The CJIS Security Policy – Analyzing the 13 Policy Areas: Part III

Rochelle M. Eichner

Better than a sleeping pill or a riveting read?

Welcome back to the third and final post in this series on the CJIS Security Policy. Our last post ended with Policy Area 7 of section 5 concerning Network Diagrams.

Policy Area 8 covers Media Protection and how to protect it both in transit and at rest. It also covers the proper way to dispose of media that contains Criminal Justice Information (CJI) when it is no longer needed. Media is considered both digital and physical (paper) in nature. It is also where encryption is defined as the correct way to protect digital media outside a physically secure location.

The focus of Policy Area 9 is on Physical Protection and access control measures. This is the Policy Area that defines a physically secure location and a controlled area. Visitors need to be identified, but a visitor log is no longer required by the Policy.

Policy Area 10 has the title of Systems and Communications Protection and information Integrity.  This is the Policy Area that defines the encryption requirements, the boundary protection, flow control and enforcement.   When in transit, encryption should be certified to NIST FIPS140-2 standards. When at rest, CJI should be encrypted at NIST FIPS 197 standards. Requirements for VOIP, Cloud Computing, Partitioning and Virtualization, and the faxing of CJI are covered. Point your information technology (IT) support to this policy area if any of the above are being considered.

Policy Area 11 is everyone’s favorite. It covers the Formal Audit process. Every three years the FBI will audit each CJIS Systems Agency (CSA) and State Identification Bureau (SIB) network. The CSA will also audit all Criminal Justice Agencies (CJA) and Non-Criminal Justice Agencies (NCJA) with direct access every three years.

Policy Area 12 covers Personnel Security. The minimum screening requirements for anyone with access to CJI are defined. There is also a section on the screening process for contractors and vendors. This section should be reviewed before bringing on new personnel or vendors.

Policy Area 13 is the newest Policy Area and covers Mobile Devices. Here again, your IT support staff should review this section if mobile devices are to be used at your agency. This includes laptops in a police vehicle or cellular devices such as smart phones or tablets. The necessary security tools such as malicious code protection, firewalls, advanced authentication (AA), mobile device management or the compensating controls for AA are all discussed.

The rest of the policy is made up of the appendices. These include terms and definitions, acronyms, network diagram samples, examples of information exchange agreements and a sample incident response form. Appendix G contains best practices for virtualization, VOIP, and cloud computing. The Appendices end with supplemental guidance for both non-criminal justice agencies and criminal justice agencies. The appendices include excellent information for when you get the call that you are about to be audited.

That completes a very high level look at the CJIS Security Policy and its many sections and Policy Areas. It’s not the scariest document around, but it will tell you what you need to do or have done to protect CJI in all circumstances. We hope this series was helpful and gives you the encouragement to pick up the Policy and read it, even if you take it a section or two at a time.

Part I

Part II

Alan Ferretti

Alan Ferretti is a CJIS Security Analyst and Subject Matter Expert of the CJIS ACE Division at Diverse Computing ( ). He retired as the CJIS ISO for the State of Texas after 13 years of service. He was also the Chairman of the APB CJIS Security and Access Subcommittee. (the group that originates and vets changes to the CJIS Security Policy). Contact Alan directly at or (850) 656-3333 ext.293.



Discussion is closed.

Feedback usabilla icon