CJIS Security Policy v5.4 Changes

CJIS Security Policy v5.4 Changes
KCJIS Conference, June 8 – 9, 2015
Jeff Campbell, FBI CJIS Assistant ISO

CJIS ADVISORY PROCESS

What is the CJIS Advisory Process? The Advisory Process is the mechanism by which the FBI Director receives advice and guidance on the operation of the CJIS systems. It is a shared management approach to the protection of CJI. The APB is chartered under the Federal Advisory Committee Act (FACA), and the charter is renewed every 2 years. The APB was first chartered in 1994 as a combination of the existing National Crime Information Center (NCIC) APB and the Uniform Crime Report (UCR) APB.

The process is composed of three main components:
- 5 Working Groups: Southern, Western, North Central, Northeastern, Federal
- 9 Subcommittees (Ad Hoc Subcommittees): Bylaws, Crisis Management, Identification Services, N-DEx, NCIC, Executive, Compliance Evaluation, Security and Access (SA), UCR
- Advisory Policy Board (APB)

CJIS ADVISORY PROCESS: flow of a proposal

1. An idea is born ... and is sent to the state's CSO ...
2. ... who evaluates it and forwards it to the Working Group Chairman ...
3. ... who forwards it to the FBI's CJIS Division DFO ...
4. ... who directs it to the proper CJIS unit for research and development.
5. If deemed feasible, CJIS writes a staff paper and forwards it to the Working Groups for consideration.
6. After deliberation, the Working Groups make a recommendation, which is forwarded to the Subcommittee ...
7. ... which sends its recommendation to the Board.
8. The APB's recommendation is forwarded to the FBI Director for approval and implementation by CJIS.

CJIS SECURITY POLICY

The CJIS Security Policy sets the minimum requirements for the protection of criminal justice information (CJI). It is on an annual release cycle: the current version is 5.3, dated 8/4/2014, and version 5.4 is in coordination. A new version is usually released in the July/August time frame. Each new version incorporates the changes approved by the APB in the previous year's spring and fall meeting cycles, plus administrative changes.

SIGNIFICANT CHANGES FOR v5.4: Risk-based Approach to Compliance with the CJIS Security Policy

Executive Summary: "The Policy empowers CSAs with the insight and ability to tune their security programs according to their risks, needs, budgets, and resource constraints while remaining compliant with the baseline level of security set forth in this Policy."

Section 2.3 Risk Versus Realism: "Each agency faces risk unique to that agency. It is quite possible that several agencies could encounter the same type of risk however depending on resources would mitigate that risk differently. In that light, a risk-based approach can be used when implementing requirements."

SIGNIFICANT CHANGES FOR v5.4: Section 5.5.6 Remote Access

The documentation requirement for remote access to privileged functions changes from why (the rationale) to how (the technical and administrative process):

Previous text: "The agency may permit remote access for privileged functions only for compelling operational needs but shall document the rationale for such access in the security plan for the information system."

v5.4 text: "The agency may permit remote access for privileged functions only for compelling operational needs but shall document the technical and administrative process enabling remote access for privileged functions in the security plan for the information system."

Virtual escorting for privileged functions is also added to Section 5.5.6.

SIGNIFICANT CHANGES FOR v5.4: Virtual Escorting for Privileged Functions

A virtually escorted session must meet ALL of these conditions:
- The session shall be monitored at all times by an authorized escort.
- The escort shall be familiar with the system/area where the work is being performed.
- The escort shall have the ability to terminate the session at any time.
- The remote connection shall be encrypted using FIPS 140-2 certified encryption.
- Remote administrative personnel shall be identified prior to access and authenticated prior to or during the session.

SIGNIFICANT CHANGES FOR v5.4: Section 5.6.2.2 Advanced Authentication

Clarify the types of certificates: "Advanced Authentication (AA) provides for additional security to the typical user identification and authentication of login ID and password, such as: biometric systems, user-based digital certificates (e.g. public key infrastructure (PKI)), smart cards, software tokens, hardware tokens, ..."

When user-based certificates are used for authentication purposes, they shall:
1. Be specific to an individual user and not to a particular device.
2. Prohibit multiple users from utilizing the same certificate.
3. Require the user to "activate" that certificate for each use in some manner (e.g. passphrase or user-specific PIN).
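A worked check for the user-versus-device distinction, added here as an example in Go; it is not part of the presentation and is not FBI CJIS code. It issues a constructed CA, one user certificate and one machine certificate (the CA name, the user, the host name and the e-mail address are all made up), then classifies each by what the certificate binds its key to and reports whether it can satisfy condition 1 above. The example treats an rfc822Name SAN as the individual's identity and does not parse the UPN otherName form that many smart-card deployments use; the no-sharing and PIN-activation conditions are enforced at enrollment and by the token, so no inspection of the certificate can confirm them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func hasEKU(c *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, eku := range c.ExtKeyUsage {
		if eku == want {
			return true
		}
	}
	return false
}

// Classify applies the 5.6.2.2 / Appendix A distinction from what the certificate
// binds its key to: anything naming a host (dNSName/iPAddress SAN) or usable for
// server authentication is device-based even when it also carries clientAuth, as
// 802.1X and VPN machine certificates do. A user-based certificate names an
// individual (rfc822Name SAN here; UPN otherName is not parsed) and has clientAuth.
func Classify(c *x509.Certificate) string {
	if len(c.DNSNames) > 0 || len(c.IPAddresses) > 0 || hasEKU(c, x509.ExtKeyUsageServerAuth) {
		return "device-based"
	}
	if len(c.EmailAddresses) > 0 && hasEKU(c, x509.ExtKeyUsageClientAuth) {
		return "user-based"
	}
	return "unknown"
}

// EligibleForAA is condition 1 of 5.6.2.2 (specific to one individual, not a
// device). Conditions 2 and 3 (no sharing, PIN/passphrase activation for each use)
// are enrollment and token properties and cannot be read from the certificate.
func EligibleForAA(c *x509.Certificate) bool {
	return Classify(c) == "user-based" && len(c.EmailAddresses) == 1
}

func newTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}

// issue signs tmpl with parentKey, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildSamples issues a constructed CA, one user certificate and one machine
// certificate; every name and address is made up for this example.
func BuildSamples() (user, device *x509.Certificate, err error) {
	ca := newTemplate("Example Agency Issuing CA", 1)
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	caCert, caKey, err := issue(ca, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	u := newTemplate("Jane Doe", 2)
	u.EmailAddresses = []string{"jane.doe@agency.example"}
	u.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	d := newTemplate("mdt-unit-12", 3) // clientAuth only, yet bound to a host name
	d.DNSNames = []string{"mdt-unit-12.agency.example"}
	d.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	if user, _, err = issue(u, caCert, caKey); err != nil {
		return nil, nil, err
	}
	if device, _, err = issue(d, caCert, caKey); err != nil {
		return nil, nil, err
	}
	return user, device, nil
}

func main() {
	user, device, err := BuildSamples()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{user, device} {
		fmt.Printf("%-12s %-12s AA eligible: %v\n", c.Subject.CommonName, Classify(c), EligibleForAA(c))
	}
}
```

Running it prints one line per certificate. The machine certificate is reported as device-based even though its only EKU is clientAuth; a certificate of that shape is the one most likely to be mistaken for a user certificate when AA is audited, because the EKU alone looks right.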

SIGNIFICANT CHANGES FOR v5.4: Standardize Terminology within the Policy

"Criminal Justice Conveyance" replaces the following terms:
- Section 5.5.5 Session Lock: "police vehicle"
- Section 5.6 Identification and Authentication: "law enforcement conveyance"
- Section 5.6.2.2.1 Advanced Authentication Policy and Rationale, Interim Compliance: "police vehicle"
- Section 5.6.2.2.2(5) Advanced Authentication Decision Tree: "law enforcement conveyance"
- Section 5.9.1 Physically Secure Location: "police vehicle"
- Appendix A, Physically Secure Location: "police vehicle"

"Criminal Justice Professional" replaces the following terms:
- Section 5.2 Security Awareness Training, Figure 4: "law-enforcement officers"
- Section 5.6.2.2.1 Advanced Authentication Policy and Rationale, Interim Compliance: "police officer"
- Section 5.9 Physical Security, Figure 13: "dispatch, officers, and detectives"
- Section 5.13.1.2 Cellular: "law enforcement officer"

SIGNIFICANT CHANGES FOR v5.4: Section 5.10.1.2(2) Encryption Exception

"2. When CJI is transmitted outside the boundary of a physically secure location, the data shall be immediately protected via cryptographic mechanisms (encryption).

EXCEPTIONS:

b) Encryption shall not be required if the transmission medium meets all of the following requirements:
- The agency owns, operates, manages, or protects the medium.
- Medium terminates within physically secure locations at both ends with no interconnections between.
- Physical access to the medium is controlled by the agency using the requirements in Sections 5.9.1 and 5.12.
- Protection includes safeguards (e.g., acoustic, electric, electromagnetic, and physical) and if feasible countermeasures (e.g., alarms, notifications) to permit its use for the transmission of unencrypted information through an area of lesser classification or control.
- With prior approval of the CSO."

SIGNIFICANT CHANGES FOR v5.4: Section 5.10.1.2(2) Encryption Exception, Examples

- A campus is completely owned and controlled by a criminal justice agency (CJA): if line-of-sight between buildings exists where a cable is buried, encryption is not required.
- A multi-story building is completely owned and controlled by a CJA: if floors are physically secure or cable runs through non-secure areas are protected, encryption is not required.
- A multi-story building is occupied by a mix of CJAs and non-CJAs: if floors are physically secure or cable runs through the non-secure areas are protected, encryption is not required.

SIGNIFICANT CHANGES FOR v5.4: Campuses that meet the intent of the encryption exception (photos)

- Thomson Correctional Center, Thomson, IL: the 1,600-cell facility was built in 2001 as a state prison with the potential to house maximum-security inmates; it now houses about 200 minimum-security inmates.
- Alcatraz
- Virginia State Police HQ, Richmond, VA
- Randolph Air Force Base, Universal City, TX

SIGNIFICANT CHANGES FOR v5.4: Campuses that do not qualify (photos)

- Boise State University (represents any college/university campus)
- Two county facilities separated by about 1 mile of uncontrolled city area: even if there is line of sight, there is no controlled campus.

SIGNIFICANT CHANGES FOR v5.4: Section 5.10.3.2 Virtualization

Virtualization refers to a methodology of dividing the resources of a computer (hardware and software) into multiple execution environments. Virtualized environments are authorized for criminal justice and noncriminal justice activities. In addition to the security controls described in this Policy, the following additional controls shall be implemented in a virtual environment:
1. Isolate the host from the virtual machine. In other words, virtual machine users cannot access host files, firmware, etc.
2. Maintain audit logs for all virtual machines and hosts and store the logs outside the hosts' virtual environment.
3. Virtual Machines that are Internet facing (web servers, portal servers, etc.) shall be physically separate from Virtual Machines (VMs) that process CJI internally or be separated by a virtual firewall.
4. Device drivers that are "critical" shall be contained within a separate guest.

Drivers that serve critical functions shall be stored within the specific VM they service; in other words, do not store these drivers within the hypervisor, or host operating system, for sharing. Each VM is to be treated as an independent system, secured as independently as possible.

SIGNIFICANT CHANGES FOR v5.4: Section 5.10.3.2 Virtualization (continued)

The following additional technical security controls shall be applied in virtual environments where CJI is comingled with non-CJI:
1. Encrypt CJI when stored in a virtualized environment where CJI is comingled with non-CJI, or segregate and store unencrypted CJI within its own secure VM.
2. Encrypt network traffic within the virtual environment.

The following are additional technical security control best practices and should be implemented wherever feasible:
1. Encrypt network traffic between the virtual machine and host.
2. Implement IDS and/or IPS monitoring within the virtual machine environment.
3. Virtually or physically firewall each VM within the virtual environment to ensure that only allowed protocols will transact. (This replaces the previous wording "Virtually or physically firewall each virtual machine from each other (or physically firewall each virtual machine from each other with an application layer firewall)".)
4. Segregate the administrative duties for the host.

SIGNIFICANT CHANGES FOR v5.4: Appendix A Terms and Definitions: NEW

- Certificate Authority (CA) Certificate: Digital certificates required for certificate-based authentication that are issued to tell the client computers and servers that it can trust other certificates that are issued by this CA.
- Logical Partitioning: When the host operating system, or hypervisor, allows multiple guest operating systems to share the same physical resources.
- Partitioning: Managing guest operating system, or virtual machine, access to hardware so that each guest OS can access its own resources but cannot encroach on the other guest operating systems' resources or any resources not allocated for virtualization use.
- Physical Partitioning: When the host operating system, or hypervisor, assigns separate physical resources to each guest operating system, or virtual machine.
- Server/Client Computer Certificate (device-based): Digital certificates that are issued to servers, client computers or devices by a CA and used to prove device identity between server and/or client computer devices during the authentication process.
- User Certificate (user-based): Digital certificates that are unique and issued to individuals by a CA. Though not always required to do so, these specific certificates are often embedded on smart cards or other external devices as a means of distribution to specified users. This certificate is used when individuals need to prove their identity during the authentication process.
- Virtual Escort: Authorized personnel who actively monitor a remote maintenance session on Criminal Justice Information (CJI)-processing systems. The escort must have the ability to end the session at any time deemed necessary to ensure the protection and integrity of CJI at all times.
- Virtual Machine (VM): See Guest Operating System.

"If you have specific questions concerning any one of these new definitions, please catch me on break."

SIGNIFICANT CHANGES FOR v5.4: Appendix A Terms and Definitions: MODIFIED

- Criminal Justice Conveyance: "A criminal justice conveyance is any enclosed mobile vehicle used for the purposes of criminal justice activities with the capability to comply, during operational periods, with the requirements of Section 5.9.1.3." Section 5.9.1.3 is Physical Access Control: "The agency shall control all physical access points (except for those areas within the facility officially designated as publicly accessible) and shall verify individual access authorization before granting access."
- Guest Operating System: "An operating system that has emulated hardware presented to it by a host operating system. Also referred to as the virtual machine (VM)." (Previously "also referred to as the virtualized operating system".)
- Host Operating System: "In the context of virtualization, the operating system that interfaces with the actual physical hardware and arbitrates between it and the guest operating systems. It is also referred to as a hypervisor."

"If you have specific questions concerning any one of these modified definitions, please catch me on break."

SIGNIFICANT CHANGES FOR v5.4: Appendix A Terms and Definitions: MODIFIED (continued)

State of Residency: "A state of residency is the state in which an individual claims and can provide documented evidence as proof of being his/her permanent living domicile. CJIS Systems Officers have the latitude to determine what documentation constitutes acceptable proof of residency. Examples of acceptable documented evidence permitted to confirm an individual's state of residence are: driver's license, state or employer issued ID card, voter registration card, proof of an address (such as a utility bill with one's name and address as the payee), passport, professional or business license, and/or insurance (medical/dental) card."

Change: the list of examples is removed, and the CSO determines what constitutes acceptable proof of residency.

SIGNIFICANT CHANGES FOR v5.4: Appendix J Noncriminal Justice Agency Supplemental Guidance

Updated from 2 pages to 10, with an expanded explanation of Policy sections and use cases.

"This appendix is not intended to be used in lieu of the CJIS Security Policy (CSP) but rather should be used as supplemental guidance specifically for those Noncriminal Justice Agencies (NCJA) with access to Criminal Justice Information (CJI) as authorized by legislative enactment or federal executive order to request civil fingerprint-based background checks for licensing, employment, or other noncriminal justice purposes, via their State Identification Bureau (SIB) and/or Channeling agency. Examples of the target audience for the Appendix J supplemental guidance include school boards, banks, medical boards, gaming commissions, alcohol and tobacco control boards, social services agencies, pharmacy boards, etc."

Appendix J is still just supplemental guidance: it contains no requirements and is not auditable.

SIGNIFICANT CHANGES FOR v5.4: Administrative Changes

- Section 5.6.2.2.1 Advanced Authentication Policy and Rationale: remove the "INTERIM COMPLIANCE" item "1. Internet Protocol Security (IPSec) does not meet the 2011 requirements for advanced authentication; however, agencies that have funded/implemented IPSec in order to meet the AA requirements of CJIS Security Policy v.4.5 may continue to utilize IPSec for AA until September 30, 2014." That interim allowance has expired; IPSec remains acceptable for encryption as long as it meets the encryption requirements of either FIPS 140-2 or FIPS 197 (AES 256).
- Update terminology: LEO changes to LEEP (Law Enforcement Enterprise Portal).

TOPICS IN SPRING APB
- Evaluation of Appendix K
- Administrator Accounts for Least Privilege
- Assigning Tier Numbers to CJIS Security Policy Requirements
- Security Awareness Training Requirements
- Clarification of Out-of-Band Authentication
- CSO Delegation Authorizing Personnel Screening Requirement
- CSA Auditing of Vendor Facilities

UPCOMING TOPICS FOR FALL APB
- Security Incident Reporting and Incident Response Form
- Mobile Security Task Force Change Recommendations for Section 5.13
- Faxing Requirements in the CJIS Security Policy
- Clarifying Personnel Background Check Requirement for Noncriminal Justice Agencies
- Noncriminal Justice Agencies and the Security Addendum

ISO RESOURCES: CJIS Security Policy Resource Center

Publicly available: http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view

Features:
- Search and download the CSP
- Download the CSP Requirements and Tiering Document
- Use Cases (Advanced Authentication, and others to follow)
- Cloud Computing Report & Cloud Report Control Catalog
- Mobile Appendix
- Submit a Question (questions are forwarded to the CJIS ISO Program)
- Links of importance

Contact: iso@ic.fbi.gov

ISO RESOURCES: finding the CJIS Security Policy Resource Center on fbi.gov (http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view)

Step 1: Select "About Us".
Step 2: Select "Criminal Justice Information Services".
Step 3: Select "Security Policy Resource Center" (listed under OTHER PROGRAMS).

Contact: iso@leo.gov

ISO RESOURCES: CJIS Information Security Office LEEP SIG

- MySIGs are listed on the LEEP page for quick access; the SIG home page lets you browse all SIGs.
- Expand Access Type and click on UNRESTRICTED.
- Click the CJIS-ISO logo to go to the SIG.
- From the SIG, click to add the CJIS ISO SIG to MySIGs.
- Open the Forums, then the CJIS ISO Forum.

CJIS ISO CONTACT INFORMATION

- George White, CJIS ISO, (304) 625-5849, george.white@ic.fbi.gov
- Jeff Campbell, CJIS Assistant ISO, CJIS Information Assurance Unit, (304) 625-4961, jeffrey.campbell@ic.fbi.gov
- Steve Exley, Sr. Consultant/Technical Analyst, (304) 625-2670, stephen.exley@ic.fbi.gov
- Group mailbox: iso@ic.fbi.gov

QUESTIONS?