Subject:
Information Technology (IT) Policies for Generative Artificial Intelligence (GenAI)
Reference:
Executive Order (EO): N-12-23
Assembly Bill (AB): 2013, 2885
Senate Bill (SB): 896
Government Code (GC): 11000, 11545, 11546, 11546.1(e), 11546.7, 11549.63, 11549.63(g), 11549.64, 11549.65, 11549.65(c), 11549.66
State Administrative Manual (SAM): 4819.2, 4819.35, 4940, 4983.1, 4986.1, 4986.2, 4986.3, 4986.4, 4986.5, 4986.6, 4986.7, 4986.8, 4986.9, 4986.10, 4986.11, 4986.12, 4986.13, 5210, 5335
State Contracting Manual (SCM): SCM, Purchasing Authority Standards, 100.3
State Information Management Manual (SIMM): 18B, 19H, 22, 45, 50, 71A, 71B, 140, 141, 5305-F, 5310-C, 5325-A, 5325-B, 5335-A, 5340-A, 5340-C, 5345-A
California Civil Code: 1798.29, 1798.3
National Institute of Standards and Technology (NIST) Artificial Intelligence (AI) Risk Management Framework (RMF), 800-53
Background
The California Executive Order N-12-23 (GenAI EO), signed by Governor Newsom on September 6, 2023, guides the state to prepare for the advancements and potential risks associated with Generative Artificial Intelligence (GenAI). Senate Bill (SB) 896, known as the GenAI Accountability Act, aims to regulate and mitigate risks associated with GenAI technologies in California by requiring transparency, risk assessments, and clear communication when Artificial Intelligence (AI) is used in state government services. In addition, Assembly Bill (AB) 2013 mandates the public disclosure of the data used to train GenAI models, including summaries of the data sets and their sources. Lastly, AB 2885 establishes uniform definitions for AI in California law. Together with the GenAI EO, these new laws emphasize California’s commitment to leading the world in ethical, transparent, and responsible GenAI development and outline measures to ensure the safe and equitable deployment of GenAI.
The Department of Technology (CDT) recognizes the tremendous potential of AI and GenAI to improve the lives of California residents, support the state workforce, and improve the efficiency of services delivered by the state. It also recognizes that the use of AI and GenAI must be guided by principles of fairness, transparency, privacy, security, and accountability to ensure that the systems and technology used are protected.
The GenAI policies described below outline the requirements for the responsible and secure use of GenAI within the State of California. These GenAI policies aim to ensure efficiency, effectiveness, accessibility, confidentiality, integrity, security, and privacy of State data. These policies apply to all GenAI procured or developed by a state entity. Except as otherwise indicated in the specific GenAI policy, these GenAI policies apply to all State Entities, employees, contractors, and authorized users who access, use, or manage GenAI within the State, as applicable. Additionally, processes, procedures, forms, and contract language noted below have been created, revised or updated to align with the GenAI EO, legislation, and policies.
Purpose:
The purpose of this Technology Letter (TL) is to announce the following new and revised policies, processes, procedures, forms, and contract language for GenAI that are effective as of February 20, 2025:
- SAM 4819.2 Definitions: Updates the state Information Technology (IT) definitions based on new California legislation, AB 2885.
- SAM 4986.1 GenAI Policy Introduction: Sets forth the requirements for the responsible and secure use of GenAI within the State. The policy focuses on minimizing risks while ensuring efficiency, confidentiality, and integrity to processes and operations.
- SAM 4986.2 Definitions for GenAI: Provides the definitions specific to the GenAI policy.
- SAM 4986.3 GenAI Use Identification and High-Risk Inventory: Outlines the requirements to identify, track, and maintain an inventory of high-risk GenAI for annual reporting to the State legislature.
- SAM 4986.4 GenAI Training Data and Transparency: Requires transparency about the data used to train GenAI systems and services by posting relevant documentation on the state entity’s websites by January 1, 2026.
- SAM 4986.5 GenAI Hosting: Mandates that any new, expanded, or refreshed GenAI must adhere to the Cloud Computing Policy, SAM 4983.1.
- SAM 4986.6 GenAI Proof of Concept (POC) and Minimum Viable Product (MVP): Mandates that all GenAI POCs be hosted in a CDT “sandbox” environment and all MVPs in a CDT-approved production environment. POCs and MVPs must be tested for feasibility, performance validation, and risk mitigation strategies during these phases.
- SAM 4986.7 IT Projects Utilizing GenAI Planning and Approval: Mandates specific assessments and project planning prior to procuring or developing an IT Project Utilizing GenAI.
- SAM 4986.8 IT Projects Utilizing GenAI Project Management: Requires any State Entity approved to proceed with an IT Project utilizing GenAI to follow the SIMM 19H Project Delivery Lifecycle (PDL) to ensure proper management and oversight.
- SAM 4986.9 GenAI Procurement: Requires compliance with GenAI procurement policies and disclosures as outlined below.
  - SCM, Volume 2, Chapter 23, including but not limited to, GenAI disclosure language for solicitations, updated ITGP (Cloud) and (Non-Cloud) with GenAI terms and conditions, new GenAI Special Provisions as needed, and
  - SAM 4986.9 including but not limited to compliance with security and privacy standards for GenAI and completion of SIMM 5305-F GenAI Risk Assessment.
  - All solicitations and contracts for IT and telecommunications goods and services require disclosure notification that applies to GenAI as a contract deliverable or when GenAI has a material impact on risk, functionality, or contract performance.
- SAM 4986.10 Privacy for GenAI: Requires State Entities using or procuring GenAI to protect data privacy and security according to state and federal laws and policies.
- SAM 4986.11 Security for GenAI: Outlines security incident reporting and compliance requirements for GenAI, including the State Entity’s Incident Response Plan, and prompt reporting of violations to CDT.
- SAM 4986.12 Acceptable Use of GenAI: Requires education and compliance with the Acceptable Use Policy. Prohibits the use of GenAI for illicit, controversial, or biased content. Outlines acceptable use of GenAI.
- SAM 4986.13 GenAI Workforce Training: Requires state personnel to complete the necessary GenAI training relevant to their roles to ensure the proper understanding and use of GenAI.
- SIMM 19H Project Delivery Lifecycle (PDL): Introduces a flexible, innovative, and responsive approach that adapts to rapidly evolving business needs and technologies.
- SIMM 71A Certification of Compliance with IT Policies Instructions: The instructions have been updated to include GenAI requirements.
- SIMM 71B Certification of Compliance with IT Policies Template: The template has been updated to include GenAI requirements.
- SIMM 5305-F GenAI Risk Assessment: Updates include format changes, revised questions, and risk assessment tables. There are two new sections to the document: safeguards and data types.
- Form STD 1000 GenAI Reporting and Factsheet: This statewide form has been retired and is no longer required.
Questions:
Direct questions regarding this Technology Letter to the Department of Technology, State IT Policy Office at ITpolicy@state.ca.gov.
Signature:
On file
Liana Bailey-Crimmins, State Chief Information Officer and Director
California Department of Technology