Technology Letter 23-04

December 2023

SUBJECT:

Information Security and Privacy Program Compliance Certification for Independent and Constitutional Offices

REFERENCES:

Government Code (GC) 7929.21, 11000 and 11549.3

State Administrative Manual (SAM) 5300.2

Statewide Information Management Manual (SIMM) 5305-C, 5330-B, 5330-C, and 5330-F


BACKGROUND

Pursuant to Government Code (GC) 11549.3(f), every independent and constitutional state agency, as defined in GC 11000, shall submit to the California Department of Technology (CDT), by February 1st of each year, a self-certification of its compliance with the policies, standards, and procedures adopted pursuant to that subdivision. Reporting and compliance requirements for those agencies now include:

    • Adopt and implement information security and privacy policies, standards, and procedures that adhere to the requirements of GC 11549.3(f)(1)(A)
    • Perform a comprehensive independent security assessment every two years pursuant to GC 11549.3(f)(1)(B)
    • File a self-certification of compliance with CDT annually by February 1st pursuant to GC 11549.3(f)(4)(A)
    • File a Plan of Action and Milestones (POAM) with CDT annually pursuant to GC 11549.3(f)(4)(A)

CDT has developed a self-certification form, Statewide Information Management Manual (SIMM) 5330-F, Information Security and Privacy Program Compliance Certification for Independent and Constitutional Offices, to help these agencies meet the new mandate.

PURPOSE:

The purpose of this Technology Letter (TL) is to announce:

    • The Office of Information Security (OIS) has published the SIMM 5330-F, Information Security and Privacy Program Compliance Certification for Independent and Constitutional Offices.
    • SIMM 5330-F provides a self-certification for independent and constitutional agencies, as defined in GC 11000, attesting that:
      • Their information security and privacy policies, standards, and procedures adhere to GC 11549.3(f)(1)(A)
      • They perform a comprehensive independent security assessment every two years pursuant to GC 11549.3(f)(1)(B)
    • SIMM 5330-F outlines their reporting mandates to CDT pursuant to GC 11549.3(f)(4)(A), which include submission of their POAM.
    • All other agencies/state entities under the executive branch are to continue to use SIMM 5330-B, Information Security and Privacy Program Compliance, as their self-certification and are to continue to report quarterly on the schedules outlined in SIMM 5330-C, Information Security Compliance Reporting Schedule.
    • Agencies defined in GC 11000 will now be offered the same assistance and services that are provided to agencies/state entities under the executive branch and can leverage CDT to help meet their legal and compliance mandates. All services are optional. Services offered include:
      • 24/7 Network Monitoring and Security Event and Vulnerability Notifications (Security Operations Center as a Service)
      • Active Threat Hunting and Scanning
      • Forensic Investigation and Malware Analysis, through the California Cybersecurity Integration Center (Cal-CSIC)
      • Counseling and consultation with the Office of Information Security (OIS) Advisory Program, including the Virtual Chief Information Security Officer (CISO) program and Infusion Team
      • Incident Management through the California Compliance and Security Incident Reporting System (Cal-CSIRS)
      • Information Security Program Audits (ISPA)
      • Independent Security Assessments (ISA), through the California Military Department (CMD)
      • Organizational Risk Assessments with Security Risk Profiles and Maturity Metrics
    • The Advisory Services Program Team at CDT will collaborate with agencies that choose to opt in to facilitate the integration of these services.
    • CDT has launched an engagement initiative to raise awareness of the revised GC 11549.3, communicate with the affected agencies, and promote a collaborative working relationship that collectively fortifies California's cyber resiliency going forward.

QUESTIONS:

Direct questions regarding this Technology Letter to the Department of Technology, Office of Information Security at security@state.ca.gov.

SIGNATURE:

On file

Liana Bailey-Crimmins, Director

California Department of Technology