The CJIS Security Policy, FBI Databases, and Communication
November 29, 2021 | 5 minutes read
The Criminal Justice Information Services Security Policy, or CJIS for short, is a security management policy administered by the Federal Bureau of Investigation (FBI) that contains “information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI)”. The purpose of the CJIS Security Policy is to protect the full lifecycle of Criminal Justice Information (CJI), whether this information is at rest or in transit. To this end, the CJIS Security Policy also “provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI”.
What is CJIS Network compliance and why is it important?
CJIS is a division of the FBI that oversees and operates a number of different law enforcement databases. Law enforcement agencies around the country depend on the information that is collected and contained within these databases to perform their daily functions. Some of the databases contained within CJIS include the following:
- The National Crime Information Center (NCIC): The NCIC contains information relating to various law enforcement-related functions, including information concerning missing persons and the apprehension of fugitives.
- National Data Exchange (N-DEx): N-DEx is a system “which provides agencies with an online tool for sharing, searching, linking, and analyzing information across jurisdictional boundaries”.
- The National Instant Criminal Background Check System (NICS) and the Next Generation Identification (NGI): The NICS and NGI are database systems that contain a “repository of biometric and criminal history information”.
Because the information contained within the CJIS databases is so pivotal to the operations and functions of so many law enforcement agencies around the country, the CJIS Security Policy is a means by which the FBI can ensure that this information is protected and safeguarded at all times. To this end, the CJIS Security Policy “contains thirteen separate policy and technical requirements covering numerous topics”. Some of the policy topics include policy and contractual requirements, as well as security awareness training, among others. Some of the technical topics include the “deployment of encryption to protect data in transit”, as well as the establishment of user access controls for the purpose of restricting users.
What are the compliance requirements for the CJIS Security Policy?
The thirteen requirements for CJIS Security Policy compliance are as follows:
- Information Exchange Agreements: Organizations must establish formal agreements with one another before sharing CJI.
- Security Awareness Training: “Employees who have access to CJI must be trained to comply with the CJIS security standards within the first six months of assignment, and training should be carried out annually”.
- Incident Response: Organizations are responsible for developing an Incident Response Plan (IRP) for the purposes of identifying, containing, eradicating, and recovering from security incidents in a timely fashion. Moreover, any data breaches or related security incidents must be reported to the Justice Department.
- Auditing and Accountability: “Organizations must monitor all access to CJI, including who is accessing it, and when. They will also need information about why a user is accessing the data, to help them determine the legitimacy of the user’s actions”.
- Access Control: Organizations are responsible for implementing Role-Based Access Control (RBAC), including “roles such as job type, location, IP address, and time restrictions”.
- Identification and Authentication: “To access CJIS data, users are required to comply with the CJIS authentication standards, which compels agencies to use multi-factor authentication (MFA). MFA relies on two or more “factors” to authenticate the user”.
- Configuration Management: “The CJIS security standards stipulate that only authorized users are allowed to make configuration changes to systems that store CJI, which includes performing software updates, and adding/removing hardware”.
- Media & Physical Protection: Organizations that make use of CJIS data must develop policies and procedures that ensure “that all forms of media are protected and disposed of securely when they are no longer in use”. This principle comprises two different requirements: media protection and physical protection.
- Systems and Communication Protection and Information Integrity: “This policy area relates to the overall security of an organization’s network. Organizations handling CJIS must have the necessary safeguards in place to ensure that all systems and communication protocols are protected from authorized access”.
- Formal Audits: Organizations that utilize CJIS data will be subject to formal security audits that are designed to ensure that said organizations are maintaining compliance with all CJIS security standards.
- Personnel Security: “Any employees, contractors and vendors, that will have access to CJI, must be subject to a rigorous screening process, which includes checking fingerprints against the Integrated Automated Fingerprint Identification System (IAFIS)”.
- Mobile Devices: “Organizations must establish an “acceptable use policy” relating to the way mobile devices are used, including the websites they can access, and the applications they can install”.
As the sharing of information has been pivotal to the development of civilizations throughout human history, databases such as the CJIS represent the technological equivalent of the various information networks that have been used in the past. As such, CJIS network compliance is a means by which the FBI can ensure that all CJIS data accessed by law enforcement agencies and related organizations is protected from unauthorized use or harm at all times. By following the thirteen requirements stated above, law enforcement agencies can ensure that they do not violate the confidentiality and integrity of CJIS data when performing their various functions and duties.