What must be reported by a state entity?

All actual or suspected security incidents that negatively affect the security (confidentiality, integrity, or availability) of a state information asset must be reported. Incidents meeting the criteria for reporting an incident outlined in the SIMM 5340-A – Incident Reporting and Response Instructions (PDF) must be reported.