CJIS-C
CJIS Security Policy Compliance
Straightforward gap analysis and readiness services to assess compliance with the CJIS Security Policy, remedy gaps, and prepare for both scheduled and unannounced audits.
Overview
The Criminal Justice Information Services (CJIS) Division of the FBI shares invaluable Criminal Justice Information (CJI) with and between local law enforcement agencies to make them collectively more effective in fighting crime.
Given the value and sensitivity of this data, the FBI through CJIS imposes strict security and privacy standards on agencies that connect to CJIS systems. The CJIS Security Policy defines the controls required to protect CJI, at rest and in transit:
"The CJIS Security Policy provides guidance for the proper creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. This policy applies to every individual — contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity — with access to, or who operates in support of, criminal justice services and information."
Enforcement of these requirements includes audits by CJIS.
Why you need Illumant's CJIS-C service
In its agency agreements, CJIS reserves the right to triennial security audits as well as ad hoc, unannounced audits. Non-compliance means loss of access to valuable databases and crime-fighting data. In cases of misuse, individuals may face suspension, loss of employment, and prosecution for state and federal crimes. Illumant's CJIS-C service brings deep CJIS Security Policy knowledge, experience, and expertise to your team to address compliance and prepare for audits.
Educate stakeholders, share accountability, drive security
Our CJIS-C service includes interviews with stakeholders to assess compliance — and to educate and inform about compliance requirements. This increases cross-departmental responsibility and accountability and helps drive security initiatives forward. You control who is involved in the interview process.
We reduce the burden, minimize the confusion
Illumant's CJIS-C service shifts much of the compliance burden away from you, distributes responsibility to appropriate personnel, and adds clarity and education to the process — what's needed to meet the standards, and what needs to be remediated to achieve compliance, avoid penalties, and avoid breaches.
How CJIS is administered
The CJIS Security Policy defines the minimum standard of security controls required for sharing CJI. Individual states interpret the policy. At the state level, a CJIS Systems Officer (CSO) is appointed to administer the policy and is responsible for interpreting and enforcing it for sub-agencies.
At the local level (city or county), a Terminal Agency Coordinator (TAC) — usually a commissioned officer — is the point of contact for all CJIS matters. The TAC's direct report is the Local Agency Security Officer (LASO). Often these and other roles are assumed by the same individual.
A triennial audit of each Criminal Justice Agency (CJA) is required to document compliance. This audit is usually administered by the state's ranking CJA under the purview of the CSO, and may be executed at the federal level by the FBI CJIS Audit Unit.
CJIS Security Policy
The 13 policy areas, in plain language.
Area 1
Information Exchange Agreements
Organizations must have executed, written agreements covering the degree to which CJI sharing will occur and the relevant security policies and procedures of each party. Sample exchange agreements appear in Appendix D of the CJIS Security Policy.
Area 2
Security Awareness Training
All personnel with access to CJI — and IT staff with logical access — must receive basic security training within 6 months of assignment and every two years thereafter. Training records must be maintained.
Area 3
Incident Response
Agencies must maintain incident detection, response, and handling capabilities — including reporting and tracking, containment, and recovery mechanisms.
Area 4
Auditing and Accountability
Adequate system event logging and review capabilities must be in place to support incident detection, response, and forensics.
Area 5
Access Control
Mechanisms to control access to sensitive information, covering authentication, remote access, and VPNs, as well as wireless access (Wi-Fi and Bluetooth) for computers and mobile devices.
Area 6
Identification and Authentication
Unique identification of users and processes acting on their behalf, password and PIN policies, and advanced authentication requirements.
Area 7
Configuration Management
Only qualified, authorized individuals may initiate changes, upgrades, or modifications. Agencies must produce and maintain a current topological diagram of inter-connectivity to CJI systems and services (Appendix C).
Area 8
Media Protection
CJI must be secured at rest and in motion across electronic networks and physical locations, with guidelines for media sanitization and disposal.
Area 9
Physical Protection
Physically secure locations are defined by policies, physical controls, and personnel security controls sufficient to protect CJI.
Area 10
Systems and Communications Protection & Information Integrity
Pervasive safeguards across modern cybersecurity — encryption, antivirus, anti-spam, virtualization, VOIP, cloud — and version/patch management to gate releases into the network.
Area 11
Formal Audits
Criminal Justice Agencies (CJAs) and Non-Criminal Justice Agencies (NCJAs) are audited against the Policy at least triennially by the FBI CJIS Audit Unit (CAU) or the state's CJIS Systems Agency (CSA).
Area 12
Personnel Security
State of residence and national fingerprint-based record checks for all personnel — including vendors and contractors — with physical or logical access to unencrypted CJI.
Area 13
Mobile Devices
Detailed guidance for cellular smartphones and tablets — minimum management functions and compensating controls to bridge inherent technical limitations of some devices.
Highlights
- Interviews with stakeholders, education
- Inspection and observation-based process
- Assessment of current security measures
- Assessment of compliance with CJIS Security Policy
- Review of policies and procedures
- Perimeter Security Assessment
- Physical Security Assessment
- Actionable remediation activities
- Optional CJIS-compliant security program development
- Documentation of results, evidence
- Final reports — executive and technical
Targets
- Criminal Justice Information (CJI)
- CJIS Security Policy
- Administrative, technical, physical controls
- Policies and procedures
- Information exchange agreements
- Security Awareness Training
- Incident Response
- Auditing
- Access Control, Identification, Authentication
- Configuration Management, System & Communications Protection
- Media Protection
- Physical Protection
- Personnel Protection
- Mobile Devices and Wireless networks
Case study
How we helped a mid-size US city improve its security posture.
We identified technical security weaknesses, tested employee awareness, simulated a cyber-attack through black-box penetration testing, and provided prioritized recommendations to bolster security against real-world attacks.
Related security assessments
What we typically pair with a CJIS engagement.
PSA
Perimeter Security Assessment & Penetration Testing
Find the weaknesses in your perimeter before hackers do.
CASA
Critical Asset Security Assessment
Test the systems that, if breached, would hurt the most.
LANSA
LAN Security Assessment
Assume breach — then prove what an insider can reach.
SocEng
Social Engineering
Test employee awareness of cyber-security threats.
PhySA
Physical Security Assessment
Locks, badges, cameras, and the humans guarding them.
BBPen
Advanced Black Box Penetration Testing
Care for a game of capture-the-flag?
DLPA
Data Loss Prevention Assessment
Find sensitive data — then make sure it can't walk out.
Ready to start a conversation?
Talk to a senior consultant — we'll scope an engagement that fits your environment.