
Larry Coffee

Oct 26, 2022

When is a Password not a Password?

Hello again,

Well it happened! CJIS Security Policy version 5.9.1 hit the streets on October 1st, and guess what? The world as we know it didn’t end; well, at least not yet. Don’t worry; there’s more coming.

In the next CJISSECPOL release, we’ll see the update to Section 5.6 Identification and Authentication, or as the new control family is called, “IA” (that’s easy, right?). This one is going to be a bit of a significant change. Heads-up, I will not be going as in-depth with this one as I did with MP. IA takes us from eight pages in the current policy to a little over 68 pages in the new one.

Pretty big jump, right? There are good reasons for the increase, mainly because it includes information that saves us from having to look it up in other documents. Additionally, the different processes used for authentication are explained in greater detail. The processes for identity verification, now called “identity proofing” (get used to that phrase), are also defined in greater detail.

Let’s dive in. If you remember, I told y’all that these control families typically start with a requirement for policies and procedures, IA-1. IA follows that pattern, but first they snuck something in on us. IA-0 is a hold-over from the current policy that is strictly a CJIS-related issue. IA-0 is just 5.6.1 from the current policy (it’s about ORIs), so I’m going to skip it and jump to IA-1.



a. Develop, document, and disseminate to authorized personnel all personnel when their unescorted logical or physical access to any information system results in the ability, right, or privilege to view, modify, or make use of unencrypted CJI:

   1. Agency/Entity identification and authentication policy that:

      (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

      (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

   2. Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;

b. Designate an individual with security responsibilities to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and

c. Review and update the current identification and authentication:

   1. Policy annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI; and

   2. Procedures annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI.

DISCUSSION: Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

Related Controls: AC-1, PS-8, SI-12.

If you go back and look at the newsletter titled “You Can’t Choose Your Control Family” from January of this year, you’ll see the wording is almost identical. The big thing with all of the “policy and procedure” controls is the annual review and update, and the review and update after a security incident. And I’ll bet you the auditors are gonna ask for some type of documentation that you did just that. Don’t say that you haven’t been warned.

Finally, to answer the question, “When is a Password not a Password?” You’re just going to have to wait and keep reading these crazy newsletters. Yeah, I know it’s a setup, but I gotta keep your attention somehow. I will answer in the future.

As always, if you have questions about these updates, CJIS ACE is there to help you understand them so you can be compliant. For CJIS ACE Insight customers, we’ll go through this together as Insight gets updated.

You can always learn more about what we at CJIS ACE can do for you and your agency. I’d enjoy a chance to talk with you; gimme a call or send me an email.

Y'all take care.
