Not Complying with CJIS? Here are the Risks and Punishments
If you work as an IT service provider in law enforcement, you’re likely preparing your organization to be in full compliance with the new, revamped guidelines from the FBI’s Division of Criminal Justice Information Services (CJIS). The September 2014 deadline will be upon us sooner than you think, and if one thing is clear from the 200+ pages of the CJIS document, it’s that the guidelines are comprehensive and somewhat complex.
Another issue that’s becoming clearer to law enforcement agencies across the country is the importance of this September 2014 deadline. The FBI has extended its CJIS compliance deadline several times now; there’s a very strong sense that this will not be the case again. It’s very probable this is the last chance for law enforcement agencies to get up to speed on the security measures and safeguards needed to assure the FBI that their systems are secure enough to access the extensive CJIS databases without risking a breach of the information they contain.
Most IT service providers who work in law enforcement understand the FBI’s focus on securing data, as well as the need to upgrade a network’s technical safeguards and password security to protect valuable, sensitive information. What many don’t yet understand, however, are the risks they’re facing if they don’t become CJIS compliant by September 2014.
Losing Valuable Crime-Fighting Information
Perhaps the most obvious risk is losing access to the CJIS database. If you’ve been trying to talk about CJIS compliance with officers or other departments and getting the sense that they aren’t very concerned, be assured that this attitude will change drastically should they lose access to CJIS. Every law enforcement professional relies heavily upon CJIS; being unable to access the database, even temporarily, could be devastating to working ongoing cases and day-to-day operations.
The CJIS database includes information like:
· Criminal records
· License plate records
· Stolen goods records
· Fingerprint records
· Information on criminal organizations and their activities
This information is invaluable to officers and investigators trying to solve cases, prevent crimes, and uphold public safety. Being able to access a centralized database like CJIS closes the gap between different departments and law enforcement agencies across the country—a gap that previously allowed many criminals and cold cases to “fall through the cracks.” Without access to CJIS, a law enforcement agency is forced back a decade in technology, limited in its resources as it tries to piece together fragmented data.
The FBI regularly conducts security audits; should your organization be found to be in non-compliance after September of 2014, you will lose access to the CJIS database. So while it may seem like CJIS compliance isn’t high on the priority list of your department or organization, as an IT service provider it’s your responsibility to help everyone understand the importance of CJIS compliance, and what’s actually on the line. The last thing you want is to be held responsible when the FBI decides to refuse your organization access to CJIS.
Other Risks of Non-Compliance
It’s also important to note that being unable to access CJIS isn’t the only risk of non-compliance. Individuals who access the database in a non-compliant manner, referred to as misuse, can be subject to loss of employment and possible prosecution for state and federal crimes. Individuals who use CJIS must sign an agreement, the last two lines of which are:
“I understand that accessing the system for an appropriate purpose and then using, disseminating or re-disseminating the information received for another purpose other than execution of the contract also constitutes misuse… Such exposure for misuse includes, but is not limited to, suspension or loss of employment and prosecution for state and federal crimes.”
Strong password security is crucial to help reduce the chance of CJIS non-compliance. Advanced authentication security software ensures that only authorized users have permission to access the data needed for their job, and it allows administrators to create automatic reports detailing who is trying to access what, when, and how. Implementing such measures shows all users, as well as the FBI, that your organization is serious about CJIS compliance and password security/management best practices.