For any organization, cybersecurity and data protection practices help safeguard financial stability and customer trust. For the criminal justice system, a data or infrastructure breach can be damaging to national security and the civil liberties of individuals and businesses. We must get this right.
The CJIS Security Policy (CSP) ensures the criminal justice system has a unique set of controls to manage these threats.
In this article, we’ll give an overview of CJIS compliance. We’ll share the most critical considerations for training, vetting vendors, proving compliance, and preparing for audits.
What is CJIS Compliance?
The policies and departments of CJIS were established in 1992 and make up the largest division of the FBI. The CJIS databases contain the necessary information for detaining criminals, performing background checks, and tracking criminal activity.
The CJIS Security Policy keeps professionals in criminal justice and law enforcement agencies at local, state, and federal levels in agreement with security standards for the use, transmission, storage, and processing of Criminal Justice Information (CJI). Compliance with the policy helps safeguard the integrity, confidentiality, and reliability of criminal justice systems.
Compliance requirements are created and updated regularly by the CJIS Advisory Policy Board (APB) with custodial oversight from the FBI.
Failure to comply can result in denial of access to any FBI database or system containing CJI data. Sanctions in the form of fines and criminal charges can result as well.
The 4 Critical Components of CJIS Compliance—Training, Vetting, Proving, Auditing
Any employee with access to CJI must be trained to comply with security awareness standards within the first six months of employment or contract start date—with annual renewal of the Security Awareness Training as a refresher. Security protocols should be standardized across the agency and any organization under its umbrella.
Some policy and procedure changes such as password strength will require brief explanations, while other protocols may require more extensive training. For a comprehensive list of training topics, download the CJIS Compliance Checklist.
It is crucial that agencies form partnerships with vendors that understand the requirements and policies of CJIS. It is the vendor’s products and services that can help agencies reach compliance.
The key to a successful agency compliance audit is founded in preparation. Policies, procedures, security, and data must be reviewed regularly. Files must be updated and kept organized. This way, when it comes time for an audit, you will be prepared with proof of compliance.
Auditing is an ongoing requirement of the CJIS Security Policy. Agency audits are federally mandated by the FBI, but the responsibility falls on each individual state to perform compliance audits of entities that use CJI data, including those entities' contracted vendors.
An audit will require proof of an entity’s compliance with specific requirements such as tracking data access, network authentication, and logging application activity at the user level. Login attempts, password changes, and other security procedures must be securely logged.
Most auditing requirements are mandated independently at the state and local levels. A state audit is required at least once every three years. The FBI and other agencies may conduct formal audits to ensure CJIS compliance with what is commonly referred to as the “Shall Statements” set forth in the CJIS Security Policy.
Agencies need to monitor all physical, logical, and virtual access to criminal justice information. This includes who is accessing it and when.
Data must also be kept about why a user is accessing the information. This helps determine the legitimacy of the user’s actions. A historical archive of all interactions with criminal justice information must be kept. Administrators should monitor access to files, folders, mailboxes, logins, password changes, and so on.
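The two paragraphs above describe what a user-level access archive has to capture: who, when, what, and why, plus logins and password changes, kept in a form an auditor can trust. The following is an added illustration, not code from the CJIS Security Policy or from CABEM. It assumes a simple JSON-lines record format and the action names used in it (read, write, delete, login_success, login_failure, password_change); both are assumptions for the example, and the log lines are constructed sample data. It checks that each record carries the required fields, answers "who touched this record and why", flags bursts of failed logins, and chains record digests so that a removed or altered entry is detectable.

```python
import hashlib
import json
from datetime import datetime

# Every record must say who did what and when. CJI data access must also
# say which record was touched and why (the "why" the policy text calls for).
BASE_FIELDS = ("timestamp", "user", "action")
CJI_ACCESS_ACTIONS = {"read", "write", "delete"}
CJI_ACCESS_FIELDS = ("resource", "justification")
ACCOUNT_ACTIONS = {"login_success", "login_failure", "password_change"}
KNOWN_ACTIONS = CJI_ACCESS_ACTIONS | ACCOUNT_ACTIONS

# Constructed sample log (JSON lines). Names, IPs and record ids are made up.
SAMPLE_LOG = """
{"timestamp": "2024-05-01T08:00:00Z", "user": "jdoe", "action": "login_success", "source_ip": "10.0.0.5"}
{"timestamp": "2024-05-01T08:01:10Z", "user": "jdoe", "action": "read", "resource": "cji/record/1001", "justification": "case 22-104"}
{"timestamp": "2024-05-01T08:02:00Z", "user": "msmith", "action": "read", "resource": "cji/record/1002"}
{"timestamp": "2024-05-01T08:03:00Z", "user": "rlee", "action": "login_failure", "source_ip": "10.0.0.9"}
{"timestamp": "2024-05-01T08:03:05Z", "user": "rlee", "action": "login_failure", "source_ip": "10.0.0.9"}
{"timestamp": "2024-05-01T08:03:11Z", "user": "rlee", "action": "login_failure", "source_ip": "10.0.0.9"}
{"timestamp": "2024-05-01T08:10:00Z", "user": "jdoe", "action": "password_change"}
{"timestamp": "2024-05-01T08:12:00Z", "user": "jdoe", "action": "export", "resource": "cji/record/1001", "justification": "case 22-104"}
{"timestamp": "2024-05-01T08:15:00Z", "user": "msmith", "action": "read", "resource": "cji/record/1001", "justification": "case 22-105"}
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; 'Z' is normalised for fromisoformat()."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_log(text):
    """Parse JSON lines and return (records, findings).

    A finding is (line_number, message) for a record that lacks a required
    field or uses an action name the schema does not recognise.
    """
    records, findings = [], []
    for n, line in enumerate(text.strip().splitlines(), start=1):
        rec = json.loads(line)
        missing = [f for f in BASE_FIELDS if not rec.get(f)]
        if rec.get("action") in CJI_ACCESS_ACTIONS:
            missing += [f for f in CJI_ACCESS_FIELDS if not rec.get(f)]
        if missing:
            findings.append((n, "missing " + ", ".join(missing)))
        if rec.get("action") not in KNOWN_ACTIONS:
            findings.append((n, f"unrecognized action {rec.get('action')!r}"))
        records.append(rec)
    return records, findings


def access_history(records, resource):
    """The historical archive view: everyone who touched a resource, and why."""
    return [
        {"timestamp": r["timestamp"], "user": r["user"],
         "action": r["action"], "justification": r.get("justification")}
        for r in records if r.get("resource") == resource
    ]


def failed_login_bursts(records, threshold=3, window_seconds=60):
    """Users with `threshold` or more failed logins inside `window_seconds`."""
    by_user = {}
    for r in records:
        if r["action"] == "login_failure":
            by_user.setdefault(r["user"], []).append(parse_ts(r["timestamp"]))
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        for i in range(threshold - 1, len(times)):
            if (times[i] - times[i - threshold + 1]).total_seconds() <= window_seconds:
                flagged.add(user)
                break
    return flagged


def chain_digest(records):
    """Hash-chain the archive: each digest covers the previous digest and the record."""
    digest = b"\x00" * 32  # fixed genesis value
    for rec in records:
        payload = json.dumps(rec, sort_keys=True).encode()
        digest = hashlib.sha256(digest + payload).digest()
    return digest.hex()


def verify_chain(records, expected_hex):
    """True only if the records reproduce the stored chain digest unchanged."""
    return chain_digest(records) == expected_hex


if __name__ == "__main__":
    recs, issues = validate_log(SAMPLE_LOG)
    for n, msg in issues:
        print(f"line {n}: {msg}")
    print("bursts:", failed_login_bursts(recs))
    print("history:", access_history(recs, "cji/record/1001"))
    print("chain:", chain_digest(recs))
```

Run against the sample, the validator reports line 3 (a CJI read with no justification) and line 8 (an action name the schema does not define), the burst check flags the three failed logins for one account within eleven seconds, and the per-record history for one CJI record lists each user with the reason given. Storing the running chain digest somewhere the log writers cannot alter (or in a separate system) is what turns the archive into evidence an auditor can rely on; any dropped or edited record changes the digest.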
See a comprehensive list of what to track and where to track it.
Roles and Responsibilities
Audits are carried out by either the CJIS Audit Unit (CAU) or the CJIS Systems Agency (CSA). Agencies should understand each audit process so that internal auditing and corrective actions, where necessary, can be performed as part of the agency’s preparation process.
The Terminal Agency Coordinator (TAC) should lead the audit for the agency. The Local Agency Security Officer (LASO) and the Information Technology (IT) manager should provide ongoing support to the TAC in maintaining compliance over time, which makes them key roles in the agency’s preparation for an impending audit.
The TAC, LASO, and IT manager should review the list of requirements in the CJIS Security Policy prior to the audit to define roles and responsibilities for each requirement.
Achieving CJIS Compliance
Reaching compliance is no small undertaking. It is the ongoing process of ensuring critical documents are safe and secure. Having the right people involved in the ongoing compliance management procedures for documentation in the lead-up to an audit is nearly as important as the documentation.
An agency’s efforts to stay secure do not end once a CJIS audit is passed. Threats from hackers continue to evolve and reliable security measures must be in place at all times.
Take a Systematic Approach
Take a systematic approach so that you’re always secure, compliant, and ready for an audit.
CABEM’s CJIS Manager can help. We offer a cloud-based platform to track CJIS compliance requirements for the agency, employees, and contracted vendors. We have deep domain expertise in CJIS Compliance and have earned the trust of your agency colleagues, as well as leaders of other highly regulated industries like healthcare, manufacturing, education, and government.