Miami Cybersecurity Public Resources and References

Cybersecurity resources for Miami-area organizations and residents span federal agencies, Florida state portals, and internationally recognized standards bodies — each operating at a different layer of authority. This page maps those layers, identifies authoritative primary texts, and establishes where practitioners, researchers, and policy-aware readers should begin their research. Understanding the structure of the resource landscape is a prerequisite for applying any single document accurately. The broader framework within which these resources operate is described on the Miami Cybersecurity: Conceptual Overview page.


Scope and Coverage Limitations

This page covers publicly accessible reference materials relevant to cybersecurity practice and compliance as it applies to entities operating in the City of Miami, Miami-Dade County, and the broader Miami metropolitan statistical area. Florida state statutes, federal law, and international standards all have bearing on Miami-based organizations, but this page does not provide legal interpretation of those instruments.

Coverage does not extend to private commercial databases, paywalled industry reports, or proprietary vendor documentation. Organizations operating in Broward County, Palm Beach County, or other South Florida jurisdictions adjacent to Miami-Dade may find partial overlap, but county-specific provisions are not the focus here. The regulatory framing specific to Miami-area compliance obligations is addressed separately on the Regulatory Context for Miami Cybersecurity page. Entities seeking jurisdiction-specific legal counsel or incident response coordination should engage qualified professionals directly — that function is outside the scope of this reference page.


How to Navigate the Resource Landscape

The cybersecurity resource ecosystem is organized across at least three distinct tiers: federal primary law and agency guidance, state-level statute and administrative code, and voluntary consensus standards. Conflating these tiers is the most common navigation error — a NIST publication carries no legal force on its own, while a Florida statute carries enforceable weight within the state.

Tier 1 — Federal statute and regulatory code: Instruments such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and Title III of the E-Government Act (FISMA) establish baseline obligations. The Electronic Code of Federal Regulations (eCFR) is the authoritative consolidated access point for all active federal regulations.

Tier 2 — Florida state law: Chapter 501, Part II of the Florida Statutes (the Florida Unfair and Deceptive Trade Practices Act) and the Florida Information Protection Act (FIPA, § 501.171, Florida Statutes) govern breach notification and data handling for entities doing business in the state. The Florida Legislature's Online Sunshine portal provides free, continuously updated access to current statutory text.

Tier 3 — Voluntary standards and frameworks: Publications from the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the Center for Internet Security (CIS) define technical and organizational practice baselines. These carry no direct legal force but are frequently incorporated by reference into contracts and regulatory guidance.

Practitioners navigating an unfamiliar compliance situation should identify which tier is controlling, then work downward to applicable standards. Terminology that appears across all three tiers — but with different definitions in each — is catalogued on the Miami Cybersecurity Terminology and Definitions page.


Official Starting Points

For federal guidance, the NIST Computer Security Resource Center (csrc.nist.gov) is the primary repository for the NIST Cybersecurity Framework (CSF), NIST Special Publication 800-series documents, and FIPS standards. NIST SP 800-53 Rev 5, "Security and Privacy Controls for Information Systems and Organizations," contains 20 control families and is used as a baseline by federal agencies and organizations seeking alignment with federal standards.

The Cybersecurity and Infrastructure Security Agency (CISA, cisa.gov) publishes advisories, the Known Exploited Vulnerabilities (KEV) catalog, and sector-specific guidance applicable to Miami's financial services, healthcare, and port infrastructure sectors. The KEV catalog is updated continuously and represents a high-priority starting point for patch prioritization.

At the state level, the Florida Digital Service (FloridaDigitalService.fl.gov) coordinates cybersecurity standards for Florida state agencies and publishes the Florida Cybersecurity Standards (FCS), which state-funded entities are required to follow under Florida Statute § 282.318.

The Federal Trade Commission (ftc.gov) maintains guidance specific to GLBA Safeguards Rule compliance, which applies to a large segment of Miami's financial sector, including mortgage brokers, auto dealers with financing operations, and tax preparers.


Primary Texts and Databases

The following numbered breakdown identifies the core documents most directly applicable to Miami-area organizations:

  1. NIST Cybersecurity Framework 2.0 — Released by NIST in 2024, this version expanded the framework's original five functions (Identify, Protect, Detect, Respond, Recover) to six by adding "Govern." Available at csrc.nist.gov/projects/cybersecurity-framework.
  2. Florida Information Protection Act (FIPA), § 501.171, Florida Statutes — Requires breach notification within 30 days of determination for entities holding personal information on Florida residents. Available at Online Sunshine.
  3. NIST SP 800-171 Rev 3 — Governs protection of Controlled Unclassified Information (CUI) in nonfederal systems, directly applicable to Miami defense contractors at PortMiami and at Florida International University research facilities.
  4. CIS Controls v8 — Published by the Center for Internet Security, this 18-control framework is widely used by small and mid-sized organizations as an implementation roadmap. Available at cisecurity.org.
  5. HHS HIPAA Security Rule (45 CFR Parts 160 and 164) — Governs electronic protected health information for Miami's substantial healthcare sector. Full text at hhs.gov.

The distinction between a framework (CSF, CIS Controls) and a regulation (FIPA, HIPAA Security Rule) is critical: frameworks describe recommended practice, while regulations impose enforceable obligations with defined penalties. FIPA, for example, authorizes the Florida Attorney General to seek civil penalties of up to $500,000 per breach incident under § 501.171(10).


Agency Portals

CISA Regional Resources: CISA Region 4 covers Florida and maintains direct liaison relationships with Miami-Dade County emergency management and critical infrastructure operators. The CISA homepage provides access to free vulnerability scanning services (CISA's Cyber Hygiene program) available to any U.S. organization operating critical infrastructure.

Florida Digital Service: The Florida Digital Service portal publishes the Florida Cybersecurity Standards document, incident reporting pathways for state entities, and workforce development resources aligned with the National Initiative for Cybersecurity Education (NICE) framework.

FBI Internet Crime Complaint Center (IC3): The IC3 (ic3.gov) accepts cybercrime reports from individuals and organizations. The Miami Field Office of the FBI coordinates with IC3 on regional investigations, particularly those involving business email compromise (BEC), a threat category in which Florida consistently ranks among the top 5 states by reported losses in the IC3 Annual Report.

FTC Business Center: The FTC's Business Center (ftc.gov/business-guidance) provides plain-language summaries of the Safeguards Rule, breach notification requirements, and data minimization guidance relevant to Miami's retail, financial, and hospitality industries.

Miami-Dade County Office of Emergency Management: The county-level portal coordinates with state and federal agencies on cyber-physical incident response. While its primary mission covers all hazards, it participates in tabletop exercises aligned with CISA's National Cyber Exercise program.

For a broader view of how Miami's industry sectors interact with these agency resources, the Miami Cybersecurity Industry Sectors and Threat Landscape page provides sector-by-sector analysis. Readers tracing the complete structure of Miami's cybersecurity ecosystem can begin at the Miami Cybersecurity Authority index, which links to all pages in this reference network.
