Our nation’s state and local law enforcement agencies have looked to the FBI’s Criminal Justice Information Services (CJIS) Security Policy for many years to set the standard for security requirements in the industry. The CJIS Policy dictates the minimum level of security requirements while providing guidelines and agreements for organizations to protect the transmission, storage and generation of criminal justice information (CJI).
The Policy applies to the full lifecycle of CJI including its creation, viewing, modification, transmission, dissemination, storage and eventual destruction. The release of CJIS Policy Version 5.3 in August of this year takes into account the sweeping changes mobile technology has brought to the front lines of public safety services.
The CJIS Security Policy is an unfunded Federal mandate defining the minimum standard of security controls required for interacting with criminal justice information. The Policy applies to every individual — contractor, private entity, non-criminal justice agency (NCJA) representative, or member of a criminal justice entity — with access to, or who would operate in support of, criminal justice services and information. This means that when interacting with CJI we must do so in a manner that is compliant with the Policy.
The Policy is left to the individual states to interpret. At the state level, an internal CJIS Systems Officer (CSO) is appointed to administer the policy within that state. The CSO interprets, maintains and enforces the Policy for subordinate agencies. This role often falls to a State’s Chief Security Officer. The CSO’s direct report is designated the CJIS Systems Agency Information Security Officer (CSA ISO).
At the local level, a Terminal Agency Coordinator (TAC), usually a commissioned Officer, is designated as the point of contact for all CJIS matters. The TAC’s direct report is designated the Local Agency Security Officer (LASO).
Often these and other roles are assumed by the same individual.
A triennial audit of each Criminal Justice Agency (CJA) is required to document compliance with the CJIS Security Policy. This audit is usually administered by the state’s ranking CJA under the purview of the CSO. This audit can be executed at the federal level by the FBI CJIS Audit Unit.
What follows is a high level overview and purposeful oversimplification of the 13 policy areas of the CJIS Security Policy v5.3.
Policy Area Summaries
Policy Area 1 — Information Exchange Agreements
Organizations exchanging CJI must have signed written agreements between them documenting the extent of their interaction and the relevant security policies and procedures in place between them to ensure appropriate safeguards. Examples of Exchange Agreements can be found in Appendix D of the Policy.
Policy Area 2 — Security Awareness Training
Basic security awareness training shall be required within six months of initial assignment, and biennially thereafter, for all personnel who have access to CJI. Records of individual basic security awareness training and specific information system security training shall be documented and kept current.
Policy Area 3 — Incident Response
Agencies must establish an operational incident handling capability for malicious computer attacks against agency information systems to include adequate preparation, detection, analysis, containment, recovery and user response activities. Agencies must also track, document and report incidents to appropriate agency officials.
Policy Area 4 — Auditing and Accountability
Agencies must provide for the ability to generate audit records of their systems for defined events.
Policy Area 5 — Access Control
Access control is the practice of defining, securing and managing user’s access to information and systems throughout the network. One of the more complex Policy Areas, an Agency’s IT organization, will implement multiple mechanisms addressing login management systems, remote access, virtual private network (VPN) solutions certified to the FIPS 140-2 standard and enact policies and controls for Wi-Fi, Bluetooth and cellular devices.
Policy Area 6 — Identification and Authentication
Agencies must uniquely identify users and processes acting on behalf of users. This section details password and PIN policies as well as advanced authentication requirements.
Policy Area 7 — Configuration Management
The goal is to allow only qualified and authorized individuals’ access to information system components for purposes of initiating changes, including upgrades and modifications.
In addition, agencies are required to produce a complete topological drawing depicting the inter-connectivity of the agency network to criminal justice information, systems and services. This diagram must be maintained in a current status. Examples of network diagrams can be found in Appendix C of the Policy.
Policy Area 8 — Media Protection
Agencies must secure CJI data in all its forms, both at rest and in motion as it traverses
electronic networks and physical locations.
Here you’ll also find guidelines for physical and electronic media sanitization and disposal.
Policy Area 9 — Physical Protection
Physically secure locations are defined by the implementation of both policies and physical and personnel security controls sufficient to protect CJI. This Policy Area defines a secure location and dictates the controls that must be in place to make it so.
Policy Area 10 — Systems and Communications Protection and Information Integrity
This section addresses all the components of modern cybersecurity. Pervasive IT systems and communications safeguards must be employed to ensure the security and integrity of data across the network both in motion and at rest. Components covered include traditional areas like encryption, antivirus and spam and also advanced technologies like virtualization, Voice over IP (VOIP) and cloud computing.
The agency must provide for version control, i.e. patch management functionality, to ensure changes, updates or upgrades are not released into the network without proper approval.
Policy Area 11 — Formal Audits
CJAs and NCJAs will be audited against the Policy triennially, at a minimum. These audits will be executed by the either the FBI CJIS Audit Unit (CAU) or the state’s lead CJIS Systems Agency (CSA).
Policy Area 12 — Personnel Security
Agencies must provide security screenings consisting of state of residence and national fingerprint-based record checks for all personnel with either physical or logical access to unencrypted CJI. This applies to agency personnel, vendors and contractors.
Policy Area 13 — Mobile Devices
Long overdue; this section provides detailed guidance regarding employing mobile devices, e.g. cellular enabled smartphones and tablets. Here you’ll find minimum functions required to manage mobile devices and an introduction to the concept of compensating controls in order to bridge the inherent technical limitations of some devices.