CJIS & Smartphones: Best Practices for Keeping Data Secure & CJIS Compliant
Smartphones have become an indispensable tool for LEOs – from capturing incident photos to completing reports, the number of uses for smartphones keeps growing.
Since the use of smartphones in public safety typically involves some type of criminal justice information, having the right technology and procedures to ensure compliance with CJIS policy is critical.
Below are some key steps and resources for navigating CJIS compliance for mobile devices.
- Know your state’s CSO: CSOs (CJIS Systems Officers) are responsible for monitoring compliance with CJIS policy, and in certain areas of security policy, processes not expressly authorized and documented in CJIS policy should be submitted to the state CSO before being implemented. For advanced authentication and compensating controls on mobile devices, it is particularly important to coordinate with your state CSO for review and approval on any plans (more on these topics below).
- Review current operations and infrastructure: If officers are already accessing CJI from MDTs in their unit or from other devices not physically located in agency buildings, your agency likely has some CJIS infrastructure processes already in place. Assess how those existing processes can be reused or updated to cover smartphones in the field. Also consider consulting other agencies in your state that have successfully implemented a CSO-approved smartphone program for their officers. Using the same approach as a model for your own agency’s program will save time and increase the likelihood of CSO approval.
- Implement Mobile Device Management: Mobile Device Management (MDM), also known as Enterprise Mobile Management, is required by CJIS policy for direct access to criminal justice information. With an effective MDM solution, agencies can streamline device configuration, manage OS updates, and remotely lock or wipe lost or stolen phones.
At a minimum, an agency’s MDM tool should have the following capabilities to be CJIS compliant:
- Remote device lock and/or wipe
- Automatically wipe devices after a specified number of failed access attempts
- Determine the location of agency-controlled devices
- Detect rooted and jailbroken devices
- Detect unauthorized software or applications
- Set and lock device configuration
- Detect unauthorized configurations
- Apply mandatory policy settings on the device
- Enforce folder or disk-level encryption
- Prevent unpatched devices from accessing CJI or CJI systems
In addition to MDM, there should be a clear, documented policy for officers and staff to immediately report missing, stolen or lost devices to appropriate agency personnel. Immediate reporting allows agencies to take appropriate action, such as remotely locking or wiping the device, to prevent unauthorized access to CJI.
- Get to know the CJIS requirements for Advanced Authentication & Compensating Controls: Any mobile device that accesses or stores CJI must use advanced authentication (also called two-factor or multifactor authentication) to be CJIS compliant, unless the access to CJI data is indirect. Under the CJIS Security Policy (section number garbled in the source text), the designated CSO makes the final determination as to whether access is considered indirect.
With advanced authentication (AA), users must present something they have (such as a single-use code or a hard token) or something they are (a biometric such as facial recognition or a fingerprint) in addition to their username and password. This adds an extra layer of security in case an officer’s username and password are compromised.
Meeting AA requirements while balancing officer safety and efficiency is one of the more challenging areas of building a CJIS-compliant smartphone program. Agencies are exploring AA methods that are more convenient for officers in the field, such as using a device certificate as the second factor.
Because authentication technology is constantly evolving, some methods that are more secure and/or more efficient may not be explicitly mentioned in CJIS policy. In these cases, CJIS allows for ‘Compensating Controls,’ which are alternative security processes that provide the same or a greater level of protection than AA. Again, these controls are subject to review and approval by the designated CSO before they can be considered CJIS compliant.
- Requirements Companion Document to the FBI CJIS – This 35-page supporting document for CJIS policy gives a concise overview of the ‘Shall’ statements included in the full policy document.
- NIST Special Publication 800-63 – Since the FBI and NIST work together on CJIS security practices, reviewing NIST recommendations can be helpful when developing mobile device policy.