CJIS Security Policy Resource Center

Download CJIS Security Policy v5_6_20170605 (2).pdf — 3059 KB

PDF outline (bookmark titles with page numbers):

Executive Summary (p. 1)
Change Management (p. 2)
Summary of Changes (p. 3)
Table of Contents (p. 5)
List of Figures (p. 11)
1 Introduction (p. 12)
  1.1 Purpose (p. 12)
  1.2 Scope (p. 12)
  1.3 Relationship to Local Security Policy and Other Policies (p. 12)
  1.4 Terminology Used in This Document (p. 13)
  1.5 Distribution of the CJIS Security Policy (p. 13)
2 CJIS Security Policy Approach (p. 14)
  2.1 CJIS Security Policy Vision Statement (p. 14)
  2.2 Architecture Independent (p. 14)
  2.3 Risk Versus Realism (p. 14)
3 Roles and Responsibilities (p. 15)
  3.1 Shared Management Philosophy (p. 15)
  3.2 Roles and Responsibilities for Agencies and Parties (p. 15)
    3.2.1 CJIS Systems Agencies (CSA) (p. 16)
    3.2.2 CJIS Systems Officer (CSO) (p. 16)
    3.2.3 Terminal Agency Coordinator (TAC) (p. 17)
    3.2.4 Criminal Justice Agency (CJA) (p. 17)
    3.2.5 Noncriminal Justice Agency (NCJA) (p. 17)
    3.2.6 Contracting Government Agency (CGA) (p. 18)
    3.2.7 Agency Coordinator (AC) (p. 18)
    3.2.8 CJIS Systems Agency Information Security Officer (CSA ISO) (p. 18)
    3.2.9 Local Agency Security Officer (LASO) (p. 19)
    3.2.10 FBI CJIS Division Information Security Officer (FBI CJIS ISO) (p. 19)
    3.2.11 Repository Manager (p. 20)
    3.2.12 Compact Officer (p. 20)
4 Criminal Justice Information and Personally Identifiable Information (p. 21)
  4.1 Criminal Justice Information (CJI) (p. 21)
    4.1.1 Criminal History Record Information (CHRI) (p. 21)
  4.2 Access, Use and Dissemination of Criminal History Record Information (CHRI), NCIC Restricted Files Information, and NCIC Non-Restricted Files Information (p. 22)
    4.2.1 Proper Access, Use, and Dissemination of CHRI (p. 22)
    4.2.2 Proper Access, Use, and Dissemination of NCIC Restricted Files Information (p. 22)
    4.2.3 Proper Access, Use, and Dissemination of NCIC Non-Restricted Files Information (p. 22)
      4.2.3.1 For Official Purposes (p. 22)
      4.2.3.2 For Other Authorized Purposes (p. 23)
      4.2.3.3 CSO Authority in Other Circumstances (p. 23)
    4.2.4 Storage (p. 23)
    4.2.5 Justification and Penalties (p. 23)
      4.2.5.1 Justification (p. 23)
      4.2.5.2 Penalties (p. 23)
  4.3 Personally Identifiable Information (PII) (p. 23)
5 Policy and Implementation (p. 25)
  5.1 Policy Area 1: Information Exchange Agreements (p. 26)
    5.1.1 Information Exchange (p. 26)
      5.1.1.1 Information Handling (p. 26)
      5.1.1.2 State and Federal Agency User Agreements (p. 26)
      5.1.1.3 Criminal Justice Agency User Agreements (p. 27)
      5.1.1.4 Interagency and Management Control Agreements (p. 27)
      5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum (p. 27)
      5.1.1.6 Agency User Agreements (p. 28)
      5.1.1.7 Outsourcing Standards for Channelers (p. 28)
      5.1.1.8 Outsourcing Standards for Non-Channelers (p. 29)
    5.1.2 Monitoring, Review, and Delivery of Services (p. 29)
      5.1.2.1 Managing Changes to Service Providers (p. 29)
    5.1.3 Secondary Dissemination (p. 29)
    5.1.4 Secondary Dissemination of Non-CHRI CJI (p. 29)
    5.1.5 References/Citations/Directives (p. 30)
  5.2 Policy Area 2: Security Awareness Training (p. 31)
    5.2.1 Awareness Topics (p. 31)
      5.2.1.1 Level One Security Awareness Training (p. 31)
      5.2.1.2 Level Two Security Awareness Training (p. 31)
      5.2.1.3 Level Three Security Awareness Training (p. 31)
      5.2.1.4 Level Four Security Awareness Training (p. 32)
    5.2.2 Security Training Records (p. 33)
    5.2.3 References/Citations/Directives (p. 33)
  5.3 Policy Area 3: Incident Response (p. 35)
    5.3.1 Reporting Security Events (p. 35)
      5.3.1.1 Reporting Structure and Responsibilities (p. 35)
        5.3.1.1.1 FBI CJIS Division Responsibilities (p. 35)
        5.3.1.1.2 CSA ISO Responsibilities (p. 35)
    5.3.2 Management of Security Incidents (p. 36)
      5.3.2.1 Incident Handling (p. 36)
      5.3.2.2 Collection of Evidence (p. 36)
    5.3.3 Incident Response Training (p. 36)
    5.3.4 Incident Monitoring (p. 36)
    5.3.5 References/Citations/Directives (p. 37)
  5.4 Policy Area 4: Auditing and Accountability (p. 38)
    5.4.1 Auditable Events and Content (Information Systems) (p. 38)
      5.4.1.1 Events (p. 38)
        5.4.1.1.1 Content (p. 39)
    5.4.2 Response to Audit Processing Failures (p. 39)
    5.4.3 Audit Monitoring, Analysis, and Reporting (p. 39)
    5.4.4 Time Stamps (p. 39)
    5.4.5 Protection of Audit Information (p. 39)
    5.4.6 Audit Record Retention (p. 39)
    5.4.7 Logging NCIC and III Transactions (p. 40)
    5.4.8 References/Citations/Directives (p. 40)
  5.5 Policy Area 5: Access Control (p. 41)
    5.5.1 Account Management (p. 41)
    5.5.2 Access Enforcement (p. 41)
      5.5.2.1 Least Privilege (p. 42)
      5.5.2.2 System Access Control (p. 42)
      5.5.2.3 Access Control Criteria (p. 42)
      5.5.2.4 Access Control Mechanisms (p. 42)
    5.5.3 Unsuccessful Login Attempts (p. 43)
    5.5.4 System Use Notification (p. 43)
    5.5.5 Session Lock (p. 43)
    5.5.6 Remote Access (p. 44)
      5.5.6.1 Personally Owned Information Systems (p. 44)
      5.5.6.2 Publicly Accessible Computers (p. 45)
    5.5.7 References/Citations/Directives (p. 45)
  5.6 Policy Area 6: Identification and Authentication (p. 46)
    5.6.1 Identification Policy and Procedures (p. 46)
      5.6.1.1 Use of Originating Agency Identifiers in Transactions and Information Exchanges (p. 46)
    5.6.2 Authentication Policy and Procedures (p. 46)
      5.6.2.1 Standard Authenticators (p. 47)
        5.6.2.1.1 Password (p. 47)
        5.6.2.1.2 Personal Identification Number (PIN) (p. 47)
        5.6.2.1.3 One-time Passwords (OTP) (p. 48)
      5.6.2.2 Advanced Authentication (p. 48)
        5.6.2.2.1 Advanced Authentication Policy and Rationale (p. 48)
        5.6.2.2.2 Advanced Authentication Decision Tree (p. 49)
    5.6.3 Identifier and Authenticator Management (p. 51)
      5.6.3.1 Identifier Management (p. 51)
      5.6.3.2 Authenticator Management (p. 51)
    5.6.4 Assertions (p. 51)
    5.6.5 References/Citations/Directives (p. 52)
  5.7 Policy Area 7: Configuration Management (p. 58)
    5.7.1 Access Restrictions for Changes (p. 58)
      5.7.1.1 Least Functionality (p. 58)
      5.7.1.2 Network Diagram (p. 58)
    5.7.2 Security of Configuration Documentation (p. 58)
    5.7.3 References/Citations/Directives (p. 58)
  5.8 Policy Area 8: Media Protection (p. 60)
    5.8.1 Media Storage and Access (p. 60)
    5.8.2 Media Transport (p. 60)
      5.8.2.1 Digital Media during Transport (p. 60)
      5.8.2.2 Physical Media in Transit (p. 60)
    5.8.3 Digital Media Sanitization and Disposal (p. 60)
    5.8.4 Disposal of Physical Media (p. 60)
    5.8.5 References/Citations/Directives (p. 61)
  5.9 Policy Area 9: Physical Protection (p. 62)
    5.9.1 Physically Secure Location (p. 62)
      5.9.1.1 Security Perimeter (p. 62)
      5.9.1.2 Physical Access Authorizations (p. 62)
      5.9.1.3 Physical Access Control (p. 62)
      5.9.1.4 Access Control for Transmission Medium (p. 62)
      5.9.1.5 Access Control for Display Medium (p. 62)
      5.9.1.6 Monitoring Physical Access (p. 63)
      5.9.1.7 Visitor Control (p. 63)
      5.9.1.8 Delivery and Removal (p. 63)
    5.9.2 Controlled Area (p. 63)
    5.9.3 References/Citations/Directives (p. 63)
  5.10 Policy Area 10: System and Communications Protection and Information Integrity (p. 64)
    5.10.1 Information Flow Enforcement (p. 64)
      5.10.1.1 Boundary Protection (p. 64)
      5.10.1.2 Encryption (p. 65)
        5.10.1.2.1 Encryption for CJI in Transit (p. 65)
        5.10.1.2.2 Encryption for CJI at Rest (p. 66)
        5.10.1.2.3 Public Key Infrastructure (PKI) Technology (p. 66)
      5.10.1.3 Intrusion Detection Tools and Techniques (p. 67)
      5.10.1.4 Voice over Internet Protocol (p. 67)
      5.10.1.5 Cloud Computing (p. 67)
    5.10.2 Facsimile Transmission of CJI (p. 67)
    5.10.3 Partitioning and Virtualization (p. 68)
      5.10.3.1 Partitioning (p. 68)
      5.10.3.2 Virtualization (p. 68)
    5.10.4 System and Information Integrity Policy and Procedures (p. 69)
      5.10.4.1 Patch Management (p. 69)
      5.10.4.2 Malicious Code Protection (p. 69)
      5.10.4.3 Spam and Spyware Protection (p. 70)
      5.10.4.4 Security Alerts and Advisories (p. 70)
      5.10.4.5 Information Input Restrictions (p. 70)
    5.10.5 References/Citations/Directives (p. 70)
  5.11 Policy Area 11: Formal Audits (p. 72)
    5.11.1 Audits by the FBI CJIS Division (p. 72)
      5.11.1.1 Triennial Compliance Audits by the FBI CJIS Division (p. 72)
      5.11.1.2 Triennial Security Audits by the FBI CJIS Division (p. 72)
    5.11.2 Audits by the CSA (p. 72)
    5.11.3 Special Security Inquiries and Audits (p. 73)
    5.11.4 Compliance Subcommittees (p. 73)
    5.11.5 References/Citations/Directives (p. 73)
  5.12 Policy Area 12: Personnel Security (p. 74)
    5.12.1 Personnel Security (p. 74)
Policy and Procedures"}, {"dest": {"list": [{"ref": 291}, {"literal": "XYZ"}, {"number": 69}, {"number": 610}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 74, "title": "5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI:"}, {"dest": {"list": [{"ref": 296}, {"literal": "XYZ"}, {"number": 69}, {"number": 544}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 75, "title": "5.12.1.2 Personnel Screening for Contractors and Vendors"}, {"dest": {"list": [{"ref": 296}, {"literal": "XYZ"}, {"number": 69}, {"number": 154}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 75, "title": "5.12.2 Personnel Termination"}, {"dest": {"list": [{"ref": 299}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 76, "title": "5.12.3 Personnel Transfer"}, {"dest": {"list": [{"ref": 299}, {"literal": "XYZ"}, {"number": 69}, {"number": 652}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 76, "title": "5.12.4 Personnel Sanctions"}, {"dest": {"list": [{"ref": 299}, {"literal": "XYZ"}, {"number": 69}, {"number": 593}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 76, "title": "5.12.5 References/Citations/Directives"}, {"dest": {"list": [{"ref": 303}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 77, "title": "5.13 Policy Area 13: Mobile Devices"}, {"dest": {"list": [{"ref": 303}, {"literal": "XYZ"}, {"number": 69}, {"number": 549}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 77, "title": "5.13.1 Wireless Communications Technologies"}, {"dest": {"list": [{"ref": 303}, {"literal": "XYZ"}, {"number": 69}, {"number": 448}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 77, "title": "5.13.1.1 802.11 Wireless Protocols"}, {"dest": {"list": [{"ref": 307}, {"literal": "XYZ"}, {"number": 69}, {"number": 376}, {"number": 0}], "size": 5}, "level": 
4, "sub": [], "pageno": 78, "title": "5.13.1.2 Cellular Devices"}, {"dest": {"list": [{"ref": 309}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 5, "sub": [], "pageno": 79, "title": "5.13.1.2.1 Cellular Service Abroad"}, {"dest": {"list": [{"ref": 309}, {"literal": "XYZ"}, {"number": 69}, {"number": 604}, {"number": 0}], "size": 5}, "level": 5, "sub": [], "pageno": 79, "title": "5.13.1.2.2 Voice Transmissions Over Cellular Devices"}, {"dest": {"list": [{"ref": 309}, {"literal": "XYZ"}, {"number": 69}, {"number": 546}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 79, "title": "5.13.1.3 Bluetooth"}, {"dest": {"list": [{"ref": 309}, {"literal": "XYZ"}, {"number": 69}, {"number": 365}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 79, "title": "5.13.1.4 Mobile Hotspots"}, {"dest": {"list": [{"ref": 314}, {"literal": "XYZ"}, {"number": 69}, {"number": 660}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 80, "title": "5.13.2 Mobile Device Management (MDM)"}, {"dest": {"list": [{"ref": 314}, {"literal": "XYZ"}, {"number": 69}, {"number": 238}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 80, "title": "5.13.3 Wireless Device Risk Mitigations"}, {"dest": {"list": [{"ref": 317}, {"literal": "XYZ"}, {"number": 69}, {"number": 619}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 81, "title": "5.13.4 System Integrity"}, {"dest": {"list": [{"ref": 317}, {"literal": "XYZ"}, {"number": 69}, {"number": 518}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 81, "title": "5.13.4.1 Patching/Updates"}, {"dest": {"list": [{"ref": 317}, {"literal": "XYZ"}, {"number": 69}, {"number": 412}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 81, "title": "5.13.4.2 Malicious Code Protection"}, {"dest": {"list": [{"ref": 317}, {"literal": "XYZ"}, {"number": 69}, {"number": 279}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 81, "title": 
"5.13.4.3 Personal Firewall"}, {"dest": {"list": [{"ref": 322}, {"literal": "XYZ"}, {"number": 69}, {"number": 645}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 82, "title": "5.13.5 Incident Response"}, {"dest": {"list": [{"ref": 322}, {"literal": "XYZ"}, {"number": 69}, {"number": 366}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 82, "title": "5.13.6 Access Control"}, {"dest": {"list": [{"ref": 322}, {"literal": "XYZ"}, {"number": 69}, {"number": 292}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 82, "title": "5.13.7 Identification and Authentication"}, {"dest": {"list": [{"ref": 322}, {"literal": "XYZ"}, {"number": 69}, {"number": 233}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 82, "title": "5.13.7.1 Local Device Authentication"}, {"dest": {"list": [{"ref": 322}, {"literal": "XYZ"}, {"number": 69}, {"number": 161}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 82, "title": "5.13.7.2 Advanced Authentication"}, {"dest": {"list": [{"ref": 328}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 5, "sub": [], "pageno": 83, "title": "5.13.7.2.1 Compensating Controls"}, {"dest": {"list": [{"ref": 328}, {"literal": "XYZ"}, {"number": 69}, {"number": 270}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 83, "title": "5.13.7.3 Device Certificates"}, {"dest": {"list": [{"ref": 331}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 1, "sub": [], "pageno": 84, "title": "Appendices"}, {"dest": {"list": [{"ref": 331}, {"literal": "XYZ"}, {"number": 69}, {"number": 689}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 84, "title": "Appendix A Terms and Definitions"}, {"dest": {"list": [{"ref": 346}, {"literal": "XYZ"}, {"number": 69}, {"number": 727}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 97, "title": "Appendix B Acronyms"}, {"dest": {"list": [{"ref": 351}, {"literal": 
"XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 101, "title": "Appendix C Network Topology Diagrams"}, {"dest": {"list": [{"ref": 358}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 107, "title": "Appendix D Sample Information Exchange Agreements"}, {"dest": {"list": [{"ref": 358}, {"literal": "XYZ"}, {"number": 69}, {"number": 667}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 107, "title": "D.1 CJIS User Agreement"}, {"dest": {"list": [{"ref": 368}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 115, "title": "D.2 Management Control Agreement"}, {"dest": {"list": [{"ref": 370}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 116, "title": "D.3 Noncriminal Justice Agency Agreement & Memorandum of Understanding"}, {"dest": {"list": [{"ref": 377}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 122, "title": "D.4 Interagency Connection Agreement"}, {"dest": {"list": [{"ref": 383}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 127, "title": "Appendix E Security Forums and Organizational Entities"}, {"dest": {"list": [{"ref": 385}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 128, "title": "Appendix F Sample Forms"}, {"dest": {"list": [{"ref": 387}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 129, "title": "F.1 Security Incident Response Form"}, {"dest": {"list": [{"ref": 389}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 130, "title": "Appendix G Best practices"}, 
{"dest": {"list": [{"ref": 389}, {"literal": "XYZ"}, {"number": 69}, {"number": 687}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 130, "title": "G.1 Virtualization"}, {"dest": {"list": [{"ref": 394}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 133, "title": "G.2 Voice over Internet Protocol"}, {"dest": {"list": [{"ref": 406}, {"literal": "XYZ"}, {"number": 69}, {"number": 700}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 144, "title": "G.3 Cloud Computing"}, {"dest": {"list": [{"ref": 424}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 161, "title": "G.4 Mobile Appendix"}, {"dest": {"list": [{"ref": 446}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 182, "title": "G.5 Administrator Accounts for Least Privilege and Separation of Duties"}, {"dest": {"list": [{"ref": 460}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 195, "title": "G.6 Encryption"}, {"dest": {"list": [{"ref": 471}, {"literal": "XYZ"}, {"number": 69}, {"number": 744}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 205, "title": "Appendix H Security Addendum"}, {"dest": {"list": [{"ref": 480}, {"literal": "XYZ"}, {"number": 69}, {"number": 744}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 212, "title": "Appendix I References"}, {"dest": {"list": [{"ref": 485}, {"literal": "XYZ"}, {"number": 69}, {"number": 744}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 216, "title": "Appendix J Noncriminal Justice Agency Supplemental Guidance"}, {"dest": {"list": [{"ref": 494}, {"literal": "XYZ"}, {"number": 69}, {"number": 744}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 224, "title": "Appendix K Criminal Justice Agency Supplemental Guidance"}] 
{"5.8":{"I have electronic media (hard drives) containing Criminal Justice Information (CJI) stored within a physically secure location. Do I have to encrypt the data while in storage (i.e. media in storage)?":{"section":"5.8","body":"No. Encryption isn't necessary for electronic media while in storage within a physically secure location. ","title":"I have electronic media (hard drives) containing Criminal Justice Information (CJI) stored within a physically secure location. Do I have to encrypt the data while in storage (i.e. media in storage)?","linked":true}},"5.2":{"I know a test exists on-line, but could a test be designed by a local agency that would meet the CJIS requirements concerning Security Awareness Training?":{"section":"5.2","body":"Absolutely! While the CJIS Security Policy does not require a test as part of the Security Awareness Training, designing an evaluation that ties specifically to the agency computers, systems, and processes, could help ensure greater understanding of the required training topics.","title":"I know a test exists on-line, but could a test be designed by a local agency that would meet the CJIS requirements concerning Security Awareness Training?","linked":true},"Can a Channeler perform the security awareness training for Authorized Recipient personnel and/or contractor personnel?":{"section":"5.2","body":"Yes. There is no restriction on a Channeler performing the training as long as (1) the training covers all the areas outlined in the CJIS Security Policy (CSP) and (2) the Contracting Government Agency (CGA) doesn't provide specific training that supersedes the Channeler-provided training. ","title":"Can a Channeler perform the security awareness training for Authorized Recipient personnel and/or contractor personnel?","linked":true}},"5.3":{"What information should I send to the CJIS ISO to report an incident? 
":{"section":"5.3","body":"The CSA ISO should fill out the Security Incident Reporting Form found in Appendix F of the CJIS Security Policy. This is a sample form but it includes the minimum information the CJIS ISO requires. ","title":"What information should I send to the CJIS ISO to report an incident? ","linked":true}},"5.12.1.1":{"Is it necessary to fingerprint FBI agents each time they go to a new office in a different state? ":{"section":"5.12.1.1","body":"No. All agents are fingerprinted prior to assignment with the FBI. Being rotated between offices doesn't constitute a new assignment for the purpose of 5.12.1.1(1) even though the agency may refer to it as a reassignment. It's a similar situation for city police officers, troopers, etc. who rotate between various precincts or barracks through their careers but remain with the same agency.","title":"Is it necessary to fingerprint FBI agents each time they go to a new office in a different state? ","linked":true},"Would an agency employee of a small PD (CJA) who only has hard copy access to CJI (indirect access) - does not have their own terminal nor unescorted access to a physically secure location - be required to undergo fingerprint-based background check per FBI CSP?":{"section":"5.12.1.1","body":"In this example the employee would not need a fingerprint-based background check, but would have to complete security awareness training. ","title":"Would an agency employee of a small PD (CJA) who only has hard copy access to CJI (indirect access) - does not have their own terminal nor unescorted access to a physically secure location - be required to undergo fingerprint-based background check per FBI CSP?","linked":true}},"5.10.1.2":{"We are starting to store hard drives at locations outside of our physically secure location. The CJIS Security Policy requires the Criminal Justice Information (CJI) to be encrypted, and we think that the most effective method would be to encrypt the whole drive. 
However, our IT staff would like to implement a folder(s) encryption versus a whole disk encryption policy. Does the Policy require whole disk encryption in this scenario?":{"section":"5.10.1.2","body":"As long as the data is being encrypted in accordance with 5.10.1.2 for data at rest the requirements of the CJIS Security Policy are met. The Policy does not dictate whether this is accomplished via whole disk or file encryption. As with all requirements in the Policy, this is a minimum standard and CJIS community members are encouraged to exceed it.","title":"We are starting to store hard drives at locations outside of our physically secure location. The CJIS Security Policy requires the Criminal Justice Information (CJI) to be encrypted, and we think that the most effective method would be to encrypt the whole drive. However, our IT staff would like to implement a folder(s) encryption versus a whole disk encryption policy. Does the Policy require whole disk encryption in this scenario?","linked":true}},"5.10.1.5":{"Our agency uses a cloud service provider to store data, including CJI, as part of our disaster recovery plan. The data is encrypted by the cloud service provider in accordance with all CJIS Security Policy requirements. All other requirements are addressed as well, such as background checks and the Security Addendum for all cloud vendor employees. Recently, the cloud vendor has reluctantly disclosed its practice of utilizing metadata from the data (CJI) we provide to them as part of our service level agreement (SLA) for undisclosed commercial purposes. Is this permissible?":{"section":"5.10.1.5","body":"No it is not! Policy Section 5.10.1.5 explicitly prohibits the use of metadata derived from CJI by any cloud service provider for any commercial purposes.","title":"Our agency uses a cloud service provider to store data, including CJI, as part of our disaster recovery plan. 
The data is encrypted by the cloud service provider in accordance with all CJIS Security Policy requirements. All other requirements are addressed as well, such as background checks and the Security Addendum for all cloud vendor employees. Recently, the cloud vendor has reluctantly disclosed its practice of utilizing metadata from the data (CJI) we provide to them as part of our service level agreement (SLA) for undisclosed commercial purposes. Is this permissible?","linked":true},"Our agency has recently started using an application built and hosted in a cloud environment. The data center in which our CJI will traverse and be stored in will be a physically secure location, and all personnel with unescorted access to the datacenter will be cleared in accordance with the CJIS Security Policy requirements. This application functions as a software as a service (SaaS) model offered to us by the cloud service provider. Our agency will not have any technical control over the security of CJI once it is entered into the application. How can we ensure the cloud vendor will abide by the CJIS Security Policy requirements? How will we assess the solution? ":{"section":"5.10.1.5","body":"When using a SaaS product, typically the only control a cloud subscriber will have is what data to enter in the product. So, it is of paramount importance to vet the solution prior to agreeing to use it. You should perform some sort of audit and/or analysis of the product to ensure it will meet all the applicable CJIS Security Policy requirements. Also, as part of the contractual agreement (often the service level agreement, or SLA) with the cloud provider, the Security Addendum (SA) (Policy pages H5-H6) should be incorporated into the contract. In addition, all cloud provider employees with unescorted access to the datacenter or the ability to access unencrypted CJI will be required to sign the SA Certification page (H7) which must then be kept on file and accessible by your agency. 
The SA is a legal document which will ensure the cloud provider employees agree to adhere to the CJIS Security Policy requirements. ","title":"Our agency has recently started using an application built and hosted in a cloud environment. The data center in which our CJI will traverse and be stored in will be a physically secure location, and all personnel with unescorted access to the datacenter will be cleared in accordance with the CJIS Security Policy requirements. This application functions as a software as a service (SaaS) model offered to us by the cloud service provider. Our agency will not have any technical control over the security of CJI once it is entered into the application. How can we ensure the cloud vendor will abide by the CJIS Security Policy requirements? How will we assess the solution? ","linked":true}},"5.10.1.2.2":{"Our agency is considered a noncriminal justice agency (NCJA). As part of our daily process, we store information which we are told is criminal justice information (CJI) because it contains criminal history record information (CHRI). We want to store this information encrypted, but all the solutions we find that are FIPS 140-2-certified are more expensive. Do we have to use a solution that has this certification or can we use a less expensive product.":{"section":"5.10.1.2.2","body":"There are two options available to you to protect the CJI which you store at your location. You may use a solution that is FIPS 140-2-certified which uses a symmetric algorithm of at least 128 bit in strength. Or, you may use a solution based on the specific symmetric algorithm called Advanced Encryption Standard (AES) and is 256 bit in strength. This option will provide more compliant products to consider to protect CJI at rest. Please be aware the encryption requirement for data in transit may differ from the encryption you use to protect the data at rest. See Policy Section 5.10.1.2.1 for requirement to protect CJI in transit. 
","title":"Our agency is considered a noncriminal justice agency (NCJA). As part of our daily process, we store information which we are told is criminal justice information (CJI) because it contains criminal history record information (CHRI). We want to store this information encrypted, but all the solutions we find that are FIPS 140-2-certified are more expensive. Do we have to use a solution that has this certification or can we use a less expensive product.","linked":true}},"5.13.1.2.2":{"In order to report critical time-sensitive investigative information, can an officer in the field use an agency-issued cell phone (unencrypted voice transmission) to report this information back to the precinct?":{"section":"5.13.1.2.2","body":"Yes. Section 5.13.1.2.2 provides an exemption to the encryption and authentication requirements for transmitting CJI over cellular devices. ","title":"In order to report critical time-sensitive investigative information, can an officer in the field use an agency-issued cell phone (unencrypted voice transmission) to report this information back to the precinct?","linked":true}},"2.2":{"Our agency has been considering using tablets (Android or iPads) for everyday use. The tablets would have both cellular (3G and 4G) and wireless (Wi-Fi) connectivity. The intent is to allow the iPad to establish a FIPS 140-2 certified virtual private network (VPN) connection to the local agency network where access to Criminal Justice Information (CJI) would be possible. Is the use of tablets authorized under the CJIS Security Policy?":{"section":"2.2","body":"The question when considering the use of tablets, or any other mobile device, is whether Criminal Justice Information (CJI) will be transmitted, received, viewed, or stored. 
If so, the requirements of the Policy become effective for the scenario in which CJI is handled irrespective of the platform utilized.\n \nTablet requirements for compliance are determined based on the level of access required and the capabilities of the tablet device. So, for example if the tablet has Wi-Fi capability, the requirements of section 5.13.1.1 will apply. If the tablet has cellular network capability, then the requirements of section 5.13.1.2 will be applicable, and so on.\n \nThe principle of least functionality (5.7.1.1) is important to apply to tablets and other mobile devices. Only the essential, required capabilities of the device should be active and accessible to the user. For example, if Bluetooth connectivity is available on the device but not required then it should be disabled to protect the device from external threats.\n","title":"Our agency has been considering using tablets (Android or iPads) for everyday use. The tablets would have both cellular (3G and 4G) and wireless (Wi-Fi) connectivity. The intent is to allow the iPad to establish a FIPS 140-2 certified virtual private network (VPN) connection to the local agency network where access to Criminal Justice Information (CJI) would be possible. Is the use of tablets authorized under the CJIS Security Policy?","linked":true},"Can an agency be compliant with the CJIS Security Policy and cloud compute?":{"section":"2.2","body":"Because the Policy is device and architecture independent, the answer is yes, and this can be accomplished-- assuming the provider/vendor of the cloud technology is able to meet the technical, physical, and personnel security requirements of the Policy.\n \nDue to the general business model for cloud computing, there will be some level of reduced agency control that is transferred to the cloud service provider. This does not reduce the Policy requirements. 
On the contrary, this means that the outsourcing agency must use due diligence to ensure the requirements will be fulfilled.","title":"Can an agency be compliant with the CJIS Security Policy and cloud compute?","linked":true}},"5.13.4.3":{"Are personal firewalls only required for laptops or are they also required for handheld devices - phones, Blackberries, and so on?":{"section":"5.13.4.3","body":"Mobile devices with limited feature operating systems (i.e. tablets, smartphones) may not support personal firewalls. However, if the agency can demonstrate that the firewall protection provided by an enterprise server is pushed down to the devices and provides the same level of protection as a personal firewall, such as with a mobile device management (MDM) or enterprise mobile management (EMM) service, it could be acceptable. In order to make the final determination on this capability, the ISO program would typically look at the individual implementation and work with both the agency and the state ISO to make recommendations of compliance. ","title":"Are personal firewalls only required for laptops or are they also required for handheld devices - phones, Blackberries, and so on?","linked":true}},"5.6.2.2":{"Does the requirement of a username, password, and an IP or MAC address form an acceptable risk-based authentication solution that meets the requirements of Advanced Authentication (AA) per the CJIS Security Policy?":{"section":"5.6.2.2","body":"No. Risk-based authentication solutions should pull from a collection of multiple data sets that extend beyond the IP address and MAC address to other items such as OS, geo-location, time of day logon, screen resolution, etc. A risk determination is made based upon the solution's analysis of the collective information. 
Anything less would be nothing more than a challenge/response solution.","title":"Does the requirement of a username, password, and an IP or MAC address form an acceptable risk-based authentication solution that meets the requirements of Advanced Authentication (AA) per the CJIS Security Policy?","linked":true},"Is Advanced Authentication (AA) required when/if support personnel have direct access to Criminal Justice Information (CJI) from their home?":{"section":"5.6.2.2","body":"Absolutely! For direct access to CJI from outside of a physically secure location, AA is a requirement.","title":"Is Advanced Authentication (AA) required when/if support personnel have direct access to Criminal Justice Information (CJI) from their home?","linked":true},"We have been working on our advanced authentication solution. What we would like to use is a risk-based authentication (RBA) solution. The question we have is: Would a vendor-hosted RBA solution be acceptable rather than a self-hosted RBA solution?":{"section":"5.6.2.2","body":"Yes. You may outsource your AA solution to a vendor; however, you'll need to come up with a good plan for user management to ensure the vendor administrators responsible for system administration work on the authentication server are blocked from creating their own username access to your network. We advise you to consult with your local system administrators to ensure that does not occur. ","title":"We have been working on our advanced authentication solution. What we would like to use is a risk-based authentication (RBA) solution. The question we have is: Would a vendor-hosted RBA solution be acceptable rather than a self-hosted RBA solution?","linked":true},"An agency intends to implement a remote access authentication solution that involves using external hard tokens that will be issued for all agency employees. 
Upon logging in to the local agency, the user will be required to enter a user name (identification), a personal identification number (PIN) (something you know), and a hard token device (something you have). The question we have is will this meet the requirement for advanced authentication (AA)? ":{"section":"5.6.2.2","body":"Yes. Because the CJIS Security Policy does not say that a password has to be one of the factors of authentication, the use of a PIN as one factor of authentication is permissible. Therefore, the use of a username (identification), PIN (something you know), and hard token (something you have) can satisfy the requirement for AA, if implemented properly. \n\nNote: PIN requirements are found in Section 5.6.2.1.2.\n","title":"An agency intends to implement a remote access authentication solution that involves using external hard tokens that will be issued for all agency employees. Upon logging in to the local agency, the user will be required to enter a user name (identification), a personal identification number (PIN) (something you know), and a hard token device (something you have). The question we have is will this meet the requirement for advanced authentication (AA)? ","linked":true},"Do vendor-installed fingerprint readers that authenticate to the operating system at boot up time rather than asking for a second authentication factor when a CJIS application is opened on the computer meet the requirement of Advanced Authentication (AA)?":{"section":"5.6.2.2","body":"Whatever device is being used, the basic tenets of AA have to be met: identification (e.g. user name), authentication factor 1 (e.g. password), authentication factor 2 (e.g. fingerprint, token, etc.). Additionally, the authentication for the CJIS application has to occur at the local agency, CSA, SIB, or Channeler level. 
","title":"Do vendor-installed fingerprint readers that authenticate to the operating system at boot up time rather than asking for a second authentication factor when a CJIS application is opened on the computer meet the requirement of Advanced Authentication (AA)?","linked":true},"The CJIS Security Policy references \"user-based public key infrastructure (PKI).\" Will you elaborate on what that means?":{"section":"5.6.2.2","body":"PKI refers to the use of an infrastructure utilizing digital certificates for authentication. A user-based PKI solution requires user-specific certificates as a second form of authentication to meet the requirement for Advanced Authentication (AA). This means the certificate must be assigned to (tied to or associated with) the individual user and not to a particular device. This prevents multiple users from utilizing a common certificate as an authentication factor on a device. User-based certificates may be stored on an external device (e.g., token or smart card) or be issued for use per session. ","title":"The CJIS Security Policy references \"user-based public key infrastructure (PKI).\" Will you elaborate on what that means?","linked":true},"We would like to know if the following scenario constitutes a proper advanced authentication (AA) solution:\n \n* First, the user logs into a laptop using a username and password. \n\n* Next, the user establishes a VPN connection to the local agency network and is required to log in using another username and password. \n\n* Finally, the user launches an application that will provide access to Criminal Justice Information (CJI). The user is once again challenged for another username and password. \n\nSo, the user has had to enter a different username and password for each of the three login stages. 
As this requires multiple stages of authentication, each with differing user names and passwords, does this satisfy the requirement for AA per the CJIS Security Policy?\n":{"section":"5.6.2.2","body":"No, this implementation will not satisfy the requirement for AA. AA requires more than a single factor of authentication using a \"two-factor authentication\" or \"strong authentication\" solution or by implementing a risk-based authentication (RBA) solution. \n\nAdditionally, AA is required to be implemented either at the local agency, CSA, SIB or Channeler level, which will then assert the identity to all authorized applications. \n","title":"We would like to know if the following scenario constitutes a proper advanced authentication (AA) solution:\n \n* First, the user logs into a laptop using a username and password. \n\n* Next, the user establishes a VPN connection to the local agency network and is required to log in using another username and password. \n\n* Finally, the user launches an application that will provide access to Criminal Justice Information (CJI). The user is once again challenged for another username and password. \n\nSo, the user has had to enter a different username and password for each of the three login stages. As this requires multiple stages of authentication, each with differing user names and passwords, does this satisfy the requirement for AA per the CJIS Security Policy?\n","linked":true}},"5.11":{"What happens if we are unable to fix all the negative audit findings? Will the FBI revoke our access to CJI? ":{"section":"5.11","body":"The FBI does not independently revoke access. Negative audit findings will be part of the final report submitted to the Advisory Policy Board (APB) or Compact Council Sanctions Subcommittee and will be addressed within this subcommittee. Sanctions committee recommendations are vetted through the advisory process and it is through this process that continued access privileges are determined. 
","title":"What happens if we are unable to fix all the negative audit findings? Will the FBI revoke our access to CJI? ","linked":true}},"5.12":{"We have an agency that is asking about the requirements for a ride along program in relation to the CJIS Security Policy (CSP). Is it required for a ride along participant to be subjected to a fingerprint-based background check?":{"section":"5.12","body":"No, the ride along participant does not have to undergo a fingerprint-based background check as the individual will be escorted by the officer during the ride along.\n\nIt is recommended, however, to provide an abbreviated security awareness briefing for the ride along participant. This briefing can address what the expectations are and inform the rider that he/she should not disclose any sensitive information learned during the ride along.","title":"We have an agency that is asking about the requirements for a ride along program in relation to the CJIS Security Policy (CSP). Is it required for a ride along participant to be subjected to a fingerprint-based background check?","linked":true}},"1.5":{"CJIS Security Policy 4.5 is a Sensitive but Unclassified (SBU) document and not allowed to be posted to a public website or distributed to anyone who isn't an authorized user. Is the current Policy version also SBU?":{"section":"1.5","body":"CJIS Security Policy v5.0 removed dissemination restrictions and may be posted and shared without restrictions. All future versions will also be without restriction.","title":"CJIS Security Policy 4.5 is a Sensitive but Unclassified (SBU) document and not allowed to be posted to a public website or distributed to anyone who isn't an authorized user. Is the current Policy version also SBU?","linked":true}},"5.10.1.2.3":{"I have read about public key infrastructure technology and its use for protecting user certificates stored on smart cards. 
Is this the proper use for this type of encryption?":{"section":"5.10.1.2.3","body":"There are a few general uses for this type of asymmetric encryption. For the purpose of CJIS Security Policy compliance, however, this encryption solution is most commonly used for certificate protection on smart cards and the like, but not for information protection. This is because Policy Sections 5.10.1.2.1 and 5.10.1.2.2 state the encryption used to protect CJI in transit and at rest must use a symmetric algorithm. PKI uses asymmetric encryption. Please consult Appendix G.6 to learn more about the types of encryption.","title":"I have read about public key infrastructure technology and its use for protecting user certificates stored on smart cards. Is this the proper use for this type of encryption?","linked":true}},"1.3":{"During a Federal Information Security Management Act (FISMA) training course the following was stated, \"All government agencies, government contractors, and organizations that exchange data directly with government systems must be FISMA compliant.\" Since we exchange information with the FBI (CJIS), are we required to become FISMA compliant? ":{"section":"1.3","body":"FISMA compliance is a federal standard and is not mandatory governance for state, local and tribal agencies. Therefore, there is no requirement for states to be FISMA compliant in order to exchange information with CJIS.","title":"During a Federal Information Security Management Act (FISMA) training course the following was stated, \"All government agencies, government contractors, and organizations that exchange data directly with government systems must be FISMA compliant.\" Since we exchange information with the FBI (CJIS), are we required to become FISMA compliant? 
","linked":true}},"5.10.1.2.1":{"Must an encryption solution for data at rest in a controlled area be FIPS 140-2 certified to be considered compliant with the CJIS Security Policy?":{"section":"5.10.1.2.1","body":"No, the use of a FIPS 197 (AES) certified algorithm at 256 bit strength in accordance with 5.10.1.2(4) is allowed for data at rest. ","title":"Must an encryption solution for data at rest in a controlled area be FIPS 140-2 certified to be considered compliant with the CJIS Security Policy?","linked":true},"Does an encryption module that offers AES encryption at 256 bit strength that does not have a FIPS 140-2 certification meet the requirements for data in transit?":{"section":"5.10.1.2.1","body":"No. The cryptographic module must be FIPS 140-2 certified for data in transit. You can check the certification against the list of Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm).\n \nThere is one exception, however. Subsequent versions of approved cryptographic modules that are under current review for FIPS 140-2 compliance can be used in the interim until certification is complete.","title":"Does an encryption module that offers AES encryption at 256 bit strength that does not have a FIPS 140-2 certification meet the requirements for data in transit?","linked":true},"FIPS 140-2 specifies 4 levels of security. The CJIS Security Policy does not indicate which level meets the requirements for encryption. Which level of certification is required for compliance with the CSP? ":{"section":"5.10.1.2.1","body":"No certification level requirement is specified in the Policy for FIPS 140-2; therefore any level will work so long as the solution utilizes a certified cryptographic module. 
If the certificate can be produced, the requirement is met.\n \nThe benchmark used to ensure compliance of the cryptographic module is the certificate from the National Institute of Standards and Technology (NIST) website (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm). ","title":"FIPS 140-2 specifies 4 levels of security. The CJIS Security Policy does not indicate which level meets the requirements for encryption. Which level of certification is required for compliance with the CSP? ","linked":true}},"1.1":{"We understand that the CJIS Security Policy provides the minimum security standards for the protection of Criminal Justice Information (CJI), but our company is being asked to provide protection mechanisms that exceed the requirements listed in the Policy by the state. Must we comply with the state request or do we only have to meet the requirements of the Policy?":{"section":"1.1","body":"The Policy presents the minimum standards nationally. States are encouraged to exceed this standard in the protection of CJI. In the event the state requires standards above those listed within the Policy, CJIS would support the state in that decision. ","title":"We understand that the CJIS Security Policy provides the minimum security standards for the protection of Criminal Justice Information (CJI), but our company is being asked to provide protection mechanisms that exceed the requirements listed in the Policy by the state. Must we comply with the state request or do we only have to meet the requirements of the Policy?","linked":true}},"5.2.1.1":{"Our agency has a contract with a custodial service to provide cleaning services for the facility. These personnel are all private contractors and are background checked to allow for unescorted access. However, they may come across Criminal Justice Information (CJI) material lying around on desks. 
Are we required to provide security awareness training to the custodial service personnel?":{"section":"5.2.1.1","body":"Yes. These contractors may have access to CJI and therefore should be given the first level of security awareness training. This ensures they have been trained to act appropriately should they encounter CJI.","title":"Our agency has a contract with a custodial service to provide cleaning services for the facility. These personnel are all private contractors and are background checked to allow for unescorted access. However, they may come across Criminal Justice Information (CJI) material lying around on desks. Are we required to provide security awareness training to the custodial service personnel?","linked":true}},"5.8.3":{"Is it necessary to overwrite media three times before it is reused? ":{"section":"5.8.3","body":"Yes. Per Section 5.8.3 of the CJIS Security Policy, this is required for the sanitization of electronic media.","title":"Is it necessary to overwrite media three times before it is reused? ","linked":true}},"5.2.1.3":{"We have a number of dispatchers whose daily functions include running CJI queries at the request of the law enforcement officers. The dispatchers do have access to CJI both logically (running queries) and physically (printed copies of reports containing CJI). What level of security awareness training are they required to have been given?":{"section":"5.2.1.3","body":"These dispatchers have direct access to CJI and are therefore required to be given Level Three Security Awareness Training which pertains to all the topics identified in Policy Sections 5.2.1.1, 5.2.1.2, and 5.2.1.3.","title":"We have a number of dispatchers whose daily functions include running CJI queries at the request of the law enforcement officers. The dispatchers do have access to CJI both logically (running queries) and physically (printed copies of reports containing CJI). 
What level of security awareness training are they required to have been given?","linked":true}},"5.2.1.2":{"If an NCJA only maintains hard copies of CJI (CHRI files) stored in a locked file cabinet, what level of security awareness training do we have to provide and to whom?":{"section":"5.2.1.2","body":"Only those personnel who have the ability to access/open the locked file cabinet are required to receive security awareness training. Since this access is to hard copy CJI, it requires the Level Two Security Awareness Training which pertains to all the topics identified in Policy Sections 5.2.1.1 and 5.2.1.2. ","title":"If an NCJA only maintains hard copies of CJI (CHRI files) stored in a locked file cabinet, what level of security awareness training do we have to provide and to whom?","linked":true}},"5.12.1.2":{"Would a contractor who only has hard copy access to CJI (indirect access), but does have unescorted access to a physically secure location, be required to undergo a fingerprint-based background check?":{"section":"5.12.1.2","body":"Yes, for unescorted access to a physically secure location the contractor would be required to have fingerprint-based background checks irrespective of CJI access. Additionally, these personnel would have to complete security awareness training. ","title":"Would a contractor who only has hard copy access to CJI (indirect access), but does have unescorted access to a physically secure location, be required to undergo a fingerprint-based background check?","linked":true}},"5.2.1.4":{"Our agency has recently hired a number of system and network administrators to help us secure our network. These admins do not regularly access CJI, but instead spend most of their time creating accounts for new personnel, implementing security patches for existing systems, creating backups of existing systems, and implementing access controls throughout the network. These personnel could potentially access CJI, but it is not their focus to do so. 
Do they need security awareness training?":{"section":"5.2.1.4","body":"Yes. These administrators have privileged, administrative access to CJI and CJI-processing systems. These personnel are therefore required to be given Level Four Security Awareness Training which pertains to all the topics identified in Policy Sections 5.2.1.1, 5.2.1.2, 5.2.1.3, and 5.2.1.4. ","title":"Our agency has recently hired a number of system and network administrators to help us secure our network. These admins do not regularly access CJI, but instead spend most of their time creating accounts for new personnel, implementing security patches for existing systems, creating backups of existing systems, and implementing access controls throughout the network. These personnel could potentially access CJI, but it is not their focus to do so. Do they need security awareness training?","linked":true}},"5.9.1":{"Is security awareness training required for personnel to have unescorted access to physically secure locations?":{"section":"5.9.1","body":"Yes! Security Awareness training is required to permit unescorted access to a physically secure location. Please note this requirement also extends to unescorted, remote access to CJI and CJI processing systems located within a physically secure location.","title":"Is security awareness training required for personnel to have unescorted access to physically secure locations?","linked":true}},"5.10.4.1":{"Since Windows XP and Windows Vista are no longer supported by Microsoft, will systems still using these operating systems (OS) be found out of compliance during an FBI audit, and are there security concerns that would affect CJIS applications if LEOs have not upgraded to a newer version of Windows?":{"section":"5.10.4.1","body":"The CJIS ISO sent out guidance concerning Windows XP end-of-life (EOL) in April 2014 and Windows Vista end-of-life (EOL) in April 2017. 
Since Microsoft no longer supports the OS with patches, these no longer meet CJIS Security Policy requirements and any system using the OS will be found to be out of compliance during an audit.","title":"Since Windows XP and Windows Vista are no longer supported by Microsoft, will systems still using these operating systems (OS) be found out of compliance during an FBI audit, and are there security concerns that would affect CJIS applications if LEOs have not upgraded to a newer version of Windows?","linked":true}},"5.6.4":{"Our police department is small and only employs two information technology (IT) personnel to handle all our networking configurations and changes. In this type of environment, is it necessary to reflect all changes on a network diagram when the only two personnel that handle this are aware of the change?":{"section":"5.6.4","body":"Yes. Network diagrams are required and should be updated (to include date of last update) when changes to the network are made. ","title":"Our police department is small and only employs two information technology (IT) personnel to handle all our networking configurations and changes. In this type of environment, is it necessary to reflect all changes on a network diagram when the only two personnel that handle this are aware of the change?","linked":true}},"5.6.2":{"Per the CJIS Security Policy must the authentication occur at the Local Agency or CSO, but can fingerprint scanners built into laptops be used to satisfy the requirement for Advanced Authentication (AA)? ":{"section":"5.6.2","body":"Authentication of the fingerprints must be accomplished at the Local Agency or CSO level. Agencies can use fingerprint readers to capture the fingerprint attributes, but they can't use the cached information stored on the laptop as the authenticator for access to CJI. The scanned attributes must be asserted to the local agency or CSO where the authentication of the individual will be verified. 
","title":"Per the CJIS Security Policy must the authentication occur at the Local Agency or CSO, but can fingerprint scanners built into laptops be used to satisfy the requirement for Advanced Authentication (AA)? ","linked":true}},"5.9.2":{"Does an agency that designates a controlled area need to maintain a record of any visitors to the area?":{"section":"5.9.2","body":"No. There is no requirement to maintain visitor access records for a controlled area; however, measures must be taken to limit access to the controlled area during times of CJI processing.","title":"Does an agency that designates a controlled area need to maintain a record of any visitors to the area?","linked":true}},"5.5.3":{"Per the CJIS Security Policy, how many unsuccessful login attempts does it take to lock an account? For how long should that account be locked?":{"section":"5.5.3","body":"After a limit of no more than 5 consecutive invalid attempts the system shall automatically lock the account for a minimum of 10 minutes (unless released by an administrator).","title":"Per the CJIS Security Policy, how many unsuccessful login attempts does it take to lock an account? For how long should that account be locked?","linked":true}},"5.8.1":{"I have Criminal Justice Information (CJI) data stored on hard drives in a controlled area. Do I have to encrypt the CJI data?":{"section":"5.8.1","body":"Yes, unless the CJI is stored in a safe or other secured storage where access is limited to authorized personnel. See CJIS Security Policy section 5.9.2, Controlled Area, for additional requirements. ","title":"I have Criminal Justice Information (CJI) data stored on hard drives in a controlled area. Do I have to encrypt the CJI data?","linked":true},"Is Criminal Justice Information (CJI) permitted to be saved or stored on a workstation? 
If so, must the CJI be encrypted?":{"section":"5.8.1","body":"CJI may be saved unencrypted to a workstation that is within a physically secure location, but must be encrypted if saved to a workstation that resides outside the physically secure location. ","title":"Is Criminal Justice Information (CJI) permitted to be saved or stored on a workstation? If so, must the CJI be encrypted?","linked":true}},"5.10.4.3":{"Is there a requirement by the CJIS Security Policy to have spyware protection installed on the laptops issued by our department?":{"section":"5.10.4.3","body":"Yes, there is a requirement to employ spyware protection on mobile computing devices on the network. ","title":"Is there a requirement by the CJIS Security Policy to have spyware protection installed on the laptops issued by our department?","linked":true}},"5.5.5":{"An officer logs into our state's CJIS system utilizing Advanced Authentication (AA). If the officer initiates a session lock, is he/she required to perform AA in order to regain access to the application that is already connected?":{"section":"5.5.5","body":"There is no requirement for using AA simply to unlock the screen. ","title":"An officer logs into our state's CJIS system utilizing Advanced Authentication (AA). If the officer initiates a session lock, is he/she required to perform AA in order to regain access to the application that is already connected?","linked":true},"We understand that laptops in patrol cars are exempt from session lock. Once removed from the car, though, session locks are required. Since our agency policy allows for the removal of laptops from the patrol cars, would it be acceptable to have a policy requiring the officer to manually initiate a session lock once the laptop has been removed from the patrol car even though it's not a technical solution?":{"section":"5.5.5","body":"Yes, a policy can accomplish the desired outcome of the requirement in the absence of a technical solution. 
We would recommend including mitigation efforts for instances of policy non-compliance.","title":"We understand that laptops in patrol cars are exempt from session lock. Once removed from the car, though, session locks are required. Since our agency policy allows for the removal of laptops from the patrol cars, would it be acceptable to have a policy requiring the officer to manually initiate a session lock once the laptop has been removed from the patrol car even though it's not a technical solution?","linked":true}},"5.4.6":{"The Policy states audit records must be kept for at least one year. Must the audit records be retained within the regulatory agency system, or can our outsourced contractor who collects the logs for us keep them stored at their facility?":{"section":"5.4.6","body":"The Policy does not prescribe the process for retention of the logs. This allows each agency to implement a process which fits their business model. The model could include a centralized state records retention system or the use of a contractor for collection and storage.","title":"The Policy states audit records must be kept for at least one year. Must the audit records be retained within the regulatory agency system, or can our outsourced contractor who collects the logs for us keep them stored at their facility?","linked":true}},"5.4.7":{"What is the minimum amount of time our department must maintain a log of our National Crime Information Center (NCIC) transactions? ":{"section":"5.4.7","body":"A log shall be maintained for a minimum of one year for all NCIC transactions. ","title":"What is the minimum amount of time our department must maintain a log of our National Crime Information Center (NCIC) transactions? ","linked":true}},"5.5.6.2":{"Can an officer use a public library computer to access Criminal Justice Information (CJI)?":{"section":"5.5.6.2","body":"No, using publicly accessible computers to access, process, store or transmit CJI is prohibited. 
Some examples of publicly accessible computers include but are not limited to: hotel business center computers, convention center computers, public library computers, public kiosk computers, etc. ","title":"Can an officer use a public library computer to access Criminal Justice Information (CJI)?","linked":true}},"5.4.1":{"Our agency has wanted to create an all-in-one logging solution in which all the required logs would be sent to a centralized syslog server. We have found this to be difficult to establish due to our financial budget. So, are we authorized under the CJIS Security Policy to utilize a distributed logging solution (i.e. Active Directory logging + mobile data terminal (MDT) software + message switch logging)? ":{"section":"5.4.1","body":"Absolutely. The Policy does not dictate the means by which logs will be managed. While it may not be a desirable method, manual recording of activities is also acceptable in the event no automated system is in place to do so. ","title":"Our agency has wanted to create an all-in-one logging solution in which all the required logs would be sent to a centralized syslog server. We have found this to be difficult to establish due to our financial budget. So, are we authorized under the CJIS Security Policy to utilize a distributed logging solution (i.e. Active Directory logging + mobile data terminal (MDT) software + message switch logging)? ","linked":true}},"5.6.2.2.1":{"CJIS Security Policy Section 5.6.2.2.1, Advanced Authentication Policy and Rationale, only references a physically secure location. Do controlled areas require advanced authentication (AA)? ":{"section":"5.6.2.2.1","body":"Yes. Controlled areas were incorporated in the Policy for organizations that need to process Criminal Justice Information but can't, or don't have a need to, maintain a physically secure location (e.g. school board, Dept. 
of Human Services, etc.). A physically secure location incorporates physical, technical, and personnel controls that make AA unnecessary in most situations, whereas controlled areas require AA due to limitations in the aforementioned security controls. ","title":"CJIS Security Policy Section 5.6.2.2.1, Advanced Authentication Policy and Rationale, only references a physically secure location. Do controlled areas require advanced authentication (AA)? ","linked":true},"I have an agency that would like to set up some live scan fingerprint machines and wants to know: Is advanced authentication (AA) required when using them?":{"section":"5.6.2.2.1","body":"Short answer: It depends. The requirement for AA is based solely on whether or not CJI is returned to the live scan device and whether or not the live scan device is accessed remotely. If CJI is returned and the live scan is accessed remotely, then AA is required. If CJI is returned and the live scan is not accessed remotely, then AA is not required.","title":"I have an agency that would like to set up some live scan fingerprint machines and wants to know: Is advanced authentication (AA) required when using them?","linked":true},"Is Advanced Authentication (AA) required for direct access to Criminal Justice Information (CJI) remotely from a laptop that was just removed from a police vehicle (enclosed criminal justice conveyance)?":{"section":"5.6.2.2.1","body":"Removing the laptop from the police vehicle removes the device from a physically secure location. AA would be required for direct access to CJI from outside of a physically secure location.","title":"Is Advanced Authentication (AA) required for direct access to Criminal Justice Information (CJI) remotely from a laptop that was just removed from a police vehicle (enclosed criminal justice conveyance)?","linked":true}},"5.6.2.2.2":{"Could you provide me some explanation of what an assertion is? 
":{"section":"5.6.2.2.2","body":"Assertions essentially deal with two types of activities:\n \n(1) Taking the attributes of someone and sending (asserting) those attributes to an authentication server. \n\nExample: The user has a laptop that has an embedded or tethered fingerprint reader. The user scans their prints. Then, an application of some sort sends, or \"asserts,\" the attributes of the fingerprint along with other user information to an authentication server, which then looks at the provided attributes and determines whether or not the attributes are known or expected and are enough to authenticate the user's identity.\n \n(2) An identity provider who has already authenticated an individual and is sending (asserting) the user's identity to a service or a service broker (e.g., single sign-on).\n\nExample: Continuing with example 1, the authentication server is also an identity provider. The user, now that they have been identified, wants to access different services, but in order to access those services the user must provide their identity. The authentication server, acting as an identity provider, can assert the user's identity to the user-requested service(s).","title":"Could you provide me some explanation of what an assertion is? ","linked":true}},"5.12.1":{"Our agency's policy has been to require all people who have direct access or view any information from NCIC to be fingerprinted as a means to be in compliance with the CJIS Security Policy. We have been considering relaxing our policy to avoid paying for background checks that might not be needed. Would you explain what roles would require a background check and what roles would not?":{"section":"5.12.1","body":"Personnel with direct access to Criminal Justice Information (CJI) and support personnel with unescorted access to the physically secure location must be fingerprint-based background checked. Personnel such as court clerks, etc. 
who work outside the physically secure location but who will only view CJI on a regular basis are not required to be background checked but must be trained at the security awareness basic level (policy citation).","title":"Our agency's policy has been to require all people who have direct access or view any information from NCIC to be fingerprinted as a means to be in compliance with the CJIS Security Policy. We have been considering relaxing our policy to avoid paying for background checks that might not be needed. Would you explain what roles would require a background check and what roles would not?","linked":true}},"5.2.1":{"Our FBI Field office employees are required to take an annual Information Security (INFOSEC) training. Does this training fulfill the requirement for CJIS Security Policy security awareness training?":{"section":"5.2.1","body":"If the INFOSEC training covers all the required CJIS Security Policy Security Awareness Training areas listed for the user's role and the CSO of the state's CSA approves, then the answer is \"yes\". If it does not, additional training is required.","title":"Our FBI Field office employees are required to take an annual Information Security (INFOSEC) training. Does this training fulfill the requirement for CJIS Security Policy security awareness training?","linked":true}},"5.13.3":{"When I use a mobile (cellular) device, I unlock the device with a PIN. Does this satisfy the requirement for Advanced Authentication (AA) when using this kind of device?":{"section":"5.13.3","body":"No, this would satisfy the requirement for local device authentication (5.13.9.1) but does not satisfy the additional requirement for AA (5.13.3(3)).","title":"When I use a mobile (cellular) device, I unlock the device with a PIN. Does this satisfy the requirement for Advanced Authentication (AA) when using this kind of device?","linked":true}},"5.13.2":{"Our agency has been reviewing potential MDM solutions for our mobile devices. 
Some of the prominent products advertise \"cloud-based\" MDM controls. Are there any concerns with using a \"cloud-based\" MDM solution?":{"section":"5.13.2","body":"Typically, \"cloud-based\" MDM products simply allow administrative controls to be managed by a user accessing the controls via an Internet connection \"in the cloud.\" If this is the case, and no CJI data could be made accessible via this connection, this would be permissible.","title":"Our agency has been reviewing potential MDM solutions for our mobile devices. Some of the prominent products advertise \"cloud-based\" MDM controls. Are there any concerns with using a \"cloud-based\" MDM solution?","linked":true}},"5.1.1.4":{"A city Information Technology (IT) department performs all IT administration for the local police department (PD) and has a signed inter-agency agreement with the PD. Is it necessary to also sign a Management Control Agreement (MCA)?":{"section":"5.1.1.4","body":"Yes, unless the MCA is incorporated into the Inter-agency agreement. ","title":"A city Information Technology (IT) department performs all IT administration for the local police department (PD) and has a signed inter-agency agreement with the PD. Is it necessary to also sign a Management Control Agreement (MCA)?","linked":true}},"5.1.1.5":{"The city has a contract with a custodial service to provide cleaning services for the police department (PD). These personnel are all private contractors and may come across Criminal Justice Information (CJI) lying around on desks while cleaning certain areas. So, would these custodial service personnel contracted by a city to provide service to a PD be required to sign the Security Addendum (SA)?":{"section":"5.1.1.5","body":"No. For unescorted access, the custodians are required to have a fingerprint-based background check and the first level of security awareness training. This ensures they've been vetted and have the training to act appropriately should they encounter CJI. 
","title":"The city has a contract with a custodial service to provide cleaning services for the police department (PD). These personnel are all private contractors and may come across Criminal Justice Information (CJI) lying around on desks while cleaning certain areas. So, would these custodial service personnel contracted by a city to provide service to a PD be required to sign the Security Addendum (SA)?","linked":true},"Can an agency change some of the language in the Security Addendum (SA)?":{"section":"5.1.1.5","body":"No. Changes can only be made through the approval and direction of the FBI. Any changes to the addendum would invalidate the legal standing of the document. ","title":"Can an agency change some of the language in the Security Addendum (SA)?","linked":true}},"5.10.2":{"Our agency at times is required to print the results from an NCIC query and send them to the sheriff's office in the adjoining county via fax. The fax machine (single function device) is connected to a traditional telephone line, not the Internet. Is encryption required in our case?":{"section":"5.10.2","body":"No, encryption is not required, because the document travels over a traditional telephone line.","title":"Our agency at times is required to print the results from an NCIC query and send them to the sheriff's office in the adjoining county via fax. The fax machine (single function device) is connected to a traditional telephone line, not the Internet. Is encryption required in our case?","linked":true},"The county sheriff's office regularly sends printed NCIC files to the state police and does so via a multi-function copier/printer/fax machine that is connected to the Internet. It is our understanding that faxed documents are sent via the Internet and received by the recipient in their email. 
Is encryption required in this scenario?":{"section":"5.10.2","body":"Yes, encryption would be required in this scenario, because the document containing CJI is automatically converted to a digital file and routed to the recipient's email through the Internet. Remember, encryption in transit using FIPS 140-2 certified 128-bit symmetric encryption is required.","title":"The county sheriff's office regularly sends printed NCIC files to the state police and does so via a multi-function copier/printer/fax machine that is connected to the Internet. It is our understanding that faxed documents are sent via the Internet and received by the recipient in their email. Is encryption required in this scenario?","linked":true}},"5.8.2.1":{"What controls are needed when transporting a mobile device, such as a laptop, flash drive, etc. that may have Criminal Justice Information (CJI) or residual CJI data on it?":{"section":"5.8.2.1","body":"Encryption (as specified in section 5.10.1.2) is the optimal control during transport. If encryption of the data is not a possibility, then each agency shall institute other controls to ensure the security of the data.","title":"What controls are needed when transporting a mobile device, such as a laptop, flash drive, etc. that may have Criminal Justice Information (CJI) or residual CJI data on it?","linked":true}},"5.7.1.2":{"The network diagrams for our agency do not include every individual workstation as the CJIS Security Policy states that \"the number of workstations (clients) is sufficient.\" However, the older CJIS Security Policy v4.5 asked for ORI designations. Are these no longer a requirement? ":{"section":"5.7.1.2","body":"You are correct. The requirement for the use of ORI designations on network diagrams was dropped in CJIS Security Policy v5.0. 
","title":"The network diagrams for our agency do not include every individual workstation as the CJIS Security Policy states that \"the number of workstations (clients) is sufficient.\" However, the older CJIS Security Policy v4.5 asked for ORI designations. Are these no longer a requirement? ","linked":true},"Section 5.8 of the CJIS Security Policy requires that you simply have to have written policy and procedures. Then, in section 5.8.3 it is stated to have written documentation of the steps to sanitize or destroy media. Does this simply require procedures that include the steps taken, or must you keep documentation of the actual steps taken for each device, recorded with serial number, etc.? If you must keep a log for each device (where is this requirement documented?), how long must those logs be kept?":{"section":"5.7.1.2","body":"The intent of section 5.8 is to have written procedures and processes to ensure effective safeguarding guidance is available for all. The policy does not specify nor require documentation of the actual destruction. The expectation is that if your written procedures call for destruction in a specific manner that includes specific documentation then the auditors would look to see if the process was being followed. ","title":"Section 5.8 of the CJIS Security Policy requires that you simply have to have written policy and procedures. Then, in section 5.8.3 it is stated to have written documentation of the steps to sanitize or destroy media. Does this simply require procedures that include the steps taken, or must you keep documentation of the actual steps taken for each device, recorded with serial number, etc.? If you must keep a log for each device (where is this requirement documented?), how long must those logs be kept?","linked":true}},"5.6.2.1.3":{"Our authentication solution provider wants to send our authorized personnel One-time Passwords (OTP) via SMS text to a cell phone that is pre-registered to that person's account. 
Is this practice permissible in the CJIS Security Policy?":{"section":"5.6.2.1.3","body":"The OTP sent to a smartphone which is pre-registered to a user is a proper implementation of the out-of-band requirement. If the OTP complexity meets the rest of the requirements found in Policy Section 5.6.2.1.3, the solution would be acceptable.","title":"Our authentication solution provider wants to send our authorized personnel One-time Passwords (OTP) via SMS text to a cell phone that is pre-registered to that person's account. Is this practice permissible in the CJIS Security Policy?","linked":true}},"5.6.2.1.2":{"Our agency uses smart cards in addition to a username and password to meet the requirement for advanced authentication (AA) per the CJIS Security Policy. When the smart card is presented the user is challenged to enter a PIN to unlock the smart card. Do the requirements in 5.6.2.1.2 apply to the PIN associated with the smart card?":{"section":"5.6.2.1.2","body":"Yes, the PIN requirements do apply. The CSO may waive the 365-day expiration requirement (5.6.2.1.2(5a)).","title":"Our agency uses smart cards in addition to a username and password to meet the requirement for advanced authentication (AA) per the CJIS Security Policy. When the smart card is presented the user is challenged to enter a PIN to unlock the smart card. Do the requirements in 5.6.2.1.2 apply to the PIN associated with the smart card?","linked":true}},"5.6.2.1.1":{"Does the CJIS Security Policy require the use of special characters and numbers in passwords?":{"section":"5.6.2.1.1","body":"No. As always, however, agencies are highly encouraged to exceed this minimum standard. ","title":"Does the CJIS Security Policy require the use of special characters and numbers in passwords?","linked":true}},"5.11.2":{"What systems at the local agency does the CJIS Systems Agency (CSA) have to conduct an IT security audit on? 
Should email systems and Records Management Systems (RMS) be included?":{"section":"5.11.2","body":"Any system that contains or transports Criminal Justice Information (CJI) should be included in the audit. If the email system is used to receive or transmit CJI, then it should be included. RMS systems that contain CJI (which includes information received from a national CJIS system response whether entered directly or through scanning, copy and pasting, or hand entry) should also be included in the scope of the audit. ","title":"What systems at the local agency does the CJIS Systems Agency (CSA) have to conduct an IT security audit on? Should email systems and Records Management Systems (RMS) be included?","linked":true},"Our CSA wants to use a vendor to provide cloud storage of our backup data containing CJI. We understand we are required to do an audit of the facility in which our data will be kept. However, the datacenter for this vendor is located within another state. We have been in contact with the CSA of the state in which the facility resides. We can send auditors to the facility to conduct our audit, but our fellow CSA informed us they are about to conduct an audit of this facility. So, are we required to conduct our own audit or can we ask the vendor's local CSA to share their results with us to satisfy the requirement for us to audit?":{"section":"5.11.2","body":"You as the CSA may utilize the results of another CSA's CSP compliance audit of contractor facilities if that CSA agrees to share. The CSA may also provide the results of subsequent audits if an agreement between your CSAs has been reached to do so. Please note that audit results are only good for 3 years. So, if the local CSA conducted an audit a year prior to sharing the results with your CSA, for example, then those results are only acceptable until the contractor facility is audited again in 2 years. 
Also, be aware that this authority to share audit results does not apply to the audit requirement outlined in the Security and Management Control Outsourcing Standard for Non-Channelers and Channelers related to outsourcing noncriminal justice administrative functions.","title":"Our CSA wants to use a vendor to provide cloud storage of our backup data containing CJI. We understand we are required to do an audit of the facility in which our data will be kept. However, the datacenter for this vendor is located within another state. We have been in contact with the CSA of the state in which the facility resides. We can send auditors to the facility to conduct our audit, but our fellow CSA informed us they are about to conduct an audit of this facility. So, are we required to conduct our own audit or can we ask the vendor's local CSA to share their results with us to satisfy the requirement for us to audit?","linked":true}},"5.9.1.5":{"To comply with the CJIS Security Policy requirements for a physically secure location, is it necessary to shut down a Mobile Data Terminal (MDT) to maintain security while transporting an arrestee or if a citizen was to walk up to a police car while the MDT is in use?":{"section":"5.9.1.5","body":"As much as possible. It is recommended that during the times when Criminal Justice Information (CJI) is being processed, the officer should attempt to exercise control over the display (as seen in Section 5.9.1.5) to prevent viewing of CJI by unauthorized personnel. At other times, we recommend the use of session locks (though not required for MDTs while in police vehicles), screen protectors/filters, or screen savers, etc., to minimize any risk associated with arrestees or private citizens viewing the screen. 
","title":"To comply with the CJIS Security Policy requirements for a physically secure location, is it necessary to shut down a Mobile Data Terminal (MDT) to maintain security while transporting an arrestee or if a citizen was to walk up to a police car while the MDT is in use?","linked":true}},"5.5.6.1":{"Our agency has recently implemented policy permitting the use of personally owned laptop computers. In order for laptops to be given approval, they must be brought to our IT security team to be inspected on a bi-monthly basis to ensure all necessary software and protections are in place to meet compliance with both the CJIS Security Policy and our local policies. Do these conditions meet the CJIS Security Policy requirements for allowing personally owned information systems?":{"section":"5.5.6.1","body":"Yes. However, the CJIS ISO recommends personally owned devices be inspected monthly to ensure continued compliance with both policies. \n","title":"Our agency has recently implemented policy permitting the use of personally owned laptop computers. In order for laptops to be given approval, they must be brought to our IT security team to be inspected on a bi-monthly basis to ensure all necessary software and protections are in place to meet compliance with both the CJIS Security Policy and our local policies. Do these conditions meet the CJIS Security Policy requirements for allowing personally owned information systems?","linked":true}},"5.9.1.7":{"Will utilizing cameras to monitor the activities of visitors meet the policy requirement to escort visitors at all times and monitor activity? ":{"section":"5.9.1.7","body":"No, the use of cameras to monitor a visitor to a physically secure location does not constitute an escort. 
\n \nWhile a camera can serve as a great monitoring and detection tool, it cannot offer the same deterrence and preventative assurance measures necessary to ensure the protection and integrity of the physically secure location.","title":"Will utilizing cameras to monitor the activities of visitors meet the policy requirement to escort visitors at all times and monitor activity? ","linked":true}},"3.2.8":{"Who has the authority to appoint the (CSA) ISO?":{"section":"3.2.8","body":"The CJIS Systems Officer (CSO) appoints the CSA ISO. ","title":"Who has the authority to appoint the (CSA) ISO?","linked":true}},"3.2.9":{"Do LASOs have to be an employee of the criminal justice agency (CJA)? We ask, because our agency believes that the duties of a LASO indicate the person has to have authority to perform the duties.":{"section":"3.2.9","body":"The CJIS Security Policy does not require a LASO be a CJA employee. However, the implication of the LASO appointment is that authority required for the role would be available. ","title":"Do LASOs have to be an employee of the criminal justice agency (CJA)? We ask, because our agency believes that the duties of a LASO indicate the person has to have authority to perform the duties.","linked":true}},"3.2.2":{"Can the role of the CJIS Systems Officer (CSO) be outsourced?":{"section":"3.2.2","body":"No, pursuant to the Bylaws for the CJIS Advisory Policy Board and Working Groups, the role of CSO shall not be outsourced. ","title":"Can the role of the CJIS Systems Officer (CSO) be outsourced?","linked":true}},"3.2.3":{"Is it acceptable to have the same person assigned in the roles of both Terminal Agency Coordinator (TAC) and Local Agency Security Officer (LASO)?":{"section":"3.2.3","body":"Yes. The policy does not prohibit a person from functioning in both roles. 
","title":"Is it acceptable to have the same person assigned in the roles of both Terminal Agency Coordinator (TAC) and Local Agency Security Officer (LASO)?","linked":true}},"5.13.7.2.1":{"Our agency wants to begin utilizing agency-issued, MDM-controlled smartphone devices running a limited-feature operating system to access CJI through a remote connection to the agency network. CJI will not be permitted (by policy) to be stored on any mobile device. We intend to implement the following compensating controls on these devices in lieu of implementing AA on the agency network connection. The proposed implementation includes the following controls: each device will be issued and registered to a single individual who will be personally responsible for the device (no one else may use this device); device management will be registered by and controlled via a commercial MDM solution that provides the MDM administrator the ability to remotely lock the device, remotely erase all data stored on the device, and remotely locate the device via GPS tracking. Will these controls be considered acceptable compensating controls? ":{"section":"5.13.7.2.1","body":"The use of compensating controls must be approved by the CSO. The controls listed: controlled possession along with remote device locking, wiping, and GPS tracking do comply with the example controls found in Policy Section 5.13.7.2.1. If your proposal is accepted and approved by the CSO, this solution would be acceptable. ","title":"Our agency wants to begin utilizing agency-issued, MDM-controlled smartphone devices running a limited-feature operating system to access CJI through a remote connection to the agency network. CJI will not be permitted (by policy) to be stored on any mobile device. We intend to implement the following compensating controls on these devices in lieu of implementing AA on the agency network connection. 
The proposed implementation includes the following controls: each device will be issued and registered to a single individual who will be personally responsible for the device (no one else may use this device); device management will be registered by and controlled via a commercial MDM solution that provides the MDM administrator the ability to remotely lock the device, remotely erase all data stored on the device, and remotely locate the device via GPS tracking. Will these controls be considered acceptable compensating controls? ","linked":true}}}