
How an Auditor Looks at Your Network Diagram

A question our auditors hear fairly often is what they want to see in an agency's network diagram. When that question comes up, the auditors generally take it to mean the agency wants to be sure the diagram it has reflects all the appropriate details. For the smaller agencies using only the CBI-provided OpenFox solution, the diagram can be very simple. For larger agencies, we expect a little more complexity once things like file servers, records management systems and computer aided dispatch are in the picture.
The CJIS Security Policy contains this standard for network diagrams:

5.7.1.2 Network Diagram
The agency shall ensure that a complete topological drawing depicting the interconnectivity of the agency network, to criminal justice information, systems and services is maintained in a current status. See Appendix C for sample network diagrams.
The network topological drawing shall include the following:
All communications paths, circui…

Change to the CJIS Vendor Program

In order to alleviate confusion regarding the CJIS Vendor Program enrollment criteria, the CBI has made a change to the initial documents required for vendors to enroll in the CJIS Vendor Program. The CBI will now require that a signed contract be furnished along with the associated enrollment documents.

According to the CJIS Security Policy, section 5.1.1.5:

"Private contractors designated to perform criminal justice functions for a CJA [Criminal Justice Agency] shall be eligible for access to CJI [Criminal Justice Information accessed through State and Federal systems]. Access shall be permitted pursuant to an agreement which specifically identifies the agency's purpose and scope of providing services for the administration of criminal justice. The agreement between the CJA and the private contractor shall incorporate the CJIS Security Addendum approved by the Director of the FBI, acting for the U.S. Attorney General, as referenced in Title 28 CFR 20.33 (a)(7)."

Since the CBI…

Signing the Security Addendum: A How-To

During audits and when answering questions, CBI encounters a lot of confusion about how to properly sign the CJIS Security Addendum. This ranges from asking which employees at the contracting business need to sign the agreement to asking how to properly store the signed agreements.

So how is the CJIS Security Addendum supposed to be signed? Like this:


COMMON MISTAKES
Here is a list of common mistakes with the CJIS Security Addendum and the correct handling of each:

OOPS! Sales representative signs this "for the whole company."
FIXED IT: Each employee working on your system must sign one of these!

OOPS! CCIC Coordinator signs the second line.
FIXED IT: As shown above, this form is only signed by vendor personnel. There should be no criminal justice agency personnel signing this form.

OOPS! Agency struggles to assemble a process and find space to store all these documents.
FIXED IT: Again, the form is not agency or customer specific, and copies can be maintained by the vendor and …

Procurement, Purchasing, Contracting - CJIS from the Start

It is very important for individuals working on procurement, purchasing and contracting of new information systems to be aware of when CJIS policy may apply to new purchases of products or services. Because the CJIS Security Policy can increase the cost of these purchases, it is always better to address it as early as possible so that the costs of the project are reasonable and expected. Trying to add it as an additional requirement after contracts are signed can lead to increased costs and potentially to failure of the project.

CJIS Policy Can Impact Cost
The main cost drivers in the CJIS Security Policy are technical controls for IT projects, and personnel controls for both IT and other projects. Let's say the agency has quoted and contracted for an off-site document storage solution. If, after the project is started, the agency has to request that the contractor enhance event logging to include all password-related actions and add storage for one year, and also has to request at-res…

Just Dropped: CJIS Security Policy 5.6

It just dropped and it's hot! The CJIS Security Policy, version 5.6 just came out:

Okay, maybe I'm over-hyping it. There really isn't much in the way of policy changes; the revisions are mostly clarifications and guidance that make the policy easier to use and understand.

Here's what's different:

Authenticators (section 5.6.2.1)
This section now lists hard or soft tokens and one-time passwords as examples of authenticators.

Encryption (section 5.10.1.2)
Three new subsections are added, clarifying the encryption requirements. Instead of treating the use of FIPS 197 for CJI at rest as an exception, the standards for CJI at rest now appear in their own section. PKI rules were also moved to their own section. The result is a much more readable standard.

Not new, but noteworthy:
One thing of note to LASOs is the password requirements for CJI at rest. This is not new, just something that has been placed in a more prominent area in this version of the…

When does the CJIS security policy apply to Criminal Justice and Non-Criminal Justice Information Systems?

One of the challenges of working with information systems at criminal justice agencies is determining when the CJIS Security Policy applies. There are many occasions where agencies have questions about whether the CJIS Security Policy applies to a new project or system, and how or why it applies.

One Simple Rule
Any system that contains Criminal Justice Information (CJI) from CCIC, NCIC or Nlets is covered by the CJIS Security Policy. CJI can include data from NCIC, CCIC and Nlets, as well as criminal history information from the FBI or any state.

...and therefore, the CJIS security policy applies.

The Minimum Standards
How far does information have to be pared down to be excluded from the CJIS Security Policy? Anything more than a numeric identifier can be considered CJI. Identifiers of property or of records, if they appear without personally identifying information, are not considered CJI. As soon as personal identifiers are added, it's CJI. Additionally, any informa…

Information Exchange Agreements: When and How
