What is CJIS compliance and why is it important for law enforcement?

In this article, we discuss what being ‘CJIS Compliant’ means, how it applies to your agency, and how you can electronically share files that contain Criminal Justice Information (CJI) while maintaining compliance. First, CJIS (Criminal Justice Information Services) is a division of the FBI that provides “tools and services to law enforcement, national security and intelligence community partners, and the general public.” The CJIS Security Policy integrates presidential directives, federal laws, FBI directives, and the criminal justice community’s Advisory Policy Board (APB) decisions, along with nationally recognized guidance from the National Institute of Standards and Technology (NIST) and the National Crime Prevention and Privacy Compact Council (Compact Council). CJIS compliance is the act of complying with the CJIS Security Policy. Many of the security controls are based on NIST 800-53, which is also the basis for many of the Federal Risk and Authorization Management Program (FedRAMP) requirements.

What is the purpose of the CJIS Security Policy?

The explicit purpose of the policy is stated in 1.1: “The CJIS Security Policy provides Criminal Justice Agencies (CJA) and Noncriminal Justice Agencies (NCJA) with a minimum set of security requirements for access to Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Division systems and information and to protect and safeguard CJI. This minimum standard of security requirements ensures continuity of information protection. The essential premise of the CJIS Security Policy is to provide the appropriate controls to protect CJI, from creation through dissemination; whether at rest or in transit.” The policy outlines that CJI includes, but is not limited to, biometric, identity history, biographic, property, and case/incident history data. The policy also requires that law enforcement agencies have policies and procedures in place to protect the confidentiality of this sensitive information.

Why is CJIS Compliance important for law enforcement?

CJIS compliance is important for law enforcement for a few reasons. First, the consequences of improperly accessing or using CHRI and NCIC Non-Restricted files information can be severe. These include termination of services as well as state and federal criminal penalties. CJIS compliance ensures that this information is stored securely and is only accessed by authorized personnel. Second, CJIS compliance helps to ensure that law enforcement agencies are able to effectively share information with each other and with other government agencies. This sharing of information is critical for investigating crimes and apprehending suspects. Using CJIS-compliant file sharing dramatically speeds up these processes, maintains accountability, and reduces friction.

What are the benefits of a CJIS-compliant file sharing solution?

There are many benefits to using a CJIS-compliant file sharing solution. First and foremost, it eliminates the need for faxes, USB drives, and physical delivery, which can be cumbersome and time-consuming. Second, it speeds up delivery times, as files can be sent electronically rather than through the mail or by courier. Third, it lowers costs, as you no longer need to print or mail documents, buy CDs/DVDs/thumb drives, or deliver CJI records in person. Fourth, it provides better security, as CJIS-compliant solutions are designed to meet the stringent security requirements of CJIS and remove the element of human error. Finally, it offers better tracking, as CJIS-compliant solutions offer detailed logs of who accessed what files and when.

How to choose the right CJIS-compliant file-sharing solution for your organization

When it comes to choosing a CJIS-compliant file-sharing solution for your organization, the cost is often a primary concern. However, it’s important to remember that the right solution is an investment that can save you time and money in the long run. In addition to cost, another important consideration is whether or not the other party will need to purchase proprietary software or obtain a license in order to access the files you share. Look for a solution that is easy to use and doesn’t require extra software or licensing fees for agencies receiving files from you. By taking the time to find the right solution for your needs, you can ensure that your organization stays compliant, stays on budget, and works well with other agencies.

Tips for implementing CJIS-compliant file sharing

When it comes to file sharing, the CJIS Security Policy is non-negotiable. But that doesn’t mean file sharing has to be complicated or expensive. Implementing a solution doesn’t have to take months either. Here are a few tips for fast, CJIS-compliant file sharing:

– First, determine who needs access to the files and platform. Not every employee needs access to CJI, and those who do not need it should not be granted access. By limiting access, you’ll stay compliant and also limit the risk of a data breach.
– Once you’ve determined who needs access, contact partner agencies and let them know about your new process and tools. This may include sending them an invite from your software application.
– Finally, make sure to regularly review your users and their access/permissions to ensure they are still CJIS-compliant. The CJIS Security Policy requires that users have the minimum level of access required and that their access is audited annually. Make sure that your solution makes it easy to understand permissions and conduct this audit.

With the right planning, fast and compliant file sharing is easy and achievable.

What features should be considered when selecting a CJIS-compliant file-sharing solution?

When it comes to CJIS-compliant file sharing, here are a few things to keep in mind when making your selection:

First, consider the size of the files that you are sending. If you ever need to send files over 10MB, you will want to avoid email-based solutions, as well as any that have file size restrictions. Email servers often block certain types of files as well, which can hinder your process.

Second, you will want to be sure that you can use the solution without having to install any software on workstations or local servers. Installed software often needs updates and cannot quickly react to changes in the CJIS Security Policy.

Third, consider your needs. What kind of files do you need to share? How often will you need to share them? How many people will need access? The solution you choose should be scalable, easy to use, and require minimal setup and training. Many agencies have tried to implement a solution using FTP/SFTP but find that this method is difficult to maintain, makes access difficult to control, and ultimately does not scale well when working with more than 1 agency.

Fourth, take a look at the different options available and compare their features. Make sure they offer the level of security and compatibility you need, as well as any other features that are important to you. When reviewing a vendor’s security, make sure they are compatible with the latest changes to the CJIS Security Policy. Many companies do an initial CJIS assessment but do not bother with maintaining compliance for their staff or their software.

Finally, if reviewing a web-based or SaaS application, ask the company if it has any form of ‘god-mode’ where their staff can see your records or information. If the software vendor you choose doesn’t need access to your CJI, there is no reason they should be able to access it. Even if the staff is properly trained, this opens up the door for more potential risks.

How much will it cost to implement a CJIS-compliant file-sharing solution?

The price of implementing a CJIS-compliant file-sharing solution can vary greatly depending on the size of the organization and the number of users. This includes the cost of licensing, installation, and training. For larger organizations, the price can increase significantly. The biggest factors determining the price of implementing a CJIS-compliant file-sharing solution will be (1) how many users require access, (2) the size of the files, and (3) whether long-term storage is required.

FAQs about CJIS compliance and file sharing for law enforcement

This is a common misconception. There is no formal certification process for CJIS compliance. There are audits and assessments that can be performed either by the FBI or by private companies, like Diverse Computing (CJIS ACE), which performed the assessment of GovTransfer. Compliance with the CJIS Security Policy should be seen as an ongoing process, continually sought by vendors and agencies, as the policy is continually being updated. When reviewing a vendor, ask to see their CJIS policies to see if they align with your agency’s standards.

Yes. The FBI CJIS Security Policy outlines the minimum requirements, but the state CJIS Systems Agency (CSA) may add additional requirements. Check with your state CSA to see what additions, if any, have been made.

To allow Criminal and Noncriminal Justice Agencies to contract with private entities, the FBI added the Security Addendum to the CJIS Security Policy. The addendum outlines the boundaries and the requirements for this relationship. The security addendum must be included in the contract between the vendor and the Contracting Government Agency (CGA). H-5 of the CJIS Security Policy provides a sample contract addendum that a vendor can use to amend an existing CJA-vendor contract.

A NCJA is defined (for the purposes of access to CJI) as an entity or any subunit thereof that provides services primarily for purposes other than the administration of criminal justice.

A CGA is a government agency, whether a CJA or a NCJA, that enters into an agreement with a private contractor subject to the CJIS Security Addendum. The CGA entering into an agreement with a contractor shall appoint an agency coordinator.

A CJA is defined as a court, a governmental agency, or any subunit of a governmental agency which performs the administration of criminal justice pursuant to a statute or executive order and which allocates a substantial part of its annual budget to the administration of criminal justice. State and federal Inspectors General Offices are included.

Criminal History Record Information (CHRI), sometimes informally referred to as “restricted data”, is a subset of CJI. Due to its comparatively sensitive nature, additional controls are required for the access, use and dissemination of CHRI. In addition to the dissemination restrictions outlined below, Title 28, Part 20, Code of Federal Regulations (CFR), defines CHRI and provides the regulatory guidance for dissemination of CHRI. While the CJIS Security Policy attempts to be architecturally independent, the III and the NCIC are specifically identified in Title 28, Part 20, CFR, and the NCIC Operating Manual, as associated with CHRI.


Published on: July 20, 2022. Categories: Resources
