New CJIS Requirements: What You Need to Know (2024)

In a recent Compass IT Compliance blog, we delved into the fundamentals of the Criminal Justice Information Services (CJIS) Security Policy (CSP), its applicability, and the criticality of CJIS Compliance, terminology, and the thirteen policy areas applicable at the time of that writing. Since then, the landscape of data security, particularly in CJIS compliance, has evolved significantly. In December 2023, the FBI introduced an updated version (5.9.4) of the CSP, augmenting thirteen policy areas with six new ones and refining language across the board. While certain new requirements will not face audits or sanctions until October 1, 2024, organizations must prepare to meet these evolving compliance standards. Additionally, anticipation surrounds the forthcoming release of Version 6.0 of the CSP.

Recapitulation

To recap, the FBI CJIS CSP delineates security standards applicable to entities accessing or supporting FBI CJIS Division services and information. Encompassing a spectrum of activities related to Criminal Justice Information (CJI), the CSP mandates minimum security requirements for handling CJI, spanning creation, viewing, modification, transmission, dissemination, storage, and destruction. Every entity, whether a contractor, private entity, noncriminal justice agency, or member of a criminal justice entity, accessing or supporting criminal justice services and information falls under the purview of this policy.

Defining Criminal Justice Information

CJI encompasses a broad array of data types, including biometric, identity history, personal, organizational, property, and case/incident history data. This comprises data provided by the FBI's CJIS Division essential for civil agencies' mission execution, such as data utilized in hiring decisions. CJI warrants safeguarding until it is either publicly disclosed through authorized channels like crime reports or disposed of according to relevant record retention regulations. The CSP outlines requisite security measures to manage and uphold CJI integrity.

Distinguishing Criminal Data from PII

Discerning between personally identifiable information (PII) and CJI is pivotal. CJI is crime-associated data accompanied by PII; strip out the PII and the same data becomes criminal statistics, which fall outside the scope of the CJIS Security Policy.

Audits and Compliance

Formal audits of CJIS subscribers occur every three years, complemented by annual agency self-reports. Acknowledging organizational disparities, audits employ a "risk vs realism" paradigm, encouraging the identification of lacking requirements as risks with corresponding remediation plans. While no official "CJIS Certification" exists, Compass IT Compliance offers CJIS Readiness assistance, identifying improvement opportunities and devising action plans.

Noncompliance Ramifications

Noncompliance with the CSP carries severe penalties, including criminal charges, denial of FBI database/CJIS system access, fines, formal disciplinary action, and suspension or revocation of CJI access.

Illustrative Cases of Misuse

Instances of unauthorized CJIS data access or misuse underscore the gravity of safeguarding sensitive information. High-profile cases elucidate the risks, emphasizing the imperative for robust security measures and accountability frameworks.

While specific instances of unauthorized access or misuse of CJIS data may not always be readily available due to the sensitive nature of the information involved, there have been notable cases where breaches or misconduct have occurred:

Year | Location | Type of Misconduct | Details
--- | --- | --- | ---
2015 | Virginia Department of Motor Vehicles | Employee Misuse | Employee was convicted of accessing the state's driver's license database without authorization. The employee used the database to conduct background checks on individuals for non-work-related reasons.
2016 | Louisiana Sheriffs | Improper Access by Family Members | A Sheriff’s deputy was terminated and charged with malfeasance for allowing his wife to access the CJIS database without authorization. The deputy's wife used his credentials to conduct unauthorized searches on individuals, including her family members.
2017 | Florida | Unauthorized Access by Law Enforcement Personnel | A former Florida police officer was sentenced to probation after pleading guilty to accessing a law enforcement database for personal use. The officer used the database to conduct background checks on individuals, including her boyfriend's ex-girlfriend, without proper authorization.
2018 | Washington State | Data Theft by Contractors | A former Washington State Patrol contractor was charged with theft and computer trespass for stealing sensitive information, including CJIS data, from the agency's database. The contractor allegedly downloaded and copied thousands of files containing criminal history records.
2018 | Florida | Misuse of Database | A former Florida Department of Law Enforcement crime analyst accessed the CJIS database to conduct unauthorized searches on individuals, including celebrities and local officials, out of curiosity.
2019 | Minnesota Department of Public Safety | Data Breach | A data breach involving the unauthorized access of CJIS data affected approximately 1,500 individuals, exposing personal information stored in the state's driver's license database.
2019 | Georgia | Misuse by Government Employees | A former Georgia court clerk was indicted for accessing and disseminating criminal records for personal gain. The clerk allegedly accessed the CJIS database to provide confidential information to a third party for a fee.
2020 | Washington State | Data Breach | Washington State Patrol disclosed that a former employee had accessed and downloaded confidential CJIS data without authorization. The breach affected thousands of individuals.

These cases illustrate the potential risks associated with unauthorized access and misuse of CJIS data by individuals within law enforcement agencies or other organizations with access to CJI. They underscore the importance of robust security measures, strict access controls, oversight, and accountability measures to prevent the improper use of CJIS data and safeguard individuals' privacy rights. Law enforcement agencies and organizations must continuously educate their personnel about properly using sensitive information and enforce consequences for violations.

The Basics

Each state or territory has a CJIS Systems Agency (CSA). A CSA is a criminal justice agency that oversees the administration and usage of the CJIS Division programs within a state, district, territory, or country. As more law enforcement and other organizations migrate to cloud technology and rely on third parties as service providers, the obligation to be CJIS compliant extends to many businesses beyond the criminal and law enforcement sectors.

As data security evolves, so do CJIS compliance standards. Organizations must familiarize themselves with existing and new requirements. The following are some basic controls that CJIS organizations should be aware of and adhere to:

Control | Description
--- | ---
Agreements | Used at each CSA and/or local agency, such as Interchange Agreements, Memorandums of Understanding (MOU), and CJIS Security Addendums.
Audit Trails | Implement and retain audit trails for access to CJI.
Authorized Personnel List | Identify and maintain listings of those authorized to access, handle, or destroy CJI.
Awareness Training | Implement Awareness Training and maintain training records. Materials and training records must be completed prior to CJI access and every year thereafter.
Encryption | Employ full-device encryption to protect the confidentiality and integrity of information on full and limited-feature operating system mobile devices authorized to process, store, or transmit CJI.
Incident Response | Procedures to facilitate the implementation of the incident response policy, addressing the incident response lifecycle.
Multi-factor Authentication (MFA) | The FBI requires all organizations that access CJI to implement MFA on all systems that contain CJI, effective as of October 1, 2024. MFA is required whenever the device is used to access CJI (whether from a corporate environment or a personal device).
Network Diagram | Identifies all networks and information systems used to store, access, process, or transmit CJI for criminal and non-criminal justice purposes. Additionally, the network diagram must document encrypted segments and the level to which they are encrypted. The diagram must include the agency’s name, the date it was created/updated, and a “For Official Use Only” marking.
Personnel Sanctions | Employ a formal sanctions process for personnel failing to comply with established information security policies and procedures.
Physical and Environmental Controls | Implement a formal disciplinary process for the misuse of CJI systems or data.
Policies and Procedures | Implement, document, and maintain a CSP addressing the 19 policy areas.
Terminal Agency Coordinator (TAC) / Local Agency Security Officer (LASO) | The TAC serves as the point of contact at the local agency for matters relating to CJIS information access. The LASO is the primary information security contact between a local law enforcement agency and the CSA, under which this agency interfaces with the FBI CJIS Division. The LASO oversees compliance with the more technical areas such as information system audit logs, system access controls, remote access, and media protection, as well as the use of firewalls, prompt installation of newly released software security patches, and spam, virus, and spyware protections.
Understand the location of CJI | CJI must remain within the physical boundaries of the US, US territories, Indian Tribes, and Canada.

What are the Four Levels of CJIS Security Compliance?

To cater to different law enforcement agencies’ unique needs, CJIS Awareness Training is stratified into four levels, each with specific requirements. These levels are formulated to accommodate varying data types and corresponding security necessities. Thorough training at all levels protects CJI data and builds an organizational cybersecurity awareness culture.

Additionally, all individuals who have unescorted access (e.g., vendors, support personnel, custodians) to the CJIS system, either physically or electronically, are required to take CJIS security training.

Level | Title | Description
--- | --- | ---
1 | Basic Training | Primarily intended for individuals needing rudimentary security training, focusing on the significance of security measures and adherence to CJIS policies. Examples: personnel entering the secured area, such as maintenance and admin assistants.
2 | Awareness Training | Tailored for those with physical access to CJI, instructing on data access and handling protocols. Examples: personnel handling paper – records clerks, filing clerks.
3 | Additional Awareness Training | Designed for authorized personnel who can alter or manage CJI, emphasizing responsibilities and security protocols. Examples: personnel running transactions on computers – dispatchers, officers.
4 | Advanced Awareness Training | Geared towards IT personnel and administrators responsible for overseeing the technical infrastructure supporting CJI systems, with education on system security, data integrity protection, and incident response. Examples: personnel working on networks and computers – internal/city/government IT staff.

Enforcement Mechanisms

The FBI CJIS Division is authorized to conduct audits once every three years as a minimum. The audit scope encompasses policies, practices, data security, and physical/technical safeguards to assess agency compliance with applicable statutes, regulations, and policies.

Summary of Policy Areas

CSP v.5.9.4 encompasses nineteen policy areas, catering to diverse CJIS usage scenarios, from information exchange agreements to risk assessment protocols. Not every consumer of FBI CJIS services will encounter all the policy areas; therefore, the circumstances of applicability are based on individual agency/entity configurations and usage.

Policy areas 14 through 19 are the six requirements new in CSP v.5.9.4:

Policy Area | Title | Description
--- | --- | ---
1 | Information Exchange Agreements | Organizations sharing CJI with another organization or agency must establish a formal agreement to comply with CJIS security standards. A Management Control Agreement (MCA) is required if the agency is supported by city or county services (non-law enforcement) for IT, Consolidated Dispatch, Forensic Services, etc. A Security Addendum is required for agencies supported through third-party vendors or contractors when unescorted access or remote access is made available to CJI; it legally binds the vendor to the requirements of the CSP.
2 | Awareness & Training | All employees with access to CJI and those who can access, view, store, or process such information must have basic CJIS security awareness training upon hire or initial assignment and annually thereafter. The CSP describes four levels of training in more detail.
3 | Incident Response | Incident Response plans must be in place detailing the capabilities to identify, contain, mitigate, respond to, and recover from a data breach or attack.
4 | Auditing and Accountability | Generate audit records of all systems for defined events, including monitoring all access to CJI. Monitoring should consider who is accessing CJI, when they are accessing it, and why the user is accessing that data. Administrators should monitor access.
5 | Access Control | Controls to secure and manage users’ access to information and systems within the network.
6 | Identification and Authentication | Implement authentication standards to access sensitive data, including multi-factor authentication (MFA).
7 | Configuration Management | Manage configuration changes such as software updates and adding or removing hardware. All procedures must be documented and protected from unauthorized access during configuration changes.
8 | Media Protection | Ensure the protection of CJI stored on all forms of media and the safe disposal of CJI when it is no longer in use.
9 | Physical and Environmental Protection | All physical locations of CJIS must have physical and personnel security controls to protect the CJI data (e.g., cameras, alarms, etc.). Environmental controls (such as proper HVAC levels) support the availability of systems and system components required to support organizational mission and business functions.
10 | System & Communications Protection | Implement network security and related components such as network segmentation, firewalls, anti-virus software, encryption, and intrusion prevention systems (IPS).
11 | Formal Audits | All organizations with users that store, process, transmit, or view CJI will be subject to occasional, formal security audits by the FBI CJIS Division to ensure all CJIS security measures are followed.
12 | Personnel Security | Conduct security screenings for all employees, contractors, and vendors accessing CJI. Screenings include state-of-residence and national fingerprint-based record checks and an NLETS query (NLETS is the International Justice and Public Safety Network; NLETS inquiries provide state systems' criminal histories, driver’s licenses, and motor vehicle registrations).
13 | Mobile Devices | All mobile devices, including smartphones, laptops, or tablets with access to CJI, must adhere to an acceptable use policy and may be subject to additional security policies, including the pre-existing security measures for on-premises devices.
14 | Systems & Services Acquisition | Support the integrity of systems with updated software patches, firmware updates, replacement parts, and maintenance contracts.
15 | System & Information Integrity | Monitor systems to detect attacks and indicators of potential attacks. Employ integrity verification tools to detect unauthorized changes to software, firmware, and information systems that contain or process CJI.
16 | Maintenance | Schedule, document, and review records of maintenance, repair, and replacement. Approve and monitor all maintenance activities, whether performed onsite or remotely.
17 | Planning | Plan and coordinate for emergency and non-emergency situations. Develop and implement security and privacy plans that describe how the controls and control enhancements meet the security and privacy requirements. Plans should include rules of expected behavior for use of all systems, including social media.
18 | Contingency Planning | Develop, document, implement, and periodically test a contingency plan. The contingency plan should identify essential missions, business functions, and associated contingency requirements.
19 | Risk Assessment | Categorize the systems containing CJI and the information stored, processed, or transmitted. Identify threats and vulnerabilities to the system(s). Perform vulnerability scanning and monitoring.

Closing Remarks

In an era marked by heightened cyber threats, CJIS compliance assumes paramount importance. Aligning with CSP best practices is not merely about compliance. Rather, it is about ingraining security within organizational DNA. As cyber threats proliferate, securing access to criminal justice data is foundational to preserving public safety and fortifying our cybersecurity posture.

Need professional advice on CJIS compliance? Compass IT Compliance is your go-to source. Our experts are adept at strengthening security measures and guaranteeing compliance with various industry standards and regulations. We recognize the distinct hurdles your entity might encounter and provide personalized assistance to suit your particular requirements. Committed to your compliance path, Compass IT Compliance is here to help you tackle the intricacies of CJIS compliance, turning obstacles into chances for advancement and improved security. Reach out now to discover how we can support your journey towards CJIS compliance!


FAQs

What are the CJIS requirements for 2024?

The FBI CJIS Security Policy mandates that agencies, including state and local governments, implement multi-factor authentication (MFA) for all personnel accessing Criminal Justice Information (CJI) by October 1st, 2024.

What are the new CJIS rules?

The FBI requires all organizations that access CJI to implement Multi-factor Authentication (MFA) on all systems that contain CJI. This is effective as of October 1, 2024. Required whenever the device is used to access CJI (whether from a corporate environment or a personal device).

What are the requirements for CJIS compliance?

  • A limit of 5 unsuccessful login attempts by a user accessing CJIS.
  • Event logging of various login activities, including password changes.
  • Weekly audit reviews.
  • Active account management moderation.
  • Session lock after 30 minutes of inactivity.

How many questions is the CJIS test?

This instruction will conclude with personnel taking a 25-question test. Users must pass the test with a score of ____% or greater. Users will receive reminders from FCIC about their certification expiring beginning ____ days prior to their expiration date.

What are the requirements for CJIS advanced authentication?

Advanced authentication (AA) would comprise at least two of the following factors: 1) something you know; 2) something you are; and 3) something you have. Something you know would be a password or PIN. Something you are would be a fingerprint, retina scan, or hand geometry.

What is CJIS Level 4 certification?

Level 4: Advanced Security Training

Geared towards IT personnel and administrators responsible for overseeing the technical infrastructure supporting CJI systems, with education on system security, data integrity protection, and incident response.

What is 5.1.1.4 of the CJIS security policy?

5.1.1.4 – Interagency and Management Control Agreements

A NCJA (government) designated to perform criminal justice functions for a CJA shall be eligible for access to the CJI. Access shall be permitted when such designation is authorized pursuant to executive order, statute, regulation, or inter-agency agreement.

What are the password requirements for CJIS?

Passwords shall be a minimum of twenty characters in length with no additional complexity requirements imposed (e.g., ASCII characters, emojis, all keyboard characters, and spaces will be acceptable).
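The thresholds quoted in the FAQ list above (5 failed logins, weekly audit reviews, 30-minute session lock, logged password changes), the two-category rule for advanced authentication, and the twenty-character password minimum can be checked mechanically. The following is an added example, not code from the original post or from Compass IT Compliance; the configuration key names, credential names, and the two sample configurations are assumed for illustration, while the threshold values come from the page.

```python
# Thresholds stated on the page: 5 failed logins, 30-minute session lock,
# 20-character minimum password with no composition rules, weekly audit
# review, logging of password changes, and two-factor authentication.
CJIS_BASELINE = {
    "max_failed_logins": 5,
    "session_lock_minutes": 30,
    "min_password_length": 20,
    "audit_review_days": 7,
}

# Factor category for each credential type. The three categories are the
# page's; the credential names are assumed for illustration.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know",
    "fingerprint": "are", "retina": "are", "hand_geometry": "are",
    "hardware_token": "have", "smart_card": "have",
}


def is_multifactor(factors):
    """True only when the factors span two distinct categories: a password
    plus a PIN is two 'know' factors and does not count as MFA."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def check_auth_policy(cfg):
    """Return one finding per setting weaker than the baseline. A missing
    key is reported rather than silently treated as compliant."""
    findings = []

    def setting(key):
        if key not in cfg:
            findings.append(f"{key}: not set")
        return cfg.get(key)

    v = setting("max_failed_logins")
    if v is not None and v > CJIS_BASELINE["max_failed_logins"]:
        findings.append(f"max_failed_logins: {v} exceeds 5")
    v = setting("session_lock_minutes")
    if v is not None and v > CJIS_BASELINE["session_lock_minutes"]:
        findings.append(f"session_lock_minutes: {v} exceeds 30")
    v = setting("min_password_length")
    if v is not None and v < CJIS_BASELINE["min_password_length"]:
        findings.append(f"min_password_length: {v} is below 20")
    v = setting("audit_review_days")
    if v is not None and v > CJIS_BASELINE["audit_review_days"]:
        findings.append(f"audit_review_days: {v} is less often than weekly")
    if setting("log_password_changes") is False:
        findings.append("log_password_changes: password changes are not logged")
    v = setting("auth_factors")
    if v is not None and not is_multifactor(v):
        findings.append(f"auth_factors: {sorted(v)} cover one factor category")
    return findings


# Constructed sample configurations: a weak legacy setting next to one
# that meets every threshold quoted on the page.
WEAK_CONFIG = {
    "max_failed_logins": 10, "session_lock_minutes": 60,
    "min_password_length": 8, "audit_review_days": 30,
    "log_password_changes": False, "auth_factors": ["password", "pin"],
}
COMPLIANT_CONFIG = {
    "max_failed_logins": 5, "session_lock_minutes": 30,
    "min_password_length": 20, "audit_review_days": 7,
    "log_password_changes": True, "auth_factors": ["password", "smart_card"],
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        findings = check_auth_policy(cfg)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Note that a password plus a PIN fails the factor check even though both are credentials, because both are "something you know"; the check requires two different categories, as the FAQ answer states.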

What are the examples of CJIS data?

CJI includes biometric, identity history, person, organization, property and case/incident history data. It also includes FBI's CJIS-provided data necessary for civil agencies to perform their mission, including data used to make hiring decisions.

How often is CJIS audited?

CAU audits all CSAs and repositories every three years. Resources permitting, the unit may conduct special audits upon request. The unit also selects local agencies at random, taking into account an agency's past performance, along with how long and how frequently the agency has been using CJIS services.

What is the CJIS security addendum?

All private contractors who process CUI must sign the CJIS Security Addendum. The CJIS Security Addendum is a uniform agreement approved by the US Attorney General that helps to ensure the security and confidentiality of CJI required by the Security Policy.

What is the difference between CJIS and NCIC?

The National Crime Information Center (NCIC) is a database that contains information on criminals and criminal activity. The CJIS system is a set of databases that includes the NCIC, along with other databases containing information on fingerprints, wanted persons, missing persons, and stolen property.

What is CJIS testing?

CJIS certification is a requirement for organizations that access or use criminal justice information. The certification is administered by the FBI and is designed to ensure that organizations have the necessary security measures in place to protect CJI.

How often is CJIS training required?

After the initial training, the training must be completed every two years to remain compliant. The FBI CJIS Security Policy also requires that all training records must be kept current and be maintained by the State, Federal, or Local Agency Officer.

What is required for all automated criminal history systems?

Automated Criminal History System (ACHS)

Additional requirements for access to this data: a fingerprint background check, a curriculum vitae for the principal investigator, and IRB approval.

What are the screening requirements for personnel with access to CJI?

CJI personnel screening requires biometric and criminal history checks to maintain data integrity and ensure personnel are of good moral character. For personnel with access to Criminal Justice Information (CJI), screening requirements must include biometric and criminal history record checks.
