Understanding The Criminal Justice Information Services – CJIS

Upcoming Changes to CJIS requirements

The Criminal Justice Information Services (CJIS) is a division of the Federal Bureau of Investigation (FBI) responsible for providing a wide range of information services to support law enforcement agencies at the local, state, federal, and international levels. CJIS oversees the management and security of criminal justice information, including sensitive data such as criminal histories, fingerprints, and other biometric information.

CJIS compliance is an important compliance standard for law enforcement at the local, state, and federal levels, and is designed to ensure data security in law enforcement. Government entities that access or manage sensitive information from the US Justice Department need to ensure that their processes and systems comply with CJIS policies for wireless networking, data encryption, and remote access. The CJIS compliance requirements help proactively defend against attacks.

CJIS compliance is one of the most comprehensive and stringent cybersecurity standards. Failure to comply with it can result in denial of access to any FBI database or CJIS system, along with fines and even criminal charges. Knowing the various policy areas and how to best approach them is the first step to making sure your government entity is adhering to the CJIS Security Policy guidelines.

CJIS periodically updates its policies and requirements to adapt to evolving technologies, emerging threats, and the changing landscape of law enforcement. These updates are designed to enhance the security and integrity of the criminal justice information system and ensure the confidentiality of sensitive data. This article examines the components of CJIS and a few of the latest changes to these policies and requirements.

What are the 4 primary focus areas of CJIS requirements?

In general, CJIS requirements have focused on the following areas:

1. Security – CJIS has stringent security requirements to protect the confidentiality, integrity, and availability of criminal justice information. These requirements cover areas such as access controls, encryption, auditing, incident response, and physical security measures.
2. Authentication – CJIS requires strong authentication mechanisms to verify the identities of individuals accessing criminal justice information systems. This typically involves multi factor authentication (MFA) or two-factor authentication (2FA) to ensure that only authorized personnel can access sensitive data.
3. Training and Awareness – CJIS emphasizes the importance of training and awareness programs to educate personnel about security best practices, handling of sensitive data, and the potential risks associated with unauthorized access or disclosure of information.
4. Auditing and Compliance – CJIS mandates regular audits and assessments to ensure compliance with its security requirements. Law enforcement agencies must demonstrate their adherence to CJIS policies through audits conducted by authorized entities.

As technology advances and new cybersecurity threats emerge, CJIS will continue to evolve its requirements to address these challenges. It is important for law enforcement agencies and personnel to stay updated on the latest CJIS policies and implement necessary measures to maintain compliance and protect the integrity of criminal justice information. To obtain the most current and accurate information about upcoming changes to CJIS requirements, it is recommended to visit the official CJIS website or consult with the relevant authorities within the law enforcement community.

What upcoming changes are taking place for CJIS Security?

Organizations are going to do some mass requirement date expiration changes.  All CJIS Security Awareness training will be required annually and will be sanctionable starting October 1, 2023. The training addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. It is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. The updates include procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls. It designates organizational personnel with information security awareness and training responsibilities to manage the development, documentation, and dissemination of the awareness and training policy and procedures.

The policy indicates that the Security Awareness Training will:

• Provide literacy training on recognizing and reporting potential indicators of insider threat.
• Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.
• Provide role-based security and privacy training to personnel with the following roles and responsibilities: all individuals with unescorted access to a physically secure location, general users, and privileged users.

Additionally, the latest policy is now requiring that IT firmware be verified for integrity and monitored for unauthorized changes. Firmware is the software embedded in hardware devices, including laptops, servers, routers, and storage devices, that controls how they operate. Failure to comply with it can lead to denial of access to information in the CJIS system, as well as monetary fines.

Guidance related to media protection, personnel screening, identity and access management, awareness and training, and system and information integrity has been updated and is now more closely related to NIST 800-53 controls. The NIST Cybersecurity Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.

What are the general areas covered by the CJIS Security policy?

The CJIS Security Policy, often referred to as CJIS SECPOL, outlines the security requirements and guidelines that must be followed by law enforcement agencies and organizations accessing and handling criminal justice information. These requirements are designed to protect the integrity, confidentiality, and availability of sensitive data within the criminal justice system.

1. Information Security Management – The CJIS Security Policy defines the roles and responsibilities of personnel involved in managing and protecting criminal justice information. It outlines the need for effective information security management practices, including risk assessments, security planning, and incident response procedures.
2. Personnel Security – This section focuses on personnel screening, background checks, and the need to ensure that only authorized individuals have access to criminal justice information. It provides guidance on the appropriate level of security clearance for personnel based on their roles and responsibilities.
3. Access Control – The CJIS Security Policy specifies access control requirements, including the need for unique user identification, strong authentication mechanisms, and least privilege principles. It emphasizes the importance of implementing access controls to prevent unauthorized access to sensitive information.
4. Audit and Accountability – This section outlines requirements for auditing and monitoring activities related to criminal justice information. It includes provisions for log management, audit trails, and the need for regular review of access logs to detect and respond to security incidents.
5. Physical Security – The CJIS Security Policy addresses the physical protection of systems and facilities that house criminal justice information. It covers aspects such as secure storage, environmental controls, visitor control, and media protection.
6. System and Communications Protection – This section focuses on the security measures required to protect information systems and networks. It covers areas such as encryption, firewalls, intrusion detection and prevention systems, malware protection, and secure remote access.
7. Incident Response – The CJIS Security Policy provides guidance on incident response planning, including reporting and handling security incidents involving criminal justice information. It emphasizes the need for timely response, containment, investigation, and recovery from security breaches.

These are general areas that the CJIS Security Policy addresses, but it’s important to note that the specific requirements and details may vary in different versions of the policy.

CABEM Technologies offers a new way to track CJIS compliance. The CABEM CJIS Manager guides, tracks, and reports compliance with an online experience that steps your employees and vendors through the process, provides real-time visibility, and keeps you prepared for audits on an ongoing basis.

Here’s how it works:

1. Configure your CJIS requirements. We set the default requirements for you, and it’s easy to edit to your needs.
2. Manage security addendums, fingerprints, background checks, and security awareness training records. It’s all structured to help your team understand exactly what they need to do. Use our system, and you’re implementing the program correctly.
3. Get real-time status—anytime, anywhere. Share reports that go beyond saying you are compliant. Now you can prove compliance by confirming physical records (like fingerprints) within the tool or exported in reports that you can submit to the state.

CJIS Manager Benefits

• Prevent possible sanctions due to non-compliance
• Easily track fingerprints with a submitted status to the FBI
• Quickly determine the status of a vendor employee’s access compliance
• Save time for CJIS administrators by automating information flow and eliminating the need for manual spreadsheets or paper-based systems
• Avoid any lapse in permissions with automatic reminders for renewal dates
• Pass audits with easy to use reporting
• Flexible enough to accommodate varying state to state requirements

Software should be able to do business the way you want to. CABEM has 21+ years of experience providing highly flexible business solutions across a wide array of industries including manufacturing, healthcare, education, and government. We can help you manage CJIS compliance the right way. Let us show you how, visit our website today.