CJIS Security Policy Version 5.4, 10/06/2015
Stephen “Doc” Petty, CISSP, SSCP
CJIS Technical Auditor, Texas Dept of Public Safety
Policy Changes
What’s New in 5.4
• 2.3 Risk Based Compliance Approach
• 5.5.6 Remote Access (Virtual Escorting)
• Advanced Authentication (Clarify Certificates)
• Encryption Exception
• Virtualization and Partitioning (Clarification)
What’s Ahead?
• Explore upcoming topics of APB discussion
Q&A
• Open discussion for questions and concerns
Risk Based Compliance
2.3 Risk Based Compliance
Under CJIS Security Policy Approach:
• Begin a more risk-based approach to compliance measures.
• Section 2.3 Risk versus Realism
• Executive Summary integrating Risk-Based Compliance and Requirements Tiering into the Policy.
Virtual Escorting
Section 5.5.6 Remote Access
• Virtual Escorting – compelling operational needs
• Process must be documented within security plan
• Must meet 5 requirements as outlined within policy.
AA Certificates
5.6.2.2 Advanced Authentication
Clarifying the Types of Certificates:
• Must be specific to an individual user and not to a particular device.
• Prohibit multiple users from utilizing the same certificate.
• Require the user to “activate” that certificate for each use in some manner (e.g., passphrase or user-specific PIN).
Encryption Exception
Encryption Exception
Encryption shall not be required if the transmission medium meets all the following requirements:
• The agency owns, operates, manages, or protects the medium.
• Medium terminates within physically secure locations at both ends with no interconnections between.
• Physical access to the medium is controlled by the agency using the requirements in Section and 5.12
• Protection includes safeguards (e.g., acoustic, electric, electromagnetic, and physical) and if feasible countermeasures (e.g., alarms, notifications) to permit its use for the transmission of unencrypted information through an area of lesser classification or control.
• With prior approval of the CSO. (Alan Ferretti has been assigned).
Virtualization
5.10.3.2 Virtualization and Partitioning (Clarification)
Clarification of Virtualization and Partitioning in the CJIS Security Policy.
• Isolate host from virtual machine
• Maintain audit logs
• Physically separate from virtual machines (if internet facing).
• Critical Drivers should be specific to the virtual machine.
• No sharing - secured as independently as possible.
For Future Consideration…
Faxing Requirements
• Update to include up-to-date facsimile technology.
• CJI being transmitted via -like technology shall meet encryption requirements in transit as defined in Section 5.10
Section 5.13 Mobile Devices
• Add FIPS compliant secure protocols (e.g. SFTP, HTTPS, SNMP, over TLS, etc.) for all management access and authentication.
• Disable non-FIPS compliant secure access to the management interface.
• Verify equipment compliance and function prior to and after any deployment outside of the U.S.
Mobile Device Management
Add the following configurations to the required abilities of MDM solution:
• Detection of unauthorized software or application.
• Ability to determine location of agency controlled devices.
• Prevention of unpatched devices from accessing CJI or CJI systems.
• Automatic device wiping after a specified number of failed access attempts.
LEO Website (LEEP)
• APB will be discussing Transport Layer Security (TLS) 1.2 implementation and how this may affect agencies; impacted browsers, etc.
• Now using true two factor authentication (TLS and out of band e.g., PIN)
Contacts
Alan Ferretti (512)
Stephen “Doc” Petty (512)
Questions?