Attached for your records, please find the fully executed Management Control Agreement between
County of Anoka, Minnesota, acting on behalf of its Central Communications Department and the law
enforcement agencies who are part of the Anoka County Joint Law Enforcement Council ("JLEC").
Please note that this fully executed agreement is 96 pages in length because the CJIS and BCA security
policies are included.
Thank you,
Doreen 1. Borntrager
Executive Assistant
763-324-5366
Contract #00006230
MANAGEMENT CONTROL AGREEMENT
This Agreement is between County of Anoka, Minnesota, acting on behalf of its Central
Communications Department ("Central Communications") and the Anoka County Sheriff's Office;
Anoka Police Department; Blaine Police Department; Columbia Heights Police Department;
Centennial Lakes Police Department; Coon Rapids Police Department; Fridley Police Department;
Lino Lakes Police Department; Ramsey Police Department; St. Francis Police Department; and
Spring Lake Park Police Department; the law enforcement agencies who are part of the Anoka
County Joint Law Enforcement Council ("JLEC").
Agreement
1 Term of Agreement
1.1 Effective date: This Agreement will become effective on the date when the last party to
execute this Agreement signs the signature block below.
1.2 Expiration date: This Agreement ends five (5) years from the date of the last signature.
2 Scope of Agreement
The parties acknowledge that Central Communications provides emergency dispatch services
for law enforcement agencies throughout Anoka County, and that Central Communications has
a need, as part of its government function, to send and retrieve data from the Federal Bureau
of Investigation ("FBI").
The FBI provides a number of systems and services for use by criminal justice agencies around
the country for criminal justice purposes. The FBI has adopted the Criminal Justice Information
Services ("CJIS") Security Policy dated February 9, 2011 (the "Security Policy") that sets forth a
number of requirements Central Communications must meet in order to connect to the FBI's
criminal justice information repositories and functionalities. A copy of the 2011 version of the
Security Policy is attached and incorporated by reference, as are the International Justice and
Public Safety Network ("Nlets") requirements. The Bureau of Criminal Apprehension ("BCA")
at the Minnesota Department of Public Safety has adopted policies that further inform Central
Communications how the requirements are to be met, and those policies are attached and
incorporated by reference. Any future updates to these policies are automatically
incorporated into this agreement, and the undersigned agency or its JLEC designee will provide
Central Communications with a copy of the updated version.
The Security Policy requires that each state have a CJIS Systems Agency ("CSA"), a criminal
justice agency that provides the single connection point for criminal justice agencies in that
state to the FBI. The BCA is the CSA for Minnesota. The Security Policy also requires that each
CSA have a CJIS Systems Officer ("CSO"), who is an employee of the CSA, and an Information
Security Officer ("ISO"). The Security Policy requires that each criminal justice agency have a
Local Agency Security Officer ("LASO").
The Security Policy requires that when criminal justice functions, regardless of location, are
performed by a non-criminal justice agency ("NCJA"), there must be a management control
agreement. Because Central Communications is a NCJA, this management control agreement
is required. As stated in section 3.2 of the Security Policy, the responsibility to manage and
regulate the security controls remains with the undersigned agency and its partners within the
JLEC.
This Agreement covers the overall supervision associated with the development,
implementation, operation and maintenance of all Central Communications systems,
applications, equipment, design, programming and operational procedures that contain, are
integrated with or derived from criminal justice information ("CJI"), as defined by the Security
Policy, and that may be subsequently designed or implemented within Central
Communications.
The undersigned agency, together with its JLEC partners, has the authority, via managed
control, to set and enforce:
(A) Priorities;
(B) Standards for the selection, supervision and removal of Central Communications personnel
with access to CJI;
(C) Policy governing the operation of justice systems, computers, access devices, circuits, hubs,
routers, firewalls and any other components, including encryption, that comprise and support
the criminal justice data communications network operated for Central Communications and
related criminal justice systems. This includes, but is not limited to criminal justice systems that
process or transmit criminal history records or criminal justice information as those terms are
defined in the Security Policy and guaranteeing the priority, integrity and availability of service
needed by the criminal justice community;
(D) Access restrictions so that only authorized personnel, as determined by the undersigned
agency and its JLEC partners, have access to or use of Central Communications systems and
services;
(E) Compliance with all rules and policies governing access to CJI, the International Justice and
Public Safety Network (Nlets), BCA policy and the Security Policy in the operation of all systems
and services and for all information received, stored or transmitted. This includes a
requirement to be audited as provided in these policies and rules. These policies are the
threshold that must be met with respect to the operations and systems governed by this
Agreement.
(F) To demonstrate that the Security Policy and BCA policy requirements for management and
control have been met, the parties will use the following activities and measures.
All Central Communications employees with access to systems containing, integrated with or
derived from CJI, regardless of location, must meet the requirements of the Security Policy for
personnel security. This requirement will be included in all job postings for Central
Communications. A committee comprised of JLEC member representatives appointed by all
members of JLEC (the "Central Communications Committee") will participate in the hiring of
individuals to be assigned to Central Communications, including establishment of qualifications,
review of resumes to select candidates to be interviewed, contributions to interview
questions, and participation on interview panels. The PSAP/911 Manager at Central
Communications will make all decisions regarding which employees have access to CJI systems,
services and projects that contain, are integrated with or derived from CJI. If the employee's
criminal history reflects a situation described in Section 5.12 of the Security Policy, the
PSAP/911 Manager at Central Communications will follow the requirements of that section.
The Central Communications Committee will provide Central Communications with a point of
contact that will accept and respond to all personnel issues and concerns involving Central
Communications employees with access to CJI. The Central Communications Committee will
have input into performance evaluations and the discipline of Central Communications
employees with access to CJI. Following the requirements of section 5.12 of the Security
Policy, the Central Communications Committee (as the representative and point of contact for
all JLEC member signatories to this Agreement) may revoke access to Central Communications
systems and infrastructure that contain, are integrated with or derived from CJI, independent
of the Central Communications discipline decision.
To ensure the security of Central Communications systems, services and projects that contain,
are integrated with or derived from CJI, Central Communications employees will submit to
rigorous background checks at the time of hire. These initial checks include a national,
fingerprint-based criminal history records check, and all other requirements that may be
implemented in the future. Central Communications employees with access to CJI systems,
services and projects will submit to a national, fingerprint-based criminal history records check
with the same frequency required of law enforcement employed by members of the JLEC
agencies. Costs of personnel screening for all Central Communications employees will be the
responsibility of Central Communications.
All systems, devices, and infrastructure containing, integrated with or derived from CJI will be
built, operated and maintained in compliance with Security Policy and BCA policy
requirements. The LASO will participate in all discussions and sessions concerning the
development of or change in Central Communications requirements related to this Agreement
and will provide information to Central Communications about the impact of the proposals on
Central Communications' systems, services and projects. The undersigned agency, through the
Central Communications Committee, must provide Central Communications with all relevant
policies that might apply to Central Communications, including any updates. Central
Communications will have 60 days to determine if the agencies' policies are more stringent
and, if so, to implement the policies.
The Central Communications Committee is the final authority to determine operational
policies and interpretation and to determine if its policies are more stringent. All operational
policies will be provided to Central Communications by the Central Communications
Committee in writing. Notice of a required change will also be provided in writing and will be
sent at least sixty (60) days in advance of the required implementation date. The notice
requirement does not apply in the event of an emergency which is defined for purposes of this
Agreement as an event or series of events that have so negatively affected operations as to
jeopardize public and officer safety.
Compliance with access restrictions established by the Security Policy, BCA policy and Central
Communications Committee policies will be documented by Central Communications to show
each separate, unique access to CJI systems and infrastructure. This documentation will be
provided to the Central Communications Committee on request and any violation of the access
restrictions is grounds for employee discipline and may independently result in the CSO
revoking access for the individual. Current logging of system, server and physical access to the
server rooms, regardless of location, will meet the terms of this performance measure. New
logging requirements will be mutually agreed to by the parties.
In addition to the documentation of all policies and changes in policies, the undersigned
agency and Central Communications agree to document all standards, policies and procedures
that govern the operation of Central Communications systems in support of criminal justice
agencies in Minnesota. The setting of priorities and the resolution of issues will be
documented. All documentation will be available to the FBI or the BCA during any audit or on
request.
To ensure that all provisions of this Agreement are being met, the Authorized Representatives
will meet on a quarterly basis. All policy, operational and change issues may be discussed at
the quarterly meeting and all meetings will be documented.
3 Consideration and Payment
There is no cost to either agency for this Agreement; total cost $0.00.
4 Authorized Representative
Central Communications' Authorized Representative is Valerie Sprynczynatyk, PSAP/911
Manager, 325 E. Main St., Anoka, MN 55303, (763) 427-1212, or her successor.
The undersigned agency's Authorized Representative is the Central Communications
Committee of the Anoka County Joint Law Enforcement Council.
5 Amendments
Any amendment to this Agreement must be in writing and will not be effective until it has
been executed and approved by the same parties who executed and approved the original
Agreement, or their successors in office.
6 Liability
Each party will be responsible for its own acts and behavior and the results thereof, subject
to any indemnification policy applicable to such agency.
7 Termination
Any party may terminate this Agreement at any time, with or without cause, upon 30 days'
written notice to the other party.
Date: [illegible]   COUNTY OF ANOKA, MINNESOTA
By: [signature]
Rhonda Sivarajah
Chair, Board of Commissioners
By: [signature]
Jerry Soma
County Administrator
Date: [illegible]   ANOKA COUNTY JOINT LAW ENFORCEMENT COUNCIL
By: [signature]
Anthony Palumbo
Chair
Date: [illegible]   CITY OF ANOKA
By: [signature]
Police Chief/Public Safety Director
[Nine further city signature blocks follow in the same form (Date, City, signature of the Police Chief/Public Safety Director); the dates, city names and signatures are illegible in the scan.]
Date: [illegible]   ANOKA COUNTY SHERIFF'S OFFICE
By: [signature]
James Stuart
Sheriff
U. S. Department of Justice
Federal Bureau of Investigation
Criminal Justice Information Services Division
Criminal Justice Information Services (CJIS)
Security Policy
Version 5.6
06/05/2017
CJISD-ITS-DOC-08140-5.6
Prepared by:
CJIS Information Security Officer
Approved by:
CJIS Advisory Policy Board
EXECUTIVE SUMMARY
Law enforcement needs timely and secure access to services that provide data wherever and
whenever for stopping and reducing crime. In response to these needs, the Advisory Policy Board
(APB) recommended to the Federal Bureau of Investigation (FBI) that the Criminal Justice
Information Services (CJIS) Division authorize the expansion of the existing security management
structure in 1998. Administered through a shared management philosophy, the CJIS Security
Policy contains information security requirements, guidelines, and agreements reflecting the will
of law enforcement and criminal justice agencies for protecting the sources, transmission, storage,
and generation of Criminal Justice Information (CJI). The Federal Information Security
Management Act of 2002 provides further legal basis for the APB approved management,
operational, and technical security requirements mandated to protect CJI and by extension the
hardware, software and infrastructure required to enable the services provided by the criminal
justice community.
The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the
full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for
the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI.
This Policy applies to every individual (contractor, private entity, noncriminal justice agency
representative, or member of a criminal justice entity) with access to, or who operates in support
of, criminal justice services and information.
The CJIS Security Policy integrates presidential directives, federal laws, FBI directives and the
criminal justice community's APB decisions along with nationally recognized guidance from the
National Institute of Standards and Technology. The Policy is presented at both strategic and
tactical levels and is periodically updated to reflect the security requirements of evolving business
models. The Policy features modular sections enabling more frequent updates to address emerging
threats and new security measures. The provided security criteria assist agencies with designing
and implementing systems to meet a uniform level of risk and security protection while enabling
agencies the latitude to institute more stringent security requirements and controls based on their
business model and local needs.
The CJIS Security Policy strengthens the partnership between the FBI and CJIS Systems Agencies
(CSA), including, in those states with separate authorities, the State Identification Bureaus (SIB).
Further, as use of criminal history record information for noncriminal justice purposes continues
to expand, the CJIS Security Policy becomes increasingly important in guiding the National Crime
Prevention and Privacy Compact Council and State Compact Officers in the secure exchange of
criminal justice records.
The Policy describes the vision and captures the security concepts that set the policies, protections,
roles, and responsibilities with minimal impact from changes in technology. The Policy empowers
CSAs with the insight and ability to tune their security programs according to their risks, needs,
budgets, and resource constraints while remaining compliant with the baseline level of security set
forth in this Policy. The CJIS Security Policy provides a secure framework of laws, standards, and
elements of published and vetted policies for accomplishing the mission across the broad spectrum
of the criminal justice and noncriminal justice communities.
1 INTRODUCTION
This section details the purpose of this document, its scope, relationship to other information
security policies, and its distribution constraints.
1.1 Purpose
The CJIS Security Policy provides Criminal Justice Agencies (CJA) and Noncriminal Justice
Agencies (NCJA) with a minimum set of security requirements for access to Federal Bureau of
Investigation (FBI) Criminal Justice Information Services (CJIS) Division systems and
information and to protect and safeguard Criminal Justice Information (CJI). This minimum
standard of security requirements ensures continuity of information protection. The essential
premise of the CJIS Security Policy is to provide the appropriate controls to protect CJI, from
creation through dissemination; whether at rest or in transit.
The CJIS Security Policy integrates presidential directives, federal laws, FBI directives, the
criminal justice community's Advisory Policy Board (APB) decisions along with nationally
recognized guidance from the National Institute of Standards and Technology (NIST) and the
National Crime Prevention and Privacy Compact Council (Compact Council).
1.2 Scope
At the consent of the advisory process, and taking into consideration federal law and state statutes,
the CJIS Security Policy applies to all entities with access to, or who operate in support of, FBI
CJIS Division's services and information. The CJIS Security Policy provides minimum security
requirements associated with the creation, viewing, modification, transmission, dissemination,
storage, or destruction of CJI.
Entities engaged in the interstate exchange of CJI data for noncriminal justice purposes are also
governed by the standards and rules promulgated by the Compact Council.
1.3 Relationship to Local Security Policy and Other Policies
The CJIS Security Policy may be used as the sole security policy for the agency. The local agency
may complement the CJIS Security Policy with a local policy, or the agency may develop their
own stand-alone security policy; however, the CJIS Security Policy shall always be the minimum
standard and local policy may augment, or increase the standards, but shall not detract from the
CJIS Security Policy standards.
The agency shall develop, disseminate, and maintain formal, documented procedures to facilitate
the implementation of the CJIS Security Policy and, where applicable, the local security policy.
The policies and procedures shall be consistent with applicable laws, executive orders, directives,
policies, regulations, standards, and guidance. Procedures developed for CJIS Security Policy
areas can be developed for the security program in general, and for a particular information system,
when required.
This document is a compendium of applicable policies in providing guidance on the minimum
security controls and requirements needed to access FBI CJIS information and services. These
policies include presidential directives, federal laws, FBI directives and the criminal justice
community's APB decisions. State, local, and Tribal CJA may implement more stringent policies
and requirements. Appendix I contains the references while Appendix E lists the security forums
and organizational entities referenced in this document.
1.4 Terminology Used in This Document
The following terms are used interchangeably throughout this document:
• Agency and Organization: The two terms in this document refer to any entity that submits
or receives information, by any means, to/from FBI CJIS systems or services.
• Information and Data: Both terms refer to CJI.
• System, Information System, Service, or named applications like NCIC: all refer to
connections to the FBI's criminal justice information repositories and the equipment used
to establish said connections.
Appendix A and B provide an extensive list of the terms and acronyms.
1.5 Distribution of the CJIS Security Policy
The CJIS Security Policy, version 5.0 and later, is a publicly available document and may be
posted and shared without restrictions.
2 CJIS SECURITY POLICY APPROACH
The CJIS Security Policy represents the shared responsibility between FBI CJIS, CJIS Systems
Agency (CSA), and the State Identification Bureaus (SIB) of the lawful use and appropriate
protection of CJI. The Policy provides a baseline of security requirements for current and planned
services and sets a minimum standard for new initiatives.
2.1 CJIS Security Policy Vision Statement
The executive summary of this document describes the vision in terms of business needs for
confidentiality, integrity, and availability of information. The APB collaborates with the FBI CJIS
Division to ensure that the Policy remains updated to meet evolving business, technology and
security needs.
2.2 Architecture Independent
Due to advancing technology and evolving business models, the FBI CJIS Division is transitioning
from legacy stovepipe systems and moving toward a flexible services approach. Systems such as
National Crime Information Center (NCIC), National Instant Criminal Background Check System
(NICS), and Next Generation Identification (NGI) will continue to evolve and may no longer retain
their current system platforms, hardware, or program name. However, the data and services
provided by these systems will remain stable.
The CJIS Security Policy looks at the data (information), services, and protection controls that
apply regardless of the implementation architecture. Architectural independence is not intended
to lessen the importance of systems, but provide for the replacement of one technology with
another while ensuring the controls required to protect the information remain constant. This
objective and conceptual focus on security policy areas provide the guidance and standards while
avoiding the impact of the constantly changing landscape of technical innovations. The
architectural independence of the Policy provides agencies with the flexibility for tuning their
information security infrastructure and policies to reflect their own environments.
2.3 Risk Versus Realism
Every "shall" statement contained within the CJIS Security Policy has been scrutinized for risk
versus the reality of resource constraints and real-world application. The purpose of the CJIS
Security Policy is to establish the minimum security requirements; therefore, individual agencies
are encouraged to implement additional controls to address agency-specific risks. Each agency
faces risk unique to that agency. It is quite possible that several agencies could encounter the same
type of risk but, depending on their resources, would mitigate that risk differently. In that light, a
risk-based approach can be used when implementing requirements.
3 ROLES AND RESPONSIBILITIES
3.1 Shared Management Philosophy
In the scope of information security, the FBI CJIS Division employs a shared management
philosophy with federal, state, local, and tribal law enforcement agencies. Although an advisory
policy board for the NCIC has existed since 1969, the Director of the FBI established the CJIS
APB in March 1994 to enable appropriate input and recommend policy with respect to CJIS
services. Through the APB and its Subcommittees and Working Groups, consideration is given
to the needs of the criminal justice and law enforcement community regarding public policy,
statutory and privacy aspects, as well as national security relative to CJIS systems and information.
The APB represents federal, state, local, and tribal law enforcement and criminal justice agencies
throughout the United States, its territories, and Canada.
The FBI has a similar relationship with the Compact Council, which governs the interstate
exchange of criminal history records for noncriminal justice purposes. The Compact Council is
mandated by federal law to promulgate rules and procedures for the use of the Interstate
Identification Index (III) for noncriminal justice purposes. To meet that responsibility, the
Compact Council depends on the CJIS Security Policy as the definitive source for standards
defining the security and privacy of records exchanged with noncriminal justice practitioners.
3.2 Roles and Responsibilities for Agencies and Parties
It is the responsibility of all agencies covered under this Policy to ensure the protection of CJI
between the FBI CJIS Division and its user community. The following figure provides an abstract
representation of the strategic functions and roles such as governance and operations.
[Figure 1, rendered here as a list of its three panels]
• Governance: CJIS Advisory Policy Board; CJIS Systems Officers; CJIS Working Groups; CJIS Subcommittees; FBI CJIS Information Security Officer; FBI Director
• Operations: CSA Information Security Officers; CJIS Systems Agencies; Compact Officers; Local Agency Security Officers; Repository Managers; Terminal Agency Coordinators
• Policy Structure/Design: Laws and Directives; Security Policy and Implementation Standards; Security Standards: National Institute of Standards and Technology, International Standards Organization, Institute of Electrical and Electronics Engineers
Figure 1 - Overview Diagram of Strategic Functions and Policy Components
This section provides a description of the following entities and roles:
1. CJIS Systems Agency.
2. CJIS Systems Officer.
3. Terminal Agency Coordinator.
4. Criminal Justice Agency.
5. Noncriminal Justice Agency.
6. Contracting Government Agency.
7. Agency Coordinator.
8. CJIS Systems Agency Information Security Officer.
9. Local Agency Security Officer.
10. FBI CJIS Division Information Security Officer.
11. Repository Manager.
12. Compact Officer.
3.2.1 CJIS Systems Agencies (CSA)
The CSA is responsible for establishing and administering an information technology security
program throughout the CSA's user community, to include the local levels. The head of each CSA
shall appoint a CJIS Systems Officer (CSO). The CSA may impose more stringent protection
measures than outlined in this document. Such decisions shall be documented and kept current.
3.2.2 CJIS Systems Officer (CSO)
The CSO is an individual located within the CSA responsible for the administration of the CJIS
network for the CSA. Pursuant to the Bylaws for the CJIS Advisory Policy Board and Working
Groups, the role of CSO shall not be outsourced. The CSO may delegate responsibilities to
subordinate agencies. The CSO shall set, maintain, and enforce the following:
1. Standards for the selection, supervision, and separation of personnel who have access to
CJI.
2. Policy governing the operation of computers, access devices, circuits, hubs, routers,
firewalls, and other components that comprise and support a telecommunications network
and related CJIS systems used to process, store, or transmit CJI, guaranteeing the priority,
confidentiality, integrity, and availability of service needed by the criminal justice
community.
a. Ensure appropriate use, enforce system discipline, and ensure CJIS Division
operating procedures are followed by all users of the respective services and
information.
b. Ensure state/federal agency compliance with policies approved by the APB and
adopted by the FBI.
c. Ensure the appointment of the CSA ISO and determine the extent of authority to
the CSA ISO.
d. The CSO, or designee, shall ensure that a Terminal Agency Coordinator (TAC) is
designated within each agency that has devices accessing CJIS systems.
e. Ensure each agency having access to CJI has someone designated as the Local
Agency Security Officer (LASO).
f. Approve access to FBI CJIS systems.
g. Assume ultimate responsibility for managing the security of CJIS systems within
their state and/or agency.
h. Perform other related duties outlined by the user agreements with the FBI CJIS
Division.
3. Outsourcing of Criminal Justice Functions
a. Responsibility for the management of the approved security requirements shall
remain with the CJA. Security control includes the authority to enforce the
standards for the selection, supervision, and separation of personnel who have
access to CJI; set and enforce policy governing the operation of computers, circuits,
and telecommunications terminals used to process, store, or transmit CJI; and to
guarantee the priority service needed by the criminal justice community.
b. Responsibility for the management control of network security shall remain with
the CJA. Management control of network security includes the authority to enforce
the standards for the selection, supervision, and separation of personnel who have
access to CJI; set and enforce policy governing the operation of circuits and
network equipment used to transmit CJI; and to guarantee the priority service as
determined by the criminal justice community.
3.2.3 Terminal Agency Coordinator (TAC)
The TAC serves as the point-of-contact at the local agency for matters relating to CJIS information
access. The TAC administers CJIS systems programs within the local agency and oversees the
agency's compliance with CJIS systems policies.
3.2.4 Criminal Justice Agency (CJA)
A CJA is defined as a court, a governmental agency, or any subunit of a governmental agency
which performs the administration of criminal justice pursuant to a statute or executive order and
which allocates a substantial part of its annual budget to the administration of criminal justice.
State and federal Inspectors General Offices are included.
3.2.5 Noncriminal Justice Agency (NCJA)
A NCJA is defined (for the purposes of access to CJI) as an entity or any subunit thereof that
provides services primarily for purposes other than the administration of criminal justice.
3.2.6 Contracting Government Agency (CGA)
A CGA is a government agency, whether a CJA or a NCJA, that enters into an agreement with a
private contractor subject to the CJIS Security Addendum. The CGA entering into an agreement
with a contractor shall appoint an agency coordinator.
3.2.7 Agency Coordinator (AC)
An AC is a staff member of the CGA who manages the agreement between the Contractor and
agency. The AC shall be responsible for the supervision and integrity of the system, training and
continuing education of employees and operators, scheduling of initial training and testing, and
certification testing and all required reports by NCIC. The AC shall:
1. Understand the communications, records capabilities, and needs of the Contractor which
is accessing federal and state records through or because of its relationship with the CGA.
2. Participate in related meetings and provide input and comments for system improvement.
3. Receive information from the CGA (e.g., system updates) and disseminate it to appropriate
Contractor employees.
4. Maintain and update manuals applicable to the effectuation of the agreement, and provide
them to the Contractor.
5. Maintain up-to-date records of Contractor's employees who access the system, including
name, date of birth, social security number, date fingerprint card(s) submitted, date security
clearance issued, and date initially trained, tested, certified or recertified (if applicable).
6. Train or ensure the training of Contractor personnel. If Contractor personnel access NCIC,
schedule the operators for testing or a certification exam with the CSA staff, or AC staff
with permission from the CSA staff. Schedule new operators for the certification exam
within six (6) months of assignment. Schedule certified operators for biennial
recertification testing within thirty (30) days prior to the expiration of certification. Schedule
operators for other mandated classes.
7. The AC will not permit an untrained/untested or non-certified Contractor employee to
access CJI or systems supporting CJI where access to CJI can be gained.
8. Where appropriate, ensure compliance by the Contractor with NCIC validation
requirements.
9. Provide completed applicant fingerprint cards on each Contractor employee who accesses
the system to the CGA (or, where appropriate, CSA) for criminal background investigation
prior to such employee accessing the system.
10. Any other responsibility for the AC promulgated by the FBI.
3.2.8 CJIS Systems Agency Information Security Officer (CSA ISO)
The CSA ISO shall:
1. Serve as the security point of contact (POC) to the FBI CJIS Division ISO.
2. Document technical compliance with the CJIS Security Policy with the goal to assure the
confidentiality, integrity, and availability of criminal justice information to the user
community throughout the CSA's user community, to include the local level.
3. Document and provide assistance for implementing the security- related controls for the
Interface Agency and its users.
4. Establish a security incident response and reporting procedure to discover, investigate,
document, and report to the CSA, the affected criminal justice agency, and the FBI CJIS
Division ISO major incidents that significantly endanger the security or integrity of CJI.
3.2.9 Local Agency Security Officer (LASO)
Each LASO shall:
1. Identify who is using the CSA approved hardware, software, and firmware and ensure no
unauthorized individuals or processes have access to the same.
2. Identify and document how the equipment is connected to the state system.
3. Ensure that personnel security screening procedures are being followed as stated in this
Policy.
4. Ensure the approved and appropriate security measures are in place and working as
expected.
5. Support policy compliance and ensure the CSA ISO is promptly informed of security
incidents.
3.2.10 FBI CJIS Division Information Security Officer (FBI CJIS ISO)
The FBI CJIS ISO shall:
1. Maintain the CJIS Security Policy.
2. Disseminate the FBI Director approved CJIS Security Policy.
3. Serve as a liaison with the CSA's ISO and with other personnel across the CJIS community
and in this regard provide technical guidance as to the intent and implementation of
operational and technical policy issues.
4. Serve as a point-of-contact (POC) for computer incident notification and distribution of
security alerts to the CSOs and ISOs.
5. Assist with developing audit compliance guidelines as well as identifying and reconciling
security-related issues.
6. Develop and participate in information security training programs for the CSOs and ISOs,
and provide a means by which to acquire feedback to measure the effectiveness and success
of such training.
7. Maintain a security policy resource center (SPRC) on FBI.gov and keep the CSOs and
ISOs updated on pertinent information.
3.2.11 Repository Manager
The State Identification Bureau (SIB) Chief, i.e. Repository Manager or Chief Administrator, is
the designated manager of the agency having oversight responsibility for a state's fingerprint
identification services. If both state fingerprint identification services and CJIS systems control
are managed within the same state agency, the SIB Chief and CSO may be the same person.
3.2.12 Compact Officer
Pursuant to the National Crime Prevention and Privacy Compact, each party state shall appoint a
Compact Officer who shall ensure that Compact provisions and rules, procedures, and standards
established by the Compact Council are complied with in their respective state.
4 CRIMINAL JUSTICE INFORMATION AND PERSONALLY
IDENTIFIABLE INFORMATION
4.1 Criminal Justice Information (CJI)
Criminal Justice Information is the term used to refer to all of the FBI CJIS provided data necessary
for law enforcement and civil agencies to perform their missions including, but not limited to
biometric, identity history, biographic, property, and case/incident history data. The following
categories of CJI describe the various data sets housed by the FBI CJIS architecture:
1. Biometric Data—data derived from one or more intrinsic physical or behavioral traits of
humans typically for the purpose of uniquely identifying individuals from within a
population. Used to identify individuals, to include: fingerprints, palm prints, iris scans,
and facial recognition data.
2. Identity History Data—textual data that corresponds with an individual's Biometric data,
providing a history of criminal and/or civil events for the identified individual.
3. Biographic Data—information about individuals associated with a unique case, and not
necessarily connected to identity data. Biographic data does not provide a history of an
individual, only information related to a unique case.
4. Property Data—information about vehicles and property associated with crime when
accompanied by any personally identifiable information (PII).
5. Case/Incident History—information about the history of criminal incidents.
The following types of data are exempt from the protection levels required for CJI: transaction
control type numbers (e.g., ORI, NIC, FNU, etc.) when not accompanied by information that
reveals CJI or PII.
The intent of the CJIS Security Policy is to ensure the protection of the aforementioned CJI until
the information is: released to the public via authorized dissemination (e.g. within a court system;
presented in crime reports data; released in the interest of public safety); purged or destroyed in
accordance with applicable record retention rules.
4.1.1 Criminal History Record Information (CHRI)
Criminal History Record Information (CHRI), sometimes informally referred to as "restricted
data", is a subset of CJI. Due to its comparatively sensitive nature, additional controls are required
for the access, use and dissemination of CHRI. In addition to the dissemination restrictions
outlined below, Title 28, Part 20, Code of Federal Regulations (CFR), defines CHRI and provides
the regulatory guidance for dissemination of CHRI. While the CJIS Security Policy attempts to
be architecturally independent, the III and the NCIC are specifically identified in Title 28, Part 20,
CFR, and the NCIC Operating Manual, as associated with CHRI.
4.2 Access, Use and Dissemination of Criminal History Record
Information (CHRI), NCIC Restricted Files Information, and
NCIC Non-Restricted Files Information
This section describes the requirements for the access, use and dissemination of CHRI, NCIC
restricted files information, and NCIC non-restricted files information.
4.2.1 Proper Access, Use, and Dissemination of CHRI
Information obtained from the III is considered CHRI. Rules governing the access, use, and
dissemination of CHRI are found in Title 28, Part 20, CFR. The III shall be accessed only for an
authorized purpose. Further, CHRI shall only be used for an authorized purpose consistent with
the purpose for which III was accessed. Dissemination to another agency is authorized if (a) the
other agency is an Authorized Recipient of such information and is being serviced by the accessing
agency, or (b) the other agency is performing personnel and appointment functions for criminal
justice employment applicants.
4.2.2 Proper Access, Use, and Dissemination of NCIC Restricted Files
Information
The NCIC hosts restricted files and non-restricted files. NCIC restricted files are distinguished
from NCIC non-restricted files by the policies governing their access and use. Proper access to,
use, and dissemination of data from restricted files shall be consistent with the access, use, and
dissemination policies concerning the III described in Title 28, Part 20, CFR, and the NCIC
Operating Manual. The restricted files, which shall be protected as CHRI, are as follows:
1. Gang Files
2. Known or Appropriately Suspected Terrorist Files
3. Supervised Release Files
4. National Sex Offender Registry Files
5. Historical Protection Order Files of the NCIC
6. Identity Theft Files
7. Protective Interest Files
8. Person With Information (PWI) data in the Missing Person Files
9. Violent Person File
10. NICS Denied Transactions File
The remaining NCIC files are considered non-restricted files.
4.2.3 Proper Access, Use, and Dissemination of NCIC Non-Restricted Files
Information
4.2.3.1 For Official Purposes
NCIC non-restricted files are those not listed as restricted files in Section 4.2.2. NCIC
non-restricted files information may be accessed and used for any authorized purpose consistent with
the inquiring agency's responsibility. Information obtained may be disseminated to (a) other
government agencies or (b) private entities authorized by law to receive such information for any
purpose consistent with their responsibilities.
4.2.3.2 For Other Authorized Purposes
NCIC non-restricted files may be accessed for other purposes consistent with the resources of the
inquiring agency; however, requests for bulk data are discouraged. Information derived from
NCIC non-restricted files for other than law enforcement purposes can be used by authorized
criminal justice personnel only to confirm the status of a person or property (i.e., wanted or stolen).
An inquiring agency is authorized to charge a nominal administrative fee for such service.
Non-restricted files information shall not be disseminated commercially.
A response to a NCIC person inquiry may include NCIC restricted files information as well as
NCIC non-restricted files information. Agencies shall not disseminate restricted files information
for purposes other than law enforcement.
4.2.3.3 CSO Authority in Other Circumstances
If no federal, state or local law or policy prohibition exists, the CSO may exercise discretion to
approve or deny dissemination of NCIC non-restricted file information.
4.2.4 Storage
When CHRI is stored, agencies shall establish appropriate administrative, technical and physical
safeguards to ensure the security and confidentiality of the information. These records shall be
stored for extended periods only when they are key elements for the integrity and/or utility of case
files and/or criminal record files. See Section 5.9 for physical security controls.
4.2.5 Justification and Penalties
4.2.5.1 Justification
In addition to the use of purpose codes and logging information, all users shall provide a reason
for all III inquiries whenever requested by NCIC System Managers, CSAs, local agency
administrators, or their representatives.
4.2.5.2 Penalties
Improper access, use or dissemination of CHRI and NCIC Non-Restricted Files information is
serious and may result in administrative sanctions including, but not limited to, termination of
services and state and Federal criminal penalties.
4.3 Personally Identifiable Information (PII)
For the purposes of this document, PII is information which can be used to distinguish or trace an
individual's identity, such as name, social security number, or biometric records, alone or when
combined with other personal or identifying information which is linked or linkable to a specific
individual, such as date and place of birth, or mother's maiden name. Any FBI CJIS provided data
maintained by an agency, including but not limited to, education, financial transactions, medical
history, and criminal or employment history may include PII. A criminal history record for
example inherently contains PII as would a Law Enforcement National Data Exchange (N-DEx)
case file.
PII shall be extracted from CJI for the purpose of official business only. Agencies shall develop
policies, based on state and local privacy rules, to ensure appropriate controls are applied when
handling PII extracted from CJI. Due to the expansive nature of PII, this Policy does not specify
auditing, logging, or personnel security requirements associated with the life cycle of PII.
Figure 2 — Dissemination of restricted and non-restricted NCIC data
A citizen of Springfield went to the Springfield Police Department to request whether his new
neighbor, who had been acting suspiciously, had an outstanding warrant. The Springfield Police
Department ran an NCIC persons inquiry, which produced a response that included a Wanted
Person File (non-restricted file) record and a Known or Appropriately Suspected Terrorist File
(restricted file) record. The Springfield Police Department advised the citizen of the
outstanding warrant, but did not disclose any information concerning the subject being a known
or appropriately suspected terrorist.
5 POLICY AND IMPLEMENTATION
The policy areas focus upon the data and services that the FBI CJIS Division exchanges and
provides to the criminal justice community and its partners. Each policy area provides both
strategic reasoning and tactical implementation requirements and standards.
While the major theme of the policy areas is concerned with electronic exchange directly with the
FBI, it is understood that further dissemination of CJI to Authorized Recipients by various means
(hard copy, e-mail, web posting, etc.) constitutes a significant portion of CJI exchanges.
Regardless of its form, use, or method of dissemination, CJI requires protection throughout its life.
Not every consumer of FBI CJIS services will encounter all of the policy areas; therefore, the
circumstances of applicability are based on individual agency/entity configurations and usage. Use
cases within each of the policy areas will help users relate the Policy to their own agency
circumstances. The policy areas are:
• Policy Area 1—Information Exchange Agreements
• Policy Area 2—Security Awareness Training
• Policy Area 3—Incident Response
• Policy Area 4—Auditing and Accountability
• Policy Area 5—Access Control
• Policy Area 6—Identification and Authentication
• Policy Area 7—Configuration Management
• Policy Area 8—Media Protection
• Policy Area 9—Physical Protection
• Policy Area 10—Systems and Communications Protection and Information Integrity
• Policy Area 11—Formal Audits
• Policy Area 12—Personnel Security
• Policy Area 13—Mobile Devices
5.1 Policy Area 1: Information Exchange Agreements
The information shared through communication mediums shall be protected with appropriate
security safeguards. The agreements established by entities sharing information across systems
and communications mediums are vital to ensuring all parties fully understand and agree to a set
of security standards.
5.1.1 Information Exchange
Before exchanging CJI, agencies shall put formal agreements in place that specify security
controls. The exchange of information may take several forms including electronic mail, instant
messages, web services, facsimile, hard copy, and information systems sending, receiving and
storing CJI.
Information exchange agreements outline the roles, responsibilities, and data ownership between
agencies and any external parties. Information exchange agreements for agencies sharing CJI data
that is sent to and/or received from the FBI CJIS shall specify the security controls and conditions
described in this document.
Information exchange agreements shall be supported by documentation committing both parties
to the terms of information exchange. As described in subsequent sections, different agreements
and policies apply, depending on whether the parties involved are CJAs or NCJAs. See Appendix
D for examples of Information Exchange Agreements.
There may be instances, on an ad-hoc basis, where CJI is authorized for further dissemination to
Authorized Recipients not covered by an information exchange agreement with the releasing
agency. In these instances the dissemination of CJI is considered to be secondary dissemination.
Law Enforcement and civil agencies shall have a local policy to validate a requestor of CJI as an
authorized recipient before disseminating CJI. See Section 5.1.3 for secondary dissemination
guidance.
5.1.1.1 Information Handling
Procedures for handling and storage of information shall be established to protect that information
from unauthorized disclosure, alteration or misuse. Using the requirements in this Policy as a
starting point, the procedures shall apply to the handling, processing, storing, and communication
of CJI. These procedures apply to the exchange of CJI no matter the form of exchange.
The policies for information handling and protection also apply to using CJI shared with or
received from FBI CJIS for noncriminal justice purposes. In general, a noncriminal justice purpose
includes the use of criminal history records for purposes authorized by federal or state law other
than purposes relating to the administration of criminal justice, including, but not limited to,
employment suitability, licensing determinations, immigration and naturalization matters, and
national security clearances.
5.1.1.2 State and Federal Agency User Agreements
Each CSA head or SIB Chief shall execute a signed written user agreement with the FBI CJIS
Division stating their willingness to demonstrate conformity with this Policy before accessing and
participating in CJIS records information programs. This agreement shall include the standards
and sanctions governing utilization of CJIS systems. As coordinated through the particular CSA
or SIB Chief, each Interface Agency shall also allow the FBI to periodically test the ability to
penetrate the FBI's network through the external network connection or system per authorization
of Department of Justice (DOJ) Order 0904. All user agreements with the FBI CJIS Division shall
be coordinated with the CSA head.
5.1.1.3 Criminal Justice Agency User Agreements
Any CJA receiving access to CJI shall enter into a signed written agreement with the appropriate
signatory authority of the CSA providing the access. The written agreement shall specify the FBI
CJIS systems and services to which the agency will have access, and the FBI CJIS Division
policies to which the agency must adhere. These agreements shall include:
1. Audit.
2. Dissemination.
3. Hit confirmation.
4. Logging.
5. Quality Assurance (QA).
6. Screening (Pre-Employment).
7. Security.
8. Timeliness.
9. Training.
10. Use of the system.
11. Validation.
5.1.1.4 Interagency and Management Control Agreements
A NCJA (government) designated to perform criminal justice functions for a CJA shall be eligible
for access to the CJI. Access shall be permitted when such designation is authorized pursuant to
executive order, statute, regulation, or interagency agreement. The NCJA shall sign and execute a
management control agreement (MCA) with the CJA, which stipulates management control of the
criminal justice function remains solely with the CJA. The MCA may be a separate document or
included with the language of an interagency agreement. An example of an NCJA (government)
is a city information technology (IT) department.
5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum
The CJIS Security Addendum is a uniform addendum to an agreement between the government
agency and a private contractor, approved by the Attorney General of the United States, which
specifically authorizes access to CHRI, limits the use of the information to the purposes for which
it is provided, ensures the security and confidentiality of the information is consistent with existing
regulations and the CJIS Security Policy, provides for sanctions, and contains such other
provisions as the Attorney General may require.
Private contractors who perform criminal justice functions shall meet the same training and
certification criteria required by governmental agencies performing a similar function, and shall
be subject to the same extent of audit review as are local user agencies. All private contractors
who perform criminal justice functions shall acknowledge, via signing of the CJIS Security
Addendum Certification page, and abide by all aspects of the CJIS Security Addendum. The CJIS
Security Addendum is presented in Appendix H. Modifications to the CJIS Security Addendum
shall be enacted only by the FBI.
1. Private contractors designated to perform criminal justice functions for a CJA shall be
eligible for access to CJI. Access shall be permitted pursuant to an agreement which
specifically identifies the agency's purpose and scope of providing services for the
administration of criminal justice. The agreement between the CJA and the private
contractor shall incorporate the CJIS Security Addendum approved by the Director of the
FBI, acting for the U.S. Attorney General, as referenced in Title 28 CFR 20.33 (a)(7).
2. Private contractors designated to perform criminal justice functions on behalf of a NCJA
(government) shall be eligible for access to CJI. Access shall be permitted pursuant to an
agreement which specifically identifies the agency's purpose and scope of providing
services for the administration of criminal justice. The agreement between the NCJA and
the private contractor shall incorporate the CJIS Security Addendum approved by the
Director of the FBI, acting for the U.S. Attorney General, as referenced in Title 28 CFR
20.33 (a)(7).
5.1.1.6 Agency User Agreements
A NCJA (public) designated to request civil fingerprint-based background checks, with the full
consent of the individual to whom a background check is taking place, for noncriminal justice
functions, shall be eligible for access to CJI. Access shall be permitted when such designation is
authorized pursuant to federal law or state statute approved by the U.S. Attorney General. A NCJA
(public) receiving access to CJI shall enter into a signed written agreement with the appropriate
signatory authority of the CSA/SIB providing the access. An example of a NCJA (public) is a
county school board.
A NCJA (private) designated to request civil fingerprint-based background checks, with the full
consent of the individual to whom a background check is taking place, for noncriminal justice
functions, shall be eligible for access to CJI. Access shall be permitted when such designation is
authorized pursuant to federal law or state statute approved by the U.S. Attorney General. A NCJA
(private) receiving access to CJI shall enter into a signed written agreement with the appropriate
signatory authority of the CSA, SIB, or authorized agency providing the access. An example of a
NCJA (private) is a local bank.
All NCJAs accessing CJI shall be subject to all pertinent areas of the CJIS Security Policy (see
Appendix J for supplemental guidance). Each NCJA that directly accesses FBI CJI shall also
allow the FBI to periodically test the ability to penetrate the FBI's network through the external
network connection or system per authorization of Department of Justice (DOJ) Order 0904.
5.1.1.7 Outsourcing Standards for Channelers
Channelers designated to request civil fingerprint-based background checks or noncriminal justice
ancillary functions on behalf of a NCJA (public) or NCJA (private) for noncriminal justice
functions shall be eligible for access to CJI. Access shall be permitted when such designation is
authorized pursuant to federal law or state statute approved by the U.S. Attorney General. All
Channelers accessing CJI shall be subject to the terms and conditions described in the Compact
Council Security and Management Control Outsourcing Standard. Each Channeler that directly
accesses CJI shall also allow the FBI to conduct periodic penetration testing.
Channelers leveraging CJI to perform civil functions on behalf of an Authorized Recipient shall
meet the same training and certification criteria required by governmental agencies performing a
similar function, and shall be subject to the same extent of audit review as are local user agencies.
5.1.1.8 Outsourcing Standards for Non- Channelers
Contractors designated to perform noncriminal justice ancillary functions on behalf of a NCJA
(public) or NCJA (private) for noncriminal justice functions shall be eligible for access to CJI.
Access shall be permitted when such designation is authorized pursuant to federal law or state
statute approved by the U.S. Attorney General. All contractors accessing CJI shall be subject to
the terms and conditions described in the Compact Council Outsourcing Standard for
Non-Channelers. Contractors leveraging CJI to perform civil functions on behalf of an Authorized
Recipient shall meet the same training and certification criteria required by governmental agencies
performing a similar function, and shall be subject to the same extent of audit review as are local
user agencies.
5.1.2 Monitoring, Review, and Delivery of Services
As specified in the interagency agreements, MCAs, and contractual agreements with private
contractors, the services, reports and records provided by the service provider shall be regularly
monitored and reviewed. The CJA, authorized agency, or FBI shall maintain sufficient overall
control and visibility into all security aspects to include, but not limited to, identification of
vulnerabilities and information security incident reporting/response. The incident
reporting/response process used by the service provider shall conform to the incident
reporting/response specifications provided in this Policy.
5.1.2.1 Managing Changes to Service Providers
Any changes to services provided by a service provider shall be managed by the CJA, authorized
agency, or FBI. This includes provision of services, changes to existing services, and new services.
Evaluation of the risks to the agency shall be undertaken based on the criticality of the data, system,
and the impact of the change.
5.1.3 Secondary Dissemination
If CHRI is released to another authorized agency, and that agency was not part of the releasing
agency's primary information exchange agreement(s), the releasing agency shall log such
dissemination.
5.1.4 Secondary Dissemination of Non -CHRI CJI
If CJI does not contain CHRI and is not part of an information exchange agreement then it does
not need to be logged. Dissemination shall conform to the local policy validating the requestor of
the CJI as an employee and/or contractor of a law enforcement agency or civil agency requiring
the CJI to perform their mission or a member of the public receiving CJI via authorized
dissemination.
5.1.5 References/Citations/Directives
Appendix I contains all of the references used in this Policy and may contain additional sources
that apply to this section.
Figure 3 — Information Exchange Agreements Implemented by a Local Police Department
A local police department executed a Memorandum of Understanding (MOU) for the interface
with their state CSA. The local police department also executed an MOU (which included an
MCA) with the county information technology (IT) department for the day-to-day operations of
their criminal justice infrastructure. The county IT department, in turn, outsourced operations
to a local vendor who signed the CJIS Security Addendum.
5.2 Policy Area 2: Security Awareness Training
Basic security awareness training shall be required within six months of initial assignment, and
biennially thereafter, for all personnel who have access to CJI to include all personnel who have
unescorted access to a physically secure location. The CSO/SIB Chief may accept the
documentation of the completion of security awareness training from another agency. Accepting
such documentation from another agency means that the accepting agency assumes the risk that
the training may not meet a particular requirement or process required by federal, state, or local
laws.
5.2.1 Awareness Topics
A significant number of topics can be mentioned and briefly discussed in any awareness session
or campaign. To help further the development and implementation of individual agency security
awareness training programs the following baseline guidance is provided.
5.2.1.1 Level One Security Awareness Training
At a minimum, the following topics shall be addressed as baseline security awareness training for
all personnel who have unescorted access to a physically secure location:
1. Individual responsibilities and expected behavior with regard to being in the vicinity of CJI
usage and/or terminals.
2. Implications of noncompliance.
3. Incident response (Identify points of contact and individual actions).
4. Visitor control and physical access to spaces -- discuss applicable physical security policy
and procedures, e.g., challenge strangers, report unusual activity, etc.
5.2.1.2 Level Two Security Awareness Training
In addition to 5.2.1.1 above, the following topics, at a minimum, shall be addressed as baseline
security awareness training for all authorized personnel with access to CJI:
1. Media protection.
2. Protect information subject to confidentiality concerns — hardcopy through destruction.
3. Proper handling and marking of CJI.
4. Threats, vulnerabilities, and risks associated with handling of CJI.
5. Social engineering.
6. Dissemination and destruction.
5.2.1.3 Level Three Security Awareness Training
In addition to 5.2.1.1 and 5.2.1.2 above, the following topics, at a minimum, shall be addressed as
baseline security awareness training for all authorized personnel with both physical and logical
access to CJI:
1. Rules that describe responsibilities and expected behavior with regard to information
system usage.
2. Password usage and management — including creation, frequency of changes, and
protection.
3. Protection from viruses, worms, Trojan horses, and other malicious code.
4. Unknown e-mail/attachments.
5. Web usage — allowed versus prohibited; monitoring of user activity.
6. Spam.
7. Physical Security— increases in risks to systems and data.
8. Handheld device security issues — address both physical and wireless security issues.
9. Use of encryption and the transmission of sensitive/confidential information over the
Internet — address agency policy, procedures, and technical contact for assistance.
10. Laptop security — address both physical and information security issues.
11. Personally owned equipment and software —state whether allowed or not (e.g.,
copyrights).
12. Access control issues— address least privilege and separation of duties.
13. Individual accountability — explain what this means in the agency.
14. Use of acknowledgement statements — passwords, access to systems and data, personal use
and gain.
15. Desktop security — discuss use of screensavers, restricting visitors' view of information on
screen (mitigating "shoulder surfing "), battery backup devices, allowed access to systems.
16. Protect information subject to confidentiality concerns —in systems, archived, on backup
media, and until destroyed.
17. Threats, vulnerabilities, and risks associated with accessing OIS Service systems and
services.
5.2.1.4 Level Four Security Awareness Training
In addition to 5.2.1.1, 5.2.1.2, and 5.2.1.3 above, the following topics, at a minimum, shall be
addressed as baseline security awareness training for all Information Technology personnel
(system administrators, security administrators, network administrators, etc.):
1. Protection from viruses, worms, Trojan horses, and other malicious code — scanning,
updating definitions.
2. Data backup and storage — centralized or decentralized approach.
3. Timely application of system patches — part of configuration management.
4. Access control measures.
5. Network infrastructure protection measures.
5.2.2 Security Training Records
Records of individual basic security awareness training and specific information system security
training shall be documented, kept current, and maintained by the CSO/SIB Chief/Compact
Officer. Maintenance of training records can be delegated to the local level.
5.2.3 References/Citations/Directives
Appendix I contains all of the references used in this Policy and may contain additional sources
that apply to this section.
Figure 4 — Security Awareness Training Use Cases
Use Case 1 - Security Awareness Training Program Implementation by a Local Police Department
A local police department with a staff of 20 sworn criminal justice professionals and 15 support
personnel worked with a vendor to develop role-specific security-awareness training, and
required all staff to complete this training upon assignment and every two years thereafter. The
local police department scheduled the sworn law-enforcement training to coincide with their
NCIC certification training. The vendor maintained the training records for the police
department's entire staff, and provided reporting to the department to help it ensure compliance
with the CJIS Security Policy.
Use Case 2 - Level One Security Awareness Training
A local police department hires custodial staff that will have physical access throughout the PD (a
physically secure location) after normal business hours to clean the facility. These personnel have
unescorted access to a physically secure location and therefore must be given the baseline security
awareness training on all the topics identified in CSP Section 5.2.1.1 Level One Security
Awareness Training.
Use Case 3 — Level Two Security Awareness Training
A school district maintains a locked file cabinet with hard copies of background check results of all
teachers and employees which may include CJI (CHRI). Only authorized personnel who have the
ability to open the cabinet are required to be given the baseline security awareness training on all
the topics identified in CSP Sections 5.2.1.1 and 5.2.1.2.
Use Case 4 -- Level Three Security Awareness Training
A County Sheriff's Office has employed a number of dispatchers. Part of the function of these
dispatchers is to run CJI queries at the request of the Sheriff and deputies. As part of their daily
duties, the dispatchers have access to CJI both logically (running queries) and physically (printed
copies of reports containing CJI). These dispatchers are entrusted with direct access to CJI and are
therefore required to be given the baseline security awareness training on all the topics identified
in CSP Sections 5.2.1.1, 5.2.1.2, and 5.2.1.3.
Use Case 5 -- Level Four Security Awareness Training
The State Police has hired a number of system and network administrator personnel to help bolster
security of the state network. Part of their daily duties may include creating accounts for new
personnel, implementing security patches for existing systems, creating backups of existing systems,
and implementing access controls throughout the network. These administrators have privileged
access to CJI and CJI-processing systems, and are therefore required to be given the baseline security
awareness training on all the topics identified in CSP Sections 5.2.1.1, 5.2.1.2, 5.2.1.3, and 5.2.1.4.
5.3 Policy Area 3: Incident Response
The security risk of both accidental and malicious attacks against government and private agencies
remains persistent in both physical and logical environments. To ensure protection of CJI, agencies
shall: (i) establish operational incident handling procedures that include adequate preparation,
detection, analysis, containment, recovery, and user response activities; (ii) track, document, and
report incidents to appropriate agency officials and/or authorities.
ISOs have been identified as the POC on security-related issues for their respective agencies and
shall ensure LASOs institute the CSA incident response reporting procedures at the local level.
Appendix F contains a sample incident notification letter for use when communicating the details
of a CJI-related incident to the FBI CJIS ISO.
Refer to Section 5.13.5 for additional incident response requirements related to mobile devices
used to access CJI.
5.3.1 Reporting Security Events
The agency shall promptly report incident information to appropriate authorities. Security events,
including identified weaknesses associated with the event, shall be communicated in a manner
allowing timely collective action to be taken. Formal event reporting and escalation procedures
shall be in place. Wherever feasible, the agency shall employ automated mechanisms to assist in
the reporting of security incidents. All employees, contractors and third party users shall be made
aware of the procedures for reporting the different types of event and weakness that might have an
impact on the security of agency assets and are required to report any security events and
weaknesses as quickly as possible to the designated point of contact.
5.3.1.1 Reporting Structure and Responsibilities
5.3.1.1.1 FBI CJIS Division Responsibilities
The FBI CJIS Division shall:
1. Manage and maintain the CJIS Division's Computer Security Incident Response Capability
(CSIRC).
2. Serve as a central clearinghouse for all reported intrusion incidents, security alerts,
bulletins, and other security-related material.
3. Ensure additional resources for all incidents affecting FBI CJIS Division controlled
systems as needed.
4. Disseminate prompt advisories of system threats and operating system vulnerabilities via
the security policy resource center on FBI.gov, to include but not limited to: Product
Security Bulletins, Virus Bulletins, and Security Clips.
5. Track all reported incidents and/or trends.
6. Monitor the resolution of all incidents.
5.3.1.1.2 CSA ISO Responsibilities
The CSA ISO shall:
1. Assign individuals in each state, federal, and international law enforcement organization
to be the primary point of contact for interfacing with the FBI CJIS Division concerning
incident handling and response.
2. Identify individuals who are responsible for reporting incidents within their area of
responsibility.
3. Collect incident information from those individuals for coordination and sharing among
other organizations that may or may not be affected by the incident.
4. Develop, implement, and maintain internal incident response procedures and coordinate
those procedures with other organizations that may or may not be affected.
5. Collect and disseminate all incident-related information received from the Department of
Justice (DOJ), FBI CJIS Division, and other entities to the appropriate local law
enforcement POCs within their area.
6. Act as a single POC for their jurisdictional area for requesting incident response assistance.
5.3.2 Management of Security Incidents
A consistent and effective approach shall be applied to the management of security incidents.
Responsibilities and procedures shall be in place to handle security events and weaknesses
effectively once they have been reported.
5.3.2.1 Incident Handling
The agency shall implement an incident handling capability for security incidents that includes
preparation, detection and analysis, containment, eradication, and recovery. Wherever feasible,
the agency shall employ automated mechanisms to support the incident handling process.
Incident-related information can be obtained from a variety of sources including, but not limited
to, audit monitoring, network monitoring, physical access monitoring, and user/administrator
reports. The agency should incorporate the lessons learned from ongoing incident handling
activities into the incident response procedures and implement the procedures accordingly.
5.3.2.2 Collection of Evidence
Where a follow-up action against a person or agency after an information security incident involves
legal action (either civil or criminal), evidence shall be collected, retained, and presented to
conform to the rules for evidence laid down in the relevant jurisdiction(s).
5.3.3 Incident Response Training
The agency shall ensure general incident response roles and responsibilities are included as part of
required security awareness training.
5.3.4 Incident Monitoring
The agency shall track and document security incidents on an ongoing basis. The CSA ISO shall
maintain completed security incident reporting forms until the subsequent FBI triennial audit or
until legal action (if warranted) is complete; whichever time-frame is greater.
5.3.5 References/Citations/Directives
Appendix I contains all of the references used in this Policy and may contain additional sources
that apply to this section.
Figure 5 — Incident Response Process Initiated by an Incident in a Local Police Department
A state ISO received a notification from a local police department that suspicious network
activity from a known botnet was detected on their network. The state ISO began the process
of collecting all pertinent information about this incident, e.g. incident date/time, points-of-contact,
systems affected, nature of the incident, actions taken, etc. and requested that the local
police department confirm that their malware signatures were up to date. The state ISO
contacted both the FBI CJIS ISO and state CSO to relay the preliminary details of this incident.
The FBI CJIS ISO instructed the involved parties to continue their investigation and to submit
an incident response form once all the information had been gathered. The FBI CJIS ISO
contacted the lead for the FBI CSIRC to inform them that an incident response form was
forthcoming. The state ISO gathered the remainder of the information from the local police
department and submitted a completed incident response form to the FBI CJIS ISO who
subsequently provided it to the FBI CSIRC. The FBI CSIRC notified the Department of Justice
Computer Incident Response Team (DOJCIRT). The state ISO continued to monitor the
situation, passing relevant details to the FBI CJIS ISO, ultimately determining that the botnet
was eliminated from the local police department's infrastructure. Subsequent investigations
determined that the botnet was restricted to the department's administrative infrastructure and
thus no CJI was compromised.
5.4 Policy Area 4: Auditing and Accountability
Agencies shall implement audit and accountability controls to increase the probability of
authorized users conforming to a prescribed pattern of behavior. Agencies shall carefully assess
the inventory of components that compose their information systems to determine which security
controls are applicable to the various components.
Auditing controls are typically applied to the components of an information system that provide
auditing capability (servers, etc.) and would not necessarily be applied to every user-level
workstation within the agency. As technology advances, more powerful and diverse functionality
can be found in such devices as personal digital assistants and cellular telephones, which may
require the application of security controls in accordance with an agency assessment of risk.
Refer to Section 5.13.6 for additional audit requirements related to mobile devices used to access
CJI.
5.4.1 Auditable Events and Content (Information Systems)
The agency's information system shall generate audit records for defined events. These defined
events include identifying significant events which need to be audited as relevant to the security
of the information system. The agency shall specify which information system components carry
out auditing activities. Auditing activity can affect information system performance and this issue
must be considered as a separate factor during the acquisition of information systems.
The agency's information system shall produce, at the application and/or operating system level,
audit records containing sufficient information to establish what events occurred, the sources of
the events, and the outcomes of the events. The agency shall periodically review and update the
list of agency-defined auditable events. In the event an agency does not use an automated system,
manual recording of activities shall still take place.
5.4.1.1 Events
The following events shall be logged:
1. Successful and unsuccessful system log-on attempts.
2. Successful and unsuccessful attempts to use:
a. access permission on a user account, file, directory or other system resource;
b. create permission on a user account, file, directory or other system resource;
c. write permission on a user account, file, directory or other system resource;
d. delete permission on a user account, file, directory or other system resource;
e. change permission on a user account, file, directory or other system resource.
3. Successful and unsuccessful attempts to change account passwords.
4. Successful and unsuccessful actions by privileged accounts.
5. Successful and unsuccessful attempts for users to:
a. access the audit log file;
b. modify the audit log file;
c. destroy the audit log file.
5.4.1.1.1 Content
The following content shall be included with every audited event:
1. Date and time of the event.
2. The component of the information system (e.g., software component, hardware
component) where the event occurred.
3. Type of event.
4. User/subject identity.
5. Outcome (success or failure) of the event.
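The record-content and auditable-event requirements of 5.4.1.1 and 5.4.1.1.1 as an added example in Python, not code from the policy or from any agency system: it reads constructed JSON Lines audit records, reports records that lack the required content, and lists required event classes that never appear in the log (a class with zero records over a review period usually means it is not being logged at all). The field names and event-type labels are assumptions made for this example.

```python
"""Checks on audit records against CJIS Security Policy 5.4.1.1 / 5.4.1.1.1.

Added example. The sample records are constructed; the field names and
event_type labels are this example's own, not a format defined by the policy.
"""
import json
from datetime import datetime

# 5.4.1.1.1: content that shall accompany every audited event.
REQUIRED_FIELDS = ("timestamp", "component", "event_type", "subject", "outcome")

# 5.4.1.1: event classes that shall be logged (labels assumed for this example;
# map your own logger's event names onto them).
REQUIRED_EVENT_TYPES = {
    "logon",
    "access_permission", "create_permission", "write_permission",
    "delete_permission", "change_permission",
    "password_change",
    "privileged_action",
    "audit_log_access", "audit_log_modify", "audit_log_destroy",
}

VALID_OUTCOMES = {"success", "failure"}

# Constructed sample log (JSON Lines). Record 4 lacks an outcome; record 5 has a
# malformed timestamp and an outcome that is neither success nor failure.
SAMPLE_LOG = """\
{"timestamp": "2017-06-05T08:01:12Z", "component": "cad-app", "event_type": "logon", "subject": "dispatcher07", "outcome": "success"}
{"timestamp": "2017-06-05T08:02:40Z", "component": "cad-app", "event_type": "access_permission", "subject": "dispatcher07", "outcome": "success"}
{"timestamp": "2017-06-05T08:05:03Z", "component": "linux-host", "event_type": "privileged_action", "subject": "sysadmin02", "outcome": "failure"}
{"timestamp": "2017-06-05T08:06:00Z", "component": "cad-app", "event_type": "password_change", "subject": "dispatcher07"}
{"timestamp": "not-a-time", "component": "linux-host", "event_type": "audit_log_access", "subject": "sysadmin02", "outcome": "ok"}
"""


def parse_log(text):
    """Parse JSON Lines into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def record_problems(record):
    """Return the content problems for one record; an empty list means compliant."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if f not in record]
    if "timestamp" in record:
        try:
            datetime.strptime(record["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            problems.append("timestamp not ISO 8601 UTC")
    if "outcome" in record and record["outcome"] not in VALID_OUTCOMES:
        problems.append("outcome must be success or failure")
    if "event_type" in record and record["event_type"] not in REQUIRED_EVENT_TYPES:
        problems.append("event_type not in the policy's auditable-event set")
    return problems


def audit_log_report(text):
    """Summarise a log: per-record problems (keyed by record index) and the
    required event classes for which no record was seen at all."""
    records = parse_log(text)
    problems = {i: record_problems(r) for i, r in enumerate(records)}
    problems = {i: p for i, p in problems.items() if p}
    seen = {r.get("event_type") for r in records}
    return {
        "records": len(records),
        "problems": problems,
        "unlogged_event_classes": sorted(REQUIRED_EVENT_TYPES - seen),
    }


if __name__ == "__main__":
    print(json.dumps(audit_log_report(SAMPLE_LOG), indent=2))
```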
5.4.2 Response to Audit Processing Failures
The agency's information system shall provide alerts to appropriate agency officials in the event
of an audit processing failure. Audit processing failures include, for example: software/hardware
errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or
exceeded.
5.4.3 Audit Monitoring, Analysis, and Reporting
The responsible management official shall designate an individual or position to review/analyze
information system audit records for indications of inappropriate or unusual activity, to investigate
suspicious activity or suspected violations, to report findings to appropriate officials, and to take
necessary actions. Audit review/analysis shall be conducted at a minimum once a week. The
frequency of review/analysis should be increased when the volume of an agency's processing
indicates an elevated need for audit review. The agency shall increase the level of audit monitoring
and analysis activity within the information system whenever there is an indication of increased
risk to agency operations, agency assets, or individuals based on law enforcement information,
intelligence information, or other credible sources of information.
5.4.4 Time Stamps
The agency's information system shall provide time stamps for use in audit record generation. The
time stamps shall include the date and time values generated by the internal system clocks in the
audit records. The agency shall synchronize internal information system clocks on an annual basis.
5.4.5 Protection of Audit Information
The agency's information system shall protect audit information and audit tools from modification,
deletion and unauthorized access.
5.4.6 Audit Record Retention
The agency shall retain audit records for at least one (1) year. Once the minimum retention time
period has passed, the agency shall continue to retain audit records until it is determined they are
no longer needed for administrative, legal, audit, or other operational purposes. This includes, for
example, retention and availability of audit records relative to Freedom of Information Act (FOIA)
requests, subpoena, and law enforcement actions.
5.4.7 Logging NCIC and III Transactions
A log shall be maintained for a minimum of one (1) year on all NCIC and III transactions. The III
portion of the log shall clearly identify both the operator and the authorized receiving agency. III
logs shall also clearly identify the requester and the secondary recipient. The identification on the
log shall take the form of a unique identifier that shall remain unique to the individual requester
and to the secondary recipient throughout the minimum one year retention period.
5.4.8 References/Citations/Directives
Appendix I contains all of the references used in this Policy and may contain additional sources
that apply to this section.
Figure 6 — Local Police Department's Use of Audit Logs
A state CSO contacted a local police department regarding potentially inappropriate use of
CHRI that was retrieved using the local department's ORI. The state CSO requested all relevant
information from the police department to reconcile state NCIC and III logs against local police
department logs. The police department provided the combination of their CJI processing
application's logs with relevant operating system and network infrastructure logs to help verify
the identity of the users conducting these queries. The review of these logs substantiated the
CSO's suspicion.
5.5 Policy Area 5: Access Control
Access control provides the planning and implementation of mechanisms to restrict reading,
writing, processing and transmission of CJIS information and the modification of information
systems, applications, services and communication configurations allowing access to CJIS
information.
Refer to Section 5.13.6 for additional access control requirements related to mobile devices used
to access CJI.
5.5.1 Account Management
The agency shall manage information system accounts, including establishing, activating,
modifying, reviewing, disabling, and removing accounts. The agency shall validate information
system accounts at least annually and shall document the validation process. The validation and
documentation of accounts can be delegated to local agencies.
Account management includes the identification of account types (i.e., individual, group, and
system), establishment of conditions for group membership, and assignment of associated
authorizations. The agency shall identify authorized users of the information system and specify
access rights /privileges. The agency shall grant access to the information system based on:
1. Valid need-to-know/need-to-share that is determined by assigned official duties.
2. Satisfaction of all personnel security criteria.
The agency responsible for account creation shall be notified when:
1. A user's information system usage or need-to-know or need-to-share changes.
2. A user is terminated or transferred or associated accounts are removed, disabled, or
otherwise secured.
5.5.2 Access Enforcement
The information system shall enforce assigned authorizations for controlling access to the system
and contained information. The information system controls shall restrict access to privileged
functions (deployed in hardware, software, and firmware) and security-relevant information to
explicitly authorized personnel.
Explicitly authorized personnel include, for example, security administrators, system and network
administrators, and other privileged users with access to system control, monitoring, or
administration functions (e.g., system administrators, information system security officers,
maintainers, system programmers).
Access control policies (e.g., identity-based policies, role-based policies, rule-based policies) and
associated access enforcement mechanisms (e.g., access control lists, access control matrices,
cryptography) shall be employed by agencies to control access between users (or processes acting
on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the
information system.
5.5.2.1 Least Privilege
The agency shall approve individual access privileges and shall enforce physical and logical access
restrictions associated with changes to the information system; and generate, retain, and review
records reflecting all such changes. The agency shall enforce the most restrictive set of
rights/privileges or access needed by users for the performance of specified tasks. The agency
shall implement least privilege based on specific duties, operations, or information systems as
necessary to mitigate risk to CJI. This limits access to CJI to only authorized personnel with the
need and the right to know.
Logs of access privilege changes shall be maintained for a minimum of one year or at least equal
to the agency's record retention policy — whichever is greater.
5.5.2.2 System Access Control
Access control mechanisms to enable access to CJI shall be restricted by object (e.g., data set,
volumes, files, records) including the ability to read, write, or delete the objects. Access controls
shall be in place and operational for all IT systems to:
1. Prevent multiple concurrent active sessions for one user identification, for those
applications accessing CJI, unless the agency grants authority based upon operational
business needs. Agencies shall document the parameters of the operational business needs
for multiple concurrent active sessions.
2. Ensure that only authorized personnel can add, change, or remove component devices, dial-up
connections, and remove or alter programs.
5.5.2.3 Access Control Criteria
Agencies shall control access to CJI based on one or more of the following:
1. Job assignment or function (i.e., the role) of the user seeking access.
2. Physical location.
3. Logical location.
4. Network addresses (e.g., users from sites within a given agency may be permitted greater
access than those from outside).
5. Time-of-day and day-of-week/month restrictions.
5.5.2.4 Access Control Mechanisms
When setting up access controls, agencies shall use one or more of the following mechanisms:
1. Access Control Lists (ACLs). ACLs are a register of users (including groups, machines,
processes) who have been given permission to use a particular object (system resource)
and the types of access they have been permitted.
2. Resource Restrictions. Access to specific functions is restricted by never allowing users
to request information, functions, or other resources for which they do not have access.
Three major types of resource restrictions are: menus, database views, and network
devices.
3. Encryption. Encrypted information can only be decrypted, and therefore read, by those
possessing the appropriate cryptographic key. While encryption can provide strong access
control, it is accompanied by the need for strong key management. Follow the guidance in
Section 5.10.2 for encryption requirements if encryption of stored information is employed
as an access enforcement mechanism.
4. Application Level. In addition to controlling access at the information system level, access
enforcement mechanisms are employed at the application level to provide increased
information security for the agency.
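An access decision that combines the criteria of 5.5.2.3 (role, network address, time-of-day and day-of-week) with an object-keyed ACL restricting read, write and delete (5.5.2.2; 5.5.2.4 item 1), as an added example not taken from the policy or from any agency system. The roles, objects, network ranges and time windows are constructed sample data; the decision is default-deny, and the first failed criterion is reported so a denial can be explained in the audit record.

```python
"""Access decision per CJIS Security Policy 5.5.2.2 - 5.5.2.4 (added example;
roles, objects, networks and time windows below are constructed for illustration).
"""
import ipaddress
from datetime import datetime

# Role -> object -> permitted operations (5.5.2.2: restrict by object, including
# read/write/delete). Anything not listed is denied (least privilege, 5.5.2.1).
ACL = {
    "dispatcher": {"cji_query": {"read"}, "incident_report": {"read", "write"}},
    "records_clerk": {"incident_report": {"read", "write", "delete"}},
    "sysadmin": {"audit_log": {"read"}},
}

# Logical location (5.5.2.3 item 4): networks from which each role may operate.
ALLOWED_NETWORKS = {
    "dispatcher": [ipaddress.ip_network("10.20.0.0/16")],        # dispatch floor (constructed)
    "records_clerk": [ipaddress.ip_network("10.30.5.0/24")],     # records office (constructed)
    "sysadmin": [ipaddress.ip_network("10.20.0.0/16"),
                 ipaddress.ip_network("10.30.0.0/16")],
}

# Time restriction (5.5.2.3 item 5): (allowed weekdays, start hour, end hour),
# weekday 0 = Monday; None means no restriction (24x7 operation).
TIME_WINDOWS = {
    "dispatcher": None,
    "records_clerk": ({0, 1, 2, 3, 4}, 7, 18),   # Mon-Fri 07:00-18:00
    "sysadmin": None,
}


def decide(role, obj, operation, src_ip, at):
    """Evaluate one access request at ISO 8601 time `at`.

    Returns (allowed, reason). Every criterion must hold; the first one that
    fails gives the reason, which is what you would write to the audit log.
    """
    when = datetime.fromisoformat(at)
    if role not in ACL:
        return False, "unknown role"
    if operation not in ACL[role].get(obj, set()):
        return False, f"role {role} has no {operation} permission on {obj}"
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in ALLOWED_NETWORKS.get(role, [])):
        return False, f"{src_ip} is outside the networks permitted for {role}"
    window = TIME_WINDOWS.get(role)
    if window is not None:
        days, start, end = window
        if when.weekday() not in days or not (start <= when.hour < end):
            return False, "outside permitted time window"
    return True, "allowed"


if __name__ == "__main__":
    # 2017-06-05 is a Monday; 2017-06-04 is a Sunday.
    for req in [("dispatcher", "cji_query", "read", "10.20.3.7", "2017-06-05T02:15:00"),
                ("dispatcher", "cji_query", "write", "10.20.3.7", "2017-06-05T02:15:00"),
                ("records_clerk", "incident_report", "delete", "10.30.5.9", "2017-06-04T09:00:00"),
                ("records_clerk", "incident_report", "delete", "10.20.3.7", "2017-06-05T09:00:00")]:
        print(req, "->", decide(*req))
```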
5.5.3 Unsuccessful Login Attempts
Where technically feasible, the system shall enforce a limit of no more than 5 consecutive invalid
access attempts by a user (attempting to access CJI or systems with access to CJI). The system
shall automatically lock the account/node for a 10 minute time period unless released by an
administrator.
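The lockout rule above (no more than 5 consecutive invalid attempts, then a 10 minute lock unless an administrator releases it) as an added example in Python, not code from the policy or from any agency system. The class, its method names and the account names are this example's own; a successful logon resets the consecutive count, a correct credential is still refused while the lock is in force, and lock, unlock and each attempt are recorded so they can feed the audit log required by 5.4.1.1.

```python
"""Account lockout per CJIS Security Policy 5.5.3 (added example; the class and
its interface are this example's own design, timestamps are ISO 8601 strings).
"""
from datetime import datetime, timedelta

MAX_CONSECUTIVE_FAILURES = 5          # 5.5.3: no more than 5 consecutive invalid attempts
LOCKOUT = timedelta(minutes=10)       # 5.5.3: 10 minute lock unless released by an administrator


class LockoutPolicy:
    """Tracks consecutive invalid attempts per account and enforces the lock."""

    def __init__(self, max_failures=MAX_CONSECUTIVE_FAILURES, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.lockout = lockout
        self._failures = {}      # account -> consecutive invalid attempts
        self._locked_until = {}  # account -> datetime of automatic release
        self.events = []         # (time, subject, event, outcome): 5.4.1.1 requires these be logged

    def _log(self, now, subject, event, outcome):
        self.events.append((now.isoformat(), subject, event, outcome))

    def is_locked(self, account, at):
        """True while the lock is in force; an expired lock is cleared here."""
        now = datetime.fromisoformat(at)
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account, credential_ok, at):
        """Process one access attempt; return 'granted', 'denied' or 'locked'."""
        now = datetime.fromisoformat(at)
        if self.is_locked(account, at):
            # Even a correct credential is refused while the account is locked.
            self._log(now, account, "logon", "failure")
            return "locked"
        if credential_ok:
            self._failures.pop(account, None)   # success resets the consecutive count
            self._log(now, account, "logon", "success")
            return "granted"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        self._log(now, account, "logon", "failure")
        if count >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self._log(now, account, "account_lock", "success")
        return "denied"

    def admin_release(self, account, admin, at):
        """An administrator releases the lock early; a privileged action, so it is logged."""
        now = datetime.fromisoformat(at)
        released = self._locked_until.pop(account, None) is not None
        self._failures.pop(account, None)
        self._log(now, admin, "account_unlock:" + account, "success" if released else "failure")
        return released


if __name__ == "__main__":
    policy = LockoutPolicy()
    for second in range(5):
        print(policy.attempt("dispatcher07", False, f"2017-06-05T08:01:0{second}"))
    print(policy.attempt("dispatcher07", True, "2017-06-05T08:05:00"))   # locked
    print(policy.attempt("dispatcher07", True, "2017-06-05T08:11:05"))   # granted after expiry
    for event in policy.events:
        print(event)
```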
5.5.4 System Use Notification
The information system shall display an approved system use notification message, before granting
access, informing potential users of various usages and monitoring rules. The system use
notification message shall, at a minimum, provide the following information:
1. The user is accessing a restricted information system.
2. System usage may be monitored, recorded, and subject to audit.
3. Unauthorized use of the system is prohibited and may be subject to criminal and/or civil
penalties.
4. Use of the system indicates consent to monitoring and recording.
The system use notification message shall provide appropriate privacy and security notices (based
on associated privacy and security policies or summaries) and remain on the screen until the user
acknowledges the notification and takes explicit actions to log on to the information system.
Privacy and security policies shall be consistent with applicable laws, executive orders, directives,
policies, regulations, standards, and guidance. System use notification messages can be
implemented in the form of warning banners displayed when individuals log in to the information
system. For publicly accessible systems:
(i) the system use information is available and when appropriate, is displayed before
granting access;
(ii) any references to monitoring, recording, or auditing are in keeping with privacy
accommodations for such systems that generally prohibit those activities; and
(iii) the notice given to public users of the information system includes a description of the
authorized uses of the system.
5.5.5 Session Lock
The information system shall prevent further access to the system by initiating a session lock after
a maximum of 30 minutes of inactivity, and the session lock remains in effect until the user
reestablishes access using appropriate identification and authentication procedures. Users shall
directly initiate session lock mechanisms to prevent inadvertent viewing when a device is
unattended. A session lock is not a substitute for logging out of the information system. In the
interest of safety, devices that are: (1) part of a criminal justice conveyance; or (2) used to perform
dispatch functions and located within a physically secure location; or (3) terminals designated
solely for the purpose of receiving alert notifications (i.e. receive only terminals or ROT) used
within physically secure location facilities that remain staffed when in operation, are exempt from
this requirement. Note: an example of a session lock is a screen saver with password.
5.5.6 Remote Access
The agency shall authorize, monitor, and control all methods of remote access to the information
system. Remote access is any temporary access to an agency's information system by a user (or
an information system) communicating temporarily through an external, non-agency-controlled
network (e.g., the Internet).
The agency shall employ automated mechanisms to facilitate the monitoring and control of remote
access methods. The agency shall control all remote accesses through managed access control
points. The agency may permit remote access for privileged functions only for compelling
operational needs but shall document the technical and administrative process for enabling remote
access for privileged functions in the security plan for the information system.
Virtual escorting of privileged functions is permitted only when all the following conditions are
met:
1. The session shall be monitored at all times by an authorized escort.
2. The escort shall be familiar with the system/area in which the work is being performed.
3. The escort shall have the ability to end the session at any time.
4. The remote administrative personnel connection shall be via an encrypted (FIPS 140-2
certified) path.
5. The remote administrative personnel shall be identified prior to access and authenticated
prior to or during the session. This authentication may be accomplished prior to the
session via an Advanced Authentication (AA) solution or during the session via active
teleconference with the escort throughout the session.
5.5.6.1 Personally Owned Information Systems
A personally owned information system shall not be authorized to access, process, store or transmit
CJI unless the agency has established and documented the specific terms and conditions for
personally owned information system usage. When personally owned mobile devices (i.e. bring
your own device [BYOD]) are authorized, they shall be controlled in accordance with the
requirements in Policy Area 13: Mobile Devices.
This control does not apply to the use of personally owned information systems to access agency's
information systems and information that are intended for public access (e.g., an agency's public
website that contains purely public information).
5.5.6.2 Publicly Accessible Computers
Publicly accessible computers shall not be used to access, process, store or transmit CJI. Publicly
accessible computers include but are not limited to: hotel business center computers, convention
center computers, public library computers, public kiosk computers, etc.
5.5.7 References/Citations/Directives
Appendix I contains all of the references used in this Policy and may contain additional sources
that apply to this section.
Figure 7 — A Local Police Department's Access Controls
A local police department purchased a new computer-assisted dispatch (CAD) system that
integrated with their state CSA's CJI interfaces. In doing so, the police department employed
least-privilege practices to ensure that its employees were only given those privileges needed to
perform their jobs, and as such, excluding IT administrators, employees had only non-administrative
privileges on all equipment they used. The police department also used ACLs in
the operating systems to control access to the CAD client's executables. The CAD system used
internal role-based access controls to ensure only those users that needed access to CJI were
given it. The police department performed annual audits of user accounts on all systems under
their control including remote access mechanisms, operating systems, and the CAD system to
ensure all accounts were in valid states. The police department implemented authentication-failure
account lockouts, system use notification via login banners, and screen-saver passwords
on all equipment that processes CJI.
5.6 Policy Area 6: Identification and Authentication
The agency shall identify information system users and processes acting on behalf of users and
authenticate the identities of those users or processes as a prerequisite to allowing access to agency
information systems or services.
5.6.1 Identification Policy and Procedures
Each person who is authorized to store, process, and/or transmit CJI shall be uniquely identified.
A unique identification shall also be required for all persons who administer and maintain the
system(s) that access CJI or networks leveraged for CJI transit. The unique identification can take
the form of a full name, badge number, serial number, or other unique alphanumeric identifier.
Agencies shall require users to identify themselves uniquely before the user is allowed to perform
any actions on the system. Agencies shall ensure that all user IDs belong to currently authorized
users. Identification data shall be kept current by adding new users and disabling and/or deleting
former users.
5.6.1.1 Use of Originating Agency Identifiers in Transactions and Information Exchanges
An FBI authorized originating agency identifier (ORI) shall be used in each transaction on CJIS
systems in order to identify the sending agency and to ensure the proper level of access for each
transaction. The original identifier between the requesting agency and the CSA/SIB/Channeler
shall be the ORI; other agency identifiers, such as a user identification or personal identifier, an
access device mnemonic, or the Internet Protocol (IP) address, may be used in addition to the ORI.
Agencies may act as a servicing agency and perform transactions on behalf of authorized agencies
requesting the service. Servicing agencies performing inquiry transactions on behalf of another
agency may do so using the requesting agency's ORI. Servicing agencies may also use their own
ORI to perform inquiry transactions on behalf of a requesting agency if the means and procedures
are in place to provide an audit trail for the current specified retention period. Because the agency
performing the transaction may not necessarily be the same as the agency requesting the
transaction, the CSA/SIB/Channeler shall ensure that the ORI for each transaction can be traced,
via audit trail, to the specific agency which is requesting the transaction.
Audit trails can be used to identify the requesting agency if there is a reason to inquire into the
details surrounding why an agency ran an inquiry on a subject. Agencies assigned a P (limited
access) ORI shall not use the full access ORI of another agency to conduct an inquiry transaction.
5.6.2 Authentication Policy and Procedures
Authentication refers to mechanisms or processes that verify users are valid once they are uniquely
identified. The CSA/SIB may develop an authentication strategy which centralizes oversight but
decentralizes the establishment and daily administration of the security measures for access to CJI.
Each individual's identity shall be authenticated at either the local agency, CSA, SIB or Channeler
level. The authentication strategy shall be part of the agency's audit for policy compliance. The
FBI CJIS Division shall identify and authenticate all individuals who establish direct web-based
interactive sessions with FBI CJIS Services. The FBI CJIS Division shall authenticate the ORI of
all message-based sessions between the FBI CJIS Division and its customer agencies but will not
further authenticate the user nor capture the unique identifier for the originating operator because
this function is performed at the local agency, CSA, SIB or Channeler level.
5.6.2.1 Standard Authenticators
Authenticators (something you know, something you are, or something you have) are part of
the identification and authentication process. Examples of standard authenticators include
passwords, hard or soft tokens, biometrics, one-time passwords (OTP) and personal identification
numbers (PIN). Users shall not be allowed to use the same password or PIN in the same logon
sequence.
5.6.2.1.1 Password
Agencies shall follow the secure password attributes, below, to authenticate an individual's unique
ID. Passwords shall:
1. Be a minimum length of eight (8) characters on all systems.
2. Not be a dictionary word or proper name.
3. Not be the same as the Userid.
4. Expire within a maximum of 90 calendar days.
5. Not be identical to the previous ten (10) passwords.
6. Not be transmitted in the clear outside the secure location.
7. Not be displayed when entered.
5.6.2.1.2 Personal Identification Number (PIN)
When agencies implement the use of a PIN as a standard authenticator, the PIN attributes shall
follow the guidance in section 5.6.2.1.1 (password). When agencies utilize a PIN in conjunction
with a certificate or a token (e.g. key fob with rolling numbers) for the purpose of advanced
authentication, agencies shall follow the PIN attributes described below. For example: A user
certificate is installed on a smartphone for the purpose of advanced authentication (AA). As the
user invokes that certificate, a PIN meeting the below attributes shall be used to access the
certificate for the AA process.
a. Be a minimum of six (6) digits
b. Have no repeating digits (e.g., 112233)
c. Have no sequential patterns (e.g., 123456)
d. Not be the same as the Userid.
e. Expire within a maximum of 365 calendar days.
   i. If a PIN is used to access a soft certificate which is the second factor of
   authentication, AND the first factor is a password that complies with the
   requirements in Section 5.6.2.1.1, then the 365 day expiration requirement can be
   waived by the CSO.
f. Not be identical to the previous three (3) PINs.
g. Not be transmitted in the clear outside the secure location.
h. Not be displayed when entered.
EXCEPTION: When a PIN is used for local device authentication, the only requirement is that it
be a minimum of six (6) digits.
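The password attributes in 5.6.2.1.1 and the PIN attributes in 5.6.2.1.2 are mechanically checkable rules. The following is an added example (Python; not part of the CJIS Security Policy and not any agency's code) of a validator for them. Assumptions: the dictionary/proper-name list is a constructed stand-in for a real wordlist; "repeating digits" is read as any adjacent repeated digit and "sequential pattern" as any run of three or more consecutive ascending or descending digits; previous passwords are kept as PBKDF2 hashes under a fixed salt so history can be compared without storing old passwords in the clear (a real store uses a random per-user salt); previous PINs are passed as given. The expiry rule (90 days for passwords, 365 for PINs) is a date check made at logon, separate from the attribute check on a new value.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed stand-in for a dictionary / proper-name list (assumption: a real
# deployment loads a full wordlist). Comparison is case-insensitive.
DICTIONARY_WORDS = {"password", "welcome", "dispatch", "anoka", "michael"}

PASSWORD_MIN_LEN = 8
PASSWORD_MAX_AGE_DAYS = 90
PASSWORD_HISTORY = 10

PIN_MIN_LEN = 6
PIN_MAX_AGE_DAYS = 365
PIN_HISTORY = 3

# Fixed salt so the example is reproducible; a real history store uses a random
# per-user salt (assumption, not from the policy text).
HISTORY_SALT = b"constructed-salt"


def hash_password(password: str) -> bytes:
    """Hash a password for the history list so old passwords are never kept in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), HISTORY_SALT, 100_000)


def in_history(candidate: str, history_hashes: list, depth: int) -> bool:
    """True if the candidate matches any of the last `depth` stored hashes."""
    digest = hash_password(candidate)
    return any(hmac.compare_digest(digest, old) for old in history_hashes[-depth:])


def check_password(candidate: str, userid: str, history_hashes: list) -> list:
    """Return the 5.6.2.1.1 attributes the candidate violates (empty list = acceptable)."""
    problems = []
    if len(candidate) < PASSWORD_MIN_LEN:
        problems.append("shorter than 8 characters")
    if candidate.lower() in DICTIONARY_WORDS:
        problems.append("dictionary word or proper name")
    if candidate.lower() == userid.lower():
        problems.append("same as userid")
    if in_history(candidate, history_hashes, PASSWORD_HISTORY):
        problems.append("identical to one of the previous 10 passwords")
    return problems


def has_sequential_run(digits: str, run: int = 3) -> bool:
    """True if any `run` consecutive digits step by +1 or -1 (e.g., 123 or 654)."""
    for i in range(len(digits) - run + 1):
        window = [int(c) for c in digits[i:i + run]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_pin(candidate: str, userid: str, previous_pins: list) -> list:
    """Return the 5.6.2.1.2 attributes the candidate violates (empty list = acceptable)."""
    problems = []
    if not candidate.isdigit() or len(candidate) < PIN_MIN_LEN:
        problems.append("fewer than 6 digits")
    if re.search(r"(\d)\1", candidate):
        problems.append("repeating digits")
    if candidate.isdigit() and has_sequential_run(candidate):
        problems.append("sequential pattern")
    if candidate == userid:
        problems.append("same as userid")
    if candidate in previous_pins[-PIN_HISTORY:]:
        problems.append("identical to one of the previous 3 PINs")
    return problems


def authenticator_expired(last_changed: date, max_age_days: int, today: date) -> bool:
    """True once the authenticator is older than the allowed maximum age."""
    return (today - last_changed).days > max_age_days
```

At logon the agency checks `authenticator_expired(last_changed, PASSWORD_MAX_AGE_DAYS, date.today())` and forces a change when it is true; at change time it runs `check_password` or `check_pin` and appends the new value's hash to the history. Rules 6 and 7 (no clear-text transmission, no echo on entry) are properties of the transport and the client, not of the value, so they are not represented here.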
5.6.2.1.3 One -time Passwords (OTP)
One-time passwords are considered a "something you have" token for authentication. Examples
include bingo cards, hard or soft tokens, and out-of-band tokens (e.g., an OTP received via a text
message).
When agencies implement the use of an OTP as an authenticator, the OTP shall meet the
requirements described below.
a. Be a minimum of six (6) randomly generated characters
b. Be valid for a single session
c. If not used, expire within a maximum of five (5) minutes after issuance
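An OTP issuer that enforces the three attributes above, as an added example in Python (not from the policy and not any vendor's product): six characters drawn with `secrets` from a constructed alphabet, one verification attempt per session, and a five-minute lifetime. Only a digest of the OTP is kept server-side. The clock is injectable so the expiry can be tested; how the OTP reaches the user (text message, hardware token) is outside this code and, as Use Case 4 in Figure 8 explains, must be out of band from the device requesting CJI.

```python
import hashlib
import hmac
import secrets
import time

OTP_LENGTH = 6           # policy minimum: six randomly generated characters
OTP_TTL_SECONDS = 300    # policy maximum: five minutes if unused
# Constructed alphabet (assumption): upper-case letters and digits without 0/O/1/I.
OTP_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


class OtpIssuer:
    """Issues and verifies single-session OTPs; `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # session_id -> (sha256(otp), issued_at)

    @staticmethod
    def _digest(otp: str) -> bytes:
        # Keep only a digest so a dump of server state does not yield live OTPs.
        return hashlib.sha256(otp.encode()).digest()

    def issue(self, session_id: str) -> str:
        """Create a fresh OTP for this session, replacing any earlier unused one."""
        otp = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
        self._pending[session_id] = (self._digest(otp), self._now())
        return otp   # handed to the out-of-band delivery channel; never logged

    def verify(self, session_id: str, candidate: str) -> bool:
        """Single-use check: the OTP is consumed by this call whether or not it matches."""
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False
        digest, issued_at = entry
        if self._now() - issued_at > OTP_TTL_SECONDS:
            return False
        return hmac.compare_digest(digest, self._digest(candidate))

    def purge_expired(self) -> int:
        """Drop unused OTPs older than the TTL; returns how many were removed."""
        cutoff = self._now() - OTP_TTL_SECONDS
        stale = [sid for sid, (_, issued_at) in self._pending.items() if issued_at < cutoff]
        for sid in stale:
            del self._pending[sid]
        return len(stale)
```

Popping the pending entry on every attempt, right or wrong, is deliberate: a wrong guess forces a new issuance, so an attacker who already holds the password cannot keep guessing the six-character second factor against one session.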
5.6.2.2 Advanced Authentication
Advanced Authentication (AA) provides for additional security to the typical user identification
and authentication of login ID and password, such as: biometric systems, user-based digital
certificates (e.g., public key infrastructure (PKI)), smart cards, software tokens, hardware tokens,
paper (inert) tokens, out-of-band authenticators (retrieved via a separate communication service
channel, e.g., an authenticator sent on demand via text message, phone call, etc.), or "Risk-based
Authentication" that includes a software token element comprised of a number of factors, such as
network information, user information, positive device identification (i.e., device forensics, user
pattern analysis and user binding), user profiling, and high-risk challenge/response questions.
When user-based certificates are used for authentication purposes, they shall:
1. Be specific to an individual user and not to a particular device.
2. Prohibit multiple users from utilizing the same certificate.
3. Require the user to "activate" that certificate for each use in some manner (e.g.,
passphrase or user-specific PIN).
5.6.2.2.1 Advanced Authentication Policy and Rationale
The requirement to use or not use AA is dependent upon the physical, personnel, and technical
security controls associated with the user location and whether CJI is accessed directly or
indirectly. AA shall not be required for users requesting access to CJI from within the perimeter
of a physically secure location (Section 5.9), when the technical security controls have been met
(Sections 5.5 and 5.10), or when the user has no ability to conduct transactional activities on state
and national repositories, applications, or services (i.e. indirect access). Conversely, if the
technical security controls have not been met, AA shall be required even if the request for CJI
originates from within a physically secure location. Section 5.6.2.2.2 provides agencies with a
decision tree to help guide AA decisions. The CSO will make the final determination of whether
access is considered indirect.
The intent of AA is to meet the standards of two-factor authentication. Two-factor authentication
employs the use of two of the following three factors of authentication: something you know (e.g.,
password), something you have (e.g., hard token), something you are (e.g., biometric). The two
authentication factors shall be unique (i.e., password/token or biometric/password but not
password/password or token/token).
EXCEPTION:
AA shall be required when the requested service has built AA into its processes and requires a user
to provide AA before granting access. EXAMPLES:
a. A user, irrespective of his/her location, accesses the LEEP portal. The LEEP
has AA built into its services and requires AA prior to granting access. AA is
required.
b. A user, irrespective of their location, accesses a State's portal through which
access to CJI is facilitated. The State Portal has AA built into its processes and
requires AA prior to granting access. AA is required.
5.6.2.2.2 Advanced Authentication Decision Tree
The following AA Decision Tree, coupled with figures 9 and 10 below, assists decision makers in
determining whether or not AA is required.
1. Can request's physical originating location be determined?
If either (a) or (b) below are true the answer to the above question is "yes ". Proceed to
question 2.
a. The IP address is attributed to a physical structure; or
b. The mnemonic is attributed to a specific device assigned to a specific location
that is a physical structure.
If neither (a) or (b) above are true then the answer is "no ". Skip to question number 4.
2. Does request originate from within a physically secure location as described in Section
5.9.1?
If either (a) or (b) below are true the answer to the above question is "yes ". Proceed to
question 3.
a. The IP address is attributed to a physically secure location; or
b. If a mnemonic is used it is attributed to a specific device assigned to a specific
physically secure location.
If neither (a) or (b) above are true then the answer is "no ". Decision tree completed.
AA required.
3. Are all required technical controls implemented at this location or at the controlling
agency?
If either (a) or (b) below are true the answer to the above question is "yes ". Decision
tree completed. AA requirement waived.
a. Appropriate technical controls listed in Sections 5.5 and 5.10 are implemented;
or
b. The controlling agency (i.e. parent agency or agency leveraged as conduit to
CJI) extends its wide area network controls down to the requesting agency and
the extended controls provide assurance equal or greater to the controls listed
in Sections 5.5 and 5.10.
If neither (a) or (b) above are true then the answer is "no ". Decision tree completed.
AA required.
4. Does request originate from an agency-controlled user device?
If either (a) or (b) below are true the answer to the above question is "yes ". Proceed to
question 5.
a. The static IP address or MAC address can be traced to a registered device; or
b. Certificates are issued to agency managed devices only and certificate exchange
is allowed only between authentication server and agency issued devices.
If neither (a) or (b) above are true then the answer is "no ". Decision tree completed.
AA required.
5. Is the agency managed user device associated with and located within a criminal justice
conveyance?
If any of the (a), (b), or (c) statements below is true the answer to the above question is
"yes ". Proceed to Figure 9 Step 3.
a. The static IP address or MAC address is associated with a device associated
with a criminal justice conveyance; or
b. The certificate presented is associated with a device associated with a criminal
justice conveyance; or
c. The mnemonic presented is associated with a specific device assigned and that
device is attributed to a criminal justice conveyance.
If none of the (a), (b), or (c) statements above are true then the answer is "no". Proceed to
question number 6.
6. Is the user device an agency-issued and controlled smartphone or tablet?
If both (a) and (b) below are true, the answer to the above question is "yes." Proceed
to question number 7.
a. The law enforcement agency issued the device to an individual; and
b. The device is subject to administrative management control of the issuing
agency.
If either (a) or (b) above is false, then the answer is "no." Decision tree completed.
AA required.
7. Does the agency-issued smartphone or tablet have CSO-approved AA compensating
controls implemented?
If both (a) and (b) below are true, the answer to the above question is "yes." Decision tree
completed. AA requirement is waived.
a. An agency cannot meet a requirement due to legitimate technical or business
constraints; and
b. The CSO has given written approval permitting AA compensating controls to
be implemented in lieu of the required AA control measures.
If either (a) or (b) above is false then the answer is "no." Decision tree completed. AA
required.
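The seven questions above form a deterministic procedure, so an agency can encode it once and log the path taken for every access decision instead of re-deriving it by hand at audit time. The following is an added example in Python (not from the policy) that walks the tree as written, including the EXCEPTION in 5.6.2.2.1 for services with built-in AA and the jump from question 5 to Figure 9 step 3. The `AccessRequest` fields are assumptions: each answer comes from the agency's own registrations of IP addresses, mnemonics, certificates and devices, which this code does not look up.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    """Facts the decision tree asks about. Every field is supplied by the agency's own
    inventory (IP/mnemonic/certificate/device registrations); nothing is derived here."""
    service_enforces_aa: bool = False              # 5.6.2.2.1 EXCEPTION: e.g., LEEP, state portal
    location_known: bool = False                   # Q1: IP or mnemonic tied to a physical structure
    in_physically_secure_location: bool = False    # Q2: Section 5.9.1 location
    technical_controls_met: bool = False           # Q3: 5.5 and 5.10, or controlling agency's extension
    agency_controlled_device: bool = False         # Q4: registered IP/MAC, or agency-only certificates
    in_criminal_justice_conveyance: bool = False   # Q5
    agency_issued_smartphone_or_tablet: bool = False   # Q6: issued to an individual, under agency management
    cso_approved_compensating_controls: bool = False   # Q7: documented constraint and written CSO approval


def aa_required(req: AccessRequest) -> tuple:
    """Walk Section 5.6.2.2.2; returns (aa_required, path) where path records each answer."""
    path = []

    def yn(flag: bool) -> str:
        return "yes" if flag else "no"

    if req.service_enforces_aa:
        path.append("exception: service has AA built in")
        return True, path

    def q3() -> bool:
        # Figure 9 step 3: controls present -> waived; absent -> required, even on-site.
        path.append(f"Q3 technical controls: {yn(req.technical_controls_met)}")
        return not req.technical_controls_met

    path.append(f"Q1 location known: {yn(req.location_known)}")
    if req.location_known:
        path.append(f"Q2 physically secure: {yn(req.in_physically_secure_location)}")
        if not req.in_physically_secure_location:
            return True, path
        return q3(), path

    path.append(f"Q4 agency-controlled device: {yn(req.agency_controlled_device)}")
    if not req.agency_controlled_device:
        return True, path
    path.append(f"Q5 in conveyance: {yn(req.in_criminal_justice_conveyance)}")
    if req.in_criminal_justice_conveyance:
        return q3(), path
    path.append(f"Q6 agency smartphone/tablet: {yn(req.agency_issued_smartphone_or_tablet)}")
    if not req.agency_issued_smartphone_or_tablet:
        return True, path
    path.append(f"Q7 CSO-approved compensating controls: {yn(req.cso_approved_compensating_controls)}")
    return not req.cso_approved_compensating_controls, path
```

The returned path is what an auditor wants next to each waiver: for a squad-car MDT it reads Q1 no, Q4 yes, Q5 yes, Q3 yes; for an agency smartphone it ends at Q7 and names the CSO approval the waiver depends on.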
5.6.3 Identifier and Authenticator Management
The agency shall establish identifier and authenticator management processes.
5.6.3.1 Identifier Management
In order to manage user identifiers, agencies shall:
1. Uniquely identify each user.
2. Verify the identity of each user.
3. Receive authorization to issue a user identifier from an appropriate agency official.
4. Issue the user identifier to the intended party.
5. Disable the user identifier after a specified period of inactivity.
6. Archive user identifiers.
5.6.3.2 Authenticator Management
In order to manage information system authenticators, agencies shall:
1. Define initial authenticator content.
2. Establish administrative procedures for initial authenticator distribution, for
lost/compromised, or damaged authenticators, and for revoking authenticators.
3. Change default authenticators upon information system installation.
4. Change/refresh authenticators periodically.
Information system authenticators include, for example, tokens, user-based PKI certificates,
biometrics, passwords, and key cards. Users shall take reasonable measures to safeguard
authenticators including maintaining possession of their individual authenticators, not loaning or
sharing authenticators with others, and immediately reporting lost or compromised authenticators.
5.6.4 Assertions
Identity providers can be leveraged to identify individuals and assert the individual's identity to a
service or to a trusted broker who will in turn assert the identity to a service. Assertion
mechanisms used to communicate the results of a remote authentication to other parties shall be:
1. Digitally signed by a trusted entity (e.g., the identity provider).
2. Obtained directly from a trusted entity (e.g. trusted broker) using a protocol where the
trusted entity authenticates to the relying party using a secure protocol (e.g. transport
layer security [TLS]) that cryptographically authenticates the verifier and protects the
assertion.
Assertions generated by a verifier shall expire after 12 hours and shall not be accepted thereafter
by the relying party.
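The two assertion rules above (signed by a trusted entity; expired and refused after 12 hours) can be shown end to end. This is an added example in Python, not a SAML or OIDC implementation and not from the policy: the identity provider signs a compact claims payload with HMAC-SHA256 under a key shared with the relying party (an assumption made to keep the example self-contained; a production identity provider would use the asymmetric signatures of SAML or OIDC, carried over TLS as item 2 requires), and the relying party verifies the signature before parsing anything, checks the audience, refuses any assertion minted with a lifetime over the 12-hour cap, and refuses assertions outside their validity window. The subject, audience, issuer and key values are constructed.

```python
import base64
import hashlib
import hmac
import json

MAX_ASSERTION_LIFETIME = 12 * 3600   # Section 5.6.4: assertions expire after 12 hours


def b64u_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(key: bytes, subject: str, audience: str, issued_at: int,
                    lifetime: int = MAX_ASSERTION_LIFETIME, issuer: str = "idp.example") -> str:
    """Identity-provider side: HMAC-SHA256 over a canonical JSON claims payload."""
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": issued_at, "exp": issued_at + lifetime}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return b64u_encode(payload) + "." + b64u_encode(sig)


def verify_assertion(key: bytes, token: str, expected_audience: str, now: int):
    """Relying-party side: return the claims if the assertion is acceptable, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = b64u_decode(payload_b64)
        sig = b64u_decode(sig_b64)
    except ValueError:
        return None
    # 1. Check the signature before interpreting any of the untrusted content.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    # 2. The assertion must have been issued for this relying party.
    if claims.get("aud") != expected_audience:
        return None
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return None
    # 3. Refuse assertions minted with a lifetime over the 12-hour cap, and anything
    #    outside its [iat, exp) window at the relying party's own clock.
    if exp - iat > MAX_ASSERTION_LIFETIME or not (iat <= now < exp):
        return None
    return claims
```

The lifetime cap is enforced by the relying party, not only by the issuer: a misconfigured identity provider handing out 24-hour assertions is rejected here rather than silently accepted for the first 12 hours and then refused.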
5.6.5 References/Citations/Directives
Appendix I contains all of the references used in this Policy and may contain additional sources
that apply to this section.
Figure 8 — Advanced Authentication Use Cases
Use Case 1 - A Local Police Department Authentication Control Scenario
During the course of an investigation, a detective attempts to access Criminal Justice
Information (CJI) from a hotel room using an agency-issued mobile broadband card. To gain
access, the detective first establishes the remote session via a secure virtual private network
(VPN) tunnel (satisfying the requirement for encryption). Upon connecting to the agency
network, the detective is challenged for a username (identification), password ("something
you know"), and a one-time password (OTP) ("something you have") from a hardware token
to satisfy the requirement for advanced authentication. Once the detective's credentials are
validated, his identity is asserted by the infrastructure to all authorized applications needed to
complete his queries.
Use Case 2 — Use of a Smart Card
A user is issued a smart card that is loaded with user- specific digital certificates from a
terminal within a controlled area. The user selects an application that will provide access to
Criminal Justice Information (CJI) then enters the proper username (identification) and
password ( "something you know "). Once prompted, the user connects the smart card
( "something you have ") to the terminal. The user is prompted to enter a personal
identification number (PIN) to unlock the smart card. Once unlocked, the smart card sends
the certificates to the authentication management server at the local agency where the
combined username, password, and digital user certificates are validated. The user has
satisfied the requirement for AA and is granted access to CJI.
Use Case 3 — Out-of-Band One-Time Password (OTP) — Mobile Phone-Based
Using an agency-issued laptop, a user connects to the agency network via an agency-issued
mobile broadband card and an encrypted virtual private network (VPN) tunnel. As part of an
ongoing investigation, the user initiates an application that will permit access to Criminal
Justice Information (CJI). The user is prompted to enter a username (identification) and a
password ("something you know"). Once that has been completed, a one-time password (OTP)
is sent via text message (out of band) to the user's agency-issued cell phone. The user is
challenged via the CJI application for that OTP. The user enters the OTP ("something you
have"), then the username, password, and OTP are validated. The user has satisfied the
requirement for AA and is granted access to CJI.
Use Case 4 — Improper Use of a One-Time Password (OTP) — Laptop
Using an agency-issued laptop, a user connects to the agency network via an agency-issued
mobile broadband card and an encrypted virtual private network (VPN) tunnel. As part of an
ongoing investigation, the user initiates an application that will permit access to Criminal
Justice Information (CJI). The user is prompted to enter a username (identification) and a
password ("something you know"). Once that has been completed, a one-time password
(OTP) is sent to the user's agency-issued laptop (in band) via pop-up message. The user is
challenged via the CJI application for that OTP; however, the delivery of the OTP to the
device that is being used to access CJI (in band) defeats the purpose of the second factor. This
method does not satisfy the requirement for AA, and therefore the user should not be granted
access to CJI. See the below explanation:
This method of receiving the necessary OTP (in band) does not guarantee the authenticity of
the user's identity because anyone launching the CJI application and entering a valid
username/password combination is presented the OTP via a pop-up which is intended to be the
second factor of authentication. This method makes the application accessible to anyone with
knowledge of the valid username and password. Potentially, this is no more secure than using
only a single factor of authentication.
Use Case 5 — Risk-based Authentication (RBA) Implementation
A user has moved office locations and requires email access (containing Criminal Justice
Information) via an Outlook Web Access (OWA) client that utilizes a risk-based authentication
(RBA) solution. The user launches the OWA client and is prompted to enter a username
(identification) and a password ("something you know"). The RBA detects that this computer has
not previously been used by the user, is not listed under the user's profile, and then presents
high-risk challenge/response question(s) which the user is prompted to answer. Once the
questions have been verified as correct, the user is authenticated and granted access to the
email. Meanwhile, the RBA logs and collects device forensic information and captures the
user pattern analysis to update the user's profile. The CJIS Security Policy requirements for
RBA have been satisfied.
Use Case 6 — Improper Risk-based Authentication (RBA) Implementation
A user has moved office locations and requires access to email containing Criminal Justice
Information (CJI) via an Outlook Web Access (OWA) client utilizing a risk-based
authentication (RBA) solution. The user launches the OWA client and is prompted to enter
a username (identification) and a password ("something you know"). The RBA detects this
computer has not previously been used by the user and is not listed under the user's profile.
The user is prompted to answer high-risk challenge/response questions for verification and
authorization to access the email; however, if the second authentication factor is to answer
additional questions presented every time the user logs on, then this solution is referred to as
a knowledge-based authentication (KBA) solution. A KBA solution does not satisfy the
requirement for AA, and therefore the user should not be granted access to CJI.
See the below explanation:
A KBA solution is not a viable advanced authentication (AA) solution per the CJIS Security
Policy (CSP). The KBA asks questions and compares the answers to those stored within the
user's profile. A KBA is neither a CSP compliant two-factor authentication solution, nor does
it meet the CSP criteria of a risk-based authentication (RBA) solution, which logs and collects
device forensic information and captures the user pattern analysis to update the user's
profile. Using this collected data, the RBA presents challenge/response questions when
changes to the user's profile are noted versus every time the user logs in.
Use Case 7 — Advanced Authentication Compensating Controls on Agency- Issued
Smartphones
An authorized user is issued a smartphone that is administratively managed by the agency-installed
mobile device management (MDM) solution to ensure device compliance with the
CJIS Security Policy. The user initiates an email client on the smartphone that contains emails
with CJI. The email client challenges the user to enter a username (identification) and a
password (one factor: something you know) which are forwarded to the local agency for
authentication. The smartphone lacks the technical capability to challenge the user for a
second factor of authentication. This email client is used across the state agency so access is
a necessity for the user's job functions.
An audit by the CSA identifies the agency's use of the agency smartphone as not compliant
with AA requirements due to the authorized user authenticating with only one factor instead
of the required two factors.
Subsequently, the agency performs a risk assessment of their smartphone authentication
solution and documents a legitimate technical constraint due to the lack of technical solutions
for smartphone -based two- factor authentication. The risk assessment identifies the following
compensating controls that, when combined with the authorized user authenticating to the
local agency with their password, meet the intent of the AA requirement by providing a
similar level of security:
1. Enhance smartphone policy to enable possession of the smartphone to be considered a
factor of authentication (i.e. something you have). Require authorized users to treat the
smartphone as a controlled device and protect it as they would a personal credit card or an
issued firearm to ensure only they will be in possession of the device
2. Move the email client used to authenticate with the local agency inside an encrypted,
password-protected secure container on the smartphone ensuring only the authorized user can
access the email application to authenticate.
The agency submits an AA compensating controls request to the CSO outlining the technical
constraint identified by the risk assessment, what compensating controls will be employed,
and the desired duration of the compensating controls.
The CSO approves the agency's request and provides documentation of the approval to the
agency to maintain for audit purposes. The agency enacts the compensating controls and
informs agency personnel they are permitted to access CJI via the agency-issued smartphone.
Figure 9 — Authentication Decision for Known Location (flowchart dated 08/04/2014; image not reproduced in this text)
Incoming CJI access request -> #1 Can request's physical originating location be determined? (No: see Figure 10) -> #2 Does request originate from within a physically secure location? (No: AA required) -> #3 Are all required technical controls implemented at this location or at controlling agency? (No: AA required; Yes: AA requirement waived)
Figure 10 — Authentication Decision for Unknown Location (flowchart dated 10/06/2015; image not reproduced in this text)
Incoming CJI access request -> #1 Can request's physical originating location be determined? (Yes: see Figure 9) -> #4 Does request originate from an agency-controlled user device? (No or unknown: AA required) -> #5 Is the agency managed user device associated with and located within a criminal justice conveyance? (Yes: go to Figure 9 step #3) -> #6 Is the user device an agency-issued and controlled smartphone or tablet? (No: AA required) -> #7 Does the agency-issued smartphone or tablet have CSO-approved compensating controls implemented? (No: AA required; Yes: AA requirement waived)
5.7 Policy Area 7: Configuration Management
5.7.1 Access Restrictions for Changes
Planned or unplanned changes to the hardware, software, and/or firmware components of the
information system can have significant effects on the overall security of the system. The goal is
to allow only qualified and authorized individuals access to information system components for
purposes of initiating changes, including upgrades, and modifications. Section 5.5, Access
Control, describes agency requirements for control of privileges and restrictions.
5.7.1.1 Least Functionality
The agency shall configure the application, service, or information system to provide only essential
capabilities and shall specifically prohibit and/or restrict the use of specified functions, ports,
protocols, and/or services.
5.7.1.2 Network Diagram
The agency shall ensure that a complete topological drawing depicting the interconnectivity of the
agency network, to criminal justice information, systems and services is maintained in a current
status. See Appendix C for sample network diagrams.
The network topological drawing shall include the following:
1. All communications paths, circuits, and other components used for the interconnection,
beginning with the agency -owned system(s) and traversing through all interconnected
systems to the agency end - point.
2. The logical location of all components (e.g., firewalls, routers, switches, hubs, servers,
encryption devices, and computer workstations). Individual workstations (clients) do not
have to be shown; the number of clients is sufficient.
3. "For Official Use Only" (FOUO) markings.
4. The agency name and date (day, month, and year) drawing was created or updated.
5.7.2 Security of Configuration Documentation
The system configuration documentation often contains sensitive details (e.g. descriptions of
applications, processes, procedures, data structures, authorization processes, data flow, etc.)
Agencies shall protect the system documentation from unauthorized access consistent with the
provisions described in Section 5.5 Access Control.
5.7.3 References /Citations /Directives
Appendix I contains all of the references used in this Policy and may contain additional sources
that apply to this section.
Figure 11— A Local Police Department's Configuration Management Controls
A local police department decided to update their CAD system, and in doing so tracked all
changes made to their infrastructure in a configuration management journal, updated their
network topology documents to include all new components in their architecture, then marked
all documentation as FOUO and stored them securely.
5.8 Policy Area 8: Media Protection
Media protection policy and procedures shall be documented and implemented to ensure that
access to digital and physical media in all forms is restricted to authorized individuals. Procedures
shall be defined for securely handling, transporting and storing media.
5.8.1 Media Storage and Access
The agency shall securely store digital and physical media within physically secure locations or
controlled areas. The agency shall restrict access to digital and physical media to authorized
individuals. If physical and personnel restrictions are not feasible then the data shall be encrypted
per Section 5.10.1.2.
5.8.2 Media Transport
The agency shall protect and control digital and physical media during transport outside of
controlled areas and restrict the activities associated with transport of such media to authorized
personnel.
5.8.2.1 Digital Media during Transport
Controls shall be in place to protect digital media containing CJI while in transport (physically
moved from one location to another) to help prevent compromise of the data. Encryption, as
defined in Section 5.10.1.2 of this Policy, is the optimal control during transport; however, if
encryption of the data isn't possible then each agency shall institute physical controls to ensure the
security of the data.
5.8.2.2 Physical Media in Transit
The controls and security measures in this document also apply to CJI in physical (printed
documents, printed imagery, etc.) form. Physical media shall be protected at the same level as the
information would be protected in electronic form.
5.8.3 Digital Media Sanitization and Disposal
The agency shall sanitize, that is, overwrite at least three times or degauss digital media prior to
disposal or release for reuse by unauthorized individuals. Inoperable digital media shall be
destroyed (cut up, shredded, etc.). The agency shall maintain written documentation of the steps
taken to sanitize or destroy electronic media. Agencies shall ensure the sanitization or destruction
is witnessed or carried out by authorized personnel.
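A file-level illustration of the overwrite-and-document requirement above, as an added example in Python (not from the policy and not any agency's procedure): three passes of fresh random data with fsync after each, hashes taken before and after, and a JSON-lines record naming the operator and the witness. The sample content, operator and witness names are constructed. It demonstrates the bookkeeping, not a sanitization guarantee: on SSDs, on journaled or copy-on-write file systems, and on media with remapped sectors, overwriting a file does not reliably reach every copy of its data, so sanitizing a whole device relies on the device-level erase, degaussing or physical destruction this section names.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

OVERWRITE_PASSES = 3   # Section 5.8.3: overwrite at least three times
CHUNK = 1 << 20


def make_sample_media(content: bytes) -> str:
    """Constructed test fixture: write `content` to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(prefix="cji-sample-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


def sha256_of_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def overwrite_in_place(path: str, passes: int = OVERWRITE_PASSES) -> int:
    """Overwrite every byte of the file `passes` times with fresh random data, syncing
    to the device after each pass so a pass is not left sitting in the page cache."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(os.urandom(n))
                remaining -= n
            os.fsync(fh.fileno())
    return passes


def sanitize_and_record(path: str, operator: str, witness: str) -> dict:
    """Sanitize one file and return the written record Section 5.8.3 requires."""
    before = sha256_of_file(path)
    size = os.path.getsize(path)
    passes = overwrite_in_place(path)
    after = sha256_of_file(path)
    os.remove(path)
    return {
        "item": os.path.basename(path),
        "bytes": size,
        "method": f"{passes}-pass random overwrite, then unlink",
        "sha256_before": before,
        "sha256_after": after,
        "removed": not os.path.exists(path),
        "operator": operator,
        "witness": witness,
        "completed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def write_record(record: dict, log_path: str) -> int:
    """Append the record as one JSON line to the sanitization log; returns bytes written."""
    line = json.dumps(record, sort_keys=True) + "\n"
    with open(log_path, "a") as log:
        log.write(line)
    return len(line)
```

The before/after hashes give the witness something concrete to sign against: a record whose two hashes are equal means no overwrite actually reached the file and the item must not be released for reuse.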
5.8.4 Disposal of Physical Media
Physical media shall be securely disposed of when no longer required, using formal procedures.
Formal procedures for the secure disposal or destruction of physical media shall minimize the risk
of sensitive information compromise by unauthorized individuals. Physical media shall be
destroyed by shredding or incineration. Agencies shall ensure the disposal or destruction is
witnessed or carried out by authorized personnel.
5.8.5 References /Citations /Directives
Appendix I contains all of the references used in this Policy and may contain additional sources
that apply to this section.
Figure 12 — A Local Police Department's Media Management Policies
A local police department implemented a replacement CAD system that integrated to their
state's CSA and was authorized to process CJI. The police department contracted with an off-site
media manager to store backups of their data in the contractor's vaults, but the contractor
was not authorized to process or store CJI. To ensure the confidentiality of the police
department's data while outside its perimeter, they encrypted all data going to the contractor
with an encryption product that is FIPS 140-2 certified. The police department rotated and
reused media through the contractor's vaults periodically, and when it required destruction, the
police department incinerated the media to irreversibly destroy any data on it.
5.9 Policy Area 9: Physical Protection
Physical protection policy and procedures shall be documented and implemented to ensure CJI
and information system hardware, software, and media are physically protected through access
control measures.
5.9.1 Physically Secure Location
A physically secure location is a facility, a criminal justice conveyance, or an area, a room, or a
group of rooms within a facility with both the physical and personnel security controls sufficient
to protect CJI and associated information systems. The physically secure location is subject to
criminal justice agency management control; SIB control; FBI CJIS Security addendum; or a
combination thereof.
Sections 5.9.1.1 — 5.9.1.8 describe the physical controls required in order to be considered a
physically secure location, while Sections 5.2 and 5.12, respectively, describe the minimum
security awareness training and personnel security controls required for unescorted access to a
physically secure location. Sections 5.5, 5.6.2.2.1, and 5.10 describe the requirements for technical
security controls required to access CJI from within the perimeter of a physically secure location
without AA.
5.9.1.1 Security Perimeter
The perimeter of a physically secure location shall be prominently posted and separated from non-secure
locations by physical controls. Security perimeters shall be defined, controlled and secured
in a manner acceptable to the CSA or SIB.
5.9.1.2 Physical Access Authorizations
The agency shall develop and keep current a list of personnel with authorized access to the
physically secure location (except for those areas within the permanent facility officially
designated as publicly accessible) or shall issue credentials to authorized personnel.
5.9.1.3 Physical Access Control
The agency shall control all physical access points (except for those areas within the facility
officially designated as publicly accessible) and shall verify individual access authorizations
before granting access.
5.9.1.4 Access Control for Transmission Medium
The agency shall control physical access to information system distribution and transmission lines
within the physically secure location.
5.9.1.5 Access Control for Display Medium
The agency shall control physical access to information system devices that display CJI and shall
position information system devices in such a way as to prevent unauthorized individuals from
accessing and viewing CJI.
5.9.1.6 Monitoring Physical Access
The agency shall monitor physical access to the information system to detect and respond to
physical security incidents.
5.9.1.7 Visitor Control
The agency shall control physical access by authenticating visitors before authorizing escorted
access to the physically secure location (except for those areas designated as publicly accessible).
The agency shall escort visitors at all times and monitor visitor activity.
5.9.1.8 Delivery and Removal
The agency shall authorize and control information system-related items entering and exiting the
physically secure location.
5.9.2 Controlled Area
If an agency cannot meet all of the controls required for establishing a physically secure location,
but has an operational need to access or store CJI, the agency shall designate an area, a room, or a
storage container, as a controlled area for the purpose of day-to-day CJI access or storage. The
agency shall, at a minimum:
1. Limit access to the controlled area during CJI processing times to only those personnel
authorized by the agency to access or view CJI.
2. Lock the area, room, or storage container when unattended.
3. Position information system devices and documents containing CJI in such a way as to
prevent unauthorized individuals from accessing and viewing them.
4. Follow the encryption requirements found in Section 5.10.1.2 for electronic storage (i.e.
data "at rest") of CJI.
5.9.3 References/Citations/Directives
Appendix I contains all of the references used in this Policy and may contain additional sources
that apply to this section.
Figure 13 — A Local Police Department's Physical Protection Measures
A local police department implemented a replacement CAD system that was authorized to
process CJI over an encrypted VPN tunnel to the state's CSA. The police department established
a physically separated wing within their precinct separated by locked doors, walls, and a
monitored security system within which CJI was processed by criminal justice professionals.
Only those persons with the appropriate authorizations were permitted within this wing unless
accompanied by such a person. Within this secure wing the police department further segregated
the back- office information systems' infrastructure within a separately controlled area restricted
only to those authorized administrative personnel with a need to enter.
5.10 Policy Area 10: System and Communications Protection and
Information Integrity
Examples of systems and communications safeguards range from boundary and transmission
protection to securing an agency's virtualized environment. In addition, applications, services, or
information systems must have the capability to ensure system integrity through the detection and
protection against unauthorized changes to software and information. This section details the
policy for protecting systems and communications infrastructures.
Refer to Section 5.13.4 for additional system integrity requirements related to mobile devices used
to access CJI.
5.10.1 Information Flow Enforcement
The network infrastructure shall control the flow of information between interconnected systems.
Information flow control regulates where information is allowed to travel within an information
system and between information systems (as opposed to who is allowed to access the information)
and without explicit regard to subsequent accesses to that information. In other words, controlling
how data moves from one place to the next in a secure manner. Examples of controls that are
better expressed as flow control than access control (see Section 5.5) are:
1. Prevent CJI from being transmitted unencrypted across the public network.
2. Block outside traffic that claims to be from within the agency.
3. Do not pass any web requests to the public network that are not from the internal web
proxy.
Specific examples of flow control enforcement can be found in boundary protection devices (e.g.
proxies, gateways, guards, encrypted tunnels, firewalls, and routers) that employ rule sets or
establish configuration settings that restrict information system services or provide a packet
filtering capability.
5.10.1.1 Boundary Protection
The agency shall:
1. Control access to networks processing CJI.
2. Monitor and control communications at the external boundary of the information system
and at key internal boundaries within the system.
3. Ensure any connections to the Internet, other external networks, or information systems
occur through controlled interfaces (e.g. proxies, gateways, routers, firewalls, encrypted
tunnels). See Section 5.13.4.3 for guidance on personal firewalls.
4. Employ tools and techniques to monitor network events, detect attacks, and provide
identification of unauthorized use.
5. Ensure the operational failure of the boundary protection mechanisms do not result in any
unauthorized release of information outside of the information system boundary (i.e. the
device "fails closed" vs. "fails open ").
6. Allocate publicly accessible information system components (e.g. public Web servers) to
separate subnetworks with separate network interfaces. Publicly accessible information
systems residing on a virtual host shall follow the guidance in Section 5.10.3.2 to achieve
separation.
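The three flow-control rules in Section 5.10.1 and the fail-closed requirement in item 5 above can be expressed as an ordered rule set with a final default deny. The Python below is an added illustration, not part of the Policy or of any agency's configuration: it evaluates constructed sample flows against those rules, and the network ranges, proxy address, VPN port and flow records are assumed sample values.

```python
"""Ordered flow-control rule set modelled on CJIS Security Policy 5.10.1/5.10.1.1.

Added illustration, not the Policy's text or an agency's real configuration.
Addresses, ranges and flow records below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed addressing for a hypothetical agency (assumption, not from the Policy).
AGENCY_NETS = [ip_network("10.50.0.0/16")]   # address space the agency owns
WEB_PROXY = ip_address("10.50.1.20")         # the only sanctioned web egress point
WEB_PORTS = {80, 443}                        # "web requests" in rule 3


@dataclass(frozen=True)
class Flow:
    """One connection attempt seen at the boundary device."""
    ingress_if: str             # "outside" (public network side) or "inside" (agency LAN)
    src: str                    # source IPv4 address as text
    dst: str                    # destination IPv4 address as text
    dst_port: int
    carries_cji: bool = False   # set by the sending application / data tag
    encrypted: bool = False     # session protected by a FIPS 140-2 module


def is_internal(addr: str) -> bool:
    """True if addr falls inside the agency's own address space."""
    ip = ip_address(addr)
    return any(ip in net for net in AGENCY_NETS)


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, rule_name); verdict is 'permit' or 'deny'.

    Rules are checked top to bottom and the first match wins.  The last rule
    is an unconditional deny, so the device fails closed (5.10.1.1 item 5):
    a flow the rule set does not recognise is dropped, not forwarded.
    """
    leaving = is_internal(flow.src) and not is_internal(flow.dst)

    # 5.10.1 rule 2: traffic arriving from outside must not claim an
    # agency-internal source address (anti-spoofing ingress filter).
    if flow.ingress_if == "outside" and is_internal(flow.src):
        return "deny", "spoofed-internal-source"

    # 5.10.1 rule 1: CJI may cross the boundary only when encrypted.
    if leaving and flow.carries_cji and not flow.encrypted:
        return "deny", "unencrypted-cji-egress"

    # 5.10.1 rule 3: web requests to the public network only from the proxy.
    if leaving and flow.dst_port in WEB_PORTS and flow.src != str(WEB_PROXY):
        return "deny", "web-egress-not-from-proxy"

    # Explicit permits: proxied web traffic and encrypted CJI (e.g. the VPN
    # tunnel to the state CSA, here assumed to be IPsec NAT-T on udp/4500).
    if leaving and flow.dst_port in WEB_PORTS:
        return "permit", "proxy-web-egress"
    if leaving and flow.carries_cji and flow.encrypted:
        return "permit", "encrypted-cji-egress"

    # Fail closed: nothing else is allowed through.
    return "deny", "default-deny"


def evaluate_all(flows: List[Flow]) -> List[str]:
    """Produce one monitoring log line per flow (5.10.1.1 item 4)."""
    lines = []
    for f in flows:
        verdict, rule = evaluate(f)
        lines.append(f"{verdict.upper():6} {rule:26} {f.ingress_if}:{f.src}->{f.dst}:{f.dst_port}")
    return lines


# Constructed sample flows; the comments give the expected verdict.
SAMPLE_FLOWS = [
    Flow("outside", "10.50.3.9", "10.50.10.5", 443),                       # spoofed source
    Flow("inside", "10.50.10.5", "198.51.100.7", 4500, carries_cji=True),   # CJI in the clear
    Flow("inside", "10.50.10.5", "198.51.100.7", 4500, carries_cji=True, encrypted=True),
    Flow("inside", "10.50.2.33", "203.0.113.10", 443),                     # bypasses the proxy
    Flow("inside", str(WEB_PROXY), "203.0.113.10", 443),                   # via the proxy
    Flow("outside", "203.0.113.99", "10.50.10.5", 22),                     # unmatched inbound
]

if __name__ == "__main__":
    print("\n".join(evaluate_all(SAMPLE_FLOWS)))
```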
5.10.1.2 Encryption
Encryption is a form of cryptology that applies a cryptographic operation to provide confidentiality
of (sensitive) information. Decryption is the reversing of the cryptographic operation to convert
the information back into a plaintext (readable) format. There are two main types of encryption:
symmetric encryption and asymmetric encryption (also known as public key encryption). Hybrid
encryption solutions do exist and use both asymmetric encryption for client/server certificate
exchange — session integrity and symmetric encryption for bulk data encryption — data
confidentiality.
5.10.1.2.1 Encryption for CJI in Transit
When CJI is transmitted outside the boundary of the physically secure location, the data shall be
immediately protected via encryption. When encryption is employed, the cryptographic module
used shall be FIPS 140-2 certified and use a symmetric cipher key strength of at least 128 bit
strength to protect CJI.
NOTE: Subsequent versions of approved cryptographic modules that are under current review for
FIPS 140-2 compliancy can be used in the interim until certification is complete.
EXCEPTIONS:
a) See Sections 5.13.1.2.2 and 5.10.2.
b) Encryption shall not be required if the transmission medium meets all of the
following requirements:
i. The agency owns, operates, manages, or protects the medium.
ii. Medium terminates within physically secure locations at both ends with no
interconnections between.
iii. Physical access to the medium is controlled by the agency using the
requirements in Sections 5.9.1 and 5.12.
iv. Protection includes safeguards (e.g., acoustic, electric, electromagnetic, and
physical) and if feasible countermeasures (e.g., alarms, notifications) to
permit its use for the transmission of unencrypted information through an
area of lesser classification or control.
v. With prior approval of the CSO.
Examples:
• A campus is completely owned and controlled by a criminal justice agency (CJA)
— If line-of-sight between buildings exists where a cable is buried, encryption is not
required.
• A multi-story building is completely owned and controlled by a CJA — If floors are
physically secure or cable runs through non-secure areas are protected, encryption
is not required.
• A multi-story building is occupied by a mix of CJAs and non-CJAs — If floors are
physically secure or cable runs through the non-secure areas are protected,
encryption is not required.
5.10.1.2.2 Encryption for CJI at Rest
When CJI is at rest (i.e. stored digitally) outside the boundary of the physically secure location,
the data shall be protected via encryption. When encryption is employed, agencies shall either
encrypt CJI in accordance with the standard in Section 5.10.1.2.1 above, or use a symmetric
cipher that is FIPS 197 certified (AES) and at least 256 bit strength.
a) When agencies implement encryption on CJI at rest, the passphrase used to
unlock the cipher shall meet the following requirements:
i. Be at least 10 characters.
ii. Not be a dictionary word.
iii. Include at least one (1) upper case letter, one (1) lower case letter, one
(1) number, and one (1) special character.
iv. Be changed when previously authorized personnel no longer require
access.
b) Multiple files maintained in the same unencrypted folder shall have separate
and distinct passphrases. A single passphrase may be used to encrypt an entire
folder or disk containing multiple files. All audit requirements found in Section
5.4.1 Auditable Events and Content (Information Systems) shall be applied.
NOTE: Commonly available encryption tools often use a key to unlock the cipher to allow
data access; this key is called a passphrase. While similar to a password, a passphrase is not
used for user authentication. Additionally, the passphrase contains stringent character
requirements making it more secure and thus providing a higher level of confidence that the
passphrase will not be compromised.
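The passphrase requirements in a) and the per-file rule in b) above lend themselves to an automated check before a file is accepted into a backup set. The Python below is an added example, not the Policy's or any vendor's code: validate_passphrase() applies a)(i) to (iii) and check_folder() flags passphrases shared between files in one unencrypted folder; the word list and file records are constructed, and the dictionary test is read strictly, so a word merely padded with digits and symbols still counts as a dictionary word.

```python
"""Checks for CJI-at-rest passphrases modelled on CJIS Security Policy 5.10.1.2.2.

Added illustration, not the Policy's own tooling.  The word list and the
file-to-passphrase records are constructed sample data.  Requirement a)(iv)
(change the passphrase when authorized personnel leave) is procedural and is
not modelled here.
"""
import re
import string
from typing import Dict, List

# Constructed stand-in for a real dictionary/word list (load a full one in production).
SAMPLE_DICTIONARY = {"password", "dispatch", "sheriff", "county", "warrant", "anoka"}

MIN_LENGTH = 10  # a)(i)


def _dictionary_word(passphrase: str, words=SAMPLE_DICTIONARY) -> bool:
    """True if the passphrase is a dictionary word (a)(ii)), ignoring case.

    Stricter reading: letters wrapped in digits/symbols ('Dispatch1!') are
    still treated as the dictionary word they are built from.
    """
    core = re.sub(r"[^A-Za-z]", "", passphrase).lower()
    return passphrase.lower() in words or core in words


def validate_passphrase(passphrase: str) -> List[str]:
    """Return the a) requirements the passphrase fails; empty list means acceptable."""
    failures = []
    if len(passphrase) < MIN_LENGTH:
        failures.append("a.i: shorter than 10 characters")
    if _dictionary_word(passphrase):
        failures.append("a.ii: dictionary word")
    if not any(c.isupper() for c in passphrase):
        failures.append("a.iii: no upper case letter")
    if not any(c.islower() for c in passphrase):
        failures.append("a.iii: no lower case letter")
    if not any(c.isdigit() for c in passphrase):
        failures.append("a.iii: no number")
    if not any(c in string.punctuation for c in passphrase):
        failures.append("a.iii: no special character")
    return failures


def check_folder(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit one unencrypted folder: files maps file name -> passphrase protecting it.

    Returns per-file findings: a) failures from validate_passphrase() plus a
    b) finding when the same passphrase protects more than one file in the folder.
    """
    by_passphrase: Dict[str, List[str]] = {}
    for name, pp in files.items():
        by_passphrase.setdefault(pp, []).append(name)
    findings: Dict[str, List[str]] = {}
    for name, pp in files.items():
        issues = validate_passphrase(pp)
        others = sorted(n for n in by_passphrase[pp] if n != name)
        if others:
            issues.append("b: passphrase shared with " + ", ".join(others))
        if issues:
            findings[name] = issues
    return findings


# Constructed sample folder; every entry has a deliberate defect except batch_a's
# passphrase itself, which fails only because batch_b reuses it.
SAMPLE_FOLDER = {
    "ncic_exports_2017-06.csv": "Dispatch1!",       # dictionary word with padding
    "rap_sheets_batch_a.zip": "7q#Vantage-Rail2",   # acceptable, but reused below
    "rap_sheets_batch_b.zip": "7q#Vantage-Rail2",   # reuse within the folder
    "cad_backup.img": "shortA1!",                   # only 8 characters
}

if __name__ == "__main__":
    for fname, issues in check_folder(SAMPLE_FOLDER).items():
        print(fname, "->", "; ".join(issues))
```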
5.10.1.2.3 Public Key Infrastructure (PKI) Technology
For agencies using public key infrastructure (PKI) technology, the agency shall develop and
implement a certificate policy and certification practice statement for the issuance of public
key certificates used in the information system. Registration to receive a public key certificate
shall:
a) Include authorization by a supervisor or a responsible official.
b) Be accomplished by a secure process that verifies the identity of the certificate
holder.
c) Ensure the certificate is issued to the intended party.
5.10.1.3 Intrusion Detection Tools and Techniques
The agency shall implement network-based and/or host-based intrusion detection tools.
The CSA/SIB shall, in addition:
1. Monitor inbound and outbound communications for unusual or unauthorized activities.
2. Send individual intrusion detection logs to a central logging facility where correlation and
analysis will be accomplished as a system wide intrusion detection effort.
3. Employ automated tools to support near-real-time analysis of events in support of detecting
system-level attacks.
5.10.1.4 Voice over Internet Protocol
Voice over Internet Protocol (VoIP) has been embraced by organizations globally as an addition
to, or replacement for, public switched telephone network (PSTN) and private branch exchange
(PBX) telephone systems. The immediate benefits are lower costs than traditional telephone
services and VoIP can be installed in-line with an organization's existing Internet Protocol (IP)
services. Among VoIP's risks that have to be considered carefully are: myriad security concerns,
cost issues associated with new networking hardware requirements, and overarching quality of
service (QoS) factors.
In addition to the security controls described in this document, the following additional controls
shall be implemented when an agency deploys VoIP within a network that contains unencrypted
CJI:
1. Establish usage restrictions and implementation guidance for VoIP technologies.
2. Change the default administrative password on the IP phones and VoIP switches.
3. Utilize Virtual Local Area Network (VLAN) technology to segment VoIP traffic from data
traffic.
Appendix G.2 outlines threats, vulnerabilities, mitigations, and NIST best practices for VoIP.
5.10.1.5 Cloud Computing
Organizations transitioning to a cloud environment are presented unique opportunities and
challenges (e.g., purported cost savings and increased efficiencies versus a loss of control over the
data). Reviewing the cloud computing white paper (Appendix G.3), the cloud assessment located
within the security policy resource center on FBI.gov, NIST Special Publications (800-144,
800-145, and 800-146), as well as the cloud provider's policies and capabilities will enable
organizations to make informed decisions on whether or not the cloud provider can offer service
that maintains compliance with the requirements of the CJIS Security Policy.
The metadata derived from CJI shall not be used by any cloud service provider for any purposes.
The cloud service provider shall be prohibited from scanning any email or data files for the purpose
of building analytics, data mining, advertising, or improving the services provided.
5.10.2 Facsimile Transmission of CJI
CJI transmitted via a single or multi-function device over a standard telephone line is exempt from
encryption requirements. CJI transmitted external to a physically secure location using a facsimile
server, application or service which implements email-like technology, shall meet the encryption
requirements for CJI in transit as defined in Section 5.10.
5.10.3 Partitioning and Virtualization
As resources grow scarce, agencies are increasing the centralization of applications, services, and
system administration. Advanced software now provides the ability to create virtual machines that
allow agencies to reduce the amount of hardware needed. Although the concepts of partitioning
and virtualization have existed for a while, the need for securing the partitions and virtualized
machines has evolved due to the increasing amount of distributed processing and federated
information sources now available across the Internet.
5.10.3.1 Partitioning
The application, service, or information system shall separate user functionality (including user
interface services) from information system management functionality.
The application, service, or information system shall physically or logically separate user interface
services (e.g. public web pages) from information storage and management services (e.g. database
management). Separation may be accomplished through the use of one or more of the following:
1. Different computers.
2. Different central processing units.
3. Different instances of the operating system.
4. Different network addresses.
5. Other methods approved by the FBI CJIS ISO.
5.10.3.2 Virtualization
Virtualization refers to a methodology of dividing the resources of a computer (hardware and
software) into multiple execution environments. Virtualized environments are authorized for
criminal justice and noncriminal justice activities. In addition to the security controls described in
this Policy, the following additional controls shall be implemented in a virtual environment:
1. Isolate the host from the virtual machine. In other words, virtual machine users cannot
access host files, firmware, etc.
2. Maintain audit logs for all virtual machines and hosts and store the logs outside the hosts'
virtual environment.
3. Virtual Machines that are Internet facing (web servers, portal servers, etc.) shall be
physically separate from Virtual Machines (VMs) that process CJI internally or be
separated by a virtual firewall.
4. Drivers that serve critical functions shall be stored within the specific VM they service. In
other words, do not store these drivers within the hypervisor, or host operating system, for
sharing. Each VM is to be treated as an independent system — secured as independently as
possible.
The following additional technical security controls shall be applied in virtual environments where
CJI is comingled with non-CJI:
1. Encrypt CJI when stored in a virtualized environment where CJI is comingled with non-CJI
or segregate and store unencrypted CJI within its own secure VM.
2. Encrypt network traffic within the virtual environment.
The following are additional technical security control best practices and should be implemented
wherever feasible:
1. Implement IDS and/or IPS monitoring within the virtual environment.
2. Virtually or physically firewall each VM within the virtual environment to ensure that only
allowed protocols will transact.
3. Segregate the administrative duties for the host.
Appendix G.1 provides some reference and additional background information on virtualization.
5.10.4 System and Information Integrity Policy and Procedures
5.10.4.1 Patch Management
The agency shall identify applications, services, and information systems containing software or
components affected by recently announced software flaws and potential vulnerabilities resulting
from those flaws.
The agency (or the software developer/vendor in the case of software developed and maintained
by a vendor/contractor) shall develop and implement a local policy that ensures prompt installation
of newly released security relevant patches, service packs and hot fixes. Local policies should
include such items as:
1. Testing of appropriate patches before installation.
2. Rollback capabilities when installing patches, updates, etc.
3. Automatic updates without individual user intervention.
4. Centralized patch management.
Patch requirements discovered during security assessments, continuous monitoring or incident
response activities shall also be addressed expeditiously.
5.10.4.2 Malicious Code Protection
The agency shall implement malicious code protection that includes automatic updates for all
systems with Internet access. Agencies with systems not connected to the Internet shall implement
local procedures to ensure malicious code protection is kept current (i.e. most recent update
available).
The agency shall employ virus protection mechanisms to detect and eradicate malicious code (e.g.,
viruses, worms, Trojan horses) at critical points throughout the network and on all workstations,
servers and mobile computing devices on the network. The agency shall ensure malicious code
protection is enabled on all of the aforementioned critical points and information systems and
resident scanning is employed.
5.10.4.3 Spam and Spyware Protection
The agency shall implement spam and spyware protection.
The agency shall:
1. Employ spam protection mechanisms at critical information system entry points (e.g.
firewalls, electronic mail servers, remote-access servers).
2. Employ spyware protection at workstations, servers and mobile computing devices on the
network.
3. Use the spam and spyware protection mechanisms to detect and take appropriate action on
unsolicited messages and spyware/adware, respectively, transported by electronic mail,
electronic mail attachments, Internet accesses, removable media (e.g. diskettes or compact
disks) or other removable media as defined in this Policy.
5.10.4.4 Security Alerts and Advisories
The agency shall:
1. Receive information system security alerts/advisories on a regular basis.
2. Issue alerts/advisories to appropriate personnel.
3. Document the types of actions to be taken in response to security alerts/advisories.
4. Take appropriate actions in response.
5. Employ automated mechanisms to make security alert and advisory information available
throughout the agency as appropriate.
5.10.4.5 Information Input Restrictions
The agency shall restrict the information input to any connection to FBI CJIS services to authorized
personnel only.
Restrictions on personnel authorized to input information to the information system may extend
beyond the typical access controls employed by the system and include limitations based on
specific operational/project responsibilities.
5.10.5 References/Citations/Directives
Appendix I contains all of the references used in this Policy and may contain additional sources
that apply to this section.
Figure 14 — System and Communications Protection and Information Integrity Use Cases
Use Case 1 —A Local Police Department's Information Systems & Communications Protections
A local police department implemented a replacement CAD system within a physically secure
location that was authorized to process CJI using a FIPS 140-2 encrypted VPN tunnel over the
Internet to the state's CSA. In addition to the policies, physical and personnel controls already
in place, the police department employed firewalls both at their border and at key points within
their network, intrusion detection systems, a patch - management strategy that included automatic
patch updates where possible, virus scanners, spam and spyware detection mechanisms that
update signatures automatically, and subscribed to various security alert mailing lists and
addressed vulnerabilities raised through the alerts as needed.
Use Case 2 — Faxing from a Single/Multi-function Device over a Traditional Telephone Line
A dispatcher from county A runs a NCIC query on an individual. The results are printed and then
sent to an adjoining county using a single/multi-function device with facsimile capability. For
faxing, the device is only connected to a traditional telephone line as is the device at the receiving
county. Encryption of a document containing CJI is not required because the document travels
over a traditional telephone line.
Use Case 3 — Faxing from a Multi - function Device over a Network
A dispatcher from city A runs a NCIC query on an individual. The results are printed and the
dispatcher uses a multi-function copier to fax the file to a city in another state. The dispatcher
enters the fax number of the receiver and sends the document. The document containing CJI is
automatically converted to a digital file and routed to the receiver over the agency network and
the Internet. Because the device uses a network and the Internet for transmitting documents
containing CJI, encryption in transit using FIPS 140-2 certified 128 bit symmetric encryption is
required.
5.11 Policy Area 11: Formal Audits
Formal audits are conducted to ensure compliance with applicable statutes, regulations and
policies.
5.11.1 Audits by the FBI CJIS Division
5.11.1.1 Triennial Compliance Audits by the FBI CJIS Division
The FBI CJIS Division is authorized to conduct audits, once every three (3) years as a minimum,
to assess agency compliance with applicable statutes, regulations and policies. The CJIS Audit
Unit (CAU) shall conduct a triennial audit of each CSA in order to verify compliance with
applicable statutes, regulations and policies. This audit shall include a sample of CJAs and, in
coordination with the SIB, the NCJAs. Audits may be conducted on a more frequent basis if the
audit reveals that an agency has not complied with applicable statutes, regulations and policies.
The FBI CJIS Division shall also have the authority to conduct unannounced security inspections
and scheduled audits of Contractor facilities.
5.11.1.2 Triennial Security Audits by the FBI CJIS Division
The FBI CJIS Division is authorized to conduct security audits of the CSA and SIB networks and
systems, once every three (3) years as a minimum, to assess agency compliance with the CJIS
Security Policy. This audit shall include a sample of CJAs and NCJAs. Audits may be conducted
on a more frequent basis if the audit reveals that an agency has not complied with the CJIS Security
Policy.
5.11.2 Audits by the CSA
Each CSA shall:
1. At a minimum, triennially audit all CJAs and NCJAs which have direct access to the state
system in order to ensure compliance with applicable statutes, regulations and policies.
2. In coordination with the SIB, establish a process to periodically audit all NCJAs, with
access to CJI in order to ensure compliance with applicable statutes, regulations and
policies.
3. Have the authority to conduct unannounced security inspections and scheduled audits of
Contractor facilities.
4. Have the authority, on behalf of another CSA, to conduct a CSP compliance audit of
contractor facilities and provide the results to the requesting CSA. If a subsequent CSA
requests an audit of the same contractor facility, the CSA may provide the results of the
previous audit unless otherwise notified by the requesting CSA that a new audit be
performed.
Note: This authority does not apply to the audit requirement outlined in the Security and
Management Control Outsourcing Standard for Non-Channeler and Channelers related to
outsourcing noncriminal justice administrative functions.
5.11.3 Special Security Inquiries and Audits
All agencies having access to CJI shall permit an inspection team to conduct an appropriate inquiry
and audit of any alleged security violations. The inspection team shall be appointed by the APB
and shall include at least one representative of the CJIS Division. All results of the inquiry and
audit shall be reported to the APB with appropriate recommendations.
5.11.4 Compliance Subcommittees
The Criminal Justice Information Services (CJIS) Advisory Policy Board (APB) established the
Compliance Evaluation Subcommittee (CES) to evaluate the results of audits conducted by the
CJIS Audit Unit (CAU). The CES makes specific recommendations to the APB concerning
compliance with applicable policies and regulations. The most current information regarding the
CAU audits that are within the purview of the CES and detailed CES sanctions process procedures
are available at CJIS.gov (Law Enforcement Enterprise Portal) CJIS Special Interest Groups CES
Section and CJIS Section of FBI.gov.
The National Crime Prevention and Privacy Compact (Compact) Council at Article VI established
the Compact Council (Council). The Compact Council Sanctions Committee is responsible for
ensuring the use of the Interstate Identification Index System for noncriminal justice purposes
complies with the Compact and with rules, standards, and procedures established by the Compact
Council. As such, the Sanctions Committee reviews the results of audits conducted by the Federal
Bureau of Investigation (FBI) of participants in the FBI's Criminal Justice Services (CJIS)
Division programs. The Sanctions Committee reviews the audit results and the participant's
response to determine a course of action necessary to bring the participant into compliance and
make recommendations to the Compact Council or the FBI. Additional information on the
Compact Council Sanctions process is available on the Compact Council's website.
5.11.5 References/Citations/Directives
Appendix I contains all of the references used in this Policy and may contain additional sources
that apply to this section.
Figure 15 — The Audit of a Local Police Department
A local police department implemented a replacement CAD system that integrated to their
state's CSA and was authorized to process CJI. Shortly after the implementation, their state's
CSA conducted an audit of their policies, procedures, and systems that process CJI. The police
department supplied all architectural and policy documentation, including detailed network
diagrams, to the auditors in order to assist them in the evaluation. The auditors discovered a
deficiency in the police department's systems and marked them "out" in this aspect of the FBI
CJIS Security Policy. The police department quickly addressed the deficiency and took
corrective action, notifying the auditors of their actions.
5.12 Policy Area 12: Personnel Security
Having proper security measures against the insider threat is a critical component for the CJIS
Security Policy. This section's security terms and requirements apply to all personnel who have
access to unencrypted CJI including those individuals with only physical or logical access to
devices that store, process or transmit unencrypted CJI.
5.12.1 Personnel Security Policy and Procedures
5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI:
1. To verify identification, a state of residency and national fingerprint-based record checks
shall be conducted within 30 days of assignment for all personnel who have direct access
to CJI and those who have direct responsibility to configure and maintain computer systems
and networks with direct access to CJI. However, if the person resides in a different state
than that of the assigned agency, the agency shall conduct state (of the agency) and national
fingerprint-based record checks and execute a NLETS CHRI IQ/FQ/AQ query using
purpose code C, E, or J depending on the circumstances. When appropriate, the screening
shall be consistent with:
(i) 5 CFR 731.106; and/or
(ii) Office of Personnel Management policy, regulations, and guidance; and/or
(iii) agency policy, regulations, and guidance.
(See Appendix J for applicable guidance regarding noncriminal justice agencies
performing adjudication of civil fingerprint submissions.) Federal entities bypassing state
repositories in compliance with federal law may not be required to conduct a state
fingerprint-based record check.
2. All requests for access shall be made as specified by the CSO. The CSO, or their designee,
is authorized to approve access to CJI. All CSO designees shall be from an authorized
criminal justice agency.
3. If a felony conviction of any kind exists, the hiring authority in the Interface Agency shall
deny access to CJI. However, the hiring authority may ask for a review by the CSO in
extenuating circumstances where the severity of the offense and the time that has passed
would support a possible variance.
4. If a record of any other kind exists, access to CJI shall not be granted until the CSO or
his/her designee reviews the matter to determine if access is appropriate.
5. If the person appears to be a fugitive or has an arrest history without conviction, the CSO
or his/her designee shall review the matter to determine if access to CJI is appropriate.
6. If the person is employed by a NCJA, the CSO or his/her designee shall review the matter
to determine if CJI access is appropriate. This same procedure applies if this person is
found to be a fugitive or has an arrest history without conviction.
7. If the person already has access to CJI and is subsequently arrested and/or convicted,
continued access to CJI shall be determined by the CSO. This does not implicitly grant
hiring/firing authority with the CSA, only the authority to grant access to CJI. For offenses
other than felonies, the CSO has the latitude to delegate continued access determinations
to his or her designee.
06/05/2017 63
CJISD-ITS-DOC-08140-5.6
8. If the CSO or his/her designee determines that access to CJI by the person would not be in
the public interest, access shall be denied and the person's appointing authority shall be
notified in writing of the access denial.
9. Support personnel, contractors, and custodial workers with access to physically secure
locations or controlled areas (during CJI processing) shall be subject to a state and national
fingerprint-based record check unless these individuals are escorted by authorized
personnel at all times.
It is recommended individual background re-investigations be conducted every five years unless
Rap Back is implemented.
5.12.1.2 Personnel Screening for Contractors and Vendors
In addition to meeting the requirements in paragraph 5.12.1.1, contractors and vendors shall meet
the following requirements:
1. Prior to granting access to CJI, the CGA on whose behalf the Contractor is retained shall
verify identification via a state of residency and national fingerprint-based record check.
However, if the person resides in a different state than that of the assigned agency, the
agency shall conduct state (of the agency) and national fingerprint-based record checks and
execute a NLETS CHRI IQ/FQ/AQ query using purpose code C, E, or J depending on the
circumstances.
2. If a record of any kind is found, the CGA shall be formally notified and system access shall
be delayed pending review of the criminal history record information. The CGA shall in
turn notify the Contractor-appointed Security Officer.
3. When identification of the applicant with a criminal history has been established by
fingerprint comparison, the CGA or the CJA (if the CGA does not have the authority to
view CHRI) shall review the matter.
4. A Contractor employee found to have a criminal record consisting of felony conviction(s)
shall be disqualified.
5. Applicants shall also be disqualified on the basis of confirmations that arrest warrants are
outstanding for such applicants.
6. The CGA shall maintain a list of personnel who have been authorized access to CJI and
shall, upon request, provide a current copy of the access list to the CSO.
Applicants with a record of misdemeanor offense(s) may be granted access if the CSO determines
the nature or severity of the misdemeanor offense(s) do not warrant disqualification. The CGA
may request the CSO to review a denial of access determination.
5.12.2 Personnel Termination
The agency, upon termination of individual employment, shall immediately terminate access to
CJI.
5.12.3 Personnel Transfer
The agency shall review CJI access authorizations when personnel are reassigned or transferred to
other positions within the agency and initiate appropriate actions such as closing and establishing
accounts and changing system access authorizations.
5.12.4 Personnel Sanctions
The agency shall employ a formal sanctions process for personnel failing to comply with
established information security policies and procedures.
5.12.5 References/Citations/Directives
Appendix I contains all of the references used in this Policy and may contain additional sources
that apply to this section.
Figure 16 — A Local Police Department's Personnel Security Controls
A local police department implemented a replacement CAD system that integrated to their
state's CSA and was authorized to process CJI. In addition to the physical and technical controls
already in place, the police department implemented a variety of personnel security controls to
reduce the insider threat. The police department used background screening consistent with the
FBI CJIS Security Policy to vet those with unescorted access to areas in which CJI is processed,
including the IT administrators employed by a contractor and all janitorial staff. The police
department established sanctions against any vetted person found to be in violation of stated
policies. The police department re-evaluated each person's suitability for access to CJI every
five years.
5.13 Policy Area 13: Mobile Devices
This policy area describes considerations and requirements for mobile devices including
smartphones and tablets. Mobile devices are not limited to a single form factor or communications
medium. The requirements in this section augment those in other areas of the Policy to address
the gaps introduced by using mobile devices.
The agency shall: (i) establish usage restrictions and implementation guidance for mobile devices;
and (ii) authorize, monitor, and control wireless access to the information system. Wireless
technologies, in the simplest sense, enable one or more devices to communicate without physical
connections — without requiring network or peripheral cabling.
Appendix G provides reference material and additional information on mobile devices.
5.13.1 Wireless Communications Technologies
Examples of wireless communication technologies include, but are not limited to: 802.11, cellular,
Bluetooth, satellite, microwave, and land mobile radio (LMR). Wireless technologies require at
least the minimum security applied to wired technology and, based upon the specific technology
or implementation, wireless technologies may require additional security controls as described
below.
5.13.1.1 802.11 Wireless Protocols
Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) cryptographic algorithms,
used by all pre-802.11i protocols, do not meet the requirements for FIPS 140-2 and shall not be
used.
Agencies shall implement the following controls for all agency-managed wireless access points
with access to an agency's network that processes unencrypted CJI:
1. Perform validation testing to ensure rogue APs (Access Points) do not exist in the
802.11 Wireless Local Area Network (WLAN) and to fully understand the wireless
network security posture.
2. Maintain a complete inventory of all Access Points (APs) and 802.11 wireless devices.
3. Place APs in secured areas to prevent unauthorized physical access and user
manipulation.
4. Test AP range boundaries to determine the precise extent of the wireless coverage and
design the AP wireless coverage to limit the coverage area to only what is needed for
operational purposes.
5. Enable user authentication and encryption mechanisms for the management interface
of the AP.
6. Ensure that all APs have strong administrative passwords and ensure that all passwords
are changed in accordance with Section 5.6.2.1.
7. Ensure the reset function on APs is used only when needed and is only invoked by
authorized personnel. Restore the APs to the latest security settings, when the reset
functions are used, to ensure the factory default settings are not utilized.
8. Change the default service set identifier (SSID) in the APs. Disable the broadcast SSID
feature so that the client SSID must match that of the AP. Validate that the SSID
character string does not contain any agency identifiable information (division,
department, street, etc.) or services.
9. Enable all security features of the wireless product, including the cryptographic
authentication, firewall, and other available privacy features.
10. Ensure that encryption key sizes are at least 128 bits and the default shared keys are
replaced by unique keys.
11. Ensure that the ad hoc mode has been disabled.
12. Disable all nonessential management protocols on the APs.
13. Ensure all management access and authentication occurs via FIPS compliant secure
protocols (e.g. SFTP, HTTPS, SNMP over TLS, etc.). Disable non-FIPS compliant
secure access to the management interface.
14. Enable logging (if supported) and review the logs on a recurring basis per local policy.
At a minimum logs shall be reviewed monthly.
15. Insulate, virtually (e.g. virtual local area network (VLAN) and ACLs) or physically
(e.g. firewalls), the wireless network from the operational wired infrastructure. Limit
access between wireless networks and the wired network to only operational needs.
16. When disposing of access points that will no longer be used by the agency, clear access
point configuration to prevent disclosure of network configuration, keys, passwords,
etc.
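The controls above are stated as requirements, not as a check an agency can run. The following is an added example (not part of the CJIS Security Policy or the BCA policy) that audits a constructed access point inventory against items 8, 10, 11, 13, 14 and 15 and the WEP/WPA prohibition; the configuration field names and the list of agency-identifying terms are assumptions to be adapted to whatever a real wireless controller exports.

```python
"""Audit wireless access point configurations against the 802.11 controls
of CJIS Security Policy 5.13.1.1. Added example, not policy text.
The field names in each AP record are an assumed schema."""

# Constructed sample inventory: one weak AP beside one corrected AP.
SAMPLE_APS = [
    {
        "name": "ap-lobby",
        "security_mode": "WPA-PSK",      # pre-802.11i, not FIPS 140-2
        "key_bits": 64,                  # below the 128-bit minimum
        "ssid": "AnokaCoDispatch",       # identifies the agency
        "ssid_broadcast": True,
        "ad_hoc": True,
        "mgmt_protocols": ["HTTP", "TELNET", "SNMPv2c"],
        "logging": False,
        "vlan": None,                    # not isolated from the wired LAN
        "psk_is_default": True,
    },
    {
        "name": "ap-secure-1",
        "security_mode": "WPA2-Enterprise",
        "key_bits": 256,
        "ssid": "x7q2-mbd9",
        "ssid_broadcast": False,
        "ad_hoc": False,
        "mgmt_protocols": ["HTTPS", "SSH"],
        "logging": True,
        "vlan": 42,
        "psk_is_default": False,
    },
]

# Assumed lists; extend them for your own agency and vendors.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "tp-link", "cisco"}
AGENCY_TERMS = ("anoka", "county", "sheriff", "police", "dispatch", "911")
INSECURE_MGMT = {"HTTP", "TELNET", "FTP", "TFTP", "SNMPV1", "SNMPV2C"}
# Pre-802.11i modes use WEP or WPA/TKIP, which are not FIPS 140-2 validated.
FORBIDDEN_MODES = {"OPEN", "WEP", "WPA", "WPA-PSK", "WPA-TKIP"}


def audit_ap(ap):
    """Return a list of (control_item, finding) tuples for one AP.
    An empty list means no finding against the checked items."""
    findings = []
    mode = ap["security_mode"].upper()
    if mode in FORBIDDEN_MODES:
        findings.append(("WEP/WPA", f"{ap['security_mode']} is a pre-802.11i mode"))
    # Item 8: non-default SSID, broadcast disabled, no agency-identifying text.
    ssid = ap["ssid"].lower()
    if ssid in DEFAULT_SSIDS:
        findings.append(("8", f"SSID '{ap['ssid']}' is a vendor default"))
    if ap["ssid_broadcast"]:
        findings.append(("8", "SSID broadcast is enabled"))
    hits = [t for t in AGENCY_TERMS if t in ssid]
    if hits:
        findings.append(("8", f"SSID contains agency-identifiable terms: {hits}"))
    # Item 10: key size at least 128 bits and default shared keys replaced.
    if ap["key_bits"] < 128:
        findings.append(("10", f"key size {ap['key_bits']} bits is below 128"))
    if ap["psk_is_default"]:
        findings.append(("10", "default shared key has not been replaced"))
    # Item 11: ad hoc mode disabled.
    if ap["ad_hoc"]:
        findings.append(("11", "ad hoc mode is enabled"))
    # Item 13: management only over FIPS-compliant secure protocols.
    bad = sorted(p for p in ap["mgmt_protocols"] if p.upper() in INSECURE_MGMT)
    if bad:
        findings.append(("13", f"non-FIPS management protocols enabled: {bad}"))
    # Item 14: logging enabled (the monthly review is a process control).
    if not ap["logging"]:
        findings.append(("14", "logging is disabled"))
    # Item 15: wireless segment isolated (VLAN) from the wired infrastructure.
    if ap["vlan"] is None:
        findings.append(("15", "AP is not assigned to an isolated VLAN"))
    return findings


def audit_inventory(aps):
    """Map each AP name to its findings; compliant APs map to []."""
    return {ap["name"]: audit_ap(ap) for ap in aps}


def is_compliant(aps):
    """True when every AP in the inventory has no findings."""
    return all(not f for f in audit_inventory(aps).values())


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_APS).items():
        print(name, "OK" if not findings else "")
        for item, text in findings:
            print(f"  item {item}: {text}")
```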
5.13.1.2 Cellular Devices
Cellular telephones, smartphones (i.e. Blackberry, iPhones, etc.), tablets, personal digital assistants
(PDA), and "aircards" are examples of cellular handheld devices or devices that are capable of
employing cellular technology. Additionally, cellular handheld devices typically include
Bluetooth, infrared, and other wireless protocols capable of joining infrastructure networks or
creating dynamic ad hoc networks.
Threats to cellular handheld devices stem mainly from their size, portability, and available wireless
interfaces and associated services. Examples of threats to cellular handheld devices include:
1. Loss, theft, or disposal.
2. Unauthorized access.
3. Malware.
4. Spam.
5. Electronic eavesdropping.
6. Electronic tracking (threat to security of data and safety of the criminal justice
professional).
7. Cloning (not as prevalent with later generation cellular technologies).
8. Server-resident data.
5.13.1.2.1 Cellular Service Abroad
Certain internal functions on cellular devices may be modified or compromised by the cellular
carrier during international use as the devices are intended to have certain parameters configured
by the cellular provider which is considered a "trusted" entity by the device.
When devices are authorized to access CJI outside the U.S., agencies shall perform an inspection
to ensure that all controls are in place and functioning properly in accordance with the agency's
policies prior to and after deployment outside of the U.S.
5.13.1.2.2 Voice Transmissions Over Cellular Devices
Any cellular device used to transmit CJI via voice is exempt from the encryption and authentication
requirements.
5.13.1.3 Bluetooth
Bluetooth is an open standard for short-range radio frequency (RF) communication. Bluetooth is
used primarily to establish wireless personal area networks (WPAN). Bluetooth technology has
been integrated into many types of business and consumer devices, including cell phones, laptops,
automobiles, medical devices, printers, keyboards, mice, headsets, and biometric capture devices.
Bluetooth technology and associated devices are susceptible to general wireless networking threats
(e.g. denial of service [DoS] attacks, eavesdropping, man-in-the-middle [MITM] attacks, message
modification, and resource misappropriation) as well as specific Bluetooth-related attacks that
target known vulnerabilities in Bluetooth implementations and specifications. Organizational
security policy shall be used to dictate the use of Bluetooth and its associated devices based on the
agency's operational and business processes.
5.13.1.4 Mobile Hotspots
Many mobile devices include the capability to function as a Wi-Fi hotspot that allows other devices
to connect through the device to the Internet over the device's cellular network.
When an agency allows mobile devices that are approved to access or store CJI to function as a
Wi-Fi hotspot connecting to the Internet, they shall be configured as follows:
1. Enable encryption on the hotspot
2. Change the hotspot's default SSID
a. Ensure the hotspot SSID does not identify the device make/model or agency
ownership
3. Create a wireless network password (Pre-shared key)
4. Enable the hotspot's port filtering/blocking features if present
5. Only allow connections from agency controlled devices
Note: Refer to the requirements in Section 5.10.1.2 encryption for item #1. Refer to the
requirements in Section 5.6.2.2.1 Password for item #3. Only password attributes #1, #2 and #3
are required.
OR
1. Have an MDM solution to provide the same security as identified in items 1 — 5 above.
5.13.2 Mobile Device Management (MDM)
Mobile Device Management (MDM) facilitates the implementation of sound security controls for
mobile devices and allows for centralized oversight of configuration control, application usage,
and device protection and recovery, if so desired by the agency.
Due to the potential for inconsistent network access or monitoring capability on mobile devices,
methods used to monitor and manage the configuration of full featured operating systems may not
function properly on devices with limited feature operating systems. MDM systems and
applications coupled with device specific technical policy can provide a robust method for device
configuration management if properly implemented.
Devices that have had any unauthorized changes made to them (including but not limited to being
rooted or jailbroken) shall not be used to process, store, or transmit CJI data at any time. Agencies
shall implement the following controls when allowing CJI access from devices running a
limited-feature operating system:
1. Ensure that CJI is only transferred between CJI authorized applications and storage areas
of the device.
2. MDM with centralized administration configured and implemented to perform at least
the:
i. Remote locking of device
ii. Remote wiping of device
iii. Setting and locking device configuration
iv. Detection of "rooted" and "jailbroken" devices
v. Enforcement of folder or disk level encryption
vi. Application of mandatory policy settings on the device
vii. Detection of unauthorized configurations
viii. Detection of unauthorized software or applications
ix. Ability to determine the location of agency controlled devices
x. Prevention of unpatched devices from accessing CJI or CJI systems
xi. Automatic device wiping after a specified number of failed access attempts
5.13.3 Wireless Device Risk Mitigations
Organizations shall, at a minimum, ensure that wireless devices:
1. Apply available critical patches and upgrades to the operating system as soon as they
become available for the device and after necessary testing as described in Section
5.10.4.1.
2. Are configured for local device authentication (see Section 5.13.7.1).
3. Use advanced authentication or CSO approved compensating controls as per Section
5.13.7.2.1.
4. Encrypt all CJI resident on the device.
5. Erase cached information, to include authenticators (see Section 5.6.2.1) in
applications, when the session is terminated.
6. Employ personal firewalls or run a Mobile Device Management (MDM) system that
facilitates the ability to provide firewall services from the agency level.
7. Employ malicious code protection or run a MDM system that facilitates the ability to
provide anti- malware services from the agency level.
5.13.4 System Integrity
Managing system integrity on limited function mobile operating systems may require methods
and technologies significantly different from traditional full featured operating systems. In many
cases, the requirements of Section 5.10 of the CJIS Security Policy cannot be met with a mobile
device without the installation of a third party MDM, application, or supporting service
infrastructure.
5.13.4.1 Patching/Updates
Based on the varying connection methods for mobile devices, an always on connection cannot be
guaranteed for patching and updating. Devices without always-on cellular connections may not
be reachable for extended periods of time by the MDM or solution either to report status or
initiate patching.
Agencies shall monitor mobile devices to ensure their patch and update state is current.
5.13.4.2 Malicious Code Protection
Appropriately configured MDM software is capable of checking the installed applications on the
device and reporting the software inventory to a central management console in a manner
analogous to traditional virus scan detection of unauthorized software and can provide a high
degree of confidence that only known software or applications are installed on the device.
Agencies that allow smartphones and tablets to access CJI shall have a process to approve the
use of specific software or applications on the devices. Any device natively capable of
performing these functions without a MDM solution is acceptable under this section.
5.13.4.3 Personal Firewall
For the purpose of this policy, a personal firewall is an application that controls network traffic to
and from a user device, permitting or denying communications based on policy. A personal
firewall shall be employed on all mobile devices that have a full-feature operating system (i.e.
laptops or tablets with Windows or Linux/Unix operating systems). At a minimum, the personal
firewall shall perform the following activities:
1. Manage program access to the Internet.
2. Block unsolicited requests to connect to the user device.
3. Filter incoming traffic by IP address or protocol.
4. Filter incoming traffic by destination ports.
5. Maintain an IP traffic log.
Mobile devices with limited feature operating systems (i.e. tablets, smartphones) may not support
a personal firewall. However, these operating systems have a limited number of system services
installed, carefully controlled network access, and to a certain extent, perform functions similar to
a personal firewall on a device with a full feature operating system. Appropriately configured
MDM software is capable of controlling which applications are allowed on the device.
5.13.5 Incident Response
In addition to the requirements in Section 5.3 Incident Response, agencies shall develop additional
or enhanced incident reporting and handling procedures to address mobile device operating
scenarios. Rapid response to mobile device related incidents can significantly mitigate the risks
associated with illicit data access either on the device itself or within online data resources
associated with the device through an application or specialized interface.
Special reporting procedures for mobile devices shall apply in any of the following situations:
1. Loss of device control. For example:
a. Device known to be locked, minimal duration of loss
b. Device lock state unknown, minimal duration of loss
c. Device lock state unknown, extended duration of loss
d. Device known to be unlocked, more than momentary duration of loss
2. Total loss of device
3. Device compromise
4. Device loss or compromise outside the United States
5.13.6 Access Control
Multiple user accounts are not generally supported on limited feature mobile operating systems.
Access control (Section 5.5 Access Control) shall be accomplished by the application that accesses
CJI.
5.13.7 Identification and Authentication
Due to the technical methods used for identification and authentication on many limited feature
mobile operating systems, achieving compliance may require many different components.
5.13.7.1 Local Device Authentication
When mobile devices are authorized for use in accessing CJI, local device authentication shall be
used to unlock the device for use. The authenticator used shall meet the requirements in section
5.6.2.1 Standard Authenticators.
5.13.7.2 Advanced Authentication
When accessing CJI from an authorized mobile device, advanced authentication shall be used by
the authorized user.
5.13.7.2.1 Compensating Controls
CSO approved compensating controls to meet the AA requirement on agency-issued smartphones
and tablets with limited feature operating systems are permitted. Compensating controls are
temporary control measures that are implemented in lieu of the required AA control measures
when an agency cannot meet a requirement due to legitimate technical or business constraints.
Before CSOs consider approval of compensating controls, Mobile Device Management (MDM)
shall be implemented per Section 5.13.2. The compensating controls shall:
1. Meet the intent of the CJIS Security Policy AA requirement
2. Provide a similar level of protection or security as the original AA requirement
3. Not rely upon the existing requirements for AA as compensating controls
Additionally, compensating controls may rely upon other, non-AA, existing requirements as
compensating controls and/or be combined with new controls to create compensating controls.
The proposed compensating controls for AA are a combination of controls that provide acceptable
assurance only the authorized user is authenticating and not an impersonator or (in the case of
agency-issued device used by multiple users) controls that reduce the risk of exposure if
information is accessed by an unauthorized party.
At least two of the following examples of AA compensating controls for agency-issued
smartphones and tablets with limited feature operating systems shall be implemented to qualify
for compensating control consideration:
- Possession of the agency issued smartphone or tablet as an indication it is the authorized
user
- Implemented password protection on the Mobile Device Management application and/or
secure container where the authentication application is stored
- Enable remote device locking
- Enable remote data deletion
- Enable automatic data wipe after predetermined number of failed authentication attempts
- Remote device location (GPS) tracking
- Require CJIS Security Policy compliant password to access the device
- Use of device certificates as per Section 5.13.7.3 Device Certificates
5.13.7.3 Device Certificates
Device certificates are often used to uniquely identify mobile devices using part of a public key
pair on the device in the form of a public key certificate. While there is value to ensuring the device
itself can authenticate to a system supplying CJI, and may provide a critical layer of device
identification or authentication in a larger scheme, a device certificate alone placed on the device
shall not be considered valid proof that the device is being operated by an authorized user.
When certificates or cryptographic keys used to authenticate a mobile device are used in lieu of
compensating controls for advanced authentication, they shall be:
1. Protected against being extracted from the device
2. Configured for remote wipe on demand or self-deletion based on a number of
unsuccessful login or access attempts
3. Configured to use a secure authenticator (i.e. password, PIN) to unlock the key for use
Objective:
The Bureau of Criminal Apprehension's (BCA) Minnesota Justice Information Services (MNJIS)
operates the Criminal Justice Data Communications Network (CJDN) so that authorized agencies can
retrieve criminal justice information (CJI) in order to perform their duties. The purpose of this policy
is to help those authorized agencies comply with both the current FBI CJIS Security Policy (CSP) and
this Bureau of Criminal Apprehension (BCA) MNJIS CJDN Network Security Policy 5002. The CSP
provides the minimum level of information technology (IT) security requirements acceptable for the
transmission, processing, and storage of the nation's Criminal Justice Information System (CJIS)
data. These requirements are necessary to establish uniformity and consistency in safeguarding CJI
which is accessed via networks throughout the federal, state, and local user communities.
The primary intent of this policy is to clarify certain sections of the CSP so that it is easier for
agencies to be in compliance and to set statewide standards regarding the security and movement of
CJI within Minnesota.
Any security controls listed in this policy that are more restrictive than the CSP will be clearly stated
(they are highlighted with bold and italics).
Many of the terms used in this policy are defined in the CSP and so are not defined in this document.
Additional defined terms are found below.
Authorized agency: a government agency authorized by the BCA to have access to BCA and FBI
resources and that has a valid joint powers agreement or other contract executed by it and the BCA.
BCA: The CJIS Systems Agency (CSA) and State Identification Bureau (SIB) for Minnesota.
CJI Environment: an authorized agency's isolated infrastructure where CJI passes, is accessed,
and/or stored. This includes, but is not limited to, network switches, routers, firewalls, workstations,
servers, and virtual environments.
CJIS Systems Officer (CSO): the BCA employee responsible for the administration of the system
that makes it possible to send and retrieve CJI.
Criminal Justice Data Communications Network (CJDN): For statutorily authorized users, the
CJDN is a connectivity method that has been approved by the BCA.
Criminal Justice Information (CJI): Criminal Justice Information is the abstract term used to
refer to all data from systems containing, integrated with, or derived from data in the FBI CJIS
repositories and also includes data contained in, integrated with or derived from data maintained in
BCA repositories and that are necessary for authorized agencies to perform their work.
Foreign network: any network or network connection procured only by a Local Agency that has
access to the CJDN.
Local Agency: any Minnesota agency, including federal agencies that serve part or all of Minnesota,
authorized to access the CJDN.
Page 1 of 6
MNJIS Terminal: any device used by a Local Agency to connect to the CJDN to retrieve CJI.
Examples of a MNJIS Terminal include, but are not limited to, a desktop computer, laptop, tablet,
and cellular telephone.
Mobile Devices: any portable device used to access CJI via a wireless connection. Examples of
mobile devices are smart phones, cellular phones transmitting CJI, laptops and tablets and other
portable equipment which can easily be moved from one location to another.
Non-Physically Secure Location: any area that does not fall under the definition of a Physically
Secure Location.
Occasional Unescorted Access: the infrequent access needed for a task in a Physically Secure
Location. Examples are maintaining vending machines and watering plants.
Physically Secure Location: a facility, an area, a room, or a group of rooms that have the physical
and personnel security controls sufficient to protect CJI and the associated information system
subject to the authorized agency's management and control. Specific information on squad cars and
physical security is found on page 6.
Public Key Infrastructure (PKI): algorithms and encryption that use key pairs to secure CJI
whether in transit or at rest.
Wireless Technology: the transmission of voice and/or data communications via radio
frequencies.
Policy:
This policy addresses the secure operation of computers, access devices, circuits, hubs, routers,
firewalls, and other components that comprise and support a data network, telecommunications
network and related MNJIS systems used to process, store, share, or transmit CJI, guaranteeing the
priority, integrity, and availability of service needed by state and local agencies. This policy also
applies to CJI data held by authorized agencies, regardless of the means of storage.
Roles and Responsibilities:
A. CJIS System Agency Information Security Officer (CSA ISO)
1. The CSA ISO is a BCA employee who is responsible for:
a. Ensuring agencies conform to the CSP and this policy.
b. Ensuring management controls are in place for the CJDN including the management of
State routers, firewalls, and VPN devices.
c. Ensuring that state and local agency network topology documentation is current.
d. Supporting security-related configuration management for the BCA and Local
Agencies.
e. Providing guidance in implementing security measures at the local level.
f. Disseminating security-related training materials to local agencies.
g. Collecting information about security incidents from LASOs for submission to the FBI.
B. Local Agency Security Officer (LASO)
1. Each agency head must appoint a LASO for the agency. The LASO, who is the liaison between
his/her Local Agency and the CSA ISO, is responsible for ensuring that the agency complies
with both the CSP and this policy.
2. The tasks assigned to the LASO in the CSP are modified as follows:
a. Identify who is using the CSA approved hardware, software, and firmware and ensure
no unauthorized individuals or processes have access to the same.
b. Identify and document how the equipment is connected to the state system.
MNJIS-5002 Version: 04/17/2017
c. Ensure that personnel security screening procedures are being followed as stated in
the CSP in coordination with the agency's Terminal Agency Coordinator (TAC)
or Point of Contact (POC).
d. Ensure the approved and appropriate security measures are in place and working as
expected.
e. Support policy compliance and keep the state/federal ISO informed of security
incidents.
f. Ensure the physical security of all MNJIS terminals and equipment in the authorized
agency's environment that accesses the CJDN or contains CJI.
C. Authorized Agency
The authorized agency using the CJDN is responsible for ensuring that personnel screening is
conducted as required by the CSP and Minnesota Statutes, section 299C.46 and that users
receive initial security awareness training and on-going security awareness training as outlined in
the CSP.
D. Standards of Enforcement
1. Each Local Agency is responsible for enforcing system security standards for their agency in
addition to all of the other agencies and entities to which the Local Agency provides CJI
services. Local Agencies must have written policies to address the security provisions of the
CSP and this policy. Local Agencies must also have procedures in place to deactivate the
passwords, log-ons, and other access tools of separated employees.
2. Authorized users must access CJIS systems and disseminate CJI only for the purposes for
which they are authorized. Each authorized agency permitted access to FBI CJIS and
Minnesota systems will be held to the provisions of the policies and guidelines set forth in this
policy as well as the most current version of the CSP.
E. Personnel Security
1. According to the CSP, any individual with unescorted access in a Physically Secure Location
must have a national, fingerprint-based background check and complete appropriate security
awareness training. Most individuals will take the security awareness training via the BCA's
Launch Pad (httg anextest .x.state.mn.us /launchpad ) by using the CJIS Online
functionality. Access to these sites is restricted; access is granted by the TAC. As part of the
training, individuals will be tested as required by the CSO. Each agency is responsible for
keeping documentation of each employee's completion of security awareness training.
2. Once the individual has met the requirements, they can have unescorted access to any part
of the Physically Secure Location where there are devices through which CJI can be accessed
or where output from those devices can be found in any media (e.g. paper, electronic or
other physical format).
3. Individuals who do not need to move freely within a Physically Secure Location must be
escorted at all times by an individual who has met these Personnel Security requirements.
4. For individuals who have Occasional Unescorted Access within a Physically Secure Location,
the security awareness training requirement is satisfied by signing an agreement
acknowledging that they understand they are working in a location with access to protected
data, whether access is via a device, printout or overheard conversation and that the
protected data needs to "remain in the building." The agreement must be signed prior to
gaining access to CJI and must be renewed every two years. A sample agreement can be
found on the BCA's CJDN Secure website, https://app.dps.mn.gov/cjdn/ under MNJIS
Policies. Credentials for the CJDN Secure website are obtained from the BCA Service Desk
(651-793-2500 / 1-888-234-1119 or bca.servicedesk@state.mn.us). The sample agreement
can also be found on the BCA's Launch Pad in the CJIS Documents folder under the heading
Security Awareness Training and Testing.
F. Personnel Screening for Contractors, Vendors, and Governmental Agencies Performing
Criminal Justice functions on Behalf of an Authorized Agency
As provided in the CSP, the CSO sets the standard for background checks on contractors and
vendors. The BCA will register companies whose employees support authorized agencies in
Minnesota after determining that the company is in compliance with the CSP and has signed a
MNJIS -5002
Version: 04/17/2017
Page 3 of 6
Security Addendum with the BCA. Part of the registration will include a determination that the
company operates in compliance with the CSP and this policy. The BCA will conduct all
national fingerprint-based background checks on all vendor employees and will be the centralized
repository for the documentation of security awareness training and testing for those employees.
Information on the process is available from the BCA CJIS SAT Screening Unit, *DPS_BCA CJIS
SAT screen in state.mn.us.
G. Incident Response
1. The CSP requires that Local Agencies report a security incident, whether physical or logical,
to the FBI via the CSA ISO. Local Agencies are required to have a policy regarding security
incidents and how they are reported. Local Agencies should use NIST Special Publication
800-61 as a template for the required incident response policy. The NIST publication can be found
at: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
2. The Local Agency must report all suspected security incidents to the CSA ISO within 24 hours
of the initial discovery. Security incidents include loss or theft of media containing CJI (e.g.
paper, thumb drive) or equipment, suspicious or malicious software in the Local Agency's
environment or unusual network activity. Information security events and weaknesses
associated with information systems must be communicated in a manner allowing timely
corrective action to be taken. Formal event reporting and procedures to increase attention
depending on the severity of the situation must be in place.
3. Wherever feasible, the Local Agency must employ automated mechanisms to assist in the
reporting of security incidents. All employees, contractors and third party users must be
made aware of the procedures for reporting the different types of events and weaknesses
that might have an impact on the security of agency assets and are required to report any
information security events and weaknesses as quickly as possible to the designated point of
contact.
H. Firewalls
Local Agencies with access to a foreign network connected to the CJDN must be protected with a
firewall device. This must include all forms of access including wireless, dial-in, off-site, Internet
access, and others. Firewall architectures must prevent unauthorized access to CJI, the Local
Agency's network, and all network components.
I. Advanced Authentication and Encryption
1. The technical security requirements for encryption and advanced authentication for CJI
transmitted across the CJDN are as follows:
a. Physically Secure Location with direct access to CJDN.
i. Must use a NIST-certified FIPS 140-2 encryption algorithm with a minimum of
a 128-bit encryption key.
ii. No advanced authentication is required.
b. Physically Secure Location to Physically Secure Location to CJDN. For example, a city
police department has a network connection to the county sheriff's office which has
direct access to CJDN.
i. Must use a NIST-certified FIPS 140-2 encryption algorithm with a minimum of a
128-bit encryption key.
ii. No advanced authentication is required.
2. Access to CJDN from a location that is not physically secure must use advanced
authentication and encryption. Police vehicles in Minnesota are physically secure and so
advanced authentication and encryption are not required.
J. Physically Secure Location
1. A Physically Secure Location is a facility, an area, a room, or a group of rooms, that is/are
subject to authorized agency management control and which contain hardware, software,
and/or firmware (e.g., information system servers, controlled interface equipment, associated
peripherals or communications equipment, wire closets, patch panels, etc.) that provide
access to the CJIS and CJDN networks. Physical security perimeters must be acceptable to
the CSO.
2. Restricted and controlled areas must be prominently posted and separated from
non-physically secured areas by physical barriers that restrict unauthorized access. Every physical
access point to physically secure areas housing information systems that access, process, or
display CJI must be secured in a manner which is acceptable to the CSO during both working
and non-working hours. In commercial buildings where the public has complete
access to the building, the requirement of a physically secure location is met by a
secured room within a secured room.
3. All CJI transmitted through any public network segment or over Internet connections must be
immediately protected using a NIST-certified, FIPS 140-2 encryption algorithm using a
minimum of a 128-bit encryption key. This requirement also applies to any private data
circuit.
4. Advanced Authentication (AA) is the term describing added security functionality, in addition
to the typical user identification and authentication of login ID and password, such as:
a. Biometric systems
b. Public Key Infrastructure (PKI)
c. Smart cards
d. Software tokens or hardware tokens
e. "Risk-based Authentication" that includes a software token element comprised of a
number of factors, such as network information, user information, positive device
identification (i.e. device forensics, user pattern analysis and user binding) and user
profiling, and also includes high-risk challenge/response questions.
5. The objective of implementing AA is to uniquely and positively identify an authorized
individual for access to CJI.
6. Once authenticated, access to CJI must be through a NIST-certified, FIPS 140-2 encryption
algorithm using a minimum of a 128-bit encryption key.
7. Encryption keys, such as pre-shared keys used in a site-to-site VPN, must be changed at
least once a year.
8. Digital certificates, whether device and/or user based, must expire and be reissued at least
once every two years.
9. AA does not have to be a part of establishing the encrypted transport.
10. No remote access to CJI, from an unsecure location, is permitted unless both AA and
compliant encrypted transport requirements are met.
11. The infrastructure for AA/encryption must be on an isolated network, not part of the CJDN or
a city/county user network.
12. The infrastructure for encryption must isolate authorized agency users from non-authorized
agency users.
13. The agency must have a firewall between the CJDN and AA/encryption environments.
14. The agency firewall must ensure that only properly authorized and authenticated users may
pass through the firewall to access CJI and/or any resources where CJI is in transit or at rest.
15. The agency AA/encryption environment may provide access to other non-criminal justice
resources such as email and county/city resources as required.
16. Any agency AA methodology must utilize real-time user authentication to an agency
controlled remote environment. Device authentication and locally cached credentials must not
be used as part of AA.
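The numeric limits in sections I and J (128-bit minimum key, yearly pre-shared key rotation, two-year certificate lifetime, AA required from unsecure locations, no cached or device-only credentials) are the kind of thing an agency LASO ends up checking by hand at audit time. The following is an added example, not part of the MNJIS-5002 policy and not the BCA's or any vendor's tooling, showing how those limits can be expressed as a small policy-as-code audit over an inventory of links. The `Link` record format, the sample inventory, and the set of cipher labels treated as FIPS 140-2 approved are all assumptions made for the example.

```python
# Added example (not part of the MNJIS-5002 policy or any BCA tooling):
# a policy-as-code audit of constructed encryption / Advanced Authentication
# records against the numeric limits stated in sections I and J.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

MIN_KEY_BITS = 128              # I.1, J.3, J.6: minimum symmetric key length
MAX_PSK_AGE_DAYS = 365          # J.7: pre-shared keys changed at least once a year
MAX_CERT_VALIDITY_DAYS = 731    # J.8: certificates reissued at least every two years
# Assumption: these are the only cipher labels this audit recognizes as FIPS 140-2 approved.
APPROVED_CIPHERS = {"AES-128-CBC", "AES-128-GCM", "AES-256-CBC", "AES-256-GCM"}


@dataclass
class Link:
    """One CJDN link or remote-access path (hypothetical record format for this example)."""
    name: str
    endpoint_secure: bool             # far end is a Physically Secure Location (I.1, J.10)
    cipher: str
    key_bits: int
    psk_issued: date | None = None    # date the site-to-site PSK was last changed (J.7)
    cert_not_before: date | None = None
    cert_not_after: date | None = None
    aa_method: str | None = None      # e.g. "hardware token"; None means no AA in use
    cached_credentials: bool = False  # J.16 forbids locally cached credentials in AA
    device_only_auth: bool = False    # J.16 forbids device authentication as AA


def audit_link(link: Link, today: date) -> list[str]:
    """Return one finding per requirement the link fails; an empty list means compliant."""
    findings: list[str] = []
    if link.cipher not in APPROVED_CIPHERS:
        findings.append(f"{link.name}: cipher {link.cipher} is not FIPS 140-2 approved (J.3)")
    if link.key_bits < MIN_KEY_BITS:
        findings.append(f"{link.name}: {link.key_bits}-bit key is below the {MIN_KEY_BITS}-bit minimum (J.3)")
    if link.psk_issued is not None:
        age = (today - link.psk_issued).days
        if age > MAX_PSK_AGE_DAYS:
            findings.append(f"{link.name}: pre-shared key is {age} days old, limit {MAX_PSK_AGE_DAYS} (J.7)")
    if link.cert_not_before is not None and link.cert_not_after is not None:
        validity = (link.cert_not_after - link.cert_not_before).days
        if validity > MAX_CERT_VALIDITY_DAYS:
            findings.append(f"{link.name}: certificate valid for {validity} days, limit {MAX_CERT_VALIDITY_DAYS} (J.8)")
        if link.cert_not_after < today:
            findings.append(f"{link.name}: certificate expired on {link.cert_not_after} (J.8)")
    if not link.endpoint_secure and link.aa_method is None:
        findings.append(f"{link.name}: remote access from an unsecure location without AA (J.10)")
    if link.cached_credentials or link.device_only_auth:
        findings.append(f"{link.name}: AA relies on cached credentials or device authentication (J.16)")
    return findings


def audit_all(links: list[Link], today: date) -> dict[str, list[str]]:
    """Audit every link and map its name to its findings."""
    return {link.name: audit_link(link, today) for link in links}


# Constructed sample inventory; dates are chosen relative to the policy's version date.
POLICY_DATE = date(2017, 4, 17)
SAMPLE_LINKS = [
    # Sheriff's office with direct CJDN access: compliant site-to-site tunnel.
    Link("sheriff-to-cjdn", True, "AES-256-GCM", 256, psk_issued=date(2017, 1, 9)),
    # City PD to sheriff's office: legacy cipher, short key, stale PSK.
    Link("city-pd-to-sheriff", True, "3DES-CBC", 112, psk_issued=date(2016, 1, 1)),
    # Remote access from a home network: long-lived certificate, no AA, cached credentials.
    Link("officer-home-vpn", False, "AES-128-GCM", 128,
         cert_not_before=date(2015, 1, 1), cert_not_after=date(2018, 1, 1),
         cached_credentials=True),
    # Remote access done properly: two-year certificate plus a hardware token for AA.
    Link("detective-laptop-vpn", False, "AES-256-GCM", 256,
         cert_not_before=date(2016, 6, 1), cert_not_after=date(2018, 5, 31),
         aa_method="hardware token"),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_LINKS, POLICY_DATE).items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Each finding cites the policy item it derives from so the audit output doubles as the documentation the CSP asks the agency to keep. Feeding real VPN and certificate data into this shape is the agency's job; the cipher allow-list in particular should be replaced with the agency's own FIPS-validated module inventory rather than the four labels assumed here.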
K. Mobile Devices
The use of mobile devices to access CJI is rapidly changing and the FBI periodically issues
additional direction on their use. Contact the CSA ISO for the most current requirements
governing the use of these devices. The CSA ISO can be reached at bca.iso@state.mn.us.
L. Software as a Service (SaaS)
1. For an Authorized agency who wants to use a private sector vendor to provide SaaS the
requirements are:
a. An Authorized agency must consult with the BCA to ensure all requirements can be or are
being met.
b. The Authorized agency must send a written request, on agency letterhead, to the CSO
requesting that the vendor provide SaaS.
c. The Authorized agency must have appropriate agreements in place with the BCA.
d. The Authorized agency must have a written contract with the vendor. The vendor must
comply with the CSP and this policy, as must any contractors of the vendor.
i. If the vendor is in the private sector, the Security Addendum needs to be signed
and employees must sign the Security Addendum Certification. If the vendor has
subcontractors, there must also be a written agreement between them, along with the
Security Addendum and Security Addendum Certifications.
ii. If the vendor is a non-criminal justice government agency, a Management Control
Agreement is needed.
e. SaaS must be provided in an isolated network that must reside in the continental United
States.
f. Data must be encrypted in transmission and at rest.
g. SaaS must be configured so that any agency may only have access to another criminal
justice agency's data if the access is authorized by Minnesota law and the parties have a
signed agreement approving the access.
h. Backup security must meet FBI CJIS requirements.
i. The BCA must have access for audit.
j. The vendor/agency is responsible for the cost of connecting to the vendor, however accomplished.
M. Cloud Computing
1. Any authorized agency that wants to store CJI in or transmit CJI through a cloud environment
should consult with the BCA prior to any storage or transmission of CJI. The BCA will
reference the most current version of the FBI's Technical Report entitled "Recommendations
for Implementation of Cloud Computing Solutions." (As of April 2017, the report was
available at https://www.fbi.gov/file-repository/cjis-cloud-computing-report_20121214.pdf/view).
2. Any cloud implementation must host and/or access CJI separately from non-CJI.
N. Electronic Media Disposal
When it is necessary to sanitize or destroy physical media, the use of media sanitization and
destruction methods consistent with the applicable guidance contained in NIST 800-88 (available
at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf) and/or DoD
5220.22-M (available at http://www.dtic.mil/whs/directives/corres/pdf/522022M.pdf) is required.
O. Analytics Tools
Any Local Agency that wishes to use an analytic tool should consult with BCA prior to
implementation to ensure that the tool is in compliance with the CSP and this policy.
P. Network Configuration
The LASO is responsible for ensuring network compliance with the CSP and establishing
procedures for documenting, maintaining, and updating their agency's criminal justice
information network configuration. Contact the CSA ISO at bca.iso@state.mn.us for assistance
with network configurations.
1. FBI CJIS Security Policy
2. NIST Special Publication 800-61
3. FBI Recommendations for Implementation of Cloud Computing Solutions
4. NIST 800-88
5. DoD 5220.22-M