Two For the Price of One
They did it again. I told you; it just doesn’t stop!
The FBI CJIS Advisory Policy Board met again in Jacksonville, FL on June 7th and 8th, and they had a number of CJIS related topics, but only a few that impact the CJIS Security Policy (CSP).
I always try to get a newsletter out to y’all soon after the meeting so you’ll have an idea of what’s coming in the future.
But before we go any further, I need to give y’all the “Standard Disclaimer.”
A quick reminder about approved APB topics; just because they were approved does not guarantee that they will be part of the CSP. There is an extremely good possibility that they will become part of the CSP, but the FBI Director does have final override or veto authority. The information below is provided as a heads-up, but it is not “written in stone.”
The Security and Access (SA) Chair presented a total of twelve topics, of which only three (3) had a direct impact on the CJIS Security Policy. Two were approved by the APB, and one was sent back to SA for more work.
APB Item #16, SA Issue #7 titled – CJIS Systems Officer Delegation Authorization of Personnel Screening Requirement for Contractors and Vendors. This topic was approved by the APB.
This topic proposed allowing CSOs to delegate review/approval to a designee for contractors and vendors with records found during the required background check process. Up until this change, only the CSO could complete the review and approval/disapproval.
The change: The APB-approved change adds the language “, or his or her designee,” to section 188.8.131.52. Essentially, this change allows a CSO designee to review and approve vendors/contractors with a misdemeanor offense(s). This change does not alter the criteria that a CSO/CSA uses for the review/approval process.
Does this affect you: Not really. This just allows delegation of authority to make decisions at the CSO level.
When will we see this: This change should show up in CSP version 5.7, summer of 2018.
APB Item #16, SA Issue #9 titled – Security of Criminal Justice Information Stored in Offshore Cloud Computing Facilities. This topic was sent back to the Security & Access (SA) Subcommittee by the APB for further work.
This topic proposed to not permit the storage of CJI, regardless of encryption status, in data centers that are located outside of the United States or U.S. territories.
The change: The APB proposed change was to add language to section 184.108.40.206 – “The storage of CJI, regardless of encryption status, shall not be permitted in any cloud environment (e.g. datacenter, etc.) residing outside of the United States (U.S.) and U.S. territories.” THIS WAS NOT APPROVED, however, it will be tweaked. The APB kicked it back to SA for work. We’ll probably see the proposed updated changes in the Spring of 2018.
Does this affect you: Again, this was not approved, but this issue is not “dead.” Depending on what comes out of SA, this could have an impact if you use a cloud vendor that stores any CJI outside of the U.S., even if those files are encrypted to acceptable CSP standards. Keep an eye out for this one; it could cause some agencies and vendors some problems.
When will we see this: It depends on when the updates move forward through the APB. The topic was referred back to SA. The Working Groups will start the Fall process in August, but the SA won’t meet again until October. Unless SA has an ad hoc conference call meeting before August, this topic probably won’t reappear until next Spring. We’ll keep an eye out for this one.
APB Item #16, SA Issue #10 titled – Collection and Use of Metadata by Cloud Service Providers. This topic was approved by the APB.
This topic proposed adding a definition of metadata in Appendix A: Terms and Definitions, and changing the policies associated with cloud computing and metadata in section 220.127.116.11.
The change: The APB-approved changes add a new definition for metadata – Structured information that describes, explains, locates or otherwise makes it easier to retrieve, use or manage an information resource. Metadata is commonly referred to as data about data, information about information, or information describing the characteristics of data.
The change also strikes the current language in section 18.104.22.168 Cloud Computing – The metadata derived from CJI shall not be used by any cloud service provider for any purposes. The cloud service provider shall be prohibited from scanning any email or data files for the purpose of building analytics, data mining, advertising, or improving the services provided.
And replaces it with new language – Metadata derived from unencrypted CJI shall be protected in the same manner as CJI and shall not be used for any advertising or other commercial purposes by any cloud service provider or other associated entity.
The agency may permit limited use of metadata derived from unencrypted CJI when specifically approved by the agency and its “intended use” is detailed within the service agreement. Such authorized uses of metadata may include, but are not limited to the following: spam and spyware filtering, data loss prevention, spillage reporting, transaction logs (events and content – similar to Section 5.4), data usage/indexing metrics, and diagnostic/syslog data.
Does this affect you: For those of you who use (or are) a cloud vendor, this change provides a specific definition for metadata and clarifies the required protection and permitted uses of metadata derived from unencrypted CJI. This may provide some relief for agencies and cloud vendors. The previous language could be interpreted to mean that CJI metadata could not be used for any purpose at all. I don’t think that was the original intent, but the new change should clear up some of those questions.
When will we see this: This change should show up in CSP version 5.7, summer of 2018.
If you would like to see the topic papers for the above issues and the others that I didn’t talk about, click here: Spring 2017 CSP related APB topics.
Also, the SA Chair mentioned a number of ad hoc topics that were discussed during the Spring SA Subcommittee meeting. There were no topic papers associated with these topics. I add them so you will be aware of the things that may be on the horizon. I have no information regarding what was discussed at SA, as I am not privy to the SA meetings.
Ad Hoc Issues
MDM and Compensating Controls
Background Check Process for Non-US Citizens
CJIS Security Policy, Section 5.12
Again, the issues listed above were discussed by the SA Subcommittee. These could appear as topic papers in the spring, sometime further in the future, or never. Remember, the inclusion of this list is only to give you an idea of the topics being discussed at SA.
And while I’m on the subject of the APB, at the meeting, George White, the FBI CJIS ISO, announced the release of CJIS Security Policy Version 5.6.
The newest version is available for your enjoyment, and you can get your own copy at:
Some of the changes that you’ll find in this new version are:
Section 22.214.171.124 Standard Authenticators: added language concerning tokens and one-time passwords.
Section 126.96.36.199 Standard Authenticators: added a new Section 188.8.131.52.3 One-time Passwords (OTP). Defines the requirements for one-time passwords.
Section 184.108.40.206 Encryption: modified the language in the section, clarifying encryption requirements in the CJIS Security Policy.
Section 220.127.116.11.1 Encryption for CJI in Transit: created a new section for encryption of CJI in transit and realigned requirements within the section. Helps clarify encryption requirements in the CJIS Security Policy.
Section 18.104.22.168.2 Encryption for CJI at Rest: created a new section for encryption of CJI at rest and realigned requirements within the section. Helps clarify encryption requirements in the CJIS Security Policy.
Section 22.214.171.124.2 Encryption for CJI at Rest: removed the reference to National Security Agency (NSA) Suite B Cryptography for encryption of Criminal Justice Information (CJI) at rest.
Section 126.96.36.199.3 Public Key Infrastructure (PKI) Technology: created a new section for encryption with Public Key Infrastructure (PKI) technology and added language, clarifying encryption requirements in the CJIS Security Policy.
Appendix A Terms and Definitions: added new definitions for “Asymmetric Encryption”, “Hybrid Encryption”, “Symmetric Encryption.”
Appendix B Acronyms: added new acronyms – “OTP – One-time Password”,
Appendix G.3 Cloud Computing: modified the language throughout the appendix regarding encrypting CJI stored or accessed within a cloud environment.
Appendix G.6 Encryption: created a new best practices appendix.
We’ll dig deeper into these changes and other topics in future newsletters. Until then, enjoy the read.
I know this was a long one. I figured I’d take care of two topics in one go. If you have questions, send me an email and we’ll talk.
Y’all take care.