The Ultimate Guide to
Criminal Justice Information Services(CJIS) Security Policy
What Criminal Justice Information Services (CJIS) Security Policy?
CJIS is the largest division of the FBI and the main source of information and services for all law enforcement, national security, and intelligence community partners. CJIS released a Security Policy that provides a minimum set of security requirements all government agencies and private entities handling Criminal Justice Information (CJI) need to meet in order to protect Criminal Justice Information from hackers and bad actors.
FBI’s Criminal Justice Information Service (CJIS) is a massive database of criminal justice information upon which law enforcement, intelligence, and civil agencies rely to perform their duties. The importance of the CJIS doesn’t end there–in fact, the civil liberties we enjoy as citizens, as well as our national security, can depend on the safeguarding of this primary source of information and services for all law enforcement, national security, and intelligence community partners.
Securing criminal justice information (CJI) is understandably a top Justice Department priority today, resulting in creating the strict CJIS Security Policy. This robust 230-page document draws on many sources–integrating material from presidential directives, federal laws, FBI directives, and the criminal justice community’s Advisory Policy Board (APB) decisions, along with nationally recognized guidance from the National Institute of Standards and Technology (NIST) and the National Crime Prevention and Privacy Compact Council.
The CJIS Security Policy establishes minimum security requirements for all entities handling CJI. Compliance with these security requirements is mandatory for all government agencies, criminal justice agencies, or private entities, including cloud service providers who hold, process, or transmit CJI. Even secondary actors or contractors supporting government entities or criminal justice agencies fall under the compliance umbrella–an example being a county IT department that processes data for law enforcement.
Key Things to Know About the CJIS Security Policy
1. The CJIS Security Policy Applies to “Criminal Justice Information”
The CJIS Security Policy provides appropriate controls to protect the full life cycle of Criminal Justice Information (CJI) and provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI.
Criminal Justice Information, or CJI, is the term used to refer to all of the FBI CJIS-provided data necessary for law enforcement and civil agencies to perform their missions, including, but not limited to:
Examples of systems that contain CJI include:
Criminal History Record Information (CHRI), sometimes informally referred to as “restricted data”, is a subset of CJI. Due to its comparatively sensitive nature, additional controls are required for the access, use and dissemination of CHRI. These additional controls are outlined in the CJIS Security Policy and in Title 28, Part 20, Code of Federal Regulations (CFR).
2. CJIS Security Policy Applies to Private Corporations Too
Compliance with the CJIS Security Policy isn’t just mandatory for government agencies; in fact, every cloud service provider that processes CJI must meet security requirements and controls laid out in the CJIS Security policy and sign a Security Addendum (more on this below).
In fact, CJIS Security Policy applies to every individual — contractor, private entity, noncriminal justice agency representative, or member of a criminal justice identity — with access to, or who operate in support of, criminal justice services and information.
The CJIS Security Policy applies whether you’re working with a criminal justice agency (e.g., police department) or a non-criminal justice agency (e.g., county IT department running criminal justice systems for a police department).
3. CJIS Security Policy Outlines 13 Areas that Private Contractors Must Evaluate
The CJIS Security Policy defines 13 areas that organizations selling products to government agencies must evaluate to determine if their service can be consistent with CJIS requirements. These areas correspond closely to NIST SP 800-53, which is also the basis for the Federal Risk and Authorization Management Program (FedRAMP).
The 13 areas are as follows: Information exchange agreements; security awareness training; incident response; audit and accountability; access control; identity and authentication; configuration management; media protection; physical protection over physical media; systems and communication protection and information integrity; formal audits; personal security; mobile devices.
4. All private contractors who process CUI must sign the CJIS Security Addendum.
The CJIS Security Addendum is a uniform agreement approved by the US Attorney General that helps to ensure the security and confidentiality of CJI required by the Security Policy. It also commits the contractor to maintaining a security program consistent with federal laws, regulations, and standards and limits the use of CJI to the purposes for which a government agency provided it.
The CJIS Security Addendum needs to detail how your organization’s security controls help protect the full lifecycle of data and ensure appropriate background screening of team members with access to CJI. State law enforcement authorities responsible for compliance with CJIS Security Policy will review the Security Addendum as part of their compliance verification process. Here’s the full Security Addendum for your reference.
CJIS Security Policy Areas of Evaluation
CJIS Security Policy compliance is based on 13 well-defined areas of evaluation which include:
1. Information exchange agreements
This section discusses the required practices concerning the handling and processing of CJI, including the “processes and parameters” to be included in information exchange agreements. These agreements must cover the following: Audits, Dissemination, Hit confirmation, Logging, Quality assurance, Pre-employment screening, Security, Timelines, Training, Systems usage, and Validation.
2. Security awareness training
This section introduces the four levels of security awareness training and LASO training. Training covers the individual responsibilities and expected behavior for those users with authorized access to CJI and is based on the nature of contact with CJI. Training must be received within 6 months of accessing CJI and repeated every two years.
3. Incident response
This section discusses the procedures all entities must institute to detect, analyze, contain, respond to, and recover from security incidents. It also mandates reporting all breaches and significant incidents to the Justice Department.
4. Auditing and accountability
This section outlines the auditing and monitoring controls necessary to increase the probability of authorized users adhering to the proper procedures in handling CJI. The following listed actions mandate audits: login attempts, changes to user account permissions, files, or directories, attempted changes to access controls, modifying or destroying history log files, and actions initiated through privileged accounts.
5. Access control
This section covers how authorized users and their level of access must be identified and monitored. The default standard of “least privileged access” prevails to reduce risk. Access will be provided on a “need to know basis” relating to job, network address, location, or time restrictions. This section also covers the lockout procedure (after 30 minutes of inactivity) and controls required for remote access.
6. Identification and authentication
The guidelines for identifying and validating users are discussed in depth throughout this section. Everyone authorized to access CJI must present unique identification based on multi-factor authentication principles, including passwords, PINS, biometrics, and advanced authentication methods.
7. Configuration management
This section explains the requirements concerning the documentation of all software, hardware, architecture, and system platform changes. Also, the need to protect configuration management from unauthorized access threats is discussed in this section.
8. Media protection
This section covers the documented policies and practices required for storing, accessing, transporting, and destroying digital and physical media.
9. Physical protection
This section covers the requirements and restrictions for accessing physical media, including media storage devices. All physical protection policies are defined to ensure a physically secure environment for all CJI, software, hardware, and media devices.
10. Systems and communications protection
This section sets the policy and procedural requirements to establish data security and network integrity by addressing how and where information can travel across systems, services, and applications. Security control practices such as patch management, encryption, and virtualization are discussed.
11. Formal audits
The need and case for conducting FBI-led triennial compliance audits are addressed in this section.
12. Personnel security
The critical area of personnel security is addressed in this section–the main takeaway is the need for anyone with access to unencrypted CJI data to undergo screening during hiring, transfer, termination, or 3rd-party lifecycle events.
13. Mobile devices
Last on the list, but not in importance, this section addresses the requirements for managing system access through mobile devices like smartphones and tablets. Wireless security protocols like Wired Equivalent Privacy (WEP) and Wi-fi Protected Access (WPA) are referenced.
How important is staying compliant with the CJIS Security Policy for any government or private entity?
In a word: extremely. CJIS Security Policy compliance requirements are some of the most comprehensive and stringent of any regulatory framework today due to the serious nature of protecting citizen’s rights and the potential national security impact. Those entities–government or civilian–failing to stay compliant stand to lose all access to the CJIS network as well as face possible fines and criminal charges.
The CJIS Compliance Audit
The CJIS Audit Unit (CAU) conducts government audits every three years to ensure CJIS compliance is maintained by government agencies–including all local, state, tribal, and federal agencies. Audits are beneficial for numerous reasons–they ensure the integrity and security of all system data, verify everyone in the user community is upholding a minimum standard of network safety, and raise the bar for law enforcement and public safety.
The audit process typically starts with the auditor reviewing CJI policies, procedures, practices, and data. Next, the auditor will choose local agencies as standard examples of compliance. By this time, your CSO should receive outlines of audit discussion points and lists of requested reports, leaving no excuse for lack of preparation. The auditor will then conduct an on-site interview to collect information on current policies and procedures and a data quality review. The auditor will complete the on-site phase with a facility tour to confirm the existence of all necessary physical security controls.
Finally, the audit will conclude with preparing a report that includes improvement recommendations to be presented to appropriate governing bodies like the Compliance Evaluation Subcommittee or Council’s Sanctions Committee. The CAU will then follow up to track the suggested improvements to completion, ensuring the highest degree of CJIS data protection across the organization.
The Importance of Knowing Your Security Program In Detail
Although private entities will not be audited by the CAU, they must also be truthful and diligent in maintaining CJIS compliance. CJIS enforcement happens at the state level, and most states have their own CJIS authorities. To provide your product or service to a state agency, the state-level CJIS authority will ask your company to sign the CJIS Security Addendum, a document which (1) details how your organization’s security controls help protect the full lifecycle of data and (2) signals your commitment to maintaining an effective security program and limiting the use of CJI to the purposes for which a government agency provided it.
Keeping track of all security controls (including how they work, who’s responsible for them, and how to test them) and collecting evidence of controls’ operating effectiveness can be incredibly tedious when you use homegrown systems and makeshift tools (e.g., Excel spreadsheets, ticketing systems, etc.). When controls aren’t well documented, the risk of not catching control deficiencies is quite high, and so is the risk of falling out of compliance with your contractual obligations with customers.
You can prevent control failures and maintain compliance much more efficiently by using a compliance software platform such as Hyperproof to organize and orchestrate all of your compliance work. Want more help? Get the ultimate guide to compliance operations.
CJIS: Frequently Asked Questions
Hyperproof for CJIS Compliance
See how Hyperproof can help you implement and maintain security controls that are compliant with the CJIS Security Policy as well as other applicable standards, regulatory frameworks, and statutes such as NIST SP 800-53, FedRAMP, ISO 27000 series, and more. Stay secure and compliant 24/7, 365 days a year.
Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations get CJIS ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.