Cybersecurity Month Series: The CJIS Security Policy Was Just Updated; What You Should Know

Public safety agencies across the country have been preparing to meet new CJIS compliance requirements, taking effect October 1, 2024. As Cybersecurity Month begins, it’s crucial for agencies to ensure they have compliant controls and protocols in place. To help law enforcement agencies, we’ve compiled key questions agencies should ask their vendors to ensure they are staying compliant, protecting their data, and avoiding sanctions. 

At Mark43, security is a cornerstone of all that we do. Operating on the AWS GovCloud, we implement advanced security protocols, including FIPS 140-3 encryption, to ensure robust compliance for our customers. Our commitment to transparency and accountability is upheld through rigorous internal assessments based on CJIS standards, alongside comprehensive external audits conducted by our SOC 2 auditor. These measures enable us to continuously enhance customer protection and resilience. 

  1. What are the new CJIS requirements as of October 1, and why were these updates made?  

Over the past several years, the FBI’s Criminal Justice Information Services (CJIS) division has continuously updated and modernized the CJIS Security Policy to better align with the National Institute of Standards and Technology (NIST) 800-53 framework. These enhancements aim to strengthen the protection and management of Criminal Justice Information (CJI). While compliance with CJIS requirements is the responsibility of public safety agencies, it is equally essential for their technology vendors to remain informed and adhere to these evolving standards to maintain secure access to critical data. For vendors serving the public safety sector, implementing robust workflows and controls is vital due to the sensitive and mission-critical nature of the information they manage on behalf of their customers. 

This latest round of Policy updates has significantly affected roughly 50% of the CJIS Security Policy across several key areas: 

  • Access Control: Stricter guidelines for user access, including multi-factor authentication (MFA) and regular audits. 
  • Data Protection: Enhanced encryption requirements for data in transit and at rest. 
  • Incident Response: Updated protocols for responding to security incidents, including reporting timelines and procedures for addressing breaches. 
  • Training and Awareness: Increased emphasis on training for personnel handling criminal justice information. 
  • Third-party Management: More rigorous requirements for managing third-party vendors that access CJIS data. 
  • Identity and Exit Management: Enhanced protocols for verifying user identities and promptly revoking access when personnel leave or change roles.

  2. How do the new CJIS requirements ensure enhanced security and compliance?

The updated CJIS policy strengthens security across the criminal justice system by requiring vendors to enhance data controls, especially in response to rising identity-based cyberattacks and phishing. Implementing robust authentication controls, maturing incident response capabilities, and adopting stronger encryption protocols are all essential for safeguarding your networks, systems, and mission-critical data. For instance, selecting a phishing-resistant MFA method and enforcing exit management protocols will ensure sensitive data stays secure.

  3. Why is it important for these requirements to be adopted and supported across the business?

Though categorized as “new”, many of these requirements are foundational for compliance and for maintaining a secure, resilient ecosystem for public safety agencies. It is crucial for vendors to implement these controls promptly so that they can provide evidence when needed to support their customers during an audit.

The updates reinforce strong cybersecurity hygiene, protecting both vendors and their customers from ransomware and other cyber threats. For public safety vendors, adherence to these requirements is critical to safeguarding CAD, RMS, and JMS systems from breaches or leaks on the dark web. In public safety, maintaining data security is not just a priority; it’s a fundamental expectation from constituents. These requirements serve as critical benchmarks and ensure operational continuity and resilience against emerging threats—essential for managing mission-critical public safety data. 

At Mark43, our security experts are knowledgeable and understand what it takes to implement the controls effectively. We are dedicated to keeping our customers informed about these changes, their implications, and how they can enhance both security and operations. Ready to learn more? Let’s start the conversation and work together to support a safer tomorrow. Schedule a meeting now to find out how the Mark43 Public Safety Platform can support your mission.