WATCHUR6 // CALIFORNIA SAM-5300 // AUDIT READINESS

California state entities must certify annually.
Contractors servicing state agencies inherit the requirements.

State Administrative Manual Chapter 5300 is California's executive branch policy authority for information security — binding every state agency, department, division, bureau, board, and commission defined in Government Code § 11546.1. The Statewide Information Management Manual (SIMM) 5300 series is the implementation backbone — California's specific application of NIST SP 800-53 Rev 5 with state-defined security parameters confidentially documented in SIMM 5300-A.

The Office of Information Security within the California Department of Technology administers compliance under Government Code §§ 11545-11549.4. State entities sign an annual SIMM 5330-B certification attesting to program compliance, the artifact OIS examines as the record of compliance. 2025-2026 has been an active update cycle, with Technology Letters introducing new standards for phishing exercises, continuous security monitoring, MITRE ATT&CK Framework adoption, and refreshed Zero Trust Architecture guidance.

For California state IT contractors, SAM-5300 / SIMM 5300 is a flow-down obligation through state contracts. CMAS holders carry these obligations as standing capability requirements, demonstrable on contract performance and in DGS reviews. WatchUr6 holds CMAS contract #3-25-06-1018, the operator credentials California state contracting expects.

Book a SAM-5300 Strategy Call
SAM CH. 5300 / SIMM 5300 SERIES · NIST 800-53 + CA TAILORING · CMAS #3-25-06-1018 · SDVOSB / DVBE / VETERAN-LED

// THE OIS OVERSIGHT REALITY

SIMM 5300 is just NIST 800-53 with California branding.
It's NIST 800-53 with California-specific parameters, a confidential parameter set, and an annual OIS-examined certification.

California's state cybersecurity regime is structurally distinctive in three ways that organizations new to SAM-5300 / SIMM 5300 frequently underestimate. First, the document hierarchy: SAM Chapter 5300 (Department of General Services policy) sits above SIMM 5300 (Department of Technology / Office of Information Security implementation), and the SIMM series itself splits into a public framework (SIMM 5300-B), a confidential California-specific parameter set (SIMM 5300-A), a maturity assessment (SIMM 5300-C), and a portfolio of operational standards (SIMM 5340-5360). The full picture only resolves once all the documents are read in their dependency order.

Second, the California-specific parameters in SIMM 5300-A are confidential. State entities receive them through their authorized Office of Information Security relationship; contractors with appropriate engagement receive them via the contracting state entity. This is operationally different from a generic NIST 800-53 implementation: California parameters define specific values for assignment statements, frequency requirements for periodic activities, and scope specifications that diverge from default NIST 800-53B baselines. Organizations that bring a generic NIST 800-53 implementation to a California state engagement typically discover late that their controls do not satisfy the SIMM 5300-A parameters.

Third, the 2025-2026 update cadence has been active. Technology Letter 25-03 (June 2025) introduced SIMM 5320-A Phishing Exercise Standard. Technology Letter 25-04 (August 2025) introduced SIMM 5335-B Continuous Security Monitoring and SIMM 5335-C MITRE ATT&CK Framework. SIMM 5350-A Zero Trust Architecture was updated January 2026 with the SIMM 5350-B Roadmap (Dec 2025). SIMM 5340-A Incident Response was updated February 2026. SIMM 5330-A Designation Letter was updated April 2026. 2026 SIMM 5330-B certifications must reflect implementation of (or documented POA&Ms toward) these new and refreshed standards.

For contractors, the implication is that contractor gaps flow up into the state entity's annual SIMM 5330-B certification — meaning the contractor's security posture is operationally part of the state entity's compliance attestation. For state entities, the implication is that contractor selection has real compliance consequences and CMAS contracts with operators carrying demonstrable SIMM 5300 maturity reduce the entity's own certification risk.

// THE FOUR IMPLEMENTATION LAYERS

Policy. Framework. Controls. Annual Certification.

SAM-5300 / SIMM 5300 operates as four stacked implementation layers. SAM Chapter 5300 is the policy authority. SIMM 5300-B is the Foundational Framework agencies prioritize against. SIMM 5300-A is the California-specific NIST 800-53 parameter tailoring. The SIMM 5340–5360 series is the operational standards portfolio. All four roll up into the annual SIMM 5330-B certification — the artifact OIS actually examines.

The SIMM 5330-B Annual Certification + Foundational Framework pillar is the structural center of the program — the Foundational Framework drives how agencies prioritize the work, and the annual certification is what they attest to having done.

// LAYER 01 // SAM CHAPTER 5300

SAM Policy Authority

The State Administrative Manual Chapter 5300 — California's executive branch policy authority, owned by the Department of General Services. Establishes the top-level policy requirement that state entities maintain an information security program aligned with statewide standards.

Source: GC §§ 11545-11549.4 statutory authority. SAM Section 5100 + 5300 + 5320 set policy. The legal-policy anchor that gives the program enforceability.

Owner: DGS
Authority: Statutory (GC)
Scope: All state entities

// LAYER 02 // SIMM 5300-A

NIST 800-53 + CA Tailoring

SIMM 5300-A is California's confidential security parameter set for NIST SP 800-53 Rev 5 controls. Defines California-specific parameter values for assignment statements, frequency requirements, and scope specifications that diverge from default NIST 800-53B baselines.

Confidentiality: not publicly available. State entities receive through OIS relationship; contractors via the contracting state entity. Generic NIST 800-53 implementations don't automatically satisfy SIMM 5300-A.

Owner: CDT / OIS
Status: CONFIDENTIAL
Baseline: NIST 800-53 Rev 5 + 800-53B

// LAYER 03 // SIMM 5300-B + 5330-B STRUCTURAL CENTER

Foundational Framework + Annual Certification

The structural center. SIMM 5300-B is California's Foundational Framework, the prioritization framework agencies use to sequence security program development. SIMM 5330-B is the annual Information Security and Privacy Program Compliance Certification, the artifact OIS examines as the record of compliance.

Failure mode: incomplete SIMM 5330-B submissions, undocumented POA&Ms, or non-response to OIS Technology Letters in the reporting period. The certification cycle is where compliance is operationally evaluated.

Framework: SIMM 5300-B (public)
Certification: SIMM 5330-B annual
Schedule: SIMM 5330-C (Apr 2026)

// LAYER 04 // SIMM 5340-5360

Operational Standards Portfolio

The SIMM 5340–5360 series — California's specific operational standards layered on top of tailored NIST 800-53. Incident response (SIMM 5340-A), vulnerability management (SIMM 5345-A), Zero Trust Architecture (SIMM 5350-A + 5350-B Roadmap), endpoint protection (SIMM 5355-A), telework/MFA (SIMM 5360 series), and more.

2026 updates: SIMM 5340-A IR (Feb 2026), SIMM 5350-A ZT (Jan 2026), SIMM 5350-B Roadmap (Dec 2025), SIMM 5320-A Phishing (Jun 2025), SIMM 5335-B ConMon + 5335-C MITRE ATT&CK (Aug 2025).

Coverage: 15+ operational standards
Cadence: Tech Letters quarterly
2025-26: Active update cycle

// THE SIMM 5300 COMPLIANCE LIFECYCLE

Six stages, annual cycle. From designation to OIS certification.

The SIMM 5300 lifecycle operates on an annual certification cadence with the maturity assessment running underneath. Amber milestones mark the two recurring external accountability moments: the SIMM 5300-C maturity assessment (the structured measurement of program maturity OIS uses to evaluate progress) and the SIMM 5330-B annual certification (the artifact-of-record the Office of Information Security examines).

DESIGNATION

SIMM 5330-A CISO + ISO Designation

WEEK 1–3

CISO and Information Security Officer designation letters authored per SIMM 5330-A (updated April 2026). Scope determined: covered systems, data classifications, contractor flow-downs.

FRAMEWORK

Foundational Framework Application

MONTH 1–2

SIMM 5300-B Foundational Framework applied to the entity's information security program. Prioritization sequence established. POA&M baseline drafted against current state.

CONTROLS

NIST 800-53 Controls + SIMM 5300-A Tailoring

MONTH 2–6

NIST SP 800-53 Rev 5 controls implemented with California-specific parameters from SIMM 5300-A. Operational standards layered: IR (5340-A), Vuln Mgmt (5345-A), Zero Trust (5350-A/B), ConMon (5335-B), MITRE ATT&CK (5335-C).

MATURITY

SIMM 5300-C Maturity Assessment

MONTH 6–8

Structured maturity assessment per SIMM 5300-C. Program scored against the Foundational Framework. Findings documented; POA&Ms updated. External accountability moment.

CERTIFY

SIMM 5330-B Annual Certification

ANNUAL

SIMM 5330-B Information Security and Privacy Program Compliance Certification signed by the CISO and submitted per the SIMM 5330-C schedule. Independent and constitutional offices use SIMM 5330-F. Artifact of record for OIS.

CONTINUOUS

Tech Letter Cadence + Contractor Mgmt

CONTINUOUS

OIS Technology Letters monitored and actioned (TL 25-03 Phishing, TL 25-04 ConMon + MITRE). Contractor flow-down compliance verified. SIMM updates tracked. POA&Ms refreshed continuously.

BLUE NODES = designation, framework application, controls implementation, and continuous operations (WatchUr6-led)  ·  AMBER NODES = the two external accountability moments. The maturity assessment is the structured measurement OIS uses to evaluate progress. The annual SIMM 5330-B certification is the artifact OIS examines as the record-of-record for SAM 5300 compliance.

// THE SAM-5300 / SIMM 5300 ENGAGEMENT MODEL

Six services. Three phases. One annual certification.

SAM-5300 / SIMM 5300 engagements are structured around the annual certification cadence: scoping and CISO designation first; controls implementation and operational standards in the middle; maturity assessment, SIMM 5330-B certification, and contractor flow-down management at the end. WatchUr6's CMAS #3-25-06-1018 anchors the operator credentials; the engagement team works both sides — state entities preparing for the annual OIS examination, and contractors satisfying flow-down obligations.

// PHASE 01

Scoping & Designation

APPLICABILITY · CISO · ISO DESIGNATION

// 01 // APPLICABILITY

Applicability & Statutory Scope Analysis

The first strategic step. For state entities: confirm coverage under Government Code § 11546.1, document the entity's organizational structure, identify the data classifications and systems in scope. For contractors: identify the specific state contracts driving flow-down obligations, the agencies and CMAS terms involved, the scope of services subject to SIMM 5300 requirements.

Statutory and policy anchor documented: GC §§ 11545-11549.4, SAM Section 5100 / 5300 / 5320 authority, applicable Technology Letters in force.

Output: an Applicability Memorandum that anchors the SIMM 5330-B certification scope.

// INCLUDES

COVERAGE ANALYSIS · STATUTORY ANCHOR · DATA CLASSIFICATION · CONTRACT INVENTORY · FLOW-DOWN MAP

// 02 // DESIGNATION

CISO + ISO Designation Letter (SIMM 5330-A)

SIMM 5330-A Designation Letter authored per the April 2026 refresh, with reference to SIMM 5330-D Designation Letter Instructions (May 2025). CISO designated; Information Security Officer designated; specific responsibilities documented including the SIMM 5330-B annual certification authority.

For state entities operating without a dedicated CISO function, designation can be supported through a service-provider Information Security Officer arrangement — an operational structure analogous to vCISO models in GLBA Qualified Individual designation. WatchUr6's veteran-led senior leadership can fill these designated roles when that's the right structural fit.

// INCLUDES

SIMM 5330-A LETTER · CISO DESIGNATION · ISO DESIGNATION · RESPONSIBILITY MAP · vCISO/ISO OPTION

// PHASE 02

Controls Implementation

FOUNDATIONAL FRAMEWORK · 800-53 · OPERATIONAL STANDARDS

// 03 // FRAMEWORK + 800-53

Foundational Framework + Tailored NIST 800-53

SIMM 5300-B Foundational Framework applied to sequence the program priorities. NIST SP 800-53 Rev 5 controls implemented with California-specific parameters from SIMM 5300-A (received via OIS or contracting state entity for confidential parameter access).

For organizations bringing existing NIST 800-53 maturity (~85% transfer): the work concentrates on the California parameter tailoring, the assignment statement value alignment, the frequency requirements specific to California. For cold-start entities: the full NIST 800-53 baseline implementation under California tailoring.

// INCLUDES

SIMM 5300-B FRAMEWORK · 800-53 IMPLEMENTATION · CA PARAMETER TAILORING · POA&M BASELINE · CONTROL EVIDENCE

// 04 // OPERATIONAL STANDARDS

SIMM 5340-5360 Operational Standards Portfolio

The operational standards layered on top of tailored NIST 800-53: incident response (SIMM 5340-A, Feb 2026), personal information breach response (SIMM 5340-C), vulnerability management (SIMM 5345-A), Zero Trust Architecture (SIMM 5350-A Jan 2026 + 5350-B Roadmap Dec 2025), endpoint protection (SIMM 5355-A), server hardening (SIMM 5355-B), telework/remote access (SIMM 5360-A), MFA standards (SIMM 5360-C/D).

Plus the 2025 additions: phishing exercise program (SIMM 5320-A Jun 2025), continuous security monitoring (SIMM 5335-B Aug 2025), MITRE ATT&CK Framework adoption (SIMM 5335-C Aug 2025), email threat protections (SIMM 5315-A May 2025).

// INCLUDES

IR (5340-A) · ZT (5350-A/B) · CONMON (5335-B) · MITRE ATT&CK (5335-C) · PHISHING (5320-A)

// PHASE 03

Certification & Sustainment

MATURITY · SIMM 5330-B · CONTRACTOR MGMT

// 05 // MATURITY + CERT

SIMM 5300-C Maturity Assessment + SIMM 5330-B Annual Certification

SIMM 5300-C structured maturity assessment performed. Program scored against the Foundational Framework. Findings logged; POA&Ms refreshed against current state. Material gaps documented for the annual certification.

SIMM 5330-B Annual Information Security and Privacy Program Compliance Certification authored. CISO signature obtained. POA&Ms attached. Submitted per the SIMM 5330-C reporting schedule (updated April 2026). Independent and constitutional offices use SIMM 5330-F. The artifact-of-record for the Office of Information Security.

// INCLUDES

SIMM 5300-C MATURITY · POA&M REFRESH · SIMM 5330-B AUTHORING · CISO ATTESTATION · OIS SUBMISSION

// 06 // TECH LETTER + CONTRACTOR

Technology Letter Cadence + Contractor Flow-Down Management

OIS Technology Letters monitored and actioned as issued: Tech Letter 25-03 (June 2025) Phishing; Tech Letter 25-04 (August 2025) Continuous Security Monitoring + MITRE ATT&CK. New letters trigger gap analysis, remediation, and POA&M updates feeding the next SIMM 5330-B.

Contractor flow-down management: for state entities, contractor security posture verified against contracted scope; gaps escalated. For contractors, the entity's flow-down obligations satisfied with evidence trail. Privacy Threshold Assessments and Privacy Impact Assessments (SIMM 5310-C, updated Feb 2026) authored for new systems.

// INCLUDES

TECH LETTER WATCH · GAP REMEDIATION · CONTRACTOR OVERSIGHT · PRIVACY ASSESSMENTS · EVIDENCE TRAIL

// CONNECTED INTELLIGENCE

SIMM 5300 sits on NIST 800-53. The operational layer keeps the certification defensible.

SIMM 5300 is California's tailored application of NIST 800-53. Most engagements connect to NIST 800-53 as the underlying control catalog, NIST CSF 2.0 as the structural framework (explicitly referenced in SIMM 5330-H), and the operational cybersecurity capability that keeps the annual certification defensible year over year. For California state contractors, the practice connects to the CMAS engagement model that anchors state contracting.

// PARENT SERVICE

Audit Readiness

SAM-5300 / SIMM 5300 is one framework inside Audit Readiness. California state entities and contractors typically need at least one alongside — NIST 800-53 as the underlying catalog, NIST CSF 2.0 as the alignment framework, and the broader portfolio for organizations also serving federal or commercial customers.

The operator who runs your SAM-5300 engagement is the same operator who would represent you in NIST 800-53, NIST CSF, or any federal audit work — with full crosswalk reuse.

Audit Readiness Brief

// UNDERLYING CATALOG

NIST 800-53

NIST SP 800-53 Rev 5 is the underlying control catalog SIMM 5300 is built on. ~85%+ direct transfer of control content. The California-specific work concentrates on parameter tailoring (SIMM 5300-A), Foundational Framework prioritization (SIMM 5300-B), and the operational standards layered on top.

Organizations holding both federal ATOs and California state engagements often run a unified 800-53 program with both federal baselines and California tailoring applied.

NIST 800-53 Brief

// OPERATIONAL LAYER

Cybersecurity-as-a-Service

SIMM 5330-B certification is the annual attestation. Sustained compliance is operational: continuous security monitoring (SIMM 5335-B), MITRE ATT&CK-aligned detection (SIMM 5335-C), Zero Trust roadmap execution (SIMM 5350-B), incident response readiness (SIMM 5340-A), phishing exercises (SIMM 5320-A).

Cybersecurity-as-a-Service runs the year-round cadence that keeps the OIS-examined certification defensible.

Cybersecurity Brief

// THE NUMBERS

SAM-5300 / SIMM 5300 by the numbers.

4–6 MO

Cold Start to First SIMM 5330-B

Applicability through Foundational Framework application, controls implementation, maturity assessment, and first annual certification. With existing NIST 800-53: 8–12 weeks. With NIST CSF 2.0 Tier 3+: 10–14 weeks.

Annual recertification thereafter on the SIMM 5330-C schedule.

15+ / 2025-26

Operational Standards / Active Updates

15+ standards in the SIMM 5340-5360 portfolio. 2025-2026 introduced Phishing (5320-A), Continuous Monitoring (5335-B), MITRE ATT&CK (5335-C); refreshed ZT, IR, Designation, Privacy Assessments.

Tech Letter cadence drives ongoing program evolution.

CMAS #3-25-06-1018

Operator Credentials

California Multiple Award Schedule contract. CAGE 9CQZ9. SDVOSB / DVBE / SBE / Minority Owned. SAM-registered.

The operator credentials California state contracting expects from a SAM-5300 readiness partner.

// THE OPERATOR TEAM

Fortune 500 senior CISO leads applicability analysis under GC §§ 11545-11549.4, CISO designation strategy under SIMM 5330-A, Foundational Framework application, and Office of Information Security relationship management. CISSP-credentialed cloud architect engineers NIST 800-53 Rev 5 controls under SIMM 5300-A California parameter tailoring, with specialization in the 2025-2026 priority areas: Zero Trust Architecture (SIMM 5350-A/B), Continuous Security Monitoring (SIMM 5335-B), MITRE ATT&CK adoption (SIMM 5335-C), and Incident Response (SIMM 5340-A).

The Information Security Officer role can be filled by our team as a service-provider ISO arrangement when that's the right structural fit. Army Special Forces communications sergeant (Green Beret, 18B/18C) leads operational standards implementation across the SIMM 5340-5360 portfolio, contractor flow-down management, and SIMM 5300-C maturity assessment coordination. Naval Special Warfare veteran runs the annual SIMM 5330-B authoring cycle, the Technology Letter watch, and the contractor evidence trail the state entity certification depends on.

CMAS #3-25-06-1018 · CAGE 9CQZ9 · SDVOSB · DVBE · SBE · Minority Owned · SAM-registered · veteran-led. The operator credentials California state contracting expects.

// SELF-QUALIFICATION CHECK

Does SAM-5300 / SIMM 5300 actually apply to you?

Three quick questions: whether you're covered (state entity or contractor), when you'd need certification by, and how much of the work reuses from frameworks you already run.

// 01 // APPLICABILITY

Are you covered by SAM-5300?

Coverage runs two ways: directly to California state entities, and through flow-down to IT contractors serving state agencies.

  • You're a California state entity — agency, department, division, bureau, board, or commission per GC § 11546.1.
  • You're an independent or constitutional office — covered via parallel SIMM 5330-F certification.
  • You're a California IT services contractor with state contracts that include SAM-5300 / SIMM 5300 flow-down clauses.
  • You're a CMAS holder — the obligations sit as standing capability requirements demonstrable on contract performance.
  • You're a subcontractor under a state-contract IT services prime — flow-down obligations frequently extend through the chain.

// 02 // TIMING

When do you need certification by?

SAM-5300 / SIMM 5300 is annual for state entities. For contractors, the deadline is whichever comes first.

  • Your annual SIMM 5330-B cycle — the reporting schedule in SIMM 5330-C (Apr 2026) sets the deadline.
  • A new Technology Letter from OIS requiring program updates within a defined response window.
  • An upcoming state contract bid where SAM-5300 / SIMM 5300 capability evidence is required.
  • A DGS contract compliance review on a CMAS or master contract relationship.
  • An incident response trigger requiring SIMM 5340-A reporting and SIMM 5340-C personal information breach response.

// 03 // FRAMEWORK LEVERAGE

What if you already run another framework?

SIMM 5300 is California's specific application of NIST 800-53 plus operational standards. Existing federal frameworks transfer substantially.

  • NIST SP 800-53 : ~85%+ direct transfer. The underlying catalog is identical; California work concentrates on parameter tailoring and operational standards.
  • NIST CSF 2.0 : ~75% structural alignment. SIMM 5330-H explicitly references the Govern function; Identify/Protect/Detect/Respond/Recover map directly.
  • FedRAMP : ~65% overlap. Federal cloud authorizations transfer significantly; California-specific parameters and SIMM operational standards are net-new.
  • ISO 27001 : ~55% overlap. ISMS structure helps; NIST 800-53 mapping and California-specific tailoring are net-new.
  • SOC 2 : ~50% overlap on operational controls. Net-new: NIST 800-53 specifically, California tailoring, annual SIMM 5330-B mechanics.

// FREQUENTLY ASKED

The SAM-5300 / SIMM 5300 questions teams keep asking.

Does SAM-5300 / SIMM 5300 apply to us if we're not a California state agency?

Yes, if you are a contractor providing IT services to California state entities. The obligation reaches you through contract flow-down, not directly through regulation.

State Administrative Manual Chapter 5300 directly binds California state agencies, departments, divisions, bureaus, boards, and commissions as defined in Government Code § 11546.1. But state contracts routinely include flow-down clauses requiring contractors providing information technology services to comply with applicable SAM-5300 / SIMM 5300 requirements at the level of detail appropriate to the work being performed. The California Multiple Award Schedule (CMAS), master service agreements, and individual agency contracts all carry these obligations.

The practical implication for IT contractors is that their security program must demonstrate alignment with the California-specific NIST 800-53 parameters in SIMM 5300-A, the operational standards in the SIMM 5340-5360 series, and the annual certification cadence per SIMM 5330-B for the contracted scope of work.

For organizations holding CMAS contracts specifically, the SAM-5300 flow-down is a standing capability requirement that must be demonstrable on contract performance and during California Department of General Services contract compliance reviews.

WatchUr6 holds CMAS contract #3-25-06-1018, which positions us to operate both as a SAM-5300-compliant contractor and as a readiness partner for California state entities and other contractors carrying the same obligations.

What's the difference between SAM-5300, SIMM 5300, and the SIMM 5300-A / 5300-B / 5300-C documents?

Understanding the document hierarchy is essential because each layer plays a distinct role:

SAM Chapter 5300 is the policy authority. The State Administrative Manual is California's executive branch policy manual, owned by the Department of General Services. SAM 5300 establishes the high-level policy requirement that state entities maintain an information security program aligned with statewide standards. The legal-policy anchor that gives the program enforceability.

SIMM 5300 series is the implementation manual. The Statewide Information Management Manual is owned by the California Department of Technology and its Office of Information Security under Government Code § 11549.3. The SIMM 5300 series translates SAM policy into specific implementation standards.

SIMM 5300-A (confidential): California-specific security parameters for NIST SP 800-53 controls. Not publicly available because it contains sensitive control implementation details. Agencies receive it through their authorized OIS relationship.

SIMM 5300-B (public): Foundational Framework for Information Security. The prioritization framework agencies use to sequence their information security program development.

SIMM 5300-C: maturity assessments. The structured assessment tool agencies use to measure their information security program maturity against the framework.

The other SIMM 5300-series documents (5310, 5315, 5320, 5325, 5330, 5335, 5340, 5345, 5350, 5355, 5360) are operational standards covering specific control areas.

How does SIMM 5300 relate to NIST SP 800-53?

SIMM 5300 is California's specific application of NIST SP 800-53 plus state-defined parameters and operational standards.

NIST SP 800-53 Rev 5 is the underlying control catalog California has adopted as the technical baseline for state cybersecurity. SIMM 5300 diverges from a generic NIST 800-53 implementation in three meaningful ways:

First, California-specific security parameters: SIMM 5300-A defines California's specific parameter selections for NIST 800-53 controls (parameter values for assignment statements, frequency requirements for periodic activities, scope specifications). These California-specific parameters are confidential and not publicly available.

Second, the Foundational Framework (SIMM 5300-B) provides California's specific prioritization of information security program activities, which differs from simply selecting a NIST SP 800-53B low/moderate/high baseline.

Third, the operational standards (SIMM 5340-5360 series) layer specific implementation requirements on top of NIST 800-53 controls in areas California has prioritized for statewide consistency: incident response and reporting (SIMM 5340-A), vulnerability management (SIMM 5345-A), Zero Trust Architecture (SIMM 5350-A and 5350-B Roadmap), continuous security monitoring (SIMM 5335-B), MITRE ATT&CK Framework adoption (SIMM 5335-C).

Practical implication: organizations with mature NIST 800-53 programs have approximately 85% of the underlying technical foundation already in place; the SIMM-specific work concentrates on the California parameter tailoring, the operational standard layering, the annual compliance certification, and the OIS reporting cadence.

What is the annual SIMM 5330-B compliance certification and what does it involve?

SIMM 5330-B is the Information Security and Privacy Program Compliance Certification — the annual written attestation that the California Office of Information Security examines as the artifact-of-record for state entity compliance.

The certification is signed by the state entity's CISO and submitted on the schedule established in SIMM 5330-C (the compliance reporting schedule, most recently updated April 2026). Independent and constitutional offices submit through the parallel SIMM 5330-F certification.

The certification covers attestation that the entity has:

  • Implemented SAM 5300 policy requirements.
  • Aligned the information security program with the Foundational Framework (SIMM 5300-B) prioritization.
  • Applied the California-specific NIST 800-53 parameters from SIMM 5300-A.
  • Implemented the applicable operational standards from the SIMM 5340-5360 series.
  • Conducted the maturity assessment required by SIMM 5300-C.
  • Designated a CISO and Information Security Officer per SIMM 5330-A.
  • Documented material findings and gaps in Plans of Action and Milestones (POA&Ms).
  • Responded to applicable Technology Letters issued by OIS in the reporting period.

The certification is not just a checkbox: the SIMM 5330-H Information Security Policy Compliance and Enforcement Standard establishes OIS authority to address non-compliance through escalating enforcement steps.

For contractors providing IT services to state entities, the SIMM 5330-B mechanics matter because contractor performance feeds the state entity's certification — gaps in contractor security posture flow up into the state entity's annual attestation.

What changed in SIMM 5300 in 2025-2026 that we need to know about?

The 2025-2026 update cycle has been unusually active, with several material new standards and refreshes issued by OIS through formal Technology Letters.

Technology Letter 25-03 (June 2025): Introduced SIMM 5320-A Phishing Exercise Standard, establishing requirements for simulated phishing exercise plans including guidelines for collaboration with third-party vendors conducting phishing simulations. State entities must now run defensible phishing exercises against documented program standards.

Technology Letter 25-04 (August 2025): Introduced two related standards. SIMM 5335-B Continuous Security Monitoring and Event Management Standard moves California state entities meaningfully toward operational SOC capability. SIMM 5335-C MITRE ATT&CK Framework formalizes a threat-actor-behavior framework that state entities must align their detection and response capabilities against.

SIMM 5350-A Zero Trust Architecture Standard updated January 2026, with SIMM 5350-B Zero Trust Architecture Roadmap (XLSX format) updated December 2025. State entities are now expected to be on a documented Zero Trust roadmap.

SIMM 5340-A Information Security Incident Response and Reporting updated February 2026, refreshing IR and personal information breach response requirements.

SIMM 5330-A Designation Letter updated April 2026, with SIMM 5330-D Instructions updated May 2025 — refreshing who within the state entity is formally designated to carry information security responsibilities.

The cumulative implication: 2026 SIMM 5330-B certifications must reflect implementation of (or documented POA&Ms toward) these new and refreshed standards.

We hold a CMAS contract. What SAM-5300 / SIMM 5300 obligations do we actually carry?

CMAS contracts (California Multiple Award Schedule, administered by the DGS Procurement Division) carry SAM-5300 / SIMM 5300 obligations as standing capability requirements that must be demonstrable on contract performance and during DGS contract compliance reviews.

The specific obligations vary by the scope of services in your CMAS contract, but the standard pattern for IT services contractors:

First, the contractor's security program must align with the California-specific NIST 800-53 parameters in SIMM 5300-A at the level of detail appropriate to the services being performed.

Second, the contractor must comply with the operational standards in the SIMM 5340-5360 series that touch the contracted scope: if you're providing cloud services, SIMM 5315-B Cloud Security Standard applies; if you're providing endpoint management, SIMM 5355-A and 5355-B apply; if you're providing security operations, SIMM 5335-B Continuous Security Monitoring and SIMM 5340-A Incident Response apply.

Third, the contractor must support the state entity's annual SIMM 5330-B certification by providing evidence of security posture — contractor gaps flow up into the state entity's attestation.

Fourth, the contractor must respond to applicable Technology Letters as they are issued by OIS, even if those letters are addressed primarily to state entities.

Fifth, for contractors holding multiple state contracts simultaneously, the compliance burden compounds: each contracting agency may have additional flow-down requirements layered on top of the baseline CMAS terms.

WatchUr6's CMAS #3-25-06-1018 status reflects the operator credentials California state contracting expects, and our service to other CMAS holders and state entities is anchored on this practical knowledge of how the obligations actually flow.

// THE NEXT MOVE

The annual certification cycle is the deadline. The Tech Letter cadence sets the work.

Book a 30-minute SAM-5300 strategy call with a WatchUr6 advisor. Bring the state contract triggering this (CMAS, master agreement, agency-specific), the upcoming SIMM 5330-B reporting cycle, the recent Technology Letter you need to action, or the contractor flow-down obligation driving the question — and any existing framework you run (NIST 800-53, NIST CSF 2.0, FedRAMP, SOC 2).

You'll walk away with a tactical read on coverage scope, realistic timeline to a first SIMM 5330-B-defensible program, the operational standards that touch your contracted services, and your crosswalk math from existing frameworks — whether you hire us or not. CMAS #3-25-06-1018 means we can engage directly through state contracting.
