Miami-Dade County and City of Miami Government Cybersecurity Programs
Miami-Dade County and the City of Miami operate layered cybersecurity programs that span municipal networks, critical infrastructure, and public-facing digital services. These programs sit within a broader regulatory context for Miami security that includes Florida state mandates, federal frameworks, and sector-specific compliance requirements. Understanding how local government cybersecurity is structured matters because failures in municipal systems affect hundreds of thousands of residents who depend on public utilities, permitting portals, court systems, and emergency services.
Definition and Scope
Miami-Dade County government cybersecurity programs encompass the policies, technical controls, staffing structures, and incident response capabilities maintained by county and city agencies to protect government-owned information systems and data. Miami-Dade County serves a population exceeding 2.7 million residents (U.S. Census Bureau, 2020 Decennial Census), making its digital infrastructure among the largest of any county government in the southeastern United States.
The scope of these programs includes:
- Enterprise IT systems — internal networks, email platforms, and enterprise resource planning (ERP) systems used across county departments
- Public-facing portals — online permitting, property tax payments, and court case management systems
- Critical infrastructure systems — water and wastewater control systems, traffic management, and public transit networks operated by Miami-Dade Transit and the Miami-Dade Water and Sewer Department (WASD)
- Law enforcement and emergency communications — systems shared between Miami-Dade Police Department (MDPD), Miami Fire Rescue, and regional 911 dispatch
The City of Miami maintains a separate cybersecurity posture through its own Department of Innovation and Technology, which governs city-managed systems distinct from county-level infrastructure. Both entities must comply with Florida's Florida Digital Service standards and the cybersecurity requirements established under Florida Statute §282.318, which mandates agency security plans, risk assessments, and reporting to the Florida Digital Service.
How It Works
Government cybersecurity at the county and city level operates through a multi-layer framework aligned to the NIST Cybersecurity Framework (CSF), which organizes protective activities into five functions: Identify, Protect, Detect, Respond, and Recover.
Miami-Dade County's Office of the Chief Information Officer (OCIO) coordinates security policy, while each large department — including WASD and the Miami-Dade Public Library System — maintains operational responsibility for systems within its purview. This distributed model creates accountability at the departmental level while centralizing policy governance.
Key operational phases:
-
Risk Assessment and Inventory — Agencies catalog IT assets and classify data sensitivity levels, consistent with NIST SP 800-171 guidance for controlled unclassified information where federal grant conditions apply. Asset inventories feed annual risk assessments required under §282.318.
-
Security Plan Development — Each agency submits an agency security plan to the Florida Digital Service. These plans address access controls, patch management cadence, and incident notification procedures.
-
Security Awareness Training — County employees complete mandatory cybersecurity awareness training. Florida Statute §282.318(3) explicitly requires training for personnel who access government information systems.
-
Continuous Monitoring — The OCIO deploys network monitoring tools to detect anomalous activity across county-managed infrastructure. Multi-factor authentication (MFA) deployment and endpoint detection tools represent baseline controls.
-
Incident Response and Notification — Florida law requires agencies to notify the Florida Digital Service within a defined window following a confirmed cybersecurity incident. Incidents affecting critical infrastructure may also trigger notification to the Cybersecurity and Infrastructure Security Agency (CISA) under federal reporting frameworks.
-
Third-Party Vendor Risk — Contracts with technology vendors include security addenda, particularly for systems that process sensitive resident data. Florida's data breach notification law, Florida Statute §501.171, sets a 30-day notification deadline to affected individuals following a confirmed breach (Florida Legislature, §501.171).
Common Scenarios
Three scenarios illustrate the practical operation of these programs:
Ransomware Targeting Municipal Networks — Local governments across the United States have experienced ransomware incidents that paralyzed permitting, payroll, and public safety systems. Miami-area governments have adopted offline backup strategies and network segmentation specifically in response to this threat pattern. The Miami ransomware response guide documents the response protocols relevant to this environment.
Water and Wastewater System Intrusions — Following the 2021 Oldsmar, Florida water treatment facility incident — in which an unauthorized actor remotely manipulated chemical dosing controls — CISA issued Alert AA21-042A and Florida municipal water operators, including those in Miami-Dade, reviewed operational technology (OT) network controls. WASD operates water treatment for a service area exceeding 480,000 accounts, making OT security a high-priority component of the county program.
Phishing and Credential Theft Against County Employees — Social engineering attacks targeting government email accounts represent a persistent vector. Miami-Dade has implemented email filtering, MFA for remote access, and phishing simulation exercises as standard countermeasures, consistent with CISA's Known Exploited Vulnerabilities catalog guidance on reducing attack surface.
Decision Boundaries
Not all cybersecurity responsibilities fall under county or city government programs. Clear boundaries determine which programs and obligations apply:
| Scenario | Governing Program |
|---|---|
| County-owned network infrastructure | Miami-Dade OCIO |
| City of Miami municipal systems | City Department of Innovation and Technology |
| Public schools and Miami-Dade County Public Schools (MDCPS) systems | MDCPS Office of Information Technology (separate entity) |
| Port of Miami (PortMiami) maritime systems | Miami-Dade Seaport Department, with USCG and TSA overlay |
| Private businesses operating in Miami-Dade | Not covered by government programs; subject to state and federal sector rules |
| Florida state agency offices located in Miami-Dade | Florida Digital Service jurisdiction, not county OCIO |
The distinction between county and city jurisdiction is operationally significant. PortMiami cybersecurity involves a distinct federal overlay through the U.S. Coast Guard's Maritime Cybersecurity Standards and the Transportation Security Administration, topics covered in detail within the broader Miami security resource index.
Businesses and organizations operating within Miami-Dade that are not government entities fall outside these programs entirely, though they may be subject to Florida-specific and federal regulations detailed in the regulatory context for Miami security.
References
- Florida Digital Service — Florida Department of Management Services
- Florida Statute §282.318 — Security of Data and Information Technology Resources
- Florida Statute §501.171 — Security of Confidential Personal Information
- NIST Cybersecurity Framework (CSF)
- NIST SP 800-171 — Protecting Controlled Unclassified Information
- CISA — Cybersecurity and Infrastructure Security Agency
- CISA Alert AA21-042A — Compromise of U.S. Water Treatment Facility
- U.S. Census Bureau — Miami-Dade County Profile
- CISA Known Exploited Vulnerabilities Catalog