.BE     Identity    Business Environment                           Business Environment
ID.GV     Identity    Governance                                     Governance
ID.RA     Identity    Risk Assessment                                Risk Assessment
ID.RM     Identity    Risk Management Strategy                       Risk Management Strategy
PR.AC     Protect     Access Control                                 Access Control
PR.AT     Protect     Awareness & Training                           Training
PR.DS     Protect     Data Security                                  Data Security
PR.IP     Protect     Information Protection Processes & Procedures  Info. Protection Processes
PR.MA     Protect     Maintenance                                    Maintenance
PR.PT     Protect     Protective Technology                          Protective Technology
DE.AE     Detect      Anomalies & Events                             Anomalies and Events
DE.CM     Detect      Security Continuous Monitoring                 Continuous Monitoring
DE.DP     Detect      Detection Processes                            Detection Processes
RS.RP     Respond     Response Planning                              Response Planning
RS.CO     Respond     Communications                                 Response Communications
RS.AN     Respond     Analysis                                       Response Analysis
RS.MI     Respond     Mitigation                                     Response Mitigation
RS.IM     Respond     Improvements                                   Response Improvements
RC.RP     Recover     Recovery Planning                              Recovery Planning
RC.IM     Recover     Improvements                                   Recovery Improvements
RC.CO     Recover     Communications                                 Recovery Communications

Titles
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
FCS Risk Assessment Tool (V1.0)
Florida Cybersecurity Standards (FCS) 74-2, F.A.C.

Document Version Control

Date        Version    By                 Comments
8/1/2016    1.0        Kayren McIntyre    Initial release FASTdocs # AST-ISO-F-001

Please Note: Information populated into this risk assessment tool is confidential and exempt pursuant to s. 282.318(5), F.S.
Executive Management Graphs
Florida Cybersecurity Standards (FCS) 74-2, F.A.C.
FCS Risk Assessment Tool (V1.0)

<Agency Name>

PLEASE DO NOT MAKE ANY CHANGES TO THIS PAGE!

Remediation Distribution Across Primary Business Risk Categories

[Chart: Distribution of Primary Business Risks. Legend: Expense, Mission, Public Trust, Regulation and Compliance, Revenue. Axis: Number of Control Categories Per Business Risk Category.]

Risk Severity Distribution Across Remediation Strategies

[Chart: Distribution of Risk Severity Levels. Axis: Number of Control Categories Per Severity Level. Values shown: Critical 22, High 0, Medium 0, Low 0.]

Breakout of Remediation Strategy Categories Associated With Each Risk Severity Level

CRITICAL                                HIGH    MEDIUM    LOW
1 ID.AM: Asset Management
2 ID.BE: Business Environment
3 ID.GV: Governance
4 ID.RA: Risk Assessment
5 ID.RM: Risk Management Strategy
6 PR.AC: Access Control
7 PR.AT: Training
8 PR.DS: Data Security
9 PR.IP: Info. Protection Processes
10 PR.MA: Maintenance
11 PR.PT: Protective Technology
12 DE.AE: Anomalies and Events
13 DE.CM: Continuous Monitoring
14 DE.DP: Detection Processes
15 RS.RP: Response Planning
16 RS.CO: Response Communications
17 RS.AN: Response Analysis
18 RS.MI: Response Mitigation
19 RS.IM: Response Improvements
20 RC.RP: Recovery Planning
21 RC.IM: Recovery Improvements
22 RC.CO: Recovery Communications

Individual Time, Cost, and Severity Estimates for the Top 5 Remediation Priorities (Per Overlay Priority Value)

[Charts: Top 5 Risk Severity - Priorities (legend: Low, Medium, High, Critical; axes: Risk Severity Priority, Risk Severity and Business Risk); Cost To Remediate The Top 5 Risks (axes: Risk Severity Priority, Cost; all $0); Time To Remediate The Top 5 Risks (axes: Risk Severity Priority, Time In Months; all 0).]

Total Estimated Remediation Costs and Time (with slice for Top 5 Remediation Priorities)

[Charts: Cost Estimates for Total and Top 5 Risks (legend: Top 5, Other; Total Cost $0); Time Estimates for Total and Top 5 Risks (legend: Top 5, Other; Total Time Estimate (Months) 0).]

Combined Time, Cost, and Severity Estimates for the Top 5 Remediation Priorities (Per Overlay Priority Value)

[Chart: Top 5 Risk Items: Time, Cost, and Risk Severity. Axes: Remediation Cost; Time To Remediate (Months) - bubble size and color represents severity. Severity Legend: Low, Medium, High, Critical.]

Risk Rank    FCS-ID                        Severity    Cost    Time (Months)
1            Asset Management              Critical    $0      0
2            Data Security                 Critical    $0      0
3            Info. Protection Processes    Critical    $0      0
4            Risk Assessment               Critical    $0      0
5            Continuous Monitoring         Critical    $0      0

5 Quickest Wins - Determined by Time Only (May Not Cover Most Urgent Risks)

[Chart: Quickest Wins. Axes: Remediation Cost; Time To Remediate (Months) - bubble size represents severity. Severity Legend: Quick Wins.]

Low Time Rank    FCS-ID                      Time (Months)    Cost    Severity
1                Asset Management            0                $0      Critical
2                Business Environment        0                $0      Critical
3                Governance                  0                $0      Critical
4                Risk Assessment             0                $0      Critical
5                Risk Management Strategy    0                $0      Critical

5 Least Expensive Wins - Determined by Cost Only (May Not Cover Most Urgent Risks)

[Chart: Least Expensive Wins. Axes: Remediation Cost; Time To Remediate (Months) - bubble size represents severity. Severity Legend: Least Expensive.]

Low Cost Rank    FCS-ID                      Cost    Time (Months)    Severity
1                Asset Management            $0      0                Critical
2                Business Environment        $0      0                Critical
3                Governance                  $0      0                Critical
4                Risk Assessment             $0      0                Critical
5                Risk Management Strategy    $0      0                Critical

Please Note: Information populated into this risk assessment tool is confidential and exempt pursuant to s. 282.318(5), F.S.
Summaries By Priority, Function, and Category
Florida Cybersecurity Standards (FCS) 74-2, F.A.C.
FCS Risk Assessment Tool (V1.0)

<Agency Name>

PLEASE DO NOT MAKE ANY CHANGES TO THIS PAGE!

Risk Severity Level Counts

Risk Severity Level Counts by Category (# Items In Each Severity Level)

Category    Critical    High    Medium    Low
ID.AM       6           0       0         0
ID.BE       5           0       0         0
ID.GV       4           0       0         0
ID.RA       6           0       0         0
ID.RM       3           0       0         0
PR.AC       5           0       0         0
PR.AT       5           0       0         0
PR.DS       7           0       0         0
PR.IP       12          0       0         0
PR.MA       2           0       0         0
PR.PT       4           0       0         0
DE.AE       5           0       0         0
DE.CM       8           0       0         0
DE.DP       5           0       0         0
RS.RP       1           0       0         0
RS.CO       5           0       0         0
RS.AN       4           0       0         0
RS.MI       3           0       0         0
RS.IM       2           0       0         0
RC.RP       1           0       0         0
RC.IM       2           0       0         0
RC.CO       3           0       0         0

Severity and Threat Counts

[Chart: Severity Levels: FCS Sub-Category Item Counts. Axis: # Subcategory Items (out of 98) Per Severity Level. Values shown: Critical 98, High 0, Medium 0, Low 0.]

[Chart: Primary Threat Item Counts. Axis: # Subcategory Items Associated With Primary Threat Type. Values shown: Environmental 0, Structural 0, Accidental 0, Adversarial 0.]

Average Severity Values

[Chart: Average Severity by Primary Threat Type. Categories: Environmental, Structural, Accidental, Adversarial. Axis: Average Severity Per Threat Type.]

[Chart: Average Risk Severity by FCS Category. Categories: ID.AM, ID.BE, ID.GV, ID.RA, ID.RM, PR.AC, PR.AT, PR.DS, PR.IP, PR.MA, PR.PT, DE.AE, DE.CM, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, RS.IM, RC.RP, RC.IM, RC.CO.]

Summaries at the Florida Cybersecurity Standards (FCS) FUNCTION Level

[Chart: Total Remediation Cost By FCS Function (Amount Colors Depict FCS Function). Values shown: ID: Identify $0, PR: Protect $0, DE: Detect $0, RS: Respond $0, RC: Recover $0.]

[Chart: Total Remediation Time By FCS Function (Label Colors Depict FCS Function). Axis: Months. Values shown: ID: Identify 0, PR: Protect 0, DE: Detect 0, RS: Respond 0, RC: Recover 0.]

Risk Remediation Priorities Based on Severity

Overlay Risk Priority    FCS Category    Risk Severity Level    Schedule (Months)    Cost
1                        ID.AM           Critical               0                    $0
2                        PR.DS           Critical               0                    $0
3                        PR.IP           Critical               0                    $0
4                        ID.RA           Critical               0                    $0
5                        DE.CM           Critical               0                    $0
6                        RS.MI           Critical               0                    $0
7                        PR.AC           Critical               0                    $0
8                        PR.AT           Critical               0                    $0
9                        PR.MA           Critical               0                    $0
10                       PR.PT           Critical               0                    $0
11                       DE.AE           Critical               0                    $0
12                       DE.DP           Critical               0                    $0
13                       RS.RP           Critical               0                    $0
14                       RS.CO           Critical               0                    $0
15                       RS.AN           Critical               0                    $0
16                       RS.IM           Critical               0                    $0
17                       RC.RP           Critical               0                    $0
18                       RC.IM           Critical               0                    $0
19                       RC.CO           Critical               0                    $0
20                       ID.BE           Critical               0                    $0
21                       ID.GV           Critical               0                    $0
22                       ID.RM           Critical               0                    $0

Summaries at the Florida Cybersecurity Standards (FCS) CATEGORY Level

[Chart: Remediation Time (Months) For All FCS Categories (Colors Depict FCS Function). Axis: Time In Months. All 22 categories, ID.AM through RC.CO, show 0.]

[Chart: Remediation Costs For All FCS Categories (Colors Depict FCS Function). Axis: Cost. All 22 categories, ID.AM through RC.CO, show $0.]

Please Note: Information populated into this risk assessment tool is confidential and exempt pursuant to s. 282.318(5), F.S.
Post Assessment Activities
Florida Cybersecurity Standards (FCS) 74-2, F.A.C.
FCS Risk Assessment Tool (V1.0)
