Process Framework for California Cybersecurity

California's cybersecurity compliance landscape spans multiple intersecting legal frameworks, agency mandates, and technical standards that together define how organizations must identify, respond to, and remediate security risks. This page maps the process architecture that governs cybersecurity work in California — covering the decision points, review stages, triggering conditions, and completion criteria that apply across regulated sectors. Understanding this framework is essential for entities subject to California law, from small businesses to critical infrastructure operators, because procedural failures carry independent legal consequences separate from the underlying security incidents. For foundational context on how these rules operate in practice, the Conceptual Overview of California Cybersecurity provides the underlying mechanisms behind each process layer.


Scope and Coverage Limitations

This page covers cybersecurity process frameworks applicable under California state law and California-specific agency guidance. It does not address federal-only regulatory regimes (such as FISMA for federal agencies, or HIPAA enforcement by HHS at the federal level) except where California law explicitly incorporates or supplements those standards. Entities operating exclusively outside California, federally chartered institutions not subject to California jurisdiction, and tribal entities on sovereign lands fall outside the scope of state-level California frameworks described here. Adjacent federal compliance requirements are treated in the Regulatory Context for California Cybersecurity section of this authority.


Decision Gates

Decision gates are formal checkpoints at which an organization must evaluate whether a cybersecurity event, risk finding, or control gap requires escalation, notification, or documented remediation. California law establishes at least four distinct gate categories:

  1. Materiality determination — Under California Civil Code §1798.29 and §1798.82, a suspected breach must be assessed for whether personal information of California residents was, or is reasonably believed to have been, acquired by an unauthorized party. This gate determines whether the breach notification timeline (45 days under Cal. Civ. Code §1798.82(f) for businesses) is triggered.

  2. Risk classification — The California Department of Technology (CDT) Security Framework, aligned with NIST SP 800-37 Risk Management Framework, requires state agencies to classify systems as low, moderate, or high impact. Classification at each gate determines which control baselines apply and which approval chains are mandatory.

  3. Vendor and third-party assessment — The California Privacy Rights Act (CPRA), enforced by the California Privacy Protection Agency (CPPA), requires businesses to conduct risk assessments before sharing personal data with service providers. This gate is triggered by any new data-sharing relationship involving sensitive personal information.

  4. Incident severity triage — California Government Code §11549.3 tasks the California Department of Technology's Office of Information Security (OIS) with coordinating state agency incident response. The severity triage gate classifies incidents across a five-level scale, from minor anomalies to critical infrastructure events, and routes response authority accordingly.

The contrast between Tier 1 (self-contained) incidents and Tier 4–5 (cross-agency) incidents matters in practice: Tier 1 events may be handled within a single agency's IT security team, while Tier 4–5 events require mandatory OIS notification within one hour under CDT Policy SIMM 5310-A.


Review and Approval Stages

After a decision gate routes an issue for action, the review and approval process begins. For California state agencies, CDT SIMM 5305-A establishes a structured security plan review cycle requiring formal approval from the agency Information Security Officer (ISO) and, for high-impact systems, CDT OIS sign-off before production deployment.

For private-sector entities subject to CPRA, California Cybersecurity Terminology and Definitions clarifies that a "cybersecurity audit" — now required annually for businesses that meet CPPA-defined thresholds — must be reviewed by a qualified independent auditor and submitted to the CPPA upon request. The CPPA's proposed regulations (first released in draft form in 2023) specify that audit scope must cover administrative, technical, and physical safeguards.

For IoT device manufacturers operating under SB-327 (codified at California Civil Code §1798.91.04–.06), the review stage involves verifying that each device ships with a unique pre-programmed password or a mechanism requiring the user to generate a new means of authentication before access is granted. This review must occur at product release, not retroactively.


What Triggers the Process

Triggering conditions fall into three broad categories:

The California Cybersecurity Incident Response Protocols page details the specific procedural steps that follow incident-based triggers.


Exit Criteria and Completion

A cybersecurity process in California is considered complete when all of the following conditions are documented and verifiable:

  1. All affected parties have been notified within statutory deadlines, with notification records retained per Cal. Civ. Code §1798.82 requirements.
  2. Risk findings from the triggering event or audit have been formally accepted, mitigated, or transferred, with written sign-off from the designated ISO or equivalent authority.
  3. Remediation controls have been tested and validated against the applicable baseline — NIST SP 800-53 Rev 5 for state agencies, or the CIS Controls framework where adopted by policy.
  4. Regulatory submissions required by the CPPA, CDT, or the California Attorney General's office have been filed and confirmed received.
  5. A lessons-learned record has been created and incorporated into the next planning cycle, as required under CDT SIMM 5310-A for state entities.

For entities seeking the broader compliance landscape that informs these exit requirements, the home authority provides cross-framework context, and the Regulatory Context page maps the agency and statutory sources behind each criterion.
