Florida Digital Service scales up cyber
In just two years, the team is standing up a cybersecurity operations center and has standardized agency data sharing agreements and conducted critical infrastructure risk assessments.
In the two years since it launched, the Florida Digital Service, or FL[DS], has earned several wins, perhaps most evidenced by a historic infusion of cybersecurity funding in the 2022-23 fiscal budget.
The budget calls for $50 million in enterprise cybersecurity resilience funding for state agencies. It builds on the $30 million the service got last year and will enhance capabilities such as the state’s first security operations center (SOC).
“We have 30 agencies [out of a total 37] that are in some level of implementation of the cybersecurity operations center,” said James Grant, Florida’s chief information officer.
The budget also allocates $30 million in cybersecurity grant funding for local governments, which will go toward efforts supporting the round-the-clock SOC. The department has procured consulting help to run the grant program.
“There is no single vendor that will win,” Grant said. “The core requirement is the local government needs to participate in the SOC by sharing at least telemetry data so that we can support them in the event of an incident response. Importantly, we aren’t demanding they give us access to everything, all the time. Instead, we are providing them their own access to core cybersecurity capabilities from within our integrated marketplace. Perhaps as importantly, we do not want to be inside of their environment unless incident response activities demand it and until we have been invited into the environment,” he said in a follow-up email.
The idea is that local entities can continue to use what they have without the state mandating that they replace technologies.
“The local governments actually asked that we not send them money,” Grant said. “They’ve asked that we provide them services because they may not have the people and the resources necessary to manage a grant, the audits and all the things that come with it.”
When it comes to statewide purchases of enterprise software, “we’ve been able to do it in a way that’s inexpensive relative to history. Our first buy was about $16 million to look at the productivity environment and to start getting logs out of the productivity environment. We saved 25% off state term contract, which is supposed to be the best price the state can get, enabling us to put $4 million directly back into the program.”
Another big win for FL[DS] has been putting in place data-sharing agreements. Before this administration, no state agencies had ever collaborated with one another in real time on security, Grant said.
“Creating a standardized data-sharing agreement with each agency took a ton of work by our team, a ton of support from the governor’s office -- and it’s a huge win for Florida,” he said. “If you don’t have data-sharing agreements, you can’t get to true data interoperability and you can’t really run a security operations center. If you don’t have a security operations center, you can’t really do the proactive detection and, if needed, the recovery and response efforts.”
The budget also allocated $7 million to conduct a comprehensive cybersecurity risk assessment of critical infrastructure. Although this funding is appropriated to the Florida Center for Cybersecurity at the University of South Florida, FL[DS] signs off on any work. A contract for this effort is in the works now, Grant said.
“It should give us a good look at a risk assessment of all critical infrastructure in Florida,” he said, adding that “we will obviously not mandate that the private sector tell us where their vulnerabilities are and, as a result, make them less secure.”
Emphasizing the importance of this work, Grant pointed to the 2021 hack of the Oldsmar, Florida, water plant in which levels of lye were changed to poisonous amounts. Additionally, the recent blasts in the undersea Nord Stream 1 and 2 pipelines in Europe reinforced the urgency of protecting critical infrastructure.
No longer running a state data center counts as another win that Grant, a former state representative, highlighted. When he became CIO in 2020, 91 cents of every $1 appropriated to FL[DS] in the state budget went to the data center, with the remainder going to the Office of the CIO for issues like data interoperability and cyber.
The total budget was about $66 million. Now, it’s $148 million with all of the funds going toward modernization, cybersecurity, data management and other initiatives.
But as part of that shift, FL[DS] went from 185 full-time workers last year to 70 this year. Because it was no longer running the state data center, the office lost 145 state data center employees, Grant said. The service is now looking to hire 30 employees to bring the workforce up to that total of 70 that the budget calls for. They will be part of the Office of Data Management within the Department of Management Service, through which FL[DS] operates, he said.
Grant attributes all these successes – something that predecessors in the past 15 years have struggled to achieve – to support from leaders, including Gov. Ron DeSantis. “We have an opportunity that nobody’s ever had because of our executive backing,” he said.
He likens the progress to that of a new company.
“We’ve now made it past the startup phase. This is where you’ve identified a market problem and demonstrated that you can help solve the market problem,” he said. “Scale is where you make it or break it. That’s where cracks in communication and management show up. We’re really focused on scale right now. How do we make sure that we document processes, how do we take the lessons learned and put them into something that is sustainable and is repeatable?” he asked. “If we successfully address scale, I think we’ve changed the game for Florida forever.”
Stephanie Kanowitz is a freelance writer based in northern Virignia.