The CJIS Security Policy Areas You Need to Be Aware Of
Knowing what your organization needs in order to maintain CJIS compliance is difficult enough, but actually putting the necessary procedures into practice is an altogether different feat.
Since it’s critical to maintain the CJIS security policy protocols and requirements to access sensitive information, understanding what exactly the Criminal Justice Information Services is and what its thirteen security policies mean for your business is essential! Let’s dive in.
What is CJIS?
Known as CJIS, the Criminal Justice Information Services division of the FBI is a high-tech intelligence hub established in 1992. Linking nearly 18,000 law enforcement agencies across the country to a massive database of crime reports, fingerprints, and other agency data, the CJIS allows law enforcement, national security, and intelligence community partners to access the information they need to protect the United States, while preserving civil liberties.
As the largest division of the FBI, the CJIS comprises several departments such as the National Crime Information Center (NCIC), the Integrated Automated Fingerprint Identification System (IAFIS), and the National Instant Criminal Background Check System (NICS). Because the rate and sophistication of cybersecurity threats are ever changing, CJIS has developed security standards for organizations to follow for the utmost protection.
Which Industries Must Maintain CJIS Compliance?
Essentially, criminal justice management and law enforcement agencies. But others that maintain similar types of data as those agencies, and the IT providers that serve them, must adhere to CJIS compliance standards as well, to make sure security best practices are upheld for data encryption, multi-step authentication, remote access, and wireless networks.
If your agency must ensure CJIS compliance, then it’s imperative you understand the thirteen CJIS security policy areas. Meeting these key requirements is necessary to satisfy CJIS compliance needs.
Understanding the 13 CJIS Security Policy Areas
There are thirteen policy areas that CJIS-compliant organizations must be aware of and uphold. These include:
1. Information Exchange Agreements
Organizations sharing criminal justice information (CJI) with another such organization or agency must establish a formal agreement with each other to ensure that they are complying with CJIS security standards. These written agreements should document what compliance safeguards should be in place to ensure safety.
2. Security Awareness Training
All employees who have access to CJI will be required to have basic security awareness training within six months of initial assignment. Training should then be conducted annually for all personnel with access to CJI.
3. Incident Response
Organizations must have an Incident Response Plan (IRP) in place in the event of a malicious attack. This includes the capabilities to identify, contain, analyze, and recover from a data breach or attack in a timely manner. Any incidents must be tracked and documented so that they can be reported to the Justice Department.
4. Auditing and Accountability
Organizations must be capable of generating audit records on all systems for defined events. This includes monitoring all access to CJI: who is accessing it, when they are accessing it, and why the user is accessing that data. Access to files, folders, and privileged mailbox accounts, as well as login attempts, permission changes, password modifications, and similar events, should be monitored by administrators.
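As an added illustration of what "who, when, what and why" looks like in practice (this is example code written for this article, not the page's or any vendor's tooling), the block below builds audit records as JSON lines, refuses event types outside a defined set, and reviews an existing log for records an auditor would flag. The field names, the event-type names, and the sample log lines are all constructed assumptions.

```python
"""Structured CJI access audit records (added example, not from the page or any product).

Assumed: records are JSON lines; field names, event-type names and the sample
log below are constructed for illustration only.
"""
import json
from datetime import datetime, timezone

# Who, when, what, and why: the minimum the article says each access record needs.
REQUIRED_FIELDS = ("timestamp", "user", "event", "target", "reason", "outcome")

# Event types administrators are told to monitor (names assumed for the example).
DEFINED_EVENTS = {
    "file_access", "folder_access", "mailbox_access",
    "login_attempt", "permission_change", "password_change",
}
PRIVILEGED_EVENTS = {"permission_change", "password_change"}


def make_record(user, event, target, reason, outcome="success", when=None) -> str:
    """Build one audit record as a JSON line, refusing undefined event types."""
    if event not in DEFINED_EVENTS:
        raise ValueError(f"undefined event type: {event}")
    when = when or datetime.now(timezone.utc)
    record = {
        "timestamp": when.isoformat(),
        "user": user, "event": event, "target": target,
        "reason": reason, "outcome": outcome,
    }
    return json.dumps(record, sort_keys=True)


def audit_gaps(lines) -> list:
    """Return (line_no, problem) pairs for records that would not survive an audit review."""
    gaps = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            gaps.append((n, "unparseable record"))
            continue
        if not isinstance(rec, dict):
            gaps.append((n, "record is not an object"))
            continue
        for field in REQUIRED_FIELDS:
            if field not in rec:
                gaps.append((n, f"missing field {field}"))
        if rec.get("reason", "x").strip() == "":
            gaps.append((n, "empty access reason"))
        if rec.get("event") not in DEFINED_EVENTS:
            gaps.append((n, f"undefined event {rec.get('event')!r}"))
    return gaps


def privileged_changes(lines) -> list:
    """Records an administrator should review: permission and password changes."""
    found = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and rec.get("event") in PRIVILEGED_EVENTS:
            found.append(rec)
    return found


# Constructed sample log: three well-formed records followed by two defective ones.
_T = lambda h, m: datetime(2024, 5, 1, h, m, tzinfo=timezone.utc)
SAMPLE_LOG = [
    make_record("jdoe", "file_access", "/cji/cases/2024-001.pdf", "case 2024-001 review", when=_T(13, 0)),
    make_record("admin1", "permission_change", "group:cji-readers", "onboarding ticket 42", when=_T(13, 5)),
    make_record("jdoe", "login_attempt", "vpn-gateway", "start of shift", outcome="failure", when=_T(14, 0)),
    # reason left blank: the "why" is missing
    '{"timestamp": "2024-05-01T14:10:00+00:00", "user": "msmith", "event": "folder_access", '
    '"target": "/cji/", "reason": "", "outcome": "success"}',
    # no timestamp, no reason, no outcome, and an event type nobody defined
    '{"user": "unknown", "event": "shell_access", "target": "db01"}',
]

if __name__ == "__main__":
    for line_no, problem in audit_gaps(SAMPLE_LOG):
        print(f"line {line_no}: {problem}")
    for rec in privileged_changes(SAMPLE_LOG):
        print("review:", rec["user"], rec["event"], rec["target"])
```

Running the block over the constructed log reports the blank reason on line 4 and the four defects on line 5, and lists the single permission change for administrator review; in a real deployment the same checks would run against the log export your audit tooling produces.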
5. Access Control
Access Control is the practice of securing and managing users’ access to information and systems within the network. For organizations, this will look like implementing Role-Based Access Control (RBAC) and enacting other controls, for example for Wi-Fi and Bluetooth.
6. Identification and Authentication
Users must comply with CJIS authentication standards to access sensitive data. This includes using multi-factor authentication (MFA), which uses two or more factors to authenticate users. According to CJIS requirements, a maximum of five unsuccessful login attempts are allowed per user, after which their credentials will need to be reset. Passwords should be reset periodically using best security practices.
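The five-attempt limit is simple to state but easy to get subtly wrong (counters that reset on a wrong guess, lockouts that expire on their own). The block below is an added example written for this article, not the page's or any product's code, showing one way to enforce it. It assumes an in-memory counter per user, that a lockout is cleared only by an administrative credential reset, that a successful login clears the counter, and that secrets are stored as SHA-256 digests for illustration (a production system would use a dedicated password hash and add the MFA factor the article mentions, which is omitted here).

```python
"""Per-user failed-login limit (added example, not from the page or any vendor).

Assumed: in-memory counters, lockout cleared only by admin reset, successful
login resets the counter, SHA-256 digests stand in for a real password hash.
"""
import hashlib
import hmac

MAX_FAILED_ATTEMPTS = 5  # from the article: at most five unsuccessful attempts per user


def _digest(secret: str) -> bytes:
    # Illustrative only: use PBKDF2/Argon2 with a per-user salt in production.
    return hashlib.sha256(secret.encode("utf-8")).digest()


class LoginGuard:
    def __init__(self, credentials: dict):
        # credentials: username -> secret (constructed sample data comes from the caller)
        self._digests = {user: _digest(secret) for user, secret in credentials.items()}
        self._failed = {}      # username -> consecutive failed attempts
        self._locked = set()   # usernames whose credentials must be reset
        self.events = []       # (username, outcome) pairs for the audit trail

    def attempt(self, user: str, secret: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Unknown users are counted like wrong secrets."""
        if user in self._locked:
            self.events.append((user, "locked"))
            return "locked"
        expected = self._digests.get(user)
        if expected is not None and hmac.compare_digest(expected, _digest(secret)):
            self._failed[user] = 0          # success clears the consecutive-failure count
            self.events.append((user, "ok"))
            return "ok"
        self._failed[user] = self._failed.get(user, 0) + 1
        if self._failed[user] >= MAX_FAILED_ATTEMPTS:
            self._locked.add(user)          # fifth miss: credentials must be reset
            self.events.append((user, "locked"))
            return "locked"
        self.events.append((user, "denied"))
        return "denied"

    def failed_attempts(self, user: str) -> int:
        return self._failed.get(user, 0)

    def is_locked(self, user: str) -> bool:
        return user in self._locked

    def admin_reset(self, user: str, new_secret: str) -> None:
        """Credential reset by an administrator: the only way out of a lockout here."""
        self._digests[user] = _digest(new_secret)
        self._failed[user] = 0
        self._locked.discard(user)
        self.events.append((user, "reset"))


if __name__ == "__main__":
    guard = LoginGuard({"analyst": "Tr0ub4dor&3"})   # constructed sample credential
    for guess in ["wrong"] * 5 + ["Tr0ub4dor&3"]:
        print(guess, "->", guard.attempt("analyst", guess))
    guard.admin_reset("analyst", "N3w-Secret!")
    print("after reset ->", guard.attempt("analyst", "N3w-Secret!"))
```

Note that the correct password is refused once the account is locked: the lockout is a state, not just a counter, and only the reset path clears it. The `events` list is there so the lockout and reset show up in the audit trail that policy area 4 asks for.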
7. Configuration Management
Only authorized users are allowed to make configuration changes to systems holding sensitive CJI data. This includes changes such as software updates and adding or removing hardware. During any configuration change, all procedures must be documented and protected from unauthorized access.
8. Media Protection
Organizations handling CJI must ensure the protection of the media that stores it and its safe disposal when it is no longer in use.
9. Physical Protection
All physical locations housing CJI must have physical and personnel security controls to protect the data. This may look like server rooms secured with cameras, locks, and alarms.
10. Systems and Communications Protection and Information Integrity
This policy area refers to an organization’s overall network security and related components. Pervasive perimeter security solutions must be implemented by organizations handling CJI, such as firewalls, anti-virus software, encryption, and Intrusion Prevention Systems (IPS). All CJI must be encrypted to defined standards. For instance, organizations must use a minimum of 128-bit encryption, with decryption keys that are at least 10 characters long and combine upper- and lowercase letters, numbers, and special characters.
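The two numbers in that paragraph (a 128-bit key and a 10-character passphrase) belong to different layers: the passphrase is what a person types, and the key is what the cipher actually uses, so something has to check the passphrase rules and stretch it into a key of the right length. The block below is an added example written for this article, not the page's or any product's code. It assumes PBKDF2-HMAC-SHA256 as the derivation function, an illustrative iteration count, Python's `string.punctuation` as the definition of "special character", and that the salt is stored next to the ciphertext; the encryption itself is left to a vetted cryptographic library and not shown.

```python
"""Passphrase policy check and 128-bit key derivation (added example, not the page's code).

Assumed: PBKDF2-HMAC-SHA256, the iteration count, string.punctuation as the set
of special characters, and a salt stored alongside the ciphertext.
"""
import hashlib
import os
import string

MIN_KEY_BITS = 128           # from the article: minimum of 128-bit encryption
MIN_PASSPHRASE_LENGTH = 10   # from the article: decryption keys at least 10 characters
PBKDF2_ITERATIONS = 200_000  # assumed value; raise it as far as your hardware allows


def passphrase_problems(passphrase: str) -> list:
    """List every rule the passphrase breaks; an empty list means it passes."""
    checks = [
        (len(passphrase) >= MIN_PASSPHRASE_LENGTH,
         f"shorter than {MIN_PASSPHRASE_LENGTH} characters"),
        (any(c.isupper() for c in passphrase), "no uppercase letter"),
        (any(c.islower() for c in passphrase), "no lowercase letter"),
        (any(c.isdigit() for c in passphrase), "no digit"),
        (any(c in string.punctuation for c in passphrase), "no special character"),
    ]
    return [message for ok, message in checks if not ok]


def new_salt() -> bytes:
    """16 random bytes; store them with the ciphertext, they are not secret."""
    return os.urandom(16)


def derive_key(passphrase: str, salt: bytes, key_bits: int = MIN_KEY_BITS) -> bytes:
    """Stretch a policy-compliant passphrase into a key of at least 128 bits."""
    problems = passphrase_problems(passphrase)
    if problems:
        raise ValueError("weak passphrase: " + "; ".join(problems))
    if key_bits < MIN_KEY_BITS or key_bits % 8:
        raise ValueError(f"key must be a whole number of bytes and at least {MIN_KEY_BITS} bits")
    if len(salt) < 16:
        raise ValueError("salt should be at least 16 random bytes")
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=key_bits // 8
    )


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3"):   # constructed sample passphrases
        print(candidate, "->", passphrase_problems(candidate) or "ok")
    salt = new_salt()
    key = derive_key("Tr0ub4dor&3", salt)
    print("derived", len(key) * 8, "bit key; salt", salt.hex())
```

The derived key is what you hand to an AES-128 (or stronger) implementation from a validated library; the passphrase itself should never be used as the key directly, since 10 typed characters are nowhere near 128 bits of entropy and the stretching is what makes offline guessing expensive.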
11. Formal Audits
All CJIS-compliant organizations will be subjected to formal security audits once every three years to ensure all CJIS security measures are being followed. These audits will be conducted either by the CJIS Audit Unit (CAU) or by the CJIS Systems Agency (CSA).
12. Personnel Security
Organizations must provide security screenings for all employees, contractors, and vendors that will have access to CJI. This includes state-of-residence and national fingerprint-based record checks with the Integrated Automated Fingerprint Identification System (IAFIS).
13. Mobile Devices
All mobile devices with access to CJI, including smartphones, laptops, and tablets, must adhere to an acceptable use policy and may be subject to additional security policies, including the pre-existing security measures for on-premises devices. For instance, this may mean there are certain restrictions on the applications employees can install or the websites they can access from mobile devices. Or it may look like requiring employees to use a Virtual Private Network (VPN) so that all data transmissions are encrypted.
How a CJIS Data Center Can Simplify Maintaining Compliance
While ensuring CJIS compliance may seem like a difficult feat, many of these necessary policy areas can be simplified with the right tools and solutions. One of the most effective ways to ensure your organization is upholding CJIS security standards is by working with a CJIS compliant data center.
Data centers that maintain CJIS compliance are experts who understand the ins and outs of each compliance policy area. This ensures that your organization maintains the right protocols, while allowing your internal team to focus on more pressing tasks instead of devoting time to compliance.
Failing to be CJIS compliant can be a critical blow to your organization or agency – as well as jeopardize sensitive information. Finding a data center you can trust can be an effective long-term solution for organizations looking to streamline their CJIS compliance efforts without devoting the time, money, infrastructure, and energy needed to follow every requirement themselves.
Turn to Thrive CJIS-Compliant Data Centers!
If you’re considering migrating your data to a CJIS-compliant data center, look no further than Thrive. Thrive is the only private disaster recovery data center contracted by the State of Florida, so you can have peace of mind in our security solutions! We ensure strict security protocols and 99.99%+ uptime, and we meet compliance requirements for CJIS, HIPAA, PCI, SOC, and more.