State of California

California Department of Technology

Office of Information Security

Host/Hosted Self-Certification

SIMM 5330-E

March 2023

REVISION HISTORY

| REVISION | DATE OF RELEASE | OWNER | SUMMARY OF CHANGES |
| --- | --- | --- | --- |
| Initial Release | January 2020 | Office of Information Security (OIS) | NAME CHANGE: Parent/Child Relationship to Host/Hosted Relationship |
| Minor Update | July 2022 | OIS | Added the “No Host/Hosted Relationship” requirement to update within 10 business days of any change in Host/Hosted Relationship status. |
| Minor Update | March 2023 | OIS | Formatting changes |

TO: Office of Information Security,
California Department of Technology
Attn: Security Compliance Reporting
P.O. Box 1810, Mail Stop Y-01
Rancho Cordova, CA 95741

SUBJECT: Host/Hosted Self-Certification (Previously referred to as the Parent/Child Relationship)

Important: The Host/Hosted relationship is used for AUDIT & ASSESSMENT PURPOSES ONLY.

This certification identifies if there is a Host/Hosted Relationship and authorizes the Hosted entity to be included within a single³ Host entity's audit and/or assessment for a reduced fee. The signatures on this SIMM 5330-E must reflect the Information Security staff, as designated on the Designation Letter (SIMM 5330-A), for BOTH of the Host and Hosted entities.

In order to be considered a Hosted entity in a Host/Hosted relationship, the Hosted entity must meet ALL THREE of the below criteria:

  • POLICY BOUNDARY: Hosted entity does NOT have a separate information security policy boundary from the Host entity.
  • SECURITY BOUNDARY: Hosted entity is ENTIRELY contained within the security boundary of the Host entity.
  • ACTIVE DIRECTORY ENVIRONMENT: Hosted entity must meet at least one of the following:
    • does NOT have a separate Active Directory from the Host entity, and/or
    • has an Active Directory that is FULLY managed by the Host entity.

This form is submitted annually in accordance with the Information Security Compliance Reporting Schedule (SIMM 5330-C) and within 10 business days of any change, and certifies one of the following (select one):

ADDITIONAL INFORMATION: If it is determined at the time of an audit or assessment that the Hosted entity does not meet ALL THREE of the criteria above, the Hosted entity will still be audited or assessed, and any amount billed or due will be direct billed to the designated Host entity.

1. Previously referred to as the Parent/Child relationship.

2. "Audit" refers to the OIS Information Security Program Audit (ISPA). "Assessment" refers to the Independent Security Assessment (ISA) performed by the California Military Department or an approved third party.

3. In order to meet the Host/Hosted relationship, a Hosted Entity may not be supported by multiple entities. To be considered a Hosted Entity, the Hosted Entity must meet all of the Host/Hosted criteria and can only be supported by a SINGLE Host Entity.

All state entities, including "Hosted" entities, must comply with all mandatory compliance reporting requirements. Separate compliance forms are required for ALL state entities regardless of whether they meet the criteria for a Host/Hosted relationship. The Host entity may assist the Hosted entity with meeting the compliance requirements.

This form must be signed by ALL Information Security staff listed below, as identified on the Designation Letter (SIMM 5330-A), for BOTH entities.

HOST ENTITY:

By signing this certification, my entity certifies that they are the Host entity and that the Hosted entity meets ALL THREE of the previously listed criteria to be considered a Hosted entity. My entity fully accepts the role and the requirements that come with being the Host entity.

CHIEF INFORMATION OFFICER:

INFORMATION SECURITY OFFICER:

AGENCY CHIEF INFORMATION OFFICER:

AGENCY CHIEF INFORMATION SECURITY OFFICER:

HOSTED ENTITY:

By signing this certification, my entity certifies that they are the Hosted entity and meets ALL THREE of the previously listed criteria to be considered a Hosted entity under the listed Host entity.

CHIEF INFORMATION OFFICER:

INFORMATION SECURITY OFFICER:

AGENCY CHIEF INFORMATION OFFICER:

AGENCY CHIEF INFORMATION SECURITY OFFICER: