Oct 26, 2022
When is a Password not a Password?
Well, it happened! CJIS Security Policy version 5.9.1 hit the streets on October 1st, and guess what? The world as we know it didn’t end; well, at least not yet. Don’t worry; there’s more coming.
In the next CJISSECPOL release, we’ll see the update to Section 5.6 Identification and Authentication, or, as the new control family is called, “IA” (that’s easy, right?). This one is going to be a fairly significant change. Heads-up: I will not be going as in-depth on this one as I did with MP. IA takes us from eight pages in the current policy to a little over 68 pages in the new one.
Pretty big jump, right? There are good reasons for the increase, mainly because it includes information that saves us from having to look it up in other documents. Additionally, the different processes used for authentication are explained in greater detail, and the processes for identity verification, now called “identity proofing” (get used to that phrase), are also defined in greater detail.
Let’s dive in. If you remember, I told y’all that these control families typically start with a requirement for policies and procedures, which here is IA-1. IA follows that pattern, but first they snuck something in on us. IA-0 is a hold-over from the current policy that is strictly a CJIS-related issue. IA-0 is just 5.6.1 from the current policy (it’s about ORIs), so I’m going to skip it and jump to IA-1.
IA-1 POLICY AND PROCEDURES
a. Develop, document, and disseminate to authorized personnel all personnel when their unescorted logical or physical access to any information system results in the ability, right, or privilege to view, modify, or make use of unencrypted CJI:
1. Agency/Entity identification and authentication policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;
b. Designate an individual with security responsibilities to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and
c. Review and update the current identification and authentication:
1. Policy annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI; and
2. Procedures annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI.
Related Controls: AC-1, PS-8, SI-12.
If you go back and look at the newsletter titled “You Can’t Choose Your Control Family” from January of this year, you’ll see the wording is almost identical. The big thing with all of the “policy and procedure” controls is the annual review and update, and the review and update after a security incident. And I’ll bet you the auditors are gonna ask for some type of documentation that you did just that. Don’t say that you haven’t been warned.
Finally, to answer the question “When is a Password not a Password?”: you’re just going to have to wait and keep reading these crazy newsletters. Yeah, I know it’s a setup, but I gotta keep your attention somehow. I will answer it in the future.
As always, if you have questions about these updates, CJIS ACE is there to help you understand them so you can be compliant. For CJIS ACE Insight customers, we’ll go through this together as Insight gets updated.
You can always learn more about what we at CJIS ACE can do for you and your agency. I’d enjoy a chance to talk with you; gimme a call or send me an email.
Y'all take care.