A Shortcut to the CJIS Security Policy

Criminal Justice Information Services (CJIS) compliance has become more precarious as cyberattacks on government entities and departments increase in size, number, and the amount of damage they can do. State and local government agencies are becoming frequent targets for several reasons:

1. Typically less secure (and less funded) than their federal counterparts, state and local agencies are seen by cybercriminals as an easy target. A report that surveyed local government officials in the United States found that nearly half of the respondents indicated that their cyberinfrastructure is attacked daily, 18 percent reporting attacks every hour.
2. Even small, local agencies can provide malicious actors with a portal into highly sensitive data within CJIS databases.
3. Law enforcement and public safety agencies, as well as their third-party vendors, are increasingly using mobile phones, many containing unauthorized apps, to transmit and store CJIS data.
4. The COVID-19 pandemic has resulted in 46 percent of state and local government employees now working at home, challenging government IT personnel to secure endpoints for remote workers.

As the cyberthreat landscape expands, so does the need for state and local governments to follow CJIS compliance standards to protect their confidential data. At a cool 253 pages, the FBI’s CJIS Security Policy can be a daunting read, and the 13 policies surrounding wireless networking, data encryption, and remote access can feel overwhelming. Before you pull an all-nighter memorizing the policy document, here are some tips on how to follow the key principles of CJIS compliance for state and local government agencies and their contractors.

• Know the basic rules of CJIS’ 13 policies

CJIS compliance is one of the most stringent and comprehensive cybersecurity standards. That’s why it’s critical for governments and their third parties to be familiar with the basic rules of the 13 areas of the CJIS Security Policy. Rules of the policy pertain to:

• A limit of five unsuccessful login attempts by a user accessing CJIS
• Event logging various login activities, including password changes
• Weekly audit reviews
• Active account management moderation
• Session lock after 30 minutes of inactivity
• Access restriction based on physical location, job assignment, time of day, and network address

Familiarize yourself with the 13 policy areas, assess your security protocols, and make changes where changes are needed within your agency’s cybersecurity practices.

• Prepare an incident response plan

State and local government agencies must have an incident response plan (IRP) in place in the event of a malicious attack. The IRP must detail the agency’s plans for identifying, containing, analyzing, and recovering from a data breach or attack in a timely manner.

Any incidents must be tracked, documented, and reported to the Justice Department - and this includes agency contractors and third parties. If trouble does arise, government systems must trace the source of the attack and easily identify the point of entry.

• Always be prepared: Auditing and accountability

State and local government agencies should closely monitor all privileged activity to flag irregularities in requests and access. A remote access platform that provides auditing, down to the granular level, will record each instance of a privileged credential in use, including the name of the user, the start and end time of the session, and actions taken under the power of that credential.

An audit trail will assist agency employees with CJIS’ formal security audits, which all CJIS compliant organizations are subject to once every three years.

• Enforce strict access control

Securing and managing users' access to information and systems within the network is paramount to meeting CJIS compliance and protecting your agency from a costly breach. The key components of access control under CJIS involve password management, configuration management, and system/information integrity protection.

Identification and authentication

All government users, including contractors, must comply with CJIS authentication standards to access sensitive data. This requires the use of multi-factor authentication (MFA), which uses two or more factors to authenticate users and eliminate shared login risks.

Reinforce configuration management

Only authorized users can make configuration changes to systems with sensitive criminal justice information. This includes software updates and the addition or removal of hardware.

Ensuring proper configuration management is just one of many important reasons to adopt a principle of least privilege at your agency. This security practice ensures that both employees and third-party vendors receive only the access level needed to perform their assigned duties.

Protect systems, communication, and information integrity

This CJIS policy will help state and local government agencies ask and answer critical questions about their security and CJIS compliance, including:

• Is CJIS data secure on its way to and from the cloud?
• Has the agency adopted automated technology that detects attacks, monitors events, and identifies unauthorized users?
• Is the agency using data encryption?
• Have they implemented intrusion detection tools to check inbound and outbound communications for unauthorized/unusual activities?
• Is the agency making least privileged access the default for all accounts?

Delegating third-party remote access security

For agencies overwhelmed with ensuring that they’re meeting the complexities of CJIS, there is support available. Implementing a third-party risk management program (TPRM) is a step towards complying with multiple areas of the hefty CJIS security policy. A solid TPRM should include least privileged (or better yet, Zero Trust) network access, identity management, granular auditing and documentation, and full visibility of network activity. These elements cover your bases and protect your network - and your reputation - from costly data breaches.