April 24, 2020 / Tony Howlett
Law Enforcement Agencies (LEAs) and other government entities and the companies that access or manage sensitive US Justice Department information need to ensure that their processes and systems comply with the FBI’s Criminal Justice Information Services (CJIS) policies for wireless networking, data encryption, and remote access.
The CJIS is the largest division of the FBI. It encompasses several key departments, including the National Crime Information Center (NCIC), the National Instant Criminal Background Check System (NICS), and the Integrated Automated Fingerprint Identification System (IAFIS). CJIS provides a centralized source of criminal justice data to agencies and authorized third parties throughout the United States.
CJIS compliance is important for law enforcement and other federal, state, local, and tribal government agencies: it protects national security while preserving the civil liberties of the individuals and businesses whose private and sensitive information is being handled.
Because of this, CJIS compliance is one of the most comprehensive and stringent cybersecurity standards. Failure to comply with it can result in denial of access to any FBI database or CJIS system, along with fines and even criminal charges.
To protect criminal justice information, the FBI's CJIS Security Policy document defines implementation requirements and standards for the following 13 security policy areas:

1. Information Exchange Agreements: CJIS policy includes procedures for how the information is handled and what should be in user agreements. Companies and agencies that use criminal justice information (CJI) must include specific processes and parameters in their information exchange agreements, including:

2. Security Awareness Training: Anyone with access to CJI must undergo security awareness training within six months of receiving the CJI. The training needs to be repeated every two years. Individual training and the topics covered are based on the access and interaction the individual has with the CJI.

3. Incident Response: All breaches and major incidents need to be reported to the Justice Department. Companies and agencies must establish procedures for detection, analysis, containment, recovery, and user responses for all breaches and incidents.

4. Auditing and Accountability: The following events must be audited:

5. Access Control: The types of users, classifications, accountability, and associated account management must be defined. Access control criteria should be based on job, location, network address, and/or time restrictions.

6. Identification and Authentication: Everyone who is authorized to use CJIS must have unique identification and a standard authentication method such as a password, token or PIN, biometrics, or another type of multi-factor authentication.

7. Configuration Management: Whether planned or unplanned, changes and updates to the information system platform, architecture, hardware, software, and procedures must be documented. That documentation must be protected from unauthorized access.

8. Media Protection: You must have policies and procedures documented for how digital and physical media will be securely stored, accessed, transported, and destroyed.

9. Physical Protection: Physical media (documents or digital media storage devices) need to be handled securely. Access to physical media needs to be limited and monitored.

10. Systems and Communications Protection and Information Integrity: Applications, services, and information systems must ensure data security and the integrity of systems and networks. This includes defining and enforcing where and how information can travel within and between systems.

11. Formal Audits: The FBI and other agencies may conduct formal audits to ensure compliance with the CJIS Security Policy.

12. Personnel Security: Anyone who will have access to unencrypted CJIS data must go through detailed security screening during hiring, termination, transfer, and other employee/vendor lifecycle events.

13. Mobile Devices: The CJIS outlines considerations and requirements for managing systems and network access via smartphones, tablets, and other mobile devices. This includes using wireless security protocols such as WEP and WPA (note that WEP is cryptographically broken and should not be relied on; a current WPA generation is the practical baseline), device certificates, etc.
Download our overview of CJIS requirements and use the interactive SecureLink CJIS Compliance checklist to help you determine if your network access is CJIS compliant.