CJIS Compliance: Definition and Checklist

What does it mean to be CJIS compliant? This is a question that many business owners have but don't know the answer to. The term "CJIS compliance" is commonly used in the law enforcement community to refer to the process of adhering to the CJIS Security Addendum.

The FBI established this policy in 1992 to ensure that all organizations that handle criminal justice information protect it from unauthorized access, use, or disclosure. This article will define what it means to be and how to become CJIS compliant.

What Is CJIS?

The FBI's CJIS is a division that provides a comprehensive database that helps law enforcement, national security, and intelligence community partners across the country. The acronym stands for Criminal Justice Information Services.

It’s comprised of several departments, including the National Crime Information Center (NCIC), which stores data on criminals and missing people, and the Uniform Crime Reporting program (UCR), which compiles data on crime across the country.

There is also the Integrated Automated Fingerprint Identification System (IAFIS), which helps law enforcement agencies match fingerprints with criminal records, and the National Instant Criminal Background Check System (NICS), which aids firearms dealers in conducting background checks on potential customers.

In addition to the security program, the Criminal Justice Information Services offers government and law enforcement agencies training and support in various fields such as crime scene investigation, interviewing techniques, and crime prevention. As a result, CJIS plays an essential role in ensuring that federal agencies have the resources they require to solve crimes effectively.

What Is CJIS Data?

The information gathered by the CJIS is highly confidential and is compiled from sources including local, state, and federal law enforcement organizations. Criminal history records, fingerprints, copies of private documents, and other personal information fall into this category.

CJIS Security Policy

The CJIS Security Addendum represents the FBI CJIS, government law enforcement agencies,  and the private industry working together to keep criminal justice information (CJI) secure. 

The policy establishes 13 policy areas listed below and prescribes mandatory procedures for accessing, using, and securing CJI. 

It aims to protect the information from accidental or intentional misuse, unauthorized access, or disclosure, while ensuring that the data is available to those with a legitimate need for it.

1. Access Control

If an organization wishes to share criminal justice information, it must first enter into a formal agreement with the other agency to ensure that both parties adhere to the CJIS policy's minimum security requirements. 

The policy areas mentioned in this piece should be evaluated as part of the agreement.

2. Information Exchange Agreements

The four stages of CJIS security awareness training and the Local Area Security Officer (LASO) training are described here. Users who have been granted remote access to CJI will undergo training tailored to the specifics of their interactions with the system. You must complete your training within six months of first gaining access to CJI and again every two years.

3. Personnel Security 

A thorough screening process, including a check of fingerprints using the Integrated Automated Fingerprint Identification System, is required for all personnel, contractors, and vendors who will have access to CJI.

4. Physical Security 

Access to media storage devices and other forms of physical media, along with CJIS requirements and limitations placed on such access, are discussed in this section. To ensure that all CJI, software, hardware, and media devices are kept in a safe and secure environment, strict physical protection policies must be established.

5. Auditing and Accountability  

Login attempts, changes to user account permissions, files, or directories, attempted modifications to access controls, and the modification or destruction of history logs are just some examples of what can happen to CJI. They show that it requires auditing and monitoring controls, which are described in this section.

6. Media Protection 

Media protection refers to the set of procedures and guidelines that must be followed when dealing with digital and physical media in terms of its archiving, access, transport, and disposal.

7. Incident Response 

CJIS certification entails notifying the Justice Department in the event of a data security breach. Organizations must have an Incident Response Plan (IRP) in place to be able to identify, contain, eradicate, and recover from a security incident in a timely manner.

8. Identification and Authentication 

Detailed guidelines for user identification and verification are discussed here. Passwords, PINs, biometrics, and other forms of advanced authentication are some of the ways authorized users can prove their identities when gaining remote access to CJI.

9. Configuration Management 

Only authorized users may make changes to the configuration systems storing CJI, such as installing new software or hardware or removing components from an existing installation. 

The processes for making these changes and the changes themselves must be well-documented and secure on the CJIS portal.

10. Systems and Communications Protection and Information Integrity

This policy category focuses on protecting an organization's network address, cloud service providers included. All systems and communication protocols used by organizations dealing with CJIS need to be secure from unauthorized access.

11. Formal Audits 

In order to determine that organizations are adhering to the CJIS security standards, formal security controls will be conducted. The CJIS Audit Unit (CAU) or the CJIS Systems Agency  (CSA) will conduct the audits at least once every three years.

12. Security Awareness Training 

Employees with access to CJI must receive CJIS training within the first six months of their assignment in order to comply with CJIS security controls, and this training must be repeated annually.

13. Mobile Devices

A company's "acceptable use policy" should govern how employees use their mobile devices, what content they can access online, and what software they can download. The policy, which mentions wireless security protocols, should protect any device that can access CJI.

These security requirements are critical for ensuring the security of CJI that is stored and transmitted. 

Organizations and individuals can help protect this sensitive data from misuse and protect the privacy of the individuals whose information is stored within CJI systems by adhering to these specific requirements.

CJIS Compliance Requirements and Data Security

In addition to incorporating CJI into communications, the CJIS also mandates data encryption when storing and using sensitive information. 

Information can be made even more secure by encrypting it, which can work alongside multi-factor authentication. If an intruder were to steal an encrypted file or intercept an encrypted communication, they would have no way of understanding its contents without the correct encryption key.

128-bit encryption or better must be used to obtain CJIS clearance. The keys used to decrypt data must be sufficiently complex (at least ten characters long, a mix of upper and lowercase letters, numbers, and special characters) and changed whenever authorized personnel no longer require access.

The use of email, for instance, raises its own set of problems with CJIS. Standard email services do not provide the encryption required by CJIS, even though a great deal of information related to criminal law is exchanged via email. 

CJIS Compliance and Advanced Authentication

The CJIS Advanced Authentication Requirement is an important security measure that helps to protect sensitive information. Before accessing criminal justice information (CJI), all users of the criminal justice system must authenticate their identity according to the requirement. 

This authentication can be accomplished through a variety of methods, such as biometrics, password protection, and multi-factor authentication. The advanced authentication requirement helps to ensure that sensitive information is only accessible to authorized individuals and that all data is adequately protected. 

Furthermore, the requirement aids in the prevention of identity theft and other forms of fraud.

CJIS Compliance Audit

Every three years, the FBI conducts government audits for organizations and institutions that use the CJIS network. The audit is conducted by the CJIS Audit Unit (CAU), and its purpose is to ensure that agencies are following the correct procedures for safeguarding sensitive information. 

During the audit, inspectors will review agency policies and procedures, interview agency personnel, and observe data security practices. They will also test the physical security of facilities and computer systems. 

The audit results are confidential, but agencies that fail to meet the standards outlined in the security policy may be required to take corrective action. The FBI Criminal Justice Information System audit is essential to ensuring national security and the safety of the nation's criminal justice agencies.

How to Maintain CJIS Compliance

This security policy is designed to prevent unauthorized access to sensitive information. To ensure policy compliance, all agencies with access to CJIS data must implement specific security measures and provide ongoing staff training on these topics.

These measures include encrypting all data in transit, using strong passwords and authentication methods, and providing physical security for servers and other devices. Additionally, agencies must maintain detailed logs of all CJIS data access and regularly review the national security policy to ensure that all requirements are understood.

Final Note

The CJIS is just one part of the vast and ever-evolving network that makes up our criminal justice system. Agencies can help protect sensitive information and ensure compliance with the FBI CJIS security policy by taking the steps we’ve outlined above. When an agency loses access to CJI, its ability to do its job suffers, putting the public at risk.

If dealing with CJI is a regular part of your agency's work, avoid taking unnecessary risks with sensitive information and stay on top of compliance audits. There is no such thing as spending too much on security to prevent the loss of vital information.