Lepide Blog: A Guide to IT Security, Compliance and IT Operations

13 CJIS Compliance Requirements (Criminal Justice Information Services)


CJIS compliance is an important factor in keeping sensitive criminal justice data protected and secure from threats. The Criminal Justice Information Services (CJIS) is the largest division of the United States Federal Bureau of Investigation (FBI), and is comprised of several departments, including the National Crime Information Center (NCIC), Integrated Automated Fingerprint Identification System (IAFIS) and the National Instant Criminal Background Check System (NICS).

CJIS provides law enforcement agencies across the United States with a centralized source of criminal justice information (CJI), which can be used to assist them in carrying out background checks and investigations, as well as analyzing crime-related statistics.

Securing CJI, and ensuring that the data is accessible to the relevant law enforcement agencies, is crucial to their ability to fight crime and so keep US citizens safe. As data breaches became more prevalent and security threats continued to evolve at a rapid pace, the CJIS was prompted to develop a set of security standards with which relevant organizations must comply.

According to the CJIS Security Policy 2018, there are 13 policy areas with which organizations must be acquainted in order to satisfy the CJIS compliance requirements:

1. Information Exchange Agreements

Before sharing criminal justice information (CJI) with another agency, organizations must first make sure that they have established a formal agreement with them to ensure that they are complying with CJIS security standards. The agreements should include an assessment of the policy areas mentioned in this article.

2. Security Awareness Training

Employees who have access to CJI must be trained to comply with the CJIS compliance security standards within the first six months of assignment, and training should be carried out annually.

3. Incident Response

Organizations must have an Incident Response Plan (IRP) in place to ensure that they are able to identify, contain, eradicate and recover from a security incident in a timely manner. Any data breaches must be reported to the Justice Department.

4. Auditing and Accountability

Organizations must monitor all access to CJI, including who is accessing it, and when. They will also need information about why a user is accessing the data, to help them determine the legitimacy of the user’s actions. Organizations should keep a historical archive of all events involving CJI, to assist them in conducting a forensic analysis, were a security incident to unfold. Administrators should monitor access to files, folders and privileged mailbox accounts, login attempts, permission changes, password modifications, and so on.

5. Access Control

Organizations will need to implement Role-Based Access Control (RBAC), with roles that take into account job type, location, IP address and time restrictions, in order to meet CJIS compliance standards.
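The following is an added example, not code from the Lepide post: a deny-by-default access decision that combines the role with the job-type, location, source-address and time-of-day restrictions the section lists. The role names, networks, facilities and working hours are constructed for the demonstration.

```python
# Added example (not from the Lepide post): deny-by-default access check that
# layers location, source-network and time-window restrictions on top of the
# role. Role names, networks, facilities and hours below are constructed.
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress


@dataclass(frozen=True)
class Role:
    name: str
    resources: frozenset   # CJI resources this role may use
    locations: frozenset   # facilities from which the role may work
    networks: tuple        # permitted source networks (ip_network objects)
    start: time            # permitted window start, inclusive
    end: time              # permitted window end, exclusive


def in_window(t: time, start: time, end: time) -> bool:
    """True when t lies in [start, end); the window may cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def ip_permitted(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def access_decision(role_name, resource, location, ip, when: datetime, roles):
    """Return (allowed, reason). Every restriction must pass; anything else denies."""
    role = roles.get(role_name)
    if role is None:
        return False, "unknown role"
    if resource not in role.resources:
        return False, "resource not assigned to role"
    if location not in role.locations:
        return False, "location not permitted for role"
    if not ip_permitted(ip, role.networks):
        return False, "source address outside permitted networks"
    if not in_window(when.time(), role.start, role.end):
        return False, "outside permitted hours"
    return True, "allowed"


# Constructed roles for the demonstration
ROLES = {
    "records_clerk": Role(
        name="records_clerk",
        resources=frozenset({"ncic_query"}),
        locations=frozenset({"HQ"}),
        networks=(ipaddress.ip_network("10.20.0.0/16"),),
        start=time(7, 0), end=time(19, 0),
    ),
    "night_dispatcher": Role(
        name="night_dispatcher",
        resources=frozenset({"ncic_query", "warrant_lookup"}),
        locations=frozenset({"HQ", "Dispatch"}),
        networks=(ipaddress.ip_network("10.20.0.0/16"),
                  ipaddress.ip_network("10.30.1.0/24")),
        start=time(18, 0), end=time(6, 0),   # overnight shift, crosses midnight
    ),
}

if __name__ == "__main__":
    print(access_decision("records_clerk", "ncic_query", "HQ", "10.20.5.4",
                          datetime(2024, 3, 1, 10, 0), ROLES))
    print(access_decision("records_clerk", "ncic_query", "HQ", "10.20.5.4",
                          datetime(2024, 3, 1, 22, 0), ROLES))
```

Each restriction is evaluated independently and the first failure is reported, which gives the audit trail a precise reason for every denial rather than a bare "access denied".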

6. Identification and Authentication

To access CJIS data, users are required to comply with the CJIS authentication standards, which compel agencies to use multi-factor authentication (MFA). MFA relies on two or more “factors” to authenticate the user. These factors include: something the user knows, something the user has, and something the user is (e.g. biometric data). The CJIS stipulates that a maximum of 5 unsuccessful login attempts are allowed per user, after which their credentials will need to be reset. Additionally, passwords will need to be reset periodically.
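As an added example covering both the auditing requirements in policy area 4 and the failed-login limit just described (this is not code from the Lepide post or its product), here is detection logic run over a small, constructed audit trail. It reports who accessed CJI and when, flags accesses recorded without a reason, lists permission and password changes for review, and finds users whose run of consecutive failed logins exceeds the maximum of 5 the text quotes. The log format and every user, host and case number are constructed.

```python
# Added example (not from the Lepide post): review logic over a constructed
# audit trail. Field layout and all names/values below are made up for the demo.
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 5  # the text: a maximum of 5 unsuccessful attempts per user

# Constructed log lines: timestamp|user|action|target|detail
SAMPLE_LOG = """\
2024-03-01T08:02:11|jsmith|LOGIN_OK|workstation-12|
2024-03-01T08:05:40|jsmith|CJI_READ|ncic_record_4471|case=24-0091
2024-03-01T08:09:03|jsmith|CJI_READ|ncic_record_4480|
2024-03-01T08:15:22|mlee|LOGIN_FAIL|workstation-07|bad password
2024-03-01T08:15:31|mlee|LOGIN_FAIL|workstation-07|bad password
2024-03-01T08:15:44|mlee|LOGIN_FAIL|workstation-07|bad password
2024-03-01T08:15:59|mlee|LOGIN_FAIL|workstation-07|bad password
2024-03-01T08:16:10|mlee|LOGIN_FAIL|workstation-07|bad password
2024-03-01T08:16:25|mlee|LOGIN_FAIL|workstation-07|bad password
2024-03-01T08:30:00|admin2|PERM_CHANGE|/shares/cji/archive|grant Modify to rdoe
2024-03-01T08:31:12|admin2|PASSWORD_CHANGE|svc_backup|reset by admin2
2024-03-01T09:00:05|rdoe|LOGIN_FAIL|workstation-03|bad password
2024-03-01T09:00:20|rdoe|LOGIN_OK|workstation-03|
2024-03-01T09:02:00|rdoe|CJI_READ|/shares/cji/archive/2019.zip|case=24-0102
"""


def parse_audit_log(text):
    """Split pipe-delimited lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target, detail = line.split("|", 4)
        events.append({"ts": ts, "user": user, "action": action,
                       "target": target, "detail": detail})
    return events


def cji_access_report(events):
    """Who accessed CJI, when, what they touched and the reason they recorded."""
    return [(e["ts"], e["user"], e["target"], e["detail"])
            for e in events if e["action"] == "CJI_READ"]


def unjustified_cji_access(events):
    """CJI reads with no recorded reason; the 'why' is needed to judge legitimacy."""
    return [(e["ts"], e["user"], e["target"])
            for e in events
            if e["action"] == "CJI_READ" and not e["detail"].strip()]


def lockout_candidates(events, max_attempts=MAX_FAILED_ATTEMPTS):
    """Users whose consecutive failures exceeded the allowed maximum.

    A successful login resets the run, so a single failure followed by a
    success (rdoe in the sample) is not flagged. Returns {user: failures}.
    """
    streak = defaultdict(int)
    flagged = {}
    for e in events:
        if e["action"] == "LOGIN_FAIL":
            streak[e["user"]] += 1
            if streak[e["user"]] > max_attempts:
                flagged[e["user"]] = streak[e["user"]]
        elif e["action"] == "LOGIN_OK":
            streak[e["user"]] = 0
    return flagged


def privileged_changes(events):
    """Permission and password changes on CJI systems, for reviewer attention."""
    return [(e["ts"], e["user"], e["action"], e["target"], e["detail"])
            for e in events if e["action"] in ("PERM_CHANGE", "PASSWORD_CHANGE")]


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_LOG)
    print("lockout candidates:", lockout_candidates(evts))
    print("unjustified access:", unjustified_cji_access(evts))
    for row in privileged_changes(evts):
        print("privileged change:", row)
```

Keeping the raw events and deriving the reports from them, rather than storing only the reports, is what lets the same archive answer forensic questions later, which is the point the auditing section makes about retaining a historical record.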

7. Configuration Management

The CJIS security standards stipulate that only authorized users are allowed to make configuration changes to systems that store CJI, which includes performing software updates, and adding/removing hardware. Both the procedures for making such changes, along with any changes that are made, must be clearly documented, and shielded from unauthorized access.

8 & 9. Media & Physical Protection

Organizations that store CJI must have policies and procedures in place to ensure that all forms of media are protected, and disposed of securely when they are no longer in use. Server rooms should be secured using locks, alarms, cameras, etc.

10. Systems and Communications Protection and Information Integrity

This policy area relates to the overall security of an organization’s network. Organizations handling CJI must have the necessary safeguards in place to ensure that all systems and communication protocols are protected from unauthorized access. They will need to implement perimeter security solutions such as anti-virus software, firewalls and Intrusion Prevention Systems (IPS). They will need to use techniques such as application blacklisting/whitelisting, and ensure that all CJI is encrypted, both at rest and in transit. The CJIS also sets out certain standards relating to the way data is encrypted. For example, organizations must use a minimum of 128 bit encryption, and the decryption keys must be at least 10 characters long, with a mix of upper and lowercase letters, numbers and special characters. If a user no longer needs access to the encrypted data, the keys must be changed.
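As an added example, not code from the Lepide post, the check below turns the two encryption rules quoted above into something a deployment can enforce: a passphrase validator for the 10-character, mixed-character-class rule, and a PBKDF2-HMAC-SHA256 key derivation that refuses any key shorter than 128 bits or any passphrase failing the rule. The salt handling and iteration count are assumptions; the post does not specify a key-derivation method.

```python
# Added example (not from the Lepide post): enforce the quoted passphrase rule
# (>= 10 chars; upper, lower, digit, special) and a >= 128-bit key length.
# PBKDF2 parameters and the salt handling are assumptions, not from the post.
import hashlib
import string

MIN_PASSPHRASE_LEN = 10
MIN_KEY_BITS = 128


def passphrase_problems(passphrase: str) -> list:
    """Return the rules a passphrase fails; an empty list means it passes."""
    problems = []
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        problems.append(f"shorter than {MIN_PASSPHRASE_LEN} characters")
    if not any(c.isupper() for c in passphrase):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in passphrase):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no digit")
    if not any(c in string.punctuation for c in passphrase):
        problems.append("no special character")
    return problems


def derive_key(passphrase: str, salt: bytes, bits: int = 256,
               iterations: int = 600_000) -> bytes:
    """Derive a data-encryption key with PBKDF2-HMAC-SHA256.

    Rejects key sizes below the 128-bit minimum and passphrases that fail the
    complexity rule, so a weak configuration cannot silently produce a key.
    A fresh random salt must be used per key (os.urandom(16) in practice).
    """
    if bits < MIN_KEY_BITS or bits % 8:
        raise ValueError(f"key must be at least {MIN_KEY_BITS} bits, in whole bytes")
    problems = passphrase_problems(passphrase)
    if problems:
        raise ValueError("passphrase rejected: " + "; ".join(problems))
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=bits // 8)


def key_bits(key: bytes) -> int:
    return len(key) * 8


if __name__ == "__main__":
    print(passphrase_problems("password"))
    k = derive_key("Tr0ub4dor&3xtra", b"constructed-salt-16b", bits=256)
    print(key_bits(k), k.hex()[:16] + "...")
```

Re-keying when a user loses access (the last rule in the paragraph) means deriving a new key from a new passphrase and salt and re-encrypting the data under it; rotating only the salt while keeping a passphrase a departed user knows does not revoke anything.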

11. Formal Audits

Organizations will be subject to formal security audits to ensure that they are complying with the CJIS security standards. The audits will be carried out at least once every three years, by either the CJIS Audit Unit (CAU) or the CJIS Systems Agency (CSA).

12. Personnel Security

Any employees, contractors and vendors, that will have access to CJI, must be subject to a rigorous screening process, which includes checking fingerprints against the Integrated Automated Fingerprint Identification System (IAFIS).

13. Mobile Devices

Organizations must establish an “acceptable use policy” relating to the way mobile devices are used, including the websites they can access and the applications they can install. The policy should cover any laptop, smartphone or tablet that has access to CJI. Such devices will be held to the same security standards as on-premises devices, although a number of additional security measures may be required. For example, the user will be required to ensure that their device is password protected. They may be required to install Mobile Device Management (MDM) software and remote wiping software, and to use a device locator service (to help find the device if it is lost or stolen). If employees are using their device on an unsecured public Wi-Fi network, they may be required to use a Virtual Private Network (VPN) to ensure that all data transmissions are encrypted.

Many of these tasks can be greatly simplified by using the right set of tools. For example, a sophisticated Data Security Platform will provide the means by which to monitor permission changes, suspicious file and folder activity, anomalous failed login attempts, privileged mailbox access, unauthorized password modifications, and a lot more.

All changes will be presented via a single dashboard, which will include a detailed history of all events concerning CJI. Additionally, most solutions provide a set of pre-defined reports, customized to meet the reporting requirements of a wide range of data privacy standards, including those laid out by the CJIS.

If you would like to see how Lepide can help you align with CJIS compliance, schedule a demo with one of our engineers today.