Who’s the last organization you’d expect to be a cyberattack victim? If you answered law enforcement, you’d be correct—but the problem is, it’s happening right now. Police and law enforcement agencies are under cyber assault, and these developments put sensitive information, ongoing investigations, and the very fabric of justice at grave risk.
A recent study has highlighted several ongoing dangers to law enforcement agencies, including email hacks and cybercriminals using social engineering techniques to issue false subpoenas and Emergency Data Requests to big tech companies like Apple and Meta, to gather detailed information on their targets illegally. This is even more concerning because a Motorola Solutions survey found that only 30% of law enforcement respondents have a plan ready for cyber incidents or use threat intelligence—and just 54% undertake cybersecurity training initiatives.
The escalating threat landscape underscores the vital role of CJIS (Criminal Justice Information Services) security awareness training—a program specifically crafted to guide individuals involved with CJIS in safeguarding critical information. This program encompasses various facets of security, including compliance, data protection, and incident response.
This post will be your “cheat sheet” for everything you need to know about CJIS security compliance, and the CJIS security awareness training your law enforcement organization needs to be prepared for.
What is CJIS security compliance?
CJIS security compliance embodies standards and regulations that direct law enforcement agencies within the United States to secure and preserve Criminal Justice Information (CJI). This information, which contains sensitive data concerning criminal activities, investigations, and individuals, necessitates stringent protection to maintain the confidentiality and effectiveness of law enforcement operations.
The CJIS Security Policy is a robust framework stipulating the minimal security prerequisites and controls to shield Criminal Justice Information (CJI). This dynamic policy encompasses directives issued by the president and the FBI, federal statutes, and decisions rendered by the Advisory Policy Board in the criminal justice community. Additionally, it integrates insights from the National Institute of Standards and Technology (NIST), reflecting evolving security stipulations over time.
An essential aspect of this policy is detailing thirteen critical areas that private entities, including cloud service providers, must scrutinize to ensure their cloud services align with CJIS standards. This evaluation process is closely aligned with the guidelines in NIST 800-53, forming the foundation of the Federal Risk and Authorization Management Program (FedRAMP).
To further fortify the security measures, all private contractors involved in CJI processing must comply with the CJIS Security Addendum. This uniform agreement, endorsed by the US Attorney General, guarantees the security and privacy of CJI, as necessitated by the Security Policy. It binds the contractor to uphold a security regimen that complies with federal and state laws, regulations, and standards while restricting the utilization of CJI to the objectives outlined by the providing government agency.
What are the 4 levels of CJIS security compliance?
To cater to different law enforcement agencies’ unique needs, CJIS security compliance is stratified into four distinct levels, each having specific requirements. These levels are formulated to accommodate varying data types and corresponding security necessities.
Level 1: Basic Security Awareness
Primarily intended for individuals needing rudimentary security training, focusing on the significance of security measures and adherence to CJIS policies.
Level 2: Security Awareness Training
Tailored for those with physical access to CJI, instructing on data access and handling protocols.
Level 3: Additional Security Training
Designed for authorized personnel who can alter or manage CJI, emphasizing responsibilities and security protocols.
Level 4: Advanced Security Training
Geared towards IT personnel and administrators responsible for overseeing the technical infrastructure supporting CJI systems, with education on system security, data integrity protection, and incident response.
Thorough training at all levels not only protects CJI data but also builds an organizational cybersecurity awareness culture.
Who is subject to CJIS security compliance?
Compliance with CJIS security standards is mandatory for everyone interacting with CJI. This encompasses:
- Law enforcement personnel (CJAs)
- Vendors
- Contractors
- Non-criminal justice agencies (NCJAs)
The frequency and duration of CJIS security awareness training may vary based on the compliance level assigned to an agency or individual. They can be influenced by factors such as training format, materials used, and session pacing. Consequently, organizations should customize their training programs to meet their specific needs.
What’s the difference between CJAs and NCJAs?
Criminal justice agencies (CJAs) are directly connected to the criminal justice system. They are responsible for upholding the law.
Examples of CJAs:
- Police Department.
- Sheriff’s Office.
- Federal Bureau of Investigation (FBI).
- State Department of Corrections.
- District Attorney’s Office.
Non-criminal justice agencies (NCJAs) are not directly involved in law enforcement. But, they need to access CJIS data for specific tasks like background checks, licensing, and immigration.
Examples of NCJAs:
- Department of Motor Vehicles (DMV).
- Department of Health.
- Public School District.
- Human Resources Department.
- Environmental Protection Agency (EPA).
What are the CJIS Security Awareness Training Requirements?
Specific requirements are stipulated for each compliance level to ensure that individuals and organizations with access to CJI receive appropriate training to safeguard this information.
Here are the CJIS security awareness training requirements for each level:
| Policy Area | Title | Description |
| 1 | Information Exchange Agreements | Establish formal collaborations between organizations or agencies exchanging CJI, affirming adherence to the requisite CJIS security protocols. |
| 2 | Security Awareness Training | Obligatory basic CJIS security awareness training for all personnel handling CJI, to be completed within six months of their initial appointment. The CSP outlines the specificities of these four distinct training levels. |
| 3 | Incident Response | Development and enactment of protocols to address incident responses, facilitating the identification, containment, alleviation, and recuperation from data infringements or assaults. |
| 4 | Auditing and Accountability | Creation of system audit logs for specified events, particularly scrutinizing all interactions with CJI. This involves tracking the individuals accessing the data, the timing, and the motives behind their access, under the oversight of administrators. |
| 5 | Access Control | Instituting mechanisms to regulate and oversee user accessibility to data and network systems effectively. |
| 6 | Identification and Authentication | Adoption of stringent authentication practices, inclusive of multi-factor authentication, to safeguard sensitive information access. |
| 7 | Configuration Management | Structured management of alterations in software configurations, spanning software updates to hardware modifications, necessitating comprehensive documentation and safeguarding against unauthorized intrusions during transitions. |
| 8 | Media Protection | Guaranteeing the secure disposal or destruction of CJI documents and data once they have surpassed their utility period. |
| 9 | Physical Protection | Mandating robust physical and personnel security measures at all CJIS facilities to shield CJI data, employing means such as surveillance cameras and alarm systems. |
| 10 | System & Communications Protection & Information Integrity | Deployment of fortified network security infrastructure incorporating elements like firewalls, encryption, antivirus software, and intrusion prevention systems to thwart potential breaches. |
| 11 | Formal Audits | Periodic and formalized security evaluations for organizations handling CJI in any capacity, ensuring strict adherence to CJIS security protocols. |
| 12 | Personnel Security | Implementation of comprehensive security vetting processes for all staff, contractors, and vendors accessing CJI, encompassing fingerprint-based checks coordinated with IAFIS alongside residential state verifications. |
| 13 | Mobile Devices | Enforcing a stringent usage policy for all mobile gadgets accessing CJI, potentially supplemented by additional security protocols paralleling the safeguards established for in-house devices. |
It’s imperative to note that this is not a one-off requirement; regular training is essential to keep abreast of evolving threats and the latest best practices and to continuously improve organizational cyber resilience.
Getting certified in CJIS is an important career goal for personnel working with criminal justice information. It shows they meet the necessary security standards and can be trusted with sensitive data.
CJIS certification comes in four different compliance levels, as explained above, and you can get certified at any level based on your job role. However, there are two crucial steps to follow to become CJIS-certified:
1. Meeting Security Requirements
The first step involves following security policies and procedures outlined in the CJIS security policy. It includes understanding encryption principles, password management, and responding to security incidents.
2. Security Awareness Training
The second step is completing security awareness training specific to your CJIS compliance level. It covers various aspects, like access control, incident response, and recognizing and mitigating cyber threats.
CybeReady: The CJIS Security Awareness Training Solution
As law enforcement agencies become increasingly targeted by cybercriminals, protecting sensitive information and upholding the foundations of justice have never been more critical. In this context, CJIS security emerges as a vital shield against potential threats, necessitating regular training and certification to stay ahead of evolving cyber risks.
While CJIS compliance and certification requirements can seem complex, the required cybersecurity awareness training doesn’t have to be. CybeReady offers a comprehensive platform that makes security awareness training effective and manageable.
Featuring customized training modules, engaging and informative learning methods, progress monitoring, and a flexible training pace, CybeReady offers CJA, NCJA, contractor, and vendor organizations programs that ensure you are thoroughly prepared to tackle the challenges of CJIS compliance.
Connect with CybeReady today to learn how we can facilitate effective training for your team.
