
CJIS SECURITY POLICY MODERNIZATION ARCHIVE

Oct 16, 2025

Trick or Treat? Know the Difference in Your Inbox

Howdy y’all,


Not only is October a spooky season, but it’s also Cybersecurity Awareness Month. One of the scariest cyber attacks is social engineering, especially when it comes to Criminal Justice Information (CJI). Attackers don’t need any fancy code or specialized tools; they just need you to trust their Halloween disguise, whether it’s impersonating your boss, IT, HR, or even your own family.


Sep 17, 2025

Your Mobile Device Checklist is Here!

Hi everyone, 

Navigating the CJIS Security Policy can be challenging, especially when it comes to mobile devices. That’s why our team has created a handy Mobile Device Checklist to help streamline some of these requirements. 

Ready to get your copy?


Aug 28, 2025

Can You Hear Me Now?

Hey Y’all,

I always try to pick a topic that impacts the most folks and I think I have one. Almost everyone in our business carries a smartphone. Some of y’all even carry two (for good reason.) The CJISSECPOL has some things to say about smartphones that process, store or transmit CJI. If your agency is going to use smartphones related to CJI operations, you need to be on your game.


Jun 18, 2025

Your Password's Fancy New Name (and New Rules)

Hey Everyone!

This month, I want to provide an important update on recent changes to the CJIS Security Policy (CJISSECPOL) and how they affect one of our most common security controls: passwords.

First, you will notice a change in terminology. The updated policy now refers to passwords as "Memorized Secret Authenticators." While it may seem a bit complex, this change clarifies that the standard applies not just to traditional passwords, but also to passphrases and purely numeric PINs.

It is important to note that the password standards many of us have followed for years are now outdated.


May 15, 2025

Is your organization at risk?

Hi all,

One of the newer control families in the CJIS Security Policy (CJISSECPOL) is Risk Assessment (RA).

While a Priority 2, RA-3 requires that you conduct a risk assessment that includes:


Apr 21, 2025

What Kinda of Authentication?

If you haven’t looked at the modernized CJIS Security Policy yet (and you should have by now), there are a boatload of new requirements (they’re called Controls these days). Even though we’re in version 6.0 now, I’m gonna talk about one issue that has been in the Security Policy since December ‘22 that we get questions on, so it’s not really new.


Mar 17, 2025

The "Fun" Begins, or Continues...

Hey Y’all,

So, now that they’ve finished the modernization, what’s next? We’ve been on this journey for about the past five years, and it's pretty much completed. The APB has started making “tweaks” and cleaning up “stuff” that was left over from the modernization.

In the meantime, we gotta get to work on doing the compliance thing. The “good” thing is that the APB gave us a bit of a map of what to focus on first.


Feb 14, 2025

Be our CJIS Valentine?

Roses are red, violets are blue, 6.0 is here, don’t have CJIS compliance fear. 

If you’ve been keeping up with our newsletters, you may already know version 6.0 of the CJIS Security Policy just hit the streets and there are some new control families.


Jan 28, 2025

It's Done!

It’s Done….well it is, sorta kinda. The FBI CJIS ISO has released Version 6.0 of the CJIS Security Policy (CJISSECPOL), and in doing so made me a complete liar. From my previous experience with administration changes, i.e., new presidents, I wasn’t expecting to see this until late spring. They went ahead and sent it out.

When I say “it’s done”, I’m talking about the modernization of the CJISSECPOL.


Nov 5, 2024

How do you do that?

So now that October 1st is in the rearview mirror and you’re starting to realize there are a whole bunch of “Priority 1” controls that need to be addressed, I just want to remind you that there are other things out there. 

I know y’all are thinking, “Larry, we got three years to prepare for those Priority 2, 3, & 4s.”


Oct 1, 2024

Pumpkin spice and CJIS Compliance fright

We are officially into October which means it is Cybersecurity Awareness Month and time for our annual Fall pun newsletter. Don’t worry, we’ll creep it short.

A number of controls from the CJIS Security Policy are now sanctionable from the following control families


Sep 3, 2024

They Want It When???

Now that we’re unofficially done with Summer, temperatures have begun to drop, right? Not here in Florida, and on top of all that there’s a whole lot of new stuff that can be sanctionable starting next month that’ll definitely keep temperatures up.

Last month I reminded everyone that the new version 5.9.5 had been released for everyone’s reading (and compliance) pleasure. Don’t worry, nothing has come out since then, but there are some things that y’all really need to pay attention to.


Aug 1, 2024

The Heat is On...

Hope your summer is going well and you’re staying cool. It’s a tad warm here in North Florida as I’m sure it’s the same where you are.

Well, things are certainly heating up in the CJIS world with the release of the latest update to the CJIS Security Policy, version 5.9.5. I reckon with the summer all nice and warm, we’re all ready to “dive in” (yes, I know it’s sad, but I am dad, so I have an excuse.)

The good news is that there’s only one section or control family that will be updated: Section 5.7 Configuration Management.


Jun 4, 2024

Are we there yet?

Hey Y’all,

It’s been a while since my last newsletter; my apologies. They keep me busy and I’m trying to understand the modernized CJIS Security Policy (CJISSECPOL) so I can pass it along to y’all. I’m sure by now you’re well aware that we’re in version 5.9.4 (see the last CJIS ACE Newsletter from March.) If you remember properly, this journey started about a year and a half ago with the release of 5.9.1 and I can say that we are almost done with the modernization.


Mar 21, 2024

Will you accept this policy update? 🌹

Ladies and Gentlemen, 

With the most dramatic version yet, the newest edition of the CJIS Security Policy, 5.9.4, hit the streets on Leap Day. You may be feeling stressed and overwhelmed with all of the new changes happening, especially if you have an audit coming up soon. You may even be thinking “This changes everything”. 

We get it, we’ve been there, and we’re here to help you with your CJIS journey. 


Oct 26, 2022

When is a Password not a Password?

Hello again,

Well it happened! CJIS Security Policy version 5.9.1 hit the streets on October 1st, and guess what? The world as we know it didn’t end; well, at least not yet. Don’t worry; there’s more coming.

In the next CJISSECPOL release, we’ll see the update to Section 5.6 Identification and Authentication or as the new control family is called “IA” (that’s easy, right?). This one is going to be a bit of a significant change. Heads-up, I will not be going as in-depth with this one like I did with MP. IA takes us from eight pages in the current policy to a little over 68 pages in the new one.


Sep 24, 2022

It's Almost Here

Hi Y’all,

If you’re reading this it's probably your first newsletter, or maybe you’re bored, or you’re hoping there’s going to be something good. Well, I reckon I have some news, whether it’s good or not will depend on your perspective.

As mentioned in last month’s newsletter, very solid intel says the update to the CJIS Security Policy (version 5.9.1) will be released on October 1st. Several things you need to know. First, and this may seem trivial but it is important, the current acronym for the CJIS Security policy is CSP, but once the update is out it will be CJISSECPOL. The main reason for this change is that in a future update, the term CSP will stand for credential service provider… more on that later.


Jul 27, 2022

Does Hand Sanitizer Work on Hard Drives?

Hey Y’all,

If it seems like this series is never ending, well, you’re close. There have been a lot of changes approved and more are on the way, and this is just part six of the first series! I’m hoping y’all are kinda paying attention to these “ramblings” so you won’t be caught off guard.

NOTE: These changes have been “approved” but have not been published (as of 7/27/2022). We are waiting for the FBI Director’s signature to move forward. Additionally, there may be some minor differences in what I’ve pointed out and what gets published in the CJISSECPOL (by the way that’s the new acronym for the CJIS Security Policy.) I base these newsletters on the APB Topic Papers.

The Control for this newsletter is MP-6 Media Sanitization, and once again this one’s not really new. 

MP-6 Media Sanitization


Jun 22, 2022

Planes, Trains, & Automobiles

Hey Y’all,

We’re still working our way through the changes to the Media Protection Section (5.8) that were approved by the CJIS Advisory Policy Board (APB) back in December 2021. Just a quick heads up, there's still no word as to when the new policy will be released but we will be on the front lines and let you know when it appears. As soon as I hear something, I’ll send something out.

The Control for this newsletter is MP-5 Media Transportation, and it too, like the previous from the last newsletter (MP-4 Media Storage), is not really new. The BOLD emphasis is mine. And here we go...

MP-5 MEDIA Transportation


May 4, 2022

No Need for Storage Wars

I’m back!

We’re still working through the changes to the Media Protection Section (5.8) that were approved by the CJIS Advisory Policy Board (APB) back in December 2021. If all goes accordingly, you should see them in the next iteration of the CJIS Security Policy (CSP) in the next month or so. 

We continue to work through the Media Protection Controls that will become part of the CJISSECPOL in the near future. The Control for this newsletter is MP-4 Media Storage, and guess what? This one is not really new.

MP-4 MEDIA STORAGE
