CJIS Compliance Checklist: Are You Meeting All the Requirements?

What is the CJIS?

The Criminal Justice Information Services was established by the FBI in 1992 as an intelligence hub that connected the criminal justice community, including law enforcement, national security, and intelligence groups. Its objective was to provide these organizations with the information they needed to protect the United States. 

Background to the CJIS

In response to disparate systems that provided information to law enforcement and intelligence agencies piecemeal, the FBI set out to coordinate and integrate a unified system to ensure that they were providing the criminal justice sector with the best possible services.

In February 1992, an FBI executive wrote, “The FBI has an opportunity to significantly improve the level of information services provided to the criminal justice community. “An all-inclusive CJIS will ensure the needs of our users are met and exceeded well into the 21st century, and the technology advancements gained through the creation of CJIS will ensure that the FBI remains at the forefront of criminal justice information systems worldwide.”

Federal, state, and local agencies use the system in their work. The CJIS comprises several departments:

• Next Generation Identification (NGI)
• National Data Exchange (N-DEx)
• Law Enforcement Enterprise Portal (LEEP)
• National Crime Information Center (NCIC)
• National Instant Criminal Background Check System (NICS)
• Uniform Crime Reporting (UCR)

What are the CJIS Compliance Requirements?

The CSP (CJIS Security Policy) sets minimum security requirements for any authorized organization that wishes to access CJIS, or that processes and maintains criminal justice information (CJI). The CJIS Security Policy also establishes guidelines to:

• protect the transmission, storage, and creation of criminal justice information (CJI), such as fingerprints, identity history, case/incident history, etc.
• best practices in areas like data encryption, wireless networking, and remote access, as well as multi-factor authentication, and physical security. 

The security policy is based on directives from NIST 800-53. Most recently updated in 2022, the policy guides the handling of CJI and focuses on thirteen main areas. Read on as we provide a checklist of everything you need to know about the CSP.

The Growing Need for Compliance with the CJIS Security Policy

The CJIS security policy was established with criminal justice and law enforcement agencies in mind. But the service providers that they partner with need to process and maintain this data and therefore must adhere to CJIS standards as well.

As more law enforcement organizations migrate to cloud technology and rely on third parties as service providers, the obligation to be CJIS compliant extends to many businesses beyond the criminal and law enforcement sectors.

How is the CJIS  Security Policy Enforced?

Every three years, the FBI performs government audits for institutions and organizations that make use of the CJIS network to make sure that agencies are adhering to the proper protection protocols and receiving CJIS compliance certification. 

NCJAs with direct access to the data are also included in audits. Inspectors will examine agency policies and practices, conduct staff interviews, look at data security protocols, and assess the physical security of buildings and computer systems throughout the audit. Although the audit findings are kept private, agencies that do not adhere to the CSP’s criteria may be forced to take corrective action to protect national security and the safety of the country’s criminal justice institutions.

What are the Security Requirements of the CJIS?

There are thirteen policy areas of which CJIS-compliant organizations must be aware. Outlined in the FBI policy in Section 5, we’ll provide a summary of each in the following list.

1. Information Exchange Agreements

An information exchange agreement documents the rules by which two parties engage in the sharing of criminal justice information (CJI). The agreement will ensure consistency and compliance with CJIS security standards and specify implemented security controls. 

2. Security Awareness Training

Within six months of their initial assignment, all workers who have access to CJI must complete a basic security awareness training course. Every year, training should be given to all employees who have access to CJI data.

3. Incident Response

To ensure the protection of CJI in the case of a malicious attack, organizations must have an incident response plan (IRP) in place. This includes the ability to quickly recognize, stop, analyze, and recover from a data breach or attack. A plan for tracking, documenting, and reporting incidents to appropriate agency officials should also be part of the incident response plan.

4. Auditing and Accountability

Organizations must implement audit and accountability controls to generate audit records for defined events. This involves keeping track of every access to CJI, including who is using it, when, and for what purposes. Administrators should keep an eye on login attempts, changes to permissions or passwords, access to files or folders, and other activity.

5. Access Controls

Access Control is the implementation of mechanisms to restrict access to CJIS information and the modification of information systems, applications, services, and communication configurations that allow traces of CJIS information. This may involve implementing access controls and enacting controls for Wi-Fi.

6. Identification and Authentication

Identification refers to the unique representation of identity within an information system or other entity. Authentication refers to the processes used to verify the unique identity of the user, process, or device.

In July 2022, Section 5.6 of the CSP was modernized with the new Identification and Authentication (IA) control family. One of the many CJIS requirements in this category is that a maximum of five unsuccessful login attempts are allowed per user, after which their credentials will need to be reset. 

7. Configuration Management

System configuration modifications involving sensitive CJI data may only be made by authorized users. This covers adding or removing hardware as well as arranging software upgrades. The steps taken during configuration modifications must be documented and secured against unauthorized access.

8. Media Protection

Organizations must ensure that media protection policies are documented and implemented to control access to digital and non-digital media.

9. Physical Protections

Physical protection policies should be documented and implemented to ensure CJI, hardware, and software are physically protected. In practice, this may take the form of securing server rooms with cameras, locks, and alarms.

10. Systems and Communications Protection 

Examples of this requirement range from data transmission protection to securing an agency’s virtualized environment. Under this category, applications, services, or systems must have the capability to ensure system integrity through the detection of unauthorized changes. 

11. Formal Audits

All CJIS-compliant organizations will be subjected to formal audits once every three years to ensure compliance with applicable statutes, regulations, and policies. Audits will either be conducted by the CJIS Audit Unit (CAU) or the CJIS Systems Agency (CSA).

12. Personnel Security

Having sufficient security controls to protect organizations from insider threats is a critical component of the CJIS Security Policy. This section includes requirements for personnel screening, termination, transfer, and sanctions.

13. Mobile Devices

The requirements in this section augment those in other areas of the security policy to address the specific threats introduced by mobile devices. Agencies must:

• Establish usage restrictions for mobile devices
• Authorize, monitor, and control wireless access to the information system

How  Centraleyes Can Simplify CJIS Compliance

While ensuring CJIS compliance may seem like a difficult feat, many of these requirements are already implemented through other security and compliance frameworks. One of the most effective ways to ensure compliance with the standards is by mapping the controls to other existing policies that you have already implemented. 

See how CentralEyes can help you cross-reference the CJIS Security Policy to other standards and regulatory frameworks like NIST SP 800-53, FedRAMP, the ISO 27000 series, and more. 

Reach out to us today to learn more about our innovative risk and compliance system.