CJIS SECURITY POLICY MODERNIZATION archive


Oct 26, 2022

When is a Password not a Password?

Hello again,

Well it happened! CJIS Security Policy version 5.9.1 hit the streets on October 1st, and guess what? The world as we know it didn’t end; well, at least not yet. Don’t worry; there’s more coming.

In the next CJISSECPOL release, we’ll see the update to Section 5.6 Identification and Authentication or, as the new control family is called, “IA” (that’s easy, right?). This one is going to be a bit of a significant change. Heads-up, I will not be going as in-depth with this one as I did with MP. IA takes us from eight pages in the current policy to a little over 68 pages in the new one.


Sep 24, 2022

It's Almost Here

Hi Y’all,

If you’re reading this it's probably your first newsletter, or maybe you’re bored, or you’re hoping there’s going to be something good. Well, I reckon I have some news, whether it’s good or not will depend on your perspective.

As mentioned in last month’s newsletter, very solid intel says the update to the CJIS Security Policy (version 5.9.1) will be released on October 1st. Several things you need to know. First, and this may seem trivial but it is important, the current acronym for the CJIS Security Policy is CSP, but once the update is out it will be CJISSECPOL. The main reason for this change is that in a future update, the term CSP will stand for credential service provider… more on that later.


Jul 27, 2022

Does Hand Sanitizer Work on Hard Drives?

Hey Y’all,

If it seems like this series is never ending, well, you’re close. There have been a lot of changes approved and more are on the way, and this is just part six of the first series! I’m hoping y’all are kinda paying attention to these “ramblings” so you won’t be caught off guard.

NOTE: These changes have been “approved” but have not been published (as of 7/27/2022). We are waiting for the FBI Director’s signature to move forward. Additionally, there may be some minor differences between what I’ve pointed out and what gets published in the CJISSECPOL (by the way, that’s the new acronym for the CJIS Security Policy). I base these newsletters on the APB Topic Papers.

The Control for this newsletter is MP-6 Media Sanitization, and once again this one’s not really new. 

MP-6 Media Sanitization


Jun 22, 2022

Planes, Trains, & Automobiles

Hey Y’all,

We’re still working our way through the changes to the Media Protection Section (5.8) that were approved by the CJIS Advisory Policy Board (APB) back in December 2021. Just a quick heads up, there's still no word as to when the new policy will be released but we will be on the front lines and let you know when it appears. As soon as I hear something, I’ll send something out.

The Control for this newsletter is MP-5 Media Transportation, and it too, like the previous one from the last newsletter (MP-4 Media Storage), is not really new. The BOLD emphasis is mine. And here we go...

MP-5 MEDIA TRANSPORTATION


May 4, 2022

No Need for Storage Wars

I’m back!

We’re still working through the changes to the Media Protection Section (5.8) that were approved by the CJIS Advisory Policy Board (APB) back in December 2021. If all goes accordingly, you should see them in the next iteration of the CJIS Security Policy (CSP) in the next month or so. 

We continue to work through the Media Protection Controls that will become part of the CJISSECPOL in the near future. The Control for this newsletter is MP-4 Media Storage, and guess what? This one is not really new.

MP-4 MEDIA STORAGE


Apr 1, 2022

Mark My Words or Media...

Hello again, Everyone!

We’re still working through the changes to the Media Protection Section (5.8) that were approved by the CJIS Advisory Policy Board (APB) back in December 2021. If all goes accordingly, you should see them in the next iteration of the CJIS Security Policy (CSP) in the next month or so. 

We have two Controls down, five more to go (including this one.) The Control for this newsletter is MP-3 Media Marking. This is a new one, folks, as we haven’t seen this requirement before in the CSP (by the way, in the future the acronym “CSP” will no longer refer to the CJIS Security Policy, but more on that in another newsletter...)

MP-3 MEDIA MARKING


Feb 4, 2022

Do You Have Access?

Hey y’all,

It’s time for the next installment of “Changes to the CJIS Security Policy.” Last time I talked about the new media protection policy (MP-1). It was kinda long, so I’m gonna give y’all a break this month. 

The Control for this time is MP-2 Media Access. 

MP-2 MEDIA ACCESS

Control: Restrict access to digital and non-digital media to authorized individuals.


Jan 18, 2022

You Can't Choose Your Control Family

Hey y’all,

I’m back with another edition of “Changes to the CJIS Security Policy.” In our last episode, the CJIS community discovered that changes were afoot with the CJIS Security Policy. Let’s continue with one of those changes.

So, the previous newsletter talked about a new format for items in the CSP. These items are called controls and they are presented as part of what is called a “Security and Privacy Control Family”, in a format that includes Title, Control, Discussion, Related Controls, Control Enhancements, and References.


Nov 20, 2021

The More Things Change

Hope y’all had all sorts of happiness during your holidays!

Well, it has been some time since I wrote one of these and I figured now would be a good time. It has been over ten years since the CJIS Security Policy was rewritten and I want y’all to know that change is a-comin'!
