California Cybersecurity Public Resources and References

Public cybersecurity resources published by government agencies, federal bodies, and academic institutions give California residents, businesses, and public-sector employees authoritative guidance without requiring private consultation. This page catalogs the major portals, educational programs, and statutory references organized by source type and jurisdiction. Understanding where reliable information originates — and which gaps fall outside any single source's scope — helps organizations apply the correct framework to their specific operating context. The resources listed here span federal standards bodies, California-specific statutes, and interagency coordination structures that collectively shape the state's cybersecurity environment.


Scope and Coverage Limitations

The resources documented on this page apply primarily to entities operating under California jurisdiction, including private businesses subject to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), state agencies governed by the California Department of Technology (CDT), and local governments bound by California Government Code obligations. Federal resources listed here apply nationally but are included because they set baseline standards that California law frequently incorporates by reference.

This page does not cover legal advice, sector-specific compliance roadmaps, or enforcement procedures — those boundaries are addressed in Regulatory Context for California Cybersecurity. International frameworks such as the EU's General Data Protection Regulation (GDPR) fall outside this page's scope unless their requirements intersect with CCPA cross-border data transfer provisions. Entities operating exclusively under federal contracts may face requirements from CMMC (Cybersecurity Maturity Model Certification) that are not fully reflected in state-level portals.

Readers building a foundational understanding of how state and federal layers interact should review How California Cybersecurity Works: Conceptual Overview alongside the resources below.


Agency Portals

State and federal agency portals serve as the authoritative starting point for compliance documentation, threat advisories, and statutory text.

California Department of Technology (CDT) — Office of Information Security (OIS)
The CDT OIS (cdt.ca.gov/security) maintains the statewide information security policy in State Administrative Manual (SAM) Chapter 5300 and the implementing standards and procedures in the Statewide Information Management Manual (SIMM) 5300 series, which together bind all state agencies. SIMM 5305-A specifies risk assessment requirements; SIMM 5340-A addresses incident response. These documents are publicly accessible and revised on a scheduled review cycle, so agencies should cite the revision date of the copy they implement.

California Privacy Protection Agency (CPPA)
The CPPA (cppa.ca.gov) administers and enforces the CCPA as amended by the CPRA. Its rulemaking page hosts proposed and finalized regulations implementing California Civil Code §1798.100 et seq. The Agency's public board meetings and regulatory notices are archived and searchable without registration.

Cybersecurity and Infrastructure Security Agency (CISA)
CISA (cisa.gov) coordinates federal civilian cybersecurity and publishes the Known Exploited Vulnerabilities (KEV) catalog, which lists vulnerabilities with confirmed exploitation in the wild. Under Binding Operational Directive 22-01, federal civilian executive branch agencies must remediate each KEV entry by its listed due date; the catalog is not binding on California entities, but it is a practical prioritization signal because the feed is machine-readable (JSON and CSV) and each entry carries a vendor, product, date added, due date, and a known-ransomware-use flag. Absence from KEV is not evidence that a vulnerability is unexploited; it only means CISA has not confirmed exploitation. CISA's Region 9 office, which covers California, participates in critical infrastructure protection through the 16 critical infrastructure sectors framework. The California Critical Infrastructure Protection page explores that sector breakdown in detail.
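The following is an added example for this page, not CISA's code, showing the way a practitioner typically consumes the KEV feed: load the catalog, match it against a per-asset CVE list from a scanner or SBOM tool, and flag entries that are past their due date or associated with ransomware. The catalog records and the inventory below are constructed sample data written in the published KEV JSON field layout (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse); the dates and flags are illustrative and should be refreshed from the live feed before use.

```python
"""Prioritize an asset's CVEs using the CISA KEV catalog (added example).

The KEV feed is published as JSON; this script parses a CONSTRUCTED sample in
the same field layout so it runs offline.  Replace SAMPLE_KEV_JSON with the
text of the downloaded feed to use it for real.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample catalog in the KEV JSON layout.  Entries use real CVE IDs,
# but the dates and flags here are illustrative, not copied from the live feed.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
         "product": "NetScaler ADC and NetScaler Gateway",
         "dateAdded": "2023-10-18", "dueDate": "2023-11-08",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks",
         "product": "PAN-OS", "dateAdded": "2024-04-12", "dueDate": "2024-04-19",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: hostname -> CVEs reported by a scanner or SBOM tool.
# CVE-2023-38545 is not in the sample catalog, so it is not flagged; that does
# not mean it is harmless, only that KEV carries no confirmed-exploitation signal.
SAMPLE_INVENTORY = {
    "web-01": ["CVE-2021-44228", "CVE-2023-38545"],
    "vpn-01": ["CVE-2024-3400"],
    "adc-01": ["cve-2023-4966"],  # lower-case on purpose; matching is case-insensitive
}


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    date_added: date
    due_date: date
    ransomware_use: bool


@dataclass(frozen=True)
class Finding:
    asset: str
    cve_id: str
    product: str
    due_date: date
    overdue: bool
    ransomware_use: bool


def load_kev(feed_text: str) -> dict[str, KevEntry]:
    """Parse KEV JSON text into a dict keyed by upper-case CVE ID."""
    feed = json.loads(feed_text)
    entries: dict[str, KevEntry] = {}
    for v in feed["vulnerabilities"]:
        cve_id = v["cveID"].upper()
        entries[cve_id] = KevEntry(
            cve_id=cve_id,
            vendor=v["vendorProject"],
            product=v["product"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            # The feed uses the strings "Known" / "Unknown" for this field.
            ransomware_use=v.get("knownRansomwareCampaignUse", "Unknown") == "Known",
        )
    return entries


def assess(inventory: dict[str, list[str]], kev: dict[str, KevEntry],
           as_of: date | str) -> list[Finding]:
    """Return KEV-listed findings for the inventory, most urgent first."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    findings = []
    for asset, cves in inventory.items():
        for cve_id in cves:
            entry = kev.get(cve_id.upper())
            if entry is None:
                continue  # not in KEV; still track it through normal patching
            findings.append(Finding(asset, entry.cve_id, entry.product, entry.due_date,
                                    overdue=as_of > entry.due_date,
                                    ransomware_use=entry.ransomware_use))
    # Overdue first, then ransomware-linked, then earliest due date.
    findings.sort(key=lambda f: (not f.overdue, not f.ransomware_use, f.due_date, f.asset))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return {"total": len(findings),
            "overdue": sum(f.overdue for f in findings),
            "ransomware": sum(f.ransomware_use for f in findings)}


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    results = assess(SAMPLE_INVENTORY, catalog, "2024-04-15")
    for f in results:
        print(f"{f.asset:8} {f.cve_id:16} due {f.due_date} "
              f"{'OVERDUE' if f.overdue else 'open':8} ransomware={f.ransomware_use}")
    print(summarize(results))
```

Run against the real feed by replacing SAMPLE_KEV_JSON with the downloaded catalog text; the due date reflects CISA's federal deadline, which a California organization can treat as an external benchmark rather than a legal obligation.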

Federal Trade Commission (FTC)
The FTC (ftc.gov/datasecurity) publishes data security guidance for commercial entities, grounded in its authority under Section 5 of the FTC Act to act against unfair or deceptive practices; the guidance itself is not a rule, but the enforcement actions it summarizes show what the Commission has treated as unreasonable security. The Safeguards Rule (16 CFR Part 314), whose amended requirements took effect June 9, 2023, applies to non-banking financial institutions and sets specific administrative, technical, and physical safeguard requirements, including a written risk assessment, encryption of customer information in transit and at rest, multi-factor authentication for access to customer information, and a designated qualified individual responsible for the program.


Public Education Sources

Educational resources from recognized institutions and standards bodies provide methodology and vocabulary without statutory authority.

NIST National Cybersecurity Center of Excellence (NCCoE)
The NCCoE (nccoe.nist.gov) publishes practice guides (NIST SP 1800 series) addressing specific cybersecurity challenges, including identity management, data integrity, and mobile device security. These guides are freely downloadable and describe reference architectures with named commercial and open-source components.

NIST Cybersecurity Framework (CSF) 2.0
Released in February 2024, NIST CSF 2.0 (nist.gov/cyberframework) expanded the original five core functions — Identify, Protect, Detect, Respond, Recover — to six by adding "Govern." California state agencies are encouraged by CDT OIS to align with CSF as part of enterprise risk management. The framework's profile and tier system allows organizations to benchmark maturity without mandatory adoption at the state level.

Center for Internet Security (CIS)
CIS (cisecurity.org) publishes the CIS Controls (v8 as of this version), a prioritized set of 18 control groups covering asset inventory, data protection, secure configuration, and incident response. CIS Benchmarks for specific operating systems and platforms are freely available and widely referenced in California procurement requirements for technology vendors.

Readers seeking definitions of terms used across these frameworks should consult California Cybersecurity Terminology and Definitions.


Federal Resources

Federal resources set the legal and technical floor upon which California-specific requirements are layered.

  1. NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations (csrc.nist.gov/publications/detail/sp/800-53/rev-5/final). Mandatory for federal information systems under FISMA (through FIPS 200); used as the reference control baseline by California state agencies through CDT policy.
  2. NIST SP 800-171 — Protecting Controlled Unclassified Information in Nonfederal Systems. California defense contractors and university research institutions handling CUI under federal contracts or grants must meet its requirements. Rev. 2 contains 110 requirements; Rev. 3 (published May 2024) restructures them into 97. Which revision applies is set by the contract clause or program (CMMC assessments, for example, are tied to a specific revision), so confirm the cited revision before scoping an assessment.
  3. CISA Shields Up (cisa.gov/shields-up) — Operational advisories issued during elevated threat periods, including actionable checklists for organizations of all sizes.
  4. FBI Internet Crime Complaint Center (IC3) (ic3.gov) — Accepts cybercrime reports and publishes annual Internet Crime Reports with state-level breakdowns. California ranked first in victim count and losses in the IC3 2023 Internet Crime Report, with losses exceeding $2.1 billion reported by California complainants (IC3 2023 Annual Report).
  5. Department of Health and Human Services Office for Civil Rights (HHS OCR) (hhs.gov/hipaa) — Publishes HIPAA Security Rule guidance and breach notification requirements affecting California's healthcare sector, which is further addressed in Healthcare Cybersecurity California.

State-Level Resources

California-specific statutes, agencies, and programs address the regulatory layer that applies within state borders.

California Civil Code §1798.29 and §1798.82 — Data Breach Notification
These statutes require notification of affected California residents when personal information is breached: §1798.29 applies to state agencies and §1798.82 to businesses and other persons that own or license computerized personal information. The duty is triggered when the data was unencrypted, or was encrypted but the encryption key or credential was, or is reasonably believed to have been, acquired as well. When a single breach affects more than 500 California residents, a sample copy of the notice must also be submitted to the Attorney General. The Office of the Attorney General's data breach report archive (oag.ca.gov/privacy/databreach) publicly catalogs those submitted notices, providing a historical record of incident frequency and affected industries. Breach notification requirements are examined in depth on the California Data Breach Notification Requirements page.

California Government Code §11549.3 — OIS Authority
This code section grants the CDT Office of Information Security authority to establish statewide information security policy and to oversee compliance across state entities. The statute creates the accountability structure under which SIMM 5300 series policies carry regulatory weight.

Cal-CSIC (California Cybersecurity Integration Center)
Cal-CSIC (caloes.ca.gov/cybersecurity) operates under the California Governor's Office of Emergency Services (Cal OES) and serves as the primary threat intelligence sharing hub for state and local agencies. Cal-CSIC coordinates with CISA, the FBI, and sector-specific Information Sharing and Analysis Centers (ISACs).

California Cybersecurity Task Force
Convened in 2013 and co-led by Cal OES and CDT, with the California Military Department among its participating agencies, the Task Force coordinates workforce development, public-private partnerships, and threat awareness programs across California's 58 counties. Its public reports are available through the Cal OES and California Military Department portals.

SB 327 — IoT Security Law
California Civil Code §1798.91.04 (effective January 1, 2020) requires manufacturers of connected devices sold in California to equip each device with security features that are appropriate to the device's nature and function and to the information it collects, and designed to protect the device and its data from unauthorized access, destruction, use, modification, or disclosure. For devices that authenticate users from outside a local area network, the statute deems it reasonable either to give each device a unique preprogrammed password or to require the user to set a new credential before first access; shared default passwords across a product line do not qualify. This was the first state IoT security law enacted in the United States. Full statutory analysis appears on the California IoT Security Law SB-327 page.

For an integrated view of how all these resources connect within the state's cybersecurity ecosystem, the California Cybersecurity Authority home provides a structured entry point organized by topic and audience type.

Citations verified Feb 25, 2026.
