|Date of Release
|Summary of Changes
|California Information Security Office
|New FAQ in support of SIMM 5305-B and 5305-C
|California Information Security Office
|Revision in support of updates to SIMM 5305-B and 5305-C
|California Information Security Office
|Additional questions added
Why are we being asked to do this? This seems to be more work without a purpose.
The purpose is to provide state entities with a tool and associated procedures to record and report deficiencies in a standardized way so that the Office of Information Security (OIS) may better track gaps and completion of remediation activities and provide a means to better measure the State’s overall risk. Where possible, OIS may also be able to better assist the state entity with their challenges.
The new design provides an Executive Summary dashboard on risk identification and remediation progress and allows for additional documentation of risk response to include treatment, compensating controls, transfer, acceptance, and avoidance. It also provides improved functionality requested by the stakeholder community and calculation of days open and documentation of Budget Change Proposal (BCP) progress.
Why are we being asked for the director signature?
Ultimately, the state entity head is responsible for policy compliance. The State Leadership Accountability Act (SLAA) (GC 13405) requires the state entity head to identify and report all inadequacies or weaknesses in a state agency’s systems of internal control. The POAM supports this reporting requirement. Each Agency/state entity director should be knowledgeable about the information requirements and information management practices of the Agency/state entity and should provide active leadership in the exploration of new opportunities to use IT. (SAM 4800, 5300.3, 20070)
The details you are asking for are minimal and not of sufficient detail for the OIS to manage the risks.
It is the responsibility of each state entity to manage their risks. This tool is designed to collect the most basic of information and provide a statewide view of California’s cyber security risks. This view will be enhanced, when necessary, by contacting the state entity. The data derived from the tool will also provide a means to assess state entity’s prioritization of information security activities and their tasking individuals to address program gaps and areas of noncompliance in a timely manner.
Our department already has a plan on file with the OIS, but it is not in this format. Will those suffice until completed or do I need to resubmit using this new format?
All existing plans must be updated to the new format for consistency and data correlation and submitted to OIS by April 30, 2022.
Our department is already using an enterprise-wide system to collect this information and so much more. Can we simply submit a report generated by our system?
No. You must transfer information from your system to this tool. We kept the number of reporting cells to a minimum to limit impact. It is the goal of OIS to implement a statewide system in the future that will provide all state entities a robust, web-based reporting, tracking, and managing capability. Until that is available, this reporting tool will be used.
I’m still not sure exactly what I am to report on. Audit findings only?
OIS requires state entities to submit a Risk Register and POAM for all security compliance deficiencies and significant Information Security and Privacy risks that cannot be immediately addressed. These risks can be identified during numerous activities, including ISP Audits, ISAs, third-party assessments, project-identified, or self-assessments.
Here are some examples:
- Your entity has an overlap in a designated position such as the Information Security Officer and the Technology Recovery Program Coordinator.
- The California Department of the Military performs an ISA, and the report lists 23 systems (clients and servers) that do not have the latest security patch installed and you will not be able to patch these systems immediately. You will not report 23 deficiencies. Using the tool, you will report on 2 rows, 1 for the clients and 1 for the servers.
- The California Department of the Military performs an ISA, and the report lists a high phishing rate of over 15%.
- Each year, your entity completes a Risk Management and Privacy Program Compliance Certification (SIMM 5330-B). Your entity is not able to certify 100% compliance to all sections of SAM and SIMM.
- Your entity has received an Information Security Program (ISA) Audit Report that lists 25 findings. You will report each finding in its own row, for a total of 25 rows. Include the Finding #, and specific “Condition” language of the finding.
- You have reported 9 critical systems on the Technology Recovery Program Certification (SIMM 5325-B) but have not completed a risk assessment for each system in Cal-CSIRS.
- You submit a Technology Recovery Plan to OIS and receive feedback indicating an area where you are lacking minimum requirements.
- An information security incident occurs, and you find that a control is missing that allowed the incident to occur. Your entity is not able to immediately “fix” that missing control.
- During the annual update and testing of your TRP, your entity discovers a critical step in recovering your mission critical computer systems is missing.
- Microsoft announces they will no longer support a specific server operating system after a future date, and you have several such servers in production. Although that end-of-life (EOL) date has not arrived, your department will likely not retire the EOL system in time. Begin reporting this as a risk in the POAM report as soon as that determination is formulated.
How often does the department need to provide progress updates?
Unless otherwise directed, progress updates must be submitted to OIS every quarter on the last business day (Jan, Apr, Jul, Oct). Due to the nature of the information, submitters are to use the SAFE system provided for this purpose.
Do we submit a separate POAM for each risk, each SIMM certification, or each audit/assessment; or do you want a single consolidated POAM?
The latter. Reporting entities shall maintain only one master POAM that records all applicable security audit findings, compliance deficiencies, security risks, incident remediation activities, or other gaps in the entities’ information security program. This master POAM must be kept updated at all times. Each distinct audit and military ISA finding should be entered on a separate line.
We have CMD ISA findings. How do we document these on the POAM?
In column F select “CMD ISA” as the source. Enter each task on a separate finding line. In column D enter the information provided to you about the most recent finding by CMD for each task from your CMD report. Include the Task number (i.e. Task 10.1).
We have ISP Audit findings. How do we document these on the POAM?
In column F select “ISP Audit” as the source. Enter each audit finding on a separate finding line. In column D enter the information provided to you about the finding by advisory services. Include the ID number (i.e. ID.BE-5).
We have repeat ISP Audit findings or CMD ISA Findings from previous years that we had marked as completed. How do we document these on the POAM?
Please do not add a new finding. Enter the data in the previous POAM entry (completed items should be hidden, not removed). In column D enter the current information provided to you about the repeat finding. Do not change When First Identified Field (Column N) or Start Date (Column O). All other fields may be updated as necessary.
We deleted a finding that we had marked as completed. How do we document these on the POAM?
Refer to your past POAM submissions and add the original finding to your current submission.
What do the different Risk Response Categories mean in column G?
Mitigate (See POAM) should be selected if you intend to remediate the risk.
Compensating Controls (Interim) should be selected if you are using compensating controls to reduce the risk but you are not able to completely address the risk at this time. Compensating Controls are meant to be temporary. Enter the compensating controls in Column H and revisit the item not less than quarterly. Add the last date of review in column I after plan documentation. Change the status in column U to “Completed.”
Transfer of risk is an agreement in which one party agrees to pay another to take responsibility to mitigate specific losses that may or may not occur, such as cybersecurity insurance. Risk cannot be transferred in its entirety. Residual risk is documented in column I. You must revisit the item not less than quarterly. Add the last date of review in column I after plan documentation. Change the status in column U to “Completed.”
Accept is selected after it is determined acceptance is within the state entities risk tolerance as aligned with the state entity-wide information security, privacy and risk management strategy. Which includes documentation and use of a clear expression of risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, and a process for consistently evaluating risk across the organization with respect to the state entity’s risk tolerance, and approaches for monitoring risk over time. Risk Acceptance is approved by entity program business area/directorate and entity director with the understanding of risks associated with taking no remediation actions (data breach, system disruption, data loss, loss of revenue, etc.). Review applicable policy and standards to ensure that the risk acceptance and requisite documentation is in alignment (SAM 5305, SAM 5305.1, SAM 5305.2, SAM 5305.6, SAM 5305.7, SAM 5305.9). Projected remediation cost identified from the risk assessment must still be entered. You must revisit the finding quarterly and note the last date of review in Plan of Action column I. Change the status in column U to “Completed.” (See NIST SP 800-53: Risk Assessment (RA))
Avoid is selected if you have stopped using the technology associated with the risk. Change the status in column U to “Completed.”
Once we report a risk as “Completed” may we remove it?
No, however you can hide Completed findings using the hide functionality in Excel. Do not hide those that must be revisited quarterly.
Can we sort fields?
Yes, each field enables you to sort your findings and limit the display of findings.
The finding belongs in many NIST families. Can I select more than one?
No, please select only one, the one that is most applicable to the risk. Use the Overview of Domains Tab to see all available NIST families.
How do I determine Projected Remediation Cost?
If actual costs are known, enter actual costs. If the finding is from an ISA, the estimated costs may be in your ISA report. For all other findings, please enter your best estimate. Include personnel hours, vendor and consultant costs, hardware and software, training (both end-user and technical), ongoing maintenance costs (such as yearly licensing and support) and any other related costs in your analysis.
How do we submit a BCP?
The Department of Finance provides resources to help you navigate the process. An example of a BCP Process at the Department of General Services is also provided below:
California’s Budget Process (Department of Finance)
Basic overview of a BCP Process (Example) (Department of General Services) Good Budget Change
Proposals Overview (Department of Finance)
How to Write an Effective Budget Change Proposal (Department of Finance)
BCP Search (Department of Finance)
Do we need to provide a projected remediation cost (column W) for the completed deficiencies/risks or is that only required for items that are still in progress?
Projected remediation cost (column W) is only required for items that have not been remediated. Items that are currently being mitigated or must be revisited require projected remediation cost.
If we do not have a BCP what should we put in the BCP columns?
Columns X through AB should be left blank. If the barrier is budget or staff resource related and a BCP is not in progress, address the plan to overcome the barrier in the Plan of Action column (column I).
Under SAM & SIMM Policies (Column C) there is an option for 5310.8 SECURITY SAFEGUARDS. However, SAM lists 5310.8 PRIVACY THRESHOLD AND PRIVACY IMPACT ASSESSMENTS. Which is correct?
5310.8 PRIVACY THRESHOLD AND PRIVACY IMPACT ASSESSMENTS. An update will be made. Until then, for SAM 5310.8, select 5310.8, SECURITY SAFEGUARDS.
How is the Risk Rating determined?
Table 1: Impact Rating
|Very high risk means that a threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, the State, or the Nation.
|High risk means that a threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, the State, or the Nation.
|Moderate risk means that a threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, the State, or the Nation.
|Low risk means that a threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, the State, or the Nation.
|Very low risk means that a threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, other organizations, the State, or the Nation.
Table 2: Risk Rating Chart
Questions regarding the implementation of SIMM 5305-C may be sent to:
California Department of Technology
Office of Information Security
Office of Information Security
Risk Register and Plan of Action and Milestones
Frequently Asked Questions (FAQs)| April 2022