Article 40 – Generative Artificial Intelligence Policy
47130.1 Introduction and Overview

The purpose of this policy is to establish guidelines and requirements for the appropriate use of Generative Artificial Intelligence (GenAI) within the California Department of Corrections and Rehabilitation (CDCR), hereinafter referred to as the department.

The use of GenAI and related technologies shall align with the organizational mission, department standards, and State and Federal policies, regulations, and laws.

47130.2 Objectives

The objectives of this policy are to:

- Define the acceptable use of GenAI within the department, including:
  - Guidance to ensure GenAI is safe and effective prior to initial use and continuously thereafter, including identification of prohibited uses;
  - Requirements for the department to use GenAI in a manner that protects against discriminatory outputs;
  - Requirements to protect the confidentiality, integrity, and availability of the data used with, or generated by, GenAI; and
  - Requirements for the department to use GenAI processes that include human alternatives, human consideration, and human failsafe points.
- Outline the GenAI training, including but not limited to role-based training, that CDCR personnel are required to undergo prior to, and as a result of, using GenAI.
- Ensure that members of the public are properly noticed, in accordance with applicable Federal and State laws and policy, of communication generated by GenAI pertaining to CDCR benefits or services.

47130.3 Scope and Applicability

The scope of this policy extends to all information assets owned or operated by the department, as well as information assets owned or operated by third parties on behalf of the department.

This policy covers all applications, tools, and systems that utilize GenAI for department operations, including, but not limited to, content creation, data analysis, and decision-making.

This policy also applies to the use of GenAI, including the data, prompts, or other content provided as inputs to GenAI applications, tools, and systems, and the generation or dissemination of outputs produced by them.

This policy applies to all department personnel.
47130.4 Policy Directives

The department shall ensure:

- All content used to directly communicate with a person regarding government services and benefits that is created or substantially altered by GenAI carries a specified disclosure that the content was generated or substantially altered using GenAI.
- All GenAI proofs of concept are first tested in a CDT-approved “sandbox” environment, in accordance with State Administrative Manual (SAM) Section 4986.6, or its subsequent iteration. Testing shall include, but not be limited to, evaluation for:
  - model bias,
  - hallucinations,
  - bad actors,
  - equity,
  - data quality issues,
  - privacy, and
  - security concerns.
- Prior to any potential use of, or solicitation for, technologies that involve GenAI components, the technologies undergo a formal review to assess risk and verify alignment with official business goals, per State procurement and policy requirements specific to GenAI.
- All potential use of, or solicitation for, GenAI and related technologies is approved by the department’s Chief Information Officer (CIO) prior to use by department personnel. Only uses of GenAI that are for official department purposes shall be considered for approval.
- All GenAI input and output data is reviewed to prevent biases and misuse. The review must be supplemented with human verification of the accuracy and factuality of the input and output data to prevent misinformation.
- All GenAI applications, tools, and systems, including those deemed “high-risk automated decision systems” pursuant to Government Code (GC) Section 11546.45.5, subdivision (a)(5), and those deemed “high-risk” pursuant to the risk assessment required by State Information Management Manual (SIMM) 5305-F, are documented and inventoried.
- Prior to their involvement in any potential use or use of GenAI that may utilize department data and information assets, all personnel undergo appropriate GenAI training according to their roles and responsibilities.
- All GenAI and related technologies are implemented with documented and appropriate security controls, as determined by the CIO.
- Individuals consuming processes or services that utilize GenAI applications, tools, and systems have access to a non-GenAI alternative, so that they are able to opt out of automated systems where appropriate.
- Individuals have access to human review and remedy through a fallback and escalation process when they contest or appeal a GenAI-assisted outcome.

In accordance with SAM Section 4986.12, the department shall ensure:

- Users only use State-approved or State-provided accounts on State-approved or State-provided equipment for State work.
- Users are prohibited from entering confidential and sensitive State data into commercially available GenAI.
- Users may employ GenAI to enhance the efficiency and effectiveness of public services.
- Users must review and verify GenAI output for relevance before use, to ensure it aligns with its intended purpose and to mitigate risks such as hallucinations, misinformation, and bias.
- Users must not infringe any copyright or intellectual property laws and must comply with open-source licenses as applicable.
- Users must select the “opt-out” option for data collection and model training features where the GenAI tool offers one (e.g., ChatGPT).
- Users waive all rights of ownership to GenAI outputs that are created on behalf of California and used for public-related services to California.
- Users must not use State email or other State-identifying information to register for unsupported tools.
- Users must not label content created by GenAI as their own.
- Users must report the unauthorized use or disclosure of confidential and sensitive State data in GenAI to the Information Security Officer (ISO).
47130.5 Roles and Responsibilities
Revised March 27, 2026

Department Chief Information Officer (CIO) or designee.

- The CIO shall determine the risk response for all GenAI usage and procurements, whether the procurement or use of the GenAI was intentional or incidental to the primary procurement or use. This includes the authority to approve or disapprove any and all potential use of GenAI by CDCR personnel. This responsibility cannot be delegated to a designee.
- The CIO or designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.
- The CIO or designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.
- The CIO or designee is required to audit and assess compliance with this policy at least once every two years.
- The CIO or designee shall ensure that GenAI risks are continuously monitored and managed.
- The CIO or designee shall determine the appropriate security controls for GenAI and related technologies.

Department ISO.

The ISO shall:

- Participate in risk assessments associated with GenAI and related technologies. Risk assessments must adhere to State and Federal policy requirements.
- Ensure the department inventories its use of “high-risk automated decision systems” as defined in GC Section 11546.45.5, subdivision (a)(5), or its subsequent iteration, and “high-risk” GenAI systems as identified by the risk assessment required by SIMM 5305-F. This includes ensuring such inventories are made available to the California Department of Technology, as specified in GC Section 11546.45.5 and applicable State policy.
- Ensure that all use of GenAI and related technologies is approved prior to implementation.

Department owners of information assets and program management.

- Owners of information assets shall ensure that personnel under their purview undergo GenAI training according to their roles and responsibilities, prior to their involvement in any potential use or use of GenAI that may utilize department data and information assets.
- Owners of information assets shall ensure that all GenAI applications under their purview that are deemed “high-risk automated decision systems” as defined in GC Section 11546.45.5, subdivision (a)(5), or its subsequent iteration, and “high-risk” GenAI systems as identified by the risk assessment required by SIMM 5305-F, are documented.
- Owners of information assets, in collaboration with Information Asset Custodians, shall ensure that all GenAI output under their purview that is used for decision-making is reviewed regularly to prevent biases and misuse. The review shall include verification of the accuracy and factuality of the input and output data to prevent misinformation.

Department Information Asset Custodians.

- Information Asset Custodians, in collaboration with Owners of Information Assets, shall implement, maintain, and monitor GenAI access and security controls for any GenAI usage under their purview.

Department Information Asset Users.

- Users of department information assets shall be aware of and adhere to all department information security and privacy policies.
47130.6 Compliance

Non-compliance with this policy may result in disciplinary or adverse action as set forth in Department Operations Manual (DOM) Chapter 3, Article 22.

The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of its programs. Program administrators shall work with their general counsel, the ISO, and the Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

The consequences of negligence and non-compliance with State and Federal laws and policies may include, for the department and for individuals:

- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

47130.7 Auditing

The department has the right to audit any activities related to the use of State information assets.

CDT OIS and the department have the statutory right to audit department readiness to respond to and recover from an incident.

47130.8 Reporting

Violations of this policy shall be reported to the department ISO.

47130.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISO.

47130.10 Authority

This policy complies with State of California GC Section 11549.3.

47130.11 Revisions

The CIO or designee shall ensure that the contents of this article are current and accurate.
References

(1) NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile
(2) SAM Section 4819.2, New Definitions for AI and GenAI
(3) SAM Section 4986, Artificial Intelligence Introduction
(4) SAM Section 4986.3, GenAI Use Identification and High-Risk Inventory
(5) SAM Section 4986.6, GenAI Proof of Concept and Minimum Viable Product
(6) SAM Section 4986.9, GenAI Procurement
(7) SAM Section 4986.10, Privacy for GenAI
(8) SAM Section 4986.11, Security for GenAI
(9) SAM Section 4986.12, Acceptable Use of GenAI
(10) SAM Section 4986.13, GenAI Workforce Training
(11) SAM Section 5305.5, Information Asset Management
(12) SAM Section 5310.4, Individual Access to Personal Information
(13) SAM Section 5310.6, Data Retention and Destruction
(14) SIMM 5305-F, Generative Artificial Intelligence Risk Assessment
(15) SIMM 5310-C, Privacy Threshold Assessment and Privacy Impact Assessment
(16) SIMM 180, Statement of Work Guidelines
(17) SIMM 71-A, Certification of Compliance with IT Policies Preparation Instructions
(18) SIMM 71-B, Certification of Compliance with IT Policies Template
(19) SIMM 19-H, Project Delivery Lifecycle for IT Projects Utilizing GenAI
(20) California Executive Order N-12-23
(21) State of California GenAI Guidelines for Public Sector Procurement, Uses and Training
(22) State of California Benefits and Risks of Generative Artificial Intelligence Report
(23) California Office of Data and Innovation, GenAI Innovation Playbook
(24) genai.ca.gov
(25) State Contracting Manual Volume 2, Chapter 23, GenAI
(26) GC Sections 11546.45 and 11549.63-11549.66
(27) California Public Records Act (Gov. Code § 7920 et seq.)
(28) California Information Practices Act (Civ. Code § 1798 et seq.)
(29) Article 1, Section 1 of the California Constitution
(30) Penal Code Sections 832.7 and 832.8, and Pitchess v. Superior Court (1974) 11 Cal.3d 531
(31) California Confidentiality of Medical Information Act (Civ. Code § 56 et seq.)
(32) Federal Health Insurance Portability and Accountability Act (45 C.F.R. § 164.102 et seq.), or their subsequent iterations
(33) DOM Chapter 3, Article 22
(34) DOM Chapter 4, Article 46
(35) DOM Chapter 4, Article 55