The Top 5 Difficulties in reaching “CJIS Compliance”
Ever wonder what the top issues are when it comes to CJIS-related audits and overall compliance with the security policy?
I have always been interested in knowing what the top issues were, especially on audits conducted by the FBI’s CJIS Audit Unit.
For one, I was always interested in knowing how my agency was doing with respect to our compliance efforts.
Further, as the CJIS Systems Agency (CSA) Information Security Officer (ISO) and later the CJIS Systems Officer (CSO) for New York State, knowing the top issues always helped me assist the other agencies in the state in getting “ahead of the curve” and moving toward maintaining compliance with all the requirements.
Finally, as a member of the FBI CJIS Advisory Policy Board (APB) and as Chairman of the Security and Access Subcommittee, knowing the results of the audits, combined with feedback from the FBI CJIS auditors, let me know whether the policy was clear, concise and understandable and whether we were accomplishing what was intended with the particular policy section. As you are aware, if the above isn’t true it can wreak havoc on your efforts to achieve compliance.
While I looked forward to hearing the latest stats for very specific reasons, for you, it may just provide a simple gauge on how your agency is doing, compliance-wise, compared to others. Either way, let’s take a look at the audit statistics that were presented at the last FBI CJIS-sponsored ISO Symposium:
[Chart] Results: 2013-2014 Audit Cycle for Local Agencies
[Chart] Results: 2013-2014 Audit Cycle for CJIS Systems Agencies (CSAs)
There’s a lot of information that can be garnered from the above statistics. The top issues clearly stand out with a noticeable overlap at both the local agency and the state levels.
How does your agency compare?
How many of the Top 5 “Most Wanted” CJIS Security Policy Compliance Issues for local agencies (Security Addendum, Media Disposal, Encryption, Security Awareness Training and Management Control Agreements) is your agency noncompliant with? Or, to take the optimistic view, how many is your agency compliant with?
Are you sure?
There is no doubt that some of the agencies that were cited as noncompliant with each of the Top 5 Issues thought they were compliant. With noncompliance rates of 43%, 36%, 35%, 34% and 33%, respectively, it is clear that there are some major gaps somewhere. To better understand these compliance requirements, we should take a closer look at what CJIS is.
What is CJIS?
The FBI Criminal Justice Information Services Division (CJIS) is a part of the United States Federal Bureau of Investigation (FBI). CJIS was first created in the early 90s and is currently the most influential division of the FBI.
The CJIS criminal justice system is made up of many departments including the FBI’s National Crime Information Center (NCIC), the Integrated Automated Fingerprint Identification System (IAFIS) and the National Instant Criminal Background Check System (NICS). The goal of CJIS is to minimize criminal and terrorist activities by maximizing the capability to provide critical criminal justice information to the FBI and local law enforcement.
There have been many changes to the way law enforcement handles sensitive data exchange since the inception of CJIS. Because of this, CJIS releases a new security policy every so often to keep agencies and CJIS data secure. Download the latest version (5.4) here.
Advanced Authentication – the “Most Wanted” Requirement
The FBI CJIS Security Policy is essentially a checklist of requirements that handlers of CJIS data must follow. Section 5.6 of the policy mandates advanced authentication for anyone who has access to CJIS data from an “unsecured location”.
The term “Authentication” refers to the process of verifying a user’s identity when that user requests secure access to CJIS systems. Typical “One-Factor Authentication” is when a user logs in with only a username and password.
“Advanced Authentication” or “Two-Factor Authentication” requires an additional, separate factor or credential in order to complete the log-in process. This second credential is often delivered as a one-time PIN (OTP) that is obtained from something the user physically has in his or her possession (e.g. an app or SMS text message on a cell phone, a hard token or a paper token). These OTPs cannot be memorized like standard passwords because they are designed to change every time the user logs in. More information on the CJIS Advanced Authentication mandate and solutions made to comply with it can be found here.
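To make the “something you have” factor concrete, here is an added example (not from this newsletter or from DCI’s products) of how a server can verify a password plus a time-based OTP of the kind a hard token or authenticator app produces. The user record, salt and password are constructed for the demo; the OTP secret is the published RFC 4226/6238 test-vector key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo user record. The OTP secret is the RFC 4226/6238 test-vector
# key (ASCII "12345678901234567890"); a real deployment provisions a random
# per-user secret on the token or authenticator app.
DEMO_SALT = b"demo-salt"
DEMO_USER = {
    "username": "officer1",
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", DEMO_SALT, 100_000),
    "otp_secret": b"12345678901234567890",
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): one code per counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the current 30-second step,
    so the code changes over time and cannot be memorised or reused later."""
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, submitted: str, at: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accept the current step plus/minus `window` steps to
    tolerate token clock drift; compare in constant time."""
    return any(
        hmac.compare_digest(totp(secret, at + k * step, step), submitted)
        for k in range(-window, window + 1)
    )

def login(user: dict, password: str, otp: str, at: int) -> bool:
    """Two-factor login: something you know (password) AND something you have (token)."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000),
        user["pw_hash"],
    )
    # Evaluate both factors regardless, so a failed login does not reveal which one was wrong.
    otp_ok = verify_totp(user["otp_secret"], otp, at)
    return pw_ok and otp_ok
```

Note that the verifier also needs replay protection (never accept the same code twice within a step) and rate limiting; those are left out here to keep the mechanism visible.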
Are you still sure?
If not, or if you’d like to verify where you stand, drop me a line and I or someone on the CJIS ACE team will be happy to help.
Until next time, be safe.
William “Bill” Tatun, CISSP, CISM
Chief Information Security Officer
Diverse Computing Inc.
Were you forwarded this newsletter and find the content useful? Then please take a few seconds and subscribe to our newsletter.
CJIS ACE is a division at DCI that helps law enforcement agencies comply with the FBI CJIS Security Policy and NCIC requirements. CJIS ACE services are designed to help you be proactive in strengthening your agency’s information security profile and comply with any other security policies that may be required (e.g. a State or County IT Security Policy). CJIS ACE brings real-world experience at the ready to assist your agency’s personnel in navigating the daunting and complicated path through audits and information security policy compliance.