Policy/Guidelines Update
DATE ISSUED: January 2019
TO: Chief Information Officers (CIO)
Information Security Officers (ISO)
Agency Chief Information Officers (AIO)
Agency Information Security Officers (AISO)
SUBJECT: Endpoint Protection Standard


The California Department of Technology (CDT) Office of Information Security (OIS) has developed the Endpoint Protection Standard (SIMM 5355-A). This policy introduces required minimum endpoint protection standards as part of a defense-in-depth security strategy. Effective immediately, Agency/state entities must ensure that endpoints for their respective organization(s) include the endpoint protections outlined in SIMM 5355-A. If an Agency/state entity has already acquired or implemented a solution that does not currently meet this standard, the Agency/state entity must identify the deficiency and include a remediation plan in its next Plan of Action and Milestones (POAM) submission.


The purpose of this Policy/Guidelines Update is to announce:
  • New SIMM Section 5355-A, Endpoint Protection Standard, which includes minimum requirements for endpoint protection.
  • Updated SAM Section 5355, which now includes a reference to the Endpoint Protection Standard (SIMM 5355-A).


The following reference materials are associated with this Policy/Guidelines Update. The Statewide Information Management Manual (SIMM) is available on CDT’s website at https://cdt.ca.gov/policy/simm/. The State Administrative Manual (SAM) is available on the Department of General Services website at http://sam.dgs.ca.gov/.
  • SAM Section 5355
  • SIMM Section 5355-A

Questions regarding this announcement should be directed to the Department of Technology, Office of Information Security at security@state.ca.gov.

(PG 19-004)