Another area of security and data privacy is law enforcement. Unsurprisingly, law enforcement and other national security agencies handle large amounts of private information, so the rules and regulations for protecting that information are of paramount concern.
Here, we’ll discuss the FBI’s Criminal Justice Information Services division and its compliance requirements.
What Is the Criminal Justice Information Services (CJIS)?
Established in 1992, CJIS is the FBI’s largest division. It is tasked with being a tech hub for the law enforcement agency, much like the National Institute of Standards and Technology is for the federal government.
CJIS supplies data security guidelines to law enforcement agencies, procures tests, and develops cutting-edge digital tools to help them in that mission.
According to the “Criminal Justice Information Services (CJIS) Security Policy,” the core document of CJIS compliance, the entire premise of CJIS is to “provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit.”
It’s essential to understand that CJIS serves several functions:
- Centralized Criminal Justice Database: CJIS manages a comprehensive, centralized database with criminal justice information. Law enforcement agencies across the United States use this database to share and access critical information.
- Overseeing National Crime Information Center (NCIC): CJIS manages the NCIC, one of the primary databases containing records of wanted persons, stolen property, missing persons, and other criminal justice information.
- Administering National Instant Criminal Background Check System (NICS): CJIS administers NICS, which performs background checks on individuals purchasing firearms from licensed dealers.
- Supporting the Uniform Crime Reporting (UCR): The UCR program collects and compiles crime statistics from law enforcement agencies nationwide, providing valuable data on crime trends and patterns.
- Supporting Integrated Automated Fingerprint Identification System (IAFIS): This system allows for the electronic processing and storage of fingerprint records, enabling quick and accurate identification of individuals.
- Defining Best Security Policies: CJIS establishes and enforces security policies and standards to protect the sensitive information in its databases. These policies ensure that only authorized personnel have access to the information and that it is used appropriately.
- Providing Training and Support: CJIS provides training, technical assistance, and support to law enforcement agencies to help them effectively use the systems and resources available.
That mission is typical of security frameworks in any industry or public-service sector. However, as the CJIS Security Policy notes, local and state authorities increasingly rely on FBI databases to locate or track criminals for the public good, so it is critical that controls and practices are in place to protect this information, no matter the person or the crime.
Accordingly, CJIS is not a standard that local or state authorities must adopt verbatim, but rather a required minimum. They may adopt measures that extend the CJIS standards, or a standalone security program for their locality, so long as it satisfies CJIS requirements at a minimum.
Changes to CJIS Requirements in 2024
Over the years, new requirements have been added to CJIS access policies. Some prominent changes were introduced in December 2023 as part of version 5.9.4. These changes include:
- The addition of six new Policy Areas: Systems and Services Acquisition, System and Information Integrity, Maintenance, Planning, Contingency Planning, and Risk Assessment.
- A new requirement that any agency accessing CJI must implement Multi-Factor Authentication by October 1, 2024.
What Are the CJIS Policy Areas?
CJIS compliance is built around 19 policy areas that structure the practices expected of law enforcement. These policy areas are not tied to specific technologies. Rather, much like SOC 2 or HIPAA, their goal is to provide a technology-agnostic minimum standard that individual agencies can meet with the means available to them.
The 19 policy areas in CJIS are:
Policy Area 1: Information Exchange Agreements
Information exchanged between agencies must be protected. Before the exchange, agencies shall specify security measures through mutual agreements covering personnel, encryption, access, etc. All information will be protected from unauthorized disclosure with proper handling requirements. All state and federal agencies interacting with CJIS databases will have written and signed agreements with the FBI confirming their conformity with CJIS requirements.
Policy Area 2: Security Awareness Training
Agencies must deliver security awareness training within six months of personnel’s initial assignment and then update that training once every two years. The training is structured around four CJIS-defined levels:
- Level 1: Covers topics such as expected behaviors when handling CJI, knowledge of penalties for non-compliance, incident response actions, and security of physical spaces.
- Level 2: On top of Level 1 topics, Level 2 will cover media protection, protection and destruction of physical records, proper marking and handling of CJI, prevention of social engineering, and more.
- Level 3: Includes Levels 1 and 2, plus knowledge of roles within a system, proper password usage and management, antivirus and malware protection, secure web usage, proper email usage, securing handheld devices, using encryption, using personal equipment, and more.
- Level 4: On top of Levels 1, 2, and 3, includes protection against advanced threats, access control measures, network protection, data backup and storage, and others.
Policy Area 3: Incident Response
When disaster or security threats strike, this policy area requires agencies to have plans to respond. This includes reporting security events, managing incident handling, investigating and mitigating issues related to the incident, and training around incident response.
Policy Area 4: Auditing and Accountability
It’s critical that agencies can demonstrate compliance from the organization’s perspective and that of its employees. This area calls for IT auditing systems to track system and user events in IT infrastructure. This includes immutable, time-stamped records and backup controls that retain those records for at least one year.
Policy Area 5: Access Control
All IT systems must have controls that restrict access to system resources to authorized users. This area includes strict role-based access control, account management, access enforcement, and the enactment of least privilege access.
Policy Area 6: Identification and Authentication
Simply put, this area covers how the system securely manages user identities, authenticates against those identities, and secures identity information against compromise or theft. It can include minimum password standards, use of PINs, multifactor authentication (MFA), or one-time passwords (OTPs).
Policy Area 7: Configuration Management
An agency must have plans and procedures to manage system updates, upgrades, or component replacements. This area includes restricting components to least functionality, managing network hardware topologies, and proper security update plans.
Policy Area 8: Media Protection
All storage media, no matter the type, must have specific physical and digital security measures to protect the data they hold. This includes encryption, hardware security, and physical media (paperwork, images). This area also includes the sanitization and disposal of hard drives containing CJI, including demagnetization and overwriting.
Policy Area 9: Physical Protection
In addition to protecting physical media, agencies must protect locations where CJI is handled and stored. This includes perimeters around offices, locks and cameras around storage areas and data servers, logging of any entrance or exit of the premises, and other controls around private access points.
Additionally, any individual with “unescorted access” either physically or digitally must have some minimum level of privacy training:
- Basic Training: A ground-level overview of CJIS security requirements.
- Awareness Training: Specific for people with physical access to information, like on-site clerks and secretaries.
- Additional Awareness Training: Designed for those who can alter information, like dispatchers and officers.
- Advanced Awareness Training: This is for people handling critical infrastructure within the CJI system.
Policy Area 10: System and Communication Protection and Information Integrity
In short, this area covers protecting data both while stored and while transmitted. Controls here include encryption (for data both at rest and in transit), firewalls, access controls around network access points, and other network security measures. These controls also apply to cloud computing, VoIP, and other forms of data transmission.
Policy Area 11: Formal Audits
All agencies must perform formal audits on their infrastructure and organization to ensure compliance. This includes any criminal justice agency (CJA) or noncriminal justice agency (NCJA) with access to state or federal systems containing CJI.
Policy Area 12: Personnel Security
Agencies must vet any user accessing or working on their systems, including personnel screening procedures, background checks, etc. Additionally, the agency must have security policies for transferring and terminating employees so that system access is adjusted or revoked accordingly.
Policy Area 13: Mobile Devices
Agencies using mobile devices for official purposes must use secured technologies, including 802.11 wireless security protocols, secured Wi-Fi access points, and mobile device management.
Policy Area 14: System and Services Acquisition
Organizations must have processes to protect the system’s integrity, including automatic software and firmware patch and update management.
Policy Area 15: System and Information Integrity
Agencies should continuously monitor systems to detect vulnerabilities or attacks, software changes, or changes to stored data.
Policy Area 16: Maintenance
Agencies accessing CJI or storing associated data must schedule, document, and record maintenance or equipment replacement. These maintenance events must have approval regardless of where they occur.
Policy Area 17: Planning
An agency should have plans to address emergency and non-emergency situations, including attacks, vulnerabilities, or updates. These plans must adhere to all CJIS privacy requirements.
Policy Area 18: Contingency Planning
Agencies must have a well-documented and tested contingency plan that spans the organization and addresses all defined IT missions, operational functions, or other requirements.
Policy Area 19: Risk Assessment
Any system containing CJI or related information should have a clearly defined risk management profile that identifies potential threats, vulnerabilities, and the system’s value or sensitivity.
Manage Your CJIS Compliance with Lazarus Alliance
CJIS compliance, like any other, requires regular vigilance and continuous management. You can find such management, expert support, and technical infrastructure with Lazarus Alliance.
To learn more, contact us.