As noted in its Executive Summary, the Criminal Justice Information Services Security Policy (CJISSECPOL) applies to every criminal justice or non-criminal justice agency, private company, or individual contractor that has access to, or acts in support of, criminal justice services and information. Criminal Justice Information (CJI) includes biometric, identity history, biographic, property, and case/incident history data, together with the personally identifiable information (PII) contained in those records.
By design, this policy has a direct impact on the daily operations and technology posture of the vast majority of government agencies and nearly all law enforcement organizations. Covered entities must perform a self-audit annually, and a formal audit occurs every three years. The policy also defines separate levels of required security awareness training for different classes of personnel, and gives detailed guidance on the proper access, use, and dissemination of CJI.
Recent Updates
CJISSECPOL has been in place for decades, but the July 9, 2024, release introduced a set of changes with staggered dates: some are effective as of October 1, 2024, while others will not be audited until September 2027. The purpose of these changes is to bring the policy in line with the current cybersecurity and threat landscape and with the applicable National Institute of Standards and Technology (NIST) standards, in particular NIST SP 800-53.
Areas affected by the recent changes include visitor access log retention and audit practices, encryption of data at rest and in transit, user account management, and incident response procedures. Every entity that falls under CJISSECPOL should review the latest version and determine whether it is compliant, paying particular attention to the sanctionable Priority 1 requirements.
One of the most important Priority 1 updates falls under the Identification and Authentication (IA) section of the policy. As of October 1, 2024, any agency accessing CJI must use multifactor authentication (MFA), meaning authentication that combines two distinct factors drawn from the following three categories:
- Something you know (passwords, security codes, or personal identification numbers)
- Something you have (physical authenticators such as USB security keys, access cards, or mobile devices)
- Something you are (biometrics such as facial or iris scans or fingerprints)
The two factors must come from different categories: a password plus a PIN, for example, are both "something you know" and do not satisfy the requirement. The MFA requirement applies to both privileged and non-privileged accounts and is intended to harden agencies and entities that have been vulnerable to phishing, social engineering, and other forms of credential compromise.
Summary
All organizations that handle CJI should review the new FBI guidance to determine whether they are subject to, and compliant with, the updated requirements, and begin building their road map to compliance for their annual audits and ahead of the current triennial deadline of September 30, 2027.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.