CJIS compliance guide: 13 policy areas to know

April 24, 2020//Tony Howlett

Law Enforcement Agencies (LEAs) and other government entities and the companies that access or manage sensitive US Justice Department information need to ensure that their processes and systems comply with the FBI’s Criminal Justice Information Services (CJIS) policies for wireless networking, data encryption, and remote access. 

What is CJIS?

The CJIS is the largest division of the FBI. It encompasses several key departments, including the National Crime Information Center (NCIC), the National Instant Criminal Background Check System (NICS), and the Integrated Automated Fingerprint Identification System (IAFIS). CJIS provides a centralized source of criminal justice data to agencies and authorized third-parties throughout the United States. 

CJIS compliance is important for law enforcement and other federal, state, local, and tribal government agencies to protect national security while preserving the civil liberties of individuals and businesses in protecting private and sensitive information. 

Because of this, CJIS compliance is one of the most comprehensive and stringent cybersecurity standards. Failure to comply with it can result in denial of access to any FBI database or CJIS system, along with fines and even criminal charges.

CJIS Security Policy Areas

To protect criminal justice information, the FBI’s CJIS Security Policy document defines implementation requirements and standards for the following 13 security policy areas:

  1. Information exchange agreements

    CJIS policy includes procedures for how the information is handled and what should be in user agreements. Companies and agencies that use criminal justice information (CJI) must include specific processes and parameters in their information exchange agreements, including:

    • Audits 
    • Dissemination
    • Hit confirmation
    • Logging
    • Quality assurance
    • Pre-employment screening
    • Security
    • Timeliness
    • Training
    • Use of systems
    • Validation
  2. Security awareness training

    Anyone with access to CJI must undergo security awareness training within six months of receiving the CJI. The training needs to be repeated every two years. Individual training and topics covered are based on the access and interaction the individual has to the CJI.

  3. Incident response

    All breaches and major incidents need to be reported to the Justice Department. Companies and agencies must establish procedures for detection, analysis, containment, recovery, and user responses for all breaches and incidents.

     

  4. Auditing and accountability

    The following events must be audited:

    • Login attempts
    • Assess, create, write, delete, and change permissions on user accounts, files, directories, and other system resources
    • Attempts to modify passwords
    • Actions by privileged accounts
    • Attempts to access, modify, or destroy history/log files
  5. Access control

    The types of users, classifications, accountability, and associated account management must be defined. Access control criteria should be based on job, location, network address, and/or time restrictions.

     

  6. Identification and authentication

    Every one who is authorized to use CJIS must have unique identification and a standard authentication method such as a password, token or PIN, biometrics, or another type of multi-factor authentication.

  7. Configuration management

    Whether planned or unplanned, changes, and updates to the information system platform, architecture, hardware, software, and procedures must be documented. That documentation must be protected from unauthorized access.

  8. Media protection

    You must have policies and procedures documented for how digital and physical media will be securely stored, accessed, transported, and destroyed.

  9. Physical protection

    Physical media (documents or digital media storage devices) need to be handled securely. Access to physical media needs to be limited and monitored.

     

  10. Systems and communications protection and information integrity  

    Applications, services, and information systems must ensure data security, system, and network integrity. This includes defining and enforcing where and how information can travel within and between systems.

  11. Formal audits

    The FBI and other agencies may conduct formal audits to ensure compliance with the CJIS.

  12. Personnel security

    Anyone that will have access to unencrypted CJIS data must go through detailed security screening during hiring, termination, transfer, and other employees/vendor lifecycle events.

  13. Mobile devices

    The CJIS outlines considerations and requirements for managing systems and network access via smartphones, tablets, and other mobile devices. This includes using wireless security protocols such as WEP and WPA, device certificates, etc.

CJIS compliance checklist

Download our overview of CJIS requirements and use the interactive SecureLink CJIS Compliance checklist to help you determine if your network access is CJIS compliant.

Leave a Comment

close close