FBI Revamps Criminal Justice Data Security Policy

Revisions to the FBI’s Criminal Justice Information Services Security Policy affect all entities who have access to that data, including education departments, police, vendors and more.

The FBI is in the midst of a major rewrite of the security policy that sets minimum criteria for how its criminal justice information is protected. With the revamp, the bureau is aiming to make sure that states, local governments and anyone else using that data ramps up their own cybersecurity.

The policy revamp affects all entities that can access FBI Criminal Justice Information Services (CJIS) Division information and services. That includes police departments and courts, as well as non-criminal justice agencies, like departments of education, which use such data to run criminal background checks on applicants for teaching jobs. Vendors and contractors also need to ensure they’re in compliance with the new policies.

Chris Weatherly, information security officer in the FBI/CJIS Division, said during a recent Center for Digital Government* webinar that complying with the updated requirements will be a big but necessary ask.

“It’s roughly 50 percent new,” Weatherly said of the security policy.

Still, he argued that the hard work of complying is better than the alternative of failing to do so and suffering a cyber attack that downs government systems and shakes public trust. Attacks on state and local government could ripple upward, too.

“We need to protect these systems, because, at the federal level, as we continue to evolve and harden our systems and make those systems less attractive for adversaries to get to, they're looking at where's the next infiltration point — and that is our state and local systems that do have access to us,” Weatherly said. “We’re trying to get that CJIS Security Policy up to a certain level so that we can start protecting those systems as well.”

Efforts to modernize the security policy kicked off in September 2020, after the CJIS Advisory Policy Board told Weatherly that systems weren’t keeping up with how cyber threats had evolved.

Policy updates have been released in phases. Version 5.9.4 is the latest and includes several new measures that will need to be adopted by autumn. For example, an organization could be sanctioned on or after Oct. 1 if it isn’t “integrat[ing] audit record review, analysis and reporting processes using automated mechanisms.”
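To show what the quoted requirement looks like in practice, the script below is an added illustration, not code from the article, the FBI or the CJIS Security Policy. It parses a constructed, pipe-delimited audit log (timestamp|user|event|outcome|source_ip), applies three review rules (repeated login failures, queries outside business hours, one account querying from several addresses in a day) and emits a summary report of the kind a scheduled job would hand to a human reviewer. The log format, event names, thresholds and business-hours window are all assumptions.

```python
"""Illustrative automated audit-record review, analysis and reporting.

Added example, not from the article or the CJIS Security Policy itself.
It assumes a constructed, pipe-delimited audit log format
(timestamp|user|event|outcome|source_ip); real CJI systems will have
their own formats, event names and thresholds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real data).
SAMPLE_LOG = """\
2024-09-30T08:05:12|jdoe|LOGIN|SUCCESS|10.1.4.22
2024-09-30T08:07:40|jdoe|CJI_QUERY|SUCCESS|10.1.4.22
2024-09-30T02:14:03|rsmith|CJI_QUERY|SUCCESS|10.1.9.8
2024-09-30T09:00:01|tlee|LOGIN|FAILURE|10.1.6.5
2024-09-30T09:00:20|tlee|LOGIN|FAILURE|10.1.6.5
2024-09-30T09:00:41|tlee|LOGIN|FAILURE|10.1.6.5
2024-09-30T09:01:02|tlee|LOGIN|FAILURE|10.1.6.5
2024-09-30T09:01:30|tlee|LOGIN|FAILURE|10.1.6.5
2024-09-30T10:15:00|jdoe|CJI_QUERY|SUCCESS|203.0.113.77
"""

FAILED_LOGIN_THRESHOLD = 5          # failures within FAILED_LOGIN_WINDOW (assumed)
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 local time (assumed)


def parse_log(text):
    """Parse pipe-delimited records into dicts; skip malformed lines rather than crash."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, user, event, outcome, ip = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        records.append({"when": when, "user": user, "event": event,
                        "outcome": outcome, "ip": ip})
    return records


def analyze(records):
    """Return a list of findings (dicts) produced by three simple review rules."""
    findings = []

    # Rule 1: repeated authentication failures within a sliding window.
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN" and r["outcome"] == "FAILURE":
            failures[r["user"]].append(r["when"])
    for user, times in failures.items():
        times.sort()
        for i in range(len(times)):
            window = [t for t in times[i:] if t - times[i] <= FAILED_LOGIN_WINDOW]
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                findings.append({"rule": "repeated_login_failure", "user": user,
                                 "count": len(window), "first": times[i].isoformat()})
                break  # one finding per user is enough for the report

    # Rule 2: CJI queries outside the assumed business-hours window.
    for r in records:
        if r["event"] == "CJI_QUERY" and r["when"].hour not in BUSINESS_HOURS:
            findings.append({"rule": "after_hours_query", "user": r["user"],
                             "when": r["when"].isoformat()})

    # Rule 3: one account querying CJI from more than one source address in a day.
    ips_by_user_day = defaultdict(set)
    for r in records:
        if r["event"] == "CJI_QUERY":
            ips_by_user_day[(r["user"], r["when"].date())].add(r["ip"])
    for (user, day), ips in ips_by_user_day.items():
        if len(ips) > 1:
            findings.append({"rule": "multiple_source_ips", "user": user,
                             "day": day.isoformat(), "ips": sorted(ips)})
    return findings


def build_report(findings):
    """Summarize findings per rule, the shape a scheduled job would hand to reviewers."""
    summary = defaultdict(int)
    for f in findings:
        summary[f["rule"]] += 1
    return {"total_findings": len(findings), "by_rule": dict(summary), "findings": findings}


def review_sample():
    """Run the whole pipeline over the constructed sample log."""
    return build_report(analyze(parse_log(SAMPLE_LOG)))


if __name__ == "__main__":
    import json
    print(json.dumps(review_sample(), indent=2, default=str))
```

The point of the rules is not their specific thresholds but that the review runs on a schedule without a person reading raw records, and that the output is a report someone is accountable for acting on; an agency would swap in its own log format and tune the windows to its environment.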

A newer iteration of the policy is in the works, too, with Weatherly saying version 5.9.5 will likely publish by the end of this month and include more guidance on where to focus first. It’ll identify Priority 1 items that should be tackled as soon as possible, because these “do knock down your cyber risk exponentially,” Weatherly said. The remaining measures are prioritized based on ease of implementation, with the idea that it’s easier to implement Priority 4 controls after having implemented Priority 2 and 3 controls. The next CJIS audit will note any areas of non-adoption, but organizations will only be penalized this time for failures to meet Priority 1 controls.

States will need to make sure everyone affected by the policy changes knows about and understands it, said former Massachusetts CIO Curt Wood. Non-public safety organizations may need help parsing the details of the policy, and state auditors should learn it well so they can ensure their checks are in alignment. Meeting new requirements could be burdensome for small police departments that typically have limited technical capabilities, said National White Collar Crime Center Vice President James Emerson. He said 73 percent of the U.S.’ police departments have fewer than 25 sworn officers, putting them in that category.

Agencies shouldn’t assume that using a FedRAMP- or StateRAMP-authorized product necessarily puts them in compliance with the security policy, Weatherly said. They’ll need to check themselves to see if it brings their organization to the right security level.

Navigating this transition can be tricky, but states’ CJIS systems agencies can help. For example, the state agency could offer a centralized system that’s compliant with the security policy and which its customer agencies can use. Or it might establish contracts for compliant vendor products that local governments can also leverage, said former New York State CJIS Systems Officer Scott Wilcox. A CJIS systems agency might be the state police department, attorney general's office or other entity, depending on the state.

And local governments and others shouldn’t be afraid to reach out to their state’s CJIS assistance agency with questions about understanding the policy, Wood said.

“The CJIS Security Policy is a very technical requirement,” Wood said. “It’s gotten better over the years, but it’s a very difficult thing to understand and read, and a lot of people just kind of pass over it. And people have different interpretations of what it means.”

Another source of support is the International Association of Chiefs of Police, whose dedicated CJIS Security Modernization Working Group has been issuing podcasts explaining the changes, said Emerson, who chairs the group. Agencies can submit questions, and the group will issue new informational content to address them.

A final piece of advice, Emerson said: Don’t wait to begin updating; start now.

*Note: The Center for Digital Government is part of e.Republic, Government Technology’s parent company.
Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.