This page is an index. The actionable items are the requirements below.
Standards California adopts
California Confidentiality of Medical Information Act
Official source: California medical information privacy and security law.
Adopts: HIPAA Security. CMIA aligns with HIPAA but adds California-specific obligations.
Requirements
Cybersecurity statutes (background)
In plain terms. California centralizes state cybersecurity in the Office of Information Security and runs detailed IT procurement rules through the State Administrative Manual.
Who it applies to. State agencies and their IT vendors. California references NIST/FIPS and participates in StateRAMP.
What it requires. State law establishes the Office of Information Security to set statewide security policy, and computer-crime law backs it. Agencies follow the State Administrative Manual for IT procurement and system-and-services acquisition.
Why it matters. Vendors selling IT to California must work within the Office of Information Security's policies and the State Administrative Manual's procurement and security rules.
Citation. Cal. Gov't Code (Office of Information Security); Cal. Penal Code (Larceny). References NIST/FIPS; participates in StateRAMP.
Regulations & policies (background)
In plain terms. California's vendor-facing IT rules live in DGS contract provisions and the State Administrative Manual.
Who it applies to. State agencies and their IT vendors.
What it requires. DGS general provisions for IT contracts and State Administrative Manual sections on IT procurement and system-and-services acquisition set the terms and security expectations for vendors.
Why it matters. Expect California's standard IT contract provisions and SAM acquisition rules to govern your engagement.
Citation. DGS PD-401 (General Provisions - Information Technology Contracts); State Administrative Manual (SAM) §§ 4800, 5210, 5230.4, 5305.8, and 5315.1 (System and Services Acquisition).