Posts

Procurement, Purchasing, Contracting - CJIS from the Start

Individuals working on procurement, purchasing and contracting of new information systems need to know when CJIS policy may apply to a new purchase of products or services. Because the CJIS Security Policy can add cost to these purchases, it is always better to address it as early as possible so that the project's costs are reasonable and expected. Trying to add it as an additional requirement after contracts are signed can lead to increased costs and potentially to failure of the project.

CJIS Policy can impact Cost
The main cost drivers in the CJIS Security Policy are technical controls for IT projects, and personnel controls for both IT and other projects. Let's say the agency has quoted and contracted for an off-site document storage solution. If, after the project is started, the agency has to request that the contractor enhance event logging to include all password-related actions and add storage for one year, and also has to request at-res…

Just Dropped: CJIS Security Policy 5.6

It just dropped and it's hot! The CJIS Security Policy, version 5.6 just came out:

Okay, maybe I'm over-hyping it. There really isn't much in the way of policy changes; the revisions to the policy are mostly clarifications and guidance which make it easier to use and understand.
Here's what's different:
Authenticators (section 5.6.2.1)
This section now lists hard or soft tokens and one-time passwords as examples of authenticators.
Encryption (section 5.10.1.2)
Three new subsections are added, clarifying encryption requirements. Instead of treating the use of FIPS 197 for CJI at rest as an exception, the standards for CJI at rest now appear as their own section. PKI rules were also moved to their own section. The result is a much more readable standard.
Not new, but noteworthy:
One thing of note to LASOs is the password requirements for CJI at rest. Although this is not new, just something that has been placed in a more prominent area in this version of the…

When does the CJIS security policy apply to Criminal Justice and Non-Criminal Justice Information Systems?

One of the challenges of working with information systems at criminal justice agencies is determining when the CJIS Security Policy applies. There are many occasions where agencies have questions about whether the CJIS Security Policy applies to a new project or system and how or why it applies.
One Simple Rule
Any system that contains Criminal Justice Information (CJI) from CCIC, NCIC or Nlets is covered by the CJIS Security Policy. CJI can include data from NCIC, CCIC and Nlets, as well as criminal history information from the FBI or any state.

...and therefore, the CJIS security policy applies.

The Minimum Standards
How far does information have to be pared down to be excluded from the CJIS Security Policy? Anything more than a numeric identifier can be considered CJI. Identifiers of property or of records, if they appear without personally identifying information, are not considered CJI. As soon as personal identifiers are added, it's CJI. Additionally, any informa…

Information Exchange Agreements: When and How
