CJIS Compliance & Audits in Public Safety

Adhering to stringent cybersecurity standards is not only a good first-line defense against cyber-attacks, but it’s also a requirement for government agencies.

The public sector is seeing an increase in cyber-attacks that threaten organizational and public safety. In 2021, ransomware attacks against state and local governments spiked, with nearly 6 in 10 organizations hit with ransomware, up from one-third from the previous year, according to Sophos research.

Adhering to stringent cybersecurity standards is not only a good first-line defense against cyber-attacks, but it’s also a requirement for government agencies. The Criminal Justice Information Services Division (CJIS) is a central repository of data and services supporting community agencies and municipalities, state and local law enforcement, national security and intelligence, and the public. CJIS data gathered by public safety agencies include criminal background information, fingerprints, personal information, and other sensitive information. The FBI’s largest division, CJIS is comprised of several departments, including:

• Uniform Crime Reporting (UCR)
• National Instant Criminal Background Check System
• National Crime Information Center (NCIC)
• The Integrated Automated Fingerprint Identification System (IAFIS)
• The National Incident-Based Reporting System (NIBRS)

Among some of the strictest cybersecurity standards, CJIS policies help protect agencies against suspicious cyber activity and ransomware attacks. Non-compliance with CJIS not only prevents agencies from accessing FBI databases and the CJIS system but can also result in fines and serious penalties.

Regular FBI Audits Target CJIS Compliance

To ensure state, local, and territorial agencies adhere to CJIS standards, the FBI conducts audits of government agencies to ensure they are doing what's necessary to protect critical data. Every three years, an auditor will visit the agency to conduct an interview and review data and facility security protocols. Specifically, CJIS audits ensure requirements and standards are met for the following 13 security policy areas:

• Information exchange agreements
• Security awareness training
• Incident response
• Auditing and accountability
• Access control
• Identification and authentication
• Configuration management
• Media protection
• Physical protection
• Systems/communications protection & information integrity
• Formal audits
• Personnel security
• Mobile devices

The audit process begins with a set of pre-audit activities and requires agencies to provide information that answers the FBI’s pre-audit questionnaire. The information can include:

• Management control agreements and CJIS security addendums
• Policies and procedures, including personnel sanctions, physical and electronic media protection, and security incident response
• Security awareness training materials and records
• Current technical security audit reports
• Background on the network infrastructure and information systems utilized to store, access, or transmit any Criminal Justice Information
• Description of measures taken to protect those identified networks and information systems

Fortunately, there are several resources that can help agencies prepare to answer the auditor's questions and demonstrate compliance, including an Overview of the FBI Audit Process, CJIS Security Policy,  and Information Technology Security Audit Criminal Justice Agency - Pre-Audit Questionnaire.

A Roadmap to Compliance and Beyond

If you have questions about meeting the requirements of the audits, we can help. The best first step to ensuring you are prepared is to make sure your cybersecurity management plan measures up. Contact us for a tailored Security Survey that provides a roadmap for addressing your top cyber-compliance gaps while leveraging the tools and systems you already have in place.

Contact Solutions II to learn how our Security Survey can deliver a proactive, cyber-resilient roadmap for your agency.