CJIS SECURITY POLICY v5.5
Stephen Doc Petty, CJIS ISO - Texas
TCJUIG

Agenda
- CJIS Security Policy version 5.5
- History of the CJIS Security Policy
- The Advisory Policy Board
- Policy Creation
- Highlight Policy changes
- Areas of Focus: MDM / Mobile Devices, AA Compensating Controls, Cloud Services, Vendor Contact Changes
- Resources & Questions

Policy Areas
- Section 1. Introduction
- Section 2. CJIS Security Policy Approach
- Section 3. Roles and Responsibilities
- Section 4. Criminal Justice and PII
- Section 5. Policy and Implementation
- Appendix A-K: Various supporting information

Shared Management Philosophy
The FBI employs a shared management philosophy with:
- Federal Law Enforcement
- Local Law Enforcement
- State Law Enforcement
- Tribal Law Enforcement
A similar relationship exists with the Compact Council and State Identification Bureaus for noncriminal justice usage of criminal history records.

The Advisory Process
The Board, subcommittees, and working groups collaborate with the FBI CJIS Division to ensure that the CJIS Security Policy meets the evolving business, technology, and security needs.

Working Groups
- Security & Access Subcommittee
- North Central Working Group
- Western Working Group

Chairman: TBA
Vice Chair: Joe Dominic - CA DOJ
- TJ Smith - CA LASD
- Brenda Abaya - HI DPS
- Jim Slater - MA Dept. Crim. Justice
- Blaine Koops - MI County Sheriff
- Patrick Woods - MO HP
- Yosef Lehrman - NY NYPD
- Brad Truitt - TN
- Chris Kalina - WI DOJ
- Bill Phillips - AZ Nlets
- Charles Shaffer - FDLE

The Advisory Policy Process
- Two cycles annually
- Topic Papers (discussion items submitted)
- Spring and Fall (APB meets): Working Groups, Subcommittees, Board
- FBI Director (approval and sign-off on Policy)
- Published Policy

Results
- The Security Review Web Site (DPS)
- CJIS Security Policy Resource Center (FBI)

Highlight Policy Changes: Security Awareness Training
- Required within six months of employment; biennially afterward
- It is the agency's responsibility to maintain CJIS Security Awareness training documentation
- Acceptance of training from another agency
- Awareness topics depend on level of access
- Current options: Omnixx, Security Awareness PDF & Online

POLICY CHANGES: Security Awareness - What's New?
Differing levels of training:
- Level 1: Personnel with unescorted access to secure areas
- Level 2: Personnel that have physical contact with CJI
- Level 3: Personnel that enter, query or modify CJI
- Level 4: Personnel with Information Technology roles

LOGIN TO THE CJIS ONLINE: https://www.cjisonline.com

Incident Response Plan
POLICY CHANGES 5.3: Incident Response
- Significant change in CJIS Security Policy
- Any incident involving criminal justice information (CJI) should be reported, physical or digital

Access Control
POLICY CHANGES 5.5: Access Control
Provides the following planning and implementation of mechanisms to protect access to CJI and the modification of the systems which process CJI:
- Account Management
- Access Enforcement
- Unsuccessful Login Attempts
- System Use Notification
- Session Lock
- Remote Access
- Personally Owned Information Systems (BYOD)
- No CJI from Publicly Accessible Computers

POLICY CHANGES 5.5: Access Control
A few significant changes in CJIS Security Policy v5.4:
- Document the rationale, technical and administrative process for enabling remote access for privileged functions
- Established parameters for permitting Virtual Escorting for Remote Access

Advanced Authentication
POLICY CHANGES: Section Policy Area 6: Identification and Authentication
- Clarification of Out-of-Band Authentication for AA

Advanced Authentication
Advanced Authentication (AA) provides for additional security to the typical user identification and authentication of login ID and password, such as: biometric systems, user-based digital certificates (e.g. public key infrastructure (PKI)), smart cards, software tokens, hardware tokens, paper (inert) tokens, out-of-band authenticators (retrieved via a separate communication service channel, e.g., the authenticator is sent on demand via text message, phone call, etc.).

Encryption 5.10: What's Changed?
A few changes in CJIS Security Policy v5.4:
- Encryption exemption for "campus-like scenarios"
- Changes to Virtualization: permits virtual segregation (must be within line of sight; request must be obtained through the CSO)

Faxing
POLICY CHANGES Section 5.10.2
Policy Area 10: System and Communications Protection and Information Integrity
5.10.2 Facsimile Transmission of CJI
CJI transmitted via facsimile (a single or multi-function device) over a standard telephone line is exempt from encryption requirements. CJI transmitted external to a physically secure location using a facsimile server, application or service which implements email-like technology shall meet the encryption requirements for CJI in transit as defined in Section 5.10.

POLICY CHANGES
- Hardwired: Encryption Not Required
- Email-like: Encryption Required

Mobile Devices
POLICY CHANGES Section 5.13
Policy Area 13: Mobile Devices
Highlighted changes include:
5.13.3 Wireless Device Risk Mitigations
Organizations shall, at a minimum, ensure that cellular wireless devices:
- Use advanced authentication or CSO approved compensating controls as per Section
- Employ malicious code protection or run a MDM system that facilitates the ability to provide anti-malware services from the agency level.

Compensating Controls for AA
- Applies only to smartphones and tablets
- Possession of an agency issued device is a required part of the control
- Additional requirements mostly met by MDM
- Compensating Controls are temporary
- CSO approval and support required
- Must meet the intent of the CJIS Security Policy AA requirement
- Must provide a similar level of protection or security as the original AA requirement
- Must not rely upon existing requirements for AA as compensating controls
- Submit email to [email protected]; include "Request for Compensating Controls" in the subject line.

BYOD
1. Personally Owned Information Systems
Not authorized to access CJI unless terms and conditions are specified. When personally owned mobile devices (i.e. bring your own device [BYOD]) are authorized, they shall be controlled in accordance with the requirements in Policy Area 13: Mobile Devices.

What's Coming in CJIS Policy?
Stephen Doc Petty, CISSP, SSCP
CJIS ISO - Texas
[email protected]

What's Coming in CJIS Policy? Policy Section 5.13
- The Mobile Security Task Force will continue to review areas for change and updates to the policy.
- A new Task Force is being established to focus on cloud services.

Mobile Device Management (MDM)
POLICY CHANGES Section 5.13: Mobile Devices
5.13.2 Mobile Device Management (MDM)
MDM with centralized administration configured and implemented to perform at least the following:
- Remote locking of device
- Remote wiping of device
- Setting and locking device configuration
- Detection of rooted and jailbroken devices
- Enforcement of folder or disk level encryption
- Application of mandatory policy settings on the device
- Detection of unauthorized configurations

POLICY CHANGES Section 5.13: Mobile Devices Continued
5.13.2 Mobile Device Management (MDM)
MDM with centralized administration configured and implemented to perform at least the following:
- Detection of unauthorized software or applications
- Ability to determine the location of agency controlled devices
- Prevention of unpatched devices from accessing CJI or CJI systems
- Automatic device wiping after a specified number of failed access attempts
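The 5.13.2 minimums above read as a checklist, but an agency still has to turn them into a decision an MDM or access gateway can make for each device. The following Python is an added example (not DPS, FBI or any MDM vendor's code) that turns the listed minimums into a posture gate: it takes an MDM-style inventory record and returns which controls the device fails, then maps that to allow/lock/wipe. The field names, the sample inventory, the minimum patch level and the failed-attempt wipe threshold are constructed assumptions; the policy text only says "a specified number" of failed attempts, so the threshold is a stand-in an agency would set itself.

```python
"""Device posture gate for CJI access, modelled on the MDM minimums listed in
CJIS Security Policy 5.13.2. Added example, not agency or vendor code.

A DeviceRecord is the kind of row an MDM exports. Every field name, sample
value and threshold below is a constructed assumption for illustration.
"""
from dataclasses import dataclass, field

# Assumption: the policy says "a specified number" of failed attempts; the
# actual number is agency policy. 10 is a placeholder.
FAILED_ATTEMPT_WIPE_THRESHOLD = 10

# Assumption: oldest security patch level still allowed to touch CJI (ISO date).
MIN_PATCH_LEVEL = "2016-01-01"


@dataclass
class DeviceRecord:
    device_id: str
    agency_owned: bool
    mdm_enrolled: bool            # centralized administration present
    rooted_or_jailbroken: bool    # reported by the MDM agent
    disk_encrypted: bool          # folder/disk level encryption enforced
    patch_level: str              # ISO date of the OS security patch
    unauthorized_apps: list = field(default_factory=list)
    config_matches_policy: bool = True
    failed_unlock_attempts: int = 0
    location_known: bool = True


def posture_findings(dev: DeviceRecord, min_patch_level: str) -> list:
    """Return the 5.13.2 minimums this device fails; an empty list means the
    device may access CJI. Each entry names the failed control."""
    findings = []
    if not dev.mdm_enrolled:
        findings.append("no centralized MDM administration")
    if dev.rooted_or_jailbroken:
        findings.append("rooted/jailbroken device detected")
    if not dev.disk_encrypted:
        findings.append("folder/disk level encryption not enforced")
    if not dev.config_matches_policy:
        findings.append("unauthorized configuration detected")
    if dev.unauthorized_apps:
        findings.append("unauthorized software: " + ", ".join(sorted(dev.unauthorized_apps)))
    # ISO dates compare correctly as strings, so this blocks unpatched devices.
    if dev.patch_level < min_patch_level:
        findings.append(f"unpatched device (patch level {dev.patch_level} < {min_patch_level})")
    if dev.agency_owned and not dev.location_known:
        findings.append("location of agency controlled device cannot be determined")
    return findings


def mdm_action(dev: DeviceRecord, min_patch_level: str) -> str:
    """Map posture to the MDM response the section requires: "wipe" once the
    failed-attempt threshold is reached, "lock" while any finding is open,
    otherwise "allow"."""
    if dev.failed_unlock_attempts >= FAILED_ATTEMPT_WIPE_THRESHOLD:
        return "wipe"
    if posture_findings(dev, min_patch_level):
        return "lock"
    return "allow"


def gate_inventory(inventory, min_patch_level: str = MIN_PATCH_LEVEL) -> dict:
    """Decide an action for every device in an MDM inventory export."""
    return {dev.device_id: mdm_action(dev, min_patch_level) for dev in inventory}


# Constructed sample inventory: one compliant tablet, one rooted phone,
# one phone with a sideloaded app and an old patch level, one phone that
# has hit the failed-attempt threshold.
SAMPLE_INVENTORY = [
    DeviceRecord("TAB-001", True, True, False, True, "2016-04-01"),
    DeviceRecord("PHN-002", True, True, True, True, "2016-04-01"),
    DeviceRecord("PHN-003", True, True, False, True, "2015-06-01",
                 unauthorized_apps=["sideloaded-vpn"]),
    DeviceRecord("PHN-004", True, True, False, True, "2016-04-01",
                 failed_unlock_attempts=10),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        print(dev.device_id, mdm_action(dev, MIN_PATCH_LEVEL),
              posture_findings(dev, MIN_PATCH_LEVEL))
```

The useful property for an auditor is that `posture_findings` names the specific 5.13.2 control a device fails rather than returning a bare deny, which is the evidence an agency needs when it documents why a device was locked out of CJI.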

What's Coming in CJIS Policy? Policy Section 5.10
The Security and Access (SA) Subcommittee has established a Cloud Task Force to review all cloud related topics, such as:
- Collection and Use of Metadata by Cloud Service Providers
- Security of CJIS Data Stored in Offshore Cloud Computing Facilities
- FedRAMP/Trustmark concept

POLICY CHANGES
Step #2 Select

DPS and Vendor Contact
We have some very strict rules now regarding DPS employees and vendor contact. To set up a call with the DPS CJIS Technical Audit staff, all of the following must be true:
1. The vendor must have a contract with a Texas LE Agency.
2. The vendor must have a fully executed CJIS Security Addendum with the LE Agency.
3. The agency must set up the call with DPS and be on the line.

DPS and Vendor Contact
- The Agency can call the CJIS Technical Audit Team at any time.
- The Agency will need to ensure that due diligence is done regarding its vendor contract.
- The agency should specify that CJIS compliance is required in the contract. There will be no exceptions to this.

Questions?
Thank you
