Larry Coffee

Sep 24, 2022

It's Almost Here

Hi Y’all,

If you’re reading this it's probably your first newsletter, or maybe you’re bored, or you’re hoping there’s going to be something good. Well, I reckon I have some news, whether it’s good or not will depend on your perspective.

As mentioned in last month’s newsletter, very solid intel says the update to the CJIS Security Policy (version 5.9.1) will be released on October 1st. Several things you need to know. First, and this may seem trivial but it is important, the current acronym for the CJIS Security Policy is CSP, but once the update is out it will be CJISSECPOL. The main reason for this change is that in a future update, the term CSP will stand for credential service provider… more on that later.

Second, the update will incorporate the Media Protection (MP) control family, and some information regarding the findings from the Interpretive Guidance Task Force (IGTF). The MP control family is what I’ve been ‘splaining to y’all since February. There was a possibility that we could have gotten three other control families (IA-Identification and Authentication, AR-Awareness and Training, and SI-System and Information Integrity), but it looks like those won’t be released until the spring.

Finally, and most important, though released, unless specifically identified as such, the new policies don’t take effect or, to put it another way, are not immediately sanctionable by the FBI. Please understand, that does not mean that auditors (both state and FBI) won’t be asking you about the new policy requirements. If I were still in that world, you can bet at the next audit I would be talking about the changes, and telling you “get ready”. It’s my understanding, and I could be wrong, that the new requirements will become “sanctionable” one (1) year from release. That gives you a little time to get ready.

You should be able to find the new update here after the 1st:

After this CJISSECPOL release we will continue to provide information about upcoming policy revisions. The next section to review is the Identification and Authentication (IA) Control Family, and I’ve chosen that one because it’s going to have an impact on everyone. There’s a lot of new stuff that y’all will need to consider and work through.

As always if you have questions about these updates, CJIS ACE is there to help you understand them so you can be compliant. For CJIS ACE Insight customers, we’ll go through this together as Insight gets updated.

You can always learn more about what we at CJIS ACE can do for you and your agency. I’d enjoy a chance to talk with you; gimme a call or send me an email.

Y'all take care.

