Critical Infrastructure Program (CIP) is sponsored by Cyber Florida at USF. This opportunity supports mission-aligned projects and measurable outcomes.

Critical Infrastructure Protection | Cyber Florida at USF An effort to enhance Florida's public- and private-sector critical infrastructure entities' cyber resilience Critical Infrastructure Protection Cyber Florida 2026-02-20T08:42:24-05:00 Cyber Florida’s Critical Infrastructure Program (CIP) is a state-funded initiative to provide Florida’s public and private critical infrastructure entities with no-cost access to vetted, best-practice resources to help enhance their cybersecurity posture.

A national model for state investment in collective infrastructure cybersecurity. Questions about CMMC? Watch this webinar with Cyber Florida and FloridaMakes reviewing some fundamental aspects of CMMC Level 2.

Announcing a valuable new tool in Cyber Florida’s CIP portfolio: Cyber Bulls-i is a first-of-its-kind tool built for Florida’s critical infrastructure organizations! A user-friendly, no-cost way to strengthen your cybersecurity, Cyber Bulls-i can help your organization meet compliance requirements and reduce risk. Whether you’re a public agency, small business, utility, school, or hospital, this tool is here to help!

How it works: three easy steps Complete the Florida Cyber Risk Assessment (FCRA) : Answer straightforward questions to get a custom report. Secure a personalized cybersecurity plan: Receive a tailored map of free resources and expert help. Continue to improve: Track progress, get updates, and strengthen your defenses over time.

Recent assessments show that half of organizations lack a recovery plan and nearly half lack formal cybersecurity training. Many also face limited time, staff, and budgets. Cyber Bulls-i helps fix this, making it easier to protect your mission and stay compliant without added costs.

What makes Cyber Bulls-i different? Completely free to use, thanks to state funding Florida-specific plan tailored to your needs Keeps your data private and secure – it is only used to help you Build stronger defenses against cyber threats Meet compliance and insurance requirements Save time and money with ready-to-use tools Get ongoing support to stay protected Start or update your journey today. There are no costs or strings attached.

Your participation is a crucial step toward building a safer, more resilient Florida. START THE CYBER BULLs-i PATH TO BETTER RESILIENCE The CIP is available to any public- or private-sector critical infrastructure entities at no cost.

Organizations providing goods and services related to the following sectors and operating within the state of Florida are eligible and encouraged to participate: Water and Wastewater Systems Healthcare and Public Health Nuclear Reactors, Materials, and Waste Cyber Florida offers select modules from the Cyber Security Evaluation Tool (CSET®) developed by the Idaho National Laboratory (INL) on behalf of the Department of Homeland Security (DHS) as part of the Florida Cyber Risk Assessment (FCRA) .

This assessment platform uses the DHS’s CSET® NIST Cybersecurity Framework (CSF) 2. 0 Standard Question Set and Ransomware Readiness Assessment (RRA) modules, developed by the Idaho National Laboratory for the DHS. The Florida Cyber Risk Assessment is accessible to all organizations, regardless of their cybersecurity maturity.

The NIST CSF 2. 0 adds governance to its core guidance, helping organizations meet their cybersecurity goals and comply with Florida statutes, and is Step 1 along the Cyber Bulls-i path to better resiliency. The assessment covers the most common cybersecurity threats and vulnerabilities and responses are secure and confidential.

The Florida Cyber Risk Assessment This customized instance of the CSET® consists of 154 questions addressing a range of cybersecurity concerns outlined by the NIST Cybersecurity Framework . The survey should be completed by your IT/cybersecurity lead and their team members. Responses are confidential and securely stored (see FAQs for details).

If your organization doesn’t have on-staff expertise, Cyber Florida will connect you with an expert who can help you complete the assessment. No cost, confidential, secure 154 questions, about 2 hours Start, save, return later Prerequisite to apply for the State of Florida Local Cybersecurity Grant Program (SB2500.

3013A) GUIDES + REPORTS + MANUALS* Florida Ransomware Incidents 2020-2024 A study of 30 ransomware incidents between 2020 and 2024 Florida CI: 2025 Cybersecurity Intelligence Assessment An intelligence-driven analysis of the most urgent cyber threats facing Florida’s critical infrastructure Readiness + Resilience: Cyber Florida’s CMMC Level 1 Guide A breakdown of CMMC Level 1 for small businesses Artificial Intelligence Threats: What Everyone Should Know Recommendations for legislators and critical infrastructure organizations Enhancing CI Cyber Resilience through Maturity Modeling A policy brief advocating the adoption of sector-specific maturity modeling in Florida Closing the Ransomware Readiness Gap This policy brief builds on findings from a 2023 statewide assessment of cyber-readiness across Florida’s critical infrastructure sectors.

Florida Critical Infrastructure Cybersecurity Intelligence Assessment A review of the current cyber threats targeting Florida's critical infrastructure organizations Florida Ransomware Incidents 2016-2019 A comprehensive review of ransomware attacks against Florida public entities between 2016 and 2019.

MANUALS + INTERACTIVE GUIDES Incident Response Planning Guide Be better prepared to respond to and recover from cybersecurity incidents. Aligned to NIST standards, this guide can help you establish an incident response policy. Download the fillable MS Word form and complete it with your senior leadership team to help your organization be more prepared to mitigate and recover from a cyber incident.

Cyber Decision-Making Matrix Developed with the Florida Department of Emergency Management, this planning sheet can help local government and other critical infrastructure organizations determine who is responsible for various areas of response before a cyber incident occurs. Review the list of likely actions needed in the wake of a cyber incident and assign roles in advance for a more coordinated response when the need arises.

Situation Manual Development Tabletop Exercise Developed with the Florida Department of Emergency Management, this guide can help you host your own tabletop exercise, where leaders can learn to plan and design a situation manual for responding to a cyber incident. Assign roles and play through the exercise to explore some of the considerations and decisions an organization faces in the wake of cyber incident.

Use the experience to help develop a situation manual for your organization. Cybersecurity Emergency Support Function (ESF) Directory Developed with the Florida Department of Emergency Management, the Cybersecurity Emergency Support Function Directory is a repository for the state-provided support services available to you before, during, and after a cyber incident.

Use this guide to help identify critical emergency actions and how to coordinate with appropriate state agencies during a cyber emergency. Nuclear Reactors, Materials, and Waste Water & Wastewater Systems Healthcare & Public Health Transportation Systems-Logistics We recognize that not every organization has a cybersecurity person on staff.

If you have a question or would like assistance in getting started with the Cyber Bulls-i initiative, please submit this form and a team member will reach out. Why should my organization participate? In addition to receiving a free risk assessment for your organization, the data gathered will establish a baseline to guide future planning, policies, and expenditures to strengthen the state’s critical infrastructure assets.

This could yield additional state-provided resources and tools for your organization. Additionally, up to 150 participating organizations will get free access to the CyberKnights and Cyber-CHAMP programs, which use the assessment data to help your organization identify and improve cyber skills gaps in your workforce. We don't have a cybersecurity person on staff.

Can someone help us answer the questions? Yes! Cyber Florida at USF has partnered with Idaho National Labs to offer free assistance to organizations that may need assistance navigating the questions.

Complete the contact form to request assistance. The Florida Cyber Risk Assessment is housed on a server at the University of South Florida (USF) in Tampa. How is my data protected?

The USF IT Department uses the NIST Cybersecurity framework to manage its technical and administrative controls. The university has a complete set of security policies, procedures, and standards based on the NIST 800-171 security guidelines.

In addition to these administrative controls, USF employs many technical controls, including but not limited to several physical and cloud-based Palo Alto firewalls, the complete Microsoft Defender stack of products (including EDR), Beyond Trust Privileged access management, Microsoft MFA, Splunk for Enterprise Security SIEM, and regular penetration tests and risk assessments performed by both internal staff, state auditors, and 3rd-party companies.

The University of South Florida is a Carnegie Research-1 University with numerous federal grants dealing with medical, personal, and DoD-restricted non-classified data that is secured and monitored 24/7 by USF staff as well as two external SOCs. Will the state get my data?

Cyber Florida at USF aggregates the data collected to look for trends and findings that are reported anonymously and in aggregate and shared only with designated state officials, such as the Governor, the Speaker of the House, and the President of the Senate. Individual organization information is not reported or shared anywhere. Will my vulnerabilities be documented?

The Florida Cyber Risk Assessment survey does not ask detailed questions about your systems or policies and procedures. We ask yes or no questions at a high level, such as, “Do you have a cybersecurity training program? ” “Do you use multifactor authentication?

” etc. These questions are designed to help guide future state investments and educational efforts and do not require sharing any information about specific technical vulnerabilities. We've completed a risk assessment with a third-party vendor, why should we do this one?

You may have completed a risk assessment with a third-party vendor, but that information will not be included in the overall Florida critical infrastructure risk score, which may impact the policies and potential funding for Florida critical infrastructure. The survey is short and easy to use. You will not be asked to reveal protected company details, your information will be strictly protected as critical infrastructure information.

We've completed a risk assessment with the CSET tool, why should we complete another one? Within the CSET tool, there are a variety of options based on the type of standard being measured.

For this reason, we ask all critical infrastructure owners/operators to participate in the survey to be counted and heard so the leaders of Florida can get as accurate a picture as possible to guide Florida’s future investments to make Florida a safe and secure state to live, work, and play. Is it really free? What's the catch?

*These publications are made available by The Florida Center for Cybersecurity for general educational purposes only and should not be used in lieu of obtaining competent legal advice from a licensed attorney and/or cybersecurity professional with the sufficient expertise necessary to address your organization's specific needs.

Use of this guide does not create any special or fiduciary relationship between you and The Florida Center for Cybersecurity or the University of South Florida.