SIMM 5300 Information Security

Overview

Information security refers to the protection of information, information systems, equipment, software, and people from a wide spectrum of threats and risks.

Implementing appropriate security measures and controls to provide for the confidentiality, integrity, and availability of information, regardless of its form (electronic, optical, oral, print, or other media), is critical to ensure business continuity, and protect information assets against unauthorized access, use, disclosure, disruption, modification, or destruction.

SIMM 5300-A State-defined Security Parameters

SIMM 5300-A contains detailed security control content and classified as confidential and therefore it is available to designated personnel listed on SIMM 5330-A at OIS Extranet (Agency.Net). Vendor access will only be provided under Non-Disclosure Agreement during state entity procurement processes.

Reach out to your CDT Account Lead for assistance with accessing ServiceNow or submit a request through ServiceNow.

SIMM 5300-B Foundational Framework

• SIMM 5300-B Foundational Framework (PDF)
• SIMM 5300-B Foundational Framework (XLSM)

SIMM 5300-C Cybersecurity Maturity Metrics

• SIMM 5300-C Cybersecurity Maturity Metrics (XLSX) ^{Updated May 2025}

SIMM 5305 Series – Risk Management

• SIMM 5305-A Information Security Program Management Standard (PDF) ^{Updated September 2025}
• SIMM 5305-B Risk Register and Plan of Action and Milestones Instructions ^{Updated March 2022}
• SIMM 5305-C Risk Register and Plan of Action and Milestones Worksheet (XLSX) ^{Updated October 2022}
• SIMM 5305-C Risk Register and Plan of Action and Milestones Certification (DOCX) ^{Updated October 2022}
• SIMM 5305 B and C Risk Register and Plan of Action and Milestones FAQs ^{Updated March 2022}
• SIMM 5305-F Generative Artificial Intelligence Risk Assessment (PDF) ^{Updated August 2025}

SIMM 5310 Series – Privacy

• SIMM 5310-A Privacy Statement and Notices Standard (PDF) ^{Updated September 2022}
• SIMM 5310-B Privacy Individual Access Standard (PDF) ^{Updated January 2018}
• SIMM 5310-C Privacy Threshold Assessment and Privacy Impact Assessments (DOCX) ^{Updated September 2022}

SIMM 5315, 5320 Series – Email and Cloud Security

• SIMM 5315-A Email Threat Protections Standard (PDF) ^{Updated May 2025}
• SIMM 5315-B Cloud Security Standard (PDF) ^{Updated August 2020}
• SIMM 5320-A Phishing Exercise Standard (PDF) ^{Updated June 2025}

SIMM 5325 Series – Technology Recovery Plan (TRP)

• SIMM 5325-A Technology Recovery Plan Instructions (PDF) ^{Updated March 2023}
• SIMM 5325-B Technology Recovery Program Certification (PDF) ^{Updated March 2023}

SIMM 5330 Series – Information Security and Privacy Program Compliance

• SIMM 5330-A Designation Letter (PDF) ^{Updated May 2025}
• SIMM-5330-B Information Security and Privacy Program Compliance Certification (PDF) ^{Updated October 2023}
• SIMM 5330-C Information Security Compliance Reporting Schedule (PDF) ^{Updated July 2025}
• SIMM 5330-D Designation Letter Instructions (PDF) ^{Updated May 2025}
• SIMM 5330-F Information Security and Privacy Program Compliance Certification (for Independents and Constitutionals) ^{Updated January 2024 (PDF)}
• SIMM 5330-H Information Security Policy Compliance and Enforcement Standard (PDF) ^{Updated November 2024}

SIMM 5335 Series – Security Operations

• SIMM 5335-A Security Event Notification and Response Standard (PDF) ^{Updated May 2023}
• SIMM 5335-B Continuous Monitoring and Event Management Standard (PDF) ^{New August 2025}
• SIMM 5335-C MITRE ATT&CK Framework (XLSX) ^{Updated November 2025}

SIMM 5340 Series – Incident Response

• SIMM 5340-A Incident Reporting and Response Instructions (PDF) ^{Updated January 2024}
• SIMM 5340-C Requirements to Respond to Incidents Involving a Breach of Personal Information (PDF) ^{Updated August 2025}

SIMM 5345, 5350, 5355 Series – Security Architecture

• SIMM 5345-A Vulnerability Management Standard (PDF) ^{Updated April 2025}
• SIMM 5350-A Zero Trust Architecture Standard (PDF) ^{New September 2025}
• SIMM 5350-B Zero Trust Architecture Roadmap (XLSX) ^{Updated December 2025}
• SIMM 5355-A Endpoint Protection Standard (PDF) ^{Updated January 2019}
• SIMM 5355-B Server Hardening Standard ^{Updated October 2024}

SIMM 5360 Series – Telework, Remote Access, & Authentication

• SIMM 5360-A Telework and Remote Access Security Standard ^{Updated November 2024}
• SIMM 5360-B Remote Access Agreement (PDF) ^{Updated January 2018}
• SIMM 5360-C Multi-Factor Authentication (PDF) ^{Updated May 2023}
• SIMM 5360-D Multi-Factor Authentication Supplemental (PDF) ^{Updated May 2023}

Other OIS documents

• SAM 5300 People, Process and Technology: A Navigational Guide for Agency/State Entities to Achieve Effective Information Security (PDF) ^{Updated September 2022}
• California Compliance and Security Incident Reporting System (CAL-CSIRS)
• Cal-CSIRS Designee Request Form (DOCX) ^{Updated February 2020}
• Cal-CSIRS Designee Request Form Instructions (DOCX) ^{Updated July 2019}
• Cal-CSIRS Reset Instructions (PDF) ^{Updated July 2019}
• Cal-CSIRS FAQs (PDF) ^{Updated January 2018}
• SAFE Designee Request Form