California State Government Cybersecurity Standards and Requirements

California state government agencies operate under a layered set of cybersecurity mandates issued by the California Department of Technology (CDT), the California Military Department's Office of Information Security, and the California Government Operations Agency. This page covers the specific standards, frameworks, and compliance obligations that apply to California executive branch departments, with particular attention to the Statewide Information Management Manual (SIMM) series, the California Cybersecurity Integration Center (Cal-CSIC), and the interplay between state-level requirements and federal frameworks. Understanding these boundaries matters because California manages more than 150 executive branch departments and agencies, each responsible for protecting systems that hold sensitive data on tens of millions of residents.


Definition and scope

California state government cybersecurity standards are the mandatory technical and administrative controls that executive branch departments must implement, document, and maintain. The primary governing authority is the California Department of Technology, which publishes binding requirements through the SIMM series — specifically SIMM 5305-A, the Information Security Program policy, and SIMM 5310-A, which covers Risk Management. These documents define minimum baseline expectations for access control, incident response, contingency planning, configuration management, and audit logging.

The California Government Code §11549.3 formally designates the CDT Director as the state Chief Information Officer and grants rulemaking authority over information security policy across all executive branch entities. Legislative authority for specific breach notification requirements appears in California Civil Code §1798.29, which applies to government agencies, and §1798.82, which applies to businesses.

Scope coverage: These standards apply to California executive branch departments, boards, commissions, and offices under the Governor's direct authority. They do not automatically apply to the California Legislature, California courts, the University of California system (which operates under its own regents), or California State University campuses (governed separately by the CSU Board of Trustees). Local governments — counties, municipalities, and special districts — face different requirements detailed on the California Cybersecurity for Local Governments page. Federal agencies operating within California boundaries are outside this scope and are governed by FISMA and NIST frameworks at the federal level.


How it works

California state cybersecurity compliance operates through a structured annual cycle coordinated by the CDT. The mechanism breaks into five discrete phases:

  1. Risk Assessment — Each department conducts an annual information security risk assessment aligned to SIMM 5305-A. Assessments must reference the NIST Risk Management Framework (RMF), as directed by CDT guidance that explicitly incorporates NIST SP 800-37 and NIST SP 800-53.
  2. Security Plan Development — Departments document their control environments in a System Security Plan (SSP). The SSP must address all 20 control families listed in NIST SP 800-53 Rev 5 and map identified gaps to a Plan of Action and Milestones (POA&M).
  3. Annual Reporting — Departments submit a Security Compliance Assessment (SCA) to the CDT each fiscal year. CDT aggregates departmental submissions to produce a statewide security posture report presented to the Legislature.
  4. Incident Notification — Agencies must report confirmed or suspected security incidents to Cal-CSIC within one hour of identification under CDT policy. Cal-CSIC, which sits within the California Military Department, coordinates state response alongside the California Highway Patrol's High Technology Theft Apprehension and Prosecution Program (HTTAPP).
  5. Continuous Monitoring — The CDT operates the Security Operations Center (SOC) service available to departments. Enrollment is mandatory for departments classified as Tier 1 critical systems under SIMM 5305-A definitions.

For a broader conceptual walkthrough of how California's cybersecurity governance model functions end-to-end, the How California Cybersecurity Works: Conceptual Overview page provides additional context on interagency coordination.


Common scenarios

Three operational scenarios illustrate how these standards activate in practice.

Scenario 1 — New system deployment: A California Department of Public Health division deploys a new case management system. Before go-live, the department must complete a Security Authorization (formerly called Certification and Accreditation), including a Privacy Impact Assessment (PIA) required under California's Information Practices Act (Civil Code §1798 et seq.). The system must meet CDT's cloud security standards if hosted on a third-party platform — a requirement grounded in SIMM 5305-A Section 7. Cloud-specific compliance considerations are covered further on California Cloud Security Compliance.

Scenario 2 — Data breach involving personal information: If a state agency discovers unauthorized access to a database containing Social Security numbers, California Civil Code §1798.29 requires notification to affected individuals "in the most expedient time possible." There is no hard statutory deadline expressed in days for government agencies under §1798.29 (unlike some private-sector breach laws in other states), but CDT's own incident response policy requires internal escalation within one hour and formal breach determination within 72 hours. The California Data Breach Notification Law page addresses notification mechanics in depth.

Scenario 3 — Third-party vendor access: A state department contracts with a software vendor for payroll processing. Under SIMM 5305-A, the department retains security responsibility even when data is processed externally. The contract must include security requirements, right-to-audit clauses, and breach notification obligations binding on the vendor. This intersects with the California Third-Party Vendor Risk Management framework.


Decision boundaries

Understanding what distinguishes state government cybersecurity requirements from adjacent frameworks prevents compliance confusion.

State government vs. private sector: California private-sector organizations are not subject to SIMM or CDT policy. They operate under the California Consumer Privacy Act (CCPA) and its successor provisions — the CPRA — enforced by the California Privacy Protection Agency (CPPA). The CPPA's enforcement role is documented on California Privacy Protection Agency Cybersecurity Role. State agencies, by contrast, are exempt from CCPA under Civil Code §1798.145(c)(1) but must comply with the older California Information Practices Act.

Mandatory vs. advisory controls: SIMM 5305-A distinguishes between mandatory baseline controls (labeled "SHALL" in the text) and recommended enhancements ("SHOULD"). Departments cannot self-exempt from SHALL requirements without formal CDT waiver approval. This mirrors the NIST SP 800-53 "required" vs. "organization-defined" control structure.

Sector-specific overlays: Departments handling health data must satisfy both CDT requirements and the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule (45 CFR Part 164). HIPAA's requirements in healthcare contexts are addressed on California Healthcare Cybersecurity. Departments involved in financial transactions may also face the federal Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, which the FTC administers.

Cal-CSIC vs. CDT roles: CDT sets policy and enforces compliance through the SCA process. Cal-CSIC operates as the operational threat intelligence and incident response hub, sharing indicators of compromise with departments but not issuing binding policy. This division is analogous — though not identical — to the federal CISA/OMB split, where CISA handles operational response and OMB enforces policy through FISMA.

Readers building a working vocabulary around these distinctions will find the California Cybersecurity Terminology and Definitions reference useful. For the full regulatory context, including federal-state coordination mechanisms, see Regulatory Context for California Cybersecurity.

