Established in 1992, Criminal Justice Information Services (CJIS) is the single largest division of the FBI. Made up of several departments, including the National Crime Information Center (NCIC), Integrated Automated Fingerprint Identification System (IAFIS) and the National Instant Criminal Background Check System (NICS), CJIS is tasked with monitoring criminal activity in local and international communities using analytics and statistics provided by various law enforcement teams. The resulting database provides a centralized source of criminal justice information (CJI) that is used on a daily basis by agencies around the United States.
CJI data is most commonly used when performing background checks, but it is also put to use catching criminals and generally tracking criminal activity. When the CJIS division was formed more than 25 years ago, most law enforcement officers could only access CJI data from an office terminal, but as mobile devices have proliferated, the jobs of police, fire crews and other emergency response teams have become more dependent (and more efficient) thanks to secure, real-time and reliable access to these databases using mobile devices out in the field. In fact, officers today can collect, organize, and share mission-critical data without being tied to a desk at all.
But making data so accessible doesn’t come without its own security risks. To prevent unauthorized access, strict standards were put in place to ensure that CJI data doesn’t get into the wrong hands. Those standards are known as Criminal Justice Information Services Security Policy, and it particularly addresses technology compliance standards for government agencies that interact with CJI in databases, on desktops, on laptops and mobile devices.
CJIS compliance requires that organizations keep this information protected, whether it is stored on a device or transferred to another party. This applies to law enforcement agencies, including local police forces as well as prosecuting attorneys’ offices who also have access to CJIS data.
13 Policies Safeguarding CJIS
Here are the 13 policy areas that apply to CJIS compliance:
- Information Exchange Agreements: A written agreement is required between any agencies that share CJIS-protect data.
- Security Awareness Training: Any employees handling CJIS data are required to undertake security training within the first six months of being assigned to their role and refreshers every other year.
- Incident Response: Safeguards must be in place to detect and contain any data breaches; data recovery measures must also be in place. Any data breach must be reported to the appropriate authorities.
- Auditing and Accountability: Audit controls are needed to monitor who is accessing data, when it is being accessed, and for what purpose.
- Access Control: Agencies must have the ability to control who has access to the data. This includes control of who can access, upload, download, transfer, and delete secure data. This impacts login management systems, remote access controls, and more.
- Identification and Authentication: To access CJIS data, users must align with CJIS login credential standards, meet password requirements, and use advanced authentication methods such as one-time passwords and multi-factor authentication.
- Configuration Management: Only authorized users can make configuration adjustments, such as system upgrades or modifications.
- Media Protection: CJIS-related data must be protected in all forms, digital and physical, both in transit and at rest. Equipment that is no longer used by an organization must be sanitized and disposed of appropriately.
- Physical Protection: The physical location for stored CJIS data must be secured at all times, preventing access from unauthorized persons.
- System and Communications Protection and Information Integrity: In addition to data protection, organizational systems and communications need to be protected. This includes encryption, network security, data breach detection measures, and more.
- Formal Audits: Any organization that uses and manages CJIS data may be subject to audits a minimum every three years.
- Personnel Security: All personnel in the organization, including employees and contractors, must submit to security screenings and national fingerprint-based background checks.
- Mobile Devices: Usage restrictions must be established for smartphones and tablets. Access to systems from these devices must be authorized, monitored, and controlled.
CJIS Compliance for Organizations
With all these rules, there are three things that organizations should consider about CJIS compliance.
1) Multi-factor Authentication and Encryption
When implementing a security solution to safeguard CJI data, agencies and other organizations should consider how 2FA or MFA will affect officer and employee workflows. In the fast-paced environment of law enforcement, it is imperative that any second factor authentication tools do not disrupt officer workflows or productivity. So, it may be best to use software applications or physical devices that generate unique, one-time passwords with time limits, and which only require one sign-on during a shift. At the same time, encrypting files and emails adds an extra layer of complexity for any criminals trying to gain access to CJI and other vital information.
3) Choosing Solutions that Support CJIS Requirements
CJIS Security Policy requires certain advanced authentication methods, such as smart cards, electronic token devices and finger biometrics. Selecting the ideal form of two-factor authentication depends on the needs of the organization. Deploying a solution with limited options may not serve all groups well.
3) Personnel Training
For CJIS best practices, staff training should be held frequently and with sufficient documentation and knowledge sharing to ensure that all employees – including contractors – are on the same page regarding complete compliance. This should include security protocols and password requirements that can be deployed across the entire organization.