What Does It Mean to Be CJIS Compliant?
If your organization is involved with government entities and operations, chances are you have heard of Criminal Justice Information Services (CJIS) compliance. The term is commonly used in law enforcement but can also apply to civil entities.
What Does CJIS Stand For?
CJIS means Criminal Justice Information Services, which is a division of the Federal Bureau of Investigation (FBI) in the United States that provides a wide range of information services to support law enforcement agencies at the federal, state and local levels.
What Does CJIS Compliance Mean?
CJIS compliance requirements protect national security while safeguarding the civil liberties of individuals and businesses and shielding private and sensitive information. It is an integral part of securing organizations for law enforcement and civil agencies, with access to criminal justice information (CJI) and ensuring they do not become victims of cybercriminals looking to exploit CJI for ransom or cause public damage.
CJI refers to all the FBI CJIS-provided data needed for law enforcement and civil agencies to conduct their missions, including but not limited to, biographic, biometric, identity history, property and case or incident history data.
Since it was established, CJIS has become the biggest division of the FBI and the main source of information and services for all national security, law enforcement and intelligence community partners. FBI CJIS is a division that provides a comprehensive database that helps law enforcement, national security and intelligence community partners across the country and comprises several departments:
- Integrated Automated Fingerprint Identification System (IAFIS): The IAFIS houses the most extensive collection of digital representations of fingerprint images, features from the digital fingerprint images and criminal history information in the world.
- Law Enforcement Enterprise Portal (LEEP): The LEEP provides web-based investigative tools and analytical resources that support the strengthening of case development for investigators and enhance sharing between agencies.
- National Crime Information Center (NCIC): The NCIC stores data on criminals and missing people.
- National Instant Criminal Background Check System (NICS): The NICS is used for background checks on people who want to own a firearm or explosive.
- Uniform Crime Reporting (UCR): The UCR compiles statistics for use in law enforcement, students of criminal justice, researchers, media and the public.
Each state or territory has a CJIS Systems Agency (CSA) that oversees the administration and usage of the CJIS Division programs within a state, district, territory or country.
Why Is CJIS Important?
State and local government and non-criminal justice agencies (NCJAs) are becoming frequent targets for compliance issues due to several reasons:
- Small local agencies may provide malicious actors with a portal into sensitive data in CJIS databases.
- Government agencies are considered an easy target by malicious actors.
- Law enforcement and public safety agencies, as well as their third-party vendors, are increasingly using mobile devices, many containing unauthorized use, to transmit and store CJIS data.
- State and local governments are typically less secure and less funded than their federal counterparts.
- With the increase in remote work, IT personnel are facing more challenges to secure endpoints for remote workers.
A data or infrastructure breach can damage national security and the civil liberties of individuals and businesses. Not prioritizing CJIS requirements and the policies that pertain to your organization could lead to sanctions, penalties, suspension, revocation or monitoring of access to CJIS.
The CJIS Security Policy (CSP) offers a set of security standards for all organizations, including cloud vendors, local agencies and corporate networks, to protect CJIS data from cybersecurity threats. Failing to follow the CSP means you could lose access to CJIS systems or FBI databases. You may also be subject to fines and criminal charges.
There have been several cases of non-compliance with CJIS. In April of 2021, a Lanesborough, MA, police officer was fired for improper use of the criminal records database. In September of 2022, a Freehold, NJ, officer illegally accessed information from a law enforcement (LE) database for personal use and was put on probation and fined. Fort Worth, TX, also had an incident whereby employees with criminal convictions were allowed access to a confidential FBI criminal database.
Who Needs to Be CJIS Compliant?
The short, easy answer is that if your organization receives information from state bureau investigation organizations or the FBI, you are likely bound by CJIS requirements.
A CJIS-compliant solution relies on shared responsibility between a vendor and the particular agency. Even if your CJIS data is accessed via a cloud service provider, some of the requirements can only be met by those directly within your organization. By implementing and utilizing best practices as recommended by the CSP, organizations can maintain compliance, keep sensitive data secure and enable more efficient operations within an agency.
There is not a standardized approach to determining whether a particular solution is considered compliant with CJIS. To that end, each state is individually responsible for compliance within their jurisdictions and individually accountable to the FBI. Since each state is responsible for compliance within its jurisdiction, no single entity can grant a national compliance seal of approval, and the FBI does not have the resources to manage a national certification process.
However, to ensure organizations are following the best practices outlined in the CSP, an assessment can help determine if an organization is compliant at the time. Remember that compliance does not mean security. Security needs to be incorporated within your typical business operations rather than only for the time in which an assessment is conducted.
What Is the Difference Between a CJA and NCJA?
Criminal Justice Agencies (CJAs) are law enforcement related, such as the FBI, police, correctional institutions and courts. An NCJA is any agency or sub-unit thereof that provides services primarily for purposes other than the administration of criminal justice. Examples of services include national security clearances, licensing determinations, employment suitability, immigration and naturalization matters.
There are three categories of NCJAs:
Type | Purpose | Example |
Government | A government agency whose charter does not need to administer criminal justice but may be required to process CJI. | An IT organization in state government that handles the administering of equipment for a state law-enforcement agency. |
Private | A private agency whose charter does not include responsibility for administering criminal justice but could be required to process CJI. | A local bank. |
Public | A public agency whose charter does not mandate a responsibility for administering criminal justice but may need to process CJI. | A county school board that uses criminal history record information to aid in decisions regarding employee hiring. |
Other NCJAs examples include:
- 911 communications center that performs dispatching functions for a criminal justice agency
- Agency for Healthcare Administration
- Bank needing access to criminal justice information for hiring purposes
- City or county IT Department
- Data center or cloud service provider housing CJI
- Departments of Public Safety
- Prosecuting attorney offices
- Public school districts, charter schools
- Transcription and translation companies
- Outsourcing whereby another entity performs a given service or function on behalf of the authorized receipt to include storage of CJI, destruction of CJI or IT support where access to CJI may be incidental but necessary
CJIS CSP
The CSP was developed based on federal laws, presidential and FBI directives and guidance from the National Institute of Standards and Technology (NIST) 800-53: Security and Privacy Controls for Information Systems and Organizations. The policy offers guidance for creating, viewing, modifying, transmitting, disseminating, and storing CJI. Version 5.9.1 includes several appendices on topics such as best practices for virtualization, cloud computing, Voice over Internet Protocol (VoIP), mobile and incident response.
The CSP provides CJAs and NCJAs with minimum security requirements for access to FBI CJIS Division systems and information, along with protecting and safeguarding CJI. The policy applies to every individual contractor, private entity, NCJA representative or member of a criminal justice entity that has access to or operates in support of criminal justice services and information.
One thing to note is that the CSP considers data, services and protection controls that apply regardless of the architecture. Architectural independence is not meant to lessen the significance of systems but to provide for the replacement of one technology with another while ensuring the controls required to protect the information remain constant.
The FBI conducts government audits for organizations and institutions that use the CJIS network to ensure that agencies are following the correct procedures for safeguarding sensitive information. Audits also include NCJAs with direct access to that data. During the audit, inspectors will perform the following tasks:
- Review agency policies and procedures
- Interview agency personnel
- Observe data security practices
- Test the physical security of facilities and computer systems
Although the audit results are confidential, agencies that fail to meet the standards outlined in the CSP may be required to take corrective action to ensure national security and the safety of the nation's criminal justice agencies.
CHRI
Before discussing the policy areas within the CSP, it is important to understand additional terminology, such as Criminal History Record Information (CHRI), which is a subset of CJI and is sometimes referred to as restricted data. It includes information about the history of an individual's contact with law enforcement agencies. CJI and CHRI terms are used interchangeably, but because of its comparatively sensitive nature, additional controls are required for CHRI's use, access and dissemination.
CHRI is defined by Title 28 Code of Federal Regulations (CFR) §20.3. CHRI must not be distributed to the general public. This includes maintaining CHRI in formats that are accessible by the public or within records that are subject to release through public record requests. Every state has unique laws about details released for non-criminal justice record inquiries.
Restricted files that should be protected as CHRI include:
- Gang Files
- Historical Protection Order Files of the NCIC
- Identity Theft Files
- National Sex Offender Registry Files
- NICS Denied Transactions Files
- Person With Information (PWI) data in the Missing Person Files
- Protective Interest Files
- Supervised Release Files
- Threat Screening Center Files
- Violent Person Files
NCJAs authorized to receive CHRI for non-criminal justice purposes are subject to audit to ensure compliance with state and federal rules regarding fingerprint submissions and CHRI use. When CHRI is disseminated for non-criminal justice purposes, it should only be used for the purposes for which it was given. Users shall not perform background checks to access criminal history record information on themselves for training purposes, as this is considered a misuse of CHRI and is a sanctionable offense.
Policy Areas
The CSP defines thirteen areas with over 580 controls that CJAs and NCJAs must evaluate for consistency with CJIS requirements. These areas closely correspond to NIST 800-53, which is the basis for the Federal Risk and Authorization Management Program (FedRAMP). Therefore, organizations can leverage a FedRAMP audit to get insight into CSP control implementation details relevant to the CSP requirements.
Local agencies can complement the CSP with a local policy or develop their own standalone security policy, but the CSP should always be the minimum standard. Local policy can augment or increase the standards but not detract from them. Note that cloud service providers, such as Google Cloud, can support agencies in states that have executed a CJIS Information Management Agreement with Google.
Each policy area provides both strategic analysis and tactical implementation requirements and standards. The circumstances of applicability are based on individual entity configurations and use. While the major theme of the policy areas is concerned with electronic exchange directly with the FBI, it is understood that further dissemination of CJI to authorized recipients by various means constitutes a significant portion of CJI exchanges.
CJIS Compliance Requirements
Create a CJIS compliance checklist based on the requirements below. The following table provides a high-level description of each policy area:
Policy Area | Title | Description |
1 | Information Exchange Agreements | Organizations sharing CJI with another organization or agency must establish a formal agreement to ensure that they comply with CJIS security standards. |
2 | Security Awareness Training | All employees with access to CJI must have basic CJIS security awareness training within six months of initial assignment. The CSP describes four levels of training in more detail. |
3 | Incident Response | Incident Response plans must be in place detailing the capabilities to identify, contain, mitigate, respond and recover from a data breach or attack. |
4 | Auditing and Accountability | Generate audit records of all systems for defined events, including monitoring all access to CJI. Monitoring should consider who is accessing CJI, when they are accessing it and why the user is accessing that data. Access should be monitored by administrators. |
5 | Access Control | Controls to secure and manage users' access to information and systems within the network. |
6 | Identification and Authentication | Implement authentication standards to access sensitive data, including multi-factor authentication (MFA). |
7 | Configuration Management | Management of configuration changes to software updates and adding or removing hardware. All procedures must be documented and protected from unauthorized access during configuration changes. |
8 | Media Protection | Ensure the protection and safe disposal of CJI when they are no longer in use. |
9 | Physical Protection | All physical locations of CJIS must have physical and personnel security control to protect the CJI data (e.g., cameras, alarms, etc). |
10 | System & Communications Protection & Information Integrity | Implement network security and related components such as firewalls, anti-virus software, encryption and intrusion prevention systems (IPS). |
11 | Formal Audits | All organizations with users that store, process, transmit or view CJI will be subject to occasional, formal security audits to ensure all CJIS security measures are followed. |
12 | Personnel Security | Conduct security screenings for all employees, contractors and vendors with access to CJI. Screenings include a state of residence and national fingerprint-based record checks with IAFIS. |
13 | Mobile Devices | All mobile devices, including smartphones, laptops or tablets with access to CJI must adhere to an acceptable use policy and may include additional security policies, including the pre-existing security measures for on-premises devices. |
CJIS Requirements Companion Document
Along with the CSP, the FBI has a CJIS Requirements Companion document. This resource is in the CJIS Security Policy Resource Center, and it explains what parties can act to ensure CJIS Security Policies. These responsibilities are color-coded based on an agreed ability to meet requirements.
The document also contains the “cloud matrix” consisting of additional columns describing who has the technical capability to perform the actions necessary to ensure a particular requirement is being met. However, note that the agency is ultimately accountable for ensuring policy compliance.
Version 5.9.1 includes new requirements not yet auditable or sanctionable. The following is a snippet from part of the Requirements Companion Document:
CJIS Certification
CJIS certification is a requirement for organizations that access or use criminal justice information. The certification is administered by the FBI and is designed to ensure that organizations have the necessary security measures in place to protect CJI. There are different certification levels:
- Level 1: This level covers basic security training for anyone with solitary access to secured locations.
- Level 2: This training is for authorized individuals with access to physical CJI.
- Level 3: Authorized personnel with physical access who can modify CJI receive this level of training.
- Level 4: IT personnel like administrators receive this level of security awareness training.
To become CJIS certified, organizations must:
- Submit a security assessment report: This report is a document that describes your organization's security program and how it meets the requirements of the security policy.
- Complete security awareness training: The security awareness training is a mandatory training course that covers the basics of CJI security. Personnel must receive a 70% or higher on this open-book test to pass.
If your organization is CJIS certified, you may need to maintain your certification by completing annual training and submitting a biennial security assessment report. By becoming certified, your organization can demonstrate your commitment to protecting CJI and help ensure the safety of the public.
The following are some of the benefits of CJIS certification:
- Enhanced public trust
- Reduced risk of data breaches
- Increased opportunities for business
- Improved confidence in the security of CJI
- Better compliance with federal regulations
Whether your organization is considered a CJA or NCJA, if dealing with CJI is a regular part of the entity’s work, avoid taking unnecessary risks with sensitive information and ensure the CSP is followed. Knowing the various policy areas and how to best approach them is the first step to making sure your organization is adhering to the CSP guidelines.
Seeking expert guidance on CJIS compliance? Look no further than Compass IT Compliance. Our team specializes in fortifying security controls and ensuring adherence to a myriad of industry frameworks and regulations. We understand the unique challenges your organization may face and offer customized support tailored to meet your specific needs. Compass IT Compliance is dedicated to guiding you through every step of the compliance journey. Contact us today to learn how we can assist you in navigating the complexities of CJIS compliance and transform your challenges into opportunities for growth and enhanced security.
Contact Us
Share this
You May Also Like
These Related Stories
No Comments Yet
Let us know what you think