CJIS Security Policy v5.4 Changes

Jeff Campbell, FBI CJIS Assistant ISO

KCJIS Conference, June 8 – 9, 2015

CJIS ADVISORY PROCESS

Diagram: CJIS Advisory Policy Board – 9 Subcommittees – 5 Working Groups

CJIS ADVISORY PROCESS

An idea is born . . . and is sent to the state’s CSO, who evaluates it and forwards it to the Working Group Chairman, who forwards it to the FBI’s CJIS Division DFO, who directs it to the proper CJIS unit for research and development.

If deemed feasible, CJIS writes a staff paper and forwards it to the Working Groups for consideration.

After deliberation, the Working Groups make a recommendation, which is forwarded to the Subcommittee, which sends its recommendation to the Board.

The APB’s recommendation is forwarded to the FBI Director for approval and implementation by CJIS.

Flow diagram: IDEA – CSO – WG CHAIR – FBI CJIS – WG – SUBS – APB – FBI DIRECTOR

CJIS SECURITY POLICY

• Minimum requirements for the protection of criminal justice information (CJI)

• Annual release cycle

• July / August time frame

• Incorporates APB approved changes from previous year (2 cycles: Spring / Fall)

• Incorporates administrative changes

SIGNIFICANT CHANGES FOR v5.4

Risk-based Approach to Compliance with the CJIS Security Policy

• Executive Summary: “The Policy empowers CSAs with the insight and ability to tune their security programs according to their risks, needs, budgets, and resource constraints while remaining compliant with the baseline level of security set forth in this Policy.”

• Section 2.3 Risk Versus Realism: “Each agency faces risk unique to that agency. It is quite possible that several agencies could encounter the same type of risk however depending on resources would mitigate that risk differently. In that light, a risk-based approach can be used when implementing requirements.”

SIGNIFICANT CHANGES FOR v5.4

Section 5.5.6 Remote Access

• Change requirement when documenting remote access for privileged functions (from why to how). The slide shows the revised sentence as a redline, which reads as follows before and after the change:

– Before: “The agency may permit remote access for privileged functions only for compelling operational needs but shall document the rationale for such access in the security plan for the information system.”

– After: “The agency may permit remote access for privileged functions only for compelling operational needs but shall document the technical and administrative process enabling remote access for privileged functions in the security plan for the information system.”

• Addition of Virtual Escorting for Privileged Functions

SIGNIFICANT CHANGES FOR v5.4

Virtual Escorting for Privileged Functions

• Must meet ALL these conditions:

– Session shall be monitored at all times by an authorized escort

– Escort shall be familiar with the system/area where work is being performed

– Escort shall have the ability to terminate the session at any time

– Remote connection shall be encrypted using FIPS 140-2 certified encryption

– Remote admin personnel shall be identified prior to access and authenticated prior to or during the session

SIGNIFICANT CHANGES FOR v5.4

Section 5.6.2.2 Advanced Authentication

• Clarify Types of Certificates: “Advanced Authentication (AA) provides for additional security to the typical user identification and authentication of login ID and password, such as: biometric systems, user-based digital certificates (e.g. public key infrastructure (PKI)), smart cards, software tokens, hardware tokens,…”

When user-based certificates are used for authentication purposes, they shall:

1. Be specific to an individual user and not to a particular device.

2. Prohibit multiple users from utilizing the same certificate.

3. Require the user to “activate” that certificate for each use in some manner (e.g. passphrase or user-specific PIN).

SIGNIFICANT CHANGES FOR v5.4

Standardize Terminology within the Policy

• Criminal Justice Conveyance

– Section 5.5.5 Session Lock – “police vehicle”

– Section 5.6 Identification and Authentication – “law enforcement conveyance”

– Section 5.6.2.2.1 Advanced Authentication Policy and Rationale Interim Compliance – “police vehicle”

– Section 5.6.2.2.2(5) Advanced Authentication Decision Tree – “law enforcement conveyance”

– Section 5.9.1 Physically Secure Location – “police vehicle”

– Appendix A: Physically Secure Location – “police vehicle”

SIGNIFICANT CHANGES FOR v5.4

Standardize Terminology within the Policy

• Criminal Justice Professional

– Section 5.2 Security Awareness Training Figure 4 – “law-enforcement officers”

– Section 5.6.2.2.1 Advanced Authentication Policy and Rationale Interim Compliance – “police officer”

– Section 5.9 Physical Security Figure 13 – “dispatch, officers, and detectives”

– Section 5.13.1.2 Cellular – “law enforcement officer”

SIGNIFICANT CHANGES FOR v5.4

Section 5.10.1.2(2) Encryption Exception

2. When CJI is transmitted outside the boundary of a physically secure location, the data shall be immediately protected via cryptographic mechanisms (encryption).

EXCEPTIONS:

b) Encryption shall not be required if the transmission medium meets all of the following requirements:

i. The agency owns, operates, manages, or protects the medium.

ii. Medium terminates within physically secure locations at both ends with no interconnections between.

iii. Physical access to the medium is controlled by the agency using the requirements in Sections 5.9.1 and 5.12.

iv. Protection includes safeguards (e.g., acoustic, electric, electromagnetic, and physical) and if feasible countermeasures (e.g., alarms, notifications) to permit its use for the transmission of unencrypted information through an area of lesser classification or control.

v. With prior approval of the CSO.

SIGNIFICANT CHANGES FOR v5.4

Section 5.10.1.2(2) Encryption Exception

Examples:

• A campus is completely owned and controlled by a criminal justice agency (CJA) – If line-of-sight between buildings exists where a cable is buried, encryption is not required.

• A multi-story building is completely owned and controlled by a CJA – If floors are physically secure or cable runs through non-secure areas are protected, encryption is not required.

• A multi-story building is occupied by a mix of CJAs and non-CJAs – If floors are physically secure or cable runs through the non-secure areas are protected, encryption is not required.

SIGNIFICANT CHANGES FOR v5.4

Photos: Thomson Correctional Center, Thomson, IL; Alcatraz; Virginia State Police HQ, Richmond, VA; Randolph Air Force Base, Universal City, TX


SIGNIFICANT CHANGES FOR v5.4

Section 5.10.3.2 Virtualization

Virtualization refers to a methodology of dividing the resources of a computer (hardware and software) into multiple execution environments. Virtualized environments are authorized for criminal justice and noncriminal justice activities. In addition to the security controls described in this Policy, the following additional controls shall be implemented in a virtual environment:

1. Isolate the host from the virtual machine. In other words, virtual machine users cannot access host files, firmware, etc.

2. Maintain audit logs for all virtual machines and hosts and store the logs outside the hosts’ virtual environment.

3. Virtual Machines that are Internet facing (web servers, portal servers, etc.) shall be physically separate from Virtual Machines (VMs) that process CJI internally or be separated by a virtual firewall.

4. Device drivers that are “critical” shall be contained within a separate guest. Drivers that serve critical functions shall be stored within the specific VM they service. In other words, do not store these drivers within the hypervisor, or host operating system, for sharing. Each VM is to be treated as an independent system – secured as independently as possible.

SIGNIFICANT CHANGES FOR v5.4

Section 5.10.3.2 Virtualization

The following additional technical security controls shall be applied in virtual environments where CJI is comingled with non-CJI:

1. Encrypt CJI when stored in a virtualized environment where CJI is comingled with non-CJI or segregate and store unencrypted CJI within its own secure VM.

2. Encrypt network traffic within the virtual environment.

The following are additional technical security control best practices and should be implemented wherever feasible. The slide shows this list as a redline: the former item 1, “Encrypt network traffic between the virtual machine and host,” is struck (its substance now appears as requirement 2 above) and the remaining items are renumbered:

1. Implement IDS and/or IPS monitoring within the virtual machine environment.

2. Virtually or physically firewall each VM within the virtual environment to ensure that only allowed protocols will transact. (Former wording: “Virtually or physically firewall each virtual machine from each other with an application layer firewall to ensure that only allowed protocols will transact.”)

3. Segregate the administrative duties for the host.

SIGNIFICANT CHANGES FOR v5.4

Appendix A Terms and Definitions: NEW

• Certificate Authority (CA) Certificate

• Logical Partitioning

• Partitioning

• Physical Partitioning

• Server/Client Computer Certificate (Device-based)

• User Certificate (User-based)

• Virtual Escort

• Virtual Machine

SIGNIFICANT CHANGES FOR v5.4

Appendix A Terms and Definitions: MODIFIED

• Criminal Justice Conveyance: “A criminal justice conveyance is any enclosed mobile vehicle used for the purposes of criminal justice activities with the capability to comply, during operational periods, with the requirements of Section 5.9.1.3.”

• Guest Operating System: “An operating system that has emulated hardware presented to it by a host operating system. Also referred to as the virtual machine (VM).” (The slide shows the former wording “the virtualized operating system” struck in favor of “virtual machine (VM)”.)

• Host Operating System: In the context of virtualization, the operating system that interfaces with the actual physical hardware and arbitrates between it and the guest operating systems. It is also referred to as a hypervisor.

SIGNIFICANT CHANGES FOR v5.4

Appendix A Terms and Definitions: MODIFIED

• State of Residency: “A state of residency is the state in which an individual claims and can provide documented evidence as proof of being his/her permanent living domicile. CJIS Systems Officers have the latitude to determine what documentation constitutes acceptable proof of residency. Examples of acceptable documented evidence permitted to confirm an individual’s state of residence are: driver’s license, state or employer issued ID card, voter registration card, proof of an address (such as a utility bill with one’s name and address as the payee), passport, professional or business license, and/or insurance (medical/dental) card.”

SIGNIFICANT CHANGES FOR v5.4

Appendix J Noncriminal Justice Agency Supplemental Guidance

• Updated

• From 2 pages to 10

• Expanded explanation of Policy sections

• Use Cases

“This appendix is not intended to be used in lieu of the CJIS Security Policy (CSP) but rather should be used as supplemental guidance specifically for those Noncriminal Justice Agencies (NCJA) with access to Criminal Justice Information (CJI) as authorized by legislative enactment or federal executive order to request civil fingerprint-based background checks for licensing, employment, or other noncriminal justice purposes, via their State Identification Bureau (SIB) and/or Channeling agency. Examples of the target audience for the Appendix J supplemental guidance include school boards, banks, medical boards, gaming commissions, alcohol and tobacco control boards, social services agencies, pharmacy boards, etc.”

SIGNIFICANT CHANGES FOR v5.4

Administrative Changes

• Section 5.6.2.2.1 Advanced Authentication Policy and Rationale – Remove “INTERIM COMPLIANCE”. The removed paragraph read: “1. Internet Protocol Security (IPSec) does not meet the 2011 requirements for advanced authentication; however, agencies that have funded/implemented IPSec in order to meet the AA requirements of CJIS Security Policy v.4.5 may continue to utilize IPSec for AA until September 30, 2014.”

• Update terminology for LEO – Change to LEEP (Law Enforcement Enterprise Portal)

TOPICS IN SPRING APB

• Evaluation of Appendix K

• Administrator Accounts for Least Privilege

• Assigning Tier Numbers to CJIS Security Policy Requirements

• Security Awareness Training Requirements

• Clarification of Out-of-Band Authentication

• CSO Delegation Authorizing Personnel Screening Requirement

• CSA Auditing of Vendor Facilities

UPCOMING TOPICS FOR FALL APB

• Security Incident Reporting and Incident Response Form

• Mobile Security Task Force Change Recommendations for Section 5.13

• Faxing Requirements in the CJIS Security Policy

• Clarifying Personnel Background Check Requirement for Noncriminal Justice Agencies

• Noncriminal Justice Agencies and the Security Addendum

ISO RESOURCES

CJIS Security Policy Resource Center

Publicly Available: http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view

Features:

– Search and download the CSP

– Download the CSP Requirements and Tiering Document

– Use Cases (Advanced Authentication and others to follow)

– Cloud Computing Report & Cloud Report Control Catalog

– Mobile Appendix

– Submit a Question (question forwarded to CJIS ISO Program)

– Links of importance

[email protected]

ISO RESOURCES

CJIS Security Policy Resource Center – navigating to it from the FBI website (screenshots on the slides):

Step #1: Select “About Us”

Step #2: Select “Criminal Justice Information Services”

Step #3: Select “Security Policy Resource Center”

http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view

[email protected]

ISO RESOURCES

CJIS Information Security Office LEEP SIG – screenshot walkthrough (callouts from the slides):

– MySIGs are listed here for quick access

– Click here for the SIG home page

– Click here to browse all SIGs

– Expand Access Type and click on UNRESTRICTED

– Click the CJIS-ISO logo to go to the SIG

– Click here to add the CJIS ISO SIG to MySIGs

– Click here for the Forums

– Click here for the CJIS ISO Forum

CJIS ISO CONTACT INFORMATION

George White, CJIS ISO – (304) 625 - [email protected]

Jeff Campbell, CJIS Assistant ISO – (304) 625 - [email protected]

Steve Exley, Sr. Consultant/Technical Analyst – (304) 625 - [email protected]

[email protected]

QUESTIONS?

Jeff Campbell, FBI CJIS Assistant Information Security Officer

CJIS Information Assurance Unit, (304) 625 - 4961

[email protected]

[email protected]