
Here We Go Again


It’s that time again, folks. The FBI CJIS Advisory Policy Board (APB) had its Fall 2016 meeting in Phoenix to discuss and approve a myriad of CJIS topics (APB meetings are held in June and December.)


As usual, there were several topics presented for approval that could affect the CJIS Security Policy (CSP). Those topics were part of the Security and Access (SA) Subcommittee Chairman’s Report to the APB.


The SA Chair presented a total of eleven topics, of which only three (3) had a direct impact on the CJIS Security Policy. All three were approved by the APB.


The goal of this newsletter is to help keep y’all ahead of what’s going on so that you aren’t surprised by the changes.


A quick reminder about approved APB topics — just because they were approved does not guarantee that they will be part of the CSP. There is an extremely good possibility that they will become part of the CSP, but the FBI Director does have final override or veto authority. The information below is provided as a heads-up, but it is not “written in stone”.


  1. APB Item #16, SA Issue #2 titled – Update to Encryption for Criminal Justice Information (CJI) at Rest, Section. This topic was approved by the APB.


This topic talked about changing certain language specifying the approved level for encrypting CJI data at rest.


The change: The APB approved change removes the language “as described on the National Security Agency (NSA) Suite B Cryptography list of approved algorithms” from section, and other sections. Essentially, CJI at rest must be encrypted using a FIPS 197 certified (AES) cipher to at least 256 bits.


Does this affect you: It could. If you are encrypting data at rest outside of a CSP defined physically secure location, the change slightly modifies the requirements. You still need to go get the FIPS certificate for the cipher that you are using (see the link above.)


When will we see this: This change should show up in CSP version 5.6, summer of 2017.


  2. APB Item #16, SA Issue #3 titled – Encrypting CJI Stored or Accessed within a Cloud Environment. This topic was approved by the APB.


This topic was to clarify scenarios where encryption is used to protect CJI in a cloud (hosted) solution.


The change: The APB approved change updates Appendix G.3 Cloud Computing. First thing to remember, information in the CSP Appendices is typically guidance, not policy, and G.3 is one of those situations. It is the guidance for agencies seeking to use cloud or hosted solutions. This change does not change policy, but it does clarify certain situations regarding encryption within the cloud. CJI related cloud solutions are already required to comply with all applicable requirements in the CSP.


Does this affect you: It could, if your agency stores or processes CJI in a hosted solution. This change could clarify for you what your agency should be doing.


When will we see this: This change should show up in CSP version 5.6, summer of 2017.


  3. APB Item #16, SA Issue #4 titled – Standard Authenticator Use in the CSP. This topic was approved by the APB.


This topic recommended changes to address the use of one-time passwords (OTP) as authenticators. An example of a one-time password is a code sent by text message to authenticate access.


The change: The APB approved change adds a new section about one-time passwords, and adds the term “one-time password” to the Terms and Definitions.


The new language should look like this:


  • One-time Passwords (OTP)

  • One-time passwords are considered a “something you have” token for authentication. Examples include bingo cards, hard or soft tokens, and out-of-band tokens (i.e., OTP received via a text message).


When agencies implement the use of an OTP as an authenticator, the OTP shall meet the requirements described below.


  • Be a minimum of six (6) randomly generated characters.

  • Be valid for a single session.

  • If not used, expire within a maximum of five (5) minutes after issuance.



One-time Password – A disposable, single-use standard authenticator for accessing CJI. One-time passwords are: minimum of six (6) randomly generated characters; valid for a single session; and if not used, expire within a maximum of five (5) minutes after issuance.


Does this affect you: If your agency uses a one-time password for authentication purposes, typically as part of an advanced authentication solution, you will need to review these changes. If your solution uses one-time passwords, you need to make sure that the authenticator 1) is at least six randomly generated characters, 2) can only be used for one session, and 3) expires within five minutes if not used.


When will we see this: This change should show up in CSP version 5.6, summer of 2017.
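As an added illustration (not part of the newsletter and not FBI or CJIS code), this Python sketch enforces the three OTP rules quoted above: a code of at least six characters drawn from a cryptographically secure generator, single use, and expiry five minutes after issuance if unused. The alphabet, the injected clock, and the class and function names are my own assumptions.

```python
import secrets
import string
import time
from dataclasses import dataclass

# Limits taken from the approved CSP 5.6 OTP language quoted above.
OTP_MIN_LENGTH = 6
OTP_MAX_LIFETIME_SECONDS = 5 * 60

# Assumption: an upper-case alphanumeric OTP alphabet (the CSP does not prescribe one).
ALPHABET = string.ascii_uppercase + string.digits


@dataclass
class IssuedOtp:
    value: str
    issued_at: float


class OtpAuthenticator:
    """Hypothetical OTP issuer/verifier that meets the CSP 5.6 OTP requirements."""

    def __init__(self, length=OTP_MIN_LENGTH, lifetime=OTP_MAX_LIFETIME_SECONDS, clock=time.time):
        if length < OTP_MIN_LENGTH:
            raise ValueError("CSP requires an OTP of at least six characters")
        if lifetime > OTP_MAX_LIFETIME_SECONDS:
            raise ValueError("CSP requires an unused OTP to expire within five minutes")
        self.length = length
        self.lifetime = lifetime
        self.clock = clock  # injectable so expiry can be tested without waiting
        self._pending = {}  # user -> IssuedOtp; one outstanding OTP per user

    def issue(self, user):
        # secrets (CSPRNG), never random: the OTP must be unpredictable.
        value = "".join(secrets.choice(ALPHABET) for _ in range(self.length))
        self._pending[user] = IssuedOtp(value, self.clock())
        return value

    def verify(self, user, candidate):
        issued = self._pending.get(user)
        if issued is None:
            return False  # nothing outstanding, or already consumed
        if self.clock() - issued.issued_at > self.lifetime:
            del self._pending[user]  # expired unused: discard, never accept
            return False
        if not secrets.compare_digest(issued.value, candidate):
            return False
        del self._pending[user]  # valid for a single session only
        return True
```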


If you would like to see the SA topic papers that were presented to the APB, click here : Fall 2016 CSP related topics.


Also, at the APB the SA Chair mentioned a number of ad hoc topics that were discussed during the Fall SA Subcommittee meeting. There were no topic papers associated with these topics. I add them so you will be aware of the things that may be on the horizon. I have no information regarding what was discussed at SA as I am not privileged to the SA meetings.


Ad Hoc Issues:


  • MDM [mobile device management] – Indirect vs. Direct

  • Security of CJIS Data Stored in Offshore Cloud Computing Facilities

  • Cloud Metadata Use

  • Continued Access to CJI when Security Awareness Training has Expired

  • Policy Update Related to Previous APB Decisions on Management Boards

  • Level Policy Language for Indirect vs. Direct Access

  • Mobile Task Force Discussion

  • Emergency Communications Centers & MCAs [management control agreements]

  • CSO Delegation for Vendor/Contractor Background Review


Again, the issues listed above were discussed by the SA Subcommittee. These could appear as topic papers in the spring, sometime in the future, or never. Again, the inclusion of the list is to give you an idea of the topics being discussed at the SA.


Finally, I mentioned in the last APB update newsletter that there is a Cloud Task Force. There were not any topics that were voted on regarding CSP changes to cloud computing. Maybe we’ll hear something in June.


If you have questions, send me an email and we’ll talk.


Y’all take care.


Larry Coffee