We’ve covered several areas regarding data privacy and security. These discussions have included private security frameworks, government-enforced regulations, and guidelines shoring up IT security for federal and national defense agencies and contractors.
Another area of security and data privacy is law enforcement. It’s perhaps unsurprising that law enforcement and other national security agencies handle private information, and the rules and regulations around protecting that information are of paramount concern.
Here, we’ll discuss the FBI’s Criminal Justice Information Services division and its compliance requirements.
What Is the Criminal Justice Information Services (CJIS)?
Established in 1992, CJIS is the FBI’s largest division. It is tasked with serving as a tech hub for the law enforcement agency, much like the National Institute of Standards and Technology is for the federal government writ large.
Not only does CJIS supply guidelines for data security to law enforcement agencies, but it also procures, tests, and develops cutting-edge digital tools to help in that mission.
According to the “Criminal Justice Information Services (CJIS) Security Policy,” the core document of CJIS compliance, the entire premise of CJIS is to “provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit.”
It’s essential to understand what Criminal Justice Information, or CJI, is:
- Biographic Data: Information associated with individuals with a unique case, and not necessarily connected to identity.
- Case or Incident History: The criminal history of an individual.
- Property Data: Information about vehicles, property, and other owned items connected with a crime and personally identifiable information (PII).
- Biometric Data: Data derived from inherent physical traits for purposes of identification.
- Identity History Data: Textual data that corresponds with biometric data to provide a criminal or civil history.
Protecting information across its lifecycle is a typical mission for a security framework in any industry or public service sector. However, as this document notes, there is an ever-expanding reliance of local and state authorities on FBI information databases to locate or track criminals for the public good. It’s therefore critical that controls and practices are in place to protect this information, no matter the person or the crime.
Accordingly, CJIS is not a required standard that these local or state authorities adopt but rather a required minimum. They may adopt measures that extend CJIS standards or a standalone security system for their locality–so long as it satisfies, at a minimum, CJIS requirements.
What Are the CJIS Policy Areas?
CJIS compliance is built around 13 policy areas that structure the practices expected of law enforcement. These policy areas aren’t built on specific technology pipelines. Rather, much like other frameworks such as SOC 2 or HIPAA, the goal is to provide a technology-agnostic system that sets a minimum standard that individual agencies can meet as they can.
The 13 policy areas in CJIS are:
Policy Area 1: Information Exchange Agreements
Information shared through communication must be protected. Before the exchange, agencies shall specify security measures through mutual agreements covering personnel, encryption, access, etc. All information will be protected from unauthorized disclosure with proper handling requirements. All state and federal agencies interacting with CJIS databases will have written and signed agreements with the FBI confirming their conformity with CJIS statutes.
Policy Area 2: Security Awareness Training
Agencies must enact security awareness training within six months of their initial compliance assignment and then update those policies once every two years at a minimum. This training is based on established CJIS baselines:
- Level 1: Covers topics such as training around expected behaviors when handling CJI, knowledge of penalties around non-compliance, actions around incident response, and security around physical spaces.
- Level 2: On top of Level 1 topics, Level 2 will cover media protection, protection and destruction of physical records, proper marking and handling of CJI, prevention of social engineering, and more.
- Level 3: Includes Levels 1 and 2, plus knowledge of roles within a system, proper password usage and management, antivirus and malware protection, secure web usage, proper email usage, securing handheld devices, using encryption, using personal equipment, and more.
- Level 4: On top of Levels 1, 2, and 3, includes protection against advanced threats, access control measures, network protection, data backup and storage, and others.
Policy Area 3: Incident Response
When disaster or security threats strike, this policy area calls for agencies to have plans in place to respond. This area includes reporting security events, managing incident handling, investigating and mitigating issues related to the incident, and training around incident response.
Policy Area 4: Auditing and Accountability
It’s critical that agencies can demonstrate compliance, both from the perspective of the organization and its employees. This area calls for IT auditing systems to track system and user events in IT infrastructure. This includes immutable records with time stamps and backup controls to store documents for a minimum of one year.
Policy Area 5: Access Control
All IT systems must have controls that govern authorized access to system resources. This area includes strict role-based access control, account management, access enforcement, and the enactment of least privilege access.
Policy Area 6: Identification and Authentication
Simply put, this area covers how the system securely manages user identities, authenticates against those user identities, and secures identity information against hacks or theft. This area can include minimum password standards, use of PINs, multifactor authentication (MFA), or one-time passwords (OTPs).
Policy Area 7: Configuration Management
An agency must have plans and procedures to manage system updates, upgrades, or component replacements. This area includes isolation of components to minimum functionality, management of network hardware topologies, and proper plans around security system updates.
Policy Area 8: Media Protection
All storage media, no matter the type, must have specific physical and digital security measures to protect that data. This includes encryption, hardware security, and physical media (paperwork, images). This area also covers the sanitization and disposal of hard drives that contain CJI, including demagnetization and overwriting.
Policy Area 9: Physical Protection
On top of protecting physical media, agencies must protect locations where CJI is handled and stored. This includes perimeters around offices, locks and cameras around storage areas and data servers, logging of any entrance or exit of the premises, and other controls around private access points.
Policy Area 10: System and Communication Protection and Information Integrity
In short, the protection of data as it is stored and transmitted. Controls here include encryption (for data both at rest and in transit), firewalls, access controls around network access points, and other network security measures. These controls also apply to cloud computing, VoIP, and other forms of data transmission.
Policy Area 11: Formal Audits
All agencies must perform formal audits on their infrastructure and organization to ensure compliance. This includes any criminal justice agency (CJA) or noncriminal justice agency (NCJA) with access to state or federal systems containing CJI.
Policy Area 12: Personnel Security
Agencies are required to identify any user accessing or working on their system, including personnel screening procedures, background checks, and others. Additionally, the agency must include security policies around transferring and terminating employees to control or restrict system access.
Policy Area 13: Mobile Devices
Agencies using mobile devices for official purposes must use secure technologies, including 802.11 wireless protocols, secured Wi-Fi access points, and mobile device management.
Manage Your CJIS Compliance with Lazarus Alliance
CJIS compliance, like any other, requires regular vigilance and continuous management. CJIS standards aren’t tied to specific technologies but rather to a set of minimal services and an expectation around risk management and context-specific security controls. You can find such management, expert support, and technical infrastructure with Lazarus Alliance.