New CJIS Requirements: What You Need to Know (2024)

In a recent Compass IT Compliance blog, we delved into the fundamentals of the Criminal Justice Information Services (CJIS) Security Policy (CSP), its applicability, and the criticality of CJIS Compliance, terminology, and the thirteen policy areas applicable at the time of that writing. Since then, the landscape of data security, particularly in CJIS compliance, has evolved significantly. In December 2023, the FBI introduced an updated version (5.9.4) of the CSP, augmenting thirteen policy areas with six new ones and refining language across the board. While certain new requirements will not face audits or sanctions until October 1, 2024, organizations must prepare to meet these evolving compliance standards. Additionally, anticipation surrounds the forthcoming release of Version 6.0 of the CSP.

Recapitulation

To recap, the FBI CJIS CSP delineates security standards applicable to entities accessing or supporting FBI CJIS Division services and information. Encompassing a spectrum of activities related to Criminal Justice Information (CJI), the CSP mandates minimum security requirements for handling CJI, spanning creation, viewing, modification, transmission, dissemination, storage, and destruction. Every entity, whether a contractor, private entity, noncriminal justice agency, or member of a criminal justice entity, accessing or supporting criminal justice services and information falls under the purview of this policy.

Defining Criminal Justice Information

CJI encompasses a broad array of data types, including biometric, identity history, personal, organizational, property, and case/incident history data. This comprises data provided by the FBI's CJIS Division essential for civil agencies' mission execution, such as data utilized in hiring decisions. CJI warrants safeguarding until it is either publicly disclosed through authorized channels like crime reports or disposed of according to relevant record retention regulations. The CSP outlines requisite security measures to manage and uphold CJI integrity.

Distinguishing Criminal Data from PII

Discerning between personally identifiable information (PII) and CJI is pivotal. CJI is crime-associated data accompanied by PII; stripped of its PII, the same data becomes criminal statistics, which fall outside the scope of the CJIS Security Policy.

Audits and Compliance

Formal audits of CJIS subscribers occur every three years, complemented by annual agency self-reports. Acknowledging organizational disparities, audits employ a "risk vs realism" paradigm, encouraging the identification of lacking requirements as risks with corresponding remediation plans. While no official "CJIS Certification" exists, Compass IT Compliance offers CJIS Readiness assistance, identifying improvement opportunities and devising action plans.

Noncompliance Ramifications

Noncompliance with the CSP carries severe penalties, including criminal charges, denial of FBI database/CJIS system access, fines, formal disciplinary action, and suspension or revocation of CJI access.

Illustrative Cases of Misuse

Instances of unauthorized CJIS data access or misuse underscore the gravity of safeguarding sensitive information. High-profile cases elucidate the risks, emphasizing the imperative for robust security measures and accountability frameworks.

While specific instances of unauthorized access or misuse of CJIS data may not always be readily available due to the sensitive nature of the information involved, there have been notable cases where breaches or misconduct have occurred:

Year | Location | Type of Misconduct | Details
2015 | Virginia Department of Motor Vehicles | Employee Misuse | Employee was convicted of accessing the state's driver's license database without authorization. The employee used the database to conduct background checks on individuals for non-work-related reasons.
2016 | Louisiana Sheriffs | Improper Access by Family Members | A Sheriff's deputy was terminated and charged with malfeasance for allowing his wife to access the CJIS database without authorization. The deputy's wife used his credentials to conduct unauthorized searches on individuals, including her family members.
2017 | Florida | Unauthorized Access by Law Enforcement Personnel | A former Florida police officer was sentenced to probation after pleading guilty to accessing a law enforcement database for personal use. The officer used the database to conduct background checks on individuals, including her boyfriend's ex-girlfriend, without proper authorization.
2018 | Washington State | Data Theft by Contractors | A former Washington State Patrol contractor was charged with theft and computer trespass for stealing sensitive information, including CJIS data, from the agency's database. The contractor allegedly downloaded and copied thousands of files containing criminal history records.
2018 | Florida | Misuse of Database | A former Florida Department of Law Enforcement crime analyst accessed the CJIS database to conduct unauthorized searches on individuals, including celebrities and local officials, out of curiosity.
2019 | Minnesota Department of Public Safety | Data Breach | A data breach involving the unauthorized access of CJIS data affected approximately 1,500 individuals, exposing personal information stored in the state's driver's license database.
2019 | Georgia | Misuse by Government Employees | A former Georgia court clerk was indicted for accessing and disseminating criminal records for personal gain. The clerk allegedly accessed the CJIS database to provide confidential information to a third party for a fee.
2020 | Washington State | Data Breach | Washington State Patrol disclosed that a former employee had accessed and downloaded confidential CJIS data without authorization. The breach affected thousands of individuals.

These cases illustrate the potential risks associated with unauthorized access and misuse of CJIS data by individuals within law enforcement agencies or other organizations with access to CJI. They underscore the importance of robust security measures, strict access controls, oversight, and accountability measures to prevent the improper use of CJIS data and safeguard individuals' privacy rights. Law enforcement agencies and organizations must continuously educate their personnel about properly using sensitive information and enforce consequences for violations.

The Basics

Each state or territory has a CJIS Systems Agency (CSA). A CSA is a criminal justice agency that oversees the administration and usage of the CJIS Division programs within a state, district, territory, or country. As more law enforcement and other organizations migrate to cloud technology and rely on third parties as service providers, the obligation to be CJIS compliant extends to many businesses beyond the criminal and law enforcement sectors.

As data security evolves, so do CJIS compliance standards. Organizations must familiarize themselves with existing and new requirements. The following are some basic controls that CJIS organizations should be aware of and adhere to:

Control | Description
Agreements | Used at each CSA and/or local agencies, such as Interchange Agreements, Memorandums of Understanding (MOU), and CJIS Security Addendums.
Audit Trails | Implement and retain audit trails for access to CJI.
Authorized Personnel List | Identify and maintain listings of those authorized to access, handle, or destroy CJI.
Awareness Training | Implement Awareness Training and maintain training records. Materials and training records must be completed prior to CJI access and every year thereafter.
Encryption | Employ full-device encryption to protect the confidentiality and integrity of information on full and limited-feature operating system mobile devices authorized to process, store, or transmit CJI.
Incident Response | Procedures to facilitate the implementation of the incident response policy addressing the Incident Response lifecycle.
Multi-factor Authentication (MFA) | The FBI requires all organizations that access CJI to implement Multi-factor Authentication (MFA) on all systems that contain CJI. This is effective as of October 1, 2024. MFA is required whenever the device is used to access CJI (whether from a corporate environment or a personal device).
Network Diagram | Identifies all networks and information systems used to store, access, process, or transmit CJI for criminal and non-criminal justice purposes. Additionally, the network diagram must document encrypted segments and the level to which they are encrypted. The diagram must include the agency's name, the date it was created/updated, and a "For Official Use Only" marking.
Personnel Sanctions | Employ a formal sanctions process for personnel failing to comply with established information security policies and procedures.
Physical and Environmental Controls | Implement a formal disciplinary process for the misuse of CJI systems or data.
Policies and Procedures | Implement, document, and maintain a CSP addressing the 19 policy areas.
Terminal Agency Coordinator (TAC) / Local Agency Security Officer (LASO) | The TAC serves as the point of contact at the local agency for matters relating to CJIS information access. The LASO is the primary Information Security contact between a local law enforcement agency and the CSA, under which this agency interfaces with the FBI CJIS Division. The LASO oversees compliance with the more technical areas such as information system audit logs, system access controls, remote access, and media protection, as well as the use of firewalls, prompt installation of newly released software security patches, and spam, virus, and spyware protections.
Understand the location of CJI | CJI must remain within the physical boundaries of the US, US territories, Indian Tribes, and Canada.

What are the Four Levels of CJIS Security Compliance?

To cater to different law enforcement agencies’ unique needs, CJIS Awareness Training is stratified into four levels, each with specific requirements. These levels are formulated to accommodate varying data types and corresponding security necessities. Thorough training at all levels protects CJI data and builds an organizational cybersecurity awareness culture.

Additionally, all individuals who have unescorted access (e.g., vendors, support personnel, custodians) to the CJIS system, either physically or electronically, are required to take CJIS security training.

Level | Title | Description | Examples
1 | Basic Training | Primarily intended for individuals needing rudimentary security training, focusing on the significance of security measures and adherence to CJIS policies. | Personnel entering the secured area, such as maintenance and admin assistants.
2 | Awareness Training | Tailored for those with physical access to CJI, instructing on data access and handling protocols. | Personnel handling paper: records clerks, filing clerks.
3 | Additional Awareness Training | Designed for authorized personnel who can alter or manage CJI, emphasizing responsibilities and security protocols. | Personnel running transactions on computers: dispatchers, officers.
4 | Advanced Awareness Training | Geared towards IT personnel and administrators responsible for overseeing the technical infrastructure supporting CJI systems, with education on system security, data integrity protection, and incident response. | Personnel working on networks and computers: internal, city, or government IT staff.

Enforcement Mechanisms

The FBI CJIS Division is authorized to conduct audits once every three years as a minimum. The audit scope encompasses policies, practices, data security, and physical/technical safeguards to assess agency compliance with applicable statutes, regulations, and policies.

Summary of Policy Areas

CSP v.5.9.4 encompasses nineteen policy areas, catering to diverse CJIS usage scenarios, from information exchange agreements to risk assessment protocols. Not every consumer of FBI CJIS services will encounter all the policy areas; therefore, the circumstances of applicability are based on individual agency/entity configurations and usage.

The six policy areas that are new in CSP v.5.9.4 (areas 14 through 19) are marked "(new in 5.9.4)":

Policy Area | Title | Description
1 | Information Exchange Agreements | Organizations sharing CJI with another organization or agency must establish a formal agreement to comply with CJIS security standards. A Management Control Agreement (MCA) is required if the agency is supported by city or county services (non-law enforcement) for IT, Consolidated Dispatch, Forensic Services, etc. A Security Addendum is required for agencies supported through third-party vendors or contractors when unescorted access or remote access is made available to CJI; it legally binds the vendor to the requirements of the CSP.
2 | Awareness & Training | All employees with access to CJI and those who can access, view, store, or process such information must have basic CJIS security awareness training upon hire or initial assignment and annually thereafter. The CSP describes four levels of training in more detail.
3 | Incident Response | Incident Response plans must be in place detailing the capabilities to identify, contain, mitigate, respond to, and recover from a data breach or attack.
4 | Auditing and Accountability | Generate audit records of all systems for defined events, including monitoring all access to CJI. Monitoring should consider who is accessing CJI, when they are accessing it, and why the user is accessing that data. Administrators should monitor access.
5 | Access Control | Controls to secure and manage users' access to information and systems within the network.
6 | Identification and Authentication | Implement authentication standards to access sensitive data, including multi-factor authentication (MFA).
7 | Configuration Management | Manage configuration changes such as software updates and adding or removing hardware. All procedures must be documented and protected from unauthorized access during configuration changes.
8 | Media Protection | Ensure the protection of CJI stored on all forms of media and the safe disposal of CJI when it is no longer in use.
9 | Physical and Environmental Protection | All physical locations of CJIS must have physical and personnel security controls to protect the CJI data (e.g., cameras, alarms, etc.). Environmental controls (such as proper HVAC levels) support the availability of systems and system components required to support organizational mission and business functions.
10 | System & Communications Protection | Implement network security and related components such as network segmentation, firewalls, anti-virus software, encryption, and intrusion prevention systems (IPS).
11 | Formal Audits | All organizations with users that store, process, transmit, or view CJI will be subject to occasional, formal security audits by the FBI CJIS Division to ensure all CJIS security measures are followed.
12 | Personnel Security | Conduct security screenings for all employees, contractors, and vendors accessing CJI. Screenings include state-of-residence and national fingerprint-based record checks and an NLETS query (NLETS is the International Justice and Public Safety Network; NLETS inquiries provide state systems' criminal histories, driver's licenses, and motor vehicle registrations).
13 | Mobile Devices | All mobile devices, including smartphones, laptops, or tablets with access to CJI, must adhere to an acceptable use policy and may include additional security policies, including the pre-existing security measures for on-premises devices.
14 | Systems & Services Acquisition (new in 5.9.4) | Support the integrity of systems with updated software patches, firmware updates, replacement parts, and maintenance contracts.
15 | System & Information Integrity (new in 5.9.4) | Monitor systems to detect attacks and indicators of potential attacks. Employ integrity verification tools to detect unauthorized changes to software, firmware, and information systems that contain or process CJI.
16 | Maintenance (new in 5.9.4) | Schedule, document, and review records of maintenance, repair, and replacement. Approve and monitor all maintenance activities, whether performed onsite or remotely.
17 | Planning (new in 5.9.4) | Plan and coordinate for emergency and non-emergency situations. Develop and implement security and privacy plans that describe how the controls and control enhancements meet the security and privacy requirements. Plans should include rules of expected behavior for use of all systems, including social media.
18 | Contingency Planning (new in 5.9.4) | Develop, document, implement, and periodically test a contingency plan. The contingency plan should identify essential missions, business functions, and associated contingency requirements.
19 | Risk Assessment (new in 5.9.4) | Categorize the systems containing CJI and the information stored, processed, or transmitted. Identify threats and vulnerabilities to the system(s). Perform vulnerability scanning and monitoring.

Closing Remarks

In an era marked by heightened cyber threats, CJIS compliance assumes paramount importance. Aligning with CSP best practices is not merely about compliance. Rather, it is about ingraining security within organizational DNA. As cyber threats proliferate, securing access to criminal justice data is foundational to preserving public safety and fortifying our cybersecurity posture.

Need professional advice on CJIS compliance? Compass IT Compliance is your go-to source. Our experts are adept at strengthening security measures and guaranteeing compliance with various industry standards and regulations. We recognize the distinct hurdles your entity might encounter and provide personalized assistance to suit your particular requirements. Committed to your compliance path, Compass IT Compliance is here to help you tackle the intricacies of CJIS compliance, turning obstacles into chances for advancement and improved security. Reach out now to discover how we can support your journey towards CJIS compliance!

FAQs

What are the new CJIS rules?

The FBI requires all organizations that access CJI to implement Multi-factor Authentication (MFA) on all systems that contain CJI. This is effective as of October 1, 2024. Required whenever the device is used to access CJI (whether from a corporate environment or a personal device).

What are the requirements for CJIS compliance?

CJIS: What It Is and How to Stay CJIS Compliant
  • A limit of 5 unsuccessful login attempts by a user accessing CJIS.
  • Event logging of various login activities, including password changes.
  • Weekly audit reviews.
  • Active account management moderation.
  • Session lock after 30 minutes of inactivity.
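Two of the controls in this list are numeric thresholds that an auditor can verify against authentication logs: the five-attempt lockout and the 30-minute session lock. The following Python script is an added example (not code from the original article or from Compass IT Compliance) that replays constructed log entries and reports where either threshold was crossed without the expected lockout or session lock taking effect; it is also a concrete instance of the access monitoring described under Policy Area 4 (Auditing and Accountability). The log format, the event names (LOGIN_FAIL, LOGIN_OK, ADMIN_UNLOCK, ACTIVITY, SESSION_LOCK, LOGOUT) and the sample entries are assumptions made for this illustration.

```python
"""Check constructed authentication events against two CJIS-style thresholds.

Added example, not from the original article: flags accounts that reach 5
failed logins without being locked, and sessions that resume after more than
30 minutes idle without a session lock. Log format and events are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILED_LOGINS = 5                       # lockout threshold from the FAQ list
SESSION_IDLE_LIMIT = timedelta(minutes=30)  # session-lock threshold from the FAQ list

# Constructed sample log (not real agency data): "<ISO timestamp> <user> <event>"
SAMPLE_LOG = """\
2024-10-01T08:00:00 alice LOGIN_FAIL
2024-10-01T08:00:10 alice LOGIN_FAIL
2024-10-01T08:00:20 alice LOGIN_FAIL
2024-10-01T08:00:30 alice LOGIN_FAIL
2024-10-01T08:00:40 alice LOGIN_FAIL
2024-10-01T08:01:00 alice LOGIN_OK
2024-10-01T08:05:00 bob LOGIN_FAIL
2024-10-01T08:05:30 bob LOGIN_OK
2024-10-01T08:06:00 bob ACTIVITY
2024-10-01T08:50:00 bob ACTIVITY
2024-10-01T09:00:00 carol LOGIN_OK
2024-10-01T09:10:00 carol ACTIVITY
2024-10-01T09:25:00 carol SESSION_LOCK
2024-10-01T10:00:00 carol LOGIN_OK
2024-10-01T10:05:00 carol ACTIVITY
"""


def parse_events(text):
    """Parse log lines into (timestamp, user, event) tuples in time order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    events.sort(key=lambda e: e[0])
    return events


def lockout_findings(events, limit=MAX_FAILED_LOGINS):
    """Return (findings, locked_at).

    locked_at maps each user whose consecutive failures reached `limit` to the
    time the lockout should have taken effect. A LOGIN_OK for such a user with
    no ADMIN_UNLOCK in between is a finding: the lockout is not being enforced.
    """
    streak = defaultdict(int)   # consecutive failures per user, reset by success
    locked_at = {}
    findings = []
    for ts, user, event in events:
        if event == "LOGIN_FAIL":
            streak[user] += 1
            if streak[user] >= limit and user not in locked_at:
                locked_at[user] = ts
        elif event == "LOGIN_OK":
            if user in locked_at:
                findings.append((user, ts, "successful login while account should be locked"))
            streak[user] = 0
        elif event == "ADMIN_UNLOCK":
            locked_at.pop(user, None)
            streak[user] = 0
    return findings, locked_at


def idle_session_findings(events, limit=SESSION_IDLE_LIMIT):
    """Flag ACTIVITY that resumes a session after more than `limit` of idle time
    with no SESSION_LOCK or fresh LOGIN_OK in between."""
    last_active = {}   # user -> last activity time in an unlocked session
    findings = []
    for ts, user, event in events:
        if event == "LOGIN_OK":
            last_active[user] = ts
        elif event == "ACTIVITY":
            prev = last_active.get(user)
            if prev is None:
                findings.append((user, ts, "activity without an authenticated session"))
            elif ts - prev > limit:
                findings.append((user, ts, f"activity after {ts - prev} idle with no session lock"))
            last_active[user] = ts
        elif event in ("SESSION_LOCK", "LOGOUT"):
            last_active.pop(user, None)   # next use requires re-authentication
    return findings


def run_checks(log_text=SAMPLE_LOG):
    """Run both checks and return the findings keyed by check name."""
    events = parse_events(log_text)
    lock_findings, _ = lockout_findings(events)
    return {"lockout": lock_findings, "session_lock": idle_session_findings(events)}


if __name__ == "__main__":
    for check, items in run_checks().items():
        for user, ts, reason in items:
            print(f"[{check}] {ts.isoformat()} {user}: {reason}")
```

Run against the constructed sample, the script reports alice logging in successfully after her fifth failure (lockout not enforced) and bob resuming work after 44 minutes idle with no session lock; carol's session, which was locked and re-authenticated, produces no finding. Pointing `run_checks` at an export of real authentication events turns the two FAQ bullets into a repeatable weekly audit review, which is itself one of the items in the list.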

How many questions is the CJIS test?

CJIS Security Test | 25 Questions | Verified Answers

FBI CJI data is sensitive information and security shall be afforded to prevent any unauthorized access, use or dissemination of the data.

What is the CJIS policy in 2024?

2.2 of the CJIS Security Policy, advanced authentication is mandatory and subject to audit as of October 1, 2024. Advanced authentication consists of: Multi-Factor Authentication (MFA): Requires the use of two or more different factors to authenticate successfully.

What is the latest CJIS Security Policy 5.9.2?

Law Enforcement Must Use MFA to Access Information Anywhere

In December 2022, CJIS again updated the security policy, to version 5.9.2, revising guidance as to when state and local law enforcement agencies must employ multifactor authentication when accessing criminal justice information.

What is 5.1.1.4 CJIS security policy?

5.1.1.4 – Interagency and Management Control Agreements

An NCJA (government) designated to perform criminal justice functions for a CJA shall be eligible for access to the CJI. Access shall be permitted when such designation is authorized pursuant to executive order, statute, regulation, or inter-agency agreement.

How long is CJIS certification good for?

Keep In Mind

CJIS Security Awareness training is required only once every two years regardless of how many agencies someone works with/for. Vendors/Contractors must be properly vetted before being granted unescorted access.

How many CJIS controls are there?

The CJIS Security Policy defines 13 areas that organizations selling products to government agencies must evaluate to determine if their service can be consistent with CJIS requirements.

What is CJIS level 4 certification?

Level 4: Advanced Security Training

Geared towards IT personnel and administrators responsible for overseeing the technical infrastructure supporting CJI systems, with education on system security, data integrity protection, and incident response.

What is Section 5.10 of the CJIS Security Policy?

Section 5.10.1.2.1 of the CJIS Security Policy sets out the requirements for encrypting CJI in transit. "When CJI is transmitted outside the boundary of the physically secure location, the data shall be immediately protected via encryption."

What is the list of NCIC messages?

(Hit confirmation procedures can be found in Section 3 of this Introduction.) There are six types of messages pertaining to NCIC that can originate from a user and can be transmitted to the NCIC System: entry, modification, cancellation, inquiry, locate, and clear.

What are the examples of CJIS data?

Used to identify individuals, to include: fingerprints, palm prints, iris scans, and facial recognition data. 2. Identity History Data-textual data that corresponds with an individual's biometric data, providing a history of criminal and/or civil events for the identified individual.

What is the CJIS security addendum?

The security addendum would specifically authorize access to CHRI, limit the use of the information to the specific purposes for which it is being provided, ensure the security and confidentiality of the information consistent with applicable laws and regulations, provide for sanctions, and contain such other ...

Is CJIS a security clearance?

CJIS certification is a requirement for organizations that access or use criminal justice information. The certification is administered by the FBI and is designed to ensure that organizations have the necessary security measures in place to protect CJI.

Article information

Author: Greg O'Connell