If your organization is involved with government entities and operations, chances are you have heard of Criminal Justice Information Services (CJIS) compliance. The term is commonly used in law enforcement but can also apply to civil entities.
CJIS compliance requirements protect national security while protecting the civil liberties of individuals and businesses and safeguarding private and sensitive information. It is an integral part of securing organizations for law enforcement and civil agencies, with access to criminal justice information (CJI) and ensuring they do not become victims of cybercriminals looking to exploit CJI for ransom or cause public damage. CJI refers to all the FBI CJIS-provided data necessary for law enforcement and civil agencies to perform their missions, including but not limited to, biometric, identity history, biographic, property, and case/incident history data.
Established in 1992, CJIS is the largest division of the FBI and the primary source of information and services for all law enforcement, national security, and intelligence community partners. FBI CJIS is a division that provides a comprehensive database that helps law enforcement, national security, and intelligence community partners across the country and is comprised of several departments:
- Integrated Automated Fingerprint Identification System (IAFIS) – houses the most extensive collection of digital representations of fingerprint images, features from the digital fingerprint images, and criminal history information in the world
- Law Enforcement National Data Exchange (N-DEx) – an electronic repository of unclassified criminal justice records submitted by agencies nationwide that enables users to piece together seemingly unrelated data about people, places, and things and facilitates collaboration among agencies and investigators
- Law Enforcement Enterprise Portal (LEEP) – provides web-based investigative tools and analytical resources that support the strengthening of case development for investigators and enhance sharing between agencies
- National Crime Information Center (NCIC) – stores data on criminals and missing people
- National Instant Criminal Background Check System (NICS) – used for background checks on people who want to own a firearm or explosive
- Uniform Crime Reporting (UCR) – compiles statistics for use in law enforcement, students of criminal justice, researchers, media, and the public
Each state or territory has a CJIS Systems Agency (CSA) that oversees the administration and usage of the CJIS Division programs within a state, district, territory, or country.
Why is CJIS Important?
State and local government and non-criminal justice agencies (NCJAs) are becoming frequent targets for several reasons:
- Small local agencies can provide malicious actors with a portal into highly sensitive data within CJIS databases
- Government agencies are considered an easy target by malicious actors
- Law enforcement and public safety agencies, as well as their third-party vendors, are increasingly using mobile devices, many containing unauthorized use, to transmit and store CJIS data
- State and local governments are typically less secure (and less funded) than their federal counterparts
- The COVID-19 pandemic has resulted in more remote work, which challenges IT personnel to secure endpoints for remote workers
A data or infrastructure breach can damage national security and the civil liberties of individuals and businesses. Not prioritizing CJIS requirements and the policies that pertain to your organization could lead to sanctions, penalties, suspension, revocation, or monitoring of access to CJIS. The CJIS Security Policy (CSP) offers a set of security standards for all organizations, including cloud vendors, local agencies, and corporate networks, to protect CJIS data from cybersecurity threats. Failure to comply with the policy can result in denial of access to any FBI database or CJIS system, along with fines and even criminal charges. There have been several cases of non-compliance with CJIS. In April of 2021, a Lanesborough, MA, police officer was fired for improper use of the criminal records database. In September of 2022, a Freehold, NJ, officer illegally accessed information from a law enforcement (LE) database for personal use and was put on probation and fined. Fort Worth, TX, had an incident whereby employees with criminal convictions were allowed access to a confidential FBI criminal database.
Who Needs to Be CJIS Compliant?
The short, easy answer is: if your organization receives information from state bureau investigation organizations and/or the FBI, it is likely bound by CJIS requirements.
A word of caution - many vendors incorrectly state that their solution is “CJIS certified”. There is no such thing. A CJIS-compliant solution relies on shared responsibility between a vendor and the particular agency. Even if your CJIS data is accessed via a cloud service provider, it is important to remember that some of the requirements can only be met by those directly within your organization. By implementing and utilizing best practices as recommended by the CSP, organizations can maintain compliance, keep sensitive data secure, and enable more efficient operations within an agency. There is no central CJIS authorization body (e.g., the Office of Civil Rights for HIPAA or the Payment Card Security Standards Council for credit card processing), no accredited pool of independent assessors, nor a standardized assessment approach to determining if a particular solution is considered CJIS compliant. To that end, each state is individually responsible for compliance within their jurisdictions and individually accountable to the FBI. Since each state is responsible for compliance within its jurisdiction, no single entity can grant a national compliance seal of approval, and the FBI does not have the resources to manage a national certification process.
However, to ensure organizations are following the best practices outlined in the CSP, an assessment can help determine if an organization is compliant at the time. It is important to remember that compliance does not mean security. Security needs to be incorporated within business as usual and not just for the point in time an assessment is conducted.
NCJA – Defined
What is the difference between a Criminal Justice Agency (CJA) and NCJA? CJAs are law enforcement related, such as the FBI, police, correctional institutions, courts, etc. An NCJA is any agency or sub-unit thereof that provides services primarily for purposes other than the administration of criminal justice. Examples of services include, but are not limited to, employment suitability, licensing determinations, immigration and naturalization matters, and national security clearances.
There are three categories of NCJAs:
|Government||A Federal, state, local, or tribal government agency or any subunit thereof whose charter does not include the responsibility to administer criminal justice but may have a need to process CJI.||A central IT organization within a state government that administers equipment on behalf of a state law-enforcement agency.|
|Private||A private agency or subunit thereof whose charter does not include the responsibility to administer criminal justice but may need to process CJI.||A local bank.|
|Public||A public agency or sub-unit thereof whose charter does not include the responsibility to administer criminal justice but may need to process CJI.||A county school board that uses criminal history record information to assist in employee hiring decisions.|
Other NCJAs examples include:
- 911 communications center that performs dispatching functions for a criminal justice agency
- Agency for Healthcare Administration
- Bank needing access to criminal justice information for hiring purposes
- City/County IT Department
- Data center or cloud service provider housing CJI
- Departments of Public Safety
- Outsourcing whereby another entity performs a given service/function on behalf of the authorized receipt to include storage of CJI, destruction of CJI, or IT support where access to CJI may be incidental but necessary
- Prosecuting attorney offices
- Public school districts, charter schools
- Transcription and translation companies
The CSP was developed based on presidential directives, federal laws, FBI directives, and guidance from the National Institute of Standards and Technology (NIST) 800-53: Security and Privacy Controls for Information Systems and Organizations. The policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. The most recent update to version 5.9.1 was released in October of 2022 and includes several appendices on topics such as best practices for virtualization, cloud computing, Voice over Internet Protocol (VoIP), mobile, incident response, etc.
The CSP provides CJAs and NCJAs with minimum security requirements for access to FBI CJIS Division systems and information and to protect and safeguard CJI. The policy applies to every individual contractor, private entity, NCJA representative, or member of a criminal justice entity with access to, or who operates in support of criminal justice services and information. One thing to note is that the CSP considers data, services, and protection controls that apply regardless of the architecture. Architectural independence is not meant to lessen the significance of systems but to provide for the replacement of one technology with another while ensuring the controls required to protect the information remain constant.
The FBI conducts government audits every three years for organizations and institutions that use the CJIS network to ensure that agencies are following the correct procedures for safeguarding sensitive information. Audits also include NCJAs with direct access to that data. During the audit, inspectors will review agency policies and procedures, interview agency personnel, observe data security practices, and test the physical security of facilities and computer systems. Although the audit results are confidential, agencies that fail to meet the standards outlined in the CSP may be required to take corrective action to ensure national security and the safety of the nation's criminal justice agencies.
Before discussing the policy areas within the CSP, it is important to understand additional terminology, such as Criminal History Record Information (CHRI), which is a subset of CJI and is sometimes referred to as restricted data. It includes information about the history of an individual's contact with law enforcement agencies. CJI and CHRI terms are used interchangeably, but due to its comparatively sensitive nature, additional controls are required for CHRI's access, use, and dissemination.
CHRI is defined by Title 28 Code of Federal Regulations (CFR) §20.3 as:
“..information collected by criminal justice agencies on individuals consisting of identifiable descriptions and notations of arrests, detentions, indictments, information, or other formal criminal charges, and any disposition arising therefrom, including acquittal, sentencing, correctional supervision, and release. Information is considered CHRI if it is transferred or reproduced directly from CHRI received as a result of a national FBI check and associated with the subject of the record. This includes information such as conviction/disposition data as well as identifiers used to index records regardless of format”
CHRI must not be distributed to the general public. This includes maintaining CHRI in formats that are accessible by the public or within records that are subject to release through public record requests. Each state has its own laws about the information released based on a non-criminal justice criminal records inquiry.
Restricted files that should be protected as CHRI:
- Gang Files
- Historical Protection Order Files of the NCIC
- Identity Theft Files
- National Sex Offender Registry Files
- NICS Denied Transactions Files
- Person With Information (PWI) data in the Missing Person Files
- Protective Interest Files
- Supervised Release Files
- Threat Screening Center Files
- Violent Person Files
NCJAs authorized to receive CHRI for non-criminal justice purposes are subject to audit to ensure compliance with state and federal rules regarding fingerprint submissions and CHRI use. CHRI disseminated for non-criminal justice purposes shall be used only for the purposes for which it was given. Users shall not perform background checks to access criminal history record information on themselves for training purposes, as this is considered a misuse of CHRI and is a sanctionable offense.
The CSP defines thirteen areas with over 580 controls that CJAs and NCJAs must evaluate for consistency with CJIS requirements. These areas correspond closely to NIST 800-53, which is the basis for the Federal Risk and Authorization Management Program (FedRAMP). Therefore, organizations can leverage a FedRAMP audit to gain insight into CSP control implementation details relevant to the CSP requirements. Local agencies can complement the CSP with a local policy or develop their own standalone security policy, but the CSP should always be the minimum standard. Local policy can augment or increase the standards but not detract from them. Note that cloud service providers, such as Google Cloud, can support agencies in states that have executed a CJIS Information Management Agreement with Google.
Each policy area provides both strategic analysis and tactical implementation requirements and standards. Not every consumer of FBI CJIS services will encounter all policy areas. Therefore, the circumstances of applicability are based on individual entity configurations and use. While the major theme of the policy areas is concerned with electronic exchange directly with the FBI, it is understood that further dissemination of CJI to authorized recipients by various means (hard copy, e-mail, web posting, etc.) constitutes a significant portion of CJI exchanges. Regardless of its form, use, or method of dissemination, CJI requires protection throughout its life.
The following table provides a high-level description of each policy area:
|1||Information Exchange Agreements||Organizations sharing CJI with another organization or agency must establish a formal agreement to ensure that they comply with CJIS security standards.|
|2||Security Awareness Training||All employees with access to CJI must have basic security awareness training within six months of initial assignment. The CSP describes four levels of training in more detail.|
|3||Incident Response||Incident Response plans must be in place detailing the capabilities to identify, contain, mitigate, respond, and recover from a data breach or attack.|
|4||Auditing and Accountability||Generate audit records of all systems for defined events, including monitoring all access to CJI. Monitoring should consider who is accessing CJI, when they are accessing it, and why the user is accessing that data. Access to files, folders, privileged mailbox accounts, login attempts, permission changes, password modifications, and similar should be monitored by administrators.|
|5||Access Control||Controls to secure and manage users' access to information and systems within the network.|
|6||Identification and Authentication||Implement authentication standards to access sensitive data, including multi-factor authentication (MFA).|
|7||Configuration Management||Management of configuration changes to software updates and adding or removing hardware. All procedures must be documented and protected from unauthorized access during configuration changes.|
|8||Media Protection||Ensure the protection and safe disposal of CJI when they are no longer in use.|
|9||Physical Protection||All physical locations of CJIS must have physical and personnel security control to protect the CJI data (e.g., cameras, alarms, etc).|
|10||System & Communications Protection & Information Integrity||Implement network security and related components such as firewalls, anti-virus software, encryption, and intrusion prevention systems (IPS).|
|11||Formal Audits||All organizations with users that store, process, transmit, or view CJI will be subject to formal security audits once every three years to ensure all CJIS security measures are followed.|
|12||Personnel Security||Conduct security screenings for all employees, contractors, and vendors with access to CJI. Screenings include a state of residence and national fingerprint-based record checks with IAFIS.|
|13||Mobile Devices||All mobile devices, including smartphones, laptops, or tablets with access to CJI must adhere to an acceptable use policy and may include additional security policies, including the pre-existing security measures for on-premises devices.|
CJIS Requirements Companion Document
In addition to the CSP, the FBI provides a CJIS Requirements Companion document which is an additional resource within the CJIS Security Policy Resource Center and describes which party has the responsibility to perform the actions necessary to ensure a particular CJIS Security Policy. Responsibility is color-coded within the columns based on the agreed ability to perform the steps needed to meet requirements.
The document also contains the “cloud matrix” consisting of additional columns describing who has the technical capability to perform the actions necessary to ensure a particular requirement is being met. However, note that the agency is ultimately accountable for ensuring policy compliance.
Version 5.9.1, recently released, includes new requirements not yet auditable or sanctionable until October 1st, 2023. The following is a snippet from part of the Requirements Companion Document:
Whether your organization is considered a CJA or NCJA, if dealing with CJI is a regular part of the entity’s work, avoid taking unnecessary risks with sensitive information and ensure the CSP is followed. Knowing the various policy areas and how to best approach them is the first step to making sure your organization is adhering to the CSP guidelines. There is no such thing as spending too much on security to prevent the loss of vital information. Third-party consultants, such as Compass IT Compliance, can assist CJAs or NCJAs in a risk assessment to help identify gaps where controls may not be implemented. Contact us today to discuss your unique environment and challenges!
You May Also Like
These Related Stories
Colorado Protections for Consumer Data Privacy Act - What to Know
Get Email Notifications
No Comments Yet
Let us know what you think