Virtru Security Insights

4 Challenges to Maintaining CJIS Compliant Email

The Criminal Justice Information Services (CJIS) Division is essential to the United States’ ability to fight crime. The largest FBI division, it shares fingerprint data, criminal background checks, and other vital pieces of information with law enforcement and national security organizations. CJIS uses state of the art data security to prevent this data from falling into the wrong hands, and it expects its law enforcement partners to do the same.

But complying with CJIS requirements is difficult; it requires cutting edge software, carefully controlled access points, and extensive training and supervision of anyone who comes in contact with criminal justice information. Here are four of the biggest challenges to CJIS compliance:

1. Implementing Encryption

The cost of CJIS compliance can vary greatly based on the size and complexity of an organization. CJIS compliant organizations need to employ encryption for a variety of purposes, including:

  • Establishing access control mechanisms to restrict users
  • Protecting user authentication at Access Points (APs)
  • Storing digital information
  • Transporting digital information

For a small organization, it’s reasonably easy to budget and set up CJIS compliant infrastructure. A small town police force, for example, could secure Criminal Justice Information (CJI) in a single secure on-premise storage server, and provide a few inexpensive APs for officers to access data.

A state police force or major metropolitan police department, however, would be responsible for encrypting a huge range of systems and devices, which would require secure storage for vast amounts of CJI. For such a large and complex organization, it can be difficult to budget for all the costs of implementation.

2. Training and Knowledge Sharing

CJIS compliance can require extensive retraining of staff, and that costs a lot of both time and money. Each agency needs to appoint a CJIS Systems Officer (CSO) in charge of:

  • Standards for personnel who have access to CJI within the agency
  • Policies for hardware and software that transmits, processes and stores CJI
  • Standards for outsourced companies that have access to CJI

In essence, CJIS compliance requires you to ensure that everyone is on the same page, from LEOs, to IT contractors who install or repair hardware and software, to cloud storage companies. You must make sure that all of the security systems in all of the offices are up to code.

You’ll need to establish systems to make sure no one is breaking CJIS rules by accessing CJI data on an unsecured personal device, or sending unencrypted data over the Internet, for example. Needless to say, for a state law enforcement department or other large agency, this is no small feat.

3. Making CJIS Data Available

Law enforcement must balance security with the need for easily accessible information. It’s relatively easy to create an AP in a secure location that can be conveniently monitored, but that system may not give law enforcement quick enough data access. You’ll have to weigh the risks, costs, and benefits of providing more APs or more radio support, or making a greater range of information available on agency-issued portable devices.

More data access means more opportunities for data breaches. CJIS compliance requires you to come up with incident response plans, should a device with sensitive information falls into the wrong hands. If one of your portable computers is lost or stolen, how will you retrieve it? How will you protect the information on it from falling into the wrong hands?

4. Technology fracturing

CJIS compliance rules specify security requirements, but they let agencies choose what systems to use. This can make it challenging to share information between organizations. As more cloud storage providers become CJIS compliant, law enforcement will store vast amounts of information across multiple systems. Although there are a variety of law enforcement information sharing platforms, a lot of work still needs to be done to streamline data sharing.

In a major emergency, such as a terrorist attack, LEOs may have to pour through video evidence from cell phones, surveillance cameras, and law enforcement; incident reports; computer logs; and other data. It could be spread across a range of state, local, national, and international platforms. Needless to say, this can be a major obstacle to a quick, coordinated response.

Virtru Email for CJIS Compliance

Adapting to the demands of CJIS compliance without losing the ability to easily share information is one of the biggest challenges facing law enforcement.  Virtru email encryption can help. Designed to integrate easily into your existing email system, Virtru allows LEOs to send secure emails immediately, with no need for extra training. Virtru Pro gives law enforcement even more tools to control sensitive data, letting them revoke emails, prevent forwarding, and schedule expiration dates. Virtru also makes it possible for users who would otherwise have to remain on-prem to move to the cloud.  Get Virtru, for quick, easy, and CJIS compliant communication across agencies.