CJIS compliance requirements and the 13 security policy areas

If you have any involvement with government entities and operations, chances are you’ve heard of CJIS compliance. It’s the largest division of the FBI and the primary source of information and services for all law enforcement, national security, and intelligence community partners. And, most importantly to us at Imprivata, it’s what keeps government agencies safe from suspicious cyber activity and digital threats. CJIS released a Security Policy that outlines 13 policy areas all government agencies should follow to stay compliant and protected from hackers with malintent. Let’s take a deeper look at what CJIS is, the role it plays within government cybersecurity, and how the 13 CJIS Security Policy areas help maintain compliance within government institutions.

What is CJIS compliance?

CJIS compliance is an important compliance standard for law enforcement at the local, state, and federal levels, and is designed to ensure data security in law enforcement. The Criminal Justice Information Services Division is the largest division of the Federal Bureau of Investigation. CJIS provides a centralized source of criminal justice data to agencies and authorized third parties throughout the United States. It encompasses several key departments, including the National Crime Information Center (NCIC), the National Instant Criminal Background Check System (NICS), and the Integrated Automated Fingerprint Identification System (IAFIS). Government entities that access or manage sensitive information from the US Justice Department need to ensure that their processes and systems comply with CJIS policies for wireless networking, data encryption, and remote access, especially since phishing, malware, and hacked VPNs or credentials are the most common attack vectors used to hack into government networks. The CJIS compliance requirements help proactively defend against these attack methods and protect national security (and citizens) from cyber threats.  Because of this, CJIS compliance is one of the most comprehensive and stringent cybersecurity standards. Failure to comply with it can result in denial of access to any FBI database or CJIS system, along with fines and even criminal charges. Knowing the various policy areas and how to best approach them is the first step to making sure your government entity is adhering to the CJIS Security Policy guidelines. 

The FBI CJIS security policy

To protect criminal justice information, the FBI created the CJIS Security Policy document - a hefty 230-page read - that defines implementation requirements and standards for the following 13 security policy areas:

  1. Information exchange agreements

    The CJIS Security Policy includes procedures for how the information is handled and what should be in user agreements. Companies and agencies that use criminal justice information must include specific processes and parameters in their information exchange agreements, including:
    • Audits
    • Logging
    • Quality assurance
    • Pre-employment screening
    • Security
    • Timeliness
    • Training
    • Use of systems
  2. Security awareness training

    Anyone with access to criminal justice information must undergo security awareness training within six months of receiving the information. The training must be repeated every two years to meet CJIS compliance standards. Individual training and topics covered are based on the access and interaction the individual has to the criminal justice data.
  3. Incident response

    To meet CJIS compliance, all breaches and major incidents need to be reported to the Justice Department. Companies and agencies must establish procedures for detection, analysis, containment, recovery, and user responses for all breaches and incidents.
  4. Auditing and accountability

    The following events must be audited:
    • Login attempts
    • Assessments, creation, or changing/editing of permissions on user accounts, files, directories, and other system resources
    • Attempts to modify passwords
    • Actions by privileged accounts
    • Attempts to access, modify, or destroy history/log files
  5. Access control

    Users who have access to criminal justice information and the types/levels of access must be identified, monitored, and tracked.Least privileged access should be enforced when necessary to reduce risk to the information. Access control criteria should be given on a need-to-know/need-to-share basis and provided based on job, location, network address, and/or time restrictions.
  6. Identification and authentication

    Each person who is authorized to use CJIS must have unique identification and a standard authentication method such as a password, token or PIN, biometrics, or another type of multi-factor authentication.
  7. Configuration management

    Whether planned or unplanned, changes and updates to the information system platform, architecture, hardware, software, and procedures must be documented. That documentation must be protected from unauthorized access.
  8. Media protection

    You must have policies and procedures documented for how digital and physical media will be securely stored, accessed, transported, and destroyed.
  9. Physical protection

    Physical media (documents or digital media storage devices) needs to be handled securely. Access to physical media needs to be limited and monitored.
  10. Systems and communications protection and information integrity

    Applications, services, and information systems must ensure data security and system and network integrity. This includes defining and enforcing where and how information can travel within and between systems.
  11. Formal audits

    The FBI and other agencies may conduct formal audits to ensure CJIS compliance.
  12. Personnel security

    Anyone that will have access to unencrypted CJIS data must go through detailed security screening during hiring, termination, transfer, and other employees or third-party vendor lifecycle events.
  13. Mobile devices

    The FBI CJIS security policy outlines considerations and requirements for managing systems and network access via smartphones, tablets, and other mobile devices. This includes using wireless security protocols such as WEP and WPA, device certificates, etc.

The CJIS compliance audit

The CJIS Audit Unit (CAU) conducts government audits every three years to ensure CJIS compliance is being met in government institutions and agencies. The CAU will select a sample of agencies to review as a reflection of how compliance is followed and regulated within local jurisdictions. The CJIS auditor will physically visit the government entity or agency, conduct an interview on current processes, perform a data review, and tour the facility. Sounds like an easy afternoon at the office, right? The truth is, it can be! Though the CJIS compliance audit can seem intimidating at first, there is some good news for governments: The CAU provides documentation outlining the discussion points of the CJIS audit and the reports that will be requested, so you can prepare in advance for everything an auditor will request. Another silver lining is that resources like the Imprivata Seven considerations for achieving CJIS compliance whitepaper are available for download, so you can determine if your network is CJIS compliant and will meet compliance requirements from the CAU.  CJIS compliance requirements protect national security while preserving the civil liberties of individuals and businesses and protecting private and sensitive information. It’s an important part of securing government institutions and making sure they don’t become victims of cybercriminals who are looking to exploit criminal justice information for ransom or to cause societal damage.