Law Enforcement Agencies (LEAs) and other government entities and the companies that access or manage sensitive US Justice Department information need to ensure that their processes and systems comply with the FBI’s Criminal Justice Information Services (CJIS) policies for wireless networking, data encryption, and remote access.
CJIS Compliance Checklist
CJIS compliance is important for law enforcement institutions and vendors who interact with sensitive intelligence data. Download our interactive CJIS compliance checklist to help determine if your network access is CJIS compliant.
CJIS compliance is important for law enforcement and other federal, state, local, and tribal government agencies: it protects national security while preserving the civil liberties of the individuals and businesses whose private and sensitive information those agencies hold.
Because of this, the CJIS Security Policy is one of the most comprehensive and stringent cybersecurity standards. Failure to comply can result in denial of access to any FBI database or CJIS system, along with fines and even criminal charges.
The CJIS security policy includes procedures for how the information is handled and what should be in user agreements. Companies and agencies that use criminal justice information (CJI) must include specific processes and parameters in their information exchange agreements, including:
Use of systems
Security awareness training
Anyone with access to CJI must undergo security awareness training within six months of receiving CJI, and the training must be repeated every two years. The topics an individual is trained on depend on the level of access to and interaction with CJI that the individual has.
All breaches and major incidents need to be reported to the Justice Department. Companies and agencies must establish procedures for detection, analysis, containment, recovery, and user responses for all breaches and incidents.
Auditing and accountability
The following events must be audited:
Access, create, write, delete, and change-permission operations on user accounts, files, directories, and other system resources
Attempts to modify passwords
Actions by privileged accounts
Attempts to access, modify, or destroy history/log files
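As an added example (not code from the page or from the CJIS policy itself), the following Python script classifies constructed syslog-style lines from a Linux host into the four audit-event categories listed above and reports any category for which the sample log produced no events. The log lines, the category labels, and the regular expressions are assumptions chosen for illustration; they are not a vendor's or the FBI's specification, and a real deployment would tune the patterns to its own log sources.

```python
"""Coverage check for the four CJIS audit-event categories listed on the page.

Added example: classifies syslog-style lines into the categories and reports
which categories a given log sample never produced, so a reviewer can see
whether the required events are actually being captured.
"""
from __future__ import annotations

import re
from collections import Counter

# The four categories from the page's list, keyed by a short label (labels are ours).
CATEGORIES = {
    "resource_permission": "access/create/write/delete/change permissions on accounts, files, directories",
    "password_change": "attempts to modify passwords",
    "privileged_action": "actions by privileged accounts",
    "log_tampering": "attempts to access, modify, or destroy history/log files",
}

# Constructed patterns for a Linux host's auth/audit logs (assumption: syslog line format).
LOG_PATH = r"/var/log/\S+|\.bash_history"
RULES = [
    ("log_tampering", re.compile(rf"\b(rm|truncate|chmod|chown|vi|vim|cat|shred)\b.*({LOG_PATH})")),
    ("password_change", re.compile(r"\bpasswd\b|password changed|chpasswd")),
    ("resource_permission", re.compile(r"\b(useradd|userdel|usermod|groupadd|chmod|chown|setfacl|mkdir|unlink)\b")),
    ("privileged_action", re.compile(r"\bsudo:|\bCOMMAND=|\bsu\[|\bsu:")),
]

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    "Mar 01 08:02:11 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd bob",
    "Mar 01 08:03:40 host passwd[2231]: pam_unix(passwd:chauthtok): password changed for bob",
    "Mar 01 08:05:02 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/chmod 640 /srv/cji/export.csv",
    "Mar 01 08:09:15 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rm /var/log/auth.log",
]


def classify(line: str) -> set[str]:
    """Return every category a single log line satisfies.

    A line may hit several: a sudo command that deletes a log file is both a
    privileged action and an attempt to destroy a log file.
    """
    return {name for name, rx in RULES if rx.search(line)}


def coverage(lines) -> dict[str, int]:
    """Count how many lines fell into each required category (zero if none)."""
    counts: Counter[str] = Counter()
    for line in lines:
        for cat in classify(line):
            counts[cat] += 1
    return {cat: counts.get(cat, 0) for cat in CATEGORIES}


def missing_categories(lines) -> list[str]:
    """Required categories for which the log sample contains no event at all."""
    return [cat for cat, n in coverage(lines).items() if n == 0]


if __name__ == "__main__":
    for cat, n in coverage(SAMPLE_LOG).items():
        print(f"{cat:20s} {n:3d}  ({CATEGORIES[cat]})")
    gaps = missing_categories(SAMPLE_LOG)
    print("coverage gaps:", gaps or "none")
```

Run against the full sample, every category is observed; run against only the first two lines, the report names `log_tampering` as a gap, which is the signal a reviewer would follow up on by checking whether log-file access is being audited at all rather than merely not occurring.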
The types of users, classifications, accountability, and associated account management must be defined. Access control criteria should be based on job, location, network address, and/or time restrictions.
Identification and authentication
Everyone who is authorized to use CJIS systems must have a unique identifier and a standard authentication method such as a password, a token or PIN, biometrics, or another type of multi-factor authentication.
Whether planned or unplanned, changes and updates to the information system platform, architecture, hardware, software, and procedures must be documented, and that documentation must be protected from unauthorized access.
You must have documented policies and procedures for how digital and physical media will be securely stored, accessed, transported, and destroyed.
Physical media (documents or digital media storage devices) need to be handled securely. Access to physical media needs to be limited and monitored.
Systems and communications protection and information integrity
Applications, services, and information systems must ensure data security and system and network integrity. This includes defining and enforcing where and how information can travel within and between systems.
The FBI and other agencies may conduct formal audits to ensure CJIS compliance.
Anyone who will have access to unencrypted CJI must undergo detailed security screening at hiring, termination, transfer, and other employee/vendor lifecycle events.
The CJIS Security Policy outlines considerations and requirements for managing system and network access from smartphones, tablets, and other mobile devices, including the use of wireless security protocols such as WEP and WPA, device certificates, and similar controls.