How to Ensure FBI CJIS Security Policy Compliance

As more law enforcement agencies utilize third-party software, the need to become FBI CJIS Security Policy compliant extends to many other industries.

December 29, 2020

Article highlights
  • Who needs to be concerned about CJIS compliance.
  • Review your current security policies and procedures.
  • Practical ways to implement the necessary changes.

The FBI created the Criminal Justice Information Services Division (CJIS) in 1992 to equip law enforcement, national security, and the intelligence community with criminal justice information.

The CJIS Security Policy sets minimum security requirements for any organization accessing the data, as well as guidelines to protect the transmission, storage, and creation of criminal justice information (CJI) such as fingerprints, identity history, case/incident history, etc.

The CJIS standards include best practices in areas like data encryption, wireless networking, and remote access, as well as multi-factor authentication and physical security. All entities, whether law enforcement or non-criminal justice agencies, that have access to any of the FBI’s CJI data must adhere to the security standards.

As more and more law enforcement agencies utilize third-party and cloud-based software, the need to become CJIS compliant extends to many other industries.

The security requirements are also considered to be best practices, so other companies outside of law enforcement are choosing to implement the FBI’s standards as a means to protect their digital properties.

In fact, PowerDMS went through our own CJIS Compliance process in order to ensure our data and security policies met the CJIS Security standards.

Regardless of your industry, or the kind of data you are handling, the FBI CJIS Security Policy is a good measuring stick for your data security.

Here are some helpful tools for integrating CJIS Security Policy into your security processes.

Don’t Go It Alone

The FBI’s CJIS Security requirements can be very complex.

Even if you have a security or GRC team in place, you will likely need someone familiar with CJIS compliance to assist you through the process.

It may help you to find someone in your field who has been through the process. Use their perspective and experience to your benefit as you create policies of your own.

Another option is to work with an outside vendor to help look at your current policies and procedures. Depending on your circumstances, this may be a requirement.

When we went through our own CJIS compliance process in 2014, we partnered with the Sienna Group to help us navigate the waters. They also provided us with our attestation letter.

Review Your Current Security Policies and Procedures

Start with your current policy manual

There’s no escaping it. To ensure compliance with CJIS security, you are going to have to go through your current policy manual page-by-page, standard-by-standard.

Make sure you look at all aspects, including policies in place, procedures, proof of compliance, and training.


Next, list out areas that need to be aligned to CJIS standards. The FBI provides a requirements list, but be forewarned, it’s a 36-page document that can be difficult to decipher on your own.

If you’re still using a paper policy manual, you may want to consider a tool like PowerDMS to help manage policies for optimal compliance.

You will be able to safely store your documents in a single, searchable repository, making it easy to find all policies related to specific topics. This can save you time and hassle as you review your current policies and procedures.

You will also have control over each version you create, ensuring everyone in your department has the most up-to-date copy of every policy.

IT systems

The majority of the CJIS Security standards will focus on your IT systems and the security setup around them.

The FBI CJIS policy lays out very specific requirements for the following:

  • Data encryption
  • Data transfer (both in motion and at rest)
  • Wireless networking
  • Remote access
  • Password strength and multi-factor authentication
  • Virtual Private Network (VPN)
  • Mobile phones

These standards apply to internal networks, any cloud-based vendors who will have access to CJI data, and to both the physical and electronic security protocols in place around those systems.


For example, you need to not only encrypt data as it’s being transferred to or from your systems, but you also need to make sure there is adequate security to the server rooms, so the hardware is protected from tampering or unauthorized access.

This is an area where some smaller companies have outsourced the encryption or found third-party modules to minimize some of the setup and ongoing operational costs.

Security

How are you currently securing the facility where you are either storing or accessing data?

It is important to consider not just office space and server rooms, but anywhere employees may access crucial data.

If any staff are accessing information on mobile phones, there are also requirements for cell phones, including auto-lock periods, reporting of lost devices, and use of passcodes/PINs.

Make sure you review these policies closely and train your employees accordingly when it comes to technology use.

Implement the Necessary Changes

The real work comes in with the nuts and bolts of implementing new changes according to policy updates.

As you can probably guess, this part is never as easy as it sounds.

Start by making sure the appropriate people sign off on all policy changes, including general counsel, GRC team, security officer, and so on.

Using software like PowerDMS that keeps an audit trail of all signatures helps you keep track of who signs off on what and ensures everyone has access to the most recent version of every policy for optimal compliance.

Clear communication

Keeping your employees aware of all compliance requirements and what it means for them is critical.

As you work within your department to get into compliance with the FBI CJIS Security Policy, communicate well. Make sure everyone knows what changes you make to your internal policies and how they affect your officers’ jobs.

This compliance process may take place over a matter of months, so it may help to roll out your procedure changes in phases.

Training

Having the right policies in place is important, but your staff also need to comply with the new protocol.

Some changes, such as password strength or device auto-lock settings, will be easy to explain. Others will require more extensive training.

At a minimum, all personnel with access to CJI must complete Security Awareness Training within six months of initial assignment and retraining every two years after that.
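Tracking that cadence across a roster is easy to get wrong when it is done by hand, so here is a small added example (not code from the article or from PowerDMS) that flags who is overdue. It uses the two intervals stated above, six months for initial training and two years for retraining; the 30-day "due soon" warning window, the personnel names and the dates are constructed assumptions for illustration.

```python
import calendar
from datetime import date

# Cadence stated in the CJIS Security Policy summary above:
# initial Security Awareness Training within six months of assignment,
# then retraining every two years.
INITIAL_MONTHS = 6
RETRAIN_YEARS = 2
# Assumed warning window (not a CJIS figure): flag anyone due within 30 days.
DUE_SOON_DAYS = 30


def add_months(d, months):
    """Shift a date by whole months, clamping the day to the target month's end
    (e.g. 31 Aug + 6 months -> 28 Feb, not an invalid 31 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def training_status(assigned, last_completed, today):
    """Return (status, due_date) for one person.

    assigned       -- date the person was first given CJI access
    last_completed -- date of their most recent training, or None if never trained
    """
    if last_completed is None:
        due = add_months(assigned, INITIAL_MONTHS)
    else:
        due = add_months(last_completed, 12 * RETRAIN_YEARS)

    if today > due:
        return "OVERDUE", due
    if (due - today).days <= DUE_SOON_DAYS:
        return "DUE_SOON", due
    return "CURRENT", due


def review_roster(roster, today):
    """Evaluate every (assigned, last_completed) pair in the roster."""
    return {name: training_status(a, c, today) for name, (a, c) in roster.items()}


# Constructed sample roster: name -> (assignment date, last training date or None)
SAMPLE_ROSTER = {
    "alvarez": (date(2020, 3, 15), None),              # never trained, 6-month window passed
    "brooks": (date(2018, 1, 10), date(2019, 1, 20)),  # retraining due in a few weeks
    "chen": (date(2019, 5, 1), date(2020, 6, 30)),     # recently trained
    "davis": (date(2020, 8, 31), None),                # month-end clamp case
}

if __name__ == "__main__":
    for name, (status, due) in review_roster(SAMPLE_ROSTER, date(2020, 12, 29)).items():
        print(f"{name:8s} {status:9s} due {due}")
```

Running the block as of the article's date prints one line per person; the report is the kind of evidence an auditor will ask for, so keeping the underlying completion dates in the same repository as the policies makes the three-year review far less painful.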


Make an effort to plan ahead for this training requirement.

If you need assistance, PowerDMS training management can help. With this feature, you will be able to create highly personalized training tools and tests to keep all your employees on the same page.

Ongoing auditing

Auditing and accountability are additional requirements for CJIS security. According to the CJIS Security Policy, “Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior.”

Like most policy development, CJIS compliance is not a one-and-done process.

One of the requirements is ongoing audits, including a “State Audit” every three years.

It will be your responsibility to regularly review policies, procedures, location security, data/IT security. Work with your team to plan how you will keep all your files updated and organized ahead of time.

This way, when audit time comes, you won’t have to scramble for a solution.

Becoming CJIS Security Policy compliant is not a small undertaking, but an ongoing process of ensuring the safety and protection of critical documents.

As you know, documentation and organization will play important roles as you work with this confidential information.

PowerDMS is a robust policy and compliance management system that can help put all of your CJIS security documents in one, secure location.

With the right plans and systems in place, you can make compliance with FBI CJIS security policy happen.
