Strengthening the Compliance and Security Posture in Public Safety

The ability to securely exchange information is vital for law enforcement agencies.

Timely information about suspects can make or break investigations and either help or hinder emergency response. But if that information is shared or stored insecurely, data leaks can occur and prevent police from doing their jobs effectively.

There have been over 59 public safety cyber-attacks and more than 204 local government cyber-attacks (disclosed) in the USA in the past 24 months (a rolling quantity, often higher).

To reduce risk, organizations that access criminal justice information (CJI) have to ensure that data is protected. Achieving this goal is the purpose of the Criminal Justice Information Services Security Policy (CJIS Security Policy). The policy provides criminal justice agencies and noncriminal justice agencies with a set of minimum security requirements for access to FBI Criminal Justice Information Services Division systems and data and to safeguard CJI. Meant to protect the entire lifecycle of CJI, the rules call for the information to be secured, whether at rest or in transit.

As part of a series of reports on the subject of compliance, we are releasing a mini-report focused on the CJIS Security Policy and how organizations can meet its demands. The rules span several policy areas, such as configuration management, access control, and the development of information exchange agreements with other organizations. While CJIS Security Policy sets forth the minimum requirements organizations are expected to meet, local agencies may also have more stringent policies of their own. In this way, the CJIS Security Policy represents a critical baseline for the cybersecurity strategies of public safety agencies.

The price of non-compliance can be significant. Failing to comply with the rules can lead to agencies being denied access to critical CJIS data. But there is also the risk of sensitive information falling into the wrong hands. In recent years, sophisticated threat actors have targeted multiple public safety agencies across the country. All it takes is one ransomware infection, and evidence and other information can become compromised. An agency can even be shut down entirely. Unpatched, lost, or stolen devices also pose a threat, making the ability to maintain control and visibility into the security posture of endpoints a must.

Without the safe exchange and storage of information, law enforcement agencies can place both their investigations and personnel at risk. For this reason, it is critical for public safety agencies and other parties authorized to access CJI to keep security at the forefront of their activities and prioritize compliance.

For more information about complying with CJIS Security Policy, download the mini-report here.