What Law Enforcement Agencies Need to Know About CJIS Regulations: How to Maintain Compliance and Avoid Penalties
You’ve probably heard of several major data protection laws that have been passed in recent years like GDPR, CCPA, and the New York SHIELD Act. While these laws apply across the board, there’s another set of regulations specifically applicable to law enforcement and criminal-justice-related fields: CJIS regulations.
Where did the CJIS regulations come from?
CJIS regulations were established by an organization known as the Criminal Justice Information Services (CJIS). CJIS was established in 1992 and remains the largest division of the Federal Bureau of Investigation (FBI). The CJIS monitors communities and works with data they get from law enforcement agencies.
Over the years, CJIS has amassed a large database full of criminal justice data that is regularly accessed by law enforcement agencies. Hackers often target this database since it contains highly sensitive information they can use for identity theft and other purposes.
To prevent data breaches and other forms of cybercrime, CJIS created a set of regulations to protect their data. All organizations, agencies, cloud vendors and corporate networks that access CJIS data must comply with these regulations even if they’re not in law enforcement or a criminal justice agency.
What do the CJIS regulations require?
The CJIS data protection regulations consist of thirteen policy areas that cover security awareness training, incident response, accountability, auditing requirements, access control, authentication, physical protection, and more. You can access the full security policy on the FBI.gov.
At first glance, it appears that you’ll be fine as long as you and your team comply with CJIS regulations when accessing the database. However, as a law enforcement agency, you have several additional responsibilities.
Storing data. When you store or transmit data retrieved from the CJIS database, you need to comply with the regulations. This means you need to verify that the digital environment where you store the data is compliant. Whether you store the data on a computer in your office or in the cloud on a web server, the physical storage device must be compliant.
Emailing data. You also need to be cautious of emailing the data. Sending CJIS data unencrypted in the body of an email is a violation of the regulations. Ideally, you should be using a service that encrypts emails end-to-end, and only send sensitive data to a company email address you know is encrypted. The alternative is to create password-protected, encrypted PDF files that contain the data you wish to transmit.
Controlling devices that access the data. If you don’t have control over the devices people use to access CJIS data, you could be in trouble. If your team members access the data from their personal devices, they’re probably not in compliance.
If there’s no way around allowing people to use their own devices for work, the best you can do is require them to use an encrypted network connection and have a policy prohibiting the use of public Wi-Fi networks. If you allow team members to use their own devices, it’s strongly recommended to enable two-factor authentication to access the locations where CJIS data is stored.
If a data breach occurs because a team member’s phone was stolen or they accessed the network from a public network, your organization will be held responsible.
Vendors. This is where things get a bit complicated. You are responsible for making sure all of your vendors are CJIS-compliant. For example, if you want to store data in the cloud, you must find a CJIS-compliant webhost.
CJIS regulations are specific and require more than just broad data security. For example, you can’t presume a webhost meet CJIS regulations because they claim to be secure. Although many webhosts go out of their way to become CJIS-compliant, you need to verify the compliance and implement your own security measures you can control.
Your webhost is only responsible for providing security for the infrastructure – you are fully responsible for implementing CJIS security requirements within your hosting environment.
What are the consequences of ignoring CJIS regulations?
Ignoring CJIS regulations can lead to severe consequences like sanctions, financial penalties, and even jail time. Since audits are conducted regularly, you can’t afford to be out of compliance even for a moment.
CJIS regulations apply to everyone who accesses the database
There are plenty of non-criminal justice organizations that require access to the CJIS database. For example, this data is accessed when a firearms dealer performs a criminal background check on a customer.
Although gun dealers aren’t in law enforcement, they’re required by law to run background checks on their customers. It’s a privilege to access CJIS data, and maintaining permission to access the database requires full compliance. If a firearms dealer doesn’t comply with data protection regulations, they could lose access to the database, which would put them out of business.
If you’re working with another organization and need to share CJIS data with them, you need to make sure they are compliant up to your standards.
Your agency needs CJIS compliance tools and expert support
There are several tools you can use to stay compliant, including file and system monitoring software. This type of software helps you maintain policy implementation.
Another piece of software called CimTrak will provide you with a system for documenting and handling incidents. The software will produce an audit trail and comes with a ticketing system.
There are also software applications, like Lepide, that will help you maintain compliance while storing your data in the cloud.
Other important cybersecurity solutions can be obtained from our Cyber-Security-As-A-Service offering, like network security monitoring, endpoint protection, and Office 365 security monitoring.
Are your internal policies aligned with CJIS regulations? It’s not enough
To meet and maintain compliance, your processes and policies must be aligned with these regulations. However, what you need most is a dedicated, professional IT security team that specializes in CJIS regulations. Policies look good on paper, but require extensive training and often big changes to enforce.
If you read through this guide for successful compliance, you’ll see that the requirements are highly technical. Since there’s no room for error without major consequences, you can’t skip the IT security pros.
If your organization hasn’t become CJIS-compliant yet, or if you’re not sure, reach out to our team and we will work to help you get up to speed.