CJIS Security Policy v. NIST Special Publication 800-53 – Does Anyone Have a Map?
If there is one area that the federal government does well in is its ability to produce a lot of policies that span a lot of pages! We are all very familiar with this with respect to a policy “near and dear to our hearts” – the FBI CJIS Security Policy.
Throughout these newsletters we’ve explored the FBI CJIS Security Policy and have become well aware of how expansive it is. For those who have not counted, the policy that mandates hundreds of security-related controls and documented policies and procedures on agencies and users of criminal justice systems clocks in at over 190 pages!
Don’t get me wrong, one of my life’s passions is information systems security which most certainly includes the evolution and implementation of this policy. A good foundational policy document like the FBI CJIS Security Policy is not only needed but is CRITICAL in helping ensure the confidentiality, integrity and availability of the criminal justice systems that are used every day. Protecting these systems are of utmost importance when it comes officer and public safety.
NIST Special Publication 800-53 outlines and documents security controls for federal information systems and organizations based on a risk management framework. These controls are required of all federal systems except those that are designated as and designed for national security.
Why is NIST Special Publication 800-53 important for you and your agency?
Some state CSOs and ISOs have adopted the NIST Special Publication 800-53 framework as a way of documenting security control compliance with the FBI CJIS Security Policy. Even if it has not been formally adopted/required in your state, knowing and documenting the security controls used to attain compliance is important. As such, identifying which sections of the 450+ page NIST document apply is extremely important. How do we begin to determine which sections apply to the FBI CJIS Security Policy?
Good question! Easy answer…
How do we use mapping you ask?
Another good question and another easy answer!
The FBI CJIS Information Security Officer (ISO) Program Office, has made this task a lot easier by completing the mapping process for us. The FBI has published a document titled, Security Control Mapping of CJIS Security Policy Version 5.3 Requirements to NIST Special Publication 800-53 Revision 4, dated, 4/1/2015.
This document was produced by the FBI CJIS ISO Program Office at the request of the APB’s Security and Access Subcommittee to be used as a reference when determining how to implement required security controls set forth in the FBI CJIS Security Policy. Having a mapping from the security policy to the security controls document will help agencies in their compliance efforts and help shape and improve their overall compliance profile.
Want a copy of the FBI’s mapping document?
Come on over to the CJISACE.com web page and download your own copy.
Need help with a strategy to implement the controls listed in NIST Special Publication 800-53 or need help determining how they relate to the FBI CJIS Security Policy? Need to know what your agency’s overall Compliance Profile is?
Drop me a line or give me a call and we can talk about how CJIS ACE can help!
Until next time, be safe
William “Bill” Tatun, CISSP, CISM
Chief Information Security Officer
Diverse Computing Inc.