CJIS SECURITY POLICY v5.5 1 Hour presentation goal


1 CJIS SECURITY POLICY v5.5 1 Hour presentation goal
Highlight changes only – do not go into depth. Attempt to leave time for some discussion regarding upcoming focus areas and question period. Stephen “Doc” Petty, CJIS ISO - Texas

2 CJIS Security Policy version 5.5
TCJUIG Agenda:
- History of the CJIS Security Policy
- The Advisory Policy Board
- Policy Creation
- Highlight Policy Changes
- Areas of Focus: MDM / Mobile Devices, AA Compensating Controls, Cloud Services, Vendor Contact Changes
- Resources & Questions
Policy changes covered: Security Awareness, Incident Response, Audit Logs, Access Controls, Advanced Authentication, Encryption, Faxing

3 Policy Areas Section 1. Introduction
Section 2. CJIS Security Policy Approach
Section 3. Roles and Responsibilities
Section 4. Criminal Justice and PII
Section 5. Policy and Implementation
Appendix A-K: Various supporting information
We will focus on Section 5 of the Policy as it relates to security and implementation.

4 Shared Management Philosophy
The FBI employs a shared management philosophy across Federal, Local, State and Tribal Law Enforcement. A similar relationship exists with the Compact Council and State Identification Bureaus for noncriminal justice usage of criminal history records. The Advisory Process (the Board, subcommittees, and working groups) collaborates with the FBI CJIS Division to ensure that the CJIS Security Policy meets evolving business, technology, and security needs.
Speaker notes: Wrap a story around this; use the visitor log change as an example (white paper and recommendation), and use an APB topic paper as an example. 200 people had looked at this before changes. The FBI did not pass Amarillo; however, the overall message did result in a change to how sign-in sheets were being looked at.

5 CJIS SECURITY POLICY 5 Working Groups 9 Subcommittees 1 CJIS APB
Working Groups: five regional groups (approximately 30 members each)
Subcommittees: nine, topic specific, which include 18 Task Forces (subject matter experts)
Advisory Policy Board (APB): comprised of approximately 37 members

6 Security & Access Subcommittee
Representation (Chairman: TBA; Vice Chair: Joe Dominic, CA DOJ):
- TJ Smith, CA LASD
- Brenda Abaya, HI DPS
- Jim Slater, MA Dept. Crim. Justice
- Blaine Koops, MI County Sheriff
- Patrick Woods, MO HP
- Yosef Lehrman, NY NYPD
- Brad Truitt, TN
- Chris Kalina, WI DOJ
- Bill Phillips, AZ Nlets
- Charles Shaffer, FDLE
Map on slide: North Central, Northeastern, Western and Southern Working Groups; green states have representation within SA. Green states represent a large, diverse area of the United States, with representation from each working group on the committee. This group of individuals includes ISOs, CSOs, sworn law enforcement and technical experts. Note the retirement of Alan Ferretti.

7 The Advisory Policy Process
Two cycles annually:
- Topic Papers (discussion items submitted)
- Spring and Fall (APB meets)
- Working Groups, Subcommittees, Board
- FBI Director (approval and sign-off on Policy)
Speaker notes: APB meets twice yearly, once in summer and again in Fall, to discuss and vote on changes to be incorporated into the new version of the FBI CJIS Policy.

8 Published Policy Results
Results in established National Policy which is published annually in July / August Timeframe.

9 The Security Review Web Site (DPS)
Two sites we recommend for current and validated material.

10 CJIS Security Policy Resource Center (FBI)

11 Highlight Policy Changes

12 Security Awareness Training
- Required within six months of employment; biennially afterward
- It is the agency's responsibility to maintain CJIS Security Awareness training documentation
- Acceptance of training from another agency
- Awareness topics depend on level of access
- Current options: Omnixx, Security Awareness PDF & Online Security Awareness Training
Speaker notes: Required within six months, every two years, and documented. Current options are Omnixx, PDF & CJIS Online. The PDF is taken by Levels 1, 2 and 3 only; IT Level 4 is completed in CJIS Online.

13 POLICY CHANGES Security Awareness
What's New? Differing levels of training:
- Level 1: Personnel with unescorted access to secure areas
- Level 2: Personnel that have physical contact with CJI
- Level 3: Personnel that enter, query or modify CJI
- Level 4: Personnel with Information Technology roles
Speaker notes: These are the current levels; a 4th level was added. Spanish version available for Level 1 only. Expiration Report.

14 LOGIN TO THE CJIS ONLINE https://www.cjisonline.com
CJIS Online website: the TAC logs in as Local Agency Administrator. One account only; it is tied to the agency's ORI. Vendors can have multiple admin accounts.

15 Incident Response Plan
- Management of Incidents
- Incident Handling
- Collection of Evidence
- Incident Response Training
- Incident Monitoring

16 POLICY CHANGES 5.3: Incident Response
Significant change in the CJIS Security Policy: any incident involving criminal justice information (CJI) should be reported, whether physical or digital.
Speaker notes: This is significant and is largely due to lost hand-held devices continuing to be one of our agencies' biggest threats. Potentially compromised data is key. Attempt to clarify both physical and digital, hardcopies included, which may become compromised (e.g., a printed CCH taken out of a patrol vehicle while serving warrants). Also note changes in reporting needs for hand-held devices.

17 Incident Response
This form is used for reporting incidents within the State of Texas. It is the same form referred to within the FBI CJIS Policy; however, the contact names located at the bottom are specific to our state officials. Please use this form (available from our website), as the FBI representatives will refer you back to these contacts for reporting purposes and support.

18 Access Control

19 POLICY CHANGES 5.5: Access Control
Provides the following planning and implementation of mechanisms to protect access to CJI and the modification of the systems which process CJI:
- Account Management
- Access Enforcement
- Unsuccessful Login Attempts
- System Use Notification
- Session Lock
- Remote Access
- Personally Owned Information Systems (BYOD)
- No CJI from Publicly Accessible Computers
Speaker notes: These are the areas involving Access Control. Changes to this area are specific to Remote Access.

20 POLICY CHANGES 5.5: Access Control
A few significant changes in CJIS Security Policy v5.4:
- Document the rationale, technical and administrative process for enabling remote access for privileged functions
- Established parameters for permitting Virtual Escorting for Remote Access
Speaker notes: Highlight the need to address remote access to CJI. Virtual Escorting can be used for access to systems other than privileged functions as long as requirements are met.

21 Advanced Authentication
Continuing in the access control, highlight changes and clarifications regarding AA

22 Policy Area 6: Identification and Authentication
POLICY CHANGES Section Policy Area 6: Identification and Authentication. Clarification of Out-of-Band Authentication for AA.
Advanced Authentication (AA) provides additional security beyond the typical user identification and authentication of login ID and password, such as: biometric systems, user-based digital certificates (e.g., public key infrastructure (PKI)), smart cards, software tokens, hardware tokens, paper (inert) tokens, and out-of-band authenticators (retrieved via a separate communication service channel, e.g., an authenticator sent on demand via text message, phone call, etc.).
When user-based certificates are used for authentication purposes, they shall:
- Be specific to an individual user and not to a particular device.
- Prohibit multiple users from utilizing the same certificate.
- Require the user to "activate" that certificate for each use in some manner (e.g., passphrase or user-specific PIN).

23 Encryption Continuing in the access control, highlight changes and clarifications regarding AA

24 5.10 What's Changed? A few changes in CJIS Security Policy v5.4
- Encryption exemption for "campus-like scenarios"
- Changes to Virtualization: permits virtual segregation (must be within line of sight; request must be obtained through the CSO)
Speaker notes: Acknowledge and permit use of virtualized segmentation for specific cases. Must be within line of sight. The agency must control the fiber. The request must be obtained through the CSO.

25 Faxing

26 POLICY CHANGES Section Policy Area 10: System and Communications Protection and Information Integrity
Facsimile Transmission of CJI: CJI transmitted via facsimile from a single or multi-function device over a standard telephone line is exempt from encryption requirements. CJI transmitted external to a physically secure location using a facsimile server, application or service which implements -like technology shall meet the encryption requirements for CJI in transit as defined in Section 5.10.

27 POLICY CHANGES
"Hardwired": Encryption Not Required
"-like": Encryption Required

28 Mobile Devices
Speaker notes: Discuss MDM (Mobile Device Management) and the expanded use of smart phones and tablets within LE.

29 Policy Area 13: Mobile Devices Highlighted changes Include:
POLICY CHANGES Section 5.13 Policy Area 13: Mobile Devices. Highlighted changes include Wireless Device Risk Mitigations. Organizations shall, at a minimum, ensure that cellular wireless devices:
- Use advanced authentication or CSO-approved compensating controls as per Section
- Employ malicious code protection or run an MDM system that facilitates the ability to provide anti-malware services from the agency level
Speaker notes: Outlines the need for an MDM solution to meet compensating controls. Specific to AA compensation only.

30 Compensating Controls for AA
- Applies only to smartphones and tablets
- Possession of an agency-issued device is a required part of the control
- Additional requirements mostly met by MDM
- Compensating Controls are temporary
- CSO approval and support required
- Must meet the intent of the CJIS Security Policy AA requirement
- Must provide a similar level of protection or security as the original AA requirement
- Must not rely upon existing requirements for AA as compensating controls
Speaker notes: Highlight that this only applies to cell phones and tablets.

31 Submit email to security.committee@dps.texas.gov.
Include “Request for Compensating Controls” in subject line.

32 BYOD Personally Owned Information Systems
Not authorized to access CJI unless terms and conditions are specified. When personally owned mobile devices (i.e. bring your own device [BYOD]) are authorized, they shall be controlled in accordance with the requirements in Policy Area 13: Mobile Devices. Policy must be established along with control measures to meet CJIS Policy requirements. BYOD policies will be reviewed to ensure that requirements are met. BYOD agencies are not eligible for compensating controls and must meet AA requirement.

33 What's Coming in CJIS Policy?
Also have continuing mobile task force Stephen “Doc” Petty, CISSP, SSCP CJIS ISO - Texas

34 What's Coming in CJIS Policy?
Policy Section 5.13: The Mobile Security Task Force will continue to review areas for change and updates to the policy. A new Task Force is being established to focus on cloud services.
Speaker notes: Two task forces, one for cloud and one for mobile. Look for changes in Section 13 of the policy, dealing with mobile devices.

35 Mobile Device Management (MDM)

36 Section 5.13 5.13.2: Mobile Devices POLICY CHANGES
Mobile Device Management (MDM): MDM with centralized administration configured and implemented to perform at least the minimum:
- Remote locking of device
- Remote wiping of device
- Setting and locking device configuration
- Detection of "rooted" and "jailbroken" devices
- Enforcement of folder or disk level encryption
- Application of mandatory policy settings on the device
- Detection of unauthorized configurations

37 5.13.7.2.1: Mobile Devices Continued
POLICY CHANGES Section 5.13: Mobile Devices Continued
Mobile Device Management (MDM): MDM with centralized administration configured and implemented to perform at least the:
- Detection of unauthorized software or applications
- Ability to determine the location of agency-controlled devices
- Prevention of unpatched devices from accessing CJI or CJI systems
- Automatic device wiping after a specified number of failed access attempts
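The MDM minimums on slides 36 and 37, together with the compensating-control rules on slides 30 and 32, amount to a device-posture gate. The following is an added example written for this transcript, not code from the presentation, DPS or any MDM product: it applies those rules to constructed inventory records. The record field names and the two numeric thresholds are assumptions; the policy only says "a specified number" of failed attempts and does not define "unpatched".

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed agency thresholds (the policy leaves both numbers to the agency).
MAX_FAILED_ATTEMPTS = 10
MAX_PATCH_AGE_DAYS = 30

@dataclass
class DevicePosture:  # one MDM inventory record; field names are assumed
    device_id: str
    agency_owned: bool
    mdm_enrolled: bool
    rooted_or_jailbroken: bool
    disk_encrypted: bool
    last_patch: date
    failed_unlock_attempts: int
    unauthorized_apps: list[str] = field(default_factory=list)
    advanced_auth: bool = False
    cso_compensating_control: bool = False

def evaluate(dev: DevicePosture, today: date) -> tuple[str, list[str]]:
    """Return ("allow" | "deny" | "wipe", reasons) for a CJI access request."""
    if dev.failed_unlock_attempts >= MAX_FAILED_ATTEMPTS:
        return "wipe", ["failed access attempts reached the wipe threshold (5.13.7.2.1)"]
    reasons = []
    if not dev.mdm_enrolled:
        reasons.append("not under centralized MDM administration (5.13.2)")
    if dev.rooted_or_jailbroken:
        reasons.append("rooted/jailbroken device detected (5.13.2)")
    if not dev.disk_encrypted:
        reasons.append("folder/disk level encryption not enforced (5.13.2)")
    if (today - dev.last_patch).days > MAX_PATCH_AGE_DAYS:
        reasons.append("unpatched device blocked from CJI (5.13.7.2.1)")
    if dev.unauthorized_apps:
        reasons.append("unauthorized software: " + ", ".join(dev.unauthorized_apps))
    # AA, or CSO-approved compensating controls, which apply only to
    # agency-issued devices; BYOD must meet the AA requirement (slides 30, 32).
    if not (dev.advanced_auth or (dev.agency_owned and dev.cso_compensating_control)):
        reasons.append("no advanced authentication or eligible compensating control (5.13)")
    return ("deny" if reasons else "allow"), reasons

# Constructed sample inventory (not real devices); a real deployment would
# feed a "wipe" decision back to the MDM console.
SAMPLE_DAY = date(2016, 8, 1)
SAMPLE_DEVICES = {
    "tablet-01": DevicePosture("tablet-01", True, True, False, True, date(2016, 7, 20), 0, cso_compensating_control=True),
    "byod-02": DevicePosture("byod-02", False, True, False, True, date(2016, 7, 25), 0, cso_compensating_control=True),
    "phone-03": DevicePosture("phone-03", True, True, True, True, date(2016, 5, 1), 2, ["sideloaded-apk"], advanced_auth=True),
    "phone-04": DevicePosture("phone-04", True, True, False, True, date(2016, 7, 30), 10, advanced_auth=True),
}
```

The tablet-01 / byod-02 pair shows the slide 32 point directly: the same posture passes on an agency-issued device under a CSO-approved compensating control and fails on BYOD, where only AA itself is acceptable.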

38 What's Coming in CJIS Policy?
Policy Section 5.10: The Security and Access (SA) Subcommittee has established a Cloud Task Force to review all cloud-related topics, such as:
- Collection and Use of Metadata by Cloud Service Providers
- Security of CJIS Data Stored in Offshore Cloud Computing Facilities
- FedRAMP/Trustmark concept
Speaker notes: Look for changes within Section 10 of the policy dealing with cloud-specific issues and services. A task force is being established for this area, much like what was done to address mobile computing. Consider the used car concept here: one you rent, the other you own. With cloud services you (the agency) no longer have physical control over your data. It is important to be aware of where your data resides; talk to vendors, ask questions and ask for guidance when needed.

39 POLICY CHANGES Step #2 Select

40 DPS and Vendor Contact

41 DPS and Vendor Contact
We now have some very strict rules regarding DPS employees and vendor contact. To set up a call with the DPS CJIS Technical Audit staff, all of the following must be true:
1. The vendor must have a contract with a Texas LE Agency.
2. The vendor must have a fully executed CJIS Security Addendum with the LE Agency.
3. The agency must set up the call with DPS and be on the line.

42 DPS and Vendor Contact
The Agency can call the CJIS Technical Audit Team at any time. The Agency will need to ensure that due diligence is done regarding its vendor contract. The agency should specify that CJIS compliance is required in the contract. There will be no exceptions to this.
Speaker notes: Per the DPS Office of General Counsel, the absence of a security addendum creates bidding issues for contracts.

43 Questions?

44 Thank you

