Statewide Information Management Manual (SIMM)

Required use

The SIMM is California’s central source for statewide technology policies, standards, instructions, forms, and templates.

Published by the California Department of Technology under the authority of the Director and State CIO. Maintained by the State IT Policy Office.

Questions? Contact ITPolicy@state.ca.gov.

Schedules and reporting requirements

Procedures, Instructions, Standards, Forms, Transmittals, and Certifications

17 California Project Management Framework (CA-PMF)

California Project Management Framework (CA-PMF) website replaces SIMM 17 and the California Project Management Methodology (CA-PMM) – Updated

18 IT Exemptions

A IT Contract Exemptions Associated with Executive Order S-09-09
B Cloud Computing Policy Exemption Instructions – Updated October 2023

19 Project Approval Lifecycle and Project Delivery Lifecyle

Project Approval Lifecycle and Project Delivery Lifecyle – Updated August 2025

22 COTS/SaaS Acquisition

A COTS/SaaS Acquisition Information Preparation Instructions (PDF) – Updated February 2015
B COTS/SaaS Acquisition Information Form (PDF) j– Updated February 2016

25 IT Accessibility Resource Guide

A Information Technology Accessibility Resource Guide (PDF) – Updated April 2025
B Website Accessibility Certificate Template (PDF) – Updated December 2023

30 Special Project Report (SPR)

Special Project Report Preparation Instructions (SPR) (PDF) – Updated June 2014
A SPR Executive Approval Transmittal (PDF) – Updated July 2021
B Project Summary Package (DOCX) – Updated January 2022
C SPR Economic Analysis Workbook (EAW) Package Instructions (PDF) – Updated June 2014

40 Internet Domain Name Taxonomy

A Internet Domain Name Taxonomy Instructions – Updated May 2023
B Frequently Asked Questions – Updated May 2023

45 Information Technology Project Oversight Framework

Information Technology Project Oversight Framework (PDF) – Updated April 2017
A Independent Verification & Validation (IV&V) Statement of Work (SOW) Template (DOCX) – Updated August 2017
Appendix A Project Management Risk Assessment Template (XLSX) – Updated May 2016
Appendix B Project Management Risk Assessment Preparation Instructions (PDF) – Updated July 2016
Appendix C Complexity Assessment (XLSX) – Updated December 2023
Appendix D Complexity Assessment Instructions (PDF) – Updated July 2016
Appendix E Project Status Reports Template (DOCX) – Updated February 2023
Appendix F Project Status Reports Preparation Instructions (PDF) – Updated December 2017
Appendix G Independent Project Oversight Report Template (DOCX) – Updated September 2023
Appendix H Project Delivery Lifecycle Project Status Report(DOCX) – Updated May 2025

50 Post Implementation Evaluation Report (PIER)

Post Implementation Evaluation Report Template (DOCX) – March 2023
PIER Cost Worksheets (XLS) – March 2023

55 Information Technology Cost Report

A – Information Technology Cost Report Instructions – Updated October 2025
B – SIMM-55B-IT-Cost-Report-Template – Updated October 2025
C – Information Technology Cost Report Transmittal (PDF) – Updated December 2020
D – Information Technology Cost Report FAQs – Updated September 2022

58 Statewide Enterprise Architecture

60 Agency Information Management Strategy (AIMS)

A AIMS Transmittal Letter (PDF) – Updated October 2019
B AIMS Annual Certification Letter (PDF) – Updated October 2019

66 Social Media Standards

B Social Media Standard (PDF) – Updated April 2011

71 Certification of Compliance with IT Policies

A Certification of Compliance with IT Policies Preparation Instructions (PDF)  – Updated March 2024
B Certification of Compliance with IT Policies Template (PDF) – Updated May 2025

80 California Software Management Policy Annual Statement of Compliance

California Software Management Policy Annual Statement of Compliance (PDF) – Updated April 2011

5300 Information Security

Statewide Information Management Manual (SIMM) Forms

SIMM 5300-A – State-Defined Security Parameters for NIST SP 800-53. Contains detailed security control content and classified as confidential and therefore it is available to designated personnel listed on SIMM 5330-A at OIS Extranet (Agency.Net). Vendor access will only be provided under Non-Disclosure Agreement during state entity procurement processes. Reach out to your CDT Account Lead for assistance with accessing ServiceNow or submit request through ServiceNow.
SIMM 5300-B – Foundational Framework (PDF)
SIMM 5300-B – Foundational Framework (XLSM)
SIMM 5300-C – Cybersecurity Maturity Metrics (XLSX) – Updated September 2025
SIMM 5305 – Risk Register and Plan of Action and Milestones FAQ (HTML) – Updated March 2022
SIMM 5305-A – Information Security Program Management Standard (PDF) – Updated September 2025
SIMM 5305-B – Risk Register and Plan of Action and Milestones Instructions (HTML) – Updated March 2022
SIMM 5305-C – Risk Register and Plan of Action and Milestones Worksheet (XLSX) – Updated October 2022
SIMM 5305-C- Risk Register and Plan of Action and Milestones Certification (DOCX) – New October 2022
SIMM 5305-F Generative Artificial Intelligence Risk Assessment (PDF) – Updated August 2025
SIMM 5310-A – Privacy Statement and Notices Standard (PDF) – Updated September 2022
SIMM 5310-B – Privacy Individual Access Standard (PDF) – Updated January 2018
SIMM 5310-C – Privacy Threshold Assessment and Privacy Impact Assessments (DOCX) – Updated July 2024
SIMM 5315-A – Email Threat Protections Standard – (PDF) – New May 2025
SIMM 5315-B – Cloud Security Standard – (PDF) – New August 2020
SIMM 5320-A – Phishing Exercise Standard (PDF) – Updated June 2025
SIMM 5325-A – Technology Recovery Plan Instructions (PDF) – Updated March 2023
SIMM 5325-B – Technology Recovery Program Certification (PDF) – Updated March 2023
SIMM 5330-A – Designation Letter (PDF) – Updated May 2025
SIMM-5330-B – Information Security and Privacy Program Compliance Certification (PDF) – New October 2023
SIMM 5330-C – Information Security Compliance Reporting Schedule (PDF) – Updated July 2025
SIMM 5330-D – Designation Letter Instructions (PDF) – Updated May 2025
SIMM 5330-F – Information Security and Privacy Program Compliance Certification – New January 2024
SIMM 5330-H – Information Security Policy Compliance and Enforcement Standard (PDF) – New November 2024
SIMM 5335-A – Security Event Notification and Response Standard (PDF) – New May 2023
SIMM 5335-B – Continuous Monitoring and Event Management Standard (PDF) – New August 2025
SIMM 5335-C MITRE ATT&CK Framework (XLSX) – New August 2025
SIMM 5340-A – Incident Reporting and Response Instructions (PDF) – Updated June 2018
SIMM 5340-C – Requirements to Respond to Incidents Involving a Breach of Personal Information (PDF) – Updated August 2025
SIMM 5345-A – Vulnerability Management Standard (PDF) – Updated April 2025
SIMM 5350-A – Zero Trust Architecture Standard (PDF) – New September 2025
SIMM 5350-B – Zero Trust Architecture Roadmap (XLSX) – New September 2025
SIMM 5355-A – Endpoint Protection Standard (PDF) – New January 2019
SIMM 5355-B Server Hardening Policy – New October 2024
SIMM 5360-A – Telework and Remote Access Security Standard (HTML) – Updated November 2024
SIMM 5360-B – Remote Access Agreement (PDF) – Updated January 2018
SIMM 5360-C – Multi-Factor Authentication (PDF) – New May 2023
SIMM 5360-D – Multi-Factor Authentication Supplemental – New May 2023

Office of Information Security (OIS) Documents

SAM 5300 – People, Process and Technology: A Navigational Guide for Agency/State Entities to Achieve Effective Information Security (PDF) – Updated September 2022
California Compliance and Security Incident Reporting System (CAL-CSIRS)
Cal-CSIRS Designee Request Form (DOCX) – Updated February 2020
Cal-CSIRS Designee Request Form Instructions – Updated July 2019
Cal-CSIRS Reset Instructions (PDF) – New July 2019
Cal-CSIRS FAQs (PDF) – Updated January 2018
SAFE Designee Request Form (DOCX) – Updated July 2019

Resources

SIMM Sections 110 through 180 provide valuable guidelines and resources to assist State agencies in managing their IT programs. While the use of these guidelines is optional, agencies are encouraged to refer to them when seeking support or direction in specific areas. For questions or further clarification, please contact the California Department of Technology IT Policy Office at ITpolicy@state.ca.gov.

110 AIMS Documentation Guidelines

AIMS Documentation Guidelines (PDF) 

120 Software Management Plan Guidelines

Software Management Plan Guidelines (PDF) 

130 Workgroup Collaboration Platform Guidelines

Workgroup Collaboration Platform Guidelines (PDF)  updated July 2025

140 Cloud Security Guide

SIMM 140 – Cloud Security Guide (PDF) – Updated May 2025

141 California Cloud Services Assessment Guide

SIMM 141 – California Cloud Services Assessment Guide (PDF) – Updated August 2025

150 Generative Artificial Intelligence Risk Assessment: EZ Forms

Generative Artificial Intelligence Risk Assessment for General Office Productivity (PDF) – Updated September 2025

158 Enterprise Architecture Practices

Statewide Enterprise Architecture Program

160 Maintenance & Operations Plan Guidelines

Maintenance & Operations Plan Guidelines (PDF) 

170 Requirements Guideline Set

A General Requirements Guidelines (PDF)  – New
- Exhibit A Strong Requirement Samples (PDF)  – New
B Project Requirements Development Instructions (PDF)  – New
- Exhibit B1 Expanded Requirements Sample (PDF)  – New
- Exhibit B2 Expanded Requirements Sample (PDF)  – New
- Exhibit B3 Expanded Requirements Sample (PDF)  – New
- Exhibit C Glossary Sample (PDF)  – New
- Exhibit D Requirements Development Workflow (PDF)  – New

Statewide Information Management Manual