How to protect your agency’s data in compliance with new CJIS Security Policy guidelines By:

0
8

By Sean Georgia

Thank you for reading this post, don't forget to follow and signup for notifications!

Law enforcement agencies have increased the number of mobile devices in their technology stacks. Rugged laptops and tablets help officers complete their mission-critical tasks more efficiently so they can spend much-needed time interacting with the community and collectively focusing on preventing crime. Mobile computing devices are a much-needed tool for operational effectiveness in an increasingly connected and data-driven law enforcement landscape.

Increasing the number of computing devices deployed across a department to boost efficiency likewise increases the threat landscape for the department. The 2023 Data Breach Investigations Report from Verizon reveals that 20% of incidents and 11% of breaches analyzed were linked to the public sector, the most of any industry. At the same time, only 20% of law enforcement professionals feel their agency is “very prepared” for a cyberattack.

Cyberattacks targeting firmware are especially problematic because they can most often evade detection by traditional vulnerability scanners. In 2021, more than 80% of enterprises had experienced at least one firmware attack in the prior two years, but only 29% of security budgets were allocated to protecting firmware.

The FBI Criminal Justice Information Services (CJIS) Division took notice of firmware vulnerabilities when they published CJIS Security Policy version 5.9.2 (CJISSECPOL version 5.9.2) in December 2022. The policy requires all criminal justice and noncriminal agencies utilizing criminal justice information derived from a federal source to ensure the integrity of firmware on devices and information systems containing, processing, or transmitting criminal justice information.

As of October 2023, compliance with CJISSECPOL version 5.9.2. has been auditable and sanctionable by the Advisory Policy Board. The current CJISSECPOL, version 5.9.5, has further emphasized firmware integrity by making this requirement the highest priority, P1. Agencies will need to update their security protocols before facing audits in the coming years.

Ensuring compliance with these guidelines can be challenging, especially with agencies not accustomed to implementing firmware protections. Let’s explore the details behind these guidelines and tips to ensure compliance.

What does the CJIS Security Policy specify?

Criminal justice information on laptops, tablets and servers, and transmitted through an agency network infrastructure, is protected by controls within the CJISSECPOL. Accordingly, the CJISSECPOL applies to all end-user devices, networks and network appliances that view, process, store and transmit criminal justice information.

CJISSECPOL version 5.9.2 was a major revision requiring all criminal justice information systems to ensure firmware integrity. Departments should already have vulnerability scanners in place, but for the most part, these scanners do not offer visibility into the low-level firmware code to ensure unauthorized changes have not taken place at the firmware level. Agencies failing to implement a firmware integrity solution on each device and network appliance risk a derogatory CJIS audit finding and are extremely vulnerable to a cyberattack.

While firmware integrity compliance has been auditable and sanctionable since October 2023, some agencies know their CJIS audit isn’t scheduled for another few years and may be tempted to hold off on implementing a security solution until that date approaches. However, agencies are responsible for CJIS compliance at all times, not just when their audit is occurring. With the rising threat of firmware attacks, it’s critical to implement the proper security precautions as soon as possible to mitigate risk.

Features to consider for your security solution

Traditional cybersecurity solutions focus on detecting issues such as malware on the operating system, but to detect firmware threats, law enforcement agencies need a firmware integrity solution that works below the operating system level. For computing devices, it is especially important that the solution operates efficiently — when time matters, an officer trying to quickly look up information before responding to a call can ill-afford to contend with slow processing and poor performance from their computer. The latest firmware integrity tools can quickly perform the scan at start-up and then sleep to avoid consuming additional system resources.

Despite their importance, most law enforcement agencies are not utilizing firmware controls at this stage. The controls help agencies verify the integrity of mobile devices and ensure they haven’t been compromised in either production or while in transit from the manufacturer to the department. Additionally, while devices are under agency control, a firmware integrity solution continues to ensure there are no unauthorized changes, neither nefarious nor accidental, to the firmware.

Real-time alerts are also important so departments can begin executing their incident response procedures as quickly as possible. Deploying a comprehensive firmware integrity solution helps agencies comply with the CJISSECPOL to protect criminal justice information and their most sensitive data.

Seek out tech partnerships to ensure firmware integrity

Working with a mobile device provider that offers a firmware integrity solution is part of a holistic security strategy. Department leaders should work with the provider to ensure the mobile devices they implement offer the most comprehensive security features from both a hardware and firmware perspective.

Deploying devices that are modular and user-upgradeable will also help departments adapt to changing technology and security protocols. For instance, another CJISSECPOL requirement, which is auditable as of October 2024, requires departments to implement multi-factor authentication for each device user. As such, each employee will need to utilize two or more of the following: smart card, biometric feature (e.g., fingerprint), and password or PIN. Departments that have modular devices with smart card readers can easily add a fingerprint reader to another device port. This way, employees can conveniently scan their smart card and/or fingerprint before entering a password and accessing the device and mission critical data. Using a device with a modular design assists the department to avoid purchasing entirely new devices when security regulations are updated.

Working with an experienced provider to implement a firmware integrity solution alongside secure hardware features helps streamline the process of complying with the ever-evolving CJISSECPOL. It also allows departments to implement compliance standards now, as required, instead of waiting for their audit to approach.

Implementing rugged computing solutions to meet the demands of law enforcement is non-negotiable. Criminal justice agencies’ compliance with the CJISSECPOL is also non-negotiable. Complying with the CJISSECPOL helps prevent exposure to malicious data breaches and attacks while also safeguarding a department’s most sensitive data.

About the author

Sean Georgia is Territory Account Manager for Professional Services (Public Sector), Panasonic Connect, and retired Director of the Bureau of Communications and Information Services for the Pennsylvania State Police.