U.S. Department of Justice
Federal Bureau of Investigation
Criminal Justice Information Services Division

Criminal Justice Information Services (CJIS) Security Policy

Version 5.3
8/4/2014
CJISD-ITS-DOC-08140-5.3

Prepared by: CJIS Information Security Officer
Approved by: CJIS Advisory Policy Board

EXECUTIVE SUMMARY

Law enforcement needs timely and secure access to services that provide data wherever and whenever for stopping and reducing crime. In response to these needs, the Advisory Policy Board (APB) recommended to the Federal Bureau of Investigation (FBI) that the Criminal Justice Information Services (CJIS) Division authorize the expansion of the existing security management structure in 1998. Administered through a shared management philosophy, the CJIS Security Policy contains information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI). The Federal Information Security Management Act of 2002 provides further legal basis for the APB approved management, operational, and technical security requirements mandated to protect CJI and by extension the hardware, software and infrastructure required to enable the services provided by the criminal justice community.

The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. This Policy applies to every individual (contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity) with access to, or who operate in support of, criminal justice services and information.

The CJIS Security Policy integrates presidential directives, federal laws, FBI directives and the criminal justice community's APB decisions along with nationally recognized guidance from the National Institute of Standards and Technology. The Policy is presented at both strategic and tactical levels and is periodically updated to reflect the security requirements of evolving business models. The Policy features modular sections enabling more frequent updates to address emerging threats and new security measures. The provided security criteria assist agencies with designing and implementing systems to meet a uniform level of risk and security protection while enabling agencies the latitude to institute more stringent security requirements and controls based on their business model and local needs.

The CJIS Security Policy strengthens the partnership between the FBI and CJIS Systems Agencies (CSA), including, in those states with separate authorities, the State Identification Bureaus (SIB). Further, as use of criminal history record information for noncriminal justice purposes continues to expand, the CJIS Security Policy becomes increasingly important in guiding the National Crime Prevention and Privacy Compact Council and State Compact Officers in the secure exchange of criminal justice records.

The Policy describes the vision and captures the security concepts that set the policies, protections, roles, and responsibilities with minimal impact from changes in technology. The Policy empowers CSAs with the insight and ability to tune their security programs according to their needs, budgets, and resource constraints while remaining compliant with the baseline level of security set forth in this Policy. The CJIS Security Policy provides a secure framework of laws, standards, and elements of published and vetted policies for accomplishing the mission across the broad spectrum of the criminal justice and noncriminal justice communities.

CHANGE MANAGEMENT

Revision | Change | Created/Changed by | Date | Approved By
5.0 | Policy Rewrite | Security Policy Working Group | 02/09/2011 | See Signature Page
5.1 | Incorporate Calendar Year 2011 APB approved changes and administrative changes | CJIS ISO Program Office | 07/13/2012 | APB Compact Council
5.2 | Incorporate Calendar Year 2012 APB approved changes and administrative changes | CJIS ISO Program Office | 08/09/2013 | APB Compact Council
5.3 | Incorporate Calendar Year 2013 APB approved changes and administrative changes | CJIS ISO Program Office | 08/04/2014 | APB Compact Council

SUMMARY OF CHANGES

Version 5.3

APB Approved Changes

1. Section 5.3 Policy Area 3: Incident Response: added reference to new Section 5.13.5, Fall 2013, APB11, SA6, Future CSP for Mobile Devices.
2. Section 5.4 Policy Area 4: Auditing and Accountability: added reference to new Section 5.13.6, Fall 2013, APB11, SA6, Future CSP for Mobile Devices.
3. Section 5.5 Policy Area 5: Access Control: added reference to new Section 5.13.7, APB approved change, Fall 2013, APB11, SA6, Future CSP for Mobile Devices.
4. Section 5.5.5 Session Lock: added language for receive only terminals (ROT), Spring 2013, APB12, add ROT language.
5. Section 5.5.6.1 Personally Owned Information Systems: modified language and requirements for bring your own device(s) (BYOD), Fall 2013, APB11, SA6, Future CSP for Mobile Devices.
6. Section 5.5.7 Wireless Access Restrictions: moved to Section 5.13, Fall 2013, APB11, SA6, Future CSP for Mobile Devices.
7. Section 5.6.2.1 Standard Authenticators: modified language, Fall 2013, APB11, SA6, Future CSP for Mobile Devices.
8. Section 5.6.2.1.2 Personal Identification Number (PIN): added language from Appendix PIN, Fall 2013, APB11, SA6, Future CSP for Mobile Devices.
9. Section 5.6.2.2.1 Advanced Authentication Policy and Rationale: removed Interim Compliance language, Spring 2013, APB12, SA5, AA exemption for police vehicles.
10. Section 5.6.2.2.1 Advanced Authentication Policy and Rationale: added language for compensating controls, Spring 2013, APB12, SA8, compensating controls for AA on smartphones.
11. Section 5.6.2.2.1 Advanced Authentication Policy and Rationale: added language for indirect access, Fall 2013, APB 1, AA for Indirect Access.
12. Section 5.6.2.2.2 Advanced Authentication Decision Tree: added steps related to the use of compensating controls, Spring 2013, APB12, SA8, compensating controls for AA on smartphones.
13. Figure 8 Advanced Authentication Use Cases: added "Use Case 7 Advanced Authentication Compensating Controls on Agency Issued Smartphones", Spring 2013, APB12, SA8, compensating controls for AA on smartphones.
14. Figure 10 Advanced Authentication Decision Tree: updated tree to remove steps related to the Interim Compliance, Spring 2013, APB12, SA5, AA exemption for police vehicles.
15. Figure 10 Advanced Authentication Decision Tree: updated tree to include steps related to the use of compensating controls, Spring 2013, APB12, SA8, compensating controls for AA on smartphones.
16. Section 5.8.2.1 Electronic Media in Transit: changed section title to Digital Media during Transit and modify language, Fall 2013, APB11, SA6, Future CSP for Mobile Devices.
17. Section 5.9.1 Physically Secure Location: added language for police vehicle, Spring 2013, APB12, SA5, AA exemption for police vehicles.
18. Section 5.9.1 Physically Secure Location: removed Interim Compliance language, Spring 2013, APB12, SA5, AA exemption for police vehicles.
19. Section 5.10 System and Communications Protection and Information Integrity: added reference to new Section 5.13.4, Fall 2013, APB11, SA6, Future CSP for Mobile Devices.
20. Section 5.10.1.2 added language for Fall 2013, APB11, SA3, standards for CJI at rest.
21. Section 5.10.1.2 added language for exception, Fall 2013, APB11, SA3, standards for CJI at rest.
22. Section 5.10.4.4 Personal Firewall: moved to new Section 5.13.4.5, Fall 2013, APB11, SA6, Future CSP for Mobile Devices.
23. Policy Area 5.13 Mobile Device Security: added new policy area and approved changes to affected policy sections, Fall 2013, APB11, SA6, Future CSP for Mobile Devices.
24. Appendix A Terms and Definitions: added definition for Compensating Controls, Digital Media, Indirect Access, Laptop Devices, Physical Media, Pocket/Handheld Mobile Devices, Receive-Only Terminal (ROT), Smartphone, Tablet Devices, various APB actions.
25. Appendix A Terms and Definitions: added "a police vehicle," to definition of Physically Secure Location, Spring 2013, SA5, AA exemption for police vehicles.
26. Appendix A Terms and Definitions: removed Interim Compliance language from definition of Physically Secure Location, Spring 2013, APB12, SA5, AA exemption for police vehicles.
27. Appendix Acronyms: added LMR Land Mobile Radio, Fall 2013, APB11, SA6, Future CSP for Mobile Devices.
28. Appendix PIN: deleted appendix, Fall 2013, APB11, SA6, Future CSP for Mobile Devices.

Administrative Changes

1. Section 3.2.7 Agency Coordinator changed to
2. Section 4.2.2 NCIC Restricted Files: removed current 4. Immigration Violator File (formerly the Deported Felon Files) and renumber list
3. Section 4.2.2 NCIC Restricted Files: added new file categories; Violent Persons File, NICS Denied Transaction File
4. Section 5.5.2.4 Access Control Mechanisms removed language for consistency based on Fall 2013, APB11, SA3, standards for CJI at rest
5. Section 5.5.8 renumbered due to prior section change
6. Section 5.6.2.2.2 Advanced Authentication Decision Tree removed language for consistency based on Spring 2013, APB12, SA5, AA exemption for police vehicles
7. Section 5.6.2.2.2 Advanced Authentication Decision Tree removed language for consistency based on Spring 2013, APB12, SA5, AA exemption for police vehicles
8. Section 5.9.1.1 Security Perimeter: added to first sentence
9. Sections 5.10.4.5 5.10.4.6: renumbered due to prior section change
10. Appendix A Terms and Definitions, Agency Coordinator: changed to
11. Appendix D.2 Management Control Agreement: added language to bullet (2)
12. Appendix D.2 Management Control Agreement: added opening quote to reference to Section 5.1.1.4
13. Appendix F.1 IT Security Incident Response Form: added line for affected system descriptor/function file server, RMS server, web server, workstation,
14. Appendix Security Addendum: changed to
15. Appendix I first reference: added end quote after reference title

KEY TO APB APPROVED CHANGES (e.g., "Fall 2013, APB11, SA6, Future CSP for Mobile Devices"):

Fall 2013: Advisory Policy Board cycle and year
APB11: Advisory Policy Board Topic number
SA6: Security and Access Subcommittee Topic number
Future CSP for Mobile Devices: Topic Title

TABLE OF CONTENTS

Executive Summary
Change Management
Summary of Changes
Table of Contents
List of Figures
1 Introduction
1.1 Purpose
1.2 Scope
1.3 Relationship to Local Security Policy and Other Policies
1.4 Terminology Used in This Document
1.5 Distribution of the CJIS Security Policy
2 CJIS Security Policy Approach
2.1 CJIS Security Policy Vision Statement
2.2 Architecture Independent
2.3 Risk Versus Realism
3 Roles and Responsibilities
3.1 Shared Management Philosophy
3.2 Roles and Responsibilities for Agencies and Parties
3.2.1 CJIS Systems Agencies (CSA)
3.2.2 CJIS Systems Officer (CSO)
3.2.3 Terminal Agency Coordinator (TAC)
3.2.4 Criminal Justice Agency (CJA)
3.2.5 Noncriminal Justice Agency (NCJA)
3.2.6 Contracting Government Agency (CGA)
3.2.7 Agency Coordinator (AC)
3.2.8 CJIS Systems Agency Information Security Officer (CSA ISO)
3.2.9 Local Agency Security Officer (LASO)
3.2.10 FBI CJIS Division Information Security Officer (FBI CJIS ISO)
3.2.11 Repository Manager
3.2.12 Compact Officer
4 Criminal Justice Information and Personally Identifiable Information
4.1 Criminal Justice Information (CJI)
4.1.1 Criminal History Record Information (CHRI)
4.2 Access, Use and Dissemination of Criminal History Record Information (CHRI), NCIC Restricted Files Information, and NCIC Non-Restricted Files Information
4.2.1 Proper Access, Use, and Dissemination of CHRI
4.2.2 Proper Access, Use, and Dissemination of NCIC Restricted Files Information
4.2.3 Proper Access, Use, and Dissemination of NCIC Non-Restricted Files Information
4.2.3.1 For Official Purposes
4.2.3.2 For Other Authorized Purposes
4.2.3.3 CSO Authority in Other Circumstances
4.2.4 Storage
4.2.5 Justification and Penalties
4.2.5.1 Justification
4.2.5.2 Penalties
4.3 Personally Identifiable Information (PII)
5 Policy and Implementation
5.1 Policy Area 1: Information Exchange Agreements
5.1.1 Information Exchange
5.1.1.1 Information Handling
5.1.1.2 State and Federal Agency User Agreements
5.1.1.3 Criminal Justice Agency User Agreements
5.1.1.4 Interagency and Management Control Agreements
5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum
5.1.1.6 Agency User Agreements
5.1.1.7 Outsourcing Standards for Channelers
5.1.1.8 Outsourcing Standards for Non-Channelers
5.1.2 Monitoring, Review, and Delivery of Services
5.1.2.1 Managing Changes to Service Providers
5.1.3 Secondary Dissemination
5.1.4 Secondary Dissemination of CJI
5.1.5
5.2 Policy Area 2: Security Awareness Training
5.2.1 Awareness Topics
5.2.1.1 All Personnel
5.2.1.2 Personnel with Physical and Logical Access
5.2.1.3 Personnel with Information Technology Roles
5.2.2 Security Training Records
5.2.3
5.3 Policy Area 3: Incident Response
5.3.1 Reporting Information Security Events
5.3.1.1 Reporting Structure and Responsibilities
5.3.1.1.1 FBI CJIS Division Responsibilities
5.3.1.1.2 CSA ISO Responsibilities
5.3.2 Management of Information Security Incidents
5.3.2.1 Incident Handling
5.3.2.2 Collection of Evidence
5.3.3 Incident Response Training
5.3.4 Incident Monitoring
5.3.5
5.4 Policy Area 4: Auditing and Accountability
5.4.1 Auditable Events and Content (Information Systems)
5.4.1.1 Events
5.4.1.1.1 Content
5.4.2 Response to Audit Processing Failures
5.4.3 Audit Monitoring, Analysis, and Reporting
5.4.4 Time Stamps
5.4.5 Protection of Audit Information
5.4.6 Audit Record Retention
5.4.7 Logging NCIC and Transactions
5.4.8
5.5 Policy Area 5: Access Control
5.5.1 Account Management
5.5.2 Access Enforcement
5.5.2.1 Least Privilege
5.5.2.2 System Access Control
5.5.2.3 Access Control Criteria
5.5.2.4 Access Control Mechanisms
5.5.3 Unsuccessful Login Attempts
5.5.4 System Use Notification
5.5.5 Session Lock
5.5.6 Remote Access
5.5.6.1 Personally Owned Information Systems
5.5.6.2 Publicly Accessible Computers
5.5.7
5.6 Policy Area 6: Identification and Authentication
5.6.1 Identification Policy and Procedures
5.6.1.1 Use of Originating Agency Identifiers in Transactions and Information Exchanges
5.6.2 Authentication Policy and Procedures
5.6.2.1 Standard Authenticators
5.6.2.1.1 Password
5.6.2.1.2 Personal Identification Number (PIN)
5.6.2.2 Advanced Authentication
5.6.2.2.1 Advanced Authentication Policy and Rationale
5.6.2.2.2 Advanced Authentication Decision Tree
5.6.3 Identifier and Authenticator Management
5.6.3.1 Identifier Management
5.6.3.2 Authenticator Management
5.6.4 Assertions
5.6.5
5.7 Policy Area 7: Configuration Management
5.7.1 Access Restrictions for Changes
5.7.1.1 Least Functionality
5.7.1.2 Network Diagram
5.7.2 Security of Configuration Documentation
5.7.3
5.8 Policy Area 8: Media Protection
5.8.1 Media Storage and Access
5.8.2 Media Transport
5.8.2.1 Digital Media during Transport
5.8.2.2 Physical Media in Transit
5.8.3 Electronic Media Sanitization and Disposal
5.8.4 Disposal of Physical Media
5.8.5
5.9 Policy Area 9: Physical Protection
5.9.1 Physically Secure Location
5.9.1.1 Security Perimeter
5.9.1.2 Physical Access Authorizations
5.9.1.3 Physical Access Control
5.9.1.4 Access Control for Transmission Medium
5.9.1.5 Access Control for Display Medium
5.9.1.6 Monitoring Physical Access
5.9.1.7 Visitor Control
5.9.1.8 Delivery and Removal
5.9.2 Controlled Area
5.9.3
5.10 Policy Area 10: System and Communications Protection and Information Integrity
5.10.1 Information Flow Enforcement
5.10.1.1 Boundary Protection
5.10.1.2
5.10.1.3 Intrusion Detection Tools and Techniques
5.10.1.4 Voice over Internet Protocol
5.10.1.5 Cloud Computing
5.10.2 Facsimile Transmission of CJI
5.10.3 Partitioning and Virtualization
5.10.3.1 Partitioning
5.10.3.2 Virtualization
5.10.4 System and Information Integrity Policy and Procedures
5.10.4.1 Patch Management
5.10.4.2 Malicious Code Protection
5.10.4.3 Spam and Spyware Protection
5.10.4.4 Security Alerts and Advisories
5.10.4.5 Information Input Restrictions
5.10.5
5.11 Policy Area 11: Formal Audits
5.11.1 Audits by the FBI CJIS Division
5.11.1.1 Triennial Compliance Audits by the FBI CJIS Division
5.11.1.2 Triennial Security Audits by the FBI CJIS Division
5.11.2 Audits by the CSA
5.11.3 Special Security Inquiries and Audits
5.11.4
5.12 Policy Area 12: Personnel Security
5.12.1 Personnel Security Policy and Procedures
5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to
5.12.1.2 Personnel Screening for Contractors and Vendors
5.12.2 Personnel Termination
5.12.3 Personnel Transfer
5.12.4 Personnel Sanctions
5.12.5
5.13 Policy Area 13: Mobile Devices
5.13.1 Wireless Communications Technologies
5.13.1.1 All 802.11 Wireless Protocols
5.13.1.2 Cellular
5.13.1.2.1 Cellular Service Abroad
5.13.1.2.2 Voice Transmissions Over Cellular Devices
5.13.1.3 Bluetooth
5.13.2 Mobile Device Management (MDM)
5.13.3 Wireless Device Risk Mitigations
5.13.3.1 Legacy 802.11 Protocols
5.13.4 System Integrity
5.13.4.1 Patching/Updates
5.13.4.2 Malicious Code Protection
5.13.4.3 Physical Protection
5.13.4.4 Personal Firewall
5.13.5 Incident Response
5.13.6 Auditing and Accountability
5.13.7 Access Control
5.13.8 Wireless Hotspot Capability
5.13.9 Identification and Authentication
5.13.9.1 Local Device Authentication
5.13.10 Device Certificates
Appendices
Appendix A Terms and Definitions
Appendix Acronyms
Appendix Network Topology Diagrams
Appendix Sample Information Exchange Agreements
D.1 CJIS User Agreement
D.2 Management Control Agreement
D.3 Noncriminal Justice Agency Agreement Memorandum of Understanding
D.4 Interagency Connection Agreement
Appendix Security Forums and Organizational Entities
Appendix Sample Forms
F.1 IT Security Incident Response Form
Appendix Best practices
G.1 Virtualization
G.2 Voice over Internet Protocol White Paper
G.3 Cloud Computing White Paper
G.4 Mobile Appendix
Appendix Security Addendum
Appendix I References
Appendix Noncriminal Justice Agency Supplemental Guidance
Appendix Criminal Justice Agency Supplemental Guidance

LIST OF FIGURES

Figure 1 Overview Diagram of Strategic Functions and Policy Components
Figure 2 Dissemination of restricted and non-restricted NCIC data
Figure 3 Information Exchange Agreements Implemented by a Local Police Department
Figure 4 Security Awareness Training Implemented by a Local Police Department
Figure 5 Incident Response Process Initiated by an Incident in a Local Police Department
Figure 6 Local Police Department's Use of Audit Logs
Figure 7 A Local Police Department's Access Controls
Figure 8 Advanced Authentication Use Cases
Figure 9 Authentication Decision for Known Location
Figure 10 Authentication Decision for Unknown Location
Figure 11 A Local Police Department's Configuration Management Controls
Figure 12 A Local Police Department's Media Management Policies
Figure 13 A Local Police Department's Physical Protection Measures
Figure 14 A Local Police Department's Information Systems Communications Protections
Figure 15 The Audit of a Local Police Department
Figure 16 A Local Police Department's Personnel Security Controls

1 INTRODUCTION

This section details the purpose of this document, its scope, relationship to other information security policies, and its distribution constraints.

1.1 Purpose

The CJIS Security Policy provides Criminal Justice Agencies (CJA) and Noncriminal Justice Agencies (NCJA) with a minimum set of security requirements for access to Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Division systems and information and to protect and safeguard Criminal Justice Information (CJI).
This minimum standard of security requirements ensures continuity of information protection. The essential premise of the CJIS Security Policy is to provide the appropriate controls to protect CJI, from creation through dissemination; whether at rest or in transit.

The CJIS Security Policy integrates presidential directives, federal laws, FBI directives, the criminal justice community's Advisory Policy Board (APB) decisions along with nationally recognized guidance from the National Institute of Standards and Technology (NIST) and the National Crime Prevention and Privacy Compact Council (Compact Council).

1.2 Scope

At the consent of the advisory process, and taking into consideration federal law and state statutes, the CJIS Security Policy applies to all entities with access to, or who operate in support of, FBI CJIS Division's services and information. The CJIS Security Policy provides minimum security requirements associated with the creation, viewing, modification, transmission, dissemination, storage, or destruction of CJI.

Entities engaged in the interstate exchange of CJI data for noncriminal justice purposes are also governed by the standards and rules promulgated by the Compact Council.

1.3 Relationship to Local Security Policy and Other Policies

The CJIS Security Policy may be used as the sole security policy for the agency. The local agency may complement the CJIS Security Policy with a local policy, or the agency may develop their own stand-alone security policy; however, the CJIS Security Policy shall always be the minimum standard and local policy may augment, or increase the standards, but shall not detract from the CJIS Security Policy standards.

The agency shall develop, disseminate, and maintain formal, documented procedures to facilitate the implementation of the CJIS Security Policy and, where applicable, the local security policy.
The policies and procedures shall be consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidance. Procedures developed for CJIS Security Policy areas can be developed for the security program in general, and for a particular information system, when required.

This document is a compendium of applicable policies in providing guidance on the minimum security controls and requirements needed to access FBI CJIS information and services. These policies include presidential directives, federal laws, FBI directives and the criminal justice community's APB decisions. State, local, and Tribal CJA may implement more stringent policies and requirements. Appendix I contains the references while Appendix lists the security forums and organizational entities referenced in this document.

1.4 Terminology Used in This Document

The following terms are used interchangeably throughout this document:

- Agency and Organization: The two terms in this document refer to any entity that submits or receives information, by any means, to/from FBI CJIS systems or services.
- Information and Data: Both terms refer to CJI.
- System, Information System, Service, or named applications like NCIC: all refer to connections to the criminal justice information repositories and the equipment used to establish said connections.

Appendix A and provide an extensive list of the terms and acronyms.

1.5 Distribution of the CJIS Security Policy

The CJIS Security Policy, version 5.0 and later, is a publicly available document and may be posted and shared without restrictions.

2 CJIS SECURITY POLICY APPROACH

The CJIS Security Policy represents the shared responsibility between FBI CJIS, CJIS Systems Agency (CSA), and the State Identification Bureaus (SIB) of the lawful use and appropriate protection of CJI.
The Policy provides a baseline of security requirements for current and planned services and sets a minimum standard for new initiatives.

2.1 CJIS Security Policy Vision Statement

The executive summary of this document describes the vision in terms of business needs for confidentiality, integrity, and availability of information. The APB collaborates with the FBI CJIS Division to ensure that the Policy remains updated to meet evolving business, technology and security needs.

2.2 Architecture Independent

Due to advancing technology and evolving business models, the FBI CJIS Division is transitioning from legacy stovepipe systems and moving toward a flexible services approach. Systems such as National Crime Information Center (NCIC), National Instant Criminal Background Check System (NICS), and Integrated Automated Fingerprint Identification System (IAFIS) will continue to evolve and may no longer retain their current system platforms, hardware, or program name. However, the data and services provided by these systems will remain stable.

The CJIS Security Policy looks at the data (information), services, and protection controls that apply regardless of the implementation architecture. Architectural independence is not intended to lessen the importance of systems, but provide for the replacement of one technology with another while ensuring the controls required to protect the information remain constant. This objective and conceptual focus on security policy areas provide the guidance and standards while avoiding the impact of the constantly changing landscape of technical innovations. The architectural independence of the Policy provides agencies with the flexibility for tuning their information security infrastructure and policies to reflect their own environments.

2.3 Risk Versus Realism

Every "shall" statement contained within the CJIS Security Policy has been scrutinized for risk versus the reality of resource constraints and real-world application.
The purpose of the CJIS Security Policy is to establish the minimum security requirements; therefore, individual agencies are encouraged to implement additional controls to address agency specific risks.

3 ROLES AND RESPONSIBILITIES

3.1 Shared Management Philosophy

In the scope of information security, the FBI CJIS Division employs a shared management philosophy with federal, state, local, and tribal law enforcement agencies. Although an advisory policy board for the NCIC has existed since 1969, the Director of the FBI established the CJIS APB in March 1994 to enable appropriate input and recommend policy with respect to CJIS services. Through the APB and its Subcommittees and Working Groups, consideration is given to the needs of the criminal justice and law enforcement community regarding public policy, statutory and privacy aspects, as well as national security relative to CJIS systems and information. The APB represents federal, state, local, and tribal law enforcement and criminal justice agencies throughout the United States, its territories, and Canada.

The FBI has a similar relationship with the Compact Council, which governs the interstate exchange of criminal history records for noncriminal justice purposes. The Compact Council is mandated by federal law to promulgate rules and procedures for the use of the Interstate Identification Index for noncriminal justice purposes. To meet that responsibility, the Compact Council depends on the CJIS Security Policy as the definitive source for standards defining the security and privacy of records exchanged with noncriminal justice practitioners.

3.2 Roles and Responsibilities for Agencies and Parties

It is the responsibility of all agencies covered under this Policy to ensure the protection of CJI between the FBI CJIS Division and its user community. The following figure provides an abstract representation of the strategic functions and roles such as governance and operations.

[Figure 1 Overview Diagram of Strategic Functions and Policy Components. Columns: Governance, Operations, Policy Structure/Design.]

This section provides a description of the following entities and roles:

1. CJIS Systems Agency.
2. CJIS Systems Officer.
3. Terminal Agency Coordinator.
4. Criminal Justice Agency.
5. Noncriminal Justice Agency.
6. Contracting Government Agency.
7. Agency Coordinator.
8. CJIS Systems Agency Information Security Officer.
9. Local Agency Security Officer.
10. FBI CJIS Division Information Security Officer.
11. Repository Manager.
12. Compact Officer.

3.2.1 CJIS Systems Agencies (CSA)

The CSA is responsible for establishing and administering an information technology security program throughout the user community, to include the local levels. The head of each CSA shall appoint a CJIS Systems Officer (CSO). The CSA may impose more stringent protection measures than outlined in this document. Such decisions shall be documented and kept current.

3.2.2 CJIS Systems Officer (CSO)

The CSO is an individual located within the CSA responsible for the administration of the CJIS network for the CSA. Pursuant to the Bylaws for the CJIS Advisory Policy Board and Working Groups, the role of CSO shall not be outsourced. The CSO may delegate responsibilities to subordinate agencies. The CSO shall set, maintain, and enforce the following:

1. Standards for the selection, supervision, and separation of personnel who have access to CJI.
2. Policy governing the operation of computers, access devices, circuits, hubs, routers, firewalls, and other components that comprise and support a telecommunications network and related CJIS systems used to process, store, or transmit CJI, guaranteeing the priority, confidentiality, integrity, and availability of service needed by the criminal justice community.
a. Ensure appropriate use, enforce system discipline, and ensure CJIS Division operating procedures are followed by all users of the respective services and information.
b. Ensure state/federal agency compliance with policies approved by the APB and adopted by the FBI.
c. Ensure the appointment of the CSA ISO and determine the extent of authority to the CSA ISO.
d. The CSO, or designee, shall ensure that a Terminal Agency Coordinator (TAC) is designated within each agency that has devices accessing CJIS systems.
e. Ensure each agency having access to CJI has someone designated as the Local Agency Security Officer (LASO).
f. Approve access to FBI CJIS systems.
g. Assume ultimate responsibility for managing the security of CJIS systems within their state and/or agency.
h. Perform other related duties outlined by the user agreements with the FBI CJIS Division.
3. Outsourcing of Criminal Justice Functions
a. Responsibility for the management of the approved security requirements shall remain with the CJA. Security control includes the authority to enforce the standards for the selection, supervision, and separation of personnel who have access to CJI, set and enforce policy governing the operation of computers, circuits, and telecommunications terminals used to process, store, or transmit CJI, and to guarantee the priority service needed by the criminal justice community.
b. Responsibility for the management control of network security shall remain with the CJA.
Management control of network security includes the authority to enforce the standards for the selection, supervision, and separation of personnel who have access to CJI; set and enforce policy governing the operation of circuits and network equipment used to transmit CJI; and to guarantee the priority service as determined by the criminal justice community.

3.2.3 Terminal Agency Coordinator (TAC)

The TAC serves as the point-of-contact at the local agency for matters relating to CJIS information access. The TAC administers CJIS systems programs within the local agency and oversees the agency's compliance with CJIS systems policies.

3.2.4 Criminal Justice Agency (CJA)

A CJA is defined as a court, a governmental agency, or any subunit of a governmental agency which performs the administration of criminal justice pursuant to a statute or executive order and which allocates a substantial part of its annual budget to the administration of criminal justice. State and federal Inspectors General Offices are included.

3.2.5 Noncriminal Justice Agency (NCJA)

A NCJA is defined (for the purposes of access to CJI) as an entity or any subunit thereof that provides services primarily for purposes other than the administration of criminal justice.

3.2.6 Contracting Government Agency (CGA)

A CGA is a government agency, whether a CJA or a NCJA, that enters into an agreement with a private contractor subject to the CJIS Security Addendum. The CGA entering into an agreement with a contractor shall appoint an agency coordinator.

3.2.7 Agency Coordinator (AC)

An AC is a staff member of the CGA who manages the agreement between the Contractor and agency. The AC shall be responsible for the supervision and integrity of the system, training and continuing education of employees and operators, scheduling of initial training and testing, and certification testing and all required reports by NCIC. The AC shall:
1.
Understand the communications, records capabilities, and needs of the Contractor which is accessing federal and state records through or because of its relationship with the CGA.
2. Participate in related meetings and provide input and comments for system improvement.
3. Receive information from the CGA (e.g., system updates) and disseminate it to appropriate Contractor employees.
4. Maintain and update manuals applicable to the effectuation of the agreement, and provide them to the Contractor.
5. Maintain up-to-date records of Contractor's employees who access the system, including name, date of birth, social security number, date fingerprint card(s) submitted, date security clearance issued, and date initially trained, tested, certified or recertified (if applicable).
6. Train or ensure the training of Contractor personnel. If Contractor personnel access NCIC, schedule the operators for testing or a certification exam with the CSA staff, or AC staff with permission from the CSA staff. Schedule new operators for the certification exam within six (6) months of assignment. Schedule certified operators for biennial re-certification testing within thirty (30) days prior to the expiration of certification. Schedule operators for other mandated class.
7. The AC will not permit an untrained/untested or non-certified Contractor employee to access CJI or systems supporting CJI where access to CJI can be gained.
8. Where appropriate, ensure compliance by the Contractor with NCIC validation requirements.
9. Provide completed applicant fingerprint cards on each Contractor employee who accesses the system to the CGA (or, where appropriate, CSA) for criminal background investigation prior to such employee accessing the system.
10. Any other responsibility for the AC promulgated by the FBI.

3.2.8 CJIS Systems Agency Information Security Officer (CSA ISO)

The CSA ISO shall:
1. Serve as the security point of contact (POC) to the FBI CJIS Division ISO.
2.
Document technical compliance with the CJIS Security Policy with the goal to assure the confidentiality, integrity, and availability of criminal justice information to the user community throughout the user community, to include the local level.
3. Document and provide assistance for implementing the security-related controls for the Interface Agency and its users.
4. Establish a security incident response and reporting procedure to discover, investigate, document, and report to the CSA, the affected criminal justice agency, and the FBI CJIS Division ISO major incidents that significantly endanger the security or integrity of CJI.

3.2.9 Local Agency Security Officer (LASO)

Each LASO shall:
1. Identify who is using the CSA approved hardware, software, and firmware and ensure no unauthorized individuals or processes have access to the same.
2. Identify and document how the equipment is connected to the state system.
3. Ensure that personnel security screening procedures are being followed as stated in this Policy.
4. Ensure the approved and appropriate security measures are in place and working as expected.
5. Support policy compliance and ensure the CSA ISO is informed of security incidents.

3.2.10 FBI CJIS Division Information Security Officer (FBI CJIS ISO)

The FBI CJIS ISO shall:
1. Maintain the CJIS Security Policy.
2. Disseminate the FBI Director approved CJIS Security Policy.
3. Serve as a liaison with the ISO and with other personnel across the CJIS community and in this regard provide technical guidance as to the intent and implementation of operational and technical policy issues.
4. Serve as a point-of-contact (POC) for computer incident notification and distribution of security alerts to the CSOs and ISOs.
5. Assist with developing audit compliance guidelines as well as identifying and reconciling security-related issues.
6.
Develop and participate in information security training programs for the CSOs and ISOs, and provide a means by which to acquire feedback to measure the effectiveness and success of such training.
7. Maintain a security policy resource center (SPRC) on FBI.gov and keep the CSOs and ISOs updated on pertinent information.

3.2.11 Repository Manager

The State Identification Bureau (SIB) Chief, i.e. Repository Manager or Chief Administrator, is the designated manager of the agency having oversight responsibility for a state's fingerprint identification services. If both state fingerprint identification services and CJIS systems control are managed within the same state agency, the SIB Chief and CSO may be the same person.

3.2.12 Compact Officer

Pursuant to the National Crime Prevention and Privacy Compact, each party state shall appoint a Compact Officer who shall ensure that Compact provisions and rules, procedures, and standards established by the Compact Council are complied with in their respective state.

4 CRIMINAL JUSTICE INFORMATION AND PERSONALLY IDENTIFIABLE INFORMATION

4.1 Criminal Justice Information (CJI)

Criminal Justice Information is the term used to refer to all of the FBI CJIS provided data necessary for law enforcement and civil agencies to perform their missions including, but not limited to biometric, identity history, biographic, property, and case/incident history data. The following categories of CJI describe the various data sets housed by the FBI CJIS architecture:
1. Biometric Data - data derived from one or more intrinsic physical or behavioral traits of humans typically for the purpose of uniquely identifying individuals from within a population. Used to identify individuals, to include: fingerprints, palm prints, iris scans, and facial recognition data.
2.
Identity History Data - textual data that corresponds with an individual's biometric data, providing a history of criminal and/or civil events for the identified individual.
3. Biographic Data - information about individuals associated with a unique case, and not necessarily connected to identity data. Biographic data does not provide a history of an individual, only information related to a unique case.
4. Property Data - information about vehicles and property associated with crime when accompanied by any personally identifiable information (PII).
5. Case/Incident History - information about the history of criminal incidents.

The following type of data are exempt from the protection levels required for CJI: transaction control type numbers (e.g., ORI, NIC, FNU, etc.) when not accompanied by information that reveals CJI or PII.

The intent of the CJIS Security Policy is to ensure the protection of the aforementioned CJI until the information is: released to the public via authorized dissemination (e.g., within a court system; presented in crime reports data; released in the interest of public safety); purged or destroyed in accordance with applicable record retention rules.

4.1.1 Criminal History Record Information

Criminal History Record Information (CHRI), sometimes informally referred to as "restricted data", is a subset of CJI. Due to its comparatively sensitive nature, additional controls are required for the access, use and dissemination of CHRI. In addition to the dissemination restrictions outlined below, Title 28, Part 20, Code of Federal Regulations (CFR), defines and provides the regulatory guidance for dissemination of CHRI. While the CJIS Security Policy attempts to be architecturally independent, the and the NCIC are specifically identified in Title 28, Part 20, CFR, and the NCIC Operating Manual, as associated with CHRI.
4.2 Access, Use and Dissemination of Criminal History Record Information (CHRI), NCIC Restricted Files Information, and NCIC Non-Restricted Files Information

This section describes the requirements for the access, use and dissemination of CHRI, NCIC restricted files information, and NCIC non-restricted files information.

4.2.1 Proper Access, Use, and Dissemination of CHRI

Information obtained from the III is considered CHRI. Rules governing the access, use, and dissemination of CHRI are found in Title 28, Part 20, CFR. The III shall be accessed only for an authorized purpose. Further, CHRI shall only be used for an authorized purpose consistent with the purpose for which III was accessed. Dissemination to another agency is authorized if the other agency is an Authorized Recipient of such information and is being serviced by the accessing agency, or the other agency is performing personnel and appointment functions for criminal justice employment applicants.

4.2.2 Proper Access, Use, and Dissemination of NCIC Restricted Files Information

The NCIC hosts restricted files and non-restricted files. NCIC restricted files are distinguished from NCIC non-restricted files by the policies governing their access and use. Proper access to, use, and dissemination of data from restricted files shall be consistent with the access, use, and dissemination policies concerning the described in Title 28, Part 20, CFR, and the NCIC Operating Manual. The restricted files, which shall be protected as CHRI, are as follows:
1. Gang Files
2. Known or Appropriately Suspected Terrorist Files
3. Supervised Release Files
4. National Sex Offender Registry Files
5. Historical Protection Order Files of the NCIC
6. Identity Theft Files
7. Protective Interest Files
8. Person With Information (PWI) data in the Missing Person Files
9. Violent Person File
10. NICS Denied Transactions File

The remaining NCIC files are considered non-restricted files.
4.2.3 Proper Access, Use, and Dissemination of NCIC Non-Restricted Files Information

4.2.3.1 For Official Purposes

NCIC non-restricted files are those not listed as restricted files in Section 4.2.2. NCIC non-restricted files information may be accessed and used for any authorized purpose consistent with the inquiring agency's responsibility. Information obtained may be disseminated to other government agencies or private entities authorized by law to receive such information for any purpose consistent with their responsibilities.

4.2.3.2 For Other Authorized Purposes

NCIC non-restricted files may be accessed for other purposes consistent with the resources of the inquiring agency; however, requests for bulk data are discouraged. Information derived from NCIC non-restricted files for other than law enforcement purposes can be used by authorized criminal justice personnel only to confirm the status of a person or property (i.e., wanted or stolen). An inquiring agency is authorized to charge a nominal administrative fee for such service. Non-restricted files information shall not be disseminated commercially.

A response to a NCIC person inquiry may include NCIC restricted files information as well as NCIC non-restricted files information. Agencies shall not disseminate restricted files information for purposes other than law enforcement.

4.2.3.3 CSO Authority in Other Circumstances

If no federal, state or local law or policy prohibition exists, the CSO may exercise discretion to approve or deny dissemination of NCIC non-restricted file information.

4.2.4 Storage

When CHRI is stored, agencies shall establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of the information. These records shall be stored for extended periods only when they are key elements for the integrity and/or utility of case files and/or criminal record files. See Section 5.9 for physical security controls.
4.2.5 Justification and Penalties

4.2.5.1 Justification

In addition to the use of purpose codes and logging information, all users shall provide a reason for all inquiries whenever requested by NCIC System Managers, CSAs, local agency administrators, or their representatives.

4.2.5.2 Penalties

Improper access, use or dissemination of and NCIC Non-Restricted Files information is serious and may result in administrative sanctions including, but not limited to, termination of services and state and federal criminal penalties.

4.3 Personally Identifiable Information (PII)

For the purposes of this document, PII is information which can be used to distinguish or trace an individual's identity, such as name, social security number, or biometric records, alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, or mother's maiden name. Any FBI CJIS provided data maintained by an agency, including but not limited to, education, financial transactions, medical history, and criminal or employment history may include PII. A criminal history record for example inherently contains PII as would a Law Enforcement National Data Exchange case file.

PII shall be extracted from CJI for the purpose of official business only. Agencies shall develop policies, based on state and local privacy rules, to ensure appropriate controls are applied when handling PII extracted from CJI. Due to the expansive nature of PII, this Policy does not specify auditing, logging, or personnel security requirements associated with the life cycle of PII.

Figure 2 Dissemination of restricted and non-restricted NCIC data

A citizen of Springfield went to the Springfield Police Department to request whether his new neighbor, who had been acting suspiciously, had an outstanding warrant.
The Springfield Police Department ran an NCIC persons inquiry, which produced a response that included a Wanted Person File (non-restricted file) record and a Known or Appropriately Suspected Terrorist File (restricted file) record. The Springfield Police Department advised the citizen of the outstanding warrant, but did not disclose any information concerning the subject being a known or appropriately suspected terrorist.

5 POLICY AND IMPLEMENTATION

The policy areas focus upon the data and services that the FBI CJIS Division exchanges and provides to the criminal justice community and its partners. Each policy area provides both strategic reasoning and tactical implementation requirements and standards.

While the major theme of the policy areas is concerned with electronic exchange directly with the FBI, it is understood that further dissemination of CJI to Authorized Recipients by various means (hard copy, e-mail, web posting, etc.) constitutes a significant portion of CJI exchanges. Regardless of its form, use, or method of dissemination, CJI requires protection throughout its life.

Not every consumer of FBI CJIS services will encounter all of the policy areas; therefore, the circumstances of applicability are based on individual agency/entity configurations and usage. Use cases within each of the policy areas will help users relate the Policy to their own agency circumstances.
The policy areas are:
• Policy Area 1: Information Exchange Agreements
• Policy Area 2: Security Awareness Training
• Policy Area 3: Incident Response
• Policy Area 4: Auditing and Accountability
• Policy Area 5: Access Control
• Policy Area 6: Identification and Authentication
• Policy Area 7: Configuration Management
• Policy Area 8: Media Protection
• Policy Area 9: Physical Protection
• Policy Area 10: Systems and Protection and Information Integrity
• Policy Area 11: Formal Audits
• Policy Area 12: Personnel Security

5.1 Policy Area 1: Information Exchange Agreements

The information shared through communication mediums shall be protected with appropriate security safeguards. The agreements established by entities sharing information across systems and communications mediums are vital to ensuring all parties fully understand and agree to a set of security standards.

5.1.1 Information Exchange

Before exchanging CJI, agencies shall put formal agreements in place that specify security controls. The exchange of information may take several forms including electronic mail, instant messages, web services, facsimile, hard copy, and information systems sending, receiving and storing CJI.

Information exchange agreements outline the roles, responsibilities, and data ownership between agencies and any external parties. Information exchange agreements for agencies sharing CJI data that is sent to and/or received from the FBI CJIS shall specify the security controls and conditions described in this document.

Information exchange agreements shall be supported by documentation committing both parties to the terms of information exchange. As described in subsequent sections, different agreements and policies apply, depending on whether the parties involved are CJAs or NCJAs. See Appendix for examples of Information Exchange Agreements.
There may be instances, on an ad-hoc basis, where CJI is authorized for further dissemination to Authorized Recipients not covered by an information exchange agreement with the releasing agency. In these instances the dissemination of CJI is considered to be secondary dissemination. Law Enforcement and civil agencies shall have a local policy to validate a requestor of CJI as an authorized recipient before disseminating CJI. See Section 5.1.3 for secondary dissemination guidance.

5.1.1.1 Information Handling

Procedures for handling and storage of information shall be established to protect that information from unauthorized disclosure, alteration or misuse. Using the requirements in this Policy as a starting point, the procedures shall apply to the handling, processing, storing, and communication of CJI. These procedures apply to the exchange of CJI no matter the form of exchange.

The policies for information handling and protection also apply to using CJI shared with or received from FBI CJIS for noncriminal justice purposes. In general, a noncriminal justice purpose includes the use of criminal history records for purposes authorized by federal or state law other than purposes relating to the administration of criminal justice, including but not limited to employment suitability, licensing determinations, immigration and naturalization matters, and national security clearances.

5.1.1.2 State and Federal Agency User Agreements

Each CSA head or SIB Chief shall execute a signed written user agreement with the FBI CJIS Division stating their willingness to demonstrate conformity with this Policy before accessing and participating in CJIS records information programs. This agreement shall include the standards and sanctions governing utilization of CJIS systems.
As coordinated through the particular CSA or SIB Chief, each Interface Agency shall also allow the FBI to periodically test the ability to penetrate the network through the external network connection or system per authorization of Department of Justice (DOJ) Order 2640.2F. All user agreements with the FBI CJIS Division shall be coordinated with the CSA head.

5.1.1.3 Criminal Justice Agency User Agreements

Any CJA receiving access to CJI shall enter into a signed written agreement with the appropriate signatory authority of the CSA providing the access. The written agreement shall specify the FBI CJIS systems and services to which the agency will have access, and the FBI CJIS Division policies to which the agency must adhere. These agreements shall include:
1. Audit.
2. Dissemination.
3. Hit confirmation.
4. Logging.
5. Quality Assurance (QA).
6. Screening (Pre-Employment).
7. Security.
8. Timeliness.
9. Training.
10. Use of the system.
11. Validation.

5.1.1.4 Interagency and Management Control Agreements

A NCJA (government) designated to perform criminal justice functions for a CJA shall be eligible for access to the CJI. Access shall be permitted when such designation is authorized pursuant to executive order, statute, regulation, or inter-agency agreement. The NCJA shall sign and execute a management control agreement (MCA) with the CJA, which stipulates management control of the criminal justice function remains solely with the CJA. The MCA may be a separate document or included with the language of an inter-agency agreement. An example of an NCJA (government) is a city information technology (IT) department.
5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum

The CJIS Security Addendum is a uniform addendum to an agreement between the government agency and a private contractor, approved by the Attorney General of the United States, which specifically authorizes access to CHRI, limits the use of the information to the purposes for which it is provided, ensures the security and confidentiality of the information is consistent with existing regulations and the CJIS Security Policy, provides for sanctions, and contains such other provisions as the Attorney General may require.

Private contractors who perform criminal justice functions shall meet the same training and certification criteria required by governmental agencies performing a similar function, and shall be subject to the same extent of audit review as are local user agencies. All private contractors who perform criminal justice functions shall acknowledge, via signing of the CJIS Security Addendum Certification page, and abide by all aspects of the CJIS Security Addendum. The CJIS Security Addendum is presented in Appendix H. Modifications to the CJIS Security Addendum shall be enacted only by the FBI.
1. Private contractors designated to perform criminal justice functions for a CJA shall be eligible for access to CJI. Access shall be permitted pursuant to an agreement which specifically identifies the agency's purpose and scope of providing services for the administration of criminal justice. The agreement between the CJA and the private contractor shall incorporate the CJIS Security Addendum approved by the Director of the FBI, acting for the U.S. Attorney General, as referenced in Title 28 CFR 20.33
2. Private contractors designated to perform criminal justice functions on behalf of a NCJA (government) shall be eligible for access to CJI.
Access shall be permitted pursuant to an agreement which specifically identifies the agency's purpose and scope of providing services for the administration of criminal justice. The agreement between the NCJA and the private contractor shall incorporate the CJIS Security Addendum approved by the Director of the FBI, acting for the U.S. Attorney General, as referenced in Title 28 CFR 20.33

5.1.1.6 Agency User Agreements

A NCJA (public) designated to request civil fingerprint-based background checks, with the full consent of the individual to whom a background check is taking place, for noncriminal justice functions, shall be eligible for access to CJI. Access shall be permitted when such designation is authorized pursuant to federal law or state statute approved by the U.S. Attorney General. A NCJA (public) receiving access to CJI shall enter into a signed written agreement with the appropriate signatory authority of the providing the access. An example of a NCJA (public) is a county school board.

A NCJA (private) designated to request civil fingerprint-based background checks, with the full consent of the individual to whom a background check is taking place, for noncriminal justice functions, shall be eligible for access to CJI. Access shall be permitted when such designation is authorized pursuant to federal law or state statute approved by the U.S. Attorney General. A NCJA (private) receiving access to CJI shall enter into a signed written agreement with the appropriate signatory authority of the CSA, SIB, or authorized agency providing the access. An example of a NCJA (private) is a local bank.

All NCJAs accessing CJI shall be subject to all pertinent areas of the CJIS Security Policy (see Appendix for supplemental guidance). Each NCJA that directly accesses FBI CJI shall also allow the FBI to periodically test the ability to penetrate the network through the external network connection or system per authorization of Department of Justice (DOJ) Order 2640.2F.
5.1.1.7 Outsourcing Standards for Channelers

Channelers designated to request civil fingerprint-based background checks or noncriminal justice ancillary functions on behalf of a NCJA (public) or NCJA (private) for noncriminal justice functions shall be eligible for access to CJI. Access shall be permitted when such designation is authorized pursuant to federal law or state statute approved by the U.S. Attorney General. All Channelers accessing CJI shall be subject to the terms and conditions described in the Compact Council Security and Management Control Outsourcing Standard. Each Channeler that directly accesses CJI shall also allow the FBI to conduct periodic penetration testing.

Channelers leveraging CJI to perform civil functions on behalf of an Authorized Recipient shall meet the same training and certification criteria required by governmental agencies performing a similar function, and shall be subject to the same extent of audit review as are local user agencies.

5.1.1.8 Outsourcing Standards for Non-Channelers

Contractors designated to perform noncriminal justice ancillary functions on behalf of a NCJA (public) or NCJA (private) for noncriminal justice functions shall be eligible for access to CJI. Access shall be permitted when such designation is authorized pursuant to federal law or state statute approved by the U.S. Attorney General. All contractors accessing CJI shall be subject to the terms and conditions described in the Compact Council Outsourcing Standard for Non-Channelers. Contractors leveraging CJI to perform civil functions on behalf of an Authorized Recipient shall meet the same training and certification criteria required by governmental agencies performing a similar function, and shall be subject to the same extent of audit review as are local user agencies.
5.1.2 Monitoring, Review, and Delivery of Services

As specified in the inter-agency agreements, MCAs, and contractual agreements with private contractors, the services, reports and records provided by the service provider shall be regularly monitored and reviewed. The CJA, authorized agency, or FBI shall maintain sufficient overall control and visibility into all security aspects to include, but not limited to, identification of vulnerabilities and information security incident reporting/response. The incident reporting/response process used by the service provider shall conform to the incident reporting/response specifications provided in this Policy.

5.1.2.1 Managing Changes to Service Providers

Any changes to services provided by a service provider shall be managed by the CJA, authorized agency, or FBI. This includes provision of services, changes to existing services, and new services. Evaluation of the risks to the agency shall be undertaken based on the criticality of the data, system, and the impact of the change.

5.1.3 Secondary Dissemination

If CHRI is released to another authorized agency, and that agency was not part of the releasing agency's primary information exchange agreement(s), the releasing agency shall log such dissemination.

5.1.4 Secondary Dissemination of CJI

If CJI does not contain CHRI and is not part of an information exchange agreement then it does not need to be logged. Dissemination shall conform to the local policy validating the requestor of the CJI as an employee and/or contractor of a law enforcement agency or civil agency requiring the CJI to perform their mission or a member of the public receiving CJI via authorized dissemination.

5.1.5 Appendix I contains all of the references used in this Policy and may contain additional sources that apply to this section.
Figure 3 Information Exchange Agreements Implemented by a Local Police Department

A local police department executed a Memorandum of Understanding (MOU) for the interface with their state CSA. The local police department also executed an MOU (which included an MCA) with the county information technology (IT) department for the day-to-day operations of their criminal-justice infrastructure. The county IT department, in turn, outsourced operations to a local vendor who signed the CJIS Security Addendum.

5.2 Policy Area 2: Security Awareness Training

Basic security awareness training shall be required within six months of initial assignment, and biennially thereafter, for all personnel who have access to CJI. The may accept the documentation of the completion of security awareness training from another agency. Accepting such documentation from another agency means that the accepting agency assumes the risk that the training may not meet a particular requirement or process required by federal, state, or local laws.

5.2.1 Awareness Topics

A significant number of topics can be mentioned and briefly discussed in any awareness session or campaign. To help further the development and implementation of individual agency security awareness training programs the following baseline guidance is provided.

5.2.1.1 All Personnel

At a minimum, the following topics shall be addressed as baseline security awareness training for all authorized personnel with access to CJI:
1. Rules that describe responsibilities and expected behavior with regard to CJI usage.
2. Implications of noncompliance.
3. Incident response (Points of contact; Individual actions).
4. Media protection.
5. Visitor control and physical access to spaces - discuss applicable physical security policy and procedures, e.g., challenge strangers, report unusual activity.
6. Protect information subject to confidentiality concerns - hardcopy through destruction.
7. Proper handling and marking of CJI.
8. Threats, vulnerabilities, and risks associated with handling of CJI.
9. Social engineering.
10. Dissemination and destruction.

5.2.1.2 Personnel with Physical and Logical Access

In addition to 5.2.1.1 above, the following topics, at a minimum, shall be addressed as baseline security awareness training for all authorized personnel with both physical and logical access to CJI:
1. Rules that describe responsibilities and expected behavior with regard to information system usage.
2. Password usage and management - including creation, frequency of changes, and protection.
3. Protection from viruses, worms, Trojan horses, and other malicious code.
4. Unknown e-mail/attachments.
5. Web usage - allowed versus prohibited; monitoring of user activity.
6. Spam.
7. Physical Security - increases in risks to systems and data.
8. Handheld device security issues - address both physical and wireless security issues.
9. Use of and the transmission of sensitive/confidential information over the Internet - address agency policy, procedures, and technical contact for assistance.
10. Laptop security - address both physical and information security issues.
11. Personally owned equipment and software - state whether allowed or not (e.g., copyrights).
12. Access control issues - address least privilege and separation of duties.
13. Individual accountability - explain what this means in the agency.
14. Use of acknowledgement statements - passwords, access to systems and data, personal use and gain.
15. Desktop security - discuss use of screensavers, restricting visitors' view of information on screen (mitigating "shoulder surfing"), battery backup devices, allowed access to systems.
16. Protect information subject to confidentiality concerns - in systems, archived, on backup media, and until destroyed.
17. Threats, vulnerabilities, and risks associated with accessing CJIS Service systems and services.
5.2.1.3 Personnel with Information Technology Roles

In addition to 5.2.1.1 and 5.2.1.2 above, the following topics at a minimum shall be addressed as baseline security awareness training for all Information Technology personnel (system administrators, security administrators, network administrators, etc.):

1. Protection from viruses, worms, Trojan horses, and other malicious code - scanning, updating definitions.
2. Data backup and storage - centralized or decentralized approach.
3. Timely application of system patches - part of configuration management.
4. Access control measures.
5. Network infrastructure protection measures.

5.2.2 Security Training Records

Records of individual basic security awareness training and specific information system security training shall be documented, kept current, and maintained by the Officer. Maintenance of training records can be delegated to the local level.

5.2.3

Appendix I contains all of the references used in this Policy and may contain additional sources that apply to this section.

Figure 4 Security Awareness Training Implemented by a Local Police Department

A local police department with a staff of 20 sworn law-enforcement officers and 15 support personnel worked with a vendor to develop role-specific security-awareness training, and required all staff to complete this training upon assignment and every two years thereafter. The local police department scheduled the sworn law-enforcement training to coincide with their NCIC certification training. The vendor maintained the training records for the police department's entire staff, and provided reporting to the department to help it ensure compliance with the CJIS Security Policy.

5.3 Policy Area 3: Incident Response

There has been an increase in the number of accidental or malicious computer attacks against both government and private agencies, regardless of whether the systems are high or low profile.
Agencies shall: (i) establish an operational incident handling capability for agency information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; (ii) track, document, and report incidents to appropriate agency officials and/or authorities. ISOs have been identified as the POC on security-related issues for their respective agencies and shall ensure LASOs institute the CSA incident response reporting procedures at the local level. Appendix contains a sample incident notification letter for use when communicating the details of an incident to the FBI CJIS ISO. Refer to Section 5.13.5 for additional incident response requirements related to mobile devices used to access CJI.

5.3.1 Reporting Information Security Events

The agency shall report incident information to appropriate authorities. Information security events and weaknesses associated with information systems shall be communicated in a manner allowing timely corrective action to be taken. Formal event reporting and escalation procedures shall be in place. Wherever feasible, the agency shall employ automated mechanisms to assist in the reporting of security incidents. All employees, contractors and third party users shall be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of agency assets and are required to report any information security events and weaknesses as quickly as possible to the designated point of contact.

5.3.1.1 Reporting Structure and Responsibilities

5.3.1.1.1 FBI CJIS Division Responsibilities

The FBI CJIS Division shall:

1. Manage and maintain the CJIS Division's Computer Security Incident Response Capability (CSIRC).
2. Serve as a central clearinghouse for all reported intrusion incidents, security alerts, bulletins, and other security-related material.
3. Ensure additional resources for all incidents affecting FBI CJIS Division controlled systems as needed.
4. Disseminate prompt advisories of system threats and operating system vulnerabilities via the security policy resource center on FBI.gov, to include but not limited to: Product Security Bulletins, Virus Bulletins, and Security Clips.
5. Track all reported incidents and/or trends.
6. Monitor the resolution of all incidents.

5.3.1.1.2 CSA ISO Responsibilities

The CSA ISO shall:

1. Assign individuals in each state, federal, and international law enforcement organization to be the primary point of contact for interfacing with the FBI CJIS Division concerning incident handling and response.
2. Identify individuals who are responsible for reporting incidents within their area of responsibility.
3. Collect incident information from those individuals for coordination and sharing among other organizations that may or may not be affected by the incident.
4. Develop, implement, and maintain internal incident response procedures and coordinate those procedures with other organizations that may or may not be affected.
5. Collect and disseminate all incident-related information received from the Department of Justice (DOJ), FBI CJIS Division, and other entities to the appropriate local law enforcement POCs within their area.
6. Act as a single POC for their jurisdictional area for requesting incident response assistance.

5.3.2 Management of Information Security Incidents

A consistent and effective approach shall be applied to the management of information security incidents. Responsibilities and procedures shall be in place to handle information security events and weaknesses effectively once they have been reported.

5.3.2.1 Incident Handling

The agency shall implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
Wherever feasible, the agency shall employ automated mechanisms to support the incident handling process. Incident-related information can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. The agency should incorporate the lessons learned from ongoing incident handling activities into the incident response procedures and implement the procedures accordingly.

5.3.2.2 Collection of Evidence

Where a follow-up action against a person or agency after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).

5.3.3 Incident Response Training

The agency shall ensure general incident response roles and responsibilities are included as part of required security awareness training.

5.3.4 Incident Monitoring

The agency shall track and document information system security incidents on an ongoing basis. The CSA ISO shall maintain completed security incident reporting forms until the subsequent FBI triennial audit or until legal action (if warranted) is complete; whichever time-frame is greater.

5.3.5

Appendix I contains all of the references used in this Policy and may contain additional sources that apply to this section.

Figure 5 Incident Response Process Initiated by an Incident in a Local Police Department

A state ISO received a notification from a local police department that suspicious network activity from a known botnet was detected on their network. The state ISO began the process of collecting all pertinent information about this incident, e.g. incident date/time, points-of-contact, systems affected, nature of the incident, actions taken, etc. and requested that the local police department confirm that their malware signatures were up to date.
The state ISO contacted both the FBI CJIS ISO and state CSO to relay the preliminary details of this incident. The FBI CJIS ISO instructed the involved parties to continue their investigation and to submit an incident response form once all the information had been gathered. The FBI CJIS ISO contacted the lead for the FBI CSIRC to inform them that an incident response form was forthcoming. The state ISO gathered the remainder of the information from the local police department and submitted a completed incident response form to the FBI CJIS ISO who subsequently provided it to the FBI CSIRC. The FBI CSIRC notified the Department of Justice Computer Incident Response Team (DOJCIRT). The state ISO continued to monitor the situation, passing relevant details to the FBI CJIS ISO, ultimately determining that the botnet was eliminated from the local police department's infrastructure. Subsequent investigations determined that the botnet was restricted to the department's administrative infrastructure and thus no CJI was compromised.

5.4 Policy Area 4: Auditing and Accountability

Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior. Agencies shall carefully assess the inventory of components that compose their information systems to determine which security controls are applicable to the various components. Auditing controls are typically applied to the components of an information system that provide auditing capability (servers, etc.) and would not necessarily be applied to every user-level workstation within the agency. As technology advances, more powerful and diverse functionality can be found in such devices as personal digital assistants and cellular telephones, which may require the application of security controls in accordance with an agency assessment of risk.
Refer to Section 5.13.6 for additional audit requirements related to mobile devices used to access CJI.

5.4.1 Auditable Events and Content (Information Systems)

The agency's information system shall generate audit records for defined events. These defined events include identifying significant events which need to be audited as relevant to the security of the information system. The agency shall specify which information system components carry out auditing activities. Auditing activity can affect information system performance and this issue must be considered as a separate factor during the acquisition of information systems. The agency's information system shall produce, at the application and/or operating system level, audit records containing sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events. The agency shall periodically review and update the list of agency-defined auditable events. In the event an agency does not use an automated system, manual recording of activities shall still take place.

5.4.1.1 Events

The following events shall be logged:

1. Successful and unsuccessful system log-on attempts.
2. Successful and unsuccessful attempts to use:
   a. access permission on a user account, file, directory or other system resource;
   b. create permission on a user account, file, directory or other system resource;
   c. write permission on a user account, file, directory or other system resource;
   d. delete permission on a user account, file, directory or other system resource;
   e. change permission on a user account, file, directory or other system resource.
3. Successful and unsuccessful attempts to change account passwords.
4. Successful and unsuccessful actions by privileged accounts.
5. Successful and unsuccessful attempts for users to:
   a. access the audit log file;
   b. modify the audit log file;
   c. destroy the audit log file.
5.4.1.1.1 Content

The following content shall be included with every audited event:

1. Date and time of the event.
2. The component of the information system (software component, hardware component) where the event occurred.
3. Type of event.
4. User/subject identity.
5. Outcome (success or failure) of the event.

5.4.2 Response to Audit Processing Failures

The agency's information system shall provide alerts to appropriate agency officials in the event of an audit processing failure. Audit processing failures include, for example: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.

5.4.3 Audit Monitoring, Analysis, and Reporting

The responsible management official shall designate an individual or position to review/analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, to report findings to appropriate officials, and to take necessary actions. Audit review/analysis shall be conducted at a minimum once a week. The frequency of review/analysis should be increased when the volume of an agency's processing indicates an elevated need for audit review. The agency shall increase the level of audit monitoring and analysis activity within the information system whenever there is an indication of increased risk to agency operations, agency assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.

5.4.4 Time Stamps

The agency's information system shall provide time stamps for use in audit record generation. The time stamps shall include the date and time values generated by the internal system clocks in the audit records. The agency shall internal information system clocks on an annual basis.
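The event list in 5.4.1.1 and the content list in 5.4.1.1.1 can be checked mechanically during the weekly review in 5.4.3. The following is an added example, not part of the Policy: the JSON-lines layout, the field names, the `event_type` values and the sample records are all assumptions constructed for illustration.

```python
import json
from datetime import datetime

# Content required with every audited event (5.4.1.1.1). The Policy names the
# content, not a schema; these field names are this example's assumption.
REQUIRED_FIELDS = ("timestamp", "component", "event_type", "subject", "outcome")

# One hypothetical event_type value per event category in 5.4.1.1.
REQUIRED_EVENTS = ("logon", "permission_use", "password_change",
                   "privileged_action", "audit_log_access")
OUTCOMES = ("failure", "success")   # both outcomes must be logged


def check_record(rec):
    """Return the problems found in one audit record (empty list = conforming)."""
    problems = []
    for name in REQUIRED_FIELDS:
        value = rec.get(name)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"missing {name}")
    if "missing outcome" not in problems and rec["outcome"] not in OUTCOMES:
        problems.append("outcome is neither success nor failure")
    if "missing timestamp" not in problems:
        stamp = rec["timestamp"]
        try:
            datetime.fromisoformat(stamp)
            has_time = len(stamp) > 10      # a bare date carries no time of day
        except ValueError:
            has_time = False
        if not has_time:
            problems.append("timestamp lacks a date and time")
    return problems


def review(lines):
    """Check every line and report (nonconforming records, coverage gaps).

    A coverage gap is an (event category, outcome) pair that no conforming
    record in the sample shows. It does not prove the event is unlogged, but
    it is where to look for a logging setting that was never switched on.
    """
    nonconforming, seen = {}, set()
    for number, line in enumerate(lines, start=1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            nonconforming[number] = ["not a JSON object"]
            continue
        problems = check_record(rec)
        if problems:
            nonconforming[number] = problems
        else:
            seen.add((rec["event_type"], rec["outcome"]))
    gaps = [(event, outcome) for event in REQUIRED_EVENTS
            for outcome in OUTCOMES if (event, outcome) not in seen]
    return nonconforming, gaps


# Constructed sample records (not real log data).
SAMPLE_LOG = [
    '{"timestamp": "2014-08-04T09:15:02-05:00", "component": "cad-server", "event_type": "logon", "subject": "jdoe", "outcome": "success"}',
    '{"timestamp": "2014-08-04T09:16:40-05:00", "component": "cad-server", "event_type": "logon", "subject": "rroe", "outcome": "failure"}',
    '{"timestamp": "2014-08-04T09:20:11-05:00", "component": "file-server", "event_type": "permission_use", "subject": "rroe", "outcome": "failure"}',
    '{"timestamp": "2014-08-04T10:02:00-05:00", "component": "cad-server", "event_type": "privileged_action", "subject": "", "outcome": "success"}',
    '{"timestamp": "yesterday 4pm", "component": "directory", "event_type": "password_change", "subject": "jdoe", "outcome": "success"}',
    '{"timestamp": "2014-08-04T11:30:45-05:00", "component": "log-host", "event_type": "audit_log_access", "subject": "auditor1", "outcome": "success"}',
    '-- log rotated --',
]

if __name__ == "__main__":
    bad, gaps = review(SAMPLE_LOG)
    for number, problems in bad.items():
        print(f"record {number}: {', '.join(problems)}")
    for event, outcome in gaps:
        print(f"no conforming record for {event} / {outcome}")
```
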
5.4.5 Protection of Audit Information

The agency's information system shall protect audit information and audit tools from modification, deletion and unauthorized access.

5.4.6 Audit Record Retention

The agency shall retain audit records for at least one (1) year. Once the minimum retention time period has passed, the agency shall continue to retain audit records until it is determined they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law enforcement actions.

5.4.7 Logging NCIC and Transactions

A log shall be maintained for a minimum of one (1) year on all NCIC and transactions. The portion of the log shall clearly identify both the operator and the authorized receiving agency. logs shall also clearly identify the requester and the secondary recipient. The identification on the log shall take the form of a unique identifier that shall remain unique to the individual requester and to the secondary recipient throughout the minimum one year retention period.

5.4.8

Appendix I contains all of the references used in this Policy and may contain additional sources that apply to this section.

Figure 6 Local Police Department's Use of Audit Logs

A state CSO contacted a local police department regarding potentially inappropriate use of CHRI that was retrieved using the local department's ORI. The state CSO requested all relevant information from the police department to reconcile state NCIC and logs against local police department logs. The police department provided the combination of their CJI processing application's logs with relevant operating system and network infrastructure logs to help verify the identity of the users conducting these queries. The review of these logs substantiated the suspicion.
5.5 Policy Area 5: Access Control

Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. Refer to Section 5.13.7 for additional access control requirements related to mobile devices used to access CJI.

5.5.1 Account Management

The agency shall manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The agency shall validate information system accounts at least annually and shall document the validation process. The validation and documentation of accounts can be delegated to local agencies. Account management includes the identification of account types (individual, group, and system), establishment of conditions for group membership, and assignment of associated authorizations. The agency shall identify authorized users of the information system and specify access rights/privileges. The agency shall grant access to the information system based on:

1. Valid that is determined by assigned official duties.
2. Satisfaction of all personnel security criteria.

The agency responsible for account creation shall be notified when:

1. A user's information system usage or need-to-know or need-to-share changes.
2. A user is terminated or transferred or associated accounts are removed, disabled, or otherwise secured.

5.5.2 Access Enforcement

The information system shall enforce assigned authorizations for controlling access to the system and contained information. The information system controls shall restrict access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel.
Explicitly authorized personnel include, for example, security administrators, system and network administrators, and other privileged users with access to system control, monitoring, or administration functions (system administrators, information system security officers, maintainers, system programmers). Access control policies (identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms access control lists, access control matrices, shall be employed by agencies to control access between users (or processes acting on behalf of users) and objects (devices, files, records, processes, programs, domains) in the information system.

5.5.2.1 Least Privilege

The agency shall approve individual access privileges and shall enforce physical and logical access restrictions associated with changes to the information system; and generate, retain, and review records reflecting all such changes. The agency shall enforce the most restrictive set of rights/privileges or access needed by users for the performance of specified tasks. The agency shall implement least privilege based on specific duties, operations, or information systems as necessary to mitigate risk to CJI. This limits access to CJI to only authorized personnel with the need and the right to know. Logs of access privilege changes shall be maintained for a minimum of one year or at least equal to the agency's record retention policy whichever is greater.

5.5.2.2 System Access Control

Access control mechanisms to enable access to CJI shall be restricted by object (data set, volumes, files, records) including the ability to read, write, or delete the objects. Access controls shall be in place and operational for all IT systems to:

1. Prevent multiple concurrent active sessions for one user identification, for those applications accessing CJI, unless the agency grants authority based upon operational business needs.
   Agencies shall document the parameters of the operational business needs for multiple concurrent active sessions.
2. Ensure that only authorized personnel can add, change, or remove component devices, dial-up connections, and remove or alter programs.

5.5.2.3 Access Control Criteria

Agencies shall control access to CJI based on one or more of the following:

1. Job assignment or function (the role) of the user seeking access.
2. Physical location.
3. Logical location.
4. Network addresses (users from sites within a given agency may be permitted greater access than those from outside).
5. Time-of-day and day-of-week/month restrictions.

5.5.2.4 Access Control Mechanisms

When setting up access controls, agencies shall use one or more of the following mechanisms:

1. Access Control Lists (ACLs). ACLs are a register of users (including groups, machines, processes) who have been given permission to use a particular object (system resource) and the types of access they have been permitted.
2. Resource Restrictions. Access to specific functions is restricted by never allowing users to request information, functions, or other resources for which they do not have access. Three major types of resource restrictions are: menus, database views, and network devices.
3. information can only be and therefore read, by those possessing the appropriate key. While can provide strong access control, it is accompanied by the need for strong key management. Follow the guidance in Section 5.10.2 for requirements if of stored information is employed as an access enforcement mechanism.
4. Application Level. In addition to controlling access at the information system level, access enforcement mechanisms are employed at the application level to provide increased information security for the agency.
5.5.3 Unsuccessful Login Attempts

Where technically feasible, the system shall enforce a limit of no more than 5 consecutive invalid access attempts by a user (attempting to access CJI or systems with access to CJI). The system shall automatically lock the account/node for a 10 minute time period unless released by an administrator.

5.5.4 System Use Notification

The information system shall display an approved system use notification message, before granting access, informing potential users of various usages and monitoring rules. The system use notification message shall, at a minimum, provide the following information:

1. The user is accessing a restricted information system.
2. System usage may be monitored, recorded, and subject to audit.
3. Unauthorized use of the system is prohibited and may be subject to criminal and/or civil penalties.
4. Use of the system indicates consent to monitoring and recording.

The system use notification message shall provide appropriate privacy and security notices (based on associated privacy and security policies or summaries) and remain on the screen until the user acknowledges the notification and takes explicit actions to log on to the information system. Privacy and security policies shall be consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidance. System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. For publicly accessible systems: (i) the system use information is available and when appropriate, is displayed before granting access; (ii) any references to monitoring, recording, or auditing are in keeping with privacy accommodations for such systems that generally prohibit those activities; and (iii) the notice given to public users of the information system includes a description of the authorized uses of the system.
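The lockout rule in Section 5.5.3 has a few edge cases that are easy to get wrong: what "consecutive" resets on, whether a correct credential is honoured during the lock, and what an administrator release does to the count. The following is an added example, not part of the Policy; the `verify` and `clock` callables, the class name and the test credential are assumptions of this sketch.

```python
import hmac

MAX_CONSECUTIVE_FAILURES = 5   # 5.5.3: no more than 5 consecutive invalid attempts
LOCK_SECONDS = 10 * 60         # 5.5.3: 10 minute lock unless released by an administrator


class LockoutGuard:
    """Wraps a credential check with the 5.5.3 lockout rule.

    verify(user, secret) -> bool and clock() -> seconds are supplied by the
    caller; both are assumptions of this example, not Policy interfaces.
    """

    def __init__(self, verify, clock):
        self._verify = verify
        self._clock = clock
        self._failures = {}       # user -> consecutive invalid attempts
        self._locked_until = {}   # user -> time at which the lock lapses

    def attempt(self, user, secret):
        now = self._clock()
        until = self._locked_until.get(user)
        if until is not None:
            if now < until:
                # During the lock the credential is not evaluated at all, so a
                # correct guess gives no signal and does not clear the lock.
                return "locked"
            del self._locked_until[user]      # lock lapsed: start a fresh count
            self._failures[user] = 0
        if self._verify(user, secret):
            self._failures[user] = 0          # "consecutive": success resets the count
            return "granted"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= MAX_CONSECUTIVE_FAILURES:
            self._locked_until[user] = now + LOCK_SECONDS
        return "denied"

    def release(self, user):
        """Administrator release before the 10 minutes are up."""
        self._locked_until.pop(user, None)
        self._failures[user] = 0


def demo():
    """Replay a constructed attempt sequence against a fake clock."""
    now = [0.0]
    secrets = {"dispatcher1": "constructed-secret"}   # constructed test credential

    def verify(user, secret):
        expected = secrets.get(user, "")
        same = hmac.compare_digest(expected.encode(), secret.encode())
        return same and user in secrets

    guard = LockoutGuard(verify, lambda: now[0])
    good, bad = "constructed-secret", "wrong"
    results = [guard.attempt("dispatcher1", bad) for _ in range(4)]
    results.append(guard.attempt("dispatcher1", good))    # resets the count
    results += [guard.attempt("dispatcher1", bad) for _ in range(5)]  # 5th one locks
    now[0] = 60.0
    results.append(guard.attempt("dispatcher1", good))    # correct, but locked
    now[0] = 599.0
    results.append(guard.attempt("dispatcher1", good))    # still locked
    now[0] = 600.0
    results.append(guard.attempt("dispatcher1", good))    # lock has lapsed
    results += [guard.attempt("dispatcher1", bad) for _ in range(5)]  # locked again
    results.append(guard.attempt("dispatcher1", good))    # locked
    guard.release("dispatcher1")                          # administrator release
    results.append(guard.attempt("dispatcher1", good))
    return results


if __name__ == "__main__":
    print(demo())
```
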
5.5.5 Session Lock

The information system shall prevent further access to the system by initiating a session lock after a maximum of 30 minutes of inactivity, and the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures. Users shall directly initiate session lock mechanisms to prevent inadvertent viewing when a device is unattended. A session lock is not a substitute for logging out of the information system. In the interest of officer safety, devices that are: (1) part of a police vehicle; or (2) used to perform dispatch functions and located within a physically secure location; or (3) terminals designated solely for the purpose of receiving alert notifications (receive only terminals or ROT) used within physically secure location facilities that remain staffed when in operation, are exempt from this requirement. Note: an example of a session lock is a screen saver with password.

5.5.6 Remote Access

The agency shall authorize, monitor, and control all methods of remote access to the information system. Remote access is any temporary access to an agency's information system by a user (or an information system) communicating temporarily through an external, non-agency-controlled network (the Internet). The agency shall employ automated mechanisms to facilitate the monitoring and control of remote access methods. The agency shall control all remote accesses through managed access control points. The agency may permit remote access for privileged functions only for compelling operational needs but shall document the rationale for such access in the security plan for the information system.

5.5.6.1 Personally Owned Information Systems

A personally owned information system shall not be authorized to access, process, store or transmit CJI unless the agency has established and documented the specific terms and conditions for personally owned information system usage.
When personally owned mobile devices bring your own device are authorized, they shall be controlled in accordance with the requirements in Policy Area 13: Mobile Devices. This control does not apply to the use of personally owned information systems to access agency's information systems and information that are intended for public access (an agency's public website that contains purely public information).

5.5.6.2 Publicly Accessible Computers

Publicly accessible computers shall not be used to access, process, store or transmit CJI. Publicly accessible computers include but are not limited to: hotel business center computers, convention center computers, public library computers, public kiosk computers, etc.

5.5.7

Appendix I contains all of the references used in this Policy and may contain additional sources that apply to this section.

Figure 7 A Local Police Department's Access Controls

A local police department purchased a new computer-assisted dispatch (CAD) system that integrated with their state CJI interfaces. In doing so, the police department employed least-privilege practices to ensure that its employees were only given those privileges needed to perform their jobs, and as such, excluding IT administrators, employees had only non-administrative privileges on all equipment they used. The police department also used ACLs in the operating systems to control access to the CAD client's executables. The CAD system used internal role-based access controls to ensure only those users that needed access to CJI were given it. The police department performed annual audits of user accounts on all systems under their control including remote access mechanisms, operating systems, and the CAD system to ensure all accounts were in valid states. The police department implemented authentication-failure account lockouts, system use notification via login banners, and screen-saver passwords on all equipment that processes CJI.
5.6 Policy Area 6: Identification and Authentication

The agency shall identify information system users and processes acting on behalf of users and authenticate the identities of those users or processes as a prerequisite to allowing access to agency information systems or services.

5.6.1 Identification Policy and Procedures

Each person who is authorized to store, process, and/or transmit CJI shall be uniquely identified. A unique identification shall also be required for all persons who administer and maintain the system(s) that access CJI or networks leveraged for CJI transit. The unique identification can take the form of a full name, badge number, serial number, or other unique alphanumeric identifier. Agencies shall require users to identify themselves uniquely before the user is allowed to perform any actions on the system. Agencies shall ensure that all user IDs belong to currently authorized users. Identification data shall be kept current by adding new users and disabling and/or deleting former users.

5.6.1.1 Use of Originating Agency Identifiers in Transactions and Information Exchanges

An FBI authorized originating agency identifier (ORI) shall be used in each transaction on CJIS systems in order to identify the sending agency and to ensure the proper level of access for each transaction. The original identifier between the requesting agency and the CSA/SIB/Channeler shall be the ORI, and other agency identifiers, such as user identification or personal identifier, an access device mnemonic, or the Internet Protocol (IP) address. Agencies may act as a servicing agency and perform transactions on behalf of authorized agencies requesting the service. Servicing agencies performing inquiry transactions on behalf of another agency may do so using the requesting agency's ORI.
Servicing agencies may also use their own ORI to perform inquiry transactions on behalf of a requesting agency if the means and procedures are in place to provide an audit trail for the current specified retention period. Because the agency performing the transaction may not necessarily be the same as the agency requesting the transaction, the CSA/SIB/Channeler shall ensure that the ORI for each transaction can be traced, via audit trail, to the specific agency which is requesting the transaction. Audit trails can be used to identify the requesting agency if there is a reason to inquire into the details surrounding why an agency ran an inquiry on a subject. Agencies assigned a (limited access) ORI shall not use the full access ORI of another agency to conduct an inquiry transaction.

5.6.2 Authentication Policy and Procedures

Authentication refers to mechanisms or processes that verify users are valid once they are uniquely identified. The may develop an authentication strategy which centralizes oversight but decentralizes the establishment and daily administration of the security measures for access to CJI. Each individual's identity shall be authenticated at either the local agency, CSA, SIB or Channeler level. The authentication strategy shall be part of the agency's audit for policy compliance. The FBI CJIS Division shall identify and authenticate all individuals who establish direct web-based interactive sessions with FBI CJIS Services. The FBI CJIS Division shall authenticate the ORI of all message-based sessions between the FBI CJIS Division and its customer agencies but will not further authenticate the user nor capture the unique identifier for the originating operator because this function is performed at the local agency, CSA, SIB or Channeler level.

5.6.2.1 Standard Authenticators

Authenticators are (the something you know, something you are, or something you have) part of the identification and authentication process.
Examples of standard authenticators include passwords, tokens, biometrics, and personal identification numbers (PIN). Users shall not be allowed to use the same password or PIN in the same logon sequence.

5.6.2.1.1 Password

Agencies shall follow the secure password attributes, below, to authenticate an individual's unique ID. Passwords shall:

1. Be a minimum length of eight (8) characters on all systems.
2. Not be a dictionary word or proper name.
3. Not be the same as the Userid.
4. Expire within a maximum of 90 calendar days.
5. Not be identical to the previous ten (10) passwords.
6. Not be transmitted in the clear outside the secure location.
7. Not be displayed when entered.

5.6.2.1.2 Personal Identification Number (PIN)

When agencies implement the use of a PIN as a standard authenticator, the PIN attributes shall follow the guidance in section 5.6.2.1.1 (password). When agencies utilize a PIN in conjunction with a certificate or a token (e.g. key fob with rolling numbers) for the purpose of advanced authentication, agencies shall follow the PIN attributes described below. For example: A user certificate is installed on a smartphone for the purpose of advanced authentication (AA). As the user invokes that certificate, a PIN meeting the below attributes shall be used to access the certificate for the AA process.

1. Be a minimum of six (6) digits
2. Have no repeating digits (112233)
3. Have no sequential patterns (123456)
4. Not be the same as the Userid.
5. Expire within a maximum of 365 calendar days.
   a. If a PIN is used to access a soft certificate which is the second factor of authentication, AND the first factor is a password that complies with the requirements in Section 5.6.2.1.1, then the 365 day expiration requirement can be waived by the CSO.
6. Not be identical to the previous three (3) PINs.
7. Not be transmitted in the clear outside the secure location.
8. Not be displayed when entered.
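The password attributes in 5.6.2.1.1 and the PIN attributes in 5.6.2.1.2 that depend on the secret itself can be enforced at change time. The following is an added example, not part of the Policy. Its assumptions: "repeating digits" is read as any two adjacent equal digits, "sequential patterns" as any run of three or more ascending or descending digits, history is kept as salted PBKDF2 digests, and the word list and function names are constructed for illustration. The "not transmitted in the clear" and "not displayed" attributes concern transport and UI and are outside this check.

```python
import hashlib
import hmac
import os
from datetime import date

PASSWORD_MIN_LEN, PASSWORD_MAX_AGE_DAYS, PASSWORD_HISTORY = 8, 90, 10   # 5.6.2.1.1
PIN_MIN_DIGITS, PIN_MAX_AGE_DAYS, PIN_HISTORY = 6, 365, 3               # 5.6.2.1.2

# Constructed stand-in for a real dictionary / proper-name list.
WORDLIST = {"password", "baseball", "jennifer", "sunshine"}


def _digest(secret, salt):
    # Iteration count is an example value, not a Policy requirement.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def remember(secret):
    """Return the (salt, digest) pair to append to a user's history."""
    salt = os.urandom(16)
    return salt, _digest(secret, salt)


def _reused(secret, history, depth):
    """True if secret matches one of the last `depth` history entries."""
    return any(hmac.compare_digest(_digest(secret, salt), stored)
               for salt, stored in history[-depth:])


def check_password(candidate, userid, history, wordlist=WORDLIST):
    problems = []
    if len(candidate) < PASSWORD_MIN_LEN:
        problems.append("shorter than 8 characters")
    if candidate.lower() in wordlist:
        problems.append("dictionary word or proper name")
    if candidate.lower() == userid.lower():   # case-insensitive: stricter than required
        problems.append("same as the Userid")
    if _reused(candidate, history, PASSWORD_HISTORY):
        problems.append("matches one of the previous 10 passwords")
    return problems


def check_pin(candidate, userid, history):
    """PIN used with a certificate or token for advanced authentication."""
    if not (candidate.isascii() and candidate.isdigit()) or len(candidate) < PIN_MIN_DIGITS:
        return ["not at least 6 digits"]
    problems = []
    pairs = list(zip(candidate, candidate[1:]))
    if any(a == b for a, b in pairs):
        problems.append("repeating digits")
    steps = [int(b) - int(a) for a, b in pairs]
    # Two equal steps of +1 or -1 in a row means three digits in sequence.
    if any(s == t and s in (1, -1) for s, t in zip(steps, steps[1:])):
        problems.append("sequential pattern")
    if candidate == userid:
        problems.append("same as the Userid")
    if _reused(candidate, history, PIN_HISTORY):
        problems.append("matches one of the previous 3 PINs")
    return problems


def expired(last_changed, today, max_age_days):
    """A secret set on day 0 has expired once max_age_days have elapsed."""
    return (today - last_changed).days >= max_age_days


if __name__ == "__main__":
    print(check_password("Baseball", "jsmith", []))
    print(check_pin("123456", "jsmith", []))
    print(expired(date(2014, 1, 1), date(2014, 4, 1), PASSWORD_MAX_AGE_DAYS))
```
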
EXCEPTION: When a PIN is used for local device authentication, the only requirement is that it be a minimum of six (6) digits.

5.6.2.2 Advanced Authentication

Advanced Authentication (AA) provides for additional security to the typical user identification and authentication of login ID and password, such as: biometric systems, user-based public key infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens, or "Risk-based Authentication" that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (device forensics, user pattern analysis and user binding), user profiling, and high-risk challenge/response questions.

5.6.2.2.1 Advanced Authentication Policy and Rationale

The requirement dependent upon the physical, personnel, and technical security controls associated with the user location and whether CJI is accessed directly or indirectly. AA shall not be required for users requesting access to CJI from within the perimeter of a physically secure location (Section 5.9), when the technical security controls have been met (Sections 5.5 and 5.10), or when the user has no ability to conduct transactional activities on state and national repositories, applications, or services (indirect access). Conversely, if the technical security controls have not been met, AA shall be required even if the request for CJI originates from within a physically secure location. Section 5.6.2.2.2 provides agencies with a decision tree to help guide AA decisions. The CSO will make the final determination of whether access is considered indirect.

The intent of AA is to meet the standards of two-factor authentication. Two-factor authentication employs the use of two of the following three factors of authentication: something you know (password), something you have (hard token), something you are (biometric).
The two authentication factors shall be unique (password/token or biometric/password but not password/password or token/token).

CSO approved compensating controls to meet the AA requirement on agency-issued smartphones, tablets, and iPads are permitted. Compensating controls are temporary control measures that are implemented in lieu of the required AA control measures when an agency cannot meet a requirement due to legitimate technical or business constraints. The compensating controls shall:

1. Meet the intent of the CJIS Security Policy AA requirement
2. Provide a similar level of protection or security as the original AA requirement
3. Not rely upon the existing requirements for AA as compensating controls

Mobile Device Management (MDM) must be implemented and provide at least two of the other examples of compensating controls listed below.

Additionally, compensating controls may rely upon other, non-AA, existing requirements as compensating controls and/or be combined with new controls to create compensating controls.

The proposed compensating controls for AA are a combination of controls that provide acceptable assurance it is the authorized user authenticating and not an impersonator or (in the case of agency-issued device used by multiple users) controls that reduce the risk of exposure if information is accessed by an unauthorized party.
Examples of AA compensating controls for and agency-issued smartphones and tablets are:

- Possession of the agency issued smartphone, tablet, or iPad as an indication it is the authorized user
- Implemented password protection on the Mobile Device Management application and/or secure container where the authentication application is stored
- Enable remote device locking
- Enable remote data deletion
- Enable automatic data wipe after predetermined number of failed authentication attempts
- Remote device location (GPS) tracking
- Require CJIS Security Policy compliant password to access the device
- Use of device certificates

INTERIM COMPLIANCE:

1. Internet Protocol Security does not meet the 2011 requirements for advanced authentication; however, agencies that have funded/implemented in order to meet the AA requirements of CJIS Security Policy v.4.5 may continue to utilize for AA until September 30, 2014.

Examples:

a. A police officer runs a query for CJI from his/her laptop mounted in a police vehicle. The police officer leverages a cellular network as the transmission medium; authenticates the device using key exchange; and tunnels across the cellular network using the virtual private network (VPN). was funded and installed in order to meet the AA requirements of CJIS Security Policy version 4.5. AA requirements are waived until September 30, 2014.
b. A detective accesses CJI from various locations while investigating a crime scene. The detective uses an agency managed laptop with installed and leverages a cellular network as the transmission medium. was funded and installed in order to meet the AA requirements of CJIS Security Policy version 4.5. AA requirements are waived until September 30, 2014.

EXCEPTION:

AA shall be required when the requested service has built AA into its processes and requires a user to provide AA before granting access.

EXAMPLES:

a. A user, irrespective of his/her location, accesses the LEO website. The LEO has AA built into its services and requires AA prior to granting access. AA is required.
b. A user, irrespective of their location, accesses a State's portal through which access to CJI is facilitated. The State Portal has AA built into its processes and requires AA prior to granting access. AA is required.

5.6.2.2.2 Advanced Authentication Decision Tree

The following AA Decision Tree, coupled with figures 9 and 10 below, assists decision makers in determining whether or not AA is required.

1. Can request's originating location be determined physically?
   If either (a) or (b) below are true the answer to the above question is "yes". Proceed to question 2.
   a. The address is attributed to a physical structure; or
   b. The mnemonic is attributed to a specific device assigned to a specific location that is a physical structure.
   If neither (a) or (b) above are true then the answer is "no". Skip to question number 4.

2. Does request originate from within a physically secure location as described in Section 5.9.1?
   If either (a) or (b) below are true the answer to the above question is "yes". Proceed to question 3.
   a. The address is attributed to a physically secure location; or
   b. If a mnemonic is used it is attributed to a specific device assigned to a specific physically secure location.
   If neither (a) or (b) above are true then the answer is "no". Decision tree completed. AA required.

3. Are all required technical controls implemented at this location or at the controlling agency?
   If either (a) or (b) below are true the answer to the above question is "yes". Decision tree completed. AA requirement waived.
   a. Appropriate technical controls listed in Sections 5.5 and 5.10 are implemented; or
   b. The controlling agency (parent agency or agency leveraged as conduit to CJI) extends its wide area network controls down to the requesting agency and the extended controls provide assurance equal or greater to the controls listed in Sections 5.5 and 5.10.
   If neither (a) or (b) above are true then the answer is "no". Decision tree completed. AA required.

4. Does request originate from an agency-managed user device?
   If either (a) or (b) below are true the answer to the above question is "yes". Proceed to question 5.
   a. The static IP address or MAC address can be traced to registered device; or
   b. Certificates are issued to agency managed devices only and certificate exchange is allowed only between authentication server and agency issued devices.
   If neither (a) or (b) above are true then the answer is "no". Decision tree completed. AA required.

5. Is the agency managed user device associated with and located within a law enforcement conveyance?
   If any of the (a), (b), or (c) statements below is true the answer to the above question is "yes". Proceed to Figure 9 Step 3.
   a. The static IP address or MAC address is associated with a device associated with a law enforcement conveyance; or
   b. The certificate presented is associated with a device associated with a law enforcement conveyance; or
   c. The mnemonic presented is associated with a specific device assigned and that device is attributed to a law enforcement conveyance.
   If none of the (a), (b), or (c) statements above are true then the answer is "no". Skip to question number 7.

6. Is the user device an agency-issued and controlled smartphone or tablet?
   If both (a) and (b) below are true, the answer to the above question is "yes." Proceed to question number 7.
   a. The law enforcement agency issued the device to an individual; and
   b. The device is subject to administrative management control of the issuing agency.
   If either (a) or (b) above is false, then the answer is "no". Decision tree completed. AA required.

7. Does the agency-issued smartphone have CSO-approved AA compensating controls implemented?
   If (a) and (b) below are true, the answer to the above question is "yes." Decision tree completed. AA requirement is waived.
   a. An agency cannot meet a requirement due to legitimate technical or business constraints; and
   b. The CSO has given written approval permitting AA compensating controls to be implemented in lieu of the required AA control measures.
   If either (a) or (b) above is false then the answer is "no." AA required. Decision tree completed.

5.6.3 Identifier and Authenticator Management

The agency shall establish identifier and authenticator management processes.

5.6.3.1 Identifier Management

In order to manage user identifiers, agencies shall:

1. Uniquely identify each user.
2. Verify the identity of each user.
3. Receive authorization to issue a user identifier from an appropriate agency official.
4. Issue the user identifier to the intended party.
5. Disable the user identifier after a specified period of inactivity.
6. Archive user identifiers.

5.6.3.2 Authenticator Management

In order to manage information system authenticators, agencies shall:

1. Define initial authenticator content.
2. Establish administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators.
3. Change default authenticators upon information system installation.
4. Change/refresh authenticators periodically.

Information system authenticators include, for example, tokens, user-based PKI certificates, biometrics, passwords, and key cards. Users shall take reasonable measures to safeguard authenticators including maintaining possession of their individual authenticators, not loaning or sharing authenticators with others, and immediately reporting lost or compromised authenticators.

5.6.4 Assertions

Identity providers can be leveraged to identify individuals and assert the individual's identity to a service or to a trusted broker who will in-turn assert the identity to a service. Assertion mechanisms used to communicate the results of a remote authentication to other parties shall be:

1. Digitally signed by a trusted entity (the identity provider).
2. Obtained directly from a trusted entity (e.g. trusted broker) using a protocol where the trusted entity authenticates to the relying party using a secure protocol (e.g. transport layer security) that authenticates the verifier and protects the assertion.

Assertions generated by a verifier shall expire after 12 hours and shall not be accepted thereafter by the relying party.

5.6.5 Appendix contains all of the references used in this Policy and may contain additional sources that apply to this section.

Figure 8 Advanced Authentication Use Cases

Use Case 1 A Local Police Department Authentication Control Scenario

During the course of an investigation, a detective attempts to access Criminal Justice Information (CJI) from a hotel room using an agency issued mobile broadband card. To gain access, the detective first establishes the remote session via a secure virtual private network (VPN) tunnel (satisfying the requirement for Upon connecting to the agency network, the detective is challenged for a username (identification), password ("something you know"), and a one-time password OTP ("something you have") from a hardware token to satisfy the requirement for advanced authentication. Once the detective's credentials are validated, his identity is asserted by the infrastructure to all authorized applications needed to complete his queries.

Use Case 2 Use of a Smart Card

A user is issued a smart card that is loaded with user-specific digital certificates from a terminal within a controlled area. The user selects an application that will provide access to Criminal Justice Information (CJI) then enters the proper username (identification) and password ("something you know"). Once prompted, the user connects the smart card ("something you have") to the terminal. The user is prompted to enter a personal identification number (PIN) to unlock the smart card.
Once unlocked, the smart card sends the certificates to the authentication management server at the local agency where the combined username, password, and digital user certificates are validated. The user has satisfied the requirement for AA and is granted access to CJI.

Use Case 3 Out of Band One-Time-Password (OTP) Mobile phone-based

Using an agency-issued laptop, a user connects to the agency network via an agency-issued mobile broadband card and an virtual private network (VPN) tunnel. As part of an on-going investigation, the user initiates an application that will permit access to Criminal Justice Information (CJI). The user is prompted to enter a username (identification) and a password ("something you know"). Once that has been completed, a text message containing a one-time password (OTP) is sent via text message (out of band) to the user's agency-issued cell phone. The user is challenged via the CJI application for that OTP. The user enters the OTP ("something you have") then the username, password, and OTP are validated. The user has satisfied the requirement for AA and is granted access to CJI.

Use Case 4 Improper Use of a One-Time-Password (OTP) Laptop

Using an agency-issued laptop, a user connects to the agency network via an agency-issued mobile broadband card and an virtual private network (VPN) tunnel. As part of an on-going investigation, the user initiates an application that will permit access to Criminal Justice Information (CJI). The user is prompted to enter a username (identification) and a password ("something you know"). Once that has been completed, a one-time password (OTP) is sent to the user's agency-issued laptop (in band) via pop-up message. The user is challenged via the CJI application for that OTP; however, the delivery of the OTP to the device that is being used to access CJI (in band) defeats the purpose of the second factor.
This method does not satisfy the requirement for AA, and therefore the user should not be granted access to CJI. See the below explanation:

This method of receiving the necessary OTP (in band) does not guarantee the authenticity of the user's identity because anyone launching the CJI application and entering a valid username/password combination is presented the OTP via a pop-up which is intended to be the second factor of authentication. This method makes the application accessible to anyone with knowledge of the valid username and password. Potentially, this is no more secure than using only a single factor of authentication.

Use Case 5 Risk-based Authentication (RBA) Implementation

A user has moved office locations and requires email access (containing Criminal Justice Information) via an Outlook Web Access (OWA) client utilizing a risk-based authentication (RBA) solution. The user launches the OWA client and is prompted to enter a username (identification) and a password ("something you know"). The RBA detects this computer has not previously been used by the user, is not listed under the user's profile, and then presents high-risk challenge/response question(s) which the user is prompted to answer. Once the questions have been verified as correct, the user is authenticated and granted access to the email. Meanwhile, the RBA logs and collects a number of device forensic information and captures the user pattern analysis to update the user's profile. The CJIS Security Policy requirements for RBA have been satisfied.

Use Case 6 Improper Risk-based Authentication (RBA) Implementation

A user has moved office locations and requires access to email containing Criminal Justice Information (CJI) via an Outlook Web Access (OWA) client utilizing a risk-based authentication (RBA) solution. The user launches the OWA client and is prompted to enter a username (identification) and a password ("something you know").
The RBA detects this computer has not previously been used by the user and is not listed under the user's profile. The user is prompted to answer high-risk challenge/response questions for verification and authorization to access to the email; however, if the second authentication factor is to answer additional questions presented every time the user logs on, then this solution is referred to as a knowledge-based authentication (KBA) solution. A KBA solution does not satisfy the requirement for AA, and therefore the user should not be granted access to CJI. See the below explanation:

A KBA solution is not a viable advanced authentication (AA) solution per the CJIS Security Policy (CSP). The KBA asks questions and compares the answers to those stored within the user's profile. A KBA is neither a CSP compliant two factor authentication solution, nor does it meet the CSP criteria of a risk-based authentication (RBA) solution which logs and collects a number of device forensic information and captures the user pattern analysis to update the user's profile. Using this collected data, the RBA presents challenge/response questions when changes to the user's profile are noted versus every time the user logs in.

Use Case 7 Advanced Authentication Compensating Controls on Agency-Issued Smartphones

An authorized user is issued a smartphone that is administratively managed by the agency-installed mobile device management (MDM) solution to ensure device compliance with the CJIS Security Policy. The user initiates an email client on the smartphone that contains emails with CJI. The email client challenges the user to enter a username (identification) and a password (one factor: something you know) which are forwarded to the local agency for authentication. The smartphone lacks the technical capability to challenge the user for a second factor of authentication.
This email client is used across the state agency so access is a necessity for the user's job functions. An audit by the CSA identifies the agency's use of the agency smartphone as not compliant with AA requirements due to the authorized user authenticating with only one factor instead of the required two factors.

Subsequently, the agency performs a risk assessment of their smartphone authentication solution and documents a legitimate technical constraint due to the lack of technical solutions for smartphone-based two-factor authentication. The risk assessment identifies the following compensating controls that, when combined with the authorized user authenticating to the local agency with their password, meet the intent of the AA requirement by providing a similar level of security:

1. Enhance smartphone policy to enable possession of the smartphone to be considered a factor of authentication (something you have). Require authorized users to treat the smartphone as a controlled device and protect it as they would a personal credit card or an issued firearm to ensure only they will be in possession of the device
2. Move the email client used to authenticate with the local agency inside an password-protected secure container on the smartphone ensuring only the authorized user can access the email application to authenticate.

The agency submits an AA compensating controls request to the CSO outlining the technical constraint identified by the risk assessment, what compensating controls will be employed, and the desired duration of the compensating controls. The CSO approves the agency's request and provides documentation of the approval to the agency to maintain for audit purposes. The agency enacts the compensating controls and informs agency personnel they are permitted to access CJI via the agency-issued smartphone.
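The AA Decision Tree of Section 5.6.2.2.2 can be written as a transition table and walked for a given access request. The Python code below is an added example, not part of the Policy; the fact labels are hypothetical names for the lettered statements under each question, and the sample requests are constructed. The branches follow the question text as worded, including "Skip to question number 7" under question 5, so question 6 is in the table but is not the target of any branch.

```python
from typing import Callable, NamedTuple, Union

AA_REQUIRED = "AA required"
AA_WAIVED = "AA requirement waived"
Target = Union[int, str]  # next question number, or a final decision


class Question(NamedTuple):
    text: str
    combine: Callable  # any -> "either/any of" the statements, all -> "both"
    facts: tuple       # hypothetical labels for lettered statements a, b, c
    yes: Target
    no: Target


# Branch targets transcribed from the question text of Section 5.6.2.2.2.
TREE = {
    1: Question("Can the request's originating location be determined physically?",
                any, ("address_at_physical_structure",
                      "mnemonic_device_at_physical_structure"), 2, 4),
    2: Question("Does the request originate from a physically secure location?",
                any, ("address_at_secure_location",
                      "mnemonic_device_at_secure_location"), 3, AA_REQUIRED),
    3: Question("Are all required technical controls implemented?",
                any, ("controls_5_5_and_5_10_implemented",
                      "controlling_agency_extends_equal_controls"),
                AA_WAIVED, AA_REQUIRED),
    4: Question("Does the request originate from an agency-managed user device?",
                any, ("address_traced_to_registered_device",
                      "certificates_limited_to_agency_devices"), 5, AA_REQUIRED),
    5: Question("Is the device associated with a law enforcement conveyance?",
                any, ("address_tied_to_conveyance",
                      "certificate_tied_to_conveyance",
                      "mnemonic_tied_to_conveyance"), 3, 7),
    6: Question("Is the device an agency-issued and controlled smartphone or tablet?",
                all, ("issued_to_individual_by_agency",
                      "under_agency_administrative_control"), 7, AA_REQUIRED),
    7: Question("Are CSO-approved AA compensating controls implemented?",
                all, ("legitimate_technical_or_business_constraint",
                      "cso_written_approval"), AA_WAIVED, AA_REQUIRED),
}
KNOWN_FACTS = {fact for q in TREE.values() for fact in q.facts}


def decide(facts):
    """Walk the tree from question 1; return (decision, [(question, answer)]).

    facts is the set of statements established as true for the request.
    Anything not listed counts as false, so missing evidence ends in
    "AA required". Unrecognised labels raise instead of being ignored.
    """
    unknown = set(facts) - KNOWN_FACTS
    if unknown:
        raise ValueError(f"unrecognised facts: {sorted(unknown)}")
    step, path = 1, []
    while isinstance(step, int):
        q = TREE[step]
        answer = q.combine(fact in facts for fact in q.facts)
        path.append((step, answer))
        step = q.yes if answer else q.no
    return step, path


def reachable(start=1):
    """Question numbers that some sequence of answers can reach from start."""
    seen, todo = set(), [start]
    while todo:
        node = todo.pop()
        if isinstance(node, int) and node not in seen:
            seen.add(node)
            todo += [TREE[node].yes, TREE[node].no]
    return seen


if __name__ == "__main__":
    # Constructed request: registered laptop in a patrol vehicle, controls met.
    print(decide({"address_traced_to_registered_device",
                  "certificate_tied_to_conveyance",
                  "controls_5_5_and_5_10_implemented"}))
    print(sorted(reachable()))
```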
Figure 9 Authentication Decision for Known Location
[Flowchart: Incoming CJI Access Request. #1 Can request's physical originating location be determined? (See Figure 10.) #2 Does request originate from within a physically secure location? #3 Are all required technical controls implemented at this location or at controlling agency?]

Figure 10 Authentication Decision for Unknown Location
[Flowchart: Incoming CJI Access Request. #1 Can request's physical originating location be determined? (See Figure 9.) #4 Does request originate from an agency-managed user device? Is the agency managed user device associated with and located within a Law Enforcement Conveyance? (Go To Figure 9 Step #3.) #6 Is the user device an agency-issued and controlled smartphone or tablet? #7 Does the agency-issued smartphone have CSO-approved compensating controls implemented?]

5.7 Policy Area 7: Configuration Management

5.7.1 Access Restrictions for Changes

Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system. The goal is to allow only qualified and authorized individuals access to information system components for purposes of initiating changes, including upgrades, and modifications. Section 5.5, Access Control, describes agency requirements for control of privileges and restrictions.

5.7.1.1 Least Functionality

The agency shall configure the application, service, or information system to provide only essential capabilities and shall specifically prohibit and/or restrict the use of specified functions, ports, protocols, and/or services.
5.7.1.2 Network Diagram

The agency shall ensure that a complete topological drawing depicting the interconnectivity of the agency network, to criminal justice information, systems and services is maintained in a current status. See Appendix for sample network diagrams. The network topological drawing shall include the following:

1. All communications paths, circuits, and other components used for the interconnection, beginning with the agency-owned system(s) and traversing through all interconnected systems to the agency end-point.
2. The logical location of all components (firewalls, routers, switches, hubs, servers, devices, and computer workstations). Individual workstations (clients) do not have to be shown; the number of clients is sufficient.
3. "For Official Use Only" (FOUO) markings.
4. The agency name and date (day, month, and year) drawing was created or updated.

5.7.2 Security of Configuration Documentation

The system configuration documentation often contains sensitive details (descriptions of applications, processes, procedures, data structures, authorization processes, data flow, etc.). Agencies shall protect the system documentation from unauthorized access consistent with the provisions described in Section 5.5 Access Control.

5.7.3 Appendix I contains all of the references used in this Policy and may contain additional sources that apply to this section.

Figure 11 A Local Police Department's Configuration Management Controls

A local police department decided to update their CAD system, and in doing so tracked all changes made to their infrastructure in a configuration management journal, updated their network topology documents to include all new components in their architecture, then marked all documentation as FOUO and stored them securely.
5.8 Policy Area 8: Media Protection

Media protection policy and procedures shall be documented and implemented to ensure that access to electronic and physical media in all forms is restricted to authorized individuals. Procedures shall be defined for securely handling, transporting and storing media.

5.8.1 Media Storage and Access

The agency shall securely store electronic and physical media within physically secure locations or controlled areas. The agency shall restrict access to electronic and physical media to authorized individuals. If physical and personnel restrictions are not feasible then the data shall be per Section 5.10.1.2.

5.8.2 Media Transport

The agency shall protect and control electronic and physical media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel.

5.8.2.1 Digital Media during Transport

Controls shall be in place to protect digital media containing CJI while in transport (physically moved from one location to another) to help prevent compromise of the data. as defined in Section 5.10.1.2 of this Policy, is the optimal control during transport; however, if of the data isn't possible then each agency shall institute physical controls to ensure the security of the data.

5.8.2.2 Physical Media in Transit

The controls and security measures in this document also apply to CJI in physical (printed documents, printed imagery, etc.) form. Physical media shall be protected at the same level as the information would be protected in electronic form.

5.8.3 Electronic Media Sanitization and Disposal

The agency shall sanitize, that is, overwrite at least three times or degauss electronic media prior to disposal or release for reuse by unauthorized individuals. Inoperable electronic media shall be destroyed (cut up, shredded, etc.). The agency shall maintain written documentation of the steps taken to sanitize or destroy electronic media.
Agencies shall ensure the sanitization or destruction is witnessed or carried out by authorized personnel.

5.8.4 Disposal of Physical Media

Physical media shall be securely disposed of when no longer required, using formal procedures. Formal procedures for the secure disposal or destruction of physical media shall minimize the risk of sensitive information compromise by unauthorized individuals. Physical media shall be destroyed by shredding or incineration. Agencies shall ensure the disposal or destruction is witnessed or carried out by authorized personnel.

5.8.5 Appendix I contains all of the references used in this Policy and may contain additional sources that apply to this section.

Figure 12 A Local Police Department's Media Management Policies

A local police department implemented a replacement CAD system that integrated to their state's CSA and was authorized to process CJI. The police department contracted with an off-site media manager to store backups of their data in the contractor's vaults, but the contractor was not authorized to process or store CJI. To ensure the confidentiality of the police department's data while outside its perimeter, they all data going to the contractor with an product that is FIPS 140-2 certified. The police department rotated and reused media through the contractor's vaults periodically, and when it required destruction, the police department incinerated the media to irreversibly destroy any data on it.

5.9 Policy Area 9: Physical Protection

Physical protection policy and procedures shall be documented and implemented to ensure CJI and information system hardware, software, and media are physically protected through access control measures.
5.9.1 Physically Secure Location

A physically secure location is a facility, a police vehicle, or an area, a room, or a group of rooms within a facility with both the physical and personnel security controls sufficient to protect CJI and associated information systems. The physically secure location is subject to criminal justice agency management control; SIB control; FBI CJIS Security addendum; or a combination thereof.

Sections 5.9.1.1 - 5.9.1.8 describe the physical controls required in order to be considered a physically secure location, while Section 5.12 describes the minimum personnel security controls required for unescorted access to a physically secure location. Sections 5.5, 5.6.2.2.1, and 5.10 describe the requirements for technical security controls required to access CJI from within the perimeter of a physically secure location without AA.

5.9.1.1 Security Perimeter

The perimeter of a physically secure location shall be prominently posted and separated from non-secure locations by physical controls. Security perimeters shall be defined, controlled and secured in a manner acceptable to the CSA or SIB.

5.9.1.2 Physical Access Authorizations

The agency shall develop and keep current a list of personnel with authorized access to the physically secure location (except for those areas within the permanent facility officially designated as publicly accessible) or shall issue credentials to authorized personnel.

5.9.1.3 Physical Access Control

The agency shall control all physical access points (except for those areas within the facility officially designated as publicly accessible) and shall verify individual access authorizations before granting access.

5.9.1.4 Access Control for Transmission Medium

The agency shall control physical access to information system distribution and transmission lines within the physically secure location.
5.9.1.5 Access Control for Display Medium

The agency shall control physical access to information system devices that display CJI and shall position information system devices in such a way as to prevent unauthorized individuals from accessing and viewing CJI.

5.9.1.6 Monitoring Physical Access

The agency shall monitor physical access to the information system to detect and respond to physical security incidents.

5.9.1.7 Visitor Control

The agency shall control physical access by authenticating visitors before authorizing escorted access to the physically secure location (except for those areas designated as publicly accessible). The agency shall escort visitors at all times and monitor visitor activity.

5.9.1.8 Delivery and Removal

The agency shall authorize and control information system-related items entering and exiting the physically secure location.

5.9.2 Controlled Area

If an agency cannot meet all of the controls required for establishing a physically secure location, but has an operational need to access or store CJI, the agency shall designate an area, a room, or a storage container, as a controlled area for the purpose of day-to-day CJI access or storage. The agency shall, at a minimum:

1. Limit access to the controlled area during CJI processing times to only those personnel authorized by the agency to access or view CJI.
2. Lock the area, room, or storage container when unattended.
3. Position information system devices and documents containing CJI in such a way as to prevent unauthorized individuals from access and view.
4. Follow the requirements found in Section 5.10.1.2 for electronic storage (data "at rest") of CJI.

5.9.3 Appendix I contains all of the references used in this Policy and may contain additional sources that apply to this section.
Figure 13 A Local Police Department's Physical Protection Measures

A local police department implemented a replacement CAD system that was authorized to process CJI over an VPN tunnel to the state's CSA. The police department established a physically separated wing within their precinct separated by locked doors, walls, and a monitored security system within which CJI was processed by dispatchers, officers, and detectives. Only those persons with the appropriate authorizations were permitted within this wing unless accompanied by such a person. Within this secure wing the police department further segregated the back-office information systems' infrastructure within a separately controlled area restricted only to those authorized administrative personnel with a need to enter.

5.10 Policy Area 10: System and Communications Protection and Information Integrity

Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. This section details the policy for protecting systems and communications infrastructures.

Refer to Section 5.13.4 for additional system integrity requirements related to mobile devices used to access CJI.

5.10.1 Information Flow Enforcement

The network infrastructure shall control the flow of information between interconnected systems. Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. In other words, controlling how data moves from one place to the next in a secure manner.
Examples of controls that are better expressed as flow control than access control (see Section 5.5) are:

1. Prevent CJI from being transmitted across the public network.
2. Block outside traffic that claims to be from within the agency.
3. Do not pass any web requests to the public network that are not from the internal web proxy.

Specific examples of flow control enforcement can be found in boundary protection devices (e.g. proxies, gateways, guards, tunnels, firewalls, and routers) that employ rule sets or establish configuration settings that restrict information system services or provide a packet filtering capability.

5.10.1.1 Boundary Protection

The agency shall:

1. Control access to networks processing CJI.
2. Monitor and control communications at the external boundary of the information system and at key internal boundaries within the system.
3. Ensure any connections to the Internet, other external networks, or information systems occur through controlled interfaces (e.g. proxies, gateways, routers, firewalls, tunnels). See Section 5.13.4.4 for guidance on personal firewalls.
4. Employ tools and techniques to monitor network events, detect attacks, and provide identification of unauthorized use.
5. Ensure the operational failure of the boundary protection mechanisms does not result in any unauthorized release of information outside of the information system boundary (i.e. the device shall "fail closed" vs. "fail open").
6. Allocate publicly accessible information system components (e.g. public Web servers) to separate sub networks with separate network interfaces. Publicly accessible information systems residing on a virtual host shall follow the guidance in Section 5.10.3.2 to achieve separation.

5.10.1.2 Encryption

Commonly available encryption tools often use a key to unlock the cipher to allow data access; this key is called a passphrase. While similar to a password, a passphrase is not used for user authentication.
Additionally, the passphrase contains stringent character requirements making it more secure and thus providing a higher level of confidence that the passphrase will not be compromised.

1. Encryption shall be a minimum of 128 bit.
2. When CJI is transmitted outside the boundary of the physically secure location, the data shall be immediately protected via cryptographic mechanisms (encryption).
   EXCEPTIONS: See Sections 5.5.7.3.2 and 5.10.2.
3. When CJI is at rest (i.e. stored electronically) outside the boundary of the physically secure location, the data shall be protected via cryptographic mechanisms (encryption).
   a) When agencies implement encryption on CJI at rest, the passphrase used to unlock the cipher shall meet the following requirements:
      i. Be at least 10 characters.
      ii. Not be a dictionary word.
      iii. Include at least one (1) upper case letter, one (1) lower case letter, one number, and one special character.
      iv. Be changed when previously authorized personnel no longer require access.
   b) Multiple files maintained in the same folder shall have separate and distinct passphrases. A single passphrase may be used to encrypt an entire folder or disk containing multiple files. All audit requirements found in Section 5.4.1 Auditable Events and Content (Information Systems) shall be applied.
4. When encryption is employed, the module used shall be certified to meet FIPS 140-2 standards.
   Note 1: Subsequent versions of approved modules that are under current review for FIPS 140-2 compliancy can be used in the interim until certification is complete.
   Note 2: While FIPS 197 (Advanced Encryption Standard) certification is desirable, a FIPS 197 certification alone is insufficient as the certification is for the algorithm only vs. the FIPS 140-2 standard which certifies the packaging of an implementation.
   EXCEPTION: When encryption is used for CJI at rest, agencies may use methods that are FIPS 197 certified, 256 bit as described on the National Security Agency (NSA) Suite B Cryptography list of approved algorithms.
5. For agencies using public key infrastructure technology, the agency shall develop and implement a certificate policy and certification practice statement for the issuance of public key certificates used in the information system. Registration to receive a public key certificate shall:
   a) Include authorization by a supervisor or a responsible official.
   b) Be accomplished by a secure process that verifies the identity of the certificate holder.
   c) Ensure the certificate is issued to the intended party.

5.10.1.3 Intrusion Detection Tools and Techniques

The agency shall implement network-based and/or host-based intrusion detection tools. The SIB shall, in addition:

1. Monitor inbound and outbound communications for unusual or unauthorized activities.
2. Send individual intrusion detection logs to a central logging facility where correlation and analysis will be accomplished as a system wide intrusion detection effort.
3. Employ automated tools to support near-real-time analysis of events in support of detecting system-level attacks.

5.10.1.4 Voice over Internet Protocol

Voice over Internet Protocol (VoIP) has been embraced by organizations globally as an addition to, or replacement for, public switched telephone network (PSTN) and private branch exchange (PBX) telephone systems. The immediate benefits are lower costs than traditional telephone services and VoIP can be installed in-line with an organization's existing Internet Protocol (IP) services. Among risks that have to be considered carefully are: myriad security concerns, cost issues associated with new networking hardware requirements, and overarching quality of service (QoS) factors.

In addition to the security controls described in this document, the following additional controls shall be implemented when an agency deploys VoIP within a network that contains CJI:

1. Establish usage restrictions and implementation guidance for VoIP technologies.
2. Change the default administrative password on the IP phones and switches.
3. Utilize Virtual Local Area Network (VLAN) technology to segment VoIP traffic from data traffic.

Appendix G.2 outlines threats, vulnerabilities, mitigations, and NIST best practices for VoIP.

5.10.1.5 Cloud Computing

Organizations transitioning to a cloud environment are presented unique opportunities and challenges (e.g. purported cost savings and increased efficiencies versus a loss of control over the data). Reviewing the cloud computing white paper (Appendix G.3), the cloud assessment located within the security policy resource center on FBI.gov, NIST Special Publications (800-144, 800-145, and well as the cloud provider's policies and capabilities will enable organizations to make informed decisions on whether or not the cloud provider can offer service that maintains compliance with the requirements of the CJIS Security Policy.

The metadata derived from CJI shall not be used by any cloud service provider for any purposes. The cloud service provider shall be prohibited from scanning any email or data files for the purpose of building analytics, data mining, advertising, or improving the services provided.

5.10.2 Facsimile Transmission of CJI

CJI transmitted via facsimile is exempt from encryption requirements.

5.10.3 Partitioning and Virtualization

As resources grow scarce, agencies are increasing the centralization of applications, services, and system administration. Advanced software now provides the ability to create virtual machines that allow agencies to reduce the amount of hardware needed. Although the concepts of partitioning and virtualization have existed for a while, the need for securing the partitions and virtualized machines has evolved due to the increasing amount of distributed processing and federated information sources now available across the Internet.

5.10.3.1 Partitioning

The application, service, or information system shall separate user functionality (including user interface services) from information system management functionality.
The application, service, or information system shall physically or logically separate user interface services (e.g. public web pages) from information storage and management services (e.g. database management). Separation may be accomplished through the use of one or more of the following:

1. Different computers.
2. Different central processing units.
3. Different instances of the operating system.
4. Different network addresses.
5. Other methods approved by the FBI CJIS ISO.

5.10.3.2 Virtualization

Virtualization refers to a methodology of dividing the resources of a computer (hardware and software) into multiple execution environments. Virtualized environments are authorized for criminal justice and noncriminal justice activities. In addition to the security controls described in this Policy, the following additional controls shall be implemented in a virtual environment:

1. Isolate the host from the virtual machine. In other words, virtual machine users cannot access host files, firmware, etc.
2. Maintain audit logs for all virtual machines and hosts and store the logs outside the hosts' virtual environment.
3. Virtual Machines that are Internet facing (web servers, portal servers, etc.) shall be physically separate from Virtual Machines that process CJI internally.
4. Device drivers that are "critical" shall be contained within a separate guest.

The following are additional technical security control best practices and should be implemented wherever feasible:

1. Encrypt network traffic between the virtual machine and host.
2. Implement IDS and monitoring within the virtual machine environment.
3. Virtually firewall each virtual machine from each other (or physically firewall each virtual machine from each other with an application layer firewall) and ensure that only allowed protocols will transact.
4. Segregate the administrative duties for the host.
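The flow control rules listed in Section 5.10.1, the "fail closed" requirement of Section 5.10.1.1 and the firewalling of virtual machines described above all decide on where information travels rather than on who the user is. The following Python example is added here for illustration and is not part of the Policy; the address range, proxy address, zone names and the carries_cji label are assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values for illustration; substitute the agency's own addressing.
INTERNAL_NET = ip_network("10.20.0.0/16")   # assumed agency address space
WEB_PROXY = ip_address("10.20.1.10")        # assumed internal web proxy
WEB_PORTS = frozenset({80, 443})
ZONES = frozenset({"inside", "outside"})    # "outside" is the public network


@dataclass(frozen=True)
class Flow:
    src: str                   # source address as it appears on the wire
    dst: str
    dst_port: int
    in_zone: str               # zone of the interface the traffic arrived on
    out_zone: str              # zone of the interface it would leave through
    carries_cji: bool = False  # label from upstream classification (assumption)


def _decide(flow):
    """Return (action, rule); decisions use where data travels, not who sent it."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if flow.in_zone not in ZONES or flow.out_zone not in ZONES:
        raise ValueError("unknown zone")
    if not 0 < flow.dst_port < 65536:
        raise ValueError("port out of range")

    # Section 5.10.1 example 2: outside traffic claiming to be from within.
    if flow.in_zone == "outside" and src in INTERNAL_NET:
        return "deny", "spoofed-internal-source"

    if flow.in_zone == "inside" and flow.out_zone == "outside":
        # Example 1: CJI is not transmitted across the public network.
        if flow.carries_cji:
            return "deny", "cji-to-public-network"
        # Example 3: web requests leave only through the internal web proxy.
        if flow.dst_port in WEB_PORTS:
            if src == WEB_PROXY:
                return "allow", "web-via-proxy"
            return "deny", "web-not-from-proxy"

    # Traffic that stays inside the agency between internal addresses.
    if (flow.in_zone, flow.out_zone) == ("inside", "inside") \
            and src in INTERNAL_NET and dst in INTERNAL_NET:
        return "allow", "internal"

    return "deny", "default-deny"   # nothing matched: no implicit allow


def evaluate(flow):
    """Fail closed: an error during evaluation yields deny, never allow."""
    try:
        return _decide(flow)
    except Exception as exc:
        return "deny", "fail-closed:" + type(exc).__name__


# Constructed sample flows.
SAMPLES = [
    Flow("10.20.5.7", "10.20.9.9", 443, "outside", "inside"),
    Flow("10.20.1.10", "198.51.100.8", 443, "inside", "outside"),
    Flow("10.20.5.7", "198.51.100.8", 80, "inside", "outside"),
    Flow("10.20.1.10", "198.51.100.8", 443, "inside", "outside", carries_cji=True),
    Flow("not-an-ip", "198.51.100.8", 443, "inside", "outside"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(evaluate(sample), sample)
```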
Appendix G-1 provides some reference and additional background information on virtualization.

5.10.4 System and Information Integrity Policy and Procedures

5.10.4.1 Patch Management

The agency shall identify applications, services, and information systems containing software or components affected by recently announced software flaws and potential vulnerabilities resulting from those flaws.

The agency (or the software developer/vendor in the case of software developed and maintained by a vendor/contractor) shall develop and implement a local policy that ensures prompt installation of newly released security relevant patches, service packs and hot fixes. Local policies should include such items as:

1. Testing of appropriate patches before installation.
2. Rollback capabilities when installing patches, updates, etc.
3. Automatic updates without individual user intervention.
4. Centralized patch management.

Patch requirements discovered during security assessments, continuous monitoring or incident response activities shall also be addressed expeditiously.

5.10.4.2 Malicious Code Protection

The agency shall implement malicious code protection that includes automatic updates for all systems with Internet access. Agencies with systems not connected to the Internet shall implement local procedures to ensure malicious code protection is kept current (i.e. most recent update available).

The agency shall employ virus protection mechanisms to detect and eradicate malicious code (e.g. viruses, worms, Trojan horses) at critical points throughout the network and on all workstations, servers and mobile computing devices on the network. The agency shall ensure malicious code protection is enabled on all of the aforementioned critical points and information systems and resident scanning is employed.

5.10.4.3 Spam and Spyware Protection

The agency shall implement spam and spyware protection. The agency shall:

1. Employ spam protection mechanisms at critical information system entry points (e.g. firewalls, electronic mail servers, remote-access servers).
2. Employ spyware protection at workstations, servers and mobile computing devices on the network.
3. Use the spam and spyware protection mechanisms to detect and take appropriate action on unsolicited messages and spyware/adware, respectively, transported by electronic mail, electronic mail attachments, Internet accesses, removable media (e.g. diskettes or compact disks) or other removable media as defined in this Policy.

5.10.4.4 Security Alerts and Advisories

The agency shall:

1. Receive information system security alerts/advisories on a regular basis.
2. Issue alerts/advisories to appropriate personnel.
3. Document the types of actions to be taken in response to security alerts/advisories.
4. Take appropriate actions in response.
5. Employ automated mechanisms to make security alert and advisory information available throughout the agency as appropriate.

5.10.4.5 Information Input Restrictions

The agency shall restrict the information input to any connection to FBI CJIS services to authorized personnel only. Restrictions on personnel authorized to input information to the information system may extend beyond the typical access controls employed by the system and include limitations based on specific operational/project responsibilities.

5.10.5 Appendix I contains all of the references used in this Policy and may contain additional sources that apply to this section.

Figure 14: A Local Police Department's Information Systems Communications Protections

A local police department implemented a replacement CAD system within a physically secure location that was authorized to process CJI using a FIPS 140-2 VPN tunnel over the Internet to the state's CSA.
In addition to the policies, physical and personnel controls already in place, the police department employed firewalls both at their border and at key points within their network, intrusion detection systems, a patch-management strategy that included automatic patch updates where possible, virus scanners, spam and spyware detection mechanisms that update signatures automatically, and subscribed to various security alert mailing lists and addressed vulnerabilities raised through the alerts as needed.

5.11 Policy Area 11: Formal Audits

Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies.

5.11.1 Audits by the FBI CJIS Division

5.11.1.1 Triennial Compliance Audits by the FBI CJIS Division

The FBI CJIS Division is authorized to conduct audits, once every three (3) years as a minimum, to assess agency compliance with applicable statutes, regulations and policies. The CJIS Audit Unit (CAU) shall conduct a triennial audit of each CSA in order to verify compliance with applicable statutes, regulations and policies. This audit shall include a sample of CJAs and, in coordination with the SIB, the NCJAs. Audits may be conducted on a more frequent basis if the audit reveals that an agency has not complied with applicable statutes, regulations and policies. The FBI CJIS Division shall also have the authority to conduct unannounced security inspections and scheduled audits of Contractor facilities.

5.11.1.2 Triennial Security Audits by the FBI CJIS Division

The FBI CJIS Division is authorized to conduct security audits of the CSA and SIB networks and systems, once every three (3) years as a minimum, to assess agency compliance with the CJIS Security Policy. This audit shall include a sample of CJAs and NCJAs. Audits may be conducted on a more frequent basis if the audit reveals that an agency has not complied with the CJIS Security Policy.

5.11.2 Audits by the CSA

Each CSA shall:

1. At a minimum, triennially audit all CJAs and NCJAs which have direct access to the state system in order to ensure compliance with applicable statutes, regulations and policies.
2. In coordination with the SIB, establish a process to periodically audit all NCJAs, with access to CJI, in order to ensure compliance with applicable statutes, regulations and policies.
3. Have the authority to conduct unannounced security inspections and scheduled audits of Contractor facilities.

5.11.3 Special Security Inquiries and Audits

All agencies having access to CJI shall permit an inspection team to conduct an appropriate inquiry and audit of any alleged security violations. The inspection team shall be appointed by the APB and shall include at least one representative of the CJIS Division. All results of the inquiry and audit shall be reported to the APB with appropriate recommendations.

5.11.4 Appendix I contains all of the references used in this Policy and may contain additional sources that apply to this section.

Figure 15: The Audit of a Local Police Department

A local police department implemented a replacement CAD system that integrated to their state's CSA and was authorized to process CJI. Shortly after the implementation, their state's CSA conducted an audit of their policies, procedures, and systems that process CJI. The police department supplied all architectural and policy documentation, including detailed network diagrams, to the auditors in order to assist them in the evaluation. The auditors discovered a deficiency in the police department's systems and marked them "out" in this aspect of the FBI CJIS Security Policy. The police department quickly addressed the deficiency and took corrective action, notifying the auditors of their actions.

5.12 Policy Area 12: Personnel Security

Having proper security measures against the insider threat is a critical component for the CJIS Security Policy.
This section's security terms and requirements apply to all personnel who have access to CJI including those individuals with only physical or logical access to devices that store, process or transmit CJI.

5.12.1 Personnel Security Policy and Procedures

5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI:

1. To verify identification, a state of residency and national fingerprint-based record checks shall be conducted within 30 days of assignment for all personnel who have direct access to CJI and those who have direct responsibility to configure and maintain computer systems and networks with direct access to CJI. However, if the person resides in a different state than that of the assigned agency, the agency shall conduct state (of the agency) and national fingerprint-based record checks and execute a NLETS CHRI query using purpose code C, E, or depending on the circumstances. When appropriate, the screening shall be consistent with: (i) 5 CFR 731.106; and/or (ii) Office of Personnel Management policy, regulations, and guidance; and/or (iii) agency policy, regulations, and guidance. (See Appendix for applicable guidance regarding noncriminal justice agencies performing adjudication of civil fingerprint submissions.) Federal entities bypassing state repositories in compliance with federal law may not be required to conduct a state fingerprint-based record check.
2. All requests for access shall be made as specified by the CSO. The CSO, or their designee, is authorized to approve access to CJI. All CSO designees shall be from an authorized criminal justice agency.
3. If a felony conviction of any kind exists, the hiring authority in the Interface Agency shall deny access to CJI. However, the hiring authority may ask for a review by the CSO in extenuating circumstances where the severity of the offense and the time that has passed would support a possible variance.
4. If a record of any other kind exists, access to CJI shall not be granted until the CSO or his/her designee reviews the matter to determine if access is appropriate.
5. If the person appears to be a fugitive or has an arrest history without conviction, the CSO or his/her designee shall review the matter to determine if access to CJI is appropriate.
6. If the person is employed his/her designee, and, if applicable, the appropriate board maintaining management control, shall review the matter to determine if CJI access is appropriate. This same procedure applies if this person is found to be a fugitive or has an arrest history without conviction.
7. If the person already has access to CJI and is subsequently arrested and/or convicted, continued access to CJI shall be determined by the CSO. This does not implicitly grant hiring/firing authority with the CSA, only the authority to grant access to CJI.
8. If the CSO or his/her designee determines that access to CJI by the person would not be in the public interest, access shall be denied and the person's appointing authority shall be notified in writing of the access denial.
9. Support personnel, contractors, and custodial workers with access to physically secure locations or controlled areas (during CJI processing) shall be subject to a state and national fingerprint-based record check unless these individuals are escorted by authorized personnel at all times.

It is recommended individual background re-investigations be conducted every five years unless Rap Back is implemented.

5.12.1.2 Personnel Screening for Contractors and Vendors

In addition to meeting the requirements in paragraph 5.12.1.1, contractors and vendors shall meet the following requirements:

1. Prior to granting access to CJI, the CGA on whose behalf the Contractor is retained shall verify identification via a state of residency and national fingerprint-based record check. However, if the person resides in a different state than that of the assigned agency, the agency shall conduct state (of the agency) and national fingerprint-based record checks and execute a NLETS CHRI query using purpose code C, E, or depending on the circumstances.
2. If a record of any kind is found, the CGA shall be formally notified and system access shall be delayed pending review of the criminal history record information. The CGA shall in turn notify the Contractor-appointed Security Officer.
3. When identification of the applicant with a criminal history has been established by fingerprint comparison, the CGA or the CJA (if the CGA does not have the authority to view CHRI) shall review the matter.
4. A Contractor employee found to have a criminal record consisting of felony conviction(s) shall be disqualified.
5. Applicants shall also be disqualified on the basis of confirmations that arrest warrants are outstanding for such applicants.
6. The CGA shall maintain a list of personnel who have been authorized access to CJI and shall, upon request, provide a current copy of the access list to the CSO.

Applicants with a record of misdemeanor offense(s) may be granted access if the CSO determines the nature or severity of the misdemeanor offense(s) do not warrant disqualification. The CGA may request the CSO to review a denial of access determination.

5.12.2 Personnel Termination

The agency, upon termination of individual employment, shall immediately terminate access to CJI.