When does the CJIS security policy apply to Criminal Justice and Non-Criminal Justice Information Systems?

One of the challenges of working with information systems at criminal justice agencies is determining when the CJIS security policy applies. There are many occasions where agencies have questions about whether the CJIS security policy applies to a new project or system and how or why it applies.

One Simple Rule

Any system that contains Criminal Justice Information (CJI) from CCIC, NCIC or Nlets is covered by the CJIS Security Policy.  CJI can include data from NCIC, CCIC, Nlets, as well as criminal history information from the FBI or any state.

...and therefore, the CJIS security policy applies.

The Minimum Standards

How far does information have to be pared down to be excluded from the CJIS Security Policy? Anything more than a numeric identifier can be considered CJI. Identifiers of property or of records, if they appear without personally identifying information, are not considered CJI. As soon as personal identifiers are added, it's CJI. Additionally, any information regarding criminal history is CJI and requires CJIS protection.

Here are some examples:
  1. License Plate: 111-ZZZ, Record: V00000
  2. License Plate: 111-ZZZ, Owner: Bob Person
  3. Name: Bob Person Warrant: W00000
  4. Warrant: W00000
  5. Name: Bob Person Criminal History? Yes
Examples 1 and 4 are not CJI. Numbers 2, 3 and 5 are. However, it is best to protect any system containing any information that could be CJI as CJI. That way, if a new process begins placing CJI in a system that previously contained only the information shown in examples 1 or 4, the agency isn't faced with a scramble to meet CJIS standards.

"Direct Access"

If an information system connects to CCIC, the CJIS Security Policy applies in full. That means, if users can log onto the system and run queries of CJI (this includes CJIS data from CCIC, NCIC, N-DEx or Nlets, DMV data from other states, and administrative messaging), then it is considered a system with “Direct Access” and the standards listed in all thirteen sections of chapter five of the CJIS security policy must be met.

“Indirect access”

Some information systems contain CJIS data, but in a static format. This can be PDFs or cut-and-paste information taken from a direct access system. A user logging onto one of these systems can only view data retrieved by themselves or another person; they cannot search a CJIS system from this system. In this case, the entirety of the CJIS security policy applies except for the advanced authentication requirement in section 5.6.2.2. Please note: this doesn’t exclude the mobile computing standards in section 5.13! You still need Mobile Device Management, controls on wireless access points, etc.

A Tale of Two Law Enforcement Agencies

Big City Police Department has a Records Management System (RMS) which connects directly to CCIC. Users of the system can use the direct access system to obtain CJI while writing their case reports. The system then stores the CJIS responses the user selects as part of the case report.
Little City Police Department has a Records Management System (RMS) which is not connected directly to CCIC. Users of the system must go to another application to obtain CJI while writing their case reports. The system does, however, allow the user to store copies of CCIC responses the user uploads as part of the case report.
Big City’s RMS requires advanced authentication; Little City’s RMS does not. Why? Both systems contain CJI. Currently, the CJIS security policy requires advanced authentication to protect downstream systems which allow live queries. The impact of a data breach – while still significant – is limited in the system without direct access. However, the CBI recommends using advanced authentication for any remote access to information systems storing CJI, whether direct or indirect, if budget allows.
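As an added example (not code from the CBI or from this post), the following Python script encodes the minimum-standards rule from the examples above and the direct/indirect distinction, so an IT department can run it over a description of a planned system and see which controls it falls under. The field names in PERSONAL_FIELDS and CRIMINAL_HISTORY_FIELDS, and the sample records, are assumptions constructed for this example.

```python
# Assumed field names that identify a person; extend to fit your own schema.
PERSONAL_FIELDS = {"name", "owner", "dob", "ssn", "driver_license"}
# Assumed field names that carry criminal history information.
CRIMINAL_HISTORY_FIELDS = {"criminal_history", "rap_sheet", "arrest", "conviction"}


def is_cji(record: dict) -> bool:
    """True if this record is CJI under the post's minimum standard:
    criminal history is always CJI; otherwise an identifier (plate, record
    number, warrant number) only becomes CJI once a personal identifier
    is attached to it."""
    keys = {k.lower() for k in record}
    if keys & CRIMINAL_HISTORY_FIELDS:
        return True
    return bool(keys & PERSONAL_FIELDS)


def system_requirements(records, live_queries: bool) -> dict:
    """Summarise which CJIS Security Policy controls a system storing
    `records` must meet, given whether users can run live CJI queries."""
    if not any(is_cji(r) for r in records):
        return {"cjis_applies": False, "access": "none",
                "advanced_auth_5_6_2_2": False, "mobile_5_13": False}
    return {
        "cjis_applies": True,
        "access": "direct" if live_queries else "indirect",
        # 5.6.2.2 (advanced authentication) is required only for
        # direct-access systems, i.e. those that allow live queries.
        "advanced_auth_5_6_2_2": live_queries,
        # 5.13 (mobile) applies to any system holding CJI, direct or indirect.
        "mobile_5_13": True,
    }


# Constructed sample records mirroring examples 1-5 in the post.
EXAMPLES = [
    {"license_plate": "111-ZZZ", "record": "V00000"},     # 1: not CJI
    {"license_plate": "111-ZZZ", "owner": "Bob Person"},  # 2: CJI
    {"name": "Bob Person", "warrant": "W00000"},          # 3: CJI
    {"warrant": "W00000"},                                # 4: not CJI
    {"name": "Bob Person", "criminal_history": "Yes"},    # 5: CJI
]

if __name__ == "__main__":
    for i, rec in enumerate(EXAMPLES, 1):
        print(i, "CJI" if is_cji(rec) else "not CJI")
    print("Big City RMS:   ", system_requirements(EXAMPLES, live_queries=True))
    print("Little City RMS:", system_requirements(EXAMPLES, live_queries=False))
```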

Civil Licensing and Background Check Data

Most governmental IT departments serve both Criminal Justice Agencies retrieving CJI from CCIC and NCIC, and Non-Criminal Justice Agencies (NCJAs) receiving criminal histories for background or licensing purposes authorized under state and federal law. In the quest to secure CJI, these agencies should not be forgotten. They can include a number of human service and licensing agencies of state, county and local government.
Agencies who submit fingerprints to CBI and FBI for background checks for civil purposes should also be aware that the information they receive is CJI and is to be protected pursuant to the CJIS security policy. This type of access through CBI meets the FBI definition of indirect access; therefore, advanced authentication standards do not apply. There are other areas where the CJIS security policy may require adaptation; please review the CJIS Security Policy Appendix J: Noncriminal Justice Agency Supplemental Guidance for further guidance. For NCJAs using a contractor for storage or transmission of data, also review the Outsourcing Standard for Non-Channelers here: https://www.fbi.gov/file-repository/security-and-management-control-outsourcing-standard-for-non-channelers-2.pdf/view.

What’s a Channeler?

A Channeler is a contractor who can request civil fingerprint-based background checks on behalf of an NCJA. So, essentially, while a non-channeler may assist in storage and handling of CJI, the Channeler can initiate the process or may perform the function start-to-finish. If you’re reading this from a law enforcement perspective, know that this doesn’t apply to your agency; you have Private Contractors for all instances.

What Does This Mean to Me?

Individuals making security decisions for governmental agencies who receive any type of data from CBI should be aware that the CJIS security policy does apply to some of their information systems. The CBI recommends criminal justice agencies use the CJIS security policy as a departmental standard to ensure that any physical or virtual location where the agency stores data that could contain CJI is protected.

For Non-Criminal Justice Agencies, the CBI recommends licensing and background check data be isolated to specific systems or areas, and to specific individuals. While a law enforcement agency uses CJI in most operations, and so has the potential to store CJI in any information system, NCJAs have CJI as a subset of their business information and typically perform the majority of their business without CJI. By matching the limited scope of their CJI use with a limited CJI storage area or system, an NCJA can balance the cost of CJIS security with the benefit of protecting the information.

Additional CJIS Questions? cdps.cbi.laso@state.co.us
