Florida

In plain terms. Florida's State Cybersecurity Act centralizes cybersecurity standards in the Florida Digital Service inside the Department of Management Services, built around the NIST framework.

Who it applies to. State agencies and the IT vendors that serve them. Florida also uses StateRAMP and references NIST/FIPS standards.

What it requires. Under the Cybersecurity statute, the Florida Digital Service establishes cybersecurity standards (aligned to the NIST Cybersecurity Framework), and agencies conduct risk assessments and follow incident-reporting and security-control requirements. Separate law allows disqualification of IT vendors in defined circumstances, so a vendor's conduct and security posture can affect eligibility.

Why it matters. Vendors selling IT to Florida should expect NIST-aligned security requirements and the possibility of disqualification for noncompliance, plus StateRAMP for cloud services.

Citation. Fla. Stat. § 282.318 (Cybersecurity) and § 282.005 (Department of Management Services; Florida Digital Service); § 287.0591 (Information Technology; Vendor Disqualification). References NIST/FIPS; participates in StateRAMP.

In plain terms. Florida's IT rules implement the statute through an enterprise-architecture standard administered by the Florida Digital Service.

Who it applies to. State agencies and their IT vendors.

What it requires. The enterprise-architecture rule sets statewide technology and security architecture expectations that agencies — and the systems vendors build for them — are expected to meet, consistent with the NIST-based statutory standards.

Why it matters. Vendors should design to Florida's enterprise-architecture and security expectations, not just minimum contract terms.

Citation. Fla. Admin. Code r. 60GG-5.002 (Enterprise Architecture), implementing Fla. Stat. ch. 282.