CJIS Security Policy v5.4 Changes


1 CJIS Security Policy v5.4 Changes
KCJIS Conference June 8 – 9, 2015 Jeff Campbell FBI CJIS Assistant ISO

2 CJIS ADVISORY PROCESS
5 Working Groups, 9 Subcommittees, CJIS Advisory Policy Board
What is the CJIS Advisory Process?
The Advisory Process is the mechanism by which the FBI Director receives advice and guidance on the operation of the CJIS systems.
Shared management approach to the protection of CJI.
The APB is chartered under the Federal Advisory Committee Act (FACA). Every 2 years the Charter is renewed.
The APB was first chartered in 1994. Combination of existing National Crime Information Center (NCIC) APB and Uniform Crime Report (UCR) APB.
The Process is composed of three main components:
Working Groups: Southern, Western, North Central, Northeastern, Federal
Ad Hoc Subcommittees: Bylaws, Crisis Management, Identification Services, N-DEx, NCIC, Executive, Compliance Evaluation, Security and Access (SA), UCR
Advisory Policy Board (APB)

3 CJIS ADVISORY PROCESS
[Flow diagram: IDEA, CSO, WG Chair, FBI CJIS, WG, Subcommittees, APB, FBI Director]
An idea is born . . .
. . . and sent to the state’s CSO . . .
. . . who evaluates and forwards it to the Working Group Chairman . . .
. . . who forwards it to the FBI’s CJIS Division DFO . . .
. . . who directs it to the proper CJIS unit for research and development.
If deemed feasible, CJIS writes staff paper and forwards to the Working Groups for consideration.
After deliberation, the Working Groups make a recommendation which is forwarded to the Subcommittee . . .
. . . which sends its recommendation to the Board.
The APB’s recommendation is forwarded to the FBI Director for approval and implementation by CJIS.

4 CJIS SECURITY POLICY
Minimum requirements for the protection of criminal justice information (CJI)
Annual release cycle: July / August time frame
Incorporates APB approved changes from previous year (2 cycles: Spring / Fall)
Incorporates administrative changes
CJIS Security Policy is on an annual release cycle: current version is 5.3 dated 8/4/2014. Version 5.4 in coordination. New version usually released in the July/August time frame. New version includes changes approved by the APB in the previous year's spring and fall meeting cycles. New version also includes administrative changes.

5 SIGNIFICANT CHANGES FOR v5.4
Risk-based Approach to Compliance with the CJIS Security Policy
Executive Summary: “The Policy empowers CSAs with the insight and ability to tune their security programs according to their risks, needs, budgets, and resource constraints while remaining compliant with the baseline level of security set forth in this Policy.”
Section 2.3 Risk Versus Realism: “Each agency faces risk unique to that agency. It is quite possible that several agencies could encounter the same type of risk however depending on resources would mitigate that risk differently. In that light, a risk-based approach can be used when implementing requirements.”

6 SIGNIFICANT CHANGES FOR v5.4
Section 5.5.6 Remote Access
Change requirement when documenting remote access for privileged functions (from why to how):
“The agency may permit remote access for privileged functions only for compelling operational needs but shall document the [removed: rationale] technical and administrative process for [removed: such access] enabling remote access for privileged functions in the security plan for the information system.”
Addition of Virtual Escorting for Privileged Functions

7 SIGNIFICANT CHANGES FOR v5.4
Virtual Escorting for Privileged Functions
Must meet ALL these conditions:
Session shall be monitored at all times by an authorized escort
Escort shall be familiar with the system/area where work is being performed
Escort shall have the ability to terminate the session at any time
Remote connection shall be encrypted using FIPS certified encryption
Remote admin personnel shall be identified prior to access and authenticated prior to or during the session

8 SIGNIFICANT CHANGES FOR v5.4
Section 5.6.2.2 Advanced Authentication
Clarify Types of Certificates:
“Advanced Authentication (AA) provides for additional security to the typical user identification and authentication of login ID and password, such as: biometric systems, user-based digital certificates (e.g. public key infrastructure (PKI)), smart cards, software tokens, hardware tokens,…”
When user-based certificates are used for authentication purposes, they shall:
Be specific to an individual user and not to a particular device.
Prohibit multiple users from utilizing the same certificate.
Require the user to “activate” that certificate for each use in some manner (e.g. passphrase or user-specific PIN).

9 SIGNIFICANT CHANGES FOR v5.4
Standardize Terminology within the Policy
Criminal Justice Conveyance:
Section Session Lock – “police vehicle”
Section 5.6 Identification and Authentication – “law enforcement conveyance”
Section Advanced Authentication Policy and Rationale Interim Compliance – “police vehicle”
Section (5) Advanced Authentication Decision Tree – “law enforcement conveyance”
Section Physically Secure Location – “police vehicle”
Appendix A: Physically Secure Location – “police vehicle”

10 SIGNIFICANT CHANGES FOR v5.4
Standardize Terminology within the Policy
Criminal Justice Professional:
Section 5.2 Security Awareness Training Figure 4 – “law-enforcement officers”
Section Advanced Authentication Policy and Rationale Interim Compliance – “police officer”
Section 5.9 Physical Security Figure 13 – “dispatch, officers, and detectives”
Section Cellular – “law enforcement officer”

11 SIGNIFICANT CHANGES FOR v5.4
Section 5.10.1.2(2) Encryption Exception
2. When CJI is transmitted outside the boundary of a physically secure location, the data shall be immediately protected via cryptographic mechanisms (encryption).
EXCEPTIONS:
b) Encryption shall not be required if the transmission medium meets all of the following requirements:
The agency owns, operates, manages, or protects the medium.
Medium terminates within physically secure locations at both ends with no interconnections between.
Physical access to the medium is controlled by the agency using the requirements in Sections and 5.12.
Protection includes safeguards (e.g., acoustic, electric, electromagnetic, and physical) and if feasible countermeasures (e.g., alarms, notifications) to permit its use for the transmission of unencrypted information through an area of lesser classification or control.
With prior approval of the CSO.

12 SIGNIFICANT CHANGES FOR v5.4
Section 5.10.1.2(2) Encryption Exception
Examples:
A campus is completely owned and controlled by a criminal justice agency (CJA) – If line-of-sight between buildings exists where a cable is buried, encryption is not required.
A multi-story building is completely owned and controlled by a CJA – If floors are physically secure or cable runs through non-secure areas are protected, encryption is not required.
A multi-story building is occupied by a mix of CJAs and non-CJAs – If floors are physically secure or cable runs through the non-secure areas are protected, encryption is not required.

13 SIGNIFICANT CHANGES FOR v5.4
Campuses that meet the intent for encryption exception
Top Left – Thomson Correctional Center, Thomson, IL. The 1,600-cell Thomson Correctional Center in Thomson, Ill., was built in 2001 as a state prison with the potential to house maximum-security inmates. It now houses about 200 minimum-security inmates.
Top Right – Alcatraz
Bottom Left – Virginia State Police HQ, Richmond, VA
Bottom Right – Randolph Air Force Base (RAFB), Universal City, TX

14 SIGNIFICANT CHANGES FOR v5.4
Non-potential campuses Top Left – Boise State Univ (represents any college/university campus) Bottom Right – Two county facilities separated by about 1 mile of uncontrolled city area. So even if there is line of sight, there is no controlled campus.

15 SIGNIFICANT CHANGES FOR v5.4
Section 5.10.3.2 Virtualization
Virtualization refers to a methodology of dividing the resources of a computer (hardware and software) into multiple execution environments. Virtualized environments are authorized for criminal justice and noncriminal justice activities. In addition to the security controls described in this Policy, the following additional controls shall be implemented in a virtual environment:
1. Isolate the host from the virtual machine. In other words, virtual machine users cannot access host files, firmware, etc.
2. Maintain audit logs for all virtual machines and hosts and store the logs outside the hosts’ virtual environment.
3. Virtual Machines that are Internet facing (web servers, portal servers, etc.) shall be physically separate from Virtual Machines (VMs) that process CJI internally or be separated by a virtual firewall.
4. Device drivers that are “critical” shall be contained within a separate guest.
Drivers that serve critical functions shall be stored within the specific VM they service. In other words, do not store these drivers within the hypervisor, or host operating system, for sharing. Each VM is to be treated as an independent system – secured as independently as possible. Internet facing VMs shall be physically separated from VMs processing CJI internally or be separated by a virtual firewall.

16 SIGNIFICANT CHANGES FOR v5.4
Section 5.10.3.2 Virtualization
The following additional technical security controls shall be applied in virtual environments where CJI is comingled with non-CJI:
Encrypt CJI when stored in a virtualized environment where CJI is comingled with non-CJI or segregate and store unencrypted CJI within its own secure VM.
Encrypt network traffic within the virtual environment.
The following are additional technical security control best practices and should be implemented wherever feasible:
[removed: 1. Encrypt network traffic between the virtual machine and host.]
1. Implement IDS and/or IPS monitoring within the virtual machine environment.
2. Virtually or physically firewall each [removed: virtual machine from each other (or physically firewall each virtual machine from each other with an application layer firewall)] VM within the virtual environment to [removed: and] ensure that only allowed protocols will transact.
3. Segregate the administrative duties for the host.

17 SIGNIFICANT CHANGES FOR v5.4
Appendix A Terms and Definitions: NEW
Certificate Authority (CA) Certificate; Logical Partitioning; Partitioning; Physical Partitioning; Server/Client Computer Certificate (Device-based); User Certificate (User-based); Virtual Escort; Virtual Machine
NEW Terms and Definitions
Certificate Authority (CA) Certificate – Digital certificates required for certificate-based authentication that are issued to tell the client computers and servers that it can trust other certificates that are issued by this CA.
Logical Partitioning – When the host operating system, or hypervisor, allows multiple guest operating systems to share the same physical resources.
Partitioning – Managing guest operating system, or virtual machine, access to hardware so that each guest OS can access its own resources but cannot encroach on the other guest operating systems resources or any resources not allocated for virtualization use.
Physical Partitioning – When the host operating system, or hypervisor, assigns separate physical resources to each guest operating systems, or virtual machine.
Server/Client Computer Certificate (device-based) – Digital certificates that are issued to servers or client computers of devices by a CA and used to prove device identity between server and/or client computer devices during the authentication process.
User Certificate (user-based) – Digital certificates that are unique and issued to individuals by a CA. Though not always required to do so, these specific certificates are often embedded on smart cards or other external devices as a means of distribution to specified users. This certificate is used when individuals need to prove their identity during the authentication process.
Virtual Escort – Authorized personnel who actively monitor a remote maintenance session on Criminal Justice Information (CJI)-processing systems. The escort must have the ability to end the session at any time deemed necessary to ensure the protection and integrity of CJI at all times.
Virtual Machine (VM) – See Guest Operating System
“If you have specific questions concerning any one of these new definitions, please catch me on break.”

18 SIGNIFICANT CHANGES FOR v5.4
Appendix A Terms and Definitions: MODIFIED
Criminal Justice Conveyance – “A criminal justice conveyance is any enclosed mobile vehicle used for the purposes of criminal justice activities with the capability to comply, during operational periods, with the requirements of Section ”
Guest Operating System – “An operating system that has emulated hardware presented to it by a host operating system. Also referred to as the [removed: virtualized operating system] virtual machine (VM).”
Host Operating System – In the context of virtualization, the operating system that interfaces with the actual physical hardware and arbitrates between it and the guest operating systems. It is also referred to as a hypervisor.
MODIFIED Terms and Definitions
Crim Just Convey: is Physical Access Control. The agency shall control all physical access points (except for those areas within the facility officially designated as publicly accessible) and shall verify individual access authorization before granting access.
“If you have specific questions concerning any one of these modified definitions, please catch me on break.”

19 SIGNIFICANT CHANGES FOR v5.4
Appendix A Terms and Definitions: MODIFIED
State of Residency – “A state of residency is the state in which an individual claims and can provide documented evidence as proof of being his/her permanent living domicile. CJIS Systems Officers have the latitude to determine what documentation constitutes acceptable proof of residency. [removed: Examples of acceptable documented evidence permitted to confirm an individual’s state of residence are: driver’s license, state or employer issued ID card, voter registration card, proof of an address (such as a utility bill with one’s name and address as the payee), passport, professional or business license, and/or insurance (medical/dental) card.]”
MODIFIED Terms and Definitions
State of Residency: remove examples and allow CSO to determine what is acceptable proof.

20 SIGNIFICANT CHANGES FOR v5.4
Appendix J Noncriminal Justice Agency Supplemental Guidance
Updated
From 2 pages to 10
Expanded explanation of Policy sections
Use Cases
“This appendix is not intended to be used in lieu of the CJIS Security Policy (CSP) but rather should be used as supplemental guidance specifically for those Noncriminal Justice Agencies (NCJA) with access to Criminal Justice Information (CJI) as authorized by legislative enactment or federal executive order to request civil fingerprint-based background checks for licensing, employment, or other noncriminal justice purposes, via their State Identification Bureau (SIB) and/or Channeling agency. Examples of the target audience for the Appendix J supplemental guidance include school boards, banks, medical boards, gaming commissions, alcohol and tobacco control boards, social services agencies, pharmacy boards, etc.”
Still just supplemental guidance. No requirements. Not auditable. Etc…

21 SIGNIFICANT CHANGES FOR v5.4
Administrative Changes
Section Advanced Authentication Policy and Rationale
Remove “INTERIM COMPLIANCE”
1. Internet Protocol Security (IPSec) does not meet the 2011 requirements for advanced authentication; however, agencies that have funded/implemented IPSec in order to meet the AA requirements of CJIS Security Policy v.4.5 may continue to utilize IPSec for AA until September 30, 2014.
Update terminology for LEO
Change to LEEP (Law Enforcement Enterprise Portal)
IPSEC still OK for encryption as long as it meets the encryption requirements of either FIPS or FIPS 197 AES 256.

22 TOPICS IN SPRING APB Evaluation of Appendix K Administrator Accounts for Least Privilege Assigning Tier Numbers to CJIS Security Policy Requirements Security Awareness Training Requirements Clarification of Out-of-Band Authentication CSO Delegation Authorizing Personnel Screening Requirement CSA Auditing of Vendor Facilities

23 UPCOMING TOPICS FOR FALL APB
Security Incident Reporting and Incident Response Form Mobile Security Task Force Change Recommendations for Section 5.13 Faxing Requirements in the CJIS Security Policy Clarifying Personnel Background Check Requirement for Noncriminal Justice Agencies Noncriminal Justice Agencies and the Security Addendum

24 SIGNIFICANT CHANGES FOR v5.4
Questions?

25 ISO RESOURCES CJIS Security Policy Resource Center
iso@ic.fbi.gov
Publicly Available:
Features:
Search and download the CSP
Download the CSP Requirements and Tiering Document
Use Cases (Advanced Authentication and others to follow)
Cloud Computing Report & Cloud Report Control Catalog
Mobile Appendix
Submit a Question (question forwarded to CJIS ISO Program)
Links of importance

26 ISO RESOURCES CJIS Security Policy Resource Center
Step #1 Select “About Us”
Step #2 Select “Criminal Justice Information Services”
Click on ABOUT US then CRIMINAL JUSTICE INFORMATION SERVICES

27 ISO RESOURCES CJIS Security Policy Resource Center
Step #3 Select “Security Policy Resource Center”
We’re under OTHER PROGRAMS as “Security Policy Resource Center”

28 iso@leo.gov ISO RESOURCES CJIS Security Policy Resource Center

29 iso@leo.gov ISO RESOURCES CJIS Security Policy Resource Center

30 ISO RESOURCES CJIS Information Security Office LEEP SIG
MySIGs are listed here for quick access Click here for the SIG home page

31 ISO RESOURCES CJIS Information Security Office LEEP SIG
MySIGs are listed here for quick access Click here to browse all SIGs

32 ISO RESOURCES CJIS Information Security Office LEEP SIG
Expand Access Type and click on UNRESTRICTED MySIGs are listed here for quick access

33 ISO RESOURCES CJIS Information Security Office LEEP SIG
MySIGs are listed here for quick access Click the CJIS-ISO logo to go to the SIG

34 ISO RESOURCES CJIS Information Security Office LEEP SIG
MySIGs are listed here for quick access Click here to add the CJIS ISO SIG to MySIGs

35 ISO RESOURCES CJIS Information Security Office LEEP SIG
Click here for the Forums

36 ISO RESOURCES CJIS Information Security Office LEEP SIG
MySIGs are listed here for quick access Click here for the CJIS ISO Forum

37 CJIS ISO CONTACT INFORMATION George White, CJIS ISO (304) Jeff Campbell, CJIS Assistant ISO (304) 625 – 4961 Steve Exley, Sr. Consultant/Technical Analyst (304)

38 iso@ic.fbi.gov QUESTIONS? Jeff Campbell
FBI CJIS Assistant Information Security Officer CJIS Information Assurance Unit (304)

