CJIS Security Policy

For personnel working with information systems containing Criminal Justice Information (CJI), the most significant portion of the CJIS Security Policy is chapter five. This chapter is organized into 13 policy areas, each of which defines the standards for that area. Below is a brief summary of each Policy Area's standards:

Policy Area | Summary
--- | ---
1: Information Exchange Agreements | Proactively formalize the sharing of data, and incorporate the CJIS Security Addendum into contracts.
2: Security Awareness Training | Training must be adequate for the individual's level of use of Criminal Justice Information (CJI).
3: Incident Response | Plan, act, and communicate. A security incident may affect interconnected systems.
4: Auditing and Accountability | Systems storing CJI must record user and administrator activities and retain those logs for at least one year.
5: Access Control | To ensure proper security, follow least privilege and review access authorizations regularly.
6: Identification and Authentication | Force complex passwords, and use advanced authentication and/or mobile device management when physical security is not available.
7: Configuration Management | Know what is in the agency's CJIS network.
8: Media Protection | Digital and physical media (disk and paper) must be kept secure until they are securely destroyed.
9: Physical Protection | Control and secure access to areas with CJIS systems.
10: Systems and Communications Protection and Information Integrity | Encryption must be NIST-certified FIPS 140-2 in transit, and FIPS 197 at rest when information is stored or held outside the physically secure location. Intrusion and malware protections are also required.
11: Formal Audits | Any system containing CJI may be audited by the FBI or CBI.
12: Personnel Security | Fingerprint-based background checks are required for all personnel with access to CJI in any format.
13: Mobile Computing | Ensure the security of wireless communications and mobile devices.

The entire CJIS Security policy is found here: http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view

These standards apply to both criminal justice agencies and non-criminal justice agencies that have access to CJI, with some variation due to the different levels and standards for access. The Denver Police Department is one example of a criminal justice agency, and the Colorado Department of Education an example of a non-criminal justice agency.

The standards also apply to private businesses providing services to criminal justice and non-criminal justice agencies. The CBI has programs for businesses working with both types of agencies. For criminal justice agency vendors, the CBI maintains the CJIS Vendor Program.

Operational Assistance with the CJIS Security Policy

The CJIS Security Policy is designed to contain standards that do not designate a specific technology but can be applied in diverse environments. For that reason, the CBI fields many questions regarding the application of the policy in specific circumstances. To assist in the implementation of the policy, the CBI has created the Colorado CJI Hot Topics Blog to provide agencies accessing criminal justice information with consistent information regarding areas of frequent interest.

The blog may be accessed here: http://cjiscolorado.blogspot.com/

For specific CJIS Policy questions, please contact:

CJIS Compliance Officer: 
Ted DeRosa 
CJIS Security Policy Compliance
Phone: (303) 239-4299 
Email: ted.derosa@state.co.us