Criminal Justice Information Services (CJIS) Compliance at End2End Public Safety
This document is provided for informational purposes only, and it is provided “as is,” without warranties of any kind, whether express or implied. In addition, this document does not create any representations, contractual commitments, conditions or assurances from End2End or any of its related entities. End2End’s responsibilities to its clients are set forth in the contract(s) it has signed with those clients, and this document is not a part of, and does not modify, any such contract. The document reflects End2End’s current CJIS compliance practices, which may be updated from time to time at End2End’s discretion and without advance notice. End2End’s clients and prospects are responsible for making their own assessment of the information contained herein, and/or of End2End’s products and services, each as they may be updated from time to time.
Executive Summary
The CJIS Security Policy provides Criminal Justice Agencies (CJA) and Noncriminal Justice Agencies (NCJA) with a minimum set of security requirements for access to FBI CJIS systems and information for the protection and safeguarding of CJI. Certain End2End clients include CJAs and NCJAs who license End2End products to manage CJI, putting End2End and those clients under a shared responsibility framework with respect to that CJI. End2End manages compliance with CJIS Security Policy requirements where applicable, such as providing states with fingerprint cards for End2End employees with access to CJI and signing CJIS security addendum agreements with our clients. The purpose of this whitepaper is to provide an overview of End2End’s CJIS compliance program, including the shared responsibility model under which it operates in partnership with its impacted clients.
To access the FBI’s CJIS Security Policy itself, please visit the FBI’s CJIS Security Policy Resource Center.
Criminal Justice Information (CJI), Defined
CJI refers to all of the FBI’s CJIS-provided data necessary for law enforcement agencies to perform their mission and enforce the laws. CJI includes biometric, identity history, person, organization, property and case/incident history data. It also includes FBI’s CJIS-provided data necessary for civil agencies to perform their mission, including data used to make hiring decisions.
Protecting CJI
CJI must be protected until the information is either (a) released to the public through an authorized disclosure, such as in a crime report; or (b) purged or destroyed in accordance with applicable record retention rules. The CJIS Security Policy outlines a minimum set of security requirements that create security controls for managing and maintaining CJI data. There is no centralized body authorized to certify compliance with the CJIS Security Policy.
Many vendors incorrectly state that their solution is “CJIS certified.” There is no such thing as being “CJIS certified.”
The FBI has advised that CJAs and NCJAs are ultimately responsible for ensuring compliance, even when they engage a third-party vendor to provide software or services relating to the agency’s CJI. What is more, those agencies evaluate solutions according to the agency’s own risk acceptance standard of what is CJIS-compliant. End2End’s clients include agencies across the United States. To the extent an End2End client’s compliance requirements exceed the minimum established by the FBI’s CJIS Security Policy and conflict with the common standards followed by other End2End clients, End2End expects to work collaboratively with that client or those clients to arrive at a mutually agreeable approach that is consistent with the FBI’s CJIS Security Policy and industry standards. If End2End agrees to take additional measures because of a unique client requirement, End2End reserves the right to attach a fee to those efforts and to deploy them within a timeframe End2End deems commercially reasonable.
To memorialize End2End’s commitment to fulfilling its responsibilities under the CJIS Security Policy, End2End has executed the CJIS Security Addendum. Each End2End employee with access to CJI is also required to sign a CJIS Security Addendum.
The Shared Responsibility Model
End2End has prepared a responsibility matrix that outlines the responsibilities, if any, of End2End and its impacted clients in relation to the relevant security controls the FBI has identified. It is important to note that the matrix is comprehensive, in that it assumes the End2End client is hosted in an End2End data center. If the End2End client is, however, hosted in a client or third-party environment, certain responsibilities will not apply. If you are a self-hosted client, or a client hosted in a third-party environment, and you have questions about which controls do not apply to you, or do not apply to End2End, please contact support@arms.com.
Shared responsibility means, at least, that End2End’s clients remain responsible for managing their client-side environment(s) and their data. This is true even for those clients whose End2End solution is hosted in an End2End cloud. For example, End2End’s clients are responsible for at least:
- User identity management;
- Access control of the ARMS solution;
- Security management and control of terminals that access cloud services, including hardware, software, applications and device rights; and
- Data security (transmission and storage security, integrity protection, backup and recovery, rights and permissions).
To request a copy of the shared responsibility matrix, please send an email to support@arms.com. End2End’s impacted clients should review that matrix carefully.
CJIS Policy Areas
The CJIS Security Policy is divided into 13 policy areas. The shared responsibility matrix referenced above details which party is responsible for controls within those policy areas, and how those responsibilities are met. What follows here is an intentionally high-level summary of the policy areas themselves and how End2End addresses them, as applicable.
Policy Area 1 — Information Exchange Agreements
Clients who use an End2End solution to manage CJI must sign a written agreement with End2End to document the extent of their interaction and the policies and procedures that are intended to ensure appropriate safeguards. End2End’s standard license agreements include language directed at these concepts. End2End also has executed the CJIS Security Addendum, as discussed above.
Policy Area 2 — Security Awareness Training
End2End personnel with access to CJI must complete and maintain the FBI-approved Peak Performance CJIS Level 4 Training. End2End maintains records of security awareness training.
Policy Area 3 — Incident Response
End2End follows industry standard incident response protocols, including preparation, detection, analysis, containment, eradication and recovery. End2End’s plan is audited according to the SOC 2, Type 2 Trust Principles. It is important to note that End2End’s clients must also have their own incident response policies and procedures in place, as End2End does not manage or triage client security incidents on its clients’ behalf.
Policy Area 4 — Auditing and Accountability
Agencies must provide for the ability to generate audit records of their systems for defined events. End2End will assist its clients who are undergoing an audit by responding to client inquiries relating to that audit and providing available information in response.
Policy Area 5 — Access Control
End2End has implemented multiple mechanisms addressing login management systems, remote access, and virtual private network (VPN) solutions certified to the FIPS 140-2 standard. End2End has also enacted policies and controls for Wi-Fi, Bluetooth and cellular devices.
Policy Area 6 — Identification and Authentication
End2End provides End2End personnel with unique user identification credentials and requires complex passwords, which must be changed regularly.
Policy Area 7 — Configuration Management
End2End segregates databases containing CJI on the End2End network, and limits user access credentials to End2End resources authorized to access and manage CJI on behalf of End2End’s clients. End2End’s system configuration documentation contains sensitive details (such as descriptions of End2End applications, processes, procedures, data structures, authorization processes, data flow, etc.). End2End protects such system documentation from public access. A high-level network diagram is available upon request to support@arms.com.
Policy Area 8 — Media Protection
End2End secures all CJIS data in its possession in all of its forms, including electronic and hard copy. End2End’s solution is capable of encrypting data in transit and at rest. End2End takes a risk-based approach to identifying, classifying and securing sensitive information as appropriate.
Policy Area 9 — Physical Protection
End2End has designated physically secure locations in applicable End2End office locations and other End2End areas where CJI may be accessed by End2End resources.
Policy Area 10 — Systems and Communications Protection and Information Integrity
End2End takes industry standard measures to safeguard its network and the data on End2End’s network. Those measures include encryption, antivirus tools, and patch management functionality.
Policy Area 11 — Formal Audits
The FBI does not audit third-party vendors such as End2End. Instead, the FBI audits law enforcement agencies, such as End2End’s clients. End2End cooperates with its clients during such audits as necessary.
Policy Area 12 — Personnel Security
End2End conducts background checks, including fingerprinting, on all End2End personnel with physical or logical access to unencrypted CJI. End2End maintains records of the results of those checks.
Policy Area 13 — Mobile Devices
This policy area requires law enforcement agencies to establish usage restrictions and implementation guidance for mobile devices, and to authorize, monitor, and control wireless access.
Conclusion
Data security is constantly evolving, and the requirements around CJIS compliance are no exception. End2End takes its data security and CJIS compliance obligations seriously, and continuously works to enhance and refine its data security programs. This whitepaper may be updated to reflect End2End’s most current practices, and we encourage you to return to the compliance page on our website for the most current information.
We are committed to partnering with our clients in this effort. The resources we have committed to that partnership are significant, and include the appointment of CJIS security officers, executive-level oversight, engagement of a third-party CJIS compliance consultant, participation in bi-annual FBI Advisory Policy Board meetings, and leveraging internal resources to foster a culture of compliance across the End2End community.