CJIS

The Criminal Justice Information Services (CJIS) is a division of the Federal Bureau of Investigation (FBI) that provides a centralized system for collecting, storing, and sharing criminal justice information across federal, state, and local law enforcement agencies. Established in 1992, CJIS manages a wide range of databases and systems that support criminal investigations, national security, and public safety.

Controls:

Establish and maintain formal agreements for sharing Criminal Justice Information (CJI) with external entities.

  • IEA.1 - Agreement Documentation

    Document all information exchange agreements with specifics on data handling and security responsibilities.

  • IEA.2 - Data Handling Controls

    Implement specific data handling controls as outlined in the information exchange agreements.

Ensure all personnel with access to CJI receive regular security awareness training.

  • SAT.1 - Initial Training

    Provide comprehensive security awareness training to all new personnel before granting access to CJI.

  • SAT.2 - Annual Refresher Training

    Conduct annual refresher security awareness training for all personnel with access to CJI.

  • SAT.3 - Role-Based Training

    Provide role-based security training tailored to the specific responsibilities of different job functions.

Establish and maintain an incident response plan to effectively handle security incidents involving CJI.

  • IR.1 - Incident Response Plan Development

    Develop a comprehensive written incident response plan that outlines procedures for identifying, containing, eradicating, recovering from, and following up on security incidents.

  • IR.2 - Incident Reporting Procedures

    Establish clear procedures for personnel to report suspected or actual security incidents.

  • IR.3 - Incident Response Testing

    Conduct periodic testing of the incident response plan to ensure its effectiveness.

Implement auditing mechanisms to track access to and use of CJI and establish accountability for security actions.

  • AA.1 - Audit Logging

    Enable comprehensive audit logging for all systems that process, store, or transmit CJI.

  • AA.2 - Regular Audit Log Review

    Establish a process for the regular review and analysis of audit logs.

  • AA.3 - Accountability for Actions

    Ensure that all actions taken on systems containing CJI can be attributed to a specific individual.

Implement controls to limit access to CJI to only authorized personnel on a need-to-know basis.

  • AC.1 - Role-Based Access Control Implementation

    Implement role-based access control (RBAC) to assign access permissions based on job roles and responsibilities.

  • AC.2 - Principle of Least Privilege Enforcement

    Enforce the principle of least privilege by granting users only the minimum level of access required for their job functions.

  • AC.3 - Physical Access Control to Data Areas

    Implement physical access controls to restrict unauthorized entry to areas where CJI is processed, stored, or transmitted.

Establish and implement robust identification and authentication mechanisms for accessing CJI.

  • IA.1 - Unique User Identification

    Assign a unique identifier to each individual with authorized access to CJI.

  • IA.2 - Strong Authentication Enforcement

    Enforce strong authentication methods for accessing systems containing CJI.

  • IA.3 - Session Management

    Implement session management controls to protect against unauthorized access to active user sessions.

Establish and maintain a secure configuration management process for all systems handling CJI.

  • CM.1 - Baseline Configuration

    Establish and document baseline security configurations for all types of systems that process, store, or transmit CJI.

  • CM.2 - Change Control Process

    Implement a formal change control process for all changes to systems containing CJI.

  • CM.3 - Vulnerability Management

    Implement a process for identifying, assessing, and remediating security vulnerabilities in systems handling CJI.

Implement policies and procedures to protect physical and electronic media containing CJI throughout its lifecycle.

  • MP.1 - Media Storage and Access Control

    Securely store all physical and electronic media containing CJI in controlled areas with access restricted to authorized personnel.

  • MP.2 - Media Transport Procedures

    Establish secure procedures for transporting physical and electronic media containing CJI outside of controlled areas.

  • MP.3 - Media Sanitization and Disposal

    Implement procedures for securely sanitizing or destroying media containing CJI when it is no longer needed.

Implement physical security measures to protect the facilities and areas where CJI is processed, stored, or transmitted.

  • PP.1 - Facility Access Control

    Control physical access to facilities housing systems that process, store, or transmit CJI.

  • PP.2 - Workstation Security

    Implement security measures to protect workstations and devices used to access CJI.

  • PP.3 - Environmental Controls

    Maintain appropriate environmental controls (temperature, humidity, power) in facilities housing CJI systems.

Implement security measures to protect systems and communications networks and ensure the integrity of CJI.

  • SCP.1 - Network Security Controls

    Implement network security controls to protect the communication pathways for CJI.

  • SCP.2 - Malware Protection

    Deploy and maintain anti-malware software on all systems that process, store, or transmit CJI.

  • SCP.3 - Information Integrity Measures

    Implement measures to ensure the accuracy, completeness, and validity of CJI.

Conduct formal audits to assess compliance with the CJIS Security Policy.

  • FA.1 - Internal Audits

    Conduct periodic internal audits to evaluate adherence to CJIS Security Policy requirements.

  • FA.2 - External Audits

    Undergo external audits as required by the CJIS Security Policy or relevant authorities.

Implement personnel security practices to ensure that individuals with access to CJI are trustworthy and reliable.

  • PS.1 - Background Checks

    Conduct background checks on all personnel prior to granting access to CJI.

  • PS.2 - Personnel Termination Procedures

    Establish and implement procedures for terminating access to CJI upon personnel termination or transfer.

Establish policies and controls for the use of mobile devices that access, store, or transmit CJI.

  • MD.1 - Mobile Device Policy

    Develop and implement a comprehensive policy for the use of mobile devices accessing CJI.

  • MD.2 - Mobile Device Management

    Implement mobile device management (MDM) capabilities to enforce security policies on mobile devices accessing CJI.