Each day, criminal justice and law enforcement agencies on the local, state and federal levels access the Criminal Justice Information Services (CJIS) databases for information necessary to catch lawbreakers, perform background checks and track criminal activity. Obviously, it’s important that this data not fall into the wrong hands — while the loss of business intelligence can mean a major financial hit, the security of CJIS data could mean the difference between thwarting a criminal operation and allowing another to occur.
CJIS compliance keeps networks on the same page when it comes to data security and encryption, and ensures that sensitive criminal justice intel is locked down. But before we dig into the checklist of rules to follow to become CJIS compliant, let’s take a closer look at the CJIS.
CJIS — What It Is and How to Stay CJIS Compliant
Established in 1992, CJIS is the largest division of the FBI, and comprises several departments, including the National Crime Information Center (NCIC), Integrated Automated Fingerprint Identification System (IAFIS) and the National Instant Criminal Background Check System (NICS). CJIS monitors criminal activities in local and international communities using analytics and statistics provided by law enforcement, and their databases provide a centralized source of criminal justice information (CJI) to agencies around the country.
The world has changed a lot since 1992, and the proliferation of the Internet and the cloud, combined with the growing rate and sophistication of cyber security threats, have made protecting CJIS data more complicated than ever. Because of this growing concern, CJIS came up with a set of security standards for organizations, cloud vendors, local agencies and corporate networks.
The policies set forth by CJIS cover best practices in wireless networking, remote access, data encryption and multiple authentication. Some basic rules include:
- A limit of 5 unsuccessful login attempts by a user accessing CJIS
- Event logging various login activities, including password changes
- Weekly audit reviews
- Active account management moderation
- Session lock after 30 minutes of inactivity
- Access restriction based on physical location, job assignment, time of day, and network address
The CJIS Advanced Authentication Requirement
FBI Security Policy section 18.104.22.168.1, or the Advanced Authentication Requirement, compels agencies to use multi-factor authentication when accessing CJI. A quick example of multi-factor authentication is your debit card. While shopping with your credit card (in the U.S., at least) requires only what you have (the number on your credit card), your debit card also requires something you know (your PIN). If a thief steals your debit card, they can’t use it until they also get your PIN.
One common type of multi-factor authentication involves a software application or physical device that generates a unique, one-time password at timed intervals. This wildcard password (what you have) adds a second level of complexity to your password (what you know), providing multiple barriers of entry to potential data thieves.
CJIS Compliance and Data Encryption
The CJIS has also established requirements for the use of data encryption when storing and using sensitive data, as well as including CJI in communications. A minimum of 128 bit encryption is required, and keys used to decrypt data must be adequately complex (at least 10 characters long, a mix of upper and lowercase letters, numbers and special characters) and changed as soon as authorized personnel no longer need access.
Like multi-factor authentication, data encryption adds an extra layer of security to your data — if a criminal gains access to an encrypted file or communication, that information is useless without the key to decrypt it.
Email presents its own CJIS compliance challenges. A tremendous amount of criminal justice information is exchanged via email and standard email services do not offer the encryption required by CJIS. Most third-party encryption services are either difficult to use, expensive, or both. Many also require senders or receivers to establish new accounts to view CJIS-compliant emails. Virtru offers an alternative: cost effective, easy-to-use email encryption that works with existing email services.
Personnel and Training Considerations
Knowing what your agency needs to maintain CJIS compliance is one thing, but putting it into practice is another. It’s critical that you provide frequent staff training on CJIS best practices, make sure there’s ample documentation and knowledge sharing and implement agency-wide security protocols and password requirements.
Organizations can hire IT consultants, devote a department strictly for CJIS compliance and build the necessary infrastructure required to support the official policies. Alternatively, they can outsource their data protection services to companies that specialize in CJIS compliance. This is a great long-term solution for agencies and contractors that want to streamline their CJIS compliance efforts without making huge investments in staffing and infrastructure.
Loss of access to CJI can cripple an agency’s ability to do its job — not to mention jeopardize public safety. If CJI access is part of your agency’s operations, always err on the side of caution when it comes to data security, and stay on top of your compliance audits. Security investment, however hard on your budget, is always preferable to a leak or loss of critical criminal justice intelligence.
Virtru is a robust data encryption service for secure email communications. The security company offers client-side encryption that helps organizations comply with CJIS, HIPAA and FERPA regulatory requirements for encrypted email.
Download our free guide now and learn how to keep your organization CJIS compliant.