CJIS compliance and mobile device security: Don’t wait for a costly breach, take action now
Author: Jamie Italiano
Date modified: September 16, 2024
Time is running out. As of October 1, 2024, the Federal Bureau of Investigation (FBI) requires that organizations that access criminal justice information (CJI) implement multi-factor authentication (MFA) on all systems that contain CJI. That includes smartphones, tablets, computers and any other device or system used to access arrest records, forensic evidence, criminal investigation data and other digital information. This makes the security of these devices, systems and digital transactions paramount to fighting crime and protecting the public.
What are the CJIS policy requirements?
CJIS compliance is strict, requiring anyone who has access to CJIS data to undergo security awareness training within six months of their first assignment, and training must be updated every two years. All smartphones and tablets or other devices must use a CJIS-compliant multi-factor authentication (MFA) process, and they must also be enrolled in an agency-controlled mobile device manager (MDM) capable of remotely locking a device or, if needed, erasing the memory of a lost or compromised device. All work-related data transmitted or stored on a device needs to be encrypted.
What are the new CJIS requirements for 2024?
Come October 1, 2024, any agency that is accessing criminal justice information (CJI) - for example arrest records, digital evidence, text communications - or criminal justice systems and applications must implement multi-factor authentication (MFA). CJIS Security Policy Version 5.9.2 requires that individuals must provide at least two authentication factors to prove they are who they say they are. Failure to comply could result in monetary fines and denial of access to FBI CJIS resources.
Whether your organization runs a bring your own device (BYOD) program or issues agency-owned devices, non-compliance with CJIS security requirements could leave it exposed to phishing attacks or other breaches of confidential information.
How does MFA enhance device security?
MFA is a security control that requires a user to provide a combination of two or more different authenticators. An authenticator could be something you know (a password), something you are (a biometric such as a fingerprint or face ID), or something you have (a security token). This provides a second layer of protection in the event one factor is compromised, for example when a password is guessed, making it harder for unauthorized users or bad actors to gain access to CJI.
What are mobile device management solutions?
Mobile device management (MDM), a requirement of the CJIS Security Policy, gives your IT administrators remote management of devices and applications along with added security controls they define. Its cloud-based platform can help your organization enforce compliance policies and management functions, such as those required by the CJIS Security Policy.
Mobile devices are critical to law enforcement (LE) agencies dedicated to keeping citizens safe, and the data they handle is extremely sensitive, making stringent mobile device security a must.
What is BYOD policy and how is it different for law enforcement?
Because law enforcement agencies must adhere to a different set of compliance rules than other industries, it’s important to note that BYOD creates the possibility that your personal phone, with your personal information contained within, could potentially become evidence and subject to discovery in court proceedings. Any device accessing any criminal data used by law enforcement must follow FBI Criminal Justice Information Services (CJIS) compliance for mobile device security. The stringent policies of CJIS compliance make BYOD among LE difficult—but not impossible.
Many organizations have accepted or embraced bring your own device (BYOD) as part of their workplace culture. Some states, for example California, require the employer to compensate their employees for the use of their device when conducting agency business. Compliance regulations including CJIS compliance will dictate how—or if—an organization can adopt BYOD.
BYOD policies can be uniquely tailored to each individual organization. Here is a list of what most BYOD policies include, with their mobile threat detection provisions:
- Registering all devices used to connect to the corporate network
- Requiring company-determined mobile threat detection software and other security tools on each device
- Regulating apps that can be used for business operations—some policies may also decide to limit any apps on a device approved for BYOD to add layers of security
- Requiring approval before any non-work-approved apps are installed, to avoid shadow IT (unauthorized software) risks
- Establishing agreements on who owns the phone number (should a personal number be allowed for a business-used phone?), who pays the monthly phone bill and who owns the non-work data on the device
- Regulating access and storage of company assets
- Limiting time dedicated to personal use during work hours
BYOD policy will have a slightly different look for law enforcement under CJIS compliance.
Risks and threats of BYOD for law enforcement
BYOD carries the same threats and risks that corporate-owned devices face; the difference is where responsibility lands. Who is responsible for the mobile device management around those threats, the deployment of mobile threat detection or the mitigation of any cyber incident that occurs? Mobile threats—such as phishing, unsecured Wi-Fi usage or excessive permissions in apps—are potentially a big concern because they can lead to data leakage or data loss, which could result in a significant security issue for LE.
Unique to BYOD are threats caused by cross-contamination. When a mobile device holds both professional and personal credentials, mobile device security becomes more difficult. The device may even be used by other family members for personal purposes. That simple action could potentially put you and your agency in violation of CJIS compliance.
What happens if law enforcement BYOD is breached?
If an agent or officer's personal device was lost or stolen, would your IT team be notified? Do you trust your employees to be honest if an important database was manipulated because a family member accessing BYOD thought it was a different application? Do those using BYOD recognize what constitutes a data breach and what types of incidents should be reported?
Of course, these mobile threat detection and device management guidelines should be included in LE BYOD policy, but that doesn't mean the employee will follow the directive. If the device is lost or stolen, they may not worry about the organization's security concerns; they may instead react to their personal losses. If there is another type of incident that is a more clear breach, they may be too afraid of the repercussions to come forward with the truth.
As previously mentioned, all BYOD and mobile device management policies should include clear language outlining the division between personal and work material on mobile devices. That way, when the worst-case scenario happens, there are no questions of responsibility. For example, the organization should have the right—and the ability—to remotely wipe any device holding corporate information. There should be a clear reporting policy without intimidation. Rules for working with an employee post-breach should be the same for both BYOD and department-owned devices whenever possible. An officer frightened of losing their job because they lost their phone may remain silent for as long as possible, which could lead to greater risk of compromise for data and assets.
In other industries, BYOD is seen as a cost-saving measure, but don't expect this to be the case in law enforcement. First, devices used by LE need to be reliable; LE shouldn’t use a phone/data service plan that has spotty coverage and limited range. They need devices that are able to handle the mobile device security measures necessary to meet CJIS compliance.
Official department-issued cell phones and smartphones help to enhance both the security and functionality for law enforcement and agencies. Modern 5G-enabled smartphones provide fast, secure, reliable communications and there are many applications designed specifically for first responders.
Understanding the threat landscape
The costs of a breach are real. In 2023, the city of Dallas agreed to pay over $8 million for expenses related to a ransomware attack. And according to Forbes, the MOVEit global supply chain attack spanned 790 organizations, including 200 government agencies, leaking personally identifiable information (PII) such as social security numbers, home addresses, income information, medical records and more.
The attack surface will continue to expand the more we connect: that is, the connections between devices, people, places, partners, applications and things. Security is only as strong as your weakest link, and according to the 2024 DBIR, that weakest link is typically the result of human error.
What is phishing-resistant MFA?
The Cybersecurity and Infrastructure Security Agency (CISA) provides guidance on implementing phishing-resistant MFA, which makes it more difficult for criminals or threat actors to gain access to networks and information systems, for instance when passwords or personal identification numbers (PINs) have been compromised through phishing or other means.
Devices used by LE are valuable to criminals, and not just cyber criminals. The FBI has well-defined parameters for what constitutes personally identifiable information (PII), and protecting PII is a priority in tandem with protecting CJI. Any time an LE device or computer is used, it puts the user's PII at risk, especially if the device ends up in the hands of a criminal. Some agencies may decide that it is better to keep personal and work materials separate, including not conducting private activities on department-issued devices.
Adhering to CJIS compliance
CJIS security policy includes regular software/security updates, multi-factor authentication (MFA), encryption and agency-controlled mobile device management solutions. Mobile device management offers enhanced security and functionality for agencies and first responders.
CJIS compliance helps prevent unauthorized access to sensitive data like CJI.
Verizon offers a comprehensive range of mobility services for public safety customers built on America's most reliable 5G network. Verizon also offers a discount program with exclusive offers only for our First Responders. More than 40,000 agencies rely on Verizon Frontline and its mission-critical solutions.
Learn more about mobile device management solutions and mobile cyber security measures from Verizon.
The author of this content, Jamie Italiano, works for Verizon. Jamie Italiano has volunteered alongside the Verizon Frontline Crisis Response team and is Digital Marketing Content Manager for Verizon Business Group.