State Issues Security Policy on Two-Factor Authentication

Published On: May 26, 2023

On Thursday (5/25/23), the Office of Information Security released Technology Letter 23-01 creating a Multi-Factor Authentication Standard for state agencies to follow.  In an email from the California Department of Technology, the memo states:

The California Department of Technology (CDT) released Technology Letter (TL) 23-01 announcing the new Statewide Information Management Manual (SIMM) Standards 5360-C & D, for Multi-Factor Authentication.

The purpose of this Technology Letter is to announce:

  • SIMM 5360-C, Multi-Factor Authentication, is a new standard in support of SAM 5360, Identity and Access Management. It contains instructions, workflows, processes, and security controls to ensure compliant and secure authentication for information assets.
  • SIMM 5360-D, Multi-Factor Authentication Supplemental, contains frequently asked questions about the MFA Standard, SIMM 5360-C, and provides hypothetical real-world examples of how an entity would implement MFA based on the processes and workflows defined in SIMM 5360-C.
  • Any publicly accessible information asset that stores, processes, transmits or visually presents confidential, sensitive, or personal information will be subjected to SIMM 5360-C & D. Digital Identities for information assets will be required to have an additional form of authentication based on the information assets Authenticator Assurance Level defined in SIMM 5360 C & D. This will provide an additional layer of security, which will help reduce risk of nefarious activities by internal and external threats.
  • This TL also serves as a notice that all Agencies/state entities must work toward a Zero Trust Architecture (ZTA) model as outlined in NIST 800-207. Refer to the Cybersecurity Infrastructure Security Agency (CISA) Zero Trust Maturity Model Version 2.0. By May 2024, all Agencies/ state entities must have assessed, planned, and implemented the “Initial” maturity stage of each of the five pillars including Identity, Devices, Networks, Applications & Workloads, and Data.

TL 23-01 is available on CDT’s website located at

About the Author: Staff

Contact us, share tips and news: