What is CJIS Compliance? Here's What You Need to Know
Mar 31, 2021 10:27 AM EDT
Each day, hundreds of pieces of private or sensitive information obtained by local, state, and federal law enforcement agencies are stored within the FBI's central repository for criminal justice information: Criminal Justice Information Services (CJIS). Law enforcement institutions and vendors that use this sensitive data are required to be CJIS compliant to access it.
Whether you are a law firm or a solo practitioner searching for a third-party vendor to provide you with different case-related services, you are required to partner with a business that is CJIS compliant. To help you find a compliant partner within the criminal justice network, we explore what CJIS is and what the CJIS compliance checklist entails.
What is CJIS?
Established in 1992, Criminal Justice Information Services represents the largest division of the FBI. Within the CJIS, there are several key departments, including NCIC (National Crime Information Center), IAFIS (Integrated Automated Fingerprint Identification System), and NICS (National Instant Criminal Background Check System).
CJIS, located in Clarksburg, West Virginia, serves as the main source of criminal justice data for agencies and third parties throughout the US. Besides storing information such as fingerprints, criminal backgrounds, and private documents, the FBI's division is responsible for data security and encryption, ensuring the sensitive data is protected from potential security breaches and cyber-attacks.
CJIS's work is crucial for defending civil liberties and simultaneously providing criminal justice information to organizations and businesses involved in law enforcement and national security issues.
Why is CJIS compliance important?
The continuous rise of the Internet and the cloud, coupled with the increase in and sophistication of cybersecurity threats, has made CJIS an integral element of the national security of the US, as well as of the privacy and liberties of its citizens. Thus, access to CJIS data is granted to those institutions and individuals that prove compliance with the Division's requirements.
Achieving CJIS compliance is a crucial step for law enforcement and federal, state, and local government agencies, as well as businesses involved in the criminal justice system, as their operations rely upon accessing this comprehensive database.
However, CJIS is one of the most extensive and rigorous cybersecurity standards today, and failure to comply can result in denial of access to any FBI database or CJIS system. In some cases, organizations can face substantial fines and even criminal charges.
What is the CJIS Checklist?
Criminal Justice Information Services compliance is set out in a document over 200 pages long that defines security requirements and standards for organizations, cloud vendors, local agencies, and corporate networks in the following 13 policy areas:
- Information exchange agreements, which define how information is handled by companies and agencies that use criminal justice data. Some of the domains the policy covers are audits, hit confirmation, logging, pre-employment screening, security, validation, etc.
- Security awareness training, which everyone with access to criminal justice information (CJI) must undergo within six months of receiving the CJI. The training needs to be renewed every two years.
- Incident response, including procedures for detection, analysis, containment, recovery, and user responses for breaches and major incidents.
- Auditing and accountability for events such as login attempts, password changes, modification or deletion of history/log files, and permission management for user accounts, files, directories, and other system resources.
- Access control for users and the permissions granted, based on the job, location, network address, and/or time restrictions.
- Identification and authentication using a user's unique identification/authentication method such as a password, token or PIN, biometrics, or another type of multi-factor authentication.
- Configuration management, which entails in-depth documentation of both planned and unplanned changes and updates to the information system platform, architecture, hardware, or software.
- Media protection, stating policies and procedures on how digital and physical media will be stored, accessed, transported, and destroyed.
- Physical protection, a policy that defines the secure way of handling and monitoring documents or digital media storage devices.
- Systems and communications protection and information integrity, specifying how data travels within and between systems.
- Formal audits, which entail reviews that help ensure CJIS compliance by law organizations.
- Personnel security, a policy that entails detailed security screening for anyone with access to unencrypted CJIS data.
- Mobile devices, outlining considerations and requirements for managing systems and network access via smartphones, tablets, and other mobile devices.
What Does This Mean For You?
Law offices that require services from third-party businesses, such as transcription of police reports, witness or suspect interviews, or other audio or video files, are required to work with a CJIS-compliant transcription services company.
The same applies to each vendor whose services involve access to the private and sensitive data gathered by this FBI division. Prior to establishing a partnership with a law organization, make sure to thoroughly check whether they meet all the necessary CJIS compliance requirements. Otherwise, both you and the unauthorized business may face legal action.