CJIS Compliance – What does it mean in the software world?

Many public safety professionals perform their duties in the field rather than in an office. Software is key to ensuring both in-office and professionals in the field can record, track, access, and use mission-critical data in real time. However, enabling remote access to this data via mobile devices like laptops, tablets, or smartphones comes with its own security risks.

CJIS Security Policy Requirements

As a response to those risks and in order to prevent CJI data from getting into the wrong hands, the CJIS Security Policy was established with specific requirements regarding:

  1. Sharing CJI data between organizations or agencies.
  2. Security awareness training for employees handling CJIS-protected data.
  3. Incident detection and response.
  4. Audits and accountability for CJI data use.
  5. Controlling who can access, download, upload, transfer, and delete secure data.
  6. Authentication and identification.
  7. Configuration management.
  8. Digital protection of CJI data both while in transit and when at rest.
  9. Physical protection of CJI data.
  10. Organizational systems and communications protection.
  11. Formal audits of agencies.
  12. Security screenings and background checks for personnel within an organization.
  13. Usage restrictions for mobile devices.

CJI Data and Your Public Safety Software

The data your agency handles is sensitive in nature, and this sensitive data is likely housed within your public safety software system. To comply with the CJIS security policy, measures must be put in place by your agency for the software systems you use.

For example, Article 4, which covers identification and authentication, requires your software system’s limiting of user login attempts and recording of all login activity. Putting these safety measures in place is intended to keep your data housed within the software more secure and less at risk of being accessed by unauthorized personnel.

Data encryption is another requirement the CJIS has established for agencies in storing, using, and electronically communicating sensitive data. To maintain CJIS compliance, software that involves criminal justice information must:

– Encrypt data at a minimum of 128 bits

– Use decryption keys that are complex and comprised of 10+ characters, including uppercase letters, lower case letters, numbers, and special characters.

Each requirement adds another layer of security to the sensitive data housed within your public safety software.

Maintaining CJIS Compliance with Software

As a public safety organization it is vital for you and your personnel to not just understand these policy articles, but also understand when these apply, i.e. do you track CJI in your in-service training documents, personnel evaluations, field training documents? Only then can you determine how you will maintain compliance with the CJIS security policy that your department has established. 

Many vendors incorrectly state that their solution is “CJIS certified.” There is no such thing. Having a CJIS compliant solution relies on a shared responsibility between the vendor and the agency. It’s important to remember that some of the requirements can only be met by those directly within your organization. By both implementing and utilizing best practices as recommended by the FBI, you can maintain compliance, keep your sensitive data secure, and enable more efficient operations within your agency.

To learn more about MdE or to get your department started with our public safety training solutions, call MdE, Inc. today at 1.877.500.5396 or email us at MdE@MdE-Inc.com.