
Importance of CJIS Compliance
If your organization has access to sensitive data from government agencies, you will most likely have to adhere to the Criminal Justice Information Services (CJIS) compliance requirements.
In this context, sensitive data, or Criminal Justice Information (CJI), is essentially any information that cannot be publicly disclosed except under certain circumstances like by court order or when necessary for public safety. In particular, it refers to Federal Bureau of Investigation (FBI) data such as biometrics, biographics, case records, and other identifiable information about individuals, vehicles, or properties related to criminal activity.
Contrary to what may be assumed, CJIS is relevant not only to law enforcement agencies but to civil agencies as well. State and local governments in particular are increasingly becoming targets. Attackers who gain access to state and local government networks could potentially use those agencies’ CJIS credentials to infiltrate the FBI’s networks. And while it would probably be challenging to shut down the entire FBI, the more immediate threat is ransomware attacks, in which CJI data could be encrypted or even exposed.
The specific guidelines for protecting data that falls under the category of CJI are outlined in the FBI’s CJIS Security Policy.
Quick Overview of the CJIS Security Policy
The CJIS Security Policy defines the minimum security requirements for accessing and handling FBI criminal justice information throughout the entire CJI lifecycle, from creation to viewing, modification, transmission, dissemination, storage, and destruction.
Currently, the CJIS Security Policy consists of 19 modules, or Policy Areas. While some policy areas apply to all organizations that use the FBI CJIS systems, other components are only relevant to specific configurations or interactions.
Key components of the CJIS Security Policy
Policy Area 3: Incident Response (IR)
- IR Handling: Agencies are required to establish an operational incident response plan for managing, monitoring, documenting and reporting incidents. The plan should address every stage of the IR process, including preparation, training, detection, evidence collection, analysis, containment, eradication, and recovery.
- IR Assistance: Agencies should employ an IR assistance team that will provide expert advice and support in the handling, investigation, and reporting of incidents.
Policy Area 4: Auditing and Accountability
- Agencies should implement audit and accountability controls to ensure that users do not deviate from their authorized behavior patterns.
- Audit logs should be retained for a minimum of 365 days, and include authentication logs for both successful and unsuccessful access attempts to systems and resources, password changes, attempts to access or modify user/resource/directory permissions, and actions involving privileged accounts.
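As an added illustration (not part of the original post or of the CJIS Security Policy), the following check runs over exported audit records and reports which of the event categories listed above are absent and how many days the retained history falls short of 365. The line format and the category labels are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

RETENTION = timedelta(days=365)  # minimum retention stated in Policy Area 4

# Event categories named in the bullet above; the labels are this example's own.
REQUIRED = {
    "auth_success", "auth_failure", "password_change",
    "permission_change_attempt", "privileged_action",
}

def parse(line):
    """Parse '<ISO 8601 timestamp> <category> <account>' (constructed format)."""
    ts, category, account = line.split()
    return datetime.fromisoformat(ts), category, account

def audit_gaps(lines, now):
    """Return (missing categories, days short of 365, unrecognised categories)."""
    records = [parse(l) for l in lines if l.strip()]
    seen = {category for _, category, _ in records}
    missing = sorted(REQUIRED - seen)
    unknown = sorted(seen - REQUIRED)
    if not records:
        return missing, RETENTION.days, unknown
    oldest = min(ts for ts, _, _ in records)
    # Shortfall is zero once the oldest retained record is at least 365 days old.
    shortfall = max(RETENTION - (now - oldest), timedelta(0)).days
    return missing, shortfall, unknown

# Constructed sample export: no password changes or privileged actions recorded,
# and the oldest retained record is only about nine months old.
SAMPLE = """
2024-06-01T09:12:00+00:00 auth_success jdoe
2024-06-01T09:15:30+00:00 auth_failure jdoe
2024-11-20T14:02:11+00:00 permission_change_attempt asmith
2025-02-27T22:40:05+00:00 auth_failure svc-backup
""".splitlines()

if __name__ == "__main__":
    now = datetime.fromisoformat("2025-03-01T00:00:00+00:00")
    missing, shortfall, unknown = audit_gaps(SAMPLE, now)
    print("missing categories:", missing)
    print("days short of 365-day retention:", shortfall)
    print("unrecognised categories:", unknown)
```

A missing category can mean either that no such event occurred or that the source is not logging it, so each gap needs to be confirmed against the logging configuration of the system that should emit it.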
Policy Area 5: Access Control
Integrate mechanisms to restrict access to CJI data, as well as to systems, applications, and services that provide access to CJI, including:
- Account Management: Maintain visibility into all accounts in your environment and perform annual validations.
- Access Enforcement: Assign and manage access privileges based on the least privileges necessary for each system, application or process to operate.
- Remote Access: Implement automated monitoring & access policies.
Policy Area 6: Identification and Authentication
To gain access to systems, services, and resources, users must be identified and authenticated in accordance with the Advanced Authentication requirement. As outlined in Section 5.6.2.2 of the CJIS Security Policy, advanced authentication is mandatory and subject to audit as of October 1, 2024. Advanced authentication consists of:
- Multi-Factor Authentication (MFA): Requires the use of two or more different factors to authenticate successfully. The CJIS Security Policy breaks down authentication factors into the following categories: something you know (such as a personal identification number [PIN]), something you have (such as an authenticator or token), and something you are (such as biometrics).
- Risk-based Authentication (RBA): Authentication requests are accepted based on the risk calculated by a combination of factors such as network information, user information, user profiling, request patterns, geolocation, browser metadata, IP addresses previously authenticated successfully, and other adaptive authentication techniques.
Conclusion
The CJIS Security Policy sets the minimum requirements for accessing and handling FBI criminal justice information. Key components include access control, identification and authentication, the adoption of advanced authentication measures such as MFA and risk-based authentication, incident response, visibility into all accounts, and auditing.
CJIS compliance helps prevent unauthorized access to this sensitive data and protect organizations from potential threats such as ransomware attacks and sanctions.
*** This is a Security Bloggers Network syndicated blog from Silverfort Blog - Cyber Security News authored by Don Hoffman. Read the original post at: https://www.silverfort.com/blog/how-silverfort-helps-law-enforcement-comply-with-advanced-authentication/