What You Need to Know About CJIS Policy Area 4


    As an IT services provider for a law enforcement agency, compliance with the FBI’s Criminal Justice Information Services (CJIS) guidelines is probably at the top of your list—especially considering the September 2014 compliance deadline. After that deadline, your organization could be subject to one of the FBI’s security audits. Should you be found to be in violation of CJIS guidelines, your entire agency could lose access to the valuable information stored in the CJIS databases; officers and investigators depend on CJIS data daily for information like criminal records, license plate information, and more.

    But even the most experienced IT professionals might feel a bit overwhelmed when first looking over the CJIS guidelines. The document is over 200 pages long. If you haven’t already, you can view the full document here: http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view

    There are really three sections that matter to IT service providers who want to ensure that their agency is 100 percent compliant with CJIS guidelines: Section 5, Policy Areas 4 through 6, which cover the technical safeguards that need to be in place for compliance. In this blog article, I’m going to break down Policy Area 4.

    5.4 - Policy Area 4: Auditing and Accountability

    “Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior.”


    In the guidelines set forth by Policy Area 4, CJIS is looking for agencies to generate (and keep) detailed reports of certain security-related events that occur on the system used to access CJIS, so that:


    • Any security violations or questionable events can be traced back to a specific user, date, time, system component, etc.
    • An administrator can quickly look over their audit reports and spot any unusual behavior or patterns
    • Users will know their actions are audited and avoid questionable behavior

    Events

    CJIS guidelines require that the following events be logged:

    • Successful and unsuccessful logon attempts
    • Successful and unsuccessful attempts to use, access, create, write, delete, or change permissions on a “user account, file, directory, or other system resource”
    • Successful and unsuccessful attempts to change account passwords
    • Successful and unsuccessful actions by privileged users
    • Successful and unsuccessful attempts by users to access, modify, or destroy the audit log file

    Content

    With every audited event, the following content must be included:

    • Date and time of the event
    • The component of the information system where the event occurred (e.g. a software component, a hardware component, etc.)
    • Type of event
    • User/subject ID
    • Outcome of the event (successful or unsuccessful)

    5.4.2 Response to Audit Processing Failures

    In the event of an audit processing failure (due to a software error, etc.), appropriate agency officials must be notified.

    5.4.3 Audit Monitoring, Analysis, and Reporting

    “The responsible management official shall designate an official or position to review/analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, to report findings to appropriate individuals, and to take necessary actions. Audit review/analysis shall be conducted at a minimum once a week.” This section goes on to require that monitoring be increased if there are suspected security violations.

    5.4.4 Time Stamps

    All audit logs should use system time stamps that include date and time values generated by internal clocks.

    5.4.5 Protection of Audit Information

    “The agency’s information system shall protect audit information and audit tools from modification, deletion and unauthorized access.”
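    As an added illustration (not taken from the CJIS policy or from any vendor product), here is a small Python audit-record writer that carries the five required content items, accepts only the event categories listed above, hash-chains each record to the one before it so that edits or deletions are detectable (5.4.5), and flags repeated failed logons for the weekly review (5.4.3). The event-type names, component names and sample entries are this example's own.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
import hashlib, json

# Event categories Policy Area 4 requires to be logged (names chosen for this example)
EVENT_TYPES = {"logon", "resource_access", "password_change", "privileged_action", "audit_log_access"}
REQUIRED_FIELDS = ("timestamp", "component", "event_type", "subject_id", "outcome")  # required content
GENESIS = "0" * 64

def _digest(rec):
    body = {k: rec[k] for k in REQUIRED_FIELDS + ("prev_hash",)}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def make_record(component, event_type, subject_id, outcome, prev_hash=GENESIS, when=None):
    """One audit record with all five content items, hash-chained to its predecessor (5.4.5)."""
    if event_type not in EVENT_TYPES or outcome not in ("success", "failure"):
        raise ValueError("event_type or outcome outside the Policy Area 4 list")
    ts = (when or datetime.now(timezone.utc)).isoformat()  # 5.4.4: system clock time stamp
    rec = {"timestamp": ts, "component": component, "event_type": event_type,
           "subject_id": subject_id, "outcome": outcome, "prev_hash": prev_hash}
    rec["hash"] = _digest(rec)
    return rec

def missing_fields(rec):
    """Required content items that are absent or empty."""
    return [f for f in REQUIRED_FIELDS if not rec.get(f)]

def chain_intact(records):
    """True only if every record is complete, hashes correctly and links to the one before it."""
    prev = GENESIS
    for rec in records:
        if missing_fields(rec) or rec.get("prev_hash") != prev or rec.get("hash") != _digest(rec):
            return False
        prev = rec["hash"]
    return True

def failed_logons_by_subject(records, threshold=3):
    """Weekly-review helper (5.4.3): subjects with repeated failed logons."""
    hits = Counter(r["subject_id"] for r in records if r["event_type"] == "logon" and r["outcome"] == "failure")
    return {s: n for s, n in hits.items() if n >= threshold}

def sample_log():
    """Constructed sample: four events from a fictional records-management system."""
    t0 = datetime(2015, 3, 2, 9, 0, tzinfo=timezone.utc)
    events = [("rms-app", "logon", "jdoe", "failure")] * 3 + [("rms-db", "privileged_action", "dba1", "success")]
    log, prev = [], GENESIS
    for i, (comp, ev, subj, out) in enumerate(events):
        log.append(make_record(comp, ev, subj, out, prev, t0 + timedelta(minutes=i)))
        prev = log[-1]["hash"]
    return log
```

    In a real deployment the chain head would be written to storage the audit process cannot modify, since a hash chain only shows that records changed, not who changed them.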

    5.4.6 Audit Record Retention

    “The agency shall retain audit records for at least one (1) year.”

    5.4.7 Logging NCIC and III Transactions

    A log must be maintained for a minimum of one year on all NCIC and III transactions; additional log data is required on all III transactions.

    A security software solution that allows for automated audit reports—complete with all the required data like date, time, user ID, etc.—and gives complete visibility into who is using and changing passwords, logging into the system, changing permissions, and more can help an agency easily meet the compliance requirements set forth in Policy Area 4. Find out how in our free guide for law enforcement IT professionals, “Password Security and the New CJIS Security Policy.”
