A while back, Bill wrote about the Advisory Process (see “Taking Advantage of the Advisory Process – Schoolhouse Rock Style”). This “Process” is how policy and procedures change at the national level. Contrary to popular belief, the FBI doesn’t sit back and write the CJIS Security Policy (CSP) or other criminal justice information related policy; every state has a part.
Every spring and fall, the CJIS Advisory Policy Board (APB) meets to review, discuss and vote on proposed changes to national CJIS related policy and procedures. Our favorites are the ones that deal with the CJIS Security Policy (secretly, it’s yours too; admit it).
Twice a year, the APB considers changes to the CSP (and other CJIS related policies). Like clockwork, starting in March, “the Process” begins with Working Group meetings. The Subcommittees come next, and finally the APB itself in June. Then it starts all over again in August and finishes in December.
Twice a year, the APB Process is most likely going to approve changes to the CSP, but only once a year are the FBI ISO folks going to update the CSP. Typically, we see the update come out in late summer. Sometimes it’s early, like this year when it came out in June.
Bottom line, the CSP is going to change. So, we’re going to see if we can help you manage this change a little bit by trying to get ahead of it.
We at CJIS ACE intend to review the APB topics that change the CSP, and let you know the outcomes from the APB. This will give you an idea of what was approved, and nothing should catch you unaware (as long as you’re paying attention).
One thing to know, and I’ll remind y’all as we go along: just because the APB approves a topic, it doesn’t guarantee it will be in a future version of the CSP. The APB approvals are actually recommendations to the FBI Director, who does have ultimate override authority, but in my twenty-two years of involvement, I do not remember a “veto”.
Additionally, topics approved in the spring and fall of a given year are published in the CSP released in the following year, e.g., topics approved back in June (2016) and those that will be approved in December (2016) will show up in the CSP version that will be released in the summer of 2017 (version 5.6).
As part of my review, I’m going to primarily focus on the topics that change the CSP. Usually there are other topics that may relate to the CSP or audits.
So, let’s get started. In June the APB met in Norfolk, Virginia. We lucked out in that there was only one topic that updates the CJIS Security Policy.
APB Item #15, SA (Security & Access Subcommittee) Issue #4 dealt with Clarifying Encryption Requirements in the CJIS Security Policy. This topic was approved by the APB.
This topic clarified which type of encryption is required for CSP compliance. Current policy says that you have to use a FIPS 140-2 encryption module for transmitting CJI and FIPS 197 certified, 256-bit encryption for CJI at rest.
The change: The APB-approved change now specifies that the encryption module must use a symmetric cipher.
Symmetric encryption is a type of encryption where the same key is used to encrypt and decrypt a message. Symmetric encryption is also known as secret key encryption.
Does this affect you: It could. You will need to check that the encryption modules your agency is using are compliant.
When will we see this: This change should show up in CSP version 5.6, summer of 2017.
If you would like to see the topic paper as it was presented to the APB, click here: Encryption Topic Paper.
There was another topic that will have an impact on almost everybody, but its requirements won’t be presented until fall 2016: APB Item #15, SA Issue #5, Clarifying CJIS Security Policy Requirements for Cloud Storage of Criminal Justice Information (CJI).
This topic requires the CJIS ISO Program to create a topic paper for presentation during the Fall 2016 Working Groups that will detail specific cloud computing requirements intended for inclusion into Section 126.96.36.199 related to CJI processing and storage in a cloud environment.
So, although there were no changes to the CSP based on this topic, the APB has instructed the FBI CJIS ISO program to develop new policies regarding cloud services for CJI. This topic starts the APB process in August 2016, and will go before the APB in December 2016. It will be a big one for the January newsletter.
There you have it. No major changes, but one thing that you need to check and another that is on the horizon. I hope this helps as you go forward maintaining compliance.
Y’all take care.
Sr. Security Analyst
850.656.3333 ext. 288