
Criminal Justice Information Services (CJIS) Information Security Officer Resource Center

The Information Security Office (ISO) plays a crucial role in responding to security incidents impacting Criminal Justice Information Services (CJIS) within partner agencies. When notified of a potential security incident, ISO acts immediately, coordinating communication with the Arizona Department of Homeland Security (AZDOHS), the FBI, and the Arizona Department of Public Safety Incident Response Team. ISO facilitates incident management, oversees necessary remediation actions, provides support to local agencies, performs CJIS Vendor Technical Audits for the agency, and ensures compliance through thorough follow-up and audits. By maintaining clear, timely communication and structured incident response processes, ISO ensures the integrity and security of critical information systems.

 

The Criminal Justice Information Services (CJIS) division, managed by the FBI, provides critical information services, including criminal records, fingerprints, and identification data to law enforcement and criminal justice agencies nationwide. CJIS ensures secure, standardized, and regulated access to sensitive data through strict policies designed to maintain confidentiality, integrity, and availability. Agencies using CJIS data must comply with FBI security standards, ensuring proper data handling, auditing, user authentication, incident response, and compliance measures.

The Criminal Justice Information Services (CJIS) Security Policy establishes a comprehensive framework of security requirements to protect Criminal Justice Information (CJI). This policy aligns closely with the National Institute of Standards and Technology (NIST) Special Publication 800-53 controls, ensuring robust data protection measures. These controls collectively ensure that agencies handling CJI maintain a robust security posture, safeguarding sensitive information throughout its lifecycle. The major policy controls in CJIS include:

 

Access Control (AC):

• Account Management (AC-2): Ensures that only authorized individuals have access to systems processing CJI.

• Least Privilege (AC-6): Limits user access rights to the minimum necessary to perform their duties.

• Remote Access (AC-17): Manages secure remote access to systems containing CJI.

• Use of External Systems (AC-20): Regulates the use of external information systems to process, store, or transmit CJI.

 

Audit and Accountability (AU):

• Audit Events (AU-2): Specifies which events must be logged to monitor system activity.

• Audit Review, Analysis, and Reporting (AU-6): Requires regular analysis of audit logs to detect unauthorized activity.

 

Awareness and Training (AT):

• Security Awareness Training (AT-2): Mandates regular training programs to ensure personnel understand security responsibilities.

 

Configuration Management (CM):

• Baseline Configuration (CM-2): Establishes and maintains a baseline configuration for information systems.

• Configuration Settings (CM-6): Defines secure settings for information technology products employed within the information system.

 

Identification and Authentication (IA):

• Identification and Authentication (IA-2): Requires unique identification and authentication of users accessing CJI systems.

• Authenticator Management (IA-5): Manages the issuance and maintenance of authenticators (e.g., passwords, tokens).

 

Incident Response (IR):

• Incident Response Training (IR-2): Ensures personnel are trained to respond to security incidents.

• Incident Response Testing (IR-3): Conducts regular testing of incident response capabilities.

 

Maintenance (MA):

• Controlled Maintenance (MA-2): Manages maintenance activities to ensure they do not compromise system security.

 

Media Protection (MP):

• Media Access (MP-2): Restricts access to media containing CJI to authorized individuals.

• Media Sanitization (MP-6): Ensures proper disposal or sanitization of media to prevent unauthorized access to CJI.

 

Personnel Security (PS):

• Personnel Screening (PS-3): Implements background checks for individuals accessing CJI.

• Personnel Termination (PS-4): Defines procedures for terminating access to CJI upon employee departure.

 

Physical and Environmental Protection (PE):

• Physical Access Control (PE-3): Controls physical access to facilities where CJI is processed or stored.

• Emergency Shutoff (PE-10): Provides the capability to shut down systems in emergencies to protect CJI.

 

Risk Assessment (RA):

• Risk Assessment (RA-3): Conducts regular assessments to identify and mitigate risks to CJI.

 

System and Communications Protection (SC):

• Boundary Protection (SC-7): Monitors and controls communications at external boundaries to protect CJI.

• Transmission Confidentiality and Integrity (SC-9): Protects the confidentiality and integrity of transmitted CJI.

 

System and Information Integrity (SI):

• Flaw Remediation (SI-2): Identifies and corrects system flaws in a timely manner.

• Malicious Code Protection (SI-3): Implements measures to protect systems against malware.

 

  1. Arizona Revised Statutes (A.R.S.) § 13-609: Transfer of Criminal Justice Information
    • This statute mandates the procedures for transmitting case information when a person is found incompetent or guilty except insane. It requires courts to forward pertinent case details to the Arizona Supreme Court, which then transmits this information to the Department of Public Safety (DPS). The DPS is responsible for updating the National Instant Criminal Background Check System (NICS) accordingly. The statute defines "case information" to include personal identifiers such as name, sex, date of birth, and partial Social Security numbers.
  2. Arizona Administrative Code (A.A.C.) § R13-1-201: Compliance with CJI Policies
    • This administrative code requires all criminal justice agencies in Arizona that handle CJI or criminal history record information from the Arizona Criminal Justice Information System (ACJIS) or the National Crime Information Center (NCIC) to adhere to established policies and regulations. These guidelines are detailed in publications like the ACJIS Operating Manual and the FBI CJIS Security Policy. The code ensures standardized procedures across agencies for managing and safeguarding CJI.
  3. Arizona Revised Statutes (A.R.S.) § 13-4434: Victim's Right to Privacy
    • This statute protects the privacy of victims by restricting the disclosure of their identifying and locating information. It specifies that such information should not be disclosed to the defendant or their attorney without a court order, thereby safeguarding victims' personal data within the criminal justice process.
  4. Arizona Department of Public Safety (DPS) Policies
    • DPS oversees the ACJIS, a statewide network that houses various databases on individuals and property in Arizona. The Criminal Justice Services Bureau within DPS manages the ACJIS, the Arizona Biometric Information System (ABIS), and the Central State Repository (CSR). These systems collectively ensure that CJI is collected, stored, and disseminated in compliance with state and federal regulations.

 

  1. Centralized Access to Policy Documents

 

During a CJIS Technical Audit, the agency being assessed may need to provide or produce the following:

 

  1. Provide Documentation:
    • CJIS-related policies and procedures (incident response plan, security policies, training records).
    • Network diagrams, system configurations, and logs.
    • Records of employee background checks and training documentation.
  2. Demonstrate Technical Controls:
    • Provide evidence of encryption, multifactor authentication (MFA), and access control mechanisms.
    • Demonstrate live access to audit logs and monitoring tools.
  3. Support Audit Activities:
    • Answer auditor inquiries promptly and accurately.
    • Provide technical personnel to assist auditors during reviews.
  4. Corrective Action Plans:
    • Respond to any compliance gaps or violations identified during the audit.
    • Submit a Corrective Action Plan (CAP) detailing steps and timelines to resolve issues.

 

Audit Outcomes:

After completing the technical audit, the CJIS auditor(s) will issue an audit report detailing their findings, which typically includes:

  • Areas of compliance.
  • Identified deficiencies or non-compliance issues.
  • Required remediation steps, timelines, and recommendations.

The audited agency is responsible for addressing any findings and must demonstrate corrective action within a specified period.

 

Importance:

Compliance with CJIS standards ensures:

  • Protection of sensitive criminal justice data.
  • Trust between federal, state, and local criminal justice agencies.
  • Continued access to CJIS databases and resources.

Non-compliance could result in restricted access or removal of CJIS privileges until compliance is restored.

 

Technical Compliance Audit Process ~ Criminal Justice Agencies
  • 1st Step ~ AZDPS Initiates the audit
    • The CJIS ISO or designee will conduct the following:
      • Verifies the contact information for the agency they are auditing
      • Sends a formal notification to the LASO, with a carbon copy (cc) to the Chief/Sheriff, the TAC, and the CIO, informing them of the triannual audit and a 30-day deadline. There may not always be a CIO.
      • Adds the agency to the CJIS Online Audit system. -- CJIS Online CJA Audit Link
  • 2nd Step ~ Agency Responds to Audit
      • Completes the audit online through Peak Performance.
      • Requests from DPS a location to send all the requested policies and procedures through the online audit
  • 3rd Step ~ Audit Review
    • The CJIS ISO or designee reviews the completed questionnaire and the documentation the agency has provided.
      • If all documentation and questionnaires are complete, the auditor will send a compliance letter to the LASO, Sheriff/Chief, and SSO.
      • If the questionnaire is incomplete, the response to any question is non-compliant, etc.:
        • The CJIS ISO or designee sends the preliminary report to the agency, detailing initial findings and how to remediate the noncompliant items, and requesting additional information and/or documentation.
        • The report will also provide a deadline of 15 to 30 days to respond, depending on the complexity of the preliminary findings.
        • Once the agency has responded to the findings, the CJIS ISO will review the final findings and prepare a memo/letter for the CSO if the vendor is still in non-compliance.
        • At the ISO's/CSO's discretion, the agency can be placed on extension. If placed on extension, depending on how the agency cooperates, it may be required to provide monthly or quarterly updates.
        • The CSO will determine if the agency is still non-compliant.

A vendor is required to complete a CJIS Vendor Technical Audit to demonstrate compliance with the CJIS Security Policy. This step is crucial for maintaining trust with the Arizona Department of Public Safety and its partners, as well as for protecting sensitive criminal justice information. The audit must be successfully passed before the Arizona Department of Public Safety can proceed with the procurement process.

 

A Vendor Technical Audit is applicable solely to DPS partnerships and does not extend statewide approval to other criminal justice agencies. Each agency is responsible for adhering to CJIS policy and must conduct its own vetting process for the vendor.

 

Once the vendor is deemed compliant, they will undergo the audit process every three years.

 

Vendor Compliance Audit Process

 

Depending on the vendor's response and documentation review, this process can take up to six months due to the complexity and sensitivity of the information that AZDPS retains.

 

  1. AZDPS Initiates the audit
    • The business unit will make a formal request from their respective division to the CJIS ISO.
    • The CJIS ISO or designee will conduct the following:
      • Verifies the contact information for the agency they are auditing.
      • Sends the FBI Companion Spreadsheet to the vendor with deadline, expectations, and instructions.
  2. Vendor Responds to Audit
    • Completes and returns the FBI Companion Spreadsheet.
    • Requests from the CJIS ISO or designee a location to send all the requested policies and procedures.
  3. Audit Review
    • The CJIS ISO or designee reviews the completed FBI Companion Spreadsheet and the documentation the vendor has provided.
      • If all documentation and questionnaires are complete, and the auditor finds no additional findings or information needed, the auditor will send a compliance letter to the vendor.
      • If the questionnaire is incomplete, the response to any question is non-compliant, etc.:
        • The CJIS ISO or designee sends the preliminary report to the vendor, detailing initial findings and how to remediate the noncompliant items, and requesting additional information and/or documentation.
        • The report will also provide a deadline of 30 to 60 days, depending on the complexity of the preliminary findings.
        • Once the vendor has responded to the findings, the CJIS ISO will review the final findings and prepare a memo/letter for the CSO if the vendor is still in non-compliance.
        • The CSO will determine if the agency is still non-compliant.
        • If compliant, the vendor will receive a formal letter informing them they meet CJIS requirements for this request.

      Note: This only makes the vendor compliant for AZDPS, as requested by the product agency. Additionally, the vendor will undergo a triennial audit process according to CJIS requirements.

       

       

      Do I have to be FedRAMP or StateRAMP?

       

      The CJIS Security Policy does not explicitly reference or mandate compliance with FedRAMP or StateRAMP. Instead, it establishes its own comprehensive set of security requirements tailored to protect Criminal Justice Information (CJI).

      However, recognizing the importance of aligning with CJIS standards, StateRAMP has proactively developed a CJIS-Aligned Overlay. This overlay integrates additional controls specific to CJIS requirements, facilitating cloud service providers in demonstrating conformance with CJIS policies. Notably, this initiative was developed in coordination with CJIS advisors and experts, underscoring a collaborative effort to harmonize security standards for criminal justice agencies.

      In summary, while CJIS Policy does not directly address FedRAMP or StateRAMP, initiatives like StateRAMP's CJIS-Aligned Overlay provide structured pathways for service providers to align with CJIS requirements, thereby enhancing the security and compliance landscape for criminal justice information systems.

       

      What is StateRAMP?

      StateRAMP is a cybersecurity program specifically designed for state and local governments, providing standardized methods for verifying the cybersecurity posture of cloud service providers (CSPs).

      Additional StateRAMP information ~ StateRAMP for State and Local Governments & Education - StateRAMP

       

      What is FedRAMP?

      FedRAMP is a standardized, government-wide program that provides a consistent framework for assessing, authorizing, and continuously monitoring the security of cloud services used by U.S. federal agencies.

      Additional FedRAMP Information ~ How to Become FedRAMP Authorized | FedRAMP.gov

       

       

      Incident reporting is the timely identification, documentation, and communication of security incidents involving unauthorized access, disclosure, loss, or misuse of CJI.

       

      1. ACJIS ISO is informed by the agency of a security-related issue.
        • ACJIS ISO reports preliminary information about the security incident to the CISO.
        • ACJIS ISO will alert the AZ DPS incident response team.
        • ACJIS ISO may disable the Agency’s CJIS connection depending on the severity of the breach.
        • CJIS ISO reports preliminary information about the security incident to the FBI.
        • ISO reports preliminary information about the security incident to the AZ DOHS.
      2. CJIS ISO ensures the LASO of the agency has instituted the CSA incident response reporting procedures at the local level.
        • ISO provides LASO with a “Security Incident Reporting Form”.
      3. If there is confirmation of a breach to the agency, here are some of the requirements that will need to be met before DPS will reconnect the agency’s CJIS connection:
        • Check Patch Status:
          1. Verify that the infected devices have all the latest security patches and updates installed.
          2. Provide a log from your patch management system showing the infected devices' patch status.
        • Anti-Malware Scan:
          1. Run a thorough anti-malware scan on the infected devices to ensure they are clean of malicious software or viruses.
          2. Provide logs from infected devices showing the scans are clean.
        • Vulnerability Scan:
          1. Conduct a vulnerability scan to identify any weaknesses or potential security gaps.
          2. Provide DPS with logs showing the results of the scan.
      4. Once remediated:
        • Notify the Infrastructure team to enable the agency’s CJIS connection.
        • Have the helpdesk / Biometrics Technology Section Manager send out an update notification.
        • ISO compiles an after-action brief for the CSO.
      NOTE: Depending on the severity of the breach, the ACJIS ISO may initiate a full “Technical Audit” of the agency.

       

      ACJIS ISO Contact Information ~ [email protected]