How to Know If Your Law Enforcement Organization is CJIS Compliant
While many law enforcement IT professionals understand the importance of the information stored in the FBI’s Criminal Justice Information Services (CJIS) Division’s databases, many are now facing a challenge maintaining their department’s access to that information. Agencies that don’t meet the FBI’s latest changes to its Security Policy by the September 2014 deadline will risk losing access to this crime-fighting data.
But how can you ensure 100 percent CJIS compliance (related blog post: CJIS compliance best practices) without costing your agency a small fortune or hindering the day-to-day operations of already-overworked staff members and officers? You can’t afford to fail an FBI security audit and be blocked from important information, but neither can you afford a massive overhaul of your agency’s system—not to mention the time and effort it would take to train everyone on new, complex procedures for accessing CJIS data.
Before you can move forward with CJIS compliance, it’s important to understand where you stand today. It’s time for a comprehensive “reality check” on your current security and password processes. By comparing them to the CJIS standards, you’ll be able to see your potential shortcomings and compliance hurdles. From there, you can make a plan of action for complete CJIS compliance.
CJIS Policy Areas
The full FBI CJIS document is over 200 pages (and available here: http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view). For the purposes of IT compliance, the most relevant parts of the document relate to Policy Areas 4, 5, and 6.
Policy Area 4
Does your system log both successful and unsuccessful attempts to:
- Log on to the system used to access CJIS data
- Access, create, delete, or change permissions
- Change account passwords
- Use privileged accounts
- Access or change the audit log file
Is the following data recorded in the audit entry for every one of the above events?
- Date and time
- Component of the information system where it occurred
- Type of event
- User identity
- Outcome (success or failure)
Policy Area 5
Do users and groups have access only to the password information they need to know and share, based on their role?
Can you change a user’s permission if their role changes, or revoke permission entirely if they’re terminated or separated from the agency?
Are privileged functions (like password resets) only available to administrative users who should have such capabilities?
Does the information system used to access CJIS limit unsuccessful login attempts to five?
Does the system lock out users after 30 minutes of inactivity?
Policy Area 6
Are your users required to use strong passwords that meet all of the following?
- At least eight characters long
- Not a dictionary word or proper name
- Not the same as the user ID
- Set to expire within a maximum of 90 days
- Not the same as any of the previous 10 passwords
If a user is trying to log in from a non-secure location, does your system require “advanced authentication,” such as multi-factor authentication or two-factor authentication? (related blog post: What is Multi Factor Authentication?)
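As an added example (not code from the original post), the following Python checks a proposed password against the five Policy Area 6 rules listed above. The wordlist, user IDs and dates are constructed sample data, and the unsalted SHA-256 digest stands in for whatever password hash a real system stores.

```python
"""Policy Area 6 password checks: length, dictionary word, user ID match,
reuse of the last 10 passwords, and 90-day expiry (added example)."""
import hashlib
from datetime import date

MIN_LENGTH = 8        # at least eight characters
MAX_AGE_DAYS = 90     # expire within a maximum of 90 days
HISTORY_DEPTH = 10    # not the same as the previous 10 passwords

# Constructed stand-in for a real wordlist; a deployment would load a
# cracking dictionary plus common proper names (lowercased) here.
DICTIONARY = {"password", "welcome", "sunshine", "baseball", "jordan"}


def _digest(password: str) -> str:
    # Only digests of old passwords are kept, never the plaintext.
    # Unsalted SHA-256 keeps the example short; a real system would
    # compare against its salted password hashes instead.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_new_password(user_id: str, candidate: str, history: list) -> list:
    """Return the list of rule violations for a proposed password (empty
    list means it passes). `history` holds digests, most recent first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if candidate.lower() in DICTIONARY:
        problems.append("dictionary word or proper name")
    if candidate.lower() == user_id.lower():
        problems.append("same as the user ID")
    if _digest(candidate) in history[:HISTORY_DEPTH]:
        problems.append("reused from the last 10 passwords")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True once the password is 90 or more days old and must be changed."""
    return (today - last_changed).days >= MAX_AGE_DAYS


def rotate(history: list, new_password: str) -> list:
    """Record a successful change: push the new digest onto the front and
    keep only the last 10 entries so older passwords become reusable."""
    return [_digest(new_password)] + history[:HISTORY_DEPTH - 1]
```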
CJIS Policies: Options for Compliance
If you just completed this status check and feel, well, stressed, you’re not alone. Many law enforcement IT departments across the country simply haven’t had the resources to advance their security policies and processes in recent years.
Fortunately, advanced password security suites offer law enforcement agencies a one-stop solution for all of their CJIS compliance needs—one that’s affordable, effective, and easily implemented, with solutions like password management, multi-factor authentication (a major requirement of the new policy), and features that will actually make your agency more efficient, like single sign-on portals.