Complying with the CJIS Security Policy: How to Know When You’re CJIS-ready

Are you CJIS compliant? (It’s pronounced “see-jis” and it’s the acronym for Criminal Justice Information Services.) That’s a question that criminal justice agencies (including law enforcement agencies, which are a subset of the criminal justice community) often pose to their current and potential information technology vendors/companies. I see this question popping up all of the time. But the fact of the matter is: there really isn’t an industry-standard CJIS compliance process.

This question came up often during the 22 years I worked as a CJIS Information Security Officer for the Florida Department of Law Enforcement. My answer to criminal justice agencies and vendors alike was always the same: there is no entity, either at the state or national level, that “certifies” a company or product as CJIS compliant.

So how does a company demonstrate its commitment to CJIS compliance? Before I go there, I really need to give you some background.

There is a set of unique security standards that focuses on protecting specific data known as criminal justice information (CJI). The protections required for CJI can be found in the CJIS Security Policy (CSP), also referred to as the FBI CJIS Security Policy. While the FBI is the custodian of the CSP, the document is actually the creation of the CJIS Advisory Policy Board (APB).

The APB is a national body made up of representatives from each state, and it is this group that “owns” and approves the requirements of the CSP. I say this because it’s not the FBI making the policies; it’s the representatives of the national criminal justice community. The CSP is unique in that fashion, and this is one of the key things that make it different from other national security standards.

Many entities, especially IT vendors, tend to figure that some of the national standards are parallel, if not comparable. I’ve worked with a number of entities over the years who’ve told me about their compliance with other standards and assumed that, because they’ve met the requirements for one or more of these standards (e.g. HIPAA, FedRAMP, FISMA, SSAE 16, or PCI, to name a few), they are sufficiently protecting their CJI. While there may be many similarities between these standards and the CSP, there are also many differences. When dealing with CJI, law enforcement agencies have to comply with the CSP; it does not equate to other standards.

Any entity that uses, processes, stores, or transmits CJI has to comply with the CJIS Security Policy. One of the primary groups using CJI is (you guessed it!) criminal justice agencies. Additionally, the applications and services used by criminal justice agencies to transmit, process, or store CJI must comply with the CJIS Security Policy as well. For example, an application that cannot meet the CSP password requirements is automatically out of compliance, and therefore problematic for a criminal justice agency. Agencies need to know whether or not a vendor’s offering can comply with the CSP.

Another “catch” that comes with CJIS is that each state is individually responsible for compliance within its own jurisdiction, and each state is individually held accountable by the FBI. Because compliance is enforced state by state, there is no single entity that can bestow a national “compliance” seal of approval, and the FBI does not have the resources to run a national certification process.

Given these facts, what options does a criminal justice agency or vendor have for demonstrating its CJIS understanding?

There are over 550 requirements called “shall statements” within the CSP. Some of these apply to the FBI, some to the states, but most of them apply to the entities that are using CJI, and that includes companies contracted to provide IT-related services. Knowing how to apply the CJIS Security Policy and what to apply it to can be daunting if you’re not familiar with the multitude of specific CJIS requirements. Adding to that complexity is the fact that the CSP is “tweaked” every year. The APB (that I mentioned earlier) is constantly updating the CSP to keep pace with changing technology.

This is the reason that CJIS ACE was created: to fill this gap. We work with all entities that use CJI and are required to comply with the CJIS Security Policy. Our review essentially takes an entity’s process(es) and “holds them up to” the CSP. We go through all of the requirements identified in the CJIS Security Policy to determine the entity’s overall compliance.

Additionally, our process is as much about knowledge transfer as it is about process review for compliance. We want to pass on our knowledge of the CJIS Security Policy to allow entities to understand how to achieve compliance for their current and future solutions and technology.

We “look in the corners” that are out of the way, and “pull on those threads” that typically don’t get pulled on. We look for those places where CJI is hidden. Some of those places are obvious, for example, record management systems. But where else might CJI be hiding? Maybe in places you would not expect, like a human resources database. Uncovering all of the places where your CJI may be hiding is key because that’s where you have to apply the CSP.

Trust me when I say that law enforcement does not appreciate finding out that they have CJI in an unexpected application or service that has not been accounted for, especially when this comes to light during an audit.

Recently, CJIS ACE put the NICE Investigate solution and its associated infrastructure through this process. I spent two days with NICE employees at NICE’s New Jersey headquarters office “looking in corners,” “pulling on strings,” and going through every shall statement in the CSP to produce a Compliance Profile for the NICE Investigate offering. During this comprehensive and intensive in-depth CJIS ACE evaluation, our CJIS Audits Compliance team conducted a 553-point review of NICE Investigate, covering all CJIS policy areas.

From there, we developed Mitigation Strategies, essentially a roadmap based on the Compliance Profile. Using the Mitigation Strategies, NICE now knows how to meet the requirements of the CJIS Security Policy. Most importantly, we transferred our CJIS knowledge base to NICE. They now have a much more extensive understanding of the CSP.

As a result of all of this, NICE has earned the CJIS ACE Compliance Seal for its NICE Investigate solution. CJIS ACE awards its CJIS ACE Compliance Seal to agencies and companies that have demonstrated an executive commitment to, and have real-world working knowledge of, CJIS Security Policy compliance and its criticality to the law enforcement community. As a recipient of the CJIS ACE seal, NICE has demonstrated that it can step up to the myriad of requirements found in the CJIS Security Policy.

If you want to learn more about CJIS ACE, visit us online or email me at lcoffee@diversecomputing.com. Whether you work for a law enforcement agency, or a company that has law enforcement agency customers, or even a private entity that does fingerprint-based background checks, we can help you navigate the vast requirements of the CJIS Security Policy, just like we helped NICE.
