What is the CJIS?
The Criminal Justice Information Services was established by the FBI in 1992 as an intelligence hub that connected the criminal justice community, including law enforcement, national security, and intelligence groups. Its objective was to provide these organizations with the information they needed to protect the United States.
Background to the CJIS
In response to disparate systems that provided information to law enforcement and intelligence agencies piecemeal, the FBI set out to coordinate and integrate a unified system to ensure that they were providing the criminal justice sector with the best possible services.
In February 1992, an FBI executive wrote, “The FBI has an opportunity to significantly improve the level of information services provided to the criminal justice community. “An all-inclusive CJIS will ensure the needs of our users are met and exceeded well into the 21st century, and the technology advancements gained through the creation of CJIS will ensure that the FBI remains at the forefront of criminal justice information systems worldwide.”
Federal, state, and local agencies use the system in their work. The CJIS comprises several departments:
- Next Generation Identification (NGI)
- National Data Exchange (N-DEx)
- Law Enforcement Enterprise Portal (LEEP)
- National Crime Information Center (NCIC)
- National Instant Criminal Background Check System (NICS)
- Uniform Crime Reporting (UCR)
What are the CJIS Compliance Requirements?
The CSP (CJIS Security Policy) sets minimum security requirements for any authorized organization that wishes to access CJIS, or that processes and maintains criminal justice information (CJI). The CJIS Security Policy also establishes guidelines to:
- protect the transmission, storage, and creation of criminal justice information (CJI), such as fingerprints, identity history, case/incident history, etc.
- best practices in areas like data encryption, wireless networking, and remote access, as well as multi-factor authentication, and physical security.
The security policy is based on directives from NIST 800-53. Most recently updated in 2022, the policy guides the handling of CJI and focuses on thirteen main areas. Read on as we provide a checklist of everything you need to know about the CSP.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days
The Growing Need for Compliance with the CJIS Security Policy
The CJIS security policy was established with criminal justice and law enforcement agencies in mind. But the service providers that they partner with need to process and maintain this data and therefore must adhere to CJIS standards as well.
As more law enforcement organizations migrate to cloud technology and rely on third parties as service providers, the obligation to be CJIS compliant extends to many businesses beyond the criminal and law enforcement sectors.
Current CJIS Status in the United States (as of August 2024)
As of August 2024, CJIS Management Agreements (CJIS-MAs) are in place covering criminal justice agencies in 47 states and the District of Columbia. This broad coverage underscores a significant commitment to standardizing and securing the handling of Criminal Justice Information (CJI) across much of the country.
What Are CJIS Management Agreements?
CJIS Management Agreements (CJIS-MAs) are formal agreements between the FBI and state or local criminal justice agencies that outline the responsibilities and requirements for accessing and handling Criminal Justice Information (CJI). These agreements ensure that agencies comply with the CJIS Security Policy, which is designed to protect sensitive information and maintain the integrity of criminal justice data.
States Not Covered:
- Delaware
- Wyoming
How is the CJIS Security Policy Enforced?
Every three years, the FBI performs government audits for institutions and organizations that make use of the CJIS network to make sure that agencies are adhering to the proper protection protocols and receiving CJIS compliance certification.
NCJAs with direct access to the data are also included in audits. Inspectors will examine agency policies and practices, conduct staff interviews, look at data security protocols, and assess the physical security of buildings and computer systems throughout the audit. Although the audit findings are kept private, agencies that do not adhere to the CSP’s criteria may be forced to take corrective action to protect national security and the safety of the country’s criminal justice institutions.
What are the Security Requirements of the CJIS?
There are thirteen policy areas of which CJIS-compliant organizations must be aware. Outlined in the FBI policy in Section 5, we’ll provide a summary of each in the following list.
1. Information Exchange Agreements
An information exchange agreement documents the rules by which two parties engage in the sharing of criminal justice information (CJI). The agreement will ensure consistency and compliance with CJIS security standards and specify implemented security controls.
2. Security Awareness Training
Within six months of their initial assignment, all workers who have access to CJI must complete a basic security awareness training course. Every year, training should be given to all employees who have access to CJI data.
3. Incident Response
To ensure the protection of CJI in the case of a malicious attack, organizations must have an incident response plan (IRP) in place. This includes the ability to quickly recognize, stop, analyze, and recover from a data breach or attack. A plan for tracking, documenting, and reporting incidents to appropriate agency officials should also be part of the incident response plan.
4. Auditing and Accountability
Organizations must implement audit and accountability controls to generate audit records for defined events. This involves keeping track of every access to CJI, including who is using it, when, and for what purposes. Administrators should keep an eye on login attempts, changes to permissions or passwords, access to files or folders, and other activity.
5. Access Controls
Access Control is the implementation of mechanisms to restrict access to CJIS information and the modification of information systems, applications, services, and communication configurations that allow traces of CJIS information. This may involve implementing access controls and enacting controls for Wi-Fi.
6. Identification and Authentication
Identification refers to the unique representation of identity within an information system or other entity. Authentication refers to the processes used to verify the unique identity of the user, process, or device.
In July 2022, Section 5.6 of the CSP was modernized with the new Identification and Authentication (IA) control family. One of the many CJIS requirements in this category is that a maximum of five unsuccessful login attempts are allowed per user, after which their credentials will need to be reset.
7. Configuration Management
System configuration modifications involving sensitive CJI data may only be made by authorized users. This covers adding or removing hardware as well as arranging software upgrades. The steps taken during configuration modifications must be documented and secured against unauthorized access.
8. Media Protection
Organizations must ensure that media protection policies are documented and implemented to control access to digital and non-digital media.
9. Physical Protections
Physical protection policies should be documented and implemented to ensure CJI, hardware, and software are physically protected. In practice, this may take the form of securing server rooms with cameras, locks, and alarms.
10. Systems and Communications Protection
Examples of this requirement range from data transmission protection to securing an agency’s virtualized environment. Under this category, applications, services, or systems must have the capability to ensure system integrity through the detection of unauthorized changes.
11. Formal Audits
All CJIS-compliant organizations will be subjected to formal audits once every three years to ensure compliance with applicable statutes, regulations, and policies. Audits will either be conducted by the CJIS Audit Unit (CAU) or the CJIS Systems Agency (CSA).
12. Personnel Security
Having sufficient security controls to protect organizations from insider threats is a critical component of the CJIS Security Policy. This section includes requirements for personnel screening, termination, transfer, and sanctions.
13. Mobile Devices
The requirements in this section augment those in other areas of the security policy to address the specific threats introduced by mobile devices. Agencies must:
- Establish usage restrictions for mobile devices
- Authorize, monitor, and control wireless access to the information system
How Centraleyes Can Simplify CJIS Compliance
While ensuring CJIS compliance may seem like a difficult feat, many of these requirements are already implemented through other security and compliance frameworks. One of the most effective ways to ensure compliance with the standards is by mapping the controls to other existing policies that you have already implemented.
See how CentralEyes can help you cross-reference the CJIS Security Policy to other standards and regulatory frameworks like NIST SP 800-53, FedRAMP, the ISO 27000 series, and more.
Reach out to us today to learn more about our innovative risk and compliance system.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days