CJIS Security Policy Resource Center

Download CJIS Security Policy v5_5_20160601 (2) (1).pdf — 3074 KB

Document outline (PDF page numbers):

Executive Summary (p. 3)
Change Management (p. 4)
Summary of Changes (p. 6)
Table of Contents (p. 8)
List of Figures (p. 13)
1 Introduction (p. 14)
  1.1 Purpose (p. 14)
  1.2 Scope (p. 14)
  1.3 Relationship to Local Security Policy and Other Policies (p. 14)
  1.4 Terminology Used in This Document (p. 15)
  1.5 Distribution of the CJIS Security Policy (p. 15)
2 CJIS Security Policy Approach (p. 16)
  2.1 CJIS Security Policy Vision Statement (p. 16)
  2.2 Architecture Independent (p. 16)
  2.3 Risk Versus Realism (p. 16)
3 Roles and Responsibilities (p. 17)
  3.1 Shared Management Philosophy (p. 17)
  3.2 Roles and Responsibilities for Agencies and Parties (p. 17)
    3.2.1 CJIS Systems Agencies (CSA) (p. 18)
    3.2.2 CJIS Systems Officer (CSO) (p. 18)
    3.2.3 Terminal Agency Coordinator (TAC) (p. 19)
    3.2.4 Criminal Justice Agency (CJA) (p. 19)
    3.2.5 Noncriminal Justice Agency (NCJA) (p. 19)
    3.2.6 Contracting Government Agency (CGA) (p. 20)
    3.2.7 Agency Coordinator (AC) (p. 20)
    3.2.8 CJIS Systems Agency Information Security Officer (CSA ISO) (p. 20)
    3.2.9 Local Agency Security Officer (LASO) (p. 21)
    3.2.10 FBI CJIS Division Information Security Officer (FBI CJIS ISO) (p. 21)
    3.2.11 Repository Manager (p. 22)
    3.2.12 Compact Officer (p. 22)
4 Criminal Justice Information and Personally Identifiable Information (p. 23)
  4.1 Criminal Justice Information (CJI) (p. 23)
    4.1.1 Criminal History Record Information (CHRI) (p. 23)
  4.2 Access, Use and Dissemination of Criminal History Record Information (CHRI), NCIC Restricted Files Information, and NCIC Non-Restricted Files Information (p. 24)
    4.2.1 Proper Access, Use, and Dissemination of CHRI (p. 24)
    4.2.2 Proper Access, Use, and Dissemination of NCIC Restricted Files Information (p. 24)
    4.2.3 Proper Access, Use, and Dissemination of NCIC Non-Restricted Files Information (p. 24)
      4.2.3.1 For Official Purposes (p. 24)
      4.2.3.2 For Other Authorized Purposes (p. 25)
      4.2.3.3 CSO Authority in Other Circumstances (p. 25)
    4.2.4 Storage (p. 25)
    4.2.5 Justification and Penalties (p. 25)
      4.2.5.1 Justification (p. 25)
      4.2.5.2 Penalties (p. 25)
  4.3 Personally Identifiable Information (PII) (p. 25)
5 Policy and Implementation (p. 27)
  5.1 Policy Area 1: Information Exchange Agreements (p. 28)
    5.1.1 Information Exchange (p. 28)
      5.1.1.1 Information Handling (p. 28)
      5.1.1.2 State and Federal Agency User Agreements (p. 28)
      5.1.1.3 Criminal Justice Agency User Agreements (p. 29)
      5.1.1.4 Interagency and Management Control Agreements (p. 29)
      5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum (p. 29)
      5.1.1.6 Agency User Agreements (p. 30)
      5.1.1.7 Outsourcing Standards for Channelers (p. 30)
      5.1.1.8 Outsourcing Standards for Non-Channelers (p. 31)
    5.1.2 Monitoring, Review, and Delivery of Services (p. 31)
      5.1.2.1 Managing Changes to Service Providers (p. 31)
    5.1.3 Secondary Dissemination (p. 31)
    5.1.4 Secondary Dissemination of Non-CHRI CJI (p. 31)
    5.1.5 References/Citations/Directives (p. 32)
  5.2 Policy Area 2: Security Awareness Training (p. 33)
    5.2.1 Awareness Topics (p. 33)
      5.2.1.1 Level One Security Awareness Training (p. 33)
      5.2.1.2 Level Two Security Awareness Training (p. 33)
      5.2.1.3 Level Three Security Awareness Training (p. 33)
      5.2.1.4 Level Four Security Awareness Training (p. 34)
    5.2.2 Security Training Records (p. 35)
    5.2.3 References/Citations/Directives (p. 35)
  5.3 Policy Area 3: Incident Response (p. 37)
    5.3.1 Reporting Security Events (p. 37)
      5.3.1.1 Reporting Structure and Responsibilities (p. 37)
        5.3.1.1.1 FBI CJIS Division Responsibilities (p. 37)
        5.3.1.1.2 CSA ISO Responsibilities (p. 37)
    5.3.2 Management of Security Incidents (p. 38)
      5.3.2.1 Incident Handling (p. 38)
      5.3.2.2 Collection of Evidence (p. 38)
    5.3.3 Incident Response Training (p. 38)
    5.3.4 Incident Monitoring (p. 38)
    5.3.5 References/Citations/Directives (p. 39)
  5.4 Policy Area 4: Auditing and Accountability (p. 40)
    5.4.1 Auditable Events and Content (Information Systems) (p. 40)
      5.4.1.1 Events (p. 40)
        5.4.1.1.1 Content (p. 41)
    5.4.2 Response to Audit Processing Failures (p. 41)
    5.4.3 Audit Monitoring, Analysis, and Reporting (p. 41)
    5.4.4 Time Stamps (p. 41)
    5.4.5 Protection of Audit Information (p. 41)
    5.4.6 Audit Record Retention (p. 41)
    5.4.7 Logging NCIC and III Transactions (p. 42)
    5.4.8 References/Citations/Directives (p. 42)
  5.5 Policy Area 5: Access Control (p. 43)
    5.5.1 Account Management (p. 43)
    5.5.2 Access Enforcement (p. 43)
      5.5.2.1 Least Privilege (p. 44)
      5.5.2.2 System Access Control (p. 44)
      5.5.2.3 Access Control Criteria (p. 44)
      5.5.2.4 Access Control Mechanisms (p. 44)
    5.5.3 Unsuccessful Login Attempts (p. 45)
    5.5.4 System Use Notification (p. 45)
    5.5.5 Session Lock (p. 45)
    5.5.6 Remote Access (p. 46)
      5.5.6.1 Personally Owned Information Systems (p. 46)
      5.5.6.2 Publicly Accessible Computers (p. 47)
    5.5.7 References/Citations/Directives (p. 47)
  5.6 Policy Area 6: Identification and Authentication (p. 48)
    5.6.1 Identification Policy and Procedures (p. 48)
      5.6.1.1 Use of Originating Agency Identifiers in Transactions and Information Exchanges (p. 48)
    5.6.2 Authentication Policy and Procedures (p. 48)
      5.6.2.1 Standard Authenticators (p. 49)
        5.6.2.1.1 Password (p. 49)
        5.6.2.1.2 Personal Identification Number (PIN) (p. 49)
      5.6.2.2 Advanced Authentication (p. 50)
        5.6.2.2.1 Advanced Authentication Policy and Rationale (p. 50)
        5.6.2.2.2 Advanced Authentication Decision Tree (p. 51)
    5.6.3 Identifier and Authenticator Management (p. 52)
      5.6.3.1 Identifier Management (p. 53)
      5.6.3.2 Authenticator Management (p. 53)
    5.6.4 Assertions (p. 53)
    5.6.5 References/Citations/Directives (p. 53)
  5.7 Policy Area 7: Configuration Management (p. 59)
    5.7.1 Access Restrictions for Changes (p. 59)
      5.7.1.1 Least Functionality (p. 59)
      5.7.1.2 Network Diagram (p. 59)
    5.7.2 Security of Configuration Documentation (p. 59)
    5.7.3 References/Citations/Directives (p. 59)
  5.8 Policy Area 8: Media Protection (p. 61)
    5.8.1 Media Storage and Access (p. 61)
    5.8.2 Media Transport (p. 61)
      5.8.2.1 Digital Media during Transport (p. 61)
      5.8.2.2 Physical Media in Transit (p. 61)
    5.8.3 Digital Media Sanitization and Disposal (p. 61)
    5.8.4 Disposal of Physical Media (p. 61)
    5.8.5 References/Citations/Directives (p. 62)
  5.9 Policy Area 9: Physical Protection (p. 63)
    5.9.1 Physically Secure Location (p. 63)
      5.9.1.1 Security Perimeter (p. 63)
      5.9.1.2 Physical Access Authorizations (p. 63)
      5.9.1.3 Physical Access Control (p. 63)
      5.9.1.4 Access Control for Transmission Medium (p. 63)
      5.9.1.5 Access Control for Display Medium (p. 63)
      5.9.1.6 Monitoring Physical Access (p. 64)
      5.9.1.7 Visitor Control (p. 64)
      5.9.1.8 Delivery and Removal (p. 64)
    5.9.2 Controlled Area (p. 64)
    5.9.3 References/Citations/Directives (p. 64)
  5.10 Policy Area 10: System and Communications Protection and Information Integrity (p. 65)
    5.10.1 Information Flow Enforcement (p. 65)
      5.10.1.1 Boundary Protection (p. 65)
      5.10.1.2 Encryption (p. 66)
      5.10.1.3 Intrusion Detection Tools and Techniques (p. 67)
      5.10.1.4 Voice over Internet Protocol (p. 68)
      5.10.1.5 Cloud Computing (p. 68)
    5.10.2 Facsimile Transmission of CJI (p. 68)
    5.10.3 Partitioning and Virtualization (p. 68)
      5.10.3.1 Partitioning (p. 69)
      5.10.3.2 Virtualization (p. 69)
    5.10.4 System and Information Integrity Policy and Procedures (p. 70)
      5.10.4.1 Patch Management (p. 70)
      5.10.4.2 Malicious Code Protection (p. 70)
      5.10.4.3 Spam and Spyware Protection (p. 70)
      5.10.4.4 Security Alerts and Advisories (p. 71)
      5.10.4.5 Information Input Restrictions (p. 71)
    5.10.5 References/Citations/Directives (p. 71)
  5.11 Policy Area 11: Formal Audits (p. 73)
    5.11.1 Audits by the FBI CJIS Division (p. 73)
      5.11.1.1 Triennial Compliance Audits by the FBI CJIS Division (p. 73)
      5.11.1.2 Triennial Security Audits by the FBI CJIS Division (p. 73)
    5.11.2 Audits by the CSA (p. 73)
    5.11.3 Special Security Inquiries and Audits (p. 74)
    5.11.4 References/Citations/Directives (p. 74)
  5.12 Policy Area 12: Personnel Security (p. 75)
    5.12.1 Personnel Security Policy and Procedures (p. 75)
      5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI (p. 75)
      5.12.1.2 Personnel Screening for Contractors and Vendors (p. 76)
    5.12.2 Personnel Termination (p. 76)
    5.12.3 Personnel Transfer (p. 77)
"pageno": 77, "title": "5.12.4 Personnel Sanctions"}, {"dest": {"list": [{"ref": 297}, {"literal": "XYZ"}, {"number": 69}, {"number": 593}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 77, "title": "5.12.5 References/Citations/Directives"}, {"dest": {"list": [{"ref": 302}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 78, "title": "5.13 Policy Area 13: Mobile Devices"}, {"dest": {"list": [{"ref": 302}, {"literal": "XYZ"}, {"number": 69}, {"number": 549}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 78, "title": "5.13.1 Wireless Communications Technologies"}, {"dest": {"list": [{"ref": 302}, {"literal": "XYZ"}, {"number": 69}, {"number": 448}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 78, "title": "5.13.1.1 802.11 Wireless Protocols"}, {"dest": {"list": [{"ref": 306}, {"literal": "XYZ"}, {"number": 69}, {"number": 376}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 79, "title": "5.13.1.2 Cellular Devices"}, {"dest": {"list": [{"ref": 308}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 5, "sub": [], "pageno": 80, "title": "5.13.1.2.1 Cellular Service Abroad"}, {"dest": {"list": [{"ref": 308}, {"literal": "XYZ"}, {"number": 69}, {"number": 604}, {"number": 0}], "size": 5}, "level": 5, "sub": [], "pageno": 80, "title": "5.13.1.2.2 Voice Transmissions Over Cellular Devices"}, {"dest": {"list": [{"ref": 308}, {"literal": "XYZ"}, {"number": 69}, {"number": 546}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 80, "title": "5.13.1.3 Bluetooth"}, {"dest": {"list": [{"ref": 308}, {"literal": "XYZ"}, {"number": 69}, {"number": 365}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 80, "title": "5.13.1.4 Mobile Hotspots"}, {"dest": {"list": [{"ref": 313}, {"literal": "XYZ"}, {"number": 69}, {"number": 660}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 81, 
"title": "5.13.2 Mobile Device Management (MDM)"}, {"dest": {"list": [{"ref": 313}, {"literal": "XYZ"}, {"number": 69}, {"number": 238}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 81, "title": "5.13.3 Wireless Device Risk Mitigations"}, {"dest": {"list": [{"ref": 316}, {"literal": "XYZ"}, {"number": 69}, {"number": 619}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 82, "title": "5.13.4 System Integrity"}, {"dest": {"list": [{"ref": 316}, {"literal": "XYZ"}, {"number": 69}, {"number": 518}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 82, "title": "5.13.4.1 Patching/Updates"}, {"dest": {"list": [{"ref": 316}, {"literal": "XYZ"}, {"number": 69}, {"number": 412}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 82, "title": "5.13.4.2 Malicious Code Protection"}, {"dest": {"list": [{"ref": 316}, {"literal": "XYZ"}, {"number": 69}, {"number": 279}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 82, "title": "5.13.4.3 Personal Firewall"}, {"dest": {"list": [{"ref": 321}, {"literal": "XYZ"}, {"number": 69}, {"number": 645}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 83, "title": "5.13.5 Incident Response"}, {"dest": {"list": [{"ref": 321}, {"literal": "XYZ"}, {"number": 69}, {"number": 366}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 83, "title": "5.13.6 Access Control"}, {"dest": {"list": [{"ref": 321}, {"literal": "XYZ"}, {"number": 69}, {"number": 292}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 83, "title": "5.13.7 Identification and Authentication"}, {"dest": {"list": [{"ref": 321}, {"literal": "XYZ"}, {"number": 69}, {"number": 233}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 83, "title": "5.13.7.1 Local Device Authentication"}, {"dest": {"list": [{"ref": 321}, {"literal": "XYZ"}, {"number": 69}, {"number": 161}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 83, "title": "5.13.7.2 Advanced 
Authentication"}, {"dest": {"list": [{"ref": 327}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 5, "sub": [], "pageno": 84, "title": "5.13.7.2.1 Compensating Controls"}, {"dest": {"list": [{"ref": 327}, {"literal": "XYZ"}, {"number": 69}, {"number": 270}, {"number": 0}], "size": 5}, "level": 4, "sub": [], "pageno": 84, "title": "5.13.7.3 Device Certificates"}, {"dest": {"list": [{"ref": 330}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 1, "sub": [], "pageno": 85, "title": "Appendices"}, {"dest": {"list": [{"ref": 330}, {"literal": "XYZ"}, {"number": 69}, {"number": 689}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 85, "title": "Appendix A Terms and Definitions"}, {"dest": {"list": [{"ref": 344}, {"literal": "XYZ"}, {"number": 69}, {"number": 727}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 97, "title": "Appendix B Acronyms"}, {"dest": {"list": [{"ref": 349}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 101, "title": "Appendix C Network Topology Diagrams"}, {"dest": {"list": [{"ref": 356}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 107, "title": "Appendix D Sample Information Exchange Agreements"}, {"dest": {"list": [{"ref": 356}, {"literal": "XYZ"}, {"number": 69}, {"number": 667}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 107, "title": "D.1 CJIS User Agreement"}, {"dest": {"list": [{"ref": 366}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 115, "title": "D.2 Management Control Agreement"}, {"dest": {"list": [{"ref": 368}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 116, "title": "D.3 Noncriminal Justice Agency Agreement & Memorandum of 
Understanding"}, {"dest": {"list": [{"ref": 375}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 122, "title": "D.4 Interagency Connection Agreement"}, {"dest": {"list": [{"ref": 381}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 127, "title": "Appendix E Security Forums and Organizational Entities"}, {"dest": {"list": [{"ref": 383}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 128, "title": "Appendix F Sample Forms"}, {"dest": {"list": [{"ref": 385}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 129, "title": "F.1 Security Incident Response Form"}, {"dest": {"list": [{"ref": 387}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 130, "title": "Appendix G Best practices"}, {"dest": {"list": [{"ref": 387}, {"literal": "XYZ"}, {"number": 69}, {"number": 687}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 130, "title": "G.1 Virtualization"}, {"dest": {"list": [{"ref": 392}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 133, "title": "G.2 Voice over Internet Protocol"}, {"dest": {"list": [{"ref": 404}, {"literal": "XYZ"}, {"number": 69}, {"number": 700}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 144, "title": "G.3 Cloud Computing"}, {"dest": {"list": [{"ref": 420}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 159, "title": "G.4 Mobile Appendix"}, {"dest": {"list": [{"ref": 442}, {"literal": "XYZ"}, {"number": 69}, {"number": 720}, {"number": 0}], "size": 5}, "level": 3, "sub": [], "pageno": 180, "title": "G.5 Administrator Accounts for Least Privilege and Separation of 
Duties"}, {"dest": {"list": [{"ref": 456}, {"literal": "XYZ"}, {"number": 69}, {"number": 744}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 193, "title": "Appendix H Security Addendum"}, {"dest": {"list": [{"ref": 464}, {"literal": "XYZ"}, {"number": 69}, {"number": 744}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 200, "title": "Appendix I References"}, {"dest": {"list": [{"ref": 469}, {"literal": "XYZ"}, {"number": 69}, {"number": 744}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 204, "title": "Appendix J Noncriminal Justice Agency Supplemental Guidance"}, {"dest": {"list": [{"ref": 478}, {"literal": "XYZ"}, {"number": 69}, {"number": 744}, {"number": 0}], "size": 5}, "level": 2, "sub": [], "pageno": 212, "title": "Appendix K Criminal Justice Agency Supplemental Guidance"}] {"5.11.2":{"Our CSA wants to use a vendor to provide cloud storage of our backup data containing CJI. We understand we are required to do an audit of the facility in which our data will be kept. However, the datacenter for this vendor is located within another state. We have been in contact with the CSA of the state in which the facility resides. We can send auditors to the facility to conduct our audi, but our fellow CSA informed us they are about to conduct an audit of this facility. So, are we required to conduct our own audit or can we ask the vendor's local CSA to share their results with us to satisfy the requirement for us to audit?":{"section":"5.11.2","title":"Our CSA wants to use a vendor to provide cloud storage of our backup data containing CJI. We understand we are required to do an audit of the facility in which our data will be kept. However, the datacenter for this vendor is located within another state. We have been in contact with the CSA of the state in which the facility resides. We can send auditors to the facility to conduct our audi, but our fellow CSA informed us they are about to conduct an audit of this facility. 
So, are we required to conduct our own audit or can we ask the vendor's local CSA to share their results with us to satisfy the requirement for us to audit?","body":"You as the CSA may utilize the results of another CSA's CSP compliance audit of contractor facilities if that CSA agrees to share. The CSA may also provide the results of subsequent audits if an agreement between your CSAs have been reached to do so. Please note that audit results are only good for 3 years. So, if the local CSA conducted an audit a year preior to sharing the results with your CSA, for example, then those result are only exceptable until the contractor facility is audited again in 2 years. Also, be aware this authority to share audit results does not apply to the audit requirement outlined in the Security and Management Control Outsourcing Standard for Non-Channeler and Channelers related to outsourcing noncriminal justice administrative functions.","linked":true},"What systems at the local agency does the CJIS Systems Agency (CSA) have to conduct an IT security audit on? Should email systems and Records Management Systems (RMS) be included?":{"section":"5.11.2","title":"What systems at the local agency does the CJIS Systems Agency (CSA) have to conduct an IT security audit on? Should email systems and Records Management Systems (RMS) be included?","body":"Any system that contains or transports Criminal Justice Information (CJI) should be included in the audit. If the email system is used to receive or transmit CJI, then it should be included. RMS systems that contain CJI (which includes information received from a national CJIS system response whether entered directly or through scanning, copy and pasting, or hand entry) should also be included in the scope of the audit. 
","linked":true}},"5.12.1.2":{"Would a contractor who only has hard copy access to CJI (indirect access, but does have unescorted access to a physically secure location be required to undergo fingerprint-based background check per FBI CSP?":{"section":"5.12.1.2","title":"Would a contractor who only has hard copy access to CJI (indirect access, but does have unescorted access to a physically secure location be required to undergo fingerprint-based background check per FBI CSP?","body":"Yes, for unescorted access to a physically secure location the contractor would be required to have fingerprint-based background checks irrespective of CJI access. Additionally, these personnel would have to complete security awareness training. ","linked":true}},"5.10.4.3":{"Is there a requirement by the CJIS Security Policy (CSP) to have spyware protection installed on the laptops issued by our department?":{"section":"5.10.4.3","title":"Is there a requirement by the CJIS Security Policy (CSP) to have spyware protection installed on the laptops issued by our department?","body":"Yes, there is a requirement to employ spyware protection at mobile computing devices on the network. ","linked":true}},"5.12.1":{"Our agency's policy has been to require all people who have direct access or view any information from NCIC to be fingerprinted as a means to be in compliance with the CJIS Security Policy (CSP). We have been considering relaxing our policy to avoid paying for background checks that might not be needed. Would you explain what roles would require a background check and what roles would not?":{"section":"5.12.1","title":"Our agency's policy has been to require all people who have direct access or view any information from NCIC to be fingerprinted as a means to be in compliance with the CJIS Security Policy (CSP). We have been considering relaxing our policy to avoid paying for background checks that might not be needed. 
Would you explain what roles would require a background check and what roles would not?","body":"Personnel with direct access to Criminal Justice Information (CJI) and support personnel with unescorted access to the physically secure location must be fingerprint based background checked. Personnel such as court clerks, etc. who work outside the physically secure location but who will only view CJI on a regular basis are not required to be background checked but must be trained at the security awareness basic level (policy citation).","linked":true}},"5.2.1.1":{"Our agency has a contract with a custodial service to provide cleaning services for the facility. These personnel are all private contractors and are background checked to allow for unescorted access. However, they may come across Criminal Justice Information (CJI) material lying around on desks. Are we required to provide security awareness training to the custodial service personnel?":{"section":"5.2.1.1","title":"Our agency has a contract with a custodial service to provide cleaning services for the facility. These personnel are all private contractors and are background checked to allow for unescorted access. However, they may come across Criminal Justice Information (CJI) material lying around on desks. Are we required to provide security awareness training to the custodial service personnel?","body":"Yes. These contractors may have access to CJI and therefore should be given the first level of security awareness training. This ensures they have been trained to act appropriately should they encounter CJI.","linked":true}},"5.2.1.3":{"We have a number of dispatchers who as part of their daily functions include running CJI queries at the request of the law enforcement officers. The dispatchers do have access to CJI both logically (running queries) and physically (printed copies of reports containing CJI). 
What level of secuurity awareness training are they required to have been given?":{"section":"5.2.1.3","title":"We have a number of dispatchers who as part of their daily functions include running CJI queries at the request of the law enforcement officers. The dispatchers do have access to CJI both logically (running queries) and physically (printed copies of reports containing CJI). What level of secuurity awareness training are they required to have been given?","body":"These dispatchers have direct access to CJI and are therefore required to be given Level Three Security Awareness Training which pertains to all the topics identified in CSP Sections 5.2.1.1, 5.2.1.2, and 5.2.1.3.","linked":true}},"5.2.1.2":{"If an NCJA only maintains hard copies of CJI (CHRI files) stored in a locked file cabinet what level of security awraeness training do we have to provide and to whom?":{"section":"5.2.1.2","title":"If an NCJA only maintains hard copies of CJI (CHRI files) stored in a locked file cabinet what level of security awraeness training do we have to provide and to whom?","body":"Only those personnel who have the ability to access/open the locked file cabinet are required to receive security awareness training. Since this access is to hard copy CJI, it requires the Level Two Security Awareness Training which pertains to all the topics identified in CSP Sections 5.2.1.1 and 5.2.1.2. ","linked":true}},"5.2.1.4":{"Our agency has recently hired a number of system and network administrators to help us secure our network. These admins do not regularly access CJI, but instead spend most of their time creating accounts for new personnel, implementing security patches for existing systems, creating backups of existing systems, and implementing access controls throughout the network. These eprsonnel could potentially access CJI, but it is not their focus to do so. 
Do they need security awareness training?":{"section":"5.2.1.4","title":"Our agency has recently hired a number of system and network administrators to help us secure our network. These admins do not regularly access CJI, but instead spend most of their time creating accounts for new personnel, implementing security patches for existing systems, creating backups of existing systems, and implementing access controls throughout the network. These eprsonnel could potentially access CJI, but it is not their focus to do so. Do they need security awareness training?","body":"Yes. These administrators have privileged, administrative access to CJI and CJI-processing systems. These personnel are therefore required to be given Level Four Security Awareness Training which pertains to all the topics identified in CSP Sections 5.2.1.1, 5.2.1.2, 5.2.1.3, and 5.2.1.4. ","linked":true}},"5.13.1.2.2":{"In order to report critical time-sensitive investigative information, can an officer in the field use an agency-issued cell phone (unencrypted voice transmission) to report this information back to the precinct?":{"section":"5.13.1.2.2","title":"In order to report critical time-sensitive investigative information, can an officer in the field use an agency-issued cell phone (unencrypted voice transmission) to report this information back to the precinct?","body":"Yes. Section 5.13.1.2.2 provides an exemption to the encryption and authentication requirements for transmitting CJI over cellular devices. ","linked":true}},"5.12.1.1":{"Is it necessary to fingerprint FBI agents each time they go to a new office in a different state? ":{"section":"5.12.1.1","title":"Is it necessary to fingerprint FBI agents each time they go to a new office in a different state? ","body":"No. All agents are fingerprinted prior to assignment with the FBI. Being rotated between offices doesn't constitute a new assignment for the purpose of 5.12.1.1(1) even though the agency may refer to it as a reassignment. 
It's a similar situation for city police officers, troopers, etc. who rotate between various precincts or barracks through their careers but remain with the same agency.","linked":true},"Would an agency employee of a small PD (CJA) who only has hard copy access to CJI (indirect access) - does not have their own terminal nor unescorted access to a physically secure location - be required to undergo fingerprint-based background check per FBI CSP?":{"section":"5.12.1.1","title":"Would an agency employee of a small PD (CJA) who only has hard copy access to CJI (indirect access) - does not have their own terminal nor unescorted access to a physically secure location - be required to undergo fingerprint-based background check per FBI CSP?","body":"In this example the employee would not need a fingerprint-based background check, but would have to complete security awareness training. ","linked":true}},"5.6.2.2":{"The CJIS Security Policy (CSP) references \"user-based public key infrastructure (PKI).\" Will you elaborate on what that means?":{"section":"5.6.2.2","title":"The CJIS Security Policy (CSP) references \"user-based public key infrastructure (PKI).\" Will you elaborate on what that means?","body":"PKI refers to the use of an infrastructure utilizing digital certificates for authentication. A user-based PKI solution requires user-specific certificates as a second form of authentication to meet the requirement for Advanced Authentication (AA). This means the certificate must be assigned (tied to or associated with) to the individual user and not to a particular device. This prevents multiple users from utilizing a common certificate as an authentication factor on a device. User-based certificates may be stored on an external device (e.g., token or smart card) or be issued for use per session. ","linked":true},"We have been working on our advanced authentication solution. What we would like to use is a risk-based authentication (RBA) solution. 
The question we have is: Would a vendor-hosted RBA solution be acceptable rather than a self-hosted RBA solution?":{"section":"5.6.2.2","title":"We have been working on our advanced authentication solution. What we would like to use is a risk-based authentication (RBA) solution. The question we have is: Would a vendor-hosted RBA solution be acceptable rather than a self-hosted RBA solution?","body":"Yes. You may outsource your AA solution to a vendor; however, you'll need to come up with a good plan for user management to ensure the vendor administrators responsible for system administration work on the authentication server are blocked from creating their own username access to your network. We advise you to consult with your local system administrators to ensure that does not occur. ","linked":true},"We would like to know if the following scenario constitutes a proper advanced authentication (AA) solution:\n \n* First, the user logs into a laptop using a username and password. \n\n* Next, the user establishes a VPN connection to the local agency network and is required to login using another username and password. \n\n* Finally, the user launches an application that will provide access to Criminal Justice Information (CJI). The user is once again challenged for another username and password. \n\nSo, the user has had to enter a different username and password for each of the three login stages. As this requires multiple stages of authentication each with differing user names and password, does this satisfy the requirement for AA per the CJIS Security Policy (CSP)?\n":{"section":"5.6.2.2","title":"We would like to know if the following scenario constitutes a proper advanced authentication (AA) solution:\n \n* First, the user logs into a laptop using a username and password. \n\n* Next, the user establishes a VPN connection to the local agency network and is required to login using another username and password. 
\n\n* Finally, the user launches an application that will provide access to Criminal Justice Information (CJI). The user is once again challenged for another username and password. \n\nSo, the user has had to enter a different username and password for each of the three login stages. As this requires multiple stages of authentication each with differing user names and password, does this satisfy the requirement for AA per the CJIS Security Policy (CSP)?\n","body":"No, this implementation will not satisfy the requirement for AA. AA requires more than a single factor of authentication using a \"two-factor authentication\" or \"strong authentication\" solution or by implementing a risk-based authentication (RBA) solution. \n\nAdditionally, AA is required to be implemented either at the local agency, CSA, SIB or Channeler level which will then assert the identity to all authorized applications. \n","linked":true},"Do vendor-installed fingerprint readers that authenticate to the operating system at boot up time rather than asking for a second authentication factor when a CJIS application is opened on the computer meet the requirement of Advanced Authentication (AA)?":{"section":"5.6.2.2","title":"Do vendor-installed fingerprint readers that authenticate to the operating system at boot up time rather than asking for a second authentication factor when a CJIS application is opened on the computer meet the requirement of Advanced Authentication (AA)?","body":"Whatever device is being used, the basic tenants of AA have to be met: identification (e.g. user name), authentication factor 1 (e.g. password), authentication factor 2 (e.g. fingerprint, token, etc.) Additionally, the authentication for the CJIS application has to occur at the local agency, CSA, SIB, or Channeler level. 
","linked":true},"Is Advanced Authentication (AA) required when/if support personnel have direct access Criminal Justice Information (CJI) from their home?":{"section":"5.6.2.2","title":"Is Advanced Authentication (AA) required when/if support personnel have direct access Criminal Justice Information (CJI) from their home?","body":"Absolutely! Direct access to CJI from outside of a physically secure location AA is a requirement.","linked":true},"Does the requirement of a username, password, and an IP or MAC address form an acceptable risk-based authentication solution that meets the requirements of Advanced Authentication (AA) per the CJIS Security Policy?":{"section":"5.6.2.2","title":"Does the requirement of a username, password, and an IP or MAC address form an acceptable risk-based authentication solution that meets the requirements of Advanced Authentication (AA) per the CJIS Security Policy?","body":"No. Risk based authentication solutions should pull from a collection of multiple data sets that extend beyond the IP address and MAC address to other items such as OS, geo-location, time of day logon, screen resolution, etc. A risk determination is made based upon the solution's analysis of the collective information. Anything less would be nothing more than a challenge/response solution.","linked":true},"An agency intends to implement a remote access authentication solution that involves using external hard tokens that will be issued for all agency employees. Upon logging in to the local agency, the user will be required to enter a user name (identification), a personal identification number (PIN) (something you know), and a hard token device (something you have). The question we have is will this meet the requirement for advanced authentication (AA)? ":{"section":"5.6.2.2","title":"An agency intends to implement a remote access authentication solution that involves using external hard tokens that will be issued for all agency employees. 
Upon logging in to the local agency, the user will be required to enter a user name (identification), a personal identification number (PIN) (something you know), and a hard token device (something you have). The question we have is will this meet the requirement for advanced authentication (AA)? ","body":"Yes. Because the CJIS Security Policy (CSP) does not say that a password has to be one of the factors of authentication, the use of a PIN as one factor of authentication is permissible. Therefore, the use of a username (identification), PIN (something you know), and hard token (something you have) can satisfy the requirement for AA, if implemented properly. \n\nNote: PIN requirements are found in Section 5.6.2.1.2.\n","linked":true}},"5.13.3":{"When I use a mobile (cellular) device, I unlock the device with a PIN. Does this satisfy the requirement for Advanced Authentication (AA) when using this kind of device?":{"section":"5.13.3","title":"When I use a mobile (cellular) device, I unlock the device with a PIN. Does this satisfy the requirement for Advanced Authentication (AA) when using this kind of device?","body":"No, this would satisfy the requirement for local device authentication (5.13.9.1) but does not satisfy the additional requirement for AA (5.13.3(3)).","linked":true}},"1.5":{"The CJIS Security Policy (CSP) 4.5 is a Sensitive but Unclassified (SBU) document and not allowed to be posted to a public website or distributed to anyone who isn't an authorized user. Is CSP v5.0 also SBU?":{"section":"1.5","title":"The CJIS Security Policy (CSP) 4.5 is a Sensitive but Unclassified (SBU) document and not allowed to be posted to a public website or distributed to anyone who isn't an authorized user. Is CSP v5.0 also SBU?","body":"The CJIS Security Policy v5.0 does not have any dissemination restrictions and may be posted and shared without restrictions. 
All future versions will also be without restriction.","linked":true}},"1.3":{"During a Federal Information Security Management Act (FISMA) training course the following was stated, \"All government agencies, government contractors, and organizations that exchange data directly with government systems must be FISMA compliant.\" Since we exchange information with the FBI (CJIS), are we required to become FISMA compliant? ":{"section":"1.3","title":"During a Federal Information Security Management Act (FISMA) training course the following was stated, \"All government agencies, government contractors, and organizations that exchange data directly with government systems must be FISMA compliant.\" Since we exchange information with the FBI (CJIS), are we required to become FISMA compliant? ","body":"FISMA compliance is a federal standard and cannot be legally applied to states and locals. Therefore, there is no requirement for states to be FISMA compliant in order to exchange information with CJIS.","linked":true}},"1.1":{"We understand that the CJIS Security Policy (CSP) provides the minimum security standards for the protection of Criminal Justice Information (CJI), but our company is being asked to provide protection mechanisms that exceed the requirements listed in the CSP by the state we are in dealings with. Must we comply with the state request or do we only have to meet the requirements of the CSP?":{"section":"1.1","title":"We understand that the CJIS Security Policy (CSP) provides the minimum security standards for the protection of Criminal Justice Information (CJI), but our company is being asked to provide protection mechanisms that exceed the requirements listed in the CSP by the state we are in dealings with. Must we comply with the state request or do we only have to meet the requirements of the CSP?","body":"The CSP presents the minimum standards nationally. States are encouraged to exceed this standard in the protection of CJI. 
In the event the state requires standards above those listed within the CSP, CJIS would support the state in that decision. ","linked":true}},"3.2.2":{"Can the role of the CJIS Systems Officer (CSO) be outsourced?":{"section":"3.2.2","title":"Can the role of the CJIS Systems Officer (CSO) be outsourced?","body":"No, pursuant to the Bylaws for the CJIS Advisory Policy Board and Working Groups, the role of CSO shall not be outsourced. ","linked":true}},"3.2.3":{"Is it acceptable to have the same person assigned in the roles of both Terminal Agency Coordinator (TAC) and Local Agency Security Officer (LASO)?":{"section":"3.2.3","title":"Is it acceptable to have the same person assigned in the roles of both Terminal Agency Coordinator (TAC) and Local Agency Security Officer (LASO)?","body":"Yes. The policy does not prohibit a person from functioning in both roles. ","linked":true}},"5.7.1.2":{"The network diagrams for our agency do not include every individual workstation as the CJIS Security Policy (CSP) states that \"the number of workstations (clients) is sufficient.\" However, the older CSP v4.5 asked for ORI designations. Are these no longer a requirement? ":{"section":"5.7.1.2","title":"The network diagrams for our agency do not include every individual workstation as the CJIS Security Policy (CSP) states that \"the number of workstations (clients) is sufficient.\" However, the older CSP v4.5 asked for ORI designations. Are these no longer a requirement? ","body":"You are correct. The requirement for the use of ORI designations on network diagrams was dropped in CSP v5.0. ","linked":true},"Section 5.8 of the CJIS Security Policy (CSP) requires that you simply have to have written policy and procedures. Then, in section 5.8.3 it is stated to have written documentation of the steps to sanitize or destroy media. 
Does this simply require procedures that include the steps taken or must you keep documentation of the actual steps taken for each device, recorded with serial number, etc.? If you must keep a log for each device (where is this requirement documented?), how long must those logs be kept?":{"section":"5.7.1.2","title":"Section 5.8 of the CJIS Security Policy (CSP) requires that you simply have to have written policy and procedures. Then, in section 5.8.3 it is stated to have written documentation of the steps to sanitize or destroy media. Does this simply require procedures that include the steps taken or must you keep documentation of the actual steps taken for each device, recorded with serial number, etc.? If you must keep a log for each device (where is this requirement documented?), how long must those logs be kept?","body":"The intent of section 5.8 is to have written procedures and processes to ensure effective safeguarding guidance is available for all. The policy does not specify nor require documentation of the actual destruction. The expectation is that if your written procedures call for destruction in a specific manner that includes specific documentation then the auditors would look to see if the process was being followed. ","linked":true}},"5.1.1.4":{"A city Information Technology (IT) department performs all IT administration for the local police department (PD) and has a signed inter-agency agreement with the PD. Is it necessary to also sign a Management Control Agreement (MCA)?":{"section":"5.1.1.4","title":"A city Information Technology (IT) department performs all IT administration for the local police department (PD) and has a signed inter-agency agreement with the PD. Is it necessary to also sign a Management Control Agreement (MCA)?","body":"Yes, unless the MCA is incorporated into the Inter-agency agreement. 
","linked":true}},"5.1.1.5":{"Can an agency change some of the language in the Security Addendum (SA)?":{"section":"5.1.1.5","title":"Can an agency change some of the language in the Security Addendum (SA)?","body":"No. Changes can only be made through the approval and direction of the FBI. Any changes to the addendum would invalidate the legal standing of the document. ","linked":true},"The city has a contract with a custodial service to provide cleaning services for the police department (PD). These personnel are all private contractors and may come across Criminal Justice Information (CJI) lying around on desks while cleaning certain areas. So, would these custodial service personnel contracted by a city to provide service to a PD be required to sign the Security Addendum (SA)?":{"section":"5.1.1.5","title":"The city has a contract with a custodial service to provide cleaning services for the police department (PD). These personnel are all private contractors and may come across Criminal Justice Information (CJI) lying around on desks while cleaning certain areas. So, would these custodial service personnel contracted by a city to provide service to a PD be required to sign the Security Addendum (SA)?","body":"No. For unescorted access, the custodians are required to have a fingerprint-based background check and the first level of security awareness training. This ensures they've been vetted and have the training to act appropriately should they encounter CJI. ","linked":true}},"5.2":{"I know a test exists on-line, but could a test be designed by a local agency that would meet the CJIS requirements concerning Security Awareness Training?":{"section":"5.2","title":"I know a test exists on-line, but could a test be designed by a local agency that would meet the CJIS requirements concerning Security Awareness Training?","body":"Absolutely! 
While the CJIS Security Policy does not require a test as part of the Security Awareness Training, designing an evaluation that ties specifically to the agency computers, systems, and processes could help ensure greater understanding of the required training topics.","linked":true},"Can a Channeler perform the security awareness training for Authorized Recipient personnel and/or contractor personnel?":{"section":"5.2","title":"Can a Channeler perform the security awareness training for Authorized Recipient personnel and/or contractor personnel?","body":"Yes. There is no restriction on a Channeler performing the training as long as (1) the training covers all the areas outlined in the CJIS Security Policy (CSP) and (2) the Contracting Government Agency (CGA) doesn't provide specific training that supersedes the Channeler-provided training. ","linked":true}},"5.3":{"What information should I send to the CJIS ISO to report an incident? ":{"section":"5.3","title":"What information should I send to the CJIS ISO to report an incident? ","body":"The CSA ISO should fill out the Security Incident Reporting Form found in Appendix F of the CJIS Security Policy. This is a sample form but it includes the minimum information the CJIS ISO requires. ","linked":true}},"5.9.1":{"Is security awareness training required for personnel to have unescorted access to physically secure locations?":{"section":"5.9.1","title":"Is security awareness training required for personnel to have unescorted access to physically secure locations?","body":"Yes! Security Awareness training is required to permit unescorted access to a physically secure location. Please note this requirement also extends to unescorted, remote access to CJI and CJI processing systems located within a physically secure location.","linked":true}},"5.8":{"I have electronic media (hard drives) containing Criminal Justice Information (CJI) stored within a physically secure location. 
Do I have to encrypt the data while in storage (i.e. media in storage)?":{"section":"5.8","title":"I have electronic media (hard drives) containing Criminal Justice Information (CJI) stored within a physically secure location. Do I have to encrypt the data while in storage (i.e. media in storage)?","body":"No. Encryption isn't necessary for electronic media while in storage within a physically secure location. ","linked":true}},"5.6.2.1.2":{"Our agency uses smart cards in addition to a username and password to meet the requirement for advanced authentication (AA) per the CJIS Security Policy (CSP). When the smart card is presented the user is challenged to enter a PIN to unlock the smart card. Do the requirements in 5.6.2.1.2 apply to the PIN associated with the smart card? ":{"section":"5.6.2.1.2","title":"Our agency uses smart cards in addition to a username and password to meet the requirement for advanced authentication (AA) per the CJIS Security Policy (CSP). When the smart card is presented the user is challenged to enter a PIN to unlock the smart card. Do the requirements in 5.6.2.1.2 apply to the PIN associated with the smart card? ","body":"Yes, the PIN requirements do apply. The CSO may waive the 365-day expiration requirement (5.6.2.1.2(5a)).","linked":true}},"5.6.2.1.1":{"Does the CJIS Security Policy (CSP) require the use of special characters and numbers in passwords?":{"section":"5.6.2.1.1","title":"Does the CJIS Security Policy (CSP) require the use of special characters and numbers in passwords?","body":"No. As always, however, agencies are highly encouraged to exceed this minimum standard. ","linked":true}},"5.10.1.5":{"Our agency uses a cloud service provider to store data, including CJI, as part of our disaster recovery plan. The data is encrypted by the cloud service provider in accordance with all CJIS Security Policy (CSP) requirements. 
All other requirements are addressed as well, such as background checks and the Security Addendum for all cloud vendor employees. Recently, the cloud vendor has offered to provide some potentially valuable data analytics based on metadata gathered from the information we send to the cloud. Is this permissible?":{"section":"5.10.1.5","title":"Our agency uses a cloud service provider to store data, including CJI, as part of our disaster recovery plan. The data is encrypted by the cloud service provider in accordance with all CJIS Security Policy (CSP) requirements. All other requirements are addressed as well, such as background checks and the Security Addendum for all cloud vendor employees. Recently, the cloud vendor has offered to provide some potentially valuable data analytics based on metadata gathered from the information we send to the cloud. Is this permissible?","body":"Not if the metadata comes from CJI. CSP Section 5.10.1.5 explicitly prohibits the use of metadata derived from CJI by any cloud service provider for any purposes.","linked":true}},"5.2.1":{"Our FBI Field office employees are required to take an annual Information Security (INFOSEC) training. Does this training fulfill the requirement for CJIS Security Policy security awareness training?":{"section":"5.2.1","title":"Our FBI Field office employees are required to take an annual Information Security (INFOSEC) training. Does this training fulfill the requirement for CJIS Security Policy security awareness training?","body":"If the INFOSEC training covers all the required CJIS Security Policy Security Awareness Training areas listed for the user's role and the CSO of the state's CSA approves, then the answer is \"yes\". 
If it does not, additional training is required.","linked":true}},"5.10.4.1":{"Since Windows XP is no longer supported by Microsoft, will systems still using this OS be found out of compliance during an FBI audit, and are there security concerns that would affect CJIS applications if LEOs have not upgraded to a newer version of Windows?":{"section":"5.10.4.1","title":"Since Windows XP is no longer supported by Microsoft, will systems still using this OS be found out of compliance during an FBI audit, and are there security concerns that would affect CJIS applications if LEOs have not upgraded to a newer version of Windows?","body":"The CJIS ISO sent out guidance concerning Windows XP end-of-life (EOL) in April 2014. Essentially, since Microsoft no longer supports the OS with patches, it does not meet CJIS Security Policy requirements and any system using the OS will be found to be out of compliance during an audit.","linked":true}},"5.10.1.2":{"Does an encryption module that offers AES encryption at 256 bit strength that does not have a FIPS 140-2 certification meet the requirements for data in transit?":{"section":"5.10.1.2","title":"Does an encryption module that offers AES encryption at 256 bit strength that does not have a FIPS 140-2 certification meet the requirements for data in transit?","body":"No. The cryptographic module must be FIPS 140-2 certified for data in transit. You can check the certification against the list of Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm).\n \nThere is one exception, however. Subsequent versions of approved cryptographic modules that are under current review for FIPS 140-2 compliance can be used in the interim until certification is complete.","linked":true},"FIPS 140-2 specifies 4 levels of security. The CJIS Security Policy (CSP) does not indicate which level meets the requirements for encryption. 
Which level of certification is required for compliance with the CSP? ":{"section":"5.10.1.2","title":"FIPS 140-2 specifies 4 levels of security. The CJIS Security Policy (CSP) does not indicate which level meets the requirements for encryption. Which level of certification is required for compliance with the CSP? ","body":"No certification level requirement is specified in the CSP for FIPS 140-2; therefore any level will work so long as the solution utilizes a certified cryptographic module. If the certificate can be produced, the requirement is met.\n \nThe benchmark used to ensure compliance of the cryptographic module is the certificate from the National Institute of Standards and Technology (NIST) website (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm). \n","linked":true},"Must an encryption solution for data at rest in a controlled area be FIPS 140-2 certified to be considered compliant with the CJIS Security Policy (CSP)?":{"section":"5.10.1.2","title":"Must an encryption solution for data at rest in a controlled area be FIPS 140-2 certified to be considered compliant with the CJIS Security Policy (CSP)?","body":"No, the use of a FIPS 197 (AES) certified algorithm at 256 bit strength in accordance with 5.10.1.2(4) is allowed for data at rest. ","linked":true},"We are starting to store hard drives at locations outside of our physically secure location. The CJIS Security Policy (CSP) requires the Criminal Justice Information (CJI) to be encrypted, and we think that the most effective method would be to encrypt the whole drive. However, our IT staff would like to implement a folder(s) encryption versus a whole disk encryption policy. Does the CSP require whole disk encryption in this scenario?":{"section":"5.10.1.2","title":"We are starting to store hard drives at locations outside of our physically secure location. 
The CJIS Security Policy (CSP) requires the Criminal Justice Information (CJI) to be encrypted, and we think that the most effective method would be to encrypt the whole drive. However, our IT staff would like to implement a folder(s) encryption versus a whole disk encryption policy. Does the CSP require whole disk encryption in this scenario?","body":"As long as the data is being encrypted in accordance with 5.10.1.2 for data at rest, the requirements of the CJIS Security Policy (CSP) are met. The CSP does not dictate whether this is accomplished via whole disk or file encryption. As with all requirements in the CSP, this is a minimum standard and CJIS community members are encouraged to exceed it.","linked":true}},"5.6.2.2.1":{"CJIS Security Policy section 5.6.2.2.1, Advanced Authentication Policy and Rationale, only references a physically secure location. Do controlled areas require advanced authentication (AA)? ":{"section":"5.6.2.2.1","title":"CJIS Security Policy section 5.6.2.2.1, Advanced Authentication Policy and Rationale, only references a physically secure location. Do controlled areas require advanced authentication (AA)? ","body":"Yes. Controlled areas were incorporated in the CJIS Security Policy for organizations that need to process Criminal Justice Information but can't, or don't have a need to, maintain a physically secure location (e.g. school board, Dept. of Human Services, etc...). A physically secure location incorporates physical, technical, and personnel controls that make AA unnecessary in most situations whereas controlled areas require AA due to limitations in the aforementioned security controls. 
","linked":true},"I have an agency that would like to set up some live scan fingerprint machines and want to know: is advanced authentication (AA) required when using them?":{"section":"5.6.2.2.1","title":"I have an agency that would like to set up some live scan fingerprint machines and want to know: is advanced authentication (AA) required when using them?","body":"Short answer: It depends. The requirement for AA is based solely on whether or not CJI is returned to the live scan device and whether or not the live scan device is accessed remotely. If CJI is returned and the live scan is accessed remotely, then AA is required. If CJI is returned and the live scan is not accessed remotely, then AA is not required.","linked":true},"Is Advanced Authentication (AA) required for direct access to Criminal Justice Information (CJI) remotely from a laptop that was just removed from a police vehicle (enclosed criminal justice conveyance)?":{"section":"5.6.2.2.1","title":"Is Advanced Authentication (AA) required for direct access to Criminal Justice Information (CJI) remotely from a laptop that was just removed from a police vehicle (enclosed criminal justice conveyance)?","body":"Removing the laptop from the police vehicle removed the device from a physically secure location. AA would be required for direct access to CJI from outside of a physically secure location.","linked":true}},"5.6.2.2.2":{"Could you provide me some explanation of what an assertion is? ":{"section":"5.6.2.2.2","title":"Could you provide me some explanation of what an assertion is? ","body":"Assertions essentially deal with two types of activities:\n \n(1) Taking the attributes of someone and sending (asserting) those attributes to an authentication server. \n\nExample: The user has a laptop that has an embedded or tethered fingerprint reader. The user scans their prints. 
Then, an application of some sort sends, or \"asserts,\" the attributes of the fingerprint along with other user information to an authentication server which then looks at the provided attributes and determines whether or not the attributes are known or expected and are enough to authenticate the user's identity.\n \n(2) An identity provider who has already authenticated an individual and is sending (asserting) the user's identity to a service or a service broker (e.g., single sign-on).\n\nExample: Continuing with example 1, the authentication server is also an identity provider. The user, now that they have been identified, wants to access different services but in order to access those services the user must provide their identity. The authentication server, acting as an identity provider, can assert the user's identity to the user requested service(s). \n","linked":true}},"5.13.7.2.1":{"Our agency wants to begin utilizing agency-issued, MDM-controlled smartphone devices running a limited-feature operating system to access to CJI through a remote connection to the agency network. CJI will not be permitted (by policy) to be stored on any mobile device. We intend to implement the following compensating controls on these devices in lieu of implementing AA on the agency network connection. The proposed implementation includes the following controls: each device will be issued and registered to a single individual who will be personally responsible for the device (no one else may use this device); device management will be registered by and controlled via a commercial MDM solution that provides the MDM administrator the ability to remotely lock the device, remotely erase all data stored on the device, and remotely locate the device via GPS tracking. Will these controls be considered acceptable compensating controls? 
":{"section":"5.13.7.2.1","title":"Our agency wants to begin utilizing agency-issued, MDM-controlled smartphone devices running a limited-feature operating system to access to CJI through a remote connection to the agency network. CJI will not be permitted (by policy) to be stored on any mobile device. We intend to implement the following compensating controls on these devices in lieu of implementing AA on the agency network connection. The proposed implementation includes the following controls: each device will be issued and registered to a single individual who will be personally responsible for the device (no one else may use this device); device management will be registered by and controlled via a commercial MDM solution that provides the MDM administrator the ability to remotely lock the device, remotely erase all data stored on the device, and remotely locate the device via GPS tracking. Will these controls be considered acceptable compensating controls? ","body":"The use of compensating controls must be approved by the CSO. The controls listed: controlled possession along with remote device locking, wiping, and GPS tracking do comply with the example controls found in CSP Section 5.13.7.2.1. If your proposal is accepted and approved by the CSO, this solution appears to be acceptable per the CSP. ","linked":true}},"5.9.1.7":{"Will utilizing cameras to monitor the activities of visitors meet the policy requirement to escort visitors at all times and monitor activity? ":{"section":"5.9.1.7","title":"Will utilizing cameras to monitor the activities of visitors meet the policy requirement to escort visitors at all times and monitor activity? ","body":"No, the use of cameras to monitor a visitor to a physically secure location does not constitute an escort. 
\n \nWhile a camera can serve as a great monitoring and detection tool, it cannot offer the same deterrence and preventative assurance measures necessary to ensure the protection and integrity of the physically secure location.","linked":true}},"5.5.3":{"Per the CJIS Security Policy (CSP), how many unsuccessful login attempts does it take to lock an account? For how long should that account be locked?":{"section":"5.5.3","title":"Per the CJIS Security Policy (CSP), how many unsuccessful login attempts does it take to lock an account? For how long should that account be locked?","body":"After a limit of no more than 5 consecutive invalid attempts the system shall automatically lock the account for a minimum of 10 minutes (unless released by an administrator).","linked":true}},"5.4.7":{"What is the minimum amount of time our department must maintain a log of our National Crime Information Center (NCIC) transactions? ":{"section":"5.4.7","title":"What is the minimum amount of time our department must maintain a log of our National Crime Information Center (NCIC) transactions? ","body":"A log shall be maintained for a minimum of one year for all NCIC transactions. ","linked":true}},"5.8.1":{"I have Criminal Justice Information (CJI) data stored on hard drives in a controlled area. Do I have to encrypt the CJI data?":{"section":"5.8.1","title":"I have Criminal Justice Information (CJI) data stored on hard drives in a controlled area. Do I have to encrypt the CJI data?","body":"Yes, unless the CJI is stored in a safe or other secured storage where access is limited to authorized personnel. See CJIS Security Policy section 5.9.2, Controlled Area, for additional requirements. ","linked":true},"Is Criminal Justice Information (CJI) permitted to be saved or stored on a workstation? If so, must the CJI be encrypted?":{"section":"5.8.1","title":"Is Criminal Justice Information (CJI) permitted to be saved or stored on a workstation? 
If so, must the CJI be encrypted?","body":"CJI may be saved unencrypted to a workstation that is within a physically secure location, but must be encrypted if saved to a workstation that resides outside the physically secure location. ","linked":true}},"5.11":{"What happens if we are unable to fix all the negative audit findings? Will the FBI revoke our access to CJI? ":{"section":"5.11","title":"What happens if we are unable to fix all the negative audit findings? Will the FBI revoke our access to CJI? ","body":"The FBI does not independently revoke access. Negative audit findings will be part of the final report submitted to the Advisory Policy Board (APB) or Compact Council Sanctions Subcommittee and will be addressed within this subcommittee. Sanctions committee recommendations are vetted through the advisory process and it is through this process that continued access privileges are determined. ","linked":true}},"5.5.5":{"We understand that laptops in patrol cars are exempt from session lock. Once removed from the car, though, session locks are required. Since our agency policy allows for the removal of laptops from the patrol cars, would it be acceptable to have a policy requiring the officer to manually initiate a session lock once the laptop has been removed from the patrol car even though it's not a technical solution?":{"section":"5.5.5","title":"We understand that laptops in patrol cars are exempt from session lock. Once removed from the car, though, session locks are required. Since our agency policy allows for the removal of laptops from the patrol cars, would it be acceptable to have a policy requiring the officer to manually initiate a session lock once the laptop has been removed from the patrol car even though it's not a technical solution?","body":"Yes, a policy can accomplish the desired outcome of the requirement in the absence of a technical solution. 
We would recommend including mitigation efforts for instances of policy non-compliance.","linked":true},"An officer logs into our state's CJIS system utilizing Advanced Authentication (AA). If the officer initiates a session lock, is he/she required to perform AA in order to regain access to the application that is already connected?":{"section":"5.5.5","title":"An officer logs into our state's CJIS system utilizing Advanced Authentication (AA). If the officer initiates a session lock, is he/she required to perform AA in order to regain access to the application that is already connected?","body":"There is no requirement for using AA simply to unlock the screen. ","linked":true}},"5.4.1":{"Our agency has wanted to create an all-in-one logging solution in which all the required logs would be sent to a centralized syslog server. We have found this to be difficult to establish due to our financial budget. So, are we authorized under the CJIS Security Policy (CSP) to utilize a distributed logging solution (i.e. Active Directory logging + mobile data terminal (MDT) software + message switch logging)? ":{"section":"5.4.1","title":"Our agency has wanted to create an all-in-one logging solution in which all the required logs would be sent to a centralized syslog server. We have found this to be difficult to establish due to our financial budget. So, are we authorized under the CJIS Security Policy (CSP) to utilize a distributed logging solution (i.e. Active Directory logging + mobile data terminal (MDT) software + message switch logging)? ","body":"Absolutely. The CSP does not dictate the means by which logs will be managed. While it may not be a desirable method, manual recording of activities is also acceptable in the event no automated system is in place to do so. 
","linked":true}},"5.13.4.3":{"Are personal firewalls only required for laptops or are they also required for handheld devices - phones, Blackberries, and so on?":{"section":"5.13.4.3","title":"Are personal firewalls only required for laptops or are they also required for handheld devices - phones, Blackberries, and so on?","body":"Mobile devices with limited feature operating systems (i.e. tablets, smartphones) may not support personal firewalls. However, if the agency can demonstrate that the firewall protection provided by an enterprise server is pushed down to the devices and provides the same level of protection as a personal firewall, such as with a mobile device management (MDM) or enterprise mobile management (EMM) service, it could be acceptable. In order to make the final determination on this capability, the ISO program would typically look at the individual implementation and work with both the agency and the state ISO to make recommendations of compliance. ","linked":true}},"5.9.1.5":{"To comply with the CJIS Security Policy (CSP) requirements for a physically secure location, is it necessary to shut down a Mobile Data Terminal (MDT) to maintain security while transporting an arrestee or if a citizen was to walk up to a police car while the MDT is in use?":{"section":"5.9.1.5","title":"To comply with the CJIS Security Policy (CSP) requirements for a physically secure location, is it necessary to shut down a Mobile Data Terminal (MDT) to maintain security while transporting an arrestee or if a citizen was to walk up to a police car while the MDT is in use?","body":"As much as possible. It is recommended that during the times when Criminal Justice Information (CJI) is being processed, the officer should attempt to exercise control over the display (as seen in Section 5.9.1.5) to prevent viewing of CJI by unauthorized personnel. 
At other times, we recommend the use of session locks (though not required for MDTs while in police vehicles), screen protectors/filters, or screen savers, etc... to minimize any risk associated with arrestees or private citizens viewing the screen. ","linked":true}},"2.2":{"Our agency has been considering using tablets (Android or iPads) for everyday use. The tablets would have both cellular (3G and 4G) and wireless (Wi-Fi) connectivity. The intent is to allow the iPad to establish a FIPS 140-2 certified virtual private network (VPN) connection to the local agency network where access to Criminal Justice Information (CJI) would be possible. Is the use of tablets authorized under the CJIS Security Policy (CSP)?":{"section":"2.2","title":"Our agency has been considering using tablets (Android or iPads) for everyday use. The tablets would have both cellular (3G and 4G) and wireless (Wi-Fi) connectivity. The intent is to allow the iPad to establish a FIPS 140-2 certified virtual private network (VPN) connection to the local agency network where access to Criminal Justice Information (CJI) would be possible. Is the use of tablets authorized under the CJIS Security Policy (CSP)?","body":"The question when considering the use of tablets, or any other mobile device, is whether Criminal Justice Information (CJI) will be transmitted, received, viewed, or stored. If so, the requirements of the CSP become effective for the scenario in which CJI is handled irrespective of the platform utilized.\n \nTablet requirements for compliance are determined based on the level of access required and the capabilities of the tablet device. So, for example if the tablet has Wi-Fi capability, the requirements of section 5.13.1.1 will apply. If the tablet has cellular network capability, then the requirements of section 5.13.1.2 will be applicable, and so on.\n \nThe principle of least functionality (5.7.1.1) is important to apply to tablets and other mobile devices. 
Only the essential, required capabilities of the device should be active and accessible to the user. For example, if Bluetooth connectivity is available on the device but not required then it should be disabled to protect the device from external threats.\n","linked":true},"Can an agency be compliant with the CJIS Security Policy (CSP) and cloud compute?":{"section":"2.2","title":"Can an agency be compliant with the CJIS Security Policy (CSP) and cloud compute?","body":"Because the CSP is device and architecture independent, the answer is yes, and this can be accomplished, assuming the provider/vendor of the cloud technology is able to meet the technical, physical, and personnel security requirements of the CSP.\n \nDue to the general business model for cloud computing, there will be some level of reduced agency control that is transferred to the cloud service provider. This does not reduce the CSP requirements. On the contrary, this means that the outsourcing agency must use due diligence to ensure the CSP requirements will be fulfilled.\n","linked":true}},"5.8.2.1":{"What controls are needed when transporting a mobile device, such as a laptop, flash drive, etc. that may have Criminal Justice Information (CJI) or residual CJI data on it.":{"section":"5.8.2.1","title":"What controls are needed when transporting a mobile device, such as a laptop, flash drive, etc. that may have Criminal Justice Information (CJI) or residual CJI data on it.","body":"Encryption (as specified in section 5.10.1.2) is the optimal control during transport. If encryption of the data is not a possibility, then each agency shall institute other controls to ensure the security of the data.","linked":true}},"5.6.4":{"Our police department is small and only employs two information technology (IT) personnel to handle all our networking configurations and changes. 
In this type of environment, is it necessary to reflect all changes on a network diagram when the only two personnel that handle this are aware of the change?":{"section":"5.6.4","title":"Our police department is small and only employs two information technology (IT) personnel to handle all our networking configurations and changes. In this type of environment, is it necessary to reflect all changes on a network diagram when the only two personnel that handle this are aware of the change?","body":"Yes. Network diagrams are required and should be updated (to include date of last update) when changes to the network are made. ","linked":true}},"5.13.2":{"Our agency has been reviewing potential MDM solutions for our mobile devices. Some of the prominent products advertise \"cloud-based\" MDM controls. Are there any concerns with using a \"cloud-based\" MDM solution?":{"section":"5.13.2","title":"Our agency has been reviewing potential MDM solutions for our mobile devices. Some of the prominent products advertise \"cloud-based\" MDM controls. Are there any concerns with using a \"cloud-based\" MDM solution?","body":"Typically, \"cloud-based\" MDM products simply allow administrative controls to be managed by a user accessing the controls via an Internet connection \"in the cloud.\" If this is the case, and no CJI data could be made accessible via this connection this would be permissible.","linked":true}},"3.2.8":{"Who has the authority to appoint the (CSA) ISO?":{"section":"3.2.8","title":"Who has the authority to appoint the (CSA) ISO?","body":"The CJIS Systems Officer (CSO) appoints the CSA ISO. ","linked":true}},"5.6.2":{"Per the CJIS Security Policy must the authentication occur at the Local Agency or CSO, but can fingerprint scanners built into laptops be used to satisfy the requirement for Advanced Authentication (AA)? 
":{"section":"5.6.2","title":"Per the CJIS Security Policy must the authentication occur at the Local Agency or CSO, but can fingerprint scanners built into laptops be used to satisfy the requirement for Advanced Authentication (AA)? ","body":"Authentication of the fingerprints must be accomplished at the Local Agency or CSO level. Agencies can use fingerprint readers to capture the fingerprint attributes but they can't use the cached information stored on the laptop as the authenticator for access to CJI. The scanned attributes must be asserted to the local agency or CSO where the authentication of the individual will be verified. ","linked":true}},"5.9.2":{"Does an agency that designates a controlled area need to maintain a record of any visitors to the area?":{"section":"5.9.2","title":"Does an agency that designates a controlled area need to maintain a record of any visitors to the area?","body":"No. There is no requirement to maintain visitor access records for a controlled area; however, measures must be taken to limit access to the controlled area during times of CJI processing.","linked":true}},"5.8.3":{"Is it necessary to overwrite media three times before it is reused? ":{"section":"5.8.3","title":"Is it necessary to overwrite media three times before it is reused? ","body":"Yes. Per Section 5.8.3 of the CJIS Security Policy (CSP), this is required for the sanitization of electronic media.","linked":true}},"3.2.9":{"Do LASOs have to be an employee of the criminal justice agency (CJA)? We ask, because our agency believes that the duties of a LASO indicate the person has to have authority to perform the duties.":{"section":"3.2.9","title":"Do LASOs have to be an employee of the criminal justice agency (CJA)? We ask, because our agency believes that the duties of a LASO indicate the person has to have authority to perform the duties.","body":"The CJIS Security Policy (CSP) does not require a LASO be a CJA employee. 
However, the implication of the LASO appointment is that authority required for the role would be available. ","linked":true}},"5.5.6.1":{"Our agency has recently implemented policy permitting the use of personally owned laptop computers. In order for laptops to be given approval, they must be brought to our IT security team to be inspected on a bi-monthly basis to ensure all necessary software and protections are in place to meet compliance with both the CJIS Security Policy (CSP) and our local policies. Do these conditions meet the CSP requirements for allowing personally owned information systems?":{"section":"5.5.6.1","title":"Our agency has recently implemented policy permitting the use of personally owned laptop computers. In order for laptops to be given approval, they must be brought to our IT security team to be inspected on a bi-monthly basis to ensure all necessary software and protections are in place to meet compliance with both the CJIS Security Policy (CSP) and our local policies. Do these conditions meet the CSP requirements for allowing personally owned information systems?","body":"Yes. However, the CJIS ISO recommends personally owned devices be inspected monthly to ensure continued compliance with both the CSP and your local policies. \n","linked":true}},"5.10.2":{"The county sheriff's office regularly sends printed NCIC files to the state police and does so via a multi-function copier/printer/fax machine that is connected to the Internet. It is our understanding that faxed documents are sent via the Internet and received by the recipient in their email. Is encryption required in this scenario?":{"section":"5.10.2","title":"The county sheriff's office regularly sends printed NCIC files to the state police and does so via a multi-function copier/printer/fax machine that is connected to the Internet. It is our understanding that faxed documents are sent via the Internet and received by the recipient in their email. 
Is encryption required in this scenario?","body":"Yes, encryption would be required in this scenario, because the document containing CJI is automatically converted to a digital file and routed to the recipient's email through the Internet. Remember, encryption in transit using FIPS 140-2 certified 128-bit symmetric encryption is required.","linked":true},"Our agency at times is required to print the results from an NCIC query and send them to the sheriff's office in the adjoining county via fax. The fax machine (single function device) is connected to a traditional telephone line, not the Internet. Is encryption required in our case?":{"section":"5.10.2","title":"Our agency at times is required to print the results from an NCIC query and send them to the sheriff's office in the adjoining county via fax. The fax machine (single function device) is connected to a traditional telephone line, not the Internet. Is encryption required in our case?","body":"No, encryption is not required, because the document travels over a traditional telephone line.","linked":true}},"5.5.6.2":{"Can an officer use a public library computer to access Criminal Justice Information (CJI)?":{"section":"5.5.6.2","title":"Can an officer use a public library computer to access Criminal Justice Information (CJI)?","body":"No, using publicly accessible computers to access, process, store or transmit CJI is prohibited. Some examples of publicly accessible computers include but are not limited to: hotel business center computers, convention center computers, public library computers, public kiosk computers, etc. ","linked":true}}}