Criminal Justice Information Services (CJIS) …

U.S. Department of Justice
Federal Bureau of Investigation
Criminal Justice Information Services Division

Criminal Justice Information Services (CJIS) Security Policy
Version 08/16/2018

Prepared by: CJIS Information Security Officer
Approved by: CJIS Advisory Policy Board

EXECUTIVE SUMMARY

Law enforcement needs timely and secure access to services that provide data wherever and whenever for stopping and reducing crime. In response to these needs, the Advisory Policy Board (APB) recommended to the Federal Bureau of Investigation (FBI) that the Criminal Justice Information Services (CJIS) Division authorize the expansion of the existing security management structure in 1998. Administered through a shared management philosophy, the CJIS Security Policy contains information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI).


The Federal Information Security Management Act of 2002 provides further legal basis for the APB approved management, operational, and technical security requirements mandated to protect CJI and by extension the hardware, software and infrastructure required to enable the services provided by the criminal justice community. The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. This Policy applies to every individual contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity with access to, or who operate in support of, criminal justice services and information.

The CJIS Security Policy integrates presidential directives, federal laws, FBI directives and the criminal justice community's APB decisions along with nationally recognized guidance from the National Institute of Standards and Technology. The Policy is presented at both strategic and tactical levels and is periodically updated to reflect the security requirements of evolving business models. The Policy features modular sections enabling more frequent updates to address emerging threats and new security measures. The provided security criteria assists agencies with designing and implementing systems to meet a uniform level of risk and security protection while enabling agencies the latitude to institute more stringent security requirements and controls based on their business model and local needs. The CJIS Security Policy strengthens the partnership between the FBI and CJIS Systems Agencies (CSA), including, in those states with separate authorities, the State Identification Bureaus (SIB).

Further, as use of criminal history record information for noncriminal justice purposes continues to expand, the CJIS Security Policy becomes increasingly important in guiding the National Crime Prevention and Privacy Compact Council and State Compact Officers in the secure exchange of criminal justice records. The Policy describes the vision and captures the security concepts that set the policies, protections, roles, and responsibilities with minimal impact from changes in technology. The Policy empowers CSAs with the insight and ability to tune their security programs according to their risks, needs, budgets, and resource constraints while remaining compliant with the baseline level of security set forth in this Policy. The CJIS Security Policy provides a secure framework of laws, standards, and elements of published and vetted policies for accomplishing the mission across the broad spectrum of the criminal justice and noncriminal justice communities.

CHANGE MANAGEMENT

| Revision | Change Description | Created/Changed by | Date | Approved By |
|---|---|---|---|---|
| 5 | Policy Rewrite | Security Policy Working Group | 2/9/2011 | See Signature Page |
| | Incorporate Calendar Year 2011 APB approved changes and administrative changes | CJIS ISO Program Office | 7/13/2012 | APB & Compact Council |
| | Incorporate Calendar Year 2012 APB approved changes and administrative changes | CJIS ISO Program Office | 8/9/2013 | APB & Compact Council |
| | Incorporate Calendar Year 2013 APB approved changes and administrative changes | CJIS ISO Program Office | 8/4/2014 | APB & Compact Council |
| | Incorporate Calendar Year 2014 APB approved changes and administrative changes | CJIS ISO Program Office | 10/6/2015 | APB & Compact Council |
| | Incorporate Calendar Year 2015 APB approved changes and administrative changes | CJIS ISO Program Office | 6/1/2016 | APB & Compact Council |
| | Incorporate Calendar Year 2016 APB approved changes and administrative changes | CJIS ISO Program Office | 6/5/2017 | APB & Compact Council |
| | Incorporate Calendar Year 2017 APB approved changes and administrative changes | CJIS ISO Program Office | 08/16/2018 | APB & Compact Council |

SUMMARY OF CHANGES

Version

APB Approved Changes

1. Section Cloud Computing: add language concerning data storage in cloud environments, Fall 2017, APB#17, SA#2, CJIS Security Policy Restriction for Criminal Justice Information Stored in Offshore Cloud Computing Facilities.
2. Section Cloud Computing: add language concerning authorized uses of metadata, Spring 2017, APB#16, SA#10, Collection and Use of Metadata by Cloud Service Providers.
3. Section Personnel Screening for Contractors and Vendors: add language allowing CSO delegation of duties, Spring 2017, APB#16, SA#7, CJIS Systems Officer Delegation Authorization of Personnel Screening Requirements for Contractors and Vendors.
4. Section Personnel Security Policy and Procedures: rename section to Personnel Screening Requirements for Individuals Requiring Unescorted Access to Unencrypted CJI and combine previous Sections and into the single section, Fall 2017, APB#17, SA#1, CJIS Security Policy Language Changes in Section
5. Appendix A Terms and Definitions: add definition of "Metadata", Spring 2017, APB#16, SA#10, Collection and Use of Metadata by Cloud Service Providers.
6. Appendix B Acronyms: add "RCMP", "Royal Canadian Mounted Police", Fall 2017, APB#17, SA#2, CJIS Security Policy Restriction for Criminal Justice Information Stored in Offshore Cloud Computing Facilities.
7. Appendix J Noncriminal Justice Agency Supplemental Guidance: add language to clarify which personnel the requirements apply to and remove language referencing deleted language, Fall 2017, APB#17, SA#1, CJIS Security Policy Language Changes in Section

Administrative Changes [1]

1. Section , add bullet concerning References/Citations/Directives.
2. Section , change FNU to UCN.
3. Section , remove reference to DOJ Order 0904.
4. Section , remove reference to DOJ Order 0904.
5. Section , remove this section and all other like sections in each policy area ( , , , , , , , , , , ).
6. Section , add clarifying language to #4.
7. Section , change cross-reference in bullet #3.
8. Section , change bullet for consistency throughout policy.
9. Section , change bullet(s) for consistency throughout policy.
10. Section , change bullet(s) for consistency throughout policy.
11. Section , change bullet(s) for consistency throughout policy.
12. Section , change bullet(s) for consistency throughout policy.
13. Section , change bullet(s) for consistency throughout policy.
14. Section , change bullet(s) for consistency throughout policy.
15. Section , change bullet(s) for consistency throughout policy.
16. Appendix A, change FNU to UCN in definition of "Criminal Justice Information".
17. Appendix A, move W definitions to correct location alphabetically.
18. Appendix B, add acronym UCN.
19. Appendix F, update contact information on form.
20. Appendix , change word securities to security.
21. Appendix I, remove reference for DOJ Order 0904.
22. Appendix J, remove reference to DOJ Order 0904.

[1] Administrative changes are vetted through the Security and Access Subcommittee and not the entire APB process.

KEY TO APB APPROVED CHANGES ( Fall 2013, APB11, SA6, Future CSP for Mobile Devices ):

Fall 2013: Advisory Policy Board cycle and year
APB##: Advisory Policy Board Topic number
SA#: Security and Access Subcommittee Topic number
Topic Title

TABLE OF CONTENTS

Executive Summary
Change Management
Summary of Changes
Table of Contents
List of Figures
1 Introduction
  Purpose
  Scope
  Relationship to Local Security Policy and Other Policies
  Terminology Used in This Distribution of the CJIS Security Policy

2 CJIS Security Policy Approach
  CJIS Security Policy Vision Statement
  Architecture Independent
  Risk Versus Realism
3 Roles and Responsibilities
  Shared Management Philosophy
  Roles and Responsibilities for Agencies and Parties
  CJIS Systems Agencies (CSA)
  CJIS Systems Officer (CSO)
  Terminal Agency Coordinator (TAC)
  Criminal Justice Agency (CJA)
  Noncriminal Justice Agency (NCJA)
  Contracting Government Agency (CGA)
  Agency Coordinator (AC)
  CJIS Systems Agency Information Security Officer (CSA ISO)
  Local Agency Security Officer (LASO)
  FBI CJIS Division Information Security Officer (FBI CJIS ISO)
  Repository Manager
  Compact Officer
4 Criminal Justice Information and Personally Identifiable Information
  Criminal Justice Information (CJI)
  Criminal History Record Information (CHRI)


Related search queries