Technology Letter 23-01

May 2023

SUBJECT:

Multi-Factor Authentication Standard

REFERENCES:

Statewide Information Management Manual (SIMM) 5305-A

Federal Information Processing Standards (FIPS) 199

National Institute of Standards and Technology’s (NIST) Special Publication 800-63B

NIST Special Publication 800-207

Print page

BACKGROUND:

As California continues to mature their businesses and processes, there has been a heavy integration of information technology to ensure the confidentiality, integrity, and timeliness of serving the public. With the increased use of information technology, it also attracts cyber threat-actors to attempt to take advantage of vulnerabilities and compromise digital identities that provide access to sensitive information assets.

Threat-actors will utilize cyber-attacks and social engineering tactics to compromise digital identities within publicly accessible information assets and systems. Once compromised, threat-actors often attempt to carry out a wide range of malicious activities including financial fraud, exfiltrating government, personal or corporate data, and spreading malware.

To mitigate the risk of unauthorized access from compromised digital identities, Multi-Factor Authentication (MFA) provides an extra layer of security. MFA requires an additional form of authentication for user accounts, which makes it much more difficult for threat-actors to gain access to an information asset, even if a user account had their password stolen.

PURPOSE:

The purpose of this Technology Letter (TL) is to announce:

    • SIMM 5360-C is a new standard in support of SAM 5360, Identity and Access Management. It contains instructions, workflows, processes, and security controls to ensure compliant and secure authentication for information assets.
    • SIMM 5360-D contains frequently asked questions about the MFA Standard, SIMM 5360-C, and provides hypothetical real-world examples of how an entity would implement MFA based on the processes and workflows defined in SIMM 5360-C.
    • Any publicly accessible information asset that stores, processes, transmits or visually presents confidential, sensitive, or personal information will be subjected to SIMM 5360-C & D. Digital Identities for information assets will be required to have an additional form of authentication based on the information assets Authenticator Assurance Level defined in SIMM 5360 C & D. This will provide an additional layer of security, which will help reduce risk of nefarious activities by internal and external threats.
    • This TL also serves as a notice that all State entities must work toward a Zero Trust Architecture (ZTA) model as outlined in NIST 800-207. Refer to the Cybersecurity Infrastructure Security Agency (CISA) Zero Trust Maturity Model Version 2.0. By May 2024, all State agencies/entities must have assessed, planned, and implemented the “Initial” maturity stage of each of the five pillars including Identity, Devices, Networks, Applications & Workloads, and Data.

QUESTIONS:

Direct questions regarding this Technology Letter to the Department of Technology, Office of Information Security at security@state.ca.gov.    

SIGNATURE:

On file
Liana Bailey-Crimmins, Director
California Department of Technology