| The GenAI system workflow includes human verification to ensure accuracy and factuality of the output. |
| | |
| The GenAI system will not have the potential to degrade public services. |
| | |
| The GenAI system will not adversely impact the availability of resources and services provided by the State of California. |
| | |
| If the GenAI system is a shared system, is there an existing data-sharing agreement between parties including roles & responsibilities for data owner, custodian, user, etc.? |
| | |
| User accounts for the GenAI tool are managed by a state-owned identity and access management tool (e.g. Active Directory). |
| | |
| Business services are not contingent on the system's use. In the event of system failure or inaccurate results, the State of California can continue to provide the same level of services without disruption. |
| | |
| The state entity has safeguards in place to protect data used by the GenAI tool from being exposed to the internet. |
| | |
| The state entity uses safeguards that comply with the state-defined security parameters for NIST SP 800-53, SIMM 5300-A, and SAM Section 5300.5. |
| | |
| Cloud-based GenAI systems comply with Cloud Computing Policy SAM 4983.1 and Cloud Security Guide SIMM 140, which states that all data will remain in the United States and that no remote access will be allowed outside of the United States. |
| | |
| All remote access uses Multi-Factor Authentication (MFA) and complies with the Telework and Remote Access Security Standard (SIMM 5360-A). |
| | |
| All confidential, sensitive, or personal information is encrypted in accordance with SAM 5350.1 (Encryption) and SIMM 5305-A (Information Security Program Management Standard) and at the necessary level of encryption for the data classification pursuant to SAM 5305.5 (Information Asset Management). |
| | |
| All data, hardware, software, internal systems, and essential third-party software, including for on-premises, cloud, and hybrid environments, are aligned with a zero-trust architecture model in accordance with NIST 800-27. |
| | |
| All data is subject to Civil Code 1798.99.80-1798.99.89 and will not be sold or advertised to data brokers. |
| | |
| Unless specified in the Contract, Prompts or Generated Data resulting from such Prompts constitute a Work Product. Contractors may not use, copy, modify, distribute, or disclose any such Prompts or Generated Data for any purpose other than performing their obligations under the Contract unless expressly authorized by the State in writing. |
| | |
| To the extent any Prompts or Generated Data constitute Work Product, the State will retain Government Purpose Rights. |
| | |
| The GenAI system will opt out of any data collection and model training features that may be used to train commercial instances of GenAI systems. |
| | |
| GenAI output will not infringe on copyright or intellectual property laws and is compliant with open-source licenses, if applicable. |
| | |
| GenAI output will be cited (from credible sources) if any statements used as facts are generated and published for consumer use. All generated images and videos will cite any GenAI used in their creation, even if the images are substantially edited afterward. |
| | |
| The GenAI system will not spoof or engage in fraud, including deepfake creation, impersonation, phishing, other social engineering, or manipulation of other GenAI systems. |
| | |
| The GenAI system is designed to avoid generating or creating illicit content that may be controversial, subjective, or potentially not widely accepted by the public. |
| | |
| The GenAI system will not improperly conduct systematic, indiscriminate, or large-scale monitoring, surveillance, or tracking of individuals. |
| | |