The Modular Cybersecurity Rule
Why policy architecture beats policy length when a state cybersecurity standards rule meets federal mandates, specialized systems, and the limits of regulatory bandwidth.
Jason Walker
State CISO, Florida
Most state cybersecurity rules read like inventories. Page after page of enumerated controls, every system type addressed by name, every requirement spelled out for every condition the drafter anticipated. The drafter does it in good faith. The reviewer does it in good faith. The result is a rule three times the length it needs to be, fragile against framework updates, hostile to readers, and brittle against the systems it never anticipated.
There is a different way to write a state cybersecurity rule. It treats the rule as architecture rather than inventory. The rule names a baseline that applies to every agency information system based on the system's risk categorization, names overlays that apply only to systems with specific characteristics, names a harmonization mechanism for resolving conflicts among overlapping authorities, and is explicit about the boundary of state oversight relative to federal cybersecurity mandates that already govern federally regulated data.
Stated as a single design pattern: modular baseline plus conditional overlays plus deterministic selection plus explicit scope discipline.
The Baseline Carries the Weight
The federal cybersecurity controls catalog (NIST Special Publication 800-53 Revision 5) supplies more than a thousand controls. NIST Special Publication 800-53B allocates subsets of those controls into LOW, MODERATE, and HIGH baselines calibrated to the impact level of the information processed by the system.
A state rule that incorporates 800-53B by reference does not need to enumerate the controls in rule text. The rule names the baseline as the requirement. The agency implements to the federal catalog. When NIST publishes an update release, the rule rides through without amendment. The catalog itself holds the weight of the technical detail.
The rule remains short. The rule remains stable. The agency receives a predictable, federally tested set of controls.
Overlays Tailor for Reality
Generic baselines assume traditional information technology environments: scheduled patching, IT-grade authentication, constant network connectivity. Real-world environments break those assumptions.
A real-time controller running a wastewater treatment plant cannot be patched on the same cadence as a finance server. Patching the controller may require shutting down the plant. An artificial intelligence system has learned behavior that may be biased, drifting, or wrong in ways that traditional cybersecurity controls do not detect. A cloud-deployed system runs on shared infrastructure that the agency does not control.
Each of those conditions warrants a different control modification. An operational technology overlay tailors patch cadence and authentication requirements to OT operational constraints. An AI overlay adds requirements that traditional controls do not cover (model inventory, pre-deployment impact assessment, continuous drift monitoring, human-in-the-loop pathways for consequential decisions). A cloud authorization framework lets agencies inherit pre-verified controls from authorized cloud service providers rather than independently re-verifying.
Overlays sit on top of the baseline. They are conditional. A system carries zero overlays, one, or several depending entirely on its specific characteristics. The rule's complexity scales with the agency's environmental complexity, not with the drafter's anticipation.
The Selection Process Has to Be Deterministic
The architecture only works if it produces reproducible results across agencies. Two agencies operating the same system type should arrive at the same control set.
That requires a deterministic selection process. Categorize the system. Map the categorization to the federal baseline. Add per-tier mandatory enhancements that target gaps the baseline default does not address. Apply applicable overlays based on documented diagnostic questions. Apply the most-protective rule for any conflicts among baseline, enhancements, and overlays. Inherit common controls that the state provides as shared services. Document the selected control set in the system security plan. Assess the implemented controls using the federal assessment methodology.
Eight steps. The same inputs produce the same outputs. Audit defensibility is structural, not procedural.
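The eight-step selection process above, worked as an added example (not code from the author or from any state rule): a small Python engine that categorizes a system by high-water mark, layers a baseline, tier enhancements, overlays chosen by documented diagnostic questions and state-provided common controls, and resolves parameter conflicts with the most-protective rule. Every control identifier, parameter and baseline allocation in it is a constructed stand-in, not an actual NIST SP 800-53B allocation.

```python
# Added toy control-selection engine for the baseline + overlay pattern. Control ids,
# parameters and values are constructed for illustration, not from NIST SP 800-53B.
LEVELS = ("LOW", "MODERATE", "HIGH")

# Step 2 baselines: impact level -> {control id: {parameter: value}}.
BASELINES = {
    "LOW": {"AC-2": {}, "IA-2": {"mfa": 0}, "SI-2": {"patch_days": 90}},
    "MODERATE": {"AC-2": {}, "IA-2": {"mfa": 1}, "SI-2": {"patch_days": 30}, "AU-6": {}},
    "HIGH": {"AC-2": {}, "IA-2": {"mfa": 2}, "SI-2": {"patch_days": 14}, "AU-6": {}, "SC-7": {}},
}
# Step 3: per-tier mandatory enhancements that close a gap the baseline leaves open.
ENHANCEMENTS = {"LOW": {}, "MODERATE": {"IA-2": {"mfa": 2}}, "HIGH": {"IA-2": {"mfa": 2}}}
# Step 4 overlays: a documented diagnostic question plus the controls it adds.
OVERLAYS = {
    "OT": (lambda s: s.get("operational_technology", False), {"OT-1": {"maintenance_window": 1}}),
    "AI": (lambda s: s.get("ai_system", False), {"AI-1": {}, "AI-2": {}, "AI-3": {}}),
    "CLOUD": (lambda s: s.get("cloud_hosted", False), {"SC-7": {"inherited": 1}}),
}
# Step 6: common controls the state provides as shared services.
COMMON_CONTROLS = {"AU-6": {"provider": "state_soc"}}
# Step 5: most-protective rule, expressed as the stronger direction per numeric parameter.
STRONGER = {"mfa": max, "patch_days": min, "maintenance_window": max, "inherited": max}

def categorize(confidentiality, integrity, availability):
    """Step 1: impact level is the high-water mark across the three ratings."""
    return max((confidentiality, integrity, availability), key=LEVELS.index)

def merge(selected, layer):
    """Fold one layer in; conflicts resolve most-protectively, unordered conflicts raise."""
    for cid, params in layer.items():
        current = selected.setdefault(cid, {})
        for key, value in params.items():
            if key in current and current[key] != value:
                if key not in STRONGER:
                    raise ValueError(f"{cid}.{key}: no most-protective ordering defined")
                value = STRONGER[key](current[key], value)
            current[key] = value

def select_controls(impact, system):
    """Steps 2-6: returns (applied overlays, sorted control record) for the SSP (step 7)."""
    selected = {}
    merge(selected, BASELINES[impact])
    merge(selected, ENHANCEMENTS[impact])
    applied = []
    for name in sorted(OVERLAYS):  # fixed evaluation order keeps selection reproducible
        question, controls = OVERLAYS[name]
        if question(system):
            merge(selected, controls)
            applied.append(name)
    merge(selected, COMMON_CONTROLS)
    record = tuple(sorted((cid, tuple(sorted(p.items()))) for cid, p in selected.items()))
    return tuple(applied), record
```

Because overlay order is fixed and the record is a sorted tuple, two agencies answering the same categorization and diagnostic questions get an identical record; a conflict on a parameter with no defined ordering raises instead of silently picking a side.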
Scope Discipline Is the Most Distinctive Move
The most distinctive policy design move in this pattern is what the rule does not do.
State agencies handling federally regulated data (criminal justice information, protected health information, federal tax information, payment card data, ACA-framework health and human services data) are already subject to federal cybersecurity requirements with their own oversight. The Federal Bureau of Investigation Criminal Justice Information Services Division audits CJIS compliance. The United States Department of Health and Human Services audits HIPAA Security Rule compliance. The Internal Revenue Service Office of Safeguards audits Publication 1075 compliance.
Most state cybersecurity rules avoid the federal-mandate question by silence. They neither acknowledge the federal authority nor disclaim it. The result is ambiguity that agencies experience as double oversight risk and that federal authorities experience as state intrusion on federal turf.
The modular rule pattern handles this differently. It states explicitly, on the face of the rule, that the state authority does not audit, assess, or accredit federal cybersecurity mandate compliance. The federal authority retains that oversight. The state rule recognizes the federal mandate for harmonization purposes only. Federal compliance evidence may satisfy overlapping outcomes under published crosswalk guidance.
The agency does the cybersecurity work once. Federal compliance artifacts travel directly into the state compliance assessment. No double-paying, no double audit, no rework.
What This Pattern Asks of the Drafter
The pattern shifts effort from the drafter to the architect. Anyone can write a long rule that enumerates everything. Writing a short rule that incorporates by reference, names overlays for the right conditions, prescribes a deterministic selection process, and disclaims oversight at the federal-state boundary requires understanding the architecture of the regulatory regime rather than its individual provisions.
The reward is a rule that survives framework updates, scales to systems the drafter never anticipated, and produces compliance work agencies can actually do. The cost is the architectural design effort up front and the political discipline to disclaim what the rule should not cover.
Cybersecurity is the example. The pattern generalizes. Any state regulatory regime that intersects federal authority and federally regulated data could be written this way: modular architecture, deterministic selection, explicit scope discipline. Most are not.