Hey Y’all,

I always try to pick a topic that impacts the most folks and I think I have one. Almost everyone in our business carries a smartphone. Some of y’all even carry two (for good reason.) The CJISSECPOL has some things to say about smartphones that process, store or transmit CJI. If your agency is going to use smartphones related to CJI operations, you need to be on your game.

You can’t just start accessing CJI from a smartphone and hope it’s OK. You have to make sure your processes and controls are compliant. Before I go too far, I want to stress that accessing your work email from a smartphone, as long as your agency is not emailing CJI, is not considered accessing a CJI system, and as such, typically doesn’t need to follow these requirements.

The Mobile Devices Section 5.20, formerly 5.13, has been around since August of 2014. Back then the idea was to bring all of the requirements together that affected mobile devices, with a primary focus on smartphones and tablets. Prior to that, all of the requirements were in the section covering Access Control (the old 5.5).

With the modernized version of the Policy, things are back to being a little more spread out. Just a quick heads-up, solid rumor has it that 5.20 will be going away. The belief is that the other sections of the Policy handle all of the requirements. I’m not so sure, but it ain’t my call.

The new places to look for guidance is back to… wait for it… Access Control. What goes around comes around. Controls AC-18, AC-19, and AC-20 and their Control Enhancements are gonna give the info (along with 5.20.) I’m not gonna get into these right now, but we got something coming to a newsletter near you next month that should be helpful navigating these waters. Keep a sharp look-out.

Until 5.20 goes away (and even maybe after), we still have to play by those rules, including, among others things, running an Mobile Device Management (MDM) solution, which is probably the biggest requirement.

Don’t forget that CJIS ACE is here to help. With our CJIS Insight application, you can track all of these controls related to smartphones and tablets, especially this MFA stuff, and make sure you’re ready. Whether you want us to walk you through the policy with a CJIS ACE Assessment or you wanna tackle it yourself, CJIS Insight can help you show how you’re meeting all those CJISSECPOL Controls.  

You can always learn more about what we at CJIS ACE can do for you on our website and I’d enjoy a chance to talk with you, gimme a call or send me an email at info@cjisace.com.