©2019 by Diverse Computing, Inc.

They’re At it Again!

 

Hope y’all had a Merry Christmas or other festive holiday celebration! I figured to get in a newsletter before the end of the year. As you are well aware, the FBI CJIS Advisory Policy Board (APB) met early in the month of December for one of their biannual meetings.

 

I’ve been telling y’all from the get-go that they’re gonna have topics that will affect the CJIS Security Policy in every meeting, and this time ain’t no difference (you grammar enforcers out there can calm down about double negatives.)

 

The SA Chair presented several topics, of which two (2) had a direct impact on the CJIS Security Policy. Both were approved by the APB.

 

Time for the disclaimers! First, the goal of this newsletter is to help keep y’all ahead of what’s going on so that you aren’t surprised by the changes.

 

Second, this is a quick reminder about approved APB topics: just because they were approved does not guarantee that they will be part of the CSP. There is an extremely good possibility that they will become part of the CSP, but the FBI Director does have final override or veto authority. The information below is provided as a heads-up, but it is not “written in stone”.

 

APB Item #17, SA Issue #1 titled – CJIS Security Policy Language Changes in Section 5.12 (Personnel Security). This topic was approved by the APB.

 

This topic talked about making changes to the language in the policy regarding “access” to CJI.

 

-The change: The words that are bold, italicized, and underlined are the new wording. The words that are strikethrough are being deleted. Since there is so much, I’m excluding any paragraphs with numbering-only changes. There’s a lot to this, but I want y’all to see the agreed-upon changes.

 

5.12 Policy Area 12: Personnel Security

 

Having proper security measures against the insider threat is a critical component for the CJIS Security Policy. This section’s security terms and requirements apply to all personnel who have unescorted access to unencrypted CJI including those individuals with only physical or logical access to devices that store, process or transmit unencrypted CJI.

 

5.12.1 Personnel Screening Requirements for Individuals Requiring Unescorted Access to Unencrypted CJI Security Policy and Procedures

 

5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI:

 

  1. To verify identification, state of residency and national fingerprint-based record checks shall be conducted within 30 days of assignment prior to granting access to CJI for all personnel who have direct unescorted access to unencrypted CJI and or unescorted access to physically secure locations or controlled areas (during times of CJI processing). those who have direct responsibility to configure and maintain computer systems and networks with direct access to CJI. However, if the person resides in a different state than that of the assigned agency, the agency shall conduct state (of the agency) and national fingerprint-based record checks and execute a Nlets CHRI IQ/FQ/AQ query using purpose code C, E, or J depending on the circumstances. When appropriate, the screening shall be consistent with:

 

(i) 5 CFR 731.106; and/or

(ii) Office of Personnel Management policy, regulations, and guidance; and/or

(iii) agency policy, regulations, and guidance.

 

(See Appendix J for applicable guidance regarding noncriminal justice agencies performing adjudication of civil fingerprint submissions.) Federal entities bypassing state repositories in compliance with federal law may not be required to conduct a state fingerprint-based record check.

 

See Appendix J for applicable guidance regarding noncriminal justice agencies performing adjudication of civil fingerprint submissions.

 

  1. If a felony conviction of any kind exists, the hiring authority in the Interface Agency shall deny access to CJI. However, the hiring authority may ask for a review by the CSO in extenuating circumstances where the severity of the offense and the time that has passed would support a possible variance.
     

  2. If a record of any other kind exists, access to CJI shall not be granted until the CSO or his/her designee reviews the matter to determine if access is appropriate.
     

  3. a)  If a felony conviction of any kind exists, the Interface Agency shall deny access to CJI. However, the Interface Agency may ask for a review by the CSO in extenuating circumstances where the severity of the offense and the time that has passed would support a possible variance.
     

  4. b) Applicants with a record of misdemeanor offense(s) may be granted access if the CSO, or his or her designee, determines the nature or severity of the misdemeanor offense(s) do not warrant disqualification. The Interface Agency may request the CSO review a denial of access determination. This same procedure applies if the person is found to be a fugitive or has an arrest history without conviction.
     

  5. c) If a record of any kind is found on a Contractor, the CGA shall be formally notified and system access shall be delayed pending review of the criminal history record information. The CGA shall in turn notify the contractor’s security officer.
     

  6. If the person is employed by a NCJA, the CSO or his/her designee shall review the matter to determine if CJI access is appropriate. This same procedure applies if this person is found to be a fugitive or has an arrest history without conviction.
     

  7. Support personnel, contractors, and custodial workers with access to physically secure locations or controlled areas (during CJI processing) shall be subject to a state and national fingerprint-based record check unless these individuals are escorted by authorized personnel at all times.
     

  8. The granting agency shall maintain a list of personnel who have been authorized unescorted access to unencrypted CJI and shall, upon request, provide a current copy of the access list to the CSO.

 

5.12.1.2 Personnel Screening for Contractors and Vendors

 

In addition to meeting the requirements in paragraph 5.12.1.1, contractors and vendors shall meet the following requirements:

 

  1. Prior to granting access to CJI, the CGA on whose behalf the Contractor is retained shall verify identification via a state of residency and national fingerprint-based record check. However, if the person resides in a different state than that of the assigned agency, the agency shall conduct state (of the agency) and national fingerprint-based record checks and execute a NLETS CHRI IQ/FQ/AQ query using purpose code C, E, or J depending on the circumstances.
     

  2. If a record of any kind is found, the CGA shall be formally notified and system access shall be delayed pending review of the criminal history record information. The CGA shall in turn notify the Contractor-appointed Security Officer.
     

  3. When identification of the applicant with a criminal history has been established by fingerprint comparison, the CGA or the CJA (if the CGA does not have the authority to view CHRI) shall review the matter.
     

  4. A Contractor employee found to have a criminal record consisting of felony conviction(s) shall be disqualified.
     

  5. Applicants shall also be disqualified on the basis of confirmations that arrest warrants are outstanding for such applicants.
     

  6. The CGA shall maintain a list of personnel who have been authorized access to CJI and shall, upon request, provide a current copy of the access list to the CSO.

 

Applicants with a record of misdemeanor offense(s) may be granted access if the CSO determines the nature or severity of the misdemeanor offense(s) do not warrant disqualification. The CGA may request the CSO to review a denial of access determination.

 

5.12.2 Personnel Termination

 

The agency, upon termination of individual employment, shall immediately terminate access to CJI. Upon termination of personnel employed by an interface agency, the agency shall immediately terminate access to local agency systems with access to CJI. Furthermore, the interface agency shall provide notification or other action to ensure access to state and other agency systems is terminated. If the employee is an employee of a NCJA or a Contractor, the employer shall notify all Interface Agencies that may be affected by the personnel change.

 

Changes to CJIS Security Policy Appendix J Noncriminal Justice Agency Supplemental Guidance:

 

APPENDIX J NONCRIMINAL JUSTICE AGENCY SUPPLEMENTAL GUIDANCE

 

  1. 5.12 – Personnel Security

 

CSP Section 5.12 provides agencies the security terms and requirements as they apply to all personnel who have unescorted access to unencrypted CJI, including individuals with only physical or logical access to devices that store, process or transmit unencrypted CJI.

 

CSP Section 5.12.1 details the minimum screening requirements for all individuals requiring unescorted access to unencrypted CJI. – listed in CSP Section 5.12.1.1. In addition to the requirements listed in CSP Section 5.12.1.1 contractors and vendors must undergo additional screening requirements as listed in CSP Section 5.12.1.2.2.

 

-Does this affect you: Not really. These changes were designed to clear up confusion regarding “access”. The things to concentrate on are the changes in the first paragraph (new wording): “To verify identification, state of residency and national fingerprint-based record checks shall be conducted prior to granting access to CJI for all personnel who have unescorted access to unencrypted CJI or unescorted access to physically secure locations or controlled areas (during times of CJI processing).” This is not new, just clarification.

 

-When will we see this:  This change should show up in CSP version 5.7, summer of 2018.

 

APB Item #17, SA Issue #2 titled – CJIS Security Policy Restriction for Criminal Justice Information (CJI) Stored in Offshore Cloud Computing Facilities. This topic was approved by the APB.

 

This topic proposed language changes to CSP Section 5.10.1.5 to restrict where CJI can be stored in cloud computing facilities.

 

-The change:  The following additional language was approved for CSP Section 5.10.1.5.

 

The storage of CJI, regardless of encryption status, shall only be permitted in cloud environments (e.g. government or third-party/commercial data centers, etc.) which reside within the physical boundaries of APB-member country (i.e. U.S., U.S. territories, Indian Tribes, and Canada) and legal authority of an APB-member agency (i.e., U.S. – federal/state/territory, Indian Tribe, or the Royal Canadian Mounted Police (RCMP)).

 

Note: This restriction does not apply to exchanges of CJI with foreign criminal justice agencies under international exchange arrangements (i.e., the Preventing and Combating Serious Crime (PCSC) agreements, fugitive extracts, and exchanges made for humanitarian and criminal investigatory purposes in particular circumstances).

 

-Does this affect you: Depending on your cloud service vendor, this could have a huge impact. You need to confirm where your data is kept by any vendor or subcontractor. Many of you have contracts with vendors who subcontract cloud services as part of their offering. For example, data for Larry’s CAD Services is stored and processed at their facility in Florida, but they have a hot backup site in the UK. This arrangement would not comply with this change.

 

You need to confirm where your agency, and any agency vendor, processes or stores CJI. IMPORTANT: It does not matter if the data is encrypted; it’s about the location of the data center.

 

-When will we see this: This change should show up in CSP version 5.7, summer of 2018.

 

There wasn’t much this time around, except the length of the first issue, but that second issue could cause some trouble. If you have questions, gimme a holler.

 

Y’all take care.