CJIS raises a high bar for cybersecurity in law enforcement
June 22, 2023
There has never been a more important time for state agencies, police departments and other organizations that handle criminal justice data to be aligned and compliant in their cybersecurity policies and practices. At a time when the public sector is being increasingly targeted with cyberthreats like ransomware and phishing, local law enforcement agencies that administer and enforce criminal justice need secure and timely data to investigate and stop numerous types of crimes.
Access to the services that provide this data is a crucial resource and plays an important role in our local and national cybersecurity defense. Secure access to data and information supports cybercrime prevention programs and methods that protect citizens from online fraudsters, cyber predators, hackers and insidious attacks in the real world.
The digital world is expanding as a resource hub for broad criminal activity, providing millions of access points to the tools, code and system information that help not only law enforcement but also cybercriminals find what they need to do their work. With aging technology and valuable data at stake, the opportunities for hackers in the public sector are enormous. Ransomware attacks on municipal governments, schools and other public sector organizations continue to make headlines. Law enforcement agencies and those that support them with information and services are also increasingly vulnerable.
The agency responsible for the data needs of law enforcement is the FBI’s Criminal Justice Information Services (CJIS) division. Responsible for biometric identification data, biographic records and case histories, CJIS is the largest division of the FBI.
In late 2022, the CJIS updated its security policy, which applies not only to criminal justice agencies, but to organizations of all sizes that manage IT departments within the public sector. The penalties for non-compliance are steep and could result in a loss of access to data, terminated contracts or grants and potential liability in civil lawsuits.
Policy updates are necessary, but they raise the bar for smaller, cash-strapped and resource-constrained organizations that already have a hard time meeting the basic IT measures needed to keep their agencies functional and safe from cyberthreats.
Hacks on municipalities can be expensive and often force technology upgrades that are long overdue. Even with the Infrastructure Investment and Jobs Act (IIJA) starting to roll out millions in spending for such upgrades, we see law enforcement and local government agencies struggling now to adhere to the new requirements.
While CJIS is focused on prevention and best practices, the updated policy can be daunting for a small agency struggling to keep up with even the most basic cyber tools and security measures to defend themselves. With limited funds and a lack of specialized expertise, smaller organizations have a difficult time meeting the compliance mandates which can be complex and hard to pull off.
Case in point: as part of its policy update, CJIS has introduced several password management requirements that are difficult to understand, let alone implement, without a certified cybersecurity specialist. The CJIS password requirements include:
Minimum password length of 20 characters
Prohibition of stored password hints
Maintenance of a banned passwords list
Limiting failed authentication attempts
Forced password changes in case of compromise or every 365 days
Encrypted, authenticated channels for password requests
Salted, hashed password storage resistant to offline attacks
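As an added illustration (not code from the article or from CJIS), the following Python sketch shows how the listed controls combine in an authentication store: a 20-character minimum, a banned list, a failed-attempt lockout, a forced change after 365 days, and salted, memory-hard hashing so a stolen store resists offline guessing. The lockout threshold of 5 and the sample banned entries are assumptions; the policy text on this page gives no specific number or list.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 20          # minimum password length listed by the policy
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold (the page gives no number)
MAX_AGE_DAYS = 365       # forced password change interval from the policy

# Constructed sample banned list; a real deployment loads a maintained list.
BANNED_PASSWORDS = {"password123456789012", "correcthorsebatterystaple"}


def validate_password(candidate: str) -> list:
    """Return policy violations for a proposed password (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.lower() in BANNED_PASSWORDS:
        problems.append("on the banned passwords list")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard scrypt digest; slows offline guessing of a stolen store."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


class Account:
    """Stores only a random salt and the digest, never the password or a hint."""

    def __init__(self, password: str, day: int):
        problems = validate_password(password)
        if problems:
            raise ValueError("; ".join(problems))
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.changed_day = day  # day number of the last password change
        self.failed = 0         # consecutive failed attempts

    def authenticate(self, attempt: str, day: int) -> str:
        """Return 'ok', 'locked', 'expired' or 'wrong'; failures count toward lockout."""
        if self.failed >= MAX_FAILED_ATTEMPTS:
            return "locked"
        if not hmac.compare_digest(hash_password(attempt, self.salt), self.digest):
            self.failed += 1
            return "wrong"
        self.failed = 0
        if day - self.changed_day >= MAX_AGE_DAYS:
            return "expired"  # correct credential, but a forced change is due
        return "ok"
```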
These updated CJIS password requirements are important and should be met by all law enforcement agencies. However, capabilities such as multi-factor authentication, auditing and monitoring, role-based access control, encrypted storage and secure sharing of sensitive personal data are a tall order for IT departments that are tapped out and focused on supporting investigations and stopping criminals in their tracks.
IT professionals faced with these and other similar updates are looking to cost-effectively defend their networks while meeting all governance, risk and compliance mandates from CJIS and other authorities. They require robust FedRAMP- and StateRAMP-authorized solutions to implement these security measures effectively. A zero-knowledge, zero-trust password manager will enable law enforcement agencies to enforce the CJIS requirements for all accounts, allowing users to generate complex passwords and securely store them in an encrypted vault, minimizing the risk of unauthorized access to sensitive systems and data. A FedRAMP- and StateRAMP-authorized password management solution takes the guesswork out of meeting these complex requirements.
The nationwide StateRAMP cybersecurity verification program promotes the adoption of secure cloud services across state and local governments by providing a standardized approach to security and risk assessment for cloud technologies. StateRAMP authorization assures that security solutions will have a zero-trust and zero-knowledge protocol for state and local governments, as well as law enforcement agencies, to protect their passwords, data and secrets.
Without the FedRAMP and StateRAMP authorization programs, the choice of prevention and security tools could be overwhelming, because the tech industry has been doing its part with advancements in compliance and security tools that take the burden off IT. There is now a range of cost-effective cybersecurity solutions, including comprehensive, user-friendly platforms and tools that can address the toughest rules and requirements for protecting sensitive data and critical IT systems.
Now more than ever, local governments and criminal justice institutions need to protect their digital assets from ransomware, data breaches and password-related cyberattacks. As cyberthreats like phishing and ransomware become more sophisticated, data governance becomes even more difficult. Tech procurement officers in the public sector will do well to modernize their security processes and password tools in a way that meets the stringent new policy updates and prepares them for the future.
The IIJA and StateRAMP will help.
With all the IIJA funding about to hit the public sector, organizations should be able to tap more resources to help them become part of the modern IT infrastructure that the FBI depends on for its most critical data needs. With the stamp of StateRAMP- and FedRAMP-authorized solutions, smaller organizations are in a prime position to meet the CJIS policy updates and modernize their systems and tech protocols. Otherwise, they risk facing steep penalties or worse: finding themselves at the center of a data breach or implicated in a security incident that has far-reaching consequences.
Mike Eppes is the director of public sector at Keeper Security and a cybersecurity professional with a proven track record of taking cybersecurity best practices and helping deploy them at the federal and state level. With his background in cloud security, Eppes is able to simplify complex security issues and provide thoughtful solutions that are digestible by all audiences.