Last Updated on December 6, 2024 by Satyendra
What is CJIS Compliance?
CJIS, since its establishment in 1992, has served as a central repository for significant criminal justice records, including fingerprint records, criminal history data, and biometric data. The ‘CJIS’ division of the Federal Bureau of Investigation (FBI) gives law enforcement agencies access to a range of information, including criminal justice information and services.
CJIS compliance is defined as adhering to the security standards established by the FBI’s Criminal Justice Information Services(CJIS) division. By putting strong security procedures and controls in place, CJIS Compliance aims to protect the confidentiality, integrity, and availability (CIA) of this data.
CJIS compliance standards preserve private and sensitive data while defending individual and corporate civil liberties and national security. Access to criminal justice information (CJI) by law enforcement and civil agency organizations must be protected, and they must be shielded from cybercriminals who wish to use CJI to damage the public or demand ransom.
CJIS Compliance Requirements
According to the CJIS Security Policy 2018, there are 13 policy areas which organizations must be acquainted with in order to satisfy the CJIS compliance requirements, which include:
1. Information Exchange Agreements
Before sharing criminal justice information (CJI) with another agency, organizations must first make sure that they have established a formal agreement with them to ensure that they are complying with CJIS security standards. The agreements should include an assessment of the policy areas mentioned in this article.
2. Security Awareness Training
Employees who have access to CJI must be trained to comply with the CJIS compliance security standards within the first six months of assignment, and training should be carried out annually.
3. Incident Response
Organizations must have an Incident Response Plan (IRP) in place to ensure that they are able to identify, contain, eradicate and recover from a security incident in a timely manner. Any data breaches must be reported to the Justice Department.
4. Auditing and Accountability
Organizations must monitor all access to CJI, including who is accessing it, and when. They will also need information about why a user is accessing the data, to help them determine the legitimacy of the user’s actions. Organizations should keep a historical archive of all events involving CJI, to assist them in conducting a forensic analysis, were a security incident to unfold. Administrators should monitor access to files, folders and privileged mailbox accounts, login attempts, permission changes, password modifications, and so on.
5. Access Control
Organizations will need to implement Role-Based Access Control (RBAC), and include “roles” such as job type, location, IP address, and time restrictions in order to meet CJIS compliance standards.
6. Identification and Authentication
To access CJIS data, users are required to comply with the CJIS authentication standards, which compels agencies to use multi-factor authentication (MFA). MFA relies on two or more “factors” to authenticate the user. These factors include; something the user knows, something the user has, and something the user is (e.g. biometric data). The CJIS stipulates that a maximum of 5 unsuccessful login attempts are allowed, per user, after which their credentials will need to be reset. Additionally, passwords will need to be reset periodically.
7. Configuration Management
The CJIS security standards stipulate that only authorized users are allowed to make configuration changes to systems that store CJI, which includes performing software updates, and adding/removing hardware. Both the procedures for making such changes, along with any changes that are made, must be clearly documented, and shielded from unauthorized access.
8. Media Protection
To ensure data integrity and confidentiality, policies should specify how to securely store, move, and destroy physical and digital media that hold sensitive information. To stop unwanted access or tampering, physical media and storage spaces must be controlled and continuously monitored. Information, communications, and systems protection. To regulate access to both digital and non-digital media, organizations must make sure that media protection policies are applied and documented.
9. Physical Protection
Policies and processes must be in place for organizations that keep CJIS to guarantee that all media are safeguarded and disposed of safely after use. Security measures for server rooms should include cameras, alarms, and locks. Policies for physical protection should be established and followed to guarantee that CJI, hardware, and software are safeguarded.
10. Systems and Communications Protection and Information Integrity
This policy area relates to the overall security of an organization’s network. Organizations handling CJIS must have the necessary safeguards in place to ensure that all systems and communication protocols are protected from authorized access. They will need to implement perimeter security solutions such as anti-virus software, firewalls and Intrusion Prevention Systems (IPS). They will need use techniques such as application blacklisting/whitelisting, and ensure that all CJI is encrypted, both at rest and in transit. The CJIS also sets out certain standards relating to the way data is encrypted. For example, organizations must use a minimum of 128 bit encryption, and the decryption keys must be at least 10 characters long, a mix of upper and lowercase letters, numbers and special characters. If a user no longer needs access to the encrypted data, the keys must be changed.
11. Formal Audits
Organizations will be subject to formal security audits to ensure that they are complying with the CJIS security standards. The audits will be carried out at least once every three years, by either the CJIS Audit Unit (CAU) or the CJIS Systems Agency (CSA).
12. Personnel Security
Any employees, contractors and vendors, that will have access to CJI, must be subject to a rigorous screening process, which includes checking fingerprints against the Integrated Automated Fingerprint Identification System (IAFIS).
13. Mobile Devices
Organizations must establish an “acceptable use policy” relating to the way mobiles devices are used, including the websites they can access, and the applications they can install. The policy should cover any laptop, smartphone or tablet that has access to CJI. Such devices will be held to the same security standards as on-premise devices, although a number of additional security measures may be required. For example, the user will be required to ensure that their device is password protected. They may be required to install Mobile Device Management (MDM) software, remote wiping software, and use a device locator service (to help find the device if it is lost or stolen). If employees are using their device on an unsecured public Wi-Fi network, they may be forced to use a Virtual Private Network (VPN), to ensure that all data transmissions are encrypted.
Many of these tasks can be greatly simplified by using the right set of tools. For example, a sophisticated Data Security Platform will provide the means by which to monitor permission changes, suspicious file and folder activity, anomalous failed login attempts, privileged mailbox access, unauthorized password modifications, and a lot more.
All changes will be presented via single dashboard, which will include a detailed history of all events concerning CJI. Additionally, most solutions provide a set of pre-defined reports, which are customized to meet the CJIS reporting requirements of a wide range of data privacy standards, including those laid out by the CJIS.
If you would like to see how Lepide can help you align with CJIS compliance, schedule a demo with one of our engineers today.