Subject:
SIMM 5350-A Zero Trust Architecture Standard and SIMM 5350-B Zero Trust Architecture Roadmap
References:
Government Code (GC) Section 11549.3
State Administrative Manual (SAM) 5350
Statewide Information Management Manual (SIMM) 5350-A, 5350-B
Background:
As outlined in Government Code (GC) Section 11549.3, the Office of Information Security (OIS) is entrusted with creating, issuing, and maintaining policies, standards, and procedures, overseeing information security risk management for agencies and state entities, providing information security and privacy guidance, and ensuring compliance with State Administrative Manual (SAM) Chapter 5300 and Statewide Information Management Manual (SIMM) section 5300.
SAM 5350 Operational Security requires state entities to develop and maintain a network security architecture that aligns with specified controls and best practices. To expand on the system architecture requirements in SAM 5350, two new additions to the SIMM library are being introduced: SIMM 5350-A Zero Trust Architecture Standard and SIMM 5350-B Zero Trust Architecture Roadmap. Zero Trust Architecture (ZTA) is crucial for state governments to ensure digital trust. By continuously validating every user, service, and device, whether inside or outside a network, ZTA reduces the risk of data breaches and cyberattacks.
Purpose:
The purpose of this Technology Letter (TL) is to announce two new entries to the SIMM library:
- SIMM 5350-A Zero Trust Architecture Standard, which includes:
  - Definitions of the tenets of zero trust architecture from the National Institute of Standards and Technology's (NIST) Special Publication 800-207.
  - Definitions of the Zero Trust Pillars, designed to augment adherence to the zero trust tenets, as described in the Cybersecurity and Infrastructure Security Agency's (CISA) Zero Trust Maturity Model documentation.
  - The requirement to record, in the Risk Register and Plan of Action and Milestones (SIMM 5305-C), any system for which a required SIMM 5350-B ZTA security control cannot be implemented, identifying it as a risk.
  - The requirement for entities to assess and report their progress in implementing ZTA principles, and descriptions of the four ZTA maturity levels.
- SIMM 5350-B Zero Trust Architecture Roadmap, which includes:
  - Definitions of ZTA Core and Supporting components.
  - A list of State Baseline and Optimized roadmap elements, grouped by Maturity Level, that entities should progress towards.
  - Mapping between ZTA components and NIST SP 800-53 controls.
  - Supplemental mapping between ZTA components and the NIST Cybersecurity Framework (CSF) 2.0.
Questions:
Direct questions regarding this Technology Letter to the Department of Technology, Office of Information Security at security@state.ca.gov.
Signature:
On file
Liana Bailey-Crimmins, State CIO and Director
California Department of Technology