CJIS Security Policy Changes

Cloud Computing

5.10.1.5 Cloud Computing
Organizations transitioning to a cloud environment are presented unique opportunities and challenges (e.g., purported cost savings and increased efficiencies versus a loss of control over the data). Reviewing the cloud computing white paper (Appendix G.3), NIST Special Publications (800-144, 800-145, and 800-146), as well as the cloud provider’s policies and capabilities will enable organizations to make informed decisions on whether or not the cloud provider can offer service that maintains compliance with the requirements of the CJIS Security Policy.

The metadata derived from Criminal Justice Information shall not be used by any Cloud Provider for any purposes. The Cloud Provider shall be prohibited from scanning any email or data files for the purpose of building analytics, data mining, advertising, or improving the services provided.

Add the following definitions to Appendix A:
Cloud computing – A distributed computing model that permits on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services), software, and information.

Cloud subscriber – A person or organization that is a customer of a cloud computing service provider.

Cloud client – A machine or software application that accesses cloud services over a network connection, perhaps on behalf of a subscriber.

Cloud provider – An organization that provides cloud computing services.

Add the following to Appendix I (References):

For guidance on Cloud Computing, the International Association of Chiefs of Police has provided a Guiding Principles on Cloud Computing for Law Enforcement document to help provide tips for agencies contemplating Cloud Computing.

Cell / Smart Phone / Tablet Device Security

5.5.6.1 Personally Owned Information Systems
A personally owned information system shall not be authorized to access, process, store or transmit CJI unless the agency has established and documented the specific terms and conditions for personally owned information system usage. When bring your own devices (BYOD) are authorized, they shall be controlled using the requirements in Section 5.5.7.3 Cellular.

5.5.7.3.1 Cellular Risk Mitigations
Organizations shall, at a minimum, ensure that cellular devices:

  1. Apply available critical patches and upgrades to the operating system as soon as they become available for the device and after necessary testing as described in section 5.10.4.1.
  2. Are configured for local device authentication.
  3. Use advanced authentication.
  4. Encrypt all CJI resident on the device.
  5. Erase cached information when session is terminated.
  6. Employ personal firewalls or run a Mobile Device Management system that facilitates the ability to provide firewall services from the agency level.
  7. Employ antivirus software or run a Mobile Device Management system that facilitates the ability to provide antivirus services from the agency level.

5.5.7.3.3 Mobile Device Management (MDM)
Mobile Device Management (MDM) facilitates the implementation of sound security controls for mobile devices and allows for centralized oversight of configuration control, application usage, and device protection and recovery [if so desired by the agency].

In addition to the security controls described in this policy, agencies shall implement the following controls when allowing CJI access from cell / smart phones and tablet devices. Devices that have been rooted, jailbroken, or have had any unauthorized changes made to them that would void their warranty shall not be used to process, store, or transmit CJI data at any time.

  1. Ensure that CJI is only transferred between CJI authorized applications or storage areas of the device.
  2. MDM with centralized administration capable of at least:
    1. Remote locking of device
    2. Remote wiping of device
    3. Setting and locking device configuration
    4. Detection of “rooted” and / or “jailbroken” devices
    5. Enforce folder and / or disk level encryption

5.5.7.3.3 Mobile Device Management (MDM)
Mobile device management (MDM) facilitates the implementation of sound security controls for mobile devices and allows for centralized oversight of configuration control, application usage, and device protection and recovery [if so desired by the agency].

In addition to the security controls described in this policy, agencies shall implement the following controls when allowing CJI access from cell / smart phones and tablet devices. Devices that have been rooted, jailbroken, or have had any unauthorized changes made to them shall not be used to process, store, or transmit CJI data at any time.

  1. Segregation where other on-board applications cannot access services or memory associated with CJI application / access and vice versa (e.g. no copy / paste functionality between applications)
  2. MDM with centralized administration capable of at least:
    1. Remote locking of device
    2. Remote wiping of device
    3. Setting and locking device configuration
    4. Detection of “rooted” and / or “jailbroken” devices
    5. Enforce folder and / or disk level encryption

Add the proposed definitions to CJIS Security Policy Appendix A Definitions

Mobile Device – Any portable device used to access CJI via a wireless connection (e.g. cellular, WiFi, Bluetooth, etc.).

Mobile Device Management (MDM) – Centralized administration and control of mobile devices specifically including, but not limited to, cellular phones, smart phones, and tablets. Management typically includes the ability to configure device settings and prevent a user from changing them, remotely locating a device in the event of theft or loss, and remotely locking or wiping a device. Management can also include over-the-air distribution of applications and updating installed applications.

Agency Controlled Mobile Device – A mobile device that is centrally managed by an agency for the purpose of securing the device for potential access to CJI. The device can be agency issued or BYOD (personally owned).

Agency Issued Mobile Device – A mobile device that is owned by an agency and issued to an individual for use. It is also centrally managed by an agency for the purpose of securing the device for potential access to CJI. The device is not BYOD (personally owned).

Root (Rooting, Rooted) – the process of attaining privileged control (known as "root access") of a device running the Android operating system that ultimately allows a user the ability to alter or replace system applications and settings, run specialized applications that require administrator-level permissions, or perform other operations that are otherwise not allowed.

Jailbreak (Jailbroken) – the process of attaining privileged control (known as "root access") of a device running the Apple iOS operating system that ultimately allows a user the ability to alter or replace system applications and settings, run specialized applications that require administrator-level permissions, or perform other operations that are otherwise not allowed.

Add the proposed acronyms to CJIS Security Policy Appendix B Acronyms

BYOD – Bring Your Own Device

MDM – Mobile Device Management