California Statewide Information Management Manual (SIMM) 5300, Complete Guide, 2025

SaltyCloud Research Team

Updated Sep 15, 2025

In California, the Statewide Information Management Manual (SIMM) 5300 series is one of the most important yet least understood information security resources available today.

Most of the confusion surrounding § 5300 can be attributed to confidentiality. Because it contains sensitive information about specific security controls for compliance, SIMM 5300-A is not publicly available online.

This guide explains what SIMM 5300 is, why it matters, how it connects to California law, and what agencies need to know to actually apply it in practice.

What Is SIMM 5300?

CA SIMM 5300 is the control framework and implementation guide for California’s information security requirements. It turns the policy set by statewide cybersecurity laws like the State Administrative Manual (SAM) into step-by-step action.

SIMM § 5300 includes:

  • SIMM 5300-A
  • SIMM 5300-B
  • SIMM 5300-C
  • SIMM 5300 Supporting Documentation

The 5300 series is an important frontline defense against threats that could disrupt services or expose millions of California residents’ personal data. But, for many organizations, it’s also a compliance requirement.

What Is the California Statewide Administrative Manual (SAM)?

The SAM is the official statewide policy manual for California’s executive branch. It specifies the actions that agencies must take to comply with statutory standards, covering everything from General Policy in Chapter 100 to the Auditing of State Agencies in Chapter 20000.

What is SAM 5300?

In Chapter 5300, Information Technology – Office of Information Technology, the SAM sets statewide information security policies for covered entities. Its sections articulate Information Security Program (§ 5305), Risk Management (§ 5305.6), Risk Assessment (§ 5305.7), and Privacy (§ 5310) requirements, among others.

In Section 5300.5, Minimum Security Controls, the SAM identifies National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 as the minimum information security control requirements to support implementation and compliance with the Federal Information Processing Standards (FIPS).

What is the California Statewide Information Management Manual (SIMM)?

The Statewide Information Management Manual provides the standards, instructions, forms, and templates created to help agencies comply with the SAM. SIMM Section 5300 contains resources to comply with the statewide Information Technology policy specifically.

Essentially, it’s the tailored implementation guide for NIST SP 800-53: it helps organizations implement security controls and helps regulators enforce their standardization across California state government.

What Is SIMM 5300 Compliance?

Complying with SIMM 5300 means following the instructions laid out across the standards, forms, and templates that comprise the state’s Information Technology (IT) policy. However, not all organizations need to comply with SIMM § 5300.

Who Must Comply with SIMM 5300?

California state entities and state agencies must comply with SIMM 5300. More specifically, compliance requirements apply to:

  • Any California state office, department, division, or bureau.
  • California State University systems.
  • The Board of Parole Hearings.
  • Any board or other professional licensing and regulatory body under the Department of Consumer Affairs.

The University of California system is excluded unless its Regents voluntarily adopt the standards.

Likewise, local governments are not legally required to follow SAM/SIMM. However, many adopt state practices voluntarily to improve resilience and coordination.

To align with SIMM 5300, local governments can:

  • Use Cal-Secure as a roadmap. Apply statewide priorities (e.g., Zero Trust, workforce development, resilience) to shape local strategies.
  • Join Cal-CSIC programs. Participate in state-led threat intelligence sharing and incident coordination (Gov. Code §§8592.35–8592.45).
  • Adopt CSF-based assessments. Voluntarily use NIST CSF–aligned tools like SIMM 5300-C to benchmark and track cybersecurity maturity.
  • Align privacy & breach protocols. Follow Civil Code §1798.29 for breach notification to keep local processes consistent with state standards.

What Are California’s Information Security Requirements?

Together, the following laws make cybersecurity mandatory for covered entities in the state of California:

§ 11545-11546.45: Established the California Department of Technology (CDT) within the Government Operations Agency, led by the State Chief Information Officer (CIO); gives the CDT authority over enterprise IT governance, statewide policies, project oversight, and enterprise architecture; requires every agency to designate a CIO and an Information Security Officer (ISO) to enforce accountability at the agency level.

§ 11549-11549.4: Established the Office of Information Security (OIS) within CDT, under which the State Chief Information Security Officer (CISO) must:

  • Publish statewide security and privacy policies in the SAM.
  • Oversee agency ISOs.
  • Direct disaster recovery planning and testing.
  • Require independent security assessments for NIST SP 800-53, FIPS 199, and FIPS 200.
  • Collect annual compliance certifications under SIMM 5330-B.

§ 8592.30-8592.50: Established the California Cybersecurity Integration Center (Cal-CSIC), housed in Cal OES; initially created by EO B-34-15 and later codified in law; coordinates statewide cyber incident response, information sharing, and critical infrastructure defense.

Privacy and Breach Notification

Civil Code § 1798 (the Information Practices Act of 1977) establishes baseline privacy requirements for state agencies handling personal data.

Civil Code § 1798.29 requires state agencies to notify affected individuals and the California State Attorney General after a breach.

Penal Code § 502 makes unauthorized system access a crime, providing an additional legal backstop.

How Is Cybersecurity Compliance Enforced in California?

California takes a multi-agency approach to enforcing its statewide cybersecurity requirements. It divides authority among technology leaders, statewide security offices, emergency managers, and law enforcement partners.

However, most oversight sits with the California Department of Technology (CDT), the State Chief Information Officer (CIO), and the Office of Information Security (OIS).

The CDT and State CIO

Under Gov. Code §§11545–11546.4, the California Department of Technology and State CIO use SAM/SIMM policies and oversight reviews to ensure agency compliance for IT projects, enterprise architecture, and statewide information security programs.

The OIS and Statewide CISO

The Office of Information Security and Statewide CISO publish statewide cybersecurity policies in SAM under Gov. Code §§11549-11549.4. Tools available for compliance include:

  • SIMM 5330-B: Compliance Certification
  • Independent Security Assessments (ISAs): Required for agencies to validate the implementation of NIST SP 800-53 and FIPS standards.

Cal-CSIC and the Cal OES

The California Cybersecurity Integration Center and the California Office of Emergency Services (Cal OES) lead statewide incident response and cyber threat intelligence. Under EO B-34-15 and Gov. Code §§8592.30-8592.50, they support state and local government agencies through the Cal-Secure strategy and mandatory incident reporting.

Law Enforcement Partners

Multiple law enforcement agencies assist with enforcing California’s cybersecurity requirements, under Civil Code §1798.29 (breach notification) and Penal Code §502 (computer crime):

  • The California Department of Justice and the California Highway Patrol enforce state privacy and cybercrime laws.
  • Federal partners like the FBI and DHS collaborate on investigations and national cyber threat intelligence sharing.

What Are SIMM 5300 Requirements?

SAM requires covered organizations to apply specific NIST SP 800-53 security and privacy controls.

Under SIMM 5300, agencies must:

  • Categorize IT systems based on sensitivity and risk.
  • Apply NIST SP 800-30 controls using specific parameters.
  • Measure security maturity using standardized assessments.
  • Document and manage risks in a statewide risk register.
  • Coordinate incident response according to state procedures.

SIMM 5300 Forms

Some SIMM 5300 forms are publicly accessible, and some aren’t. Here’s a closer look at each CA SIMM § 5300 form, whether it’s confidential or not, and a brief explanation of why.

SIMM 5300-A (Confidential)

CA SIMM Section 5300-A sets California-specific rules for each NIST SP 800-53 control to help agencies and vendors secure state systems. It covers key areas like:

  • Encryption for data at rest and in transit
  • Authentication and access controls by user role
  • Minimum logging and monitoring for critical systems
  • Configuration baselines for servers, endpoints, and networks
  • Incident response procedures and defensive measures

However, because it contains specific details about security controls, SIMM 5300-A is confidential and only available to authorized state personnel or approved vendors under NDA.

SIMM 5300-B (Public)

The California SIMM 5300-B outlines a structured approach to statewide cybersecurity priorities, with 30 key security objectives across multiple domains. Those domains include:

  • Application Security: Secure development, patching, and code review.
  • Contingency Planning: Business continuity and disaster recovery.
  • Change and Configuration Management: Standardized system updates.
  • Data Security: Encryption, classification, and access controls.
  • Security Governance: Policies, risk management, and oversight.
  • Endpoint Security: Device hardening, monitoring, and incident response.
  • Identity and Access Management: Authentication, authorization, and role-based controls.
  • Mobile Security: Secure device management and policy enforcement.
  • Security Analytics and Continuous Monitoring: Event logging, threat detection, and SIEM.
  • Network Security: Firewalls, segmentation, and intrusion detection.
  • Physical Security: Protecting infrastructure and sensitive areas.
  • Vulnerability Management: Scanning, remediation, and tracking weaknesses.

To support transparency, SIMM 5300-B publishes the public Foundational Framework mapped to NIST domains.

SIMM 5300-C (Public)

Section 5300-C of the SIMM is the statewide assessment tool that aligns with NIST Cybersecurity Framework (CSF) functions to help agencies evaluate maturity and track progress. Its key functions include:

  • Identify: Governance, system, and data categorization, risk assessment, and vulnerability scanning.
  • Protect: Account management, encryption, configuration baselines, and access controls.
  • Detect: Network and endpoint monitoring, anomaly detection, and logging.
  • Respond: Incident response plans, testing, and escalation procedures.
  • Recover: Technology Recovery Plans, disaster recovery testing, and remediation tracking.

SIMM 5300 Supporting Documents (Public)

The SIMM 5300 series also includes an extensive list of supporting resources that define requirements for security, privacy, risk management, and incident response.

The Complete SIMM 5300 Checklist for Agencies

Implementing SIMM 5300 means aligning governance, policies, technical controls, and evidence with statewide standards. The following checklist is a simple implementation guide for complying with CA SIMM 5300.

Confirm Scope and Roles

SIMM 5300 coverage depends on the statutory definitions of “state entities” (§11546.1) and “state agencies” (§11546.45.5(a)(6)(A)). Agencies must also designate and document leadership.

  • File CIO and ISO designations with SIMM 5300-A.
  • Update letters when personnel change.
  • Publish an information security charter per SAM ch. 5300.

Establish the Policy Baseline (SAM 5300)

Agencies must adopt statewide security policies covering governance, risk, and operations. These policies set the foundation for controls and oversight.

  • Cover domains including risk management, access, response, recovery, privacy, and vendors.
  • Map each policy to procedures, owners, and a review cadence.
  • Reference the California-specific NIST SP 800-53 baseline.

Implement the Control Baseline (NIST 800-53, FIPS 199/200)

Controls must align with federal standards and state-defined parameters. Documentation is mandatory for compliance validation.

  • Categorize systems using FIPS 199 and apply FIPS 200 minimums.
  • Implement and record controls in a System Security Plan (SSP).
  • Apply confidential SIMM 5300-A parameters.

Assess Maturity with SIMM 5300-C (2025)

SIMM 5300-C measures program maturity against NIST CSF functions. Agencies must collect evidence and plan remediation.

  • Complete the statewide workbook across Govern, Identify, Protect, Detect, Respond, and Recover.
  • Gather evidence artifacts listed in “Information Sources.”
  • Document gaps and remediation timelines in the POA&M.

Risk Management & POA&M (SIMM 5305)

Risk management is continuous and must be formally documented.

  • Maintain a risk register and POA&M with SIMM 5305-B and 5305-C.
  • Use SIMM 5305-F for generative AI risk assessments.
  • Review risks and update POA&M at least quarterly.

Incident Reporting and Coordination

Incident handling must align with statewide standards for escalation and reporting.

  • Define severity levels, timelines, and contact trees.
  • Test processes with tabletop exercises.
  • Submit incidents via Cal-CSIRS and coordinate with Cal-CSIC.

Technology Recovery Planning (TRP)

Recovery planning ensures continuity during major outages.

  • Develop a TRP using SIMM 5325-A and certify with SIMM 5325-B.
  • Test plans regularly and log corrective actions.
  • Align TRPs with Gov. Code §8592.35 incident response duties.

Training, Phishing, and Awareness

Training builds baseline security culture across all staff.

  • Deliver awareness training within 30 days of hire and annually thereafter.
  • Provide role-based training for privileged or specialized staff.
  • Conduct phishing simulations under SIMM 5320-A.

Privacy Requirements (SIMM 5310)

Agencies must protect personal information and support transparency.

  • Publish privacy statements under SIMM 5310-A and Gov. Code §§11015.5, 11019.9.
  • Process access requests with SIMM 5310-B.
  • Complete PTAs/PIAs using SIMM 5310-C for systems handling personal data.

Email and Cloud Security Baselines

Security baselines extend to hosted services and communications.

  • Implement the Email Threat Protections Standard (SIMM 5315-A).
  • Apply the Cloud Security Standard (SIMM 5315-B).
  • Incorporate requirements into vendor contracts and reviews.

Annual Certification (SIMM 5330-B)

Certification provides statewide accountability.

  • Submit the SIMM 5330-B compliance certification annually.
  • Attach a current POA&M (§11549.3(f)(4)).
  • Retain supporting evidence for audits.

Independent Security Assessments (ISAs)

Annual assessments validate technical and procedural controls.

  • Undergo OIS-directed ISAs; at least 35 entities annually (§11549.3(c)(2)(A)).
  • Ensure validation of NIST 800-53 and FIPS compliance.
  • Submit results and remediate findings to closure.

Project and Procurement Controls

Security must be embedded in project planning and contracts.

  • Integrate controls into all IT projects and procurements (§11546).
  • Use contract terms requiring incident reporting, TRP alignment, and evidence production.
  • Note CDT authority to suspend or terminate non-compliant projects.

Continuous Monitoring and Metrics

Metrics help track program effectiveness and inform leadership.

  • Define KPIs such as patch timelines, log retention, and identity hygiene.
  • Track California Cybersecurity Vulnerability Metric (CCVM) scores.
  • Review dashboards with leadership and adjust POA&Ms accordingly.

Documentation and Retention

Clear records are critical for compliance and audits.

  • Maintain policies, assessments, POA&Ms, TRPs, incident reports, and certifications.
  • Organize approvals and evidence systematically.
  • Follow retention requirements under the State Records Management Act.

The Complete SIMM 5300 Checklist for Vendors

Vendors supporting covered agencies must be able to prove that California state cybersecurity requirements are embedded directly into their services, contracts, and operations. Preparation activities fall into several key areas.

Confidential Access

Vendors often need access to sensitive state-defined control parameters in SIMM 5300-A. Access requires strict confidentiality.

  • Sign NDAs before reviewing confidential materials.
  • Maintain secure handling and limit distribution of state-provided parameters.

Standards Alignment

Vendors must demonstrate compliance with federal and state frameworks. Evidence should map clearly to required standards.

  • Show implementation of NIST SP 800-53 and FIPS 199/200.
  • Provide supporting documentation, such as control matrices or CSF-mapped reports.

Contractual Obligations

Contracts with California entities carry explicit cybersecurity requirements. Vendors must be prepared to accept and enforce them.

  • Include clauses for incident reporting and TRP alignment (Gov. Code §11546).
  • Ensure sub-vendors and partners accept the same contractual obligations.

Audit Readiness

Vendors must remain audit-ready with documentation mapped to SAM and SIMM requirements.

  • Maintain current POA&Ms, training records, and security assessment results.
  • Keep evidence organized to demonstrate compliance on request.

Cloud and Email Baselines

Baseline protections extend to common hosted services. Vendors must meet statewide minimums.

  • Implement SIMM 5315-A (Email Threat Protections) and SIMM 5315-B (Cloud Security Standard).
  • Apply these baselines consistently in subcontractor reviews and onboarding.

Why Use California SIMM 5300 Compliance Software?

Managing SIMM 5300 compliance with spreadsheets, PDFs, and scattered documents is inefficient and risky. State agencies must demonstrate alignment with SAM 5300 policy, implement NIST SP 800-53 controls with California-defined parameters, track maturity through SIMM 5300-C, and maintain evidence for OIS oversight and Cal-CSIC coordination.

Doing this manually creates three major problems:

  1. Fragmented oversight: Risk registers, vendor questionnaires, and recovery plans are spread across formats, making it difficult to prepare certifications like SIMM 5330-B or to respond to Independent Security Assessments.
  2. Static reporting: Without real-time visibility into security posture, compliance evidence is always out of date by the time it reaches CDT or OIS.
  3. Weak adoption: When CIOs and ISOs rely on ad hoc processes, staff participation is inconsistent, leaving compliance certifications incomplete or late.

A dedicated SIMM 5300 compliance platform solves these challenges. It centralizes assessment templates, inventories, risk registers, and reporting, allowing agencies to:

  • Run structured self-assessments aligned with SIMM 5300-C and NIST CSF functions.
  • Maintain system, vendor, and asset inventories required under FIPS 199, SIMM 5305, and SIMM 5315.
  • Generate audit-ready evidence packages for annual certifications and ISAs.
  • Track remediation through a live POA&M linked to SIMM risk management standards.

Isora GRC for California SIMM 5300 Compliance

Isora GRC is the GRC Assessment Platform™ purpose-built for security teams in regulated environments like California state agencies. Unlike legacy GRC suites that are slow to deploy or audit-automation tools that stop at evidence collection, Isora provides structured, usable workflows aligned to SIMM requirements.

How Isora GRC supports SIMM 5300 compliance:

Assessment Management

Run structured questionnaires mapped to SIMM 5300-C and SAM 5300 policies. Collect evidence, identify gaps, and generate POA&Ms that tie directly into SIMM 5305 requirements.

Inventory Management

Maintain up-to-date inventories of systems, vendors, and assets. Map each to FIPS 199 categories and SIMM control baselines, ensuring complete scope coverage.

Risk Register & POA&M Tracking

Document risks, assign remediation tasks, and update progress in a live collaborative register, making ISA preparation and SIMM 5330-B certification straightforward.

Reporting & Oversight

Produce real-time scorecards and compliance dashboards aligned with NIST CSF functions (Govern, Identify, Protect, Detect, Respond, Recover). Share audit-ready reports with CDT, OIS, and Cal OES.

For CIOs and ISOs, Isora GRC offers fast adoption and practical usability, ensuring SIMM 5300 requirements are operationalized across teams instead of being buried in documents. For CDT and OIS, it ensures agencies can provide consistent, evidence-based compliance certifications.

FAQs

How often is SIMM 5300 updated, and how should agencies track revisions?

SIMM 5300 is updated annually and sometimes multiple times per year by the California Department of Technology (CDT) and Office of Information Security (OIS). Updates reflect new statutory mandates, standards such as NIST SP 800-53 Rev. 5, and emerging risks like AI (SIMM 5305-F). Agencies must track revisions via CDT’s policy portal and maintain crosswalks in their compliance documentation to map changes into their POA&Ms.

What is the relationship between SIMM 5300 and the Cal-Secure strategy?

Cal-Secure (Gov. Code §§8592.30–8592.50) is California’s statewide cybersecurity strategy, emphasizing Zero Trust, workforce development, and critical infrastructure resilience. SIMM 5300 operationalizes Cal-Secure by embedding its priorities into control baselines, recovery requirements (SIMM 5325), vendor security standards (SIMM 5315), and maturity metrics (SIMM 5300-C). Agencies use SIMM as the compliance mechanism to prove alignment with Cal-Secure’s objectives.

How does SIMM 5300 interact with federal cybersecurity mandates like CISA directives?

California law (§11549.3(f)) requires agencies to implement NIST SP 800-53, FIPS 199, and FIPS 200. SIMM 5300 incorporates these baselines and adds state-specific parameters in SIMM 5300-A. When CISA issues Binding Operational Directives (BODs) or emergency mandates, OIS integrates them into SIMM or related standards (e.g., SIMM 5345-A for vulnerability management), ensuring state compliance with federal priorities.

What common challenges do California agencies face when implementing SIMM 5300?

Agencies often struggle with keeping accurate system inventories, completing the SIMM 5300-C maturity workbook with full evidence, and coordinating incident reporting through Cal-CSIRS. Vendor contracts may also lag behind SIMM 5315 security standards. Agencies using spreadsheets or manual tracking frequently miss SIMM 5330-B certification requirements because documentation is incomplete or inconsistent.

What are the penalties or consequences for agencies that fail to comply with SIMM 5300 requirements?

Under Gov. Code §11549.3(c)(2)(A), at least 35 entities undergo ISAs annually, and findings are reported to OIS and Cal OES. Non-compliance can result in CDT suspending or terminating IT projects (§11546), increased audit oversight, and mandatory corrective actions in SIMM 5330-H (Compliance & Enforcement). Agencies that fail to remediate may face reporting to the Joint Legislative Budget Committee (JLBC) within 30 days.

How can agencies prepare for annual compliance certifications under SIMM 5330-B?

SIMM 5330-B requires a signed Information Security & Privacy Program Compliance Certification with an updated POA&M. Agencies should:

  • Complete SIMM 5300-C maturity metrics across Govern, Identify, Protect, Detect, Respond, Recover.
  • Submit current TRP certification (SIMM 5325-B).
  • Ensure risk registers (SIMM 5305-C) and privacy assessments (SIMM 5310-C) are current.
  • Maintain evidence packages for audit readiness, as CDT validates submissions against NIST SP 800-53.

How should agencies document and retain evidence to support SIMM 5300 compliance?

Agencies need organized records like System Security Plans (SSPs), Technology Recovery Plan (TRP) certifications, incident reports through Cal-CSIRS, and annual training logs. Privacy impact assessments (SIMM 5310-C) and risk registers (SIMM 5305-C) must be current. All evidence must be retained under the State Records Management Act and be audit-ready for CDT and OIS reviews.
