PS 019 – Security Risk Register and Plan of Action and Milestones Reporting

Procedures and standards update

TO:

Agency Chief Information Officers (AIO)
Chief Information Officers (CIO)
Agency Information Security Officers (AISO)
Information Security Officers (ISO)

SUBJECT:

SECURITY RISK REGISTER AND PLAN OF ACTION AND MILESTONES (POAM) REPORTING


BACKGROUND:

The California Department of Technology (CDT) first released the Plan of Action and Milestones (POAM), SIMM 5305-C in August 2015 as a method for agencies/state entities to track information security risks and report to CDT on the status of remediation. All agencies/state entities are required to provide progress updates submitted to the Office of Information Security (OIS) every quarter on the last business day in January, April, July, and October.

This update provides agencies/state entities with a new integrated executive dashboard to help entities better gauge their progress in responding to identified risks. It also provides enhanced reporting in the categories of risk ownership, funding, and resource barriers to remediation, as well as other functionality improvements requested by the user community.

PURPOSE:

The purpose of this Procedures/Standards update is to announce:

    • Updated SIMM Section 5305-C, Risk Register and POAM Standard which is used to report on an entity’s information security risk and status of remediation.
    • Updated SIMM Section 5305-B, Risk Register and POAM Standard Instructions.
    • Agencies/state entities must transition all identified entity risk items to this updated Risk Register and POAM (SIMM 5305-C) and include them with their April 2022 submission.
    • The Host (as defined in SIMM 5330-E) and supporting entity (as designated in SIMM 5330-A) may use a copy of the Host or supporting entity’s submission when routing to the designated signatories for the hosted or supported entity.

REFERENCES:

The following reference materials are associated with this Procedures/Standards update. The Statewide Information Management Manual (SIMM) is available in the Policy section of CDT’s website. The State Administrative Manual (SAM) is available on the State Administrative Manual section page of the Department of General Services website.

    • SIMM Section 5305-B
    • SIMM Section 5305-C
    • SIMM 5305-C Frequently Asked Questions (FAQ)

QUESTIONS:

Questions regarding this announcement may be directed to the CDT, Office of Information Security (OIS) at security@state.ca.gov.