The advancement and evolution of cloud computing over the years have created challenges when it comes to data security, compliance, and incident response.
If data is found in the wrong hands, it can be disastrous to civil liberties and erode public trust in government. Many state and local governments are seeking cloud solutions as a matter of necessity, and are concerned with staying compliant and secure regarding the Criminal Justice Information Services (CJIS) requirements.
What is CJIS?
Established in 1992, the Criminal Justice Information Services(CJIS), is the largest division of the FBI comprised of several departments. CJIS is focused on monitoring activities in local and international communities, employing analytics and statistics provided by law enforcement.
- As such, their database acts a repository and source for criminal justice information (CJI) to agencies around the country. The rapid rate of change in technology, coupled with sophisticated security threats, has challenged the department to evolve with the times in fulfilling its mission to protect civil liberties. Specifically, CJIS devised a set of security standards for organizations, cloud vendors,
local agencies and corporate networks.
To that end, the CJIS Security Policy provides Criminal Justice Agencies (CJA) and Noncriminal Justice Agencies (NJCA) with a minimum set of security requirements for access to CJIS systems and information for the protection and safeguarding of criminal justice information (CJI).
Not prioritizing CJIS requirements and the policies that pertain to you could lead to sanctions, penalties, and the like. According to the 2018 CJIS Year in Review, more than 26 million background checks alone were completed, and more than 3 billion transactions were conducted with more than 15 million records on file. Access is a privilege, not a right, and has to be treated as such.
But with a bit of knowledge and proper tools in place, access to CJI can be less of a liability and more asset.
Understanding CJIS
The underlying premise of the CJIS policies is to provide the appropriate controls to protect CJI data, from creation through dissemination; whether at rest or in transit.
CJI must be protected until the information is either (a) released to the public through an authorized disclosure, such as in a crime report; or (b) purged or destroyed in accordance with applicable record retention rules
There are thirteen policy areas that fall under the CJIS requirement:
| Policy Area 1: | Information Exchange Agreements |
| Policy Area 2: | Security Awareness Training |
| Policy Area 3: | Incident Response |
| Policy Area 4: | Auditing and Accountability |
| Policy Area 5: |
Access Control |
| Policy Area 6: | Identification and Authentication |
| Policy Area 7: | Configuration Management |
| Policy Area 8: | Media Protection |
| Policy Area 9: | Physical Protection |
| Policy Area 10: | Systems and Communications Protection and Information Integrity |
| Policy Area 11: | Formal Audio |
| Policy Area 12: | Personnel Security |
| Policy Area 13: | Mobile Devices |
Source: CJIS Policy Resource Center
According to the U.S. Department of Justice, the Policy integrates presidential directives, federal laws, FBI directives, the criminal justice community Advisory Policy Board (APB) decisions along with nationally recognized guidance from the National Institute of Standards and Technology (NIST) and the National Crime Prevention and Privacy Compact Council (Compact Council).
Determining CJIS Compliance
While guidance comes into play, it’s important to realize there is no central CJIS authorization body, no accredited pool of independent assessors, nor a standardized assessment approach to determining whether a particular solution is considered CJIS compliant. In other words, there’s no standardized CJIS compliance authority that works across all law enforcement agencies.
Instead, each law enforcement organization granting CJIS authorizations interprets solutions according to their own compliance standards. That means authorizations from one state are not necessarily recognized in other states or even the same state. As such, providers must submit solutions for review with each agency authorizing official.
Compliance Tools
That’s where CJIS requirements and CJIS compliance tools come into play. You rely on systems and data to conduct business and technical and operational issues must be considered when evaluating potential cloud computing solutions.
Along with data security, you must also prove security processes and policies are aligned with internal procedures and external regulations. The situation is more nuanced than you may realize, however. Using a cloud service provider (CSP) that aligns with CJIS security requirements doesn't automatically mean that your environment is covered by the CSP's security posture. Security is a shared and mutual responsibility.
As noted in policy area 11, a formal audit process is completed every 3 years, and this includes not each CSA but also Non-criminal Justice Agencies(NCJA) with direct access to that data.
Ultimately, you are responsible for implementing the applicable CJIS Security Policy requirements in your respective environment. The provider only manages the implementation of security requirements within the specified infrastructure. Encryption of data at rest is just as critical.
File and system integrity monitoring software can help those in law enforcement, security teams, and vendors stay on top of policy and implementation. A robust file and system integrity monitoring software should assist with CJIS requirements ranging from incident handling to protection of audit information — and everything in between.
CimTrak helps security teams with security and compliance with multiple incident response requirements by providing a complete audit trail, integrated ticketing system, along with the framework for documenting, tracking, and handling incidents. Learn more about how CimTrak helps with CJIS compliance today.
