Lepide Blog: A Guide to IT Security, Compliance and IT Operations

13 CJIS Compliance Requirements (Criminal Justice Information Services)


What is CJIS Compliance?

CJIS, since its establishment in 1992, has served as a central repository for significant criminal justice records, including fingerprint records, criminal history data, and biometric data. The ‘CJIS’ division of the Federal Bureau of Investigation (FBI) gives law enforcement agencies access to a range of information, including criminal justice information and services.

CJIS compliance is defined as adhering to the security standards established by the FBI’s Criminal Justice Information Services (CJIS) division. By putting strong security procedures and controls in place, CJIS compliance aims to protect the confidentiality, integrity, and availability (CIA) of this data.

CJIS compliance standards preserve private and sensitive data while defending individual and corporate civil liberties and national security. Access to criminal justice information (CJI) by law enforcement and civil agency organizations must be protected, and they must be shielded from cybercriminals who wish to use CJI to damage the public or demand ransom.

CJIS Compliance Requirements

According to the CJIS Security Policy 2018, there are 13 policy areas which organizations must be acquainted with in order to satisfy the CJIS compliance requirements, which include:

1. Information Exchange Agreements

Before sharing criminal justice information (CJI) with another agency, organizations must first make sure that they have established a formal agreement with them to ensure that they are complying with CJIS security standards. The agreements should include an assessment of the policy areas mentioned in this article.

2. Security Awareness Training

Employees who have access to CJI must be trained to comply with the CJIS compliance security standards within the first six months of assignment, and training should be carried out annually.

3. Incident Response

Organizations must have an Incident Response Plan (IRP) in place to ensure that they are able to identify, contain, eradicate and recover from a security incident in a timely manner. Any data breaches must be reported to the Justice Department.

4. Auditing and Accountability

Organizations must monitor all access to CJI, including who is accessing it, and when. They will also need information about why a user is accessing the data, to help them determine the legitimacy of the user’s actions. Organizations should keep a historical archive of all events involving CJI, to assist them in conducting a forensic analysis, were a security incident to unfold. Administrators should monitor access to files, folders and privileged mailbox accounts, login attempts, permission changes, password modifications, and so on.

5. Access Control

Organizations will need to implement Role-Based Access Control (RBAC), and include “roles” such as job type, location, IP address, and time restrictions in order to meet CJIS compliance standards.

6. Identification and Authentication

To access CJIS data, users are required to comply with the CJIS authentication standards, which compel agencies to use multi-factor authentication (MFA). MFA relies on two or more “factors” to authenticate the user: something the user knows, something the user has, and something the user is (e.g. biometric data). The CJIS stipulates that a maximum of 5 unsuccessful login attempts are allowed per user, after which their credentials will need to be reset. Additionally, passwords will need to be reset periodically.
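As an added example (not code from the article or from Lepide), the following Python script applies the controls this section and section 4 describe to a constructed audit log: it flags the point at which a user reaches the 5-attempt limit, any further attempts or successful logins where a lockout should already have applied, and every permission or password change on CJI resources. The log format, event names, user names and paths are assumptions made for illustration.

```python
"""Added example (not from the Lepide article): applies the CJIS thresholds the
article cites to constructed audit lines. Log format, event names and users
are assumptions made for illustration."""
import re
from collections import defaultdict
MAX_FAILED_LOGINS = 5  # CJIS limit cited in the article

# Constructed sample audit log (not real data). Assumed line format:
# <timestamp> <event> user=<name> target=<resource>
SAMPLE_LOG = """\
2024-03-01T08:00:01Z LOGIN_FAIL user=jdoe target=cji-fileserver
2024-03-01T08:00:09Z LOGIN_FAIL user=jdoe target=cji-fileserver
2024-03-01T08:00:15Z LOGIN_FAIL user=jdoe target=cji-fileserver
2024-03-01T08:00:22Z LOGIN_FAIL user=jdoe target=cji-fileserver
2024-03-01T08:00:30Z LOGIN_FAIL user=jdoe target=cji-fileserver
2024-03-01T08:00:37Z LOGIN_FAIL user=jdoe target=cji-fileserver
2024-03-01T08:00:45Z LOGIN_OK user=jdoe target=cji-fileserver
2024-03-01T08:01:00Z LOGIN_OK user=asmith target=cji-fileserver
2024-03-01T08:02:00Z PERM_CHANGE user=asmith target=/cji/records
2024-03-01T08:03:00Z PASSWORD_CHANGE user=svc-backup target=svc-backup
2024-03-01T08:04:00Z LOGIN_FAIL user=asmith target=cji-fileserver
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) target=(?P<target>\S+)$")

def parse(log_text):
    """Parse audit lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def analyze(events):
    """Return (finding, user, detail) tuples: lockout-policy violations plus
    every permission or password change, which the article says must be logged."""
    findings = []
    failed = defaultdict(int)  # consecutive failed logins per user
    for e in events:
        user, ev = e["user"], e["event"]
        if ev == "LOGIN_FAIL":
            failed[user] += 1
            if failed[user] == MAX_FAILED_LOGINS:
                findings.append(("LOCKOUT_REQUIRED", user, e["ts"]))
            elif failed[user] > MAX_FAILED_LOGINS:
                findings.append(("ATTEMPT_AFTER_LOCKOUT", user, e["ts"]))
        elif ev == "LOGIN_OK":
            if failed[user] >= MAX_FAILED_LOGINS:  # lockout was not enforced
                findings.append(("LOGIN_WHILE_LOCKED", user, e["ts"]))
            failed[user] = 0  # a successful login clears the counter
        elif ev in ("PERM_CHANGE", "PASSWORD_CHANGE"):
            findings.append((ev, user, e["target"]))
    return findings
```

A real deployment would read the lines from the audit source described in section 4 and forward each finding to the incident response process described in section 3.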

7. Configuration Management

The CJIS security standards stipulate that only authorized users are allowed to make configuration changes to systems that store CJI, which includes performing software updates, and adding/removing hardware. Both the procedures for making such changes, along with any changes that are made, must be clearly documented, and shielded from unauthorized access.

8. Media Protection

To ensure data integrity and confidentiality, policies should specify how to securely store, move, and destroy physical and digital media that hold sensitive information. To stop unwanted access or tampering, physical media and storage spaces must be controlled and continuously monitored. To regulate access to both digital and non-digital media, organizations must make sure that media protection policies are applied and documented.

9. Physical Protection

Policies and processes must be in place for organizations that keep CJI to guarantee that all media are safeguarded and disposed of safely after use. Security measures for server rooms should include cameras, alarms, and locks. Policies for physical protection should be established and followed to guarantee that CJI, hardware, and software are safeguarded.

10. Systems and Communications Protection and Information Integrity

This policy area relates to the overall security of an organization’s network. Organizations handling CJI must have the necessary safeguards in place to ensure that all systems and communication protocols are protected from unauthorized access. They will need to implement perimeter security solutions such as anti-virus software, firewalls and Intrusion Prevention Systems (IPS). They will need to use techniques such as application blacklisting/whitelisting, and ensure that all CJI is encrypted, both at rest and in transit. The CJIS also sets out certain standards relating to the way data is encrypted. For example, organizations must use a minimum of 128-bit encryption, and the decryption keys must be at least 10 characters long, using a mix of upper and lowercase letters, numbers and special characters. If a user no longer needs access to the encrypted data, the keys must be changed.

11. Formal Audits

Organizations will be subject to formal security audits to ensure that they are complying with the CJIS security standards. The audits will be carried out at least once every three years, by either the CJIS Audit Unit (CAU) or the CJIS Systems Agency (CSA).

12. Personnel Security

Any employees, contractors and vendors that will have access to CJI must be subject to a rigorous screening process, which includes checking fingerprints against the Integrated Automated Fingerprint Identification System (IAFIS).

13. Mobile Devices

Organizations must establish an “acceptable use policy” relating to the way mobile devices are used, including the websites they can access and the applications they can install. The policy should cover any laptop, smartphone or tablet that has access to CJI. Such devices will be held to the same security standards as on-premises devices, although a number of additional security measures may be required. For example, the user will be required to ensure that their device is password protected. They may be required to install Mobile Device Management (MDM) software and remote wiping software, and to use a device locator service (to help find the device if it is lost or stolen). If employees are using their device on an unsecured public Wi-Fi network, they may be required to use a Virtual Private Network (VPN) to ensure that all data transmissions are encrypted.

Many of these tasks can be greatly simplified by using the right set of tools. For example, a sophisticated Data Security Platform will provide the means by which to monitor permission changes, suspicious file and folder activity, anomalous failed login attempts, privileged mailbox access, unauthorized password modifications, and a lot more.

All changes will be presented via a single dashboard, which will include a detailed history of all events concerning CJI. Additionally, most solutions provide a set of pre-defined reports, customized to meet the reporting requirements of a wide range of data privacy standards, including those laid out by the CJIS.

If you would like to see how Lepide can help you align with CJIS compliance, schedule a demo with one of our engineers today.