California and StateRAMP
The California Department of Technology (Department of Technology) has established a process whereby agencies and state entities can acquire Commercial-off-the-Shelf (COTS) software and Cloud Software-as-a-Service (SaaS) products (some exemptions apply), provided that the agency or state entity Information Security Officer (ISO) certifies that auditable and traceable artifacts exist to support compliance. Government Code Section 11545 requires the Department of Technology to develop an annual California IT Strategic Plan that guides the acquisition, management, and use of Information Technology (IT). Per State Administrative Manual (SAM) Section 4819.34, information regarding the acquisition of COTS software and SaaS solutions must be submitted to the Department of Technology. However, this authority can be delegated to individual agencies provided that the system qualifies.
- California requires that each state entity use FIPS 199 and National Institute of Standards and Technology (NIST) Special Publication SP 800-53 in the planning, development, implementation, and maintenance of its information security program.
- California's Chief Information Security Officer has also adopted additional standards and procedures to address more specific requirements or needs unique to California. These additional standards are referenced in the applicable policy section and maintained in the Statewide Information Management Manual (SIMM).
- Organizations providing technology products to the state are required to ensure that their security control selections and tailoring, at a minimum, comply with the State-defined Security Parameters for NIST SP 800-53 (SIMM 5300-A), and that the prioritization of their information security program development and implementation aligns with the Foundational Framework for Information Security (SIMM 5300-B). (SIMM 5300-A is limited-distribution and can be requested via your CDT account lead.)
- SAM Section 5100 requires state entities to use the American National Standards Institute (ANSI) and the FIPS standards in their information management planning and operations.
Implementation Controls: ANSI; FIPS; NIST SP 800-53; SIMM 5300-A (limited distribution); SIMM 5300-B
Governing Provisions: Government Code Section 11545; SAM Section 4819.34; SAM Section 5100