What Is CJIS?
Established in 1992, CJIS is the largest division of the FBI, and comprises several departments, including the National Crime Information Center (NCIC), Integrated Automated Fingerprint Identification System (IAFIS) and the National Instant Criminal Background Check System (NICS). CJIS monitors criminal activities in local and international communities using analytics and statistics provided by law enforcement, and their databases provide a centralized source of criminal justice information (CJI) to agencies around the country.
The world has changed a lot since 1992, and the proliferation of the Internet and the cloud, combined with the growing rate and sophistication of cyber security threats, have made protecting CJIS data more complicated than ever. Because of this growing concern, CJIS came up with a set of security standards for organizations, cloud vendors, local agencies and corporate networks.
The policies set forth by CJIS cover best practices in wireless networking, remote access, data encryption and multiple authentication. Some basic rules include:
• A limit of 5 unsuccessful login attempts by a user accessing CJIS
• Event logging various login activities, including password changes
• Weekly audit reviews
• Active account management moderation
• Session lock after 30 minutes of inactivity
• Access restriction based on physical location, job assignment, time of day, and network address
How do I get a Criminal Justice Information Services (CJIS) certification?
Criminal Justice Information Services (CJIS) is the largest division of the FBI and comprises several departments such as the Integrated Automated Fingerprint Identification System (IAFIS) or the National Crime Information Center (NCIC). The CJIS division monitors criminal activities both locally and internationally and centralizes data providing useful criminal justice information to agencies in the entire country.
If your company or agency uses the CJIS, they must follow well-established processes and rules in order to be CJIS compliant. If you are given CJIS access, then you must follow security awareness training within six months of receiving the CJIS and you must renew your training once every two years.
There's an entire CJIS compliance sheet that makes sure every agency or organization that uses the database are following the same procedures regarding data security and encryption.
Ground Rules for CJI Compliance
Some of the basic rules for CJIS compliance include:
5 unsuccessful login attempts (mac) by a user accessing CJIS
Monitoring various login activities, such as password changes
Performing weekly audit review
Actively moderating account management
Locking off users’ sessions after a half hour of inactivity
Restricted access due to physical location, job assignment, time of day, and network address
The CJIS database is a central database of criminal justice information (CJI), and this information is collected via law enforcer analytics and statistics. As you might have concluded from even just these basic rules, CJIS access and control is strict and complex, and rightfully so.
If your organization isn’t 100 percent compliant, the authorities will be alerted to this fact very quickly. Compliance regulations like these must followed exactly, but understandably, some organizations will have more challenges than others keeping compliant.
Multi-Factor Authentication and Encryption
FBI Security Policy section 5.6.2.2.1, also known as the Advanced Authentication Requirement, obliges organizations to use multi-factor authentication if employees are accessing CJI. This is alike to using a debit or credit card that requires pin input.
A recurrent strategy for multi-factor authentication is to use software applications or physical devices that generate unique, one-time passwords with time limits. Multi-factor authentication is a key policy area that should be on every business’ CJIS checklist along with data encryption.
Encrypting files and emails add one more layer of complexity for criminals trying to gain access to CJI and other vital information. The compliance also governs proper ways to handle the challenges of sending email that won’t compromise CJI.
Personnel Training
For CJIS best practices, training for your staff should be frequent, with sufficient documentation and knowledge circulation to ensure that everyone is on the same page regarding complete compliance. Your security protocols and password requirements should be the same across your entire organization.
CJI can seriously affect both the organizations and the public at large. If you are unsure of which strategies will be feasible to achieve a state of readiness with this compliance, you should consider engaging compliance consultants. You’ll be thankful you did, for sake of safety for your staff and the public.
