CJIS Security Policy Resource Center

Download CJIS_Security_Policy_v5-9_20200601.pdf — 3872 KB

Document outline (section titles with PDF page numbers):

Executive Summary (p. 1)
Change Management (p. 2)
Summary of Changes (p. 3)
Table of Contents (p. 4)
List of Figures (p. 9)
1 Introduction (p. 10)
  1.1 Purpose (p. 10)
  1.2 Scope (p. 10)
  1.3 Relationship to Local Security Policy and Other Policies (p. 10)
  1.4 Terminology Used in This Document (p. 11)
  1.5 Distribution of the CJIS Security Policy (p. 11)
2 CJIS Security Policy Approach (p. 12)
  2.1 CJIS Security Policy Vision Statement (p. 12)
  2.2 Architecture Independent (p. 12)
  2.3 Risk Versus Realism (p. 12)
3 Roles and Responsibilities (p. 13)
  3.1 Shared Management Philosophy (p. 13)
  3.2 Roles and Responsibilities for Agencies and Parties (p. 13)
    3.2.1 CJIS Systems Agencies (CSA) (p. 14)
    3.2.2 CJIS Systems Officer (CSO) (p. 14)
    3.2.3 Terminal Agency Coordinator (TAC) (p. 15)
    3.2.4 Criminal Justice Agency (CJA) (p. 15)
    3.2.5 Noncriminal Justice Agency (NCJA) (p. 15)
    3.2.6 Contracting Government Agency (CGA) (p. 16)
    3.2.7 Agency Coordinator (AC) (p. 16)
    3.2.8 CJIS Systems Agency Information Security Officer (CSA ISO) (p. 16)
    3.2.9 Local Agency Security Officer (LASO) (p. 17)
    3.2.10 FBI CJIS Division Information Security Officer (FBI CJIS ISO) (p. 17)
    3.2.11 Repository Manager (p. 18)
    3.2.12 Compact Officer (p. 18)
4 Criminal Justice Information and Personally Identifiable Information (p. 19)
  4.1 Criminal Justice Information (CJI) (p. 19)
    4.1.1 Criminal History Record Information (CHRI) (p. 19)
  4.2 Access, Use and Dissemination of Criminal History Record Information (CHRI), NCIC Restricted Files Information, and NCIC Non-Restricted Files Information (p. 20)
    4.2.1 Proper Access, Use, and Dissemination of CHRI (p. 20)
    4.2.2 Proper Access, Use, and Dissemination of NCIC Restricted Files Information (p. 20)
    4.2.3 Proper Access, Use, and Dissemination of NCIC Non-Restricted Files Information (p. 20)
      4.2.3.1 For Official Purposes (p. 20)
      4.2.3.2 For Other Authorized Purposes (p. 21)
      4.2.3.3 CSO Authority in Other Circumstances (p. 21)
    4.2.4 Storage (p. 21)
    4.2.5 Justification and Penalties (p. 21)
      4.2.5.1 Justification (p. 21)
      4.2.5.2 Penalties (p. 21)
  4.3 Personally Identifiable Information (PII) (p. 21)
5 Policy and Implementation (p. 23)
  5.1 Policy Area 1: Information Exchange Agreements (p. 24)
    5.1.1 Information Exchange (p. 24)
      5.1.1.1 Information Handling (p. 24)
      5.1.1.2 State and Federal Agency User Agreements (p. 24)
      5.1.1.3 Criminal Justice Agency User Agreements (p. 25)
      5.1.1.4 Interagency and Management Control Agreements (p. 25)
      5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum (p. 25)
      5.1.1.6 Agency User Agreements (p. 26)
      5.1.1.7 Outsourcing Standards for Channelers (p. 26)
      5.1.1.8 Outsourcing Standards for Non-Channelers (p. 27)
    5.1.2 Monitoring, Review, and Delivery of Services (p. 27)
      5.1.2.1 Managing Changes to Service Providers (p. 27)
    5.1.3 Secondary Dissemination (p. 27)
    5.1.4 Secondary Dissemination of Non-CHRI CJI (p. 27)
  5.2 Policy Area 2: Security Awareness Training (p. 29)
    5.2.1 Basic Security Awareness Training (p. 29)
      5.2.1.1 Level One Security Awareness Training (p. 29)
      5.2.1.2 Level Two Security Awareness Training (p. 29)
      5.2.1.3 Level Three Security Awareness Training (p. 30)
      5.2.1.4 Level Four Security Awareness Training (p. 30)
    5.2.2 LASO Training (p. 31)
    5.2.3 Security Training Records (p. 31)
  5.3 Policy Area 3: Incident Response (p. 33)
    5.3.1 Reporting Security Events (p. 33)
      5.3.1.1 Reporting Structure and Responsibilities (p. 33)
        5.3.1.1.1 FBI CJIS Division Responsibilities (p. 33)
        5.3.1.1.2 CSA ISO Responsibilities (p. 33)
    5.3.2 Management of Security Incidents (p. 34)
      5.3.2.1 Incident Handling (p. 34)
      5.3.2.2 Collection of Evidence (p. 34)
    5.3.3 Incident Response Training (p. 34)
    5.3.4 Incident Monitoring (p. 34)
  5.4 Policy Area 4: Auditing and Accountability (p. 36)
    5.4.1 Auditable Events and Content (Information Systems) (p. 36)
      5.4.1.1 Events (p. 36)
        5.4.1.1.1 Content (p. 37)
    5.4.2 Response to Audit Processing Failures (p. 37)
    5.4.3 Audit Monitoring, Analysis, and Reporting (p. 37)
    5.4.4 Time Stamps (p. 37)
    5.4.5 Protection of Audit Information (p. 37)
    5.4.6 Audit Record Retention (p. 37)
    5.4.7 Logging NCIC and III Transactions (p. 38)
  5.5 Policy Area 5: Access Control (p. 39)
    5.5.1 Account Management (p. 39)
    5.5.2 Access Enforcement (p. 39)
      5.5.2.1 Least Privilege (p. 40)
      5.5.2.2 System Access Control (p. 40)
      5.5.2.3 Access Control Criteria (p. 40)
      5.5.2.4 Access Control Mechanisms (p. 40)
    5.5.3 Unsuccessful Login Attempts (p. 41)
    5.5.4 System Use Notification (p. 41)
    5.5.5 Session Lock (p. 41)
    5.5.6 Remote Access (p. 42)
      5.5.6.1 Personally Owned Information Systems (p. 42)
      5.5.6.2 Publicly Accessible Computers (p. 42)
  5.6 Policy Area 6: Identification and Authentication (p. 44)
    5.6.1 Identification Policy and Procedures (p. 44)
      5.6.1.1 Use of Originating Agency Identifiers in Transactions and Information Exchanges (p. 44)
    5.6.2 Authentication Policy and Procedures (p. 44)
      5.6.2.1 Standard Authenticators (p. 45)
        5.6.2.1.1 Password (p. 45)
        5.6.2.1.2 Personal Identification Number (PIN) (p. 47)
        5.6.2.1.3 One-time Passwords (OTP) (p. 47)
      5.6.2.2 Advanced Authentication (p. 47)
        5.6.2.2.1 Advanced Authentication Policy and Rationale (p. 48)
        5.6.2.2.2 Advanced Authentication Decision Tree (p. 48)
    5.6.3 Identifier and Authenticator Management (p. 50)
      5.6.3.1 Identifier Management (p. 50)
      5.6.3.2 Authenticator Management (p. 51)
    5.6.4 Assertions (p. 51)
  5.7 Policy Area 7: Configuration Management (p. 57)
    5.7.1 Access Restrictions for Changes (p. 57)
      5.7.1.1 Least Functionality (p. 57)
      5.7.1.2 Network Diagram (p. 57)
    5.7.2 Security of Configuration Documentation (p. 57)
  5.8 Policy Area 8: Media Protection (p. 58)
    5.8.1 Media Storage and Access (p. 58)
    5.8.2 Media Transport (p. 58)
      5.8.2.1 Digital Media during Transport (p. 58)
      5.8.2.2 Physical Media in Transit (p. 58)
    5.8.3 Digital Media Sanitization and Disposal (p. 58)
    5.8.4 Disposal of Physical Media (p. 58)
  5.9 Policy Area 9: Physical Protection (p. 60)
    5.9.1 Physically Secure Location (p. 60)
      5.9.1.1 Security Perimeter (p. 60)
      5.9.1.2 Physical Access Authorizations (p. 60)
      5.9.1.3 Physical Access Control (p. 60)
      5.9.1.4 Access Control for Transmission Medium (p. 60)
      5.9.1.5 Access Control for Display Medium (p. 60)
      5.9.1.6 Monitoring Physical Access (p. 61)
      5.9.1.7 Visitor Control (p. 61)
      5.9.1.8 Delivery and Removal (p. 61)
    5.9.2 Controlled Area (p. 61)
  5.10 Policy Area 10: System and Communications Protection and Information Integrity (p. 62)
    5.10.1 Information Flow Enforcement (p. 62)
      5.10.1.1 Boundary Protection (p. 62)
      5.10.1.2 Encryption (p. 63)
        5.10.1.2.1 Encryption for CJI in Transit (p. 63)
        5.10.1.2.2 Encryption for CJI at Rest (p. 64)
        5.10.1.2.3 Public Key Infrastructure (PKI) Technology (p. 64)
      5.10.1.3 Intrusion Detection Tools and Techniques (p. 64)
      5.10.1.4 Voice over Internet Protocol (p. 65)
      5.10.1.5 Cloud Computing (p. 65)
    5.10.2 Facsimile Transmission of CJI (p. 66)
    5.10.3 Partitioning and Virtualization (p. 66)
      5.10.3.1 Partitioning (p. 66)
      5.10.3.2 Virtualization (p. 67)
    5.10.4 System and Information Integrity Policy and Procedures (p. 67)
      5.10.4.1 Patch Management (p. 67)
      5.10.4.2 Malicious Code Protection (p. 68)
      5.10.4.3 Spam and Spyware Protection (p. 68)
      5.10.4.4 Security Alerts and Advisories (p. 68)
      5.10.4.5 Information Input Restrictions (p. 69)
  5.11 Policy Area 11: Formal Audits (p. 70)
    5.11.1 Audits by the FBI CJIS Division (p. 70)
      5.11.1.1 Triennial Compliance Audits by the FBI CJIS Division (p. 70)
      5.11.1.2 Triennial Security Audits by the FBI CJIS Division (p. 70)
    5.11.2 Audits by the CSA (p. 70)
    5.11.3 Special Security Inquiries and Audits (p. 71)
    5.11.4 Compliance Subcommittees (p. 71)
  5.12 Policy Area 12: Personnel Security (p. 72)
    5.12.1 Personnel Screening Requirements for Individuals Requiring Unescorted Access to Unencrypted CJI (p. 72)
    5.12.2 Personnel Termination (p. 73)
    5.12.3 Personnel Transfer (p. 73)
    5.12.4 Personnel Sanctions (p. 73)
  5.13 Policy Area 13: Mobile Devices (p. 75)
    5.13.1 Wireless Communications Technologies (p. 75)
      5.13.1.1 802.11 Wireless Protocols (p. 75)
      5.13.1.2 Cellular Devices (p. 76)
        5.13.1.2.1 Cellular Service Abroad (p. 77)
        5.13.1.2.2 Voice Transmissions Over Cellular Devices (p. 77)
      5.13.1.3 … (p. 77)
Bluetooth"}, {"dest": {"list": [{"ref": 223}, {"literal": "XYZ"}, {"number": 69}, {"number": 365}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 77, "title": "5.13.1.4 Mobile Hotspots"}, {"dest": {"list": [{"ref": 225}, {"literal": "XYZ"}, {"number": 69}, {"number": 660}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 78, "title": "5.13.2 Mobile Device Management (MDM)"}, {"dest": {"list": [{"ref": 225}, {"literal": "XYZ"}, {"number": 69}, {"number": 163}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 78, "title": "5.13.3 Wireless Device Risk Mitigations"}, {"dest": {"list": [{"ref": 227}, {"literal": "XYZ"}, {"number": 69}, {"number": 532}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 79, "title": "5.13.4 System Integrity"}, {"dest": {"list": [{"ref": 227}, {"literal": "XYZ"}, {"number": 69}, {"number": 431}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 79, "title": "5.13.4.1 Patching/Updates"}, {"dest": {"list": [{"ref": 227}, {"literal": "XYZ"}, {"number": 69}, {"number": 325}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 79, "title": "5.13.4.2 Malicious Code Protection"}, {"dest": {"list": [{"ref": 227}, {"literal": "XYZ"}, {"number": 69}, {"number": 192}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 79, "title": "5.13.4.3 Personal Firewall"}, {"dest": {"list": [{"ref": 229}, {"literal": "XYZ"}, {"number": 69}, {"number": 556}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 80, "title": "5.13.5 Incident Response"}, {"dest": {"list": [{"ref": 229}, {"literal": "XYZ"}, {"number": 69}, {"number": 277}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 80, "title": "5.13.6 Access Control"}, {"dest": {"list": [{"ref": 229}, {"literal": "XYZ"}, {"number": 69}, {"number": 204}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 80, "title": "5.13.7 Identification and Authentication"}, {"dest": {"list": [{"ref": 229}, 
{"literal": "XYZ"}, {"number": 69}, {"number": 144}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 80, "title": "5.13.7.1 Local Device Authentication"}, {"dest": {"list": [{"ref": 231}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 81, "title": "5.13.7.2 Advanced Authentication"}, {"dest": {"list": [{"ref": 231}, {"literal": "XYZ"}, {"number": 69}, {"number": 653}, {"number": 0}], "size": 5}, "level": 5, "sub": [], "pageno": 81, "title": "5.13.7.2.1 Compensating Controls"}, {"dest": {"list": [{"ref": 231}, {"literal": "XYZ"}, {"number": 69}, {"number": 267}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 81, "title": "5.13.7.3 Device Certificates"}, {"dest": {"list": [{"ref": 233}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 1, "sub": [], "pageno": 82, "title": "Appendices"}, {"dest": {"list": [{"ref": 233}, {"literal": "XYZ"}, {"number": 69}, {"number": 689}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 82, "title": "Appendix A Terms and Definitions"}, {"dest": {"list": [{"ref": 259}, {"literal": "XYZ"}, {"number": 69}, {"number": 727}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 95, "title": "Appendix B Acronyms"}, {"dest": {"list": [{"ref": 267}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 99, "title": "Appendix C Network Topology Diagrams"}, {"dest": {"list": [{"ref": 5335}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 105, "title": "Appendix D Sample Information Exchange Agreements"}, {"dest": {"list": [{"ref": 5335}, {"literal": "XYZ"}, {"number": 69}, {"number": 667}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 105, "title": "D.1 CJIS User Agreement"}, {"dest": {"list": [{"ref": 5351}, {"literal": "XYZ"}, {"number": 69}, {"number": 
720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 113, "title": "D.2 Management Control Agreement"}, {"dest": {"list": [{"ref": 5353}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 114, "title": "D.3 Noncriminal Justice Agency Agreement & Memorandum of Understanding"}, {"dest": {"list": [{"ref": 5365}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 120, "title": "D.4 Interagency Connection Agreement"}, {"dest": {"list": [{"ref": 5375}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 125, "title": "Appendix E Security Forums and Organizational Entities"}, {"dest": {"list": [{"ref": 5381}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 126, "title": "Appendix F Sample Forms"}, {"dest": {"list": [{"ref": 5383}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 127, "title": "F.1 Security Incident Response Form"}, {"dest": {"list": [{"ref": 5385}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 128, "title": "Appendix G Best practices"}, {"dest": {"list": [{"ref": 5385}, {"literal": "XYZ"}, {"number": 69}, {"number": 687}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 128, "title": "G.1 Virtualization"}, {"dest": {"list": [{"ref": 5391}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 131, "title": "G.2 Voice over Internet Protocol"}, {"dest": {"list": [{"ref": 5413}, {"literal": "XYZ"}, {"number": 69}, {"number": 700}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 142, "title": "G.3 Cloud Computing"}, {"dest": {"list": [{"ref": 5453}, {"literal": "XYZ"}, {"number": 
69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 159, "title": "G.4 Mobile Appendix"}, {"dest": {"list": [{"ref": 5495}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 180, "title": "G.5 Administrator Accounts for Least Privilege and Separation of Duties"}, {"dest": {"list": [{"ref": 5521}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 193, "title": "G.6 Encryption"}, {"dest": {"list": [{"ref": 5543}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 203, "title": "G.7 Incident Response"}, {"dest": {"list": [{"ref": 5569}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 216, "title": "G.8 Secure Coding"}, {"dest": {"list": [{"ref": 5594}, {"literal": "XYZ"}, {"number": 69}, {"number": 744}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 225, "title": "Appendix H Security Addendum"}, {"dest": {"list": [{"ref": 5610}, {"literal": "XYZ"}, {"number": 69}, {"number": 744}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 233, "title": "Appendix I References"}, {"dest": {"list": [{"ref": 5618}, {"literal": "XYZ"}, {"number": 69}, {"number": 744}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 237, "title": "Appendix J Noncriminal Justice Agency Supplemental Guidance"}, {"dest": {"list": [{"ref": 5634}, {"literal": "XYZ"}, {"number": 69}, {"number": 744}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 245, "title": "Appendix K Criminal Justice Agency Supplemental Guidance"}] {"5.2.1.3":{"We have a number of dispatchers where part of their daily duties include running CJI queries at the request of law enforcement officers. 
The dispatchers have access to CJI both logically (running queries) and physically (printed copies of reports containing CJI). What level of security awareness training are they required to have been given?":{"body":"These dispatchers have direct access to CJI and are therefore required to be given Level Three Security Awareness Training which pertains to all the topics identified in Policy Sections 5.2.1.1, 5.2.1.2, and 5.2.1.3.","section":"5.2.1.3","linked":true,"title":"We have a number of dispatchers where part of their daily duties include running CJI queries at the request of law enforcement officers. The dispatchers have access to CJI both logically (running queries) and physically (printed copies of reports containing CJI). What level of security awareness training are they required to have been given?"}},"5.2.1.2":{"If an NCJA only maintains hard copies of CJI (CHRI files) stored in a locked file cabinet what level of security awareness training do we have to provide and to whom?":{"body":"Only those personnel who have the ability to access/open the locked file cabinet are required to receive security awareness training. Since this access is to hard copy CJI, it requires the Level Two Security Awareness Training which pertains to all the topics identified in Policy Sections 5.2.1.1 and 5.2.1.2. ","section":"5.2.1.2","linked":true,"title":"If an NCJA only maintains hard copies of CJI (CHRI files) stored in a locked file cabinet what level of security awareness training do we have to provide and to whom?"}},"5.2.1.1":{"Our agency has a contract with a custodial service to provide cleaning services for the facility. These personnel are all private contractors and are background checked to allow for unescorted access. However, they may come across Criminal Justice Information (CJI) material lying around on desks. Are we required to provide security awareness training to the custodial service personnel?":{"body":"Yes. 
These contractors may have access to CJI and therefore should be given Level One Security Awareness Training. This ensures they have been trained to act appropriately should they encounter CJI.","section":"5.2.1.1","linked":true,"title":"Our agency has a contract with a custodial service to provide cleaning services for the facility. These personnel are all private contractors and are background checked to allow for unescorted access. However, they may come across Criminal Justice Information (CJI) material lying around on desks. Are we required to provide security awareness training to the custodial service personnel?"}},"5.2.1":{"Our FBI Field office employees are required to take an annual Information Security (INFOSEC) training. Does this training fulfill the requirement for CJIS Security Policy security awareness training?":{"body":"If the INFOSEC training covers all the required CJIS Security Policy Security Awareness Training areas listed for the user's role and the CSO of the state's CSA accepts the training, the answer is \"yes\". If not, additional training is required.","section":"5.2.1","linked":true,"title":"Our FBI Field office employees are required to take an annual Information Security (INFOSEC) training. Does this training fulfill the requirement for CJIS Security Policy security awareness training?"}},"5.9.1.5":{"To comply with the CJIS Security Policy requirements for a physically secure location, is it necessary to shut down a Mobile Data Terminal (MDT) to maintain security while transporting an arrestee or if a citizen was to walk up to a police car while the MDT is in use?":{"body":"As much as possible. It is recommended that during the times when Criminal Justice Information (CJI) is being processed, the officer should attempt to exercise control over the display (as seen in Section 5.9.1.5) to prevent viewing of CJI by unauthorized personnel. 
At other times, we recommend the use of session locks (though not required for MDTs while in police vehicles), screen protectors/filters, or screen savers, etc. to minimize any risk associated with arrestees or private citizens viewing the screen. ","section":"5.9.1.5","linked":true,"title":"To comply with the CJIS Security Policy requirements for a physically secure location, is it necessary to shut down a Mobile Data Terminal (MDT) to maintain security while transporting an arrestee or if a citizen was to walk up to a police car while the MDT is in use?"}},"5.2.1.4":{"Our agency has recently hired a number of system and network administrators to help us secure our network. These admins do not regularly access CJI, but instead spend most of their time creating accounts for new personnel, implementing security patches for existing systems, creating backups of existing systems, and implementing access controls throughout the network. These personnel could potentially access CJI, but it is not their focus to do so. Do they need security awareness training?":{"body":"Yes. These administrators have privileged, administrative access to CJI and CJI-processing systems. These personnel are therefore required to be given Level Four Security Awareness Training which pertains to all the topics identified in Policy Sections 5.2.1.1, 5.2.1.2, 5.2.1.3, and 5.2.1.4. ","section":"5.2.1.4","linked":true,"title":"Our agency has recently hired a number of system and network administrators to help us secure our network. These admins do not regularly access CJI, but instead spend most of their time creating accounts for new personnel, implementing security patches for existing systems, creating backups of existing systems, and implementing access controls throughout the network. These personnel could potentially access CJI, but it is not their focus to do so. 
Do they need security awareness training?"}},"1.5":{"CJIS Security Policy 4.5 is a Sensitive but Unclassified (SBU) document and not allowed to be posted to a public website or distributed to anyone who isn't an authorized user. Is the current Policy version also SBU?":{"body":"CJIS Security Policy v5.0 removed dissemination restrictions and may be posted and shared without restrictions. All future versions will also be without restriction.","section":"1.5","linked":true,"title":"CJIS Security Policy 4.5 is a Sensitive but Unclassified (SBU) document and not allowed to be posted to a public website or distributed to anyone who isn't an authorized user. Is the current Policy version also SBU?"}},"5.4.6":{"The Policy states audit records must be kept for at least one year. Must the audit records be retained within the regulatory agency system, or can our outsourced contractor who collects the logs for us keep them stored at their facility?":{"body":"The Policy does not prescribe the process for retention of the logs. This allows each agency to implement a process which fits their business model. The model could include a centralized state records retention system or the use of a contractor for collection and storage.","section":"5.4.6","linked":true,"title":"The Policy states audit records must be kept for at least one year. Must the audit records be retained within the regulatory agency system, or can our outsourced contractor who collects the logs for us keep them stored at their facility?"}},"5.4.7":{"What is the minimum amount of time our department must maintain a log of our National Crime Information Center (NCIC) transactions? ":{"body":"A log shall be maintained for a minimum of one year for all NCIC transactions. ","section":"5.4.7","linked":true,"title":"What is the minimum amount of time our department must maintain a log of our National Crime Information Center (NCIC) transactions? 
"}},"5.5.5":{"We understand that laptops in patrol cars are exempt from session lock. Once removed from the car, though, session locks are required. Since our agency policy allows for the removal of laptops from the patrol cars, would it be acceptable to have a policy requiring the officer to manually initiate a session lock once the laptop has been removed from the patrol car even though it's not a technical solution?":{"body":"In the absence of a technical solution, a policy can be used to accomplish the desired outcome of the requirement. We would recommend including mitigation efforts for instances of policy non-compliance.","section":"5.5.5","linked":true,"title":"We understand that laptops in patrol cars are exempt from session lock. Once removed from the car, though, session locks are required. Since our agency policy allows for the removal of laptops from the patrol cars, would it be acceptable to have a policy requiring the officer to manually initiate a session lock once the laptop has been removed from the patrol car even though it's not a technical solution?"},"An officer logs into our state's CJIS system utilizing Advanced Authentication (AA). If the officer initiates a session lock, is he/she required to perform AA in order to regain access to the application that is already connected?":{"body":"There is no requirement for using AA for local device authentication or to simply unlock the screen. ","section":"5.5.5","linked":true,"title":"An officer logs into our state's CJIS system utilizing Advanced Authentication (AA). If the officer initiates a session lock, is he/she required to perform AA in order to regain access to the application that is already connected?"}},"1.1":{"We understand that the CJIS Security Policy provides the minimum security standards for the protection of Criminal Justice Information (CJI), but our company is being asked to provide protection mechanisms that exceed the requirements listed in the Policy by the state. 
Must we comply with the state request or do we only have to meet the requirements of the Policy?":{"body":"The Policy presents the minimum standards nationally. States are encouraged to exceed this standard in the protection of CJI. In the event the state requires standards above those listed within the Policy, CJIS would support the state in that decision. ","section":"1.1","linked":true,"title":"We understand that the CJIS Security Policy provides the minimum security standards for the protection of Criminal Justice Information (CJI), but our company is being asked to provide protection mechanisms that exceed the requirements listed in the Policy by the state. Must we comply with the state request or do we only have to meet the requirements of the Policy?"}},"1.3":{"During a Federal Information Security Management Act (FISMA) training course the following was stated, \"All government agencies, government contractors, and organizations that exchange data directly with government systems must be FISMA compliant.\" Since we exchange information with the FBI (CJIS), are we required to become FISMA compliant? ":{"body":"FISMA compliance is a federal standard and is not mandatory governance for state, local and tribal agencies. Therefore, there is no requirement for states to be FISMA compliant in order to exchange information with CJIS.","section":"1.3","linked":true,"title":"During a Federal Information Security Management Act (FISMA) training course the following was stated, \"All government agencies, government contractors, and organizations that exchange data directly with government systems must be FISMA compliant.\" Since we exchange information with the FBI (CJIS), are we required to become FISMA compliant? "}},"5.1.1.4":{"A city Information Technology (IT) department performs all IT administration for the local police department (PD) and has a signed inter-agency agreement with the PD. 
Is it necessary to also sign a Management Control Agreement (MCA)?":{"body":"Yes, unless the MCA is incorporated into the inter-agency agreement. ","section":"5.1.1.4","linked":true,"title":"A city Information Technology (IT) department performs all IT administration for the local police department (PD) and has a signed inter-agency agreement with the PD. Is it necessary to also sign a Management Control Agreement (MCA)?"}},"5.1.1.5":{"Can an agency change some of the language in the Security Addendum (SA)?":{"body":"No. Changes can only be made by the FBI. Any unauthorized changes to the addendum would nullify the legal standing of the document. ","section":"5.1.1.5","linked":true,"title":"Can an agency change some of the language in the Security Addendum (SA)?"},"The city has a contract with a custodial service to provide cleaning services for the police department (PD). These personnel are all private contractors and may come across Criminal Justice Information (CJI) lying around on desks while cleaning certain areas. Would these custodial service personnel be required to sign the Security Addendum (SA) certification page?":{"body":"No. For unescorted access, the custodians are required to have a fingerprint-based background check and Level One Security Awareness Training. This ensures they've been vetted and have the training to act appropriately should they encounter CJI. ","section":"5.1.1.5","linked":true,"title":"The city has a contract with a custodial service to provide cleaning services for the police department (PD). These personnel are all private contractors and may come across Criminal Justice Information (CJI) lying around on desks while cleaning certain areas. Would these custodial service personnel be required to sign the Security Addendum (SA) certification page?"}},"5.8.2.1":{"What controls are needed when transporting a mobile device, such as a laptop, flash drive, etc. 
that may have Criminal Justice Information (CJI) or residual CJI data on it?":{"body":"Encryption (as specified in section 5.10.1.2) is the optimal control during transport. If encryption of the data is not a possibility, the agency must use physical controls to ensure the security of the data.","section":"5.8.2.1","linked":true,"title":"What controls are needed when transporting a mobile device, such as a laptop, flash drive, etc. that may have Criminal Justice Information (CJI) or residual CJI data on it?"}},"5.10.2":{"The county sheriff's office regularly sends printed NCIC files to the state police and does so via a multi-function copier/printer/fax machine that is connected to the Internet. It is our understanding that faxed documents are sent via the Internet and received by the recipient in their email. Is encryption required in this scenario?":{"body":"Yes, encryption would be required in this scenario, because the document containing CJI is automatically converted to a digital file and routed to the recipient's email through the Internet. Remember, encryption in transit using FIPS 140-2 certified 128 bit symmetric encryption is required.","section":"5.10.2","linked":true,"title":"The county sheriff's office regularly sends printed NCIC files to the state police and does so via a multi-function copier/printer/fax machine that is connected to the Internet. It is our understanding that faxed documents are sent via the Internet and received by the recipient in their email. Is encryption required in this scenario?"},"Our agency at times is required to print the results from an NCIC query and send them to the sheriff's office in the adjoining county via fax. The fax machine (single function device) is connected to a traditional telephone line, not the Internet. 
Is encryption required in our case?":{"body":"No, encryption is not required, because the document travels over a traditional telephone line.","section":"5.10.2","linked":true,"title":"Our agency at times is required to print the results from an NCIC query and send them to the sheriff's office in the adjoining county via fax. The fax machine (single function device) is connected to a traditional telephone line, not the Internet. Is encryption required in our case?"}},"5.7.2":{"Must our network diagram be protected at the same level as CJI?":{"body":"Network diagrams contain sensitive details of the information system and infrastructure and are protected consistent with the provisions in Section 5.5 Access Control.","section":"5.7.2","linked":true,"title":"Must our network diagram be protected at the same level as CJI?"}},"5.11":{"What happens if we are unable to fix all the negative audit findings? Will the FBI revoke our access to CJI? ":{"body":"The FBI does not independently revoke access. Negative audit findings will be part of the final report submitted to the Advisory Policy Board (APB) Compliance and Evaluation Subcommittee or Compact Council Sanctions Subcommittee and will be addressed within these subcommittees. Recommendations are vetted through the advisory and Compact process and it is through this process that continued access privileges are determined. ","section":"5.11","linked":true,"title":"What happens if we are unable to fix all the negative audit findings? Will the FBI revoke our access to CJI? "}},"5.6.2":{"Per the CJIS Security Policy authentication must occur at the Local Agency or CSA, but can a device's built-in fingerprint scanner be used to satisfy the requirement for Advanced Authentication (AA)? ":{"body":"Authentication of the fingerprints must be accomplished at the Local Agency or CSA level. 
Agencies can use fingerprint readers to capture the fingerprint attributes but they cannot use the cached information stored on the device as part of the authentication for access to CJI. The scanned attributes must be asserted to the Local Agency or CSA where the authentication of the individual will be verified. ","section":"5.6.2","linked":true,"title":"Per the CJIS Security Policy authentication must occur at the Local Agency or CSA, but can a device's built-in fingerprint scanner be used to satisfy the requirement for Advanced Authentication (AA)? "}},"5.11.2":{"Our CSA wants to use a vendor to provide cloud storage of our backup data containing CJI. We understand we are required to do an audit of the facility in which our data will be kept. However, the datacenter for this vendor is located within another state. We have been in contact with the CSA of the state in which the facility resides. We can send auditors to the facility to conduct our audit, but our fellow CSA informed us they are about to conduct an audit of this facility. Are we required to conduct our own audit or can we ask the vendor's local CSA to share their results with us to satisfy the requirement for us to audit?":{"body":"You as the CSA may utilize the results of another CSA's CSP compliance audit of contractor facilities if that CSA agrees to share. The CSA may also provide the results of subsequent audits if an agreement between your CSAs has been reached to do so. Please note that audit results are only good for 3 years. If the local CSA conducted an audit a year prior to sharing the results with your CSA, for example, then those results are only acceptable until the contractor facility is audited again in 2 years. Also, be aware this authority to share audit results does not apply to the audit requirement outlined in the Security and Management Control Outsourcing Standard for Non-Channeler and Channelers related to outsourcing noncriminal justice administrative functions. 
Additionally, your agency or state may have requirements aside from those in the CJIS Security Policy which the local CSA would not be aware of and would not audit.","section":"5.11.2","linked":true,"title":"Our CSA wants to use a vendor to provide cloud storage of our backup data containing CJI. We understand we are required to do an audit of the facility in which our data will be kept. However, the datacenter for this vendor is located within another state. We have been in contact with the CSA of the state in which the facility resides. We can send auditors to the facility to conduct our audit, but our fellow CSA informed us they are about to conduct an audit of this facility. Are we required to conduct our own audit or can we ask the vendor's local CSA to share their results with us to satisfy the requirement for us to audit?"},"What systems at the local agency does the CJIS Systems Agency (CSA) have to conduct an IT security audit on? Should email systems and Records Management Systems (RMS) be included?":{"body":"Any system that contains or transports Criminal Justice Information (CJI) should be included in the audit. If the email system is used to receive or transmit CJI, then it should be included. RMS systems that contain CJI (which includes information received from a national CJIS system response whether entered directly or through scanning, copy and pasting, or hand entry) should also be included in the scope of the audit. ","section":"5.11.2","linked":true,"title":"What systems at the local agency does the CJIS Systems Agency (CSA) have to conduct an IT security audit on? Should email systems and Records Management Systems (RMS) be included?"}},"3.2.2":{"Can the role of the CJIS Systems Officer (CSO) be outsourced?":{"body":"No, pursuant to the Bylaws for the CJIS Advisory Policy Board and Working Groups, the role of CSO shall not be outsourced. 
","section":"3.2.2","linked":true,"title":"Can the role of the CJIS Systems Officer (CSO) be outsourced?"}},"3.2.3":{"Is it acceptable to have the same person assigned in the roles of both Terminal Agency Coordinator (TAC) and Local Agency Security Officer (LASO)?":{"body":"Yes. The policy does not prohibit a person from functioning in both roles. ","section":"3.2.3","linked":true,"title":"Is it acceptable to have the same person assigned in the roles of both Terminal Agency Coordinator (TAC) and Local Agency Security Officer (LASO)?"}},"2.2":{"Our agency has been considering using tablets (Android or iPads) for everyday use. The tablets would have both cellular and wireless connectivity. The intent is to allow the iPad to establish a FIPS 140-2 certified virtual private network (VPN) connection to the local agency network where access to Criminal Justice Information (CJI) would be possible. Is the use of tablets authorized under the CJIS Security Policy?":{"body":"The question when considering the use of tablets, or any other mobile device, is whether Criminal Justice Information (CJI) will be transmitted, received, viewed, or stored. If so, the requirements of the Policy become effective for the scenario in which CJI is handled irrespective of the platform utilized.\n \nTablet requirements for compliance are determined based on the level of access required and the capabilities of the tablet device. For example, if the tablet has Wi-Fi capability, the requirements of section 5.13.1.1 will apply. If the tablet has cellular network capability, then the requirements of section 5.13.1.2 will be applicable, and so on.\n \nThe principle of least functionality (5.7.1.1) is important to apply to tablets and other mobile devices. Only the essential, required capabilities of the device should be active and accessible to the user. 
For example, if Bluetooth connectivity is available on the device but not required then it should be disabled to protect the device from external threats.\n","section":"2.2","linked":true,"title":"Our agency has been considering using tablets (Android or iPads) for everyday use. The tablets would have both cellular and wireless connectivity. The intent is to allow the iPad to establish a FIPS 140-2 certified virtual private network (VPN) connection to the local agency network where access to Criminal Justice Information (CJI) would be possible. Is the use of tablets authorized under the CJIS Security Policy?"},"Can an agency be compliant with the CJIS Security Policy and cloud compute?":{"body":"Because the Policy is device and architecture independent, the answer is yes and this can be accomplished assuming the provider/vendor of the cloud technology is able to meet the technical, physical, and personnel security requirements of the Policy.\n \nDue to the general business model for cloud computing, there will be some level of reduced agency control that is transferred to the cloud service provider. This does not reduce the Policy requirements. On the contrary, this means that the outsourcing agency must use due diligence to ensure the requirements will be met.","section":"2.2","linked":true,"title":"Can an agency be compliant with the CJIS Security Policy and cloud compute?"}},"5.9.1.7":{"Will utilizing cameras to monitor the activities of visitors meet the policy requirement to escort visitors at all times and monitor activity? ":{"body":"No, the use of cameras to monitor a visitor to a physically secure location does not constitute an escort. 
\n \nWhile a camera can serve as a great monitoring and detection tool, it cannot offer the same deterrence and preventative assurance measures necessary to ensure the protection and integrity of the physically secure location.","section":"5.9.1.7","linked":true,"title":"Will utilizing cameras to monitor the activities of visitors meet the policy requirement to escort visitors at all times and monitor activity? "}},"3.2.8":{"Who has the authority to appoint the (CSA) ISO?":{"body":"The CJIS Systems Officer (CSO) appoints the CSA ISO. ","section":"3.2.8","linked":true,"title":"Who has the authority to appoint the (CSA) ISO?"}},"3.2.9":{"Do LASOs have to be employees of the criminal justice agency (CJA)? We ask, because our agency believes that the duties of a LASO indicate the person has to have authority to perform the duties.":{"body":"The CJIS Security Policy does not require a LASO be a CJA employee. However, it is understood the LASO would have the authority commensurate with the position.","section":"3.2.9","linked":true,"title":"Do LASOs have to be employees of the criminal justice agency (CJA)? We ask, because our agency believes that the duties of a LASO indicate the person has to have authority to perform the duties."}},"5.2":{"Can a Channeler perform the security awareness training for Authorized Recipient personnel and/or contractor personnel?":{"body":"Yes. There is no restriction on a Channeler performing the training as long as (1) the training covers all the areas outlined in the CJIS Security Policy (CSP) and (2) the Contracting Government Agency (CGA) doesn't provide specific training that supersedes the Channeler-provided training. 
","section":"5.2","linked":true,"title":"Can a Channeler perform the security awareness training for Authorized Recipient personnel and/or contractor personnel?"},"I know a test exists on-line, but could a test be designed by a local agency that would meet the CJIS requirements concerning Security Awareness Training?":{"body":"Absolutely! While the CJIS Security Policy does not require a test as part of the Security Awareness Training, designing an evaluation that ties specifically to the agency computers, systems, and processes could help ensure greater understanding of the required training topics.","section":"5.2","linked":true,"title":"I know a test exists on-line, but could a test be designed by a local agency that would meet the CJIS requirements concerning Security Awareness Training?"}},"5.3":{"What information should I send to the CJIS ISO to report an incident? ":{"body":"The CSA ISO should fill out the Security Incident Reporting Form found in Appendix F of the CJIS Security Policy. This is a sample form but it includes the minimum information the CJIS ISO requires. ","section":"5.3","linked":true,"title":"What information should I send to the CJIS ISO to report an incident? "}},"5.9.1":{"Is security awareness training required for personnel to have unescorted access to physically secure locations?":{"body":"Yes! Security Awareness training is required to permit unescorted access to a physically secure location. Please note this requirement also extends to unescorted, remote access to CJI and CJI processing systems located within a physically secure location.","section":"5.9.1","linked":true,"title":"Is security awareness training required for personnel to have unescorted access to physically secure locations?"}},"5.9.2":{"Does an agency that designates a controlled area need to maintain a record of any visitors to the area?":{"body":"No. 
There is no requirement to maintain visitor access records for a controlled area; however, measures must be taken to limit access to the controlled area during times of CJI processing.","section":"5.9.2","linked":true,"title":"Does an agency that designates a controlled area need to maintain a record of any visitors to the area?"}},"5.8":{"Section 5.8 of the CJIS Security Policy requires the agency to have a written media protection policy and procedures. Section 5.8.3 requires written documentation of the steps to sanitize or destroy media. Is this a separate policy and does this indicate a log must be kept for each device sanitized or destroyed and if so, how long must those logs be kept?":{"body":"The intent of section 5.8 is to have a single written policy to ensure effective safeguarding, sanitization and destruction guidance is available for all media and situations. The policy does not specify nor require documentation or logging of the actual sanitization or destruction. The expectation is that your written procedures call for destruction in a specific manner which the auditors would evaluate to see if the process was being followed. ","section":"5.8","linked":true,"title":"Section 5.8 of the CJIS Security Policy requires the agency to have a written media protection policy and procedures. Section 5.8.3 requires written documentation of the steps to sanitize or destroy media. Is this a separate policy and does this indicate a log must be kept for each device sanitized or destroyed and if so, how long must those logs be kept?"}},"5.6.2.1.1":{"Does the CJIS Security Policy require the use of special characters and numbers in passwords?":{"body":"No. As always, however, agencies are highly encouraged to exceed this minimum standard. 
","section":"5.6.2.1.1","linked":true,"title":"Does the CJIS Security Policy require the use of special characters and numbers in passwords?"}},"5.13.7.2.1":{"Our agency wants to begin utilizing agency-issued, MDM-controlled smartphones running a limited-feature operating system to access CJI through a remote connection to the agency network. CJI will not be permitted (by policy) to be stored on any mobile device. We intend to implement the following compensating controls on these devices in lieu of implementing AA: each device will be issued and registered to a single individual who will be personally responsible for the device (no one else may use this device); device management will be registered by and controlled via a commercial MDM solution that provides the MDM administrator the ability to remotely lock the device, remotely erase all data stored on the device, and remotely locate the device via GPS tracking. Will these controls be considered acceptable compensating controls? ":{"body":"The proposed controls are only some of the controls required for acceptable use of compensating controls. Several other controls are listed in Section 5.13.7.2.1 and must be implemented. Compensating controls are temporary measures implemented while an AA solution is being acquired and must be approved by the CSO. The compensating controls will expire upon the date approved by the CSO or when a compliant AA solution is implemented.","section":"5.13.7.2.1","linked":true,"title":"Our agency wants to begin utilizing agency-issued, MDM-controlled smartphones running a limited-feature operating system to access CJI through a remote connection to the agency network. CJI will not be permitted (by policy) to be stored on any mobile device. 
We intend to implement the following compensating controls on these devices in lieu of implementing AA: each device will be issued and registered to a single individual who will be personally responsible for the device (no one else may use this device); device management will be registered by and controlled via a commercial MDM solution that provides the MDM administrator the ability to remotely lock the device, remotely erase all data stored on the device, and remotely locate the device via GPS tracking. Will these controls be considered acceptable compensating controls? "}},"5.6.2.1.3":{"Our authentication solution provider wants to send our authorized personnel One-time Passwords (OTP) via SMS text to a cell phone that is pre-registered to that person's account. Is this practice permissible in the CJIS Security Policy?":{"body":"The OTP sent to a smartphone which is pre-registered to a user is a proper implementation of the out-of-band requirement. If the OTP complexity meets the rest of the requirements found in Policy Section 5.6.2.1.3, the solution would be acceptable.","section":"5.6.2.1.3","linked":true,"title":"Our authentication solution provider wants to send our authorized personnel One-time Passwords (OTP) via SMS text to a cell phone that is pre-registered to that person's account. Is this practice permissible in the CJIS Security Policy?"}},"5.6.2.1.2":{"Our agency uses smart cards in addition to a username and password to meet the requirement for advanced authentication (AA) per the CJIS Security Policy. When the smart card is presented the user is challenged to enter a PIN to unlock the smart card. Do the requirements in 5.6.2.1.2 apply to the PIN associated with the smart card?":{"body":"Yes, the PIN requirements do apply. 
The CSO may waive the 365 expiration requirement (5.6.2.1.2(5a)).","section":"5.6.2.1.2","linked":true,"title":"Our agency uses smart cards in addition to a username and password to meet the requirement for advanced authentication (AA) per the CJIS Security Policy. When the smart card is presented the user is challenged to enter a PIN to unlock the smart card. Do the requirements in 5.6.2.1.2 apply to the PIN associated with the smart card?"}},"5.12":{"We have an agency that is asking about the requirements for a ride along program in relation to the CJIS Security Policy (CSP). Is it required for a ride along participant to be subjected to a fingerprint-based background check?":{"body":"No, the ride along participant does not have to undergo a fingerprint-based background check as the individual will be escorted by the officer during the ride along.\n\nIt is recommended, however, to provide an abbreviated security awareness briefing for the ride along participant. This briefing can address what the expectations are and inform the rider that he/she should not disclose any sensitive information learned during the ride along.","section":"5.12","linked":true,"title":"We have an agency that is asking about the requirements for a ride along program in relation to the CJIS Security Policy (CSP). Is it required for a ride along participant to be subjected to a fingerprint-based background check?"}},"5.6.2.2.2":{"Could you provide me some explanation of what an assertion is? ":{"body":"Assertions essentially deal with two types of activities:\n \n(1) Taking the attributes of someone and sending (asserting) those attributes to an authentication server. \n\nExample: The user has a laptop with an embedded or tethered fingerprint reader. 
The user scans their print and an application sends, or \"asserts,\" the attributes of the fingerprint along with other user information to an authentication server which compares the provided attributes with the registered credentials and determines whether or not the attributes are enough to authenticate the user's identity.\n \n(2) An identity provider who has already authenticated an individual and is sending (asserting) the user's identity to a service or a service broker (i.e. single sign-on).\n\nExample: Continuing with example 1, the authentication server is also an identity provider. The user, now that they have been identified, wants to access different services but in order to access those services the user must provide their identity. The authentication server, acting as an identity provider, can assert the user's identity to the user requested service(s).","section":"5.6.2.2.2","linked":true,"title":"Could you provide me some explanation of what an assertion is? "}},"5.6.2.2.1":{"Is Advanced Authentication (AA) required for direct access to Criminal Justice Information (CJI) remotely from a laptop that was just removed from a police vehicle (enclosed criminal justice conveyance)?":{"body":"Removing the laptop from the police vehicle removed the device from a physically secure location. 
AA is required for direct access to CJI from outside of a physically secure location.","section":"5.6.2.2.1","linked":true,"title":"Is Advanced Authentication (AA) required for direct access to Criminal Justice Information (CJI) remotely from a laptop that was just removed from a police vehicle (enclosed criminal justice conveyance)?"},"Do vendor-installed fingerprint readers that authenticate to the operating system at boot up time rather than asking for a second authentication factor when a CJIS application is opened on the computer meet the requirement of Advanced Authentication (AA)?":{"body":"Whatever device is being used, the basic tenets of AA have to be met: identification (e.g. user name), authentication factor 1 (e.g. password), authentication factor 2 (e.g. fingerprint, token, etc.). Additionally, the authentication for accessing CJI has to occur at the local agency, CSA, SIB, or Channeler level. ","section":"5.6.2.2.1","linked":true,"title":"Do vendor-installed fingerprint readers that authenticate to the operating system at boot up time rather than asking for a second authentication factor when a CJIS application is opened on the computer meet the requirement of Advanced Authentication (AA)?"},"CJIS Security Policy Section 5.6.2.2.1, Advanced Authentication Policy and Rationale, only references a physically secure location. Do controlled areas require advanced authentication (AA)? ":{"body":"Yes. Controlled areas were incorporated in the Policy for organizations that need to process Criminal Justice Information but can't, or don't have a need to, maintain a physically secure location (e.g. school board, Dept. of Human Services, etc.). A physically secure location incorporates physical, technical, and personnel controls that make AA unnecessary in most situations whereas controlled areas require AA due to limitations in the aforementioned security controls. 
","section":"5.6.2.2.1","linked":true,"title":"CJIS Security Policy Section 5.6.2.2.1, Advanced Authentication Policy and Rationale, only references a physically secure location. Do controlled areas require advanced authentication (AA)? "},"I have an agency that would like to set up live scan fingerprint machines and wants to know: is advanced authentication (AA) required when using them?":{"body":"Short answer: It depends. The requirement for AA is based solely on whether or not CJI is returned to the live scan device and whether or not the live scan device is accessed remotely. If CJI is returned and the live scan is accessed remotely, then AA is required. If CJI is returned and the live scan is not accessed remotely, then AA is not required.","section":"5.6.2.2.1","linked":true,"title":"I have an agency that would like to set up live scan fingerprint machines and wants to know: is advanced authentication (AA) required when using them?"}},"5.10.1.2.1":{"Does an encryption module that offers AES encryption at 256 bit strength that does not have a FIPS 140-2 certification meet the requirements for data in transit?":{"body":"No. The cryptographic module must be FIPS 140-2 certified for data in transit. You can check the certification against the list of Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules (https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search).\n \nThere is one exception, however. Subsequent versions of approved cryptographic modules that are under current review for FIPS 140-2 compliance can be used in the interim until certification is complete.","section":"5.10.1.2.1","linked":true,"title":"Does an encryption module that offers AES encryption at 256 bit strength that does not have a FIPS 140-2 certification meet the requirements for data in transit?"},"FIPS 140-2 specifies 4 levels of security. The CJIS Security Policy does not indicate which level meets the requirements for encryption. 
Which level of certification is required for compliance with the CSP? ":{"body":"No certification level requirement is specified in the Policy for FIPS 140-2; therefore any level will work so long as the solution utilizes a certified cryptographic module. If the certificate can be produced, the requirement is met.\n \nThe benchmark used to ensure compliance of the cryptographic module is the certificate from the National Institute of Standards and Technology (NIST) website (https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search). ","section":"5.10.1.2.1","linked":true,"title":"FIPS 140-2 specifies 4 levels of security. The CJIS Security Policy does not indicate which level meets the requirements for encryption. Which level of certification is required for compliance with the CSP? "}},"5.10.1.2.3":{"I have read about public key infrastructure (PKI) technology and its use for protecting user certificates stored on smart cards. Is this encryption suitable for data protection?":{"body":"PKI uses asymmetric encryption. For the purpose of CJIS Security Policy compliance, however, this encryption solution is most commonly used for certificate protection on smart cards and the like, but not for data (in-transit and at-rest) protection. This is because Policy Sections 5.10.1.2.1 and 5.10.1.2.2 state the encryption used to protect CJI in transit and at rest must use a symmetric algorithm. Please consult Appendix G.6 to learn more about the types of encryption.","section":"5.10.1.2.3","linked":true,"title":"I have read about public key infrastructure (PKI) technology and its use for protecting user certificates stored on smart cards. Is this encryption suitable for data protection?"}},"5.10.1.2.2":{"Our agency is considered a noncriminal justice agency (NCJA). As part of our daily process, we store information which we are told is criminal justice information (CJI) because it contains criminal history record information (CHRI). 
We want to store this information encrypted, but all the solutions we find that are FIPS 140-2-certified are more expensive. Do we have to use a solution that has this certification or can we use a less expensive product?":{"body":"There are two options available to protect the CJI/CHRI stored at your location. You may use a solution that is FIPS 140-2-certified which uses a symmetric algorithm of at least 128 bit in strength. Or, you may use a solution based on the specific symmetric algorithm called Advanced Encryption Standard (AES) that is 256 bit in strength. This option provides more compliant products to consider to protect CJI at rest. Please be aware the encryption requirement for data in-transit may differ from the encryption you use to protect the data at-rest. See Policy Section 5.10.1.2.1 for the requirement to protect CJI in-transit. ","section":"5.10.1.2.2","linked":true,"title":"Our agency is considered a noncriminal justice agency (NCJA). As part of our daily process, we store information which we are told is criminal justice information (CJI) because it contains criminal history record information (CHRI). We want to store this information encrypted, but all the solutions we find that are FIPS 140-2-certified are more expensive. Do we have to use a solution that has this certification or can we use a less expensive product?"},"Must an encryption solution for data at rest in a controlled area be FIPS 140-2 certified to be considered compliant with the CJIS Security Policy?":{"body":"No, the use of a FIPS 197 (AES) certified algorithm at 256 bit strength in accordance with 5.10.1.2.2 is allowed for data at rest. However, encryption meeting the data in-transit standard can be used for data at-rest. 
","section":"5.10.1.2.2","linked":true,"title":"Must an encryption solution for data at rest in a controlled area be FIPS 140-2 certified to be considered compliant with the CJIS Security Policy?"}},"5.10.4.3":{"Is there a requirement by the CJIS Security Policy to have spyware protection installed on the laptops issued by our department?":{"body":"Yes, there is a requirement to employ spyware protection on mobile computing devices on the network. ","section":"5.10.4.3","linked":true,"title":"Is there a requirement by the CJIS Security Policy to have spyware protection installed on the laptops issued by our department?"}},"5.6.2.2":{"We have been working on our advanced authentication solution. What we would like to use is a risk-based authentication (RBA) solution. The question we have is: Would a vendor-hosted RBA solution be acceptable rather than a self-hosted RBA solution?":{"body":"Yes. You may outsource your AA solution to a vendor; however, you'll need to come up with a good plan for user management to ensure the vendor administrators responsible for system administration work on the authentication server are blocked from creating their own username access to your network. We advise you to consult with your local system administrators to ensure that does not occur. ","section":"5.6.2.2","linked":true,"title":"We have been working on our advanced authentication solution. What we would like to use is a risk-based authentication (RBA) solution. The question we have is: Would a vendor-hosted RBA solution be acceptable rather than a self-hosted RBA solution?"},"An agency intends to implement a remote access authentication solution that involves using external hard tokens that will be issued for all agency employees. Upon logging in to the local agency, the user will be required to enter a user name (identification), a personal identification number (PIN) (something you know), and a hard token device (something you have). 
The question we have is will this meet the requirement for advanced authentication (AA)? ":{"body":"Yes. The CJIS Security Policy does not require a password to be one of the factors of authentication. Therefore, the use of a username (identification), PIN (something you know), and hard token (something you have) can satisfy the requirement for AA, if implemented properly. \n\nNote: PIN requirements are found in Section 5.6.2.1.2.\n","section":"5.6.2.2","linked":true,"title":"An agency intends to implement a remote access authentication solution that involves using external hard tokens that will be issued for all agency employees. Upon logging in to the local agency, the user will be required to enter a user name (identification), a personal identification number (PIN) (something you know), and a hard token device (something you have). The question we have is will this meet the requirement for advanced authentication (AA)? "},"Does the requirement of a username, password, and an IP or MAC address form an acceptable risk-based authentication solution that meets the requirements of Advanced Authentication (AA) per the CJIS Security Policy?":{"body":"No. Risk-based authentication solutions should consist of a collection of a number of factors that extend beyond the IP address and MAC address to other items such as OS, geo-location, time of day logon, screen resolution, etc. A risk determination is made based upon the solution's analysis of the collective information. Anything less would be nothing more than a challenge/response solution (i.e. 
knowledge-based authentication).","section":"5.6.2.2","linked":true,"title":"Does the requirement of a username, password, and an IP or MAC address form an acceptable risk-based authentication solution that meets the requirements of Advanced Authentication (AA) per the CJIS Security Policy?"},"The CJIS Security Policy references \"user-based public key infrastructure (PKI).\" Will you elaborate on what that means?":{"body":"PKI refers to the use of an infrastructure utilizing digital certificates for authentication. A user-based PKI solution requires user-specific certificates as a second form of authentication to meet the requirement for Advanced Authentication (AA). This means the certificate must be assigned to (tied to or associated with) the individual user and not to a particular device. This prevents multiple users from utilizing a common certificate as an authentication factor on a device. User-based certificates may be stored on an external device (e.g., token or smart card) or be issued for use per session. ","section":"5.6.2.2","linked":true,"title":"The CJIS Security Policy references \"user-based public key infrastructure (PKI).\" Will you elaborate on what that means?"},"Is Advanced Authentication (AA) required when/if support personnel have direct access to Criminal Justice Information (CJI) from their home?":{"body":"Absolutely! Direct access to CJI from outside of a physically secure location is a scenario requiring AA.","section":"5.6.2.2","linked":true,"title":"Is Advanced Authentication (AA) required when/if support personnel have direct access to Criminal Justice Information (CJI) from their home?"},"We would like to know if the following scenario constitutes a proper advanced authentication (AA) solution:\n \n* First, the user logs into a laptop using a username and password. \n\n* Next, the user establishes a VPN connection to the local agency network and is required to login using another username and password. 
\n\n* Finally, the user launches an application that will provide access to Criminal Justice Information (CJI). The user is once again challenged for another username and password. \n\nThe user has had to enter a different username and password for each of the three login stages. As this requires multiple stages of authentication each with differing user names and password, does this satisfy the requirement for AA per the CJIS Security Policy?\n":{"body":"No, this implementation will not satisfy the requirement for AA. AA requires more than a single factor of authentication using a \"two-factor authentication\" or \"strong authentication\" solution. In this scenario, the user has entered \"something you know\" each time. AA makes use of an additional factor such as \"something you have\" or \"something you are\" to meet the requirement.","section":"5.6.2.2","linked":true,"title":"We would like to know if the following scenario constitutes a proper advanced authentication (AA) solution:\n \n* First, the user logs into a laptop using a username and password. \n\n* Next, the user establishes a VPN connection to the local agency network and is required to login using another username and password. \n\n* Finally, the user launches an application that will provide access to Criminal Justice Information (CJI). The user is once again challenged for another username and password. \n\nThe user has had to enter a different username and password for each of the three login stages. 
As this requires multiple stages of authentication each with differing user names and password, does this satisfy the requirement for AA per the CJIS Security Policy?\n"}},"5.10.4.1":{"Since Windows XP and Windows Vista are no longer supported by Microsoft, will systems still using these operating systems (OS) be found out of compliance during an FBI audit, and are there security concerns that would affect CJIS applications if LEOs have not upgraded to a newer version of Windows?":{"body":"The CJIS ISO sent out guidance concerning Windows XP end-of-life (EOL) in April 2014 and Windows Vista end-of-life (EOL) in April 2017. Since Microsoft no longer supports the OS with patches, these no longer meet CJIS Security Policy requirements and any system using the OS will be found to be out of compliance during an audit.","section":"5.10.4.1","linked":true,"title":"Since Windows XP and Windows Vista are no longer supported by Microsoft, will systems still using these operating systems (OS) be found out of compliance during an FBI audit, and are there security concerns that would affect CJIS applications if LEOs have not upgraded to a newer version of Windows?"}},"5.13.1.2.2":{"In order to report critical time-sensitive investigative information, can an officer in the field use an agency-issued cell phone (unencrypted voice transmission) to report this information back to the precinct?":{"body":"Yes. Section 5.13.1.2.2 provides an exemption to the encryption and authentication requirements for transmitting CJI over cellular devices. ","section":"5.13.1.2.2","linked":true,"title":"In order to report critical time-sensitive investigative information, can an officer in the field use an agency-issued cell phone (unencrypted voice transmission) to report this information back to the precinct?"}},"5.7.1.2":{"Our police department is small and only employs two information technology (IT) personnel to handle all our networking configurations and changes. 
In this type of environment, is it necessary to reflect all changes on a network diagram when the only two personnel that handle this are aware of the change?":{"body":"Yes. Regardless of the number of IT personnel, network diagrams are required and should be updated (to include date of last update) when changes to the network are made. ","section":"5.7.1.2","linked":true,"title":"Our police department is small and only employs two information technology (IT) personnel to handle all our networking configurations and changes. In this type of environment, is it necessary to reflect all changes on a network diagram when the only two personnel that handle this are aware of the change?"},"The network diagrams for our agency do not include every individual workstation as the CJIS Security Policy states that \"the number of workstations (clients) is sufficient.\" However, the older CJIS Security Policy v4.5 asked for ORI designations. Are these no longer a requirement? ":{"body":"You are correct. The requirement for the use of ORI designations on network diagrams was dropped in CJIS Security Policy v5.0. ","section":"5.7.1.2","linked":true,"title":"The network diagrams for our agency do not include every individual workstation as the CJIS Security Policy states that \"the number of workstations (clients) is sufficient.\" However, the older CJIS Security Policy v4.5 asked for ORI designations. Are these no longer a requirement? "}},"5.13.4.3":{"Are personal firewalls only required for laptops or are they also required for handheld devices - smartphones, tablets, and so on?":{"body":"Mobile devices with full-featured operating systems (i.e. laptops and some tablets) require personal firewalls and malicious code protection. Mobile devices with limited-feature operating systems (i.e. most tablets, smartphones) do not normally support personal firewalls and malware protection. 
In lieu of those applications, a mobile device management (MDM) system is required.","section":"5.13.4.3","linked":true,"title":"Are personal firewalls only required for laptops or are they also required for handheld devices - smartphones, tablets, and so on?"}},"5.8.1":{"I have physical media containing Criminal Justice Information (CJI) located within a physically secure location. Do I have to lock the documents in a file cabinet (i.e. physical media in storage)?":{"body":"No. Inside the physically secure location, documents are not required to be locked in a cabinet.","section":"5.8.1","linked":true,"title":"I have physical media containing Criminal Justice Information (CJI) located within a physically secure location. Do I have to lock the documents in a file cabinet (i.e. physical media in storage)?"},"I have Criminal Justice Information (CJI) data stored on hard drives in a controlled area. Do I have to encrypt the CJI?":{"body":"Yes, unless the CJI is stored in a safe or other secured storage where access is limited to authorized personnel. See CJIS Security Policy section 5.9.2, Controlled Area, for additional requirements. ","section":"5.8.1","linked":true,"title":"I have Criminal Justice Information (CJI) data stored on hard drives in a controlled area. Do I have to encrypt the CJI?"},"Is Criminal Justice Information (CJI) permitted to be saved or stored on a workstation? If so, must the CJI be encrypted?":{"body":"CJI may be saved unencrypted to a workstation that is within a physically secure location, but must be encrypted if saved to a workstation that resides outside the physically secure location such as in a controlled area. ","section":"5.8.1","linked":true,"title":"Is Criminal Justice Information (CJI) permitted to be saved or stored on a workstation? If so, must the CJI be encrypted?"},"I have electronic media (hard drives) containing Criminal Justice Information (CJI) stored within a physically secure location. 
Do I have to encrypt the data while in storage (i.e. media in storage)?":{"body":"No. Encryption isn't necessary for electronic media while in storage within a physically secure location. ","section":"5.8.1","linked":true,"title":"I have electronic media (hard drives) containing Criminal Justice Information (CJI) stored within a physically secure location. Do I have to encrypt the data while in storage (i.e. media in storage)?"}},"5.8.3":{"Is it necessary to overwrite media three times before it is reused? ":{"body":"Yes. Per the Section 5.8.3 of the CJIS Security Policy, this is required for the sanitization of electronic media. The requirement also allows the use of degaussing instead of overwriting.","section":"5.8.3","linked":true,"title":"Is it necessary to overwrite media three times before it is reused? "}},"5.5.3":{"Per the CJIS Security Policy, how many unsuccessful login attempts does it take to lock an account and how long should that account be locked?":{"body":"After a limit of no more than 5 consecutive invalid attempts the system shall automatically lock the account for a minimum of 10 minutes (unless released by an administrator).","section":"5.5.3","linked":true,"title":"Per the CJIS Security Policy, how many unsuccessful login attempts does it take to lock an account and how long should that account be locked?"}},"5.12.1":{"Would an employee of a small PD (CJA) that does not have their own terminal nor unescorted access to a physically secure location and only has hard copy access to CJI (indirect access) be required to undergo fingerprint-based background check per FBI CSP?":{"body":"Yes. In this example the employee has unescorted access to hard copy CJI and would need a fingerprint-based background check. 
Additionally, the employee would have to complete Level Two Security Awareness Training.","section":"5.12.1","linked":true,"title":"Would an employee of a small PD (CJA) that does not have their own terminal nor unescorted access to a physically secure location and only has hard copy access to CJI (indirect access) be required to undergo fingerprint-based background check per FBI CSP?"},"Would a contractor who has hard copy access to CJI and unescorted access to a physically secure location be required to undergo fingerprint-based background check?":{"body":"Yes, for unescorted access to a physically secure location the contractor would be required to have fingerprint-based background checks irrespective of CJI access. Additionally, these personnel would have to complete at least Level Two Security Awareness Training. ","section":"5.12.1","linked":true,"title":"Would a contractor who has hard copy access to CJI and unescorted access to a physically secure location be required to undergo fingerprint-based background check?"},"Is it necessary to fingerprint FBI agents each time they go to a new office in a different state? ":{"body":"No. All FBI personnel are fingerprinted prior to assignment with the FBI. Being rotated between offices but still within the Bureau does not constitute a new assignment for the purpose of 5.12.1.1(1). It's a similar situation for city police officers, troopers, etc. who rotate between various precincts or barracks through their careers but remain with the same agency.","section":"5.12.1","linked":true,"title":"Is it necessary to fingerprint FBI agents each time they go to a new office in a different state? "},"Our agency's policy has been to require all people who have direct access or view any information from NCIC to be fingerprinted as a means to be in compliance with the CJIS Security Policy. We have been considering relaxing our policy to avoid paying for background checks that might not be needed. 
Would you explain what roles would require a background check and what roles would not?":{"body":"All personnel with unescorted access to unencrypted Criminal Justice Information (CJI) and all personnel with unescorted access to the physically secure location must have a fingerprint-based background check.","section":"5.12.1","linked":true,"title":"Our agency's policy has been to require all people who have direct access or view any information from NCIC to be fingerprinted as a means to be in compliance with the CJIS Security Policy. We have been considering relaxing our policy to avoid paying for background checks that might not be needed. Would you explain what roles would require a background check and what roles would not?"}},"5.10.1.5":{"Our agency has recently started using an application built and hosted in a cloud environment. The data center in which our CJI will traverse and be stored in will be a physically secure location, and all personnel with unescorted access to the datacenter will be cleared in accordance with the CJIS Security Policy requirements. This application functions as a software as a service (SaaS) model offered to us by the cloud service provider. Our agency will not have any technical control over the security of CJI once it is entered into the application. How can we ensure the cloud vendor will abide by the CJIS Security Policy requirements? How will we assess the solution? ":{"body":"When using a SaaS product typically the only control a cloud subscriber will have is what data to enter in the product. So, it is of paramount importance to vet the solution prior to agreeing to use it. You should perform some sort of audit and/or analysis of the product to ensure it will meet all the applicable CJIS Security Policy requirements. Also, as part of the contractual agreement (often the service level agreement, or SLA) with the cloud provider, the Security Addendum (SA) (Policy pages H5-H6) should be incorporated into the contract. 
In addition, all cloud provider employees with unescorted access to the datacenter or the ability to access unencrypted CJI will be required to sign the SA Certification page (H7) which must then be kept on file and accessible by your agency. The SA is a legal document which will ensure the cloud provider employees agree to adhere to the CJIS Security Policy requirements. ","section":"5.10.1.5","linked":true,"title":"Our agency has recently started using an application built and hosted in a cloud environment. The data center in which our CJI will traverse and be stored in will be a physically secure location, and all personnel with unescorted access to the datacenter will be cleared in accordance with the CJIS Security Policy requirements. This application functions as a software as a service (SaaS) model offered to us by the cloud service provider. Our agency will not have any technical control over the security of CJI once it is entered into the application. How can we ensure the cloud vendor will abide by the CJIS Security Policy requirements? How will we assess the solution? "},"Our agency uses a cloud service provider to store data, including CJI, as part of our disaster recovery plan. The data is encrypted by the cloud service provider in accordance with all CJIS Security Policy requirements. All other requirements are addressed as well, such as background checks and the Security Addendum for all cloud vendor employees. The cloud vendor has disclosed the practice of utilizing metadata from the data (CJI) we provide to them as part of our service level agreement (SLA) for undisclosed commercial purposes. Is this permissible?":{"body":"No. Metadata derived from CJI is prohibited for use by any cloud service provider for any commercial purposes. 
However, some limited use may be approved by the agency as long as the use is described in the SLA.","section":"5.10.1.5","linked":true,"title":"Our agency uses a cloud service provider to store data, including CJI, as part of our disaster recovery plan. The data is encrypted by the cloud service provider in accordance with all CJIS Security Policy requirements. All other requirements are addressed as well, such as background checks and the Security Addendum for all cloud vendor employees. The cloud vendor has disclosed the practice of utilizing metadata from the data (CJI) we provide to them as part of our service level agreement (SLA) for undisclosed commercial purposes. Is this permissible?"}},"5.13.3":{"When I use a mobile (cellular) device, I unlock the device with a PIN. Does this satisfy the requirement for Advanced Authentication (AA) when using this kind of device?":{"body":"No, this would satisfy the requirement for local device authentication (5.13.7.1) but does not satisfy the additional requirement for AA (5.13.7.2).","section":"5.13.3","linked":true,"title":"When I use a mobile (cellular) device, I unlock the device with a PIN. Does this satisfy the requirement for Advanced Authentication (AA) when using this kind of device?"}},"5.13.2":{"Our agency has been reviewing potential MDM solutions for our mobile devices. Some of the prominent products advertise \"cloud-based\" MDM controls. Are there any concerns with using a \"cloud-based\" MDM solution?":{"body":"Typically, \"cloud-based\" MDM products allow management of the MDM solution from an application hosted in the cloud over an Internet connection. The agency would need to ensure that cloud service personnel do not have access to the MDM application and the ability to change the MDM configuration. 
Normally, no CJI will be present in this scenario; however, if access to CJI is possible, additional requirements would apply.","section":"5.13.2","linked":true,"title":"Our agency has been reviewing potential MDM solutions for our mobile devices. Some of the prominent products advertise \"cloud-based\" MDM controls. Are there any concerns with using a \"cloud-based\" MDM solution?"}},"5.10.1.2":{"We are starting to store hard drives at locations outside of our physically secure location. The CJIS Security Policy requires the Criminal Justice Information (CJI) to be encrypted, and we think that the most effective method would be to encrypt the whole drive. However, our IT staff would like to implement a folder(s) encryption versus a whole disk encryption policy. Does the Policy require whole disk encryption in this scenario?":{"body":"As long as the data is being encrypted in accordance with 5.10.1.2.2 for data at rest the requirements of the CJIS Security Policy are met. The Policy does not dictate whether this is accomplished via whole disk or file encryption. As with all requirements in the Policy, this is a minimum standard and CJIS community members are encouraged to exceed it.","section":"5.10.1.2","linked":true,"title":"We are starting to store hard drives at locations outside of our physically secure location. The CJIS Security Policy requires the Criminal Justice Information (CJI) to be encrypted, and we think that the most effective method would be to encrypt the whole drive. However, our IT staff would like to implement a folder(s) encryption versus a whole disk encryption policy. Does the Policy require whole disk encryption in this scenario?"}},"5.5.6.2":{"Can an officer use a public library computer to access Criminal Justice Information (CJI)?":{"body":"No, using publicly accessible computers to access, process, store or transmit CJI is prohibited. 
Some examples of publicly accessible computers include but are not limited to: hotel business center computers, convention center computers, public library computers, public kiosk computers, etc. ","section":"5.5.6.2","linked":true,"title":"Can an officer use a public library computer to access Criminal Justice Information (CJI)?"}},"5.5.6.1":{"Our agency has recently implemented policy permitting the use of personally owned laptop computers. In order for laptops to be given approval, they must be brought to our IT security team to be inspected on a bi-monthly basis to ensure all necessary software and protections are in place to meet compliance with both the CJIS Security Policy and our local policies. Do these conditions meet the CJIS Security Policy requirements for allowing personally owned information systems?":{"body":"The CJIS Security Policy requires a written policy for any agency allowing personally owned information systems (laptops, desktops, etc.) to access CJI. That use must be within the scope of the established agency policy. The CJIS Security Policy does not prescribe what the local policy must contain; therefore, the agency is at liberty to use security controls appropriate to their operating environment.\n","section":"5.5.6.1","linked":true,"title":"Our agency has recently implemented policy permitting the use of personally owned laptop computers. In order for laptops to be given approval, they must be brought to our IT security team to be inspected on a bi-monthly basis to ensure all necessary software and protections are in place to meet compliance with both the CJIS Security Policy and our local policies. Do these conditions meet the CJIS Security Policy requirements for allowing personally owned information systems?"}},"5.4.1":{"Our agency has wanted to create an all-in-one logging solution in which all the required logs would be sent to a centralized syslog server. We have found this to be difficult to establish due to our financial budget. 
Are we authorized under the CJIS Security Policy to utilize a distributed logging solution (i.e. Active Directory logging + mobile data terminal (MDT) software + message switch logging)? ":{"body":"Absolutely. The Policy does not dictate the means by which logs will be managed. While it may not be a desirable method, manual recording of activities is also acceptable in the event no automated system is in place to do so. ","section":"5.4.1","linked":true,"title":"Our agency has wanted to create an all-in-one logging solution in which all the required logs would be sent to a centralized syslog server. We have found this to be difficult to establish due to our financial budget. Are we authorized under the CJIS Security Policy to utilize a distributed logging solution (i.e. Active Directory logging + mobile data terminal (MDT) software + message switch logging)? "}}}