Law enforcement agencies across the country are realizing that smartphones are great tools for patrol officers. They can use a smartphone to contact a detained juvenile’s parents, check bed availability at homeless shelters and even translate communications in the field. Smartphones also eliminate the need for single-purpose devices like cameras and audio recorders.
Field operations generally involve criminal justice information (CJI), and taking full advantage of smartphone deployment means being able to query criminal justice databases. To access CJI from a mobile device, agencies must ensure compliance with the security policies established by the FBI’s Criminal Justice Information Services (CJIS) and follow the rules set by their state’s CJIS oversight and auditing entity. Responsibility for compliance falls to each agency’s terminal agency coordinator (TAC), who serves as the primary point of contact for matters relating to CJI access and oversees compliance with CJIS policy.
CJIS compliance is required for officers accessing CJIS-controlled databases or storing CJI on their mobile devices. Agency TACs and IT administrators should closely review CJIS policy for mobilized operations. Here are some steps and key resources for addressing mobile-specific CJIS issues.
1. Assess your operation and infrastructure
Your agency is likely already operating with some CJI access and compliance. Review those processes so you understand your existing network infrastructure and authentication methods. It’s generally better to work from the perspective of adding a capability (i.e., mobile access to CJI) and leverage your already-proven processes. Use this opportunity to look for potential vulnerability points and ways to improve overall network security.
2. Read our comprehensive guide
Agency TACs and supporting IT personnel should review our Comprehensive Guide to CJIS Compliance in a Mobilized Agency. It outlines mobile-specific CJIS requirements and explains concepts like advanced authentication and compensating controls. It’s based on CJIS security policy’s requirements for accessing CJI from mobile devices.
Achieve mobile CJIS compliance at your agency
White Paper
Get expert, practical advice for your mobile deployment so you can be both connected and compliant. Download Now
3. Understand mobile device management
CJIS policy requires that agencies using mobile devices to access or store CJI use a mobile device management (MDM) solution. With an MDM solution, an agency can exercise a great deal of control over its smartphones and disable or wipe a lost or stolen device. Security updates can be assured, and the MDM can be used to locate a missing device. A good MDM solution will not only meet the CJIS requirements but also streamline your smartphone program management.
Tip: Once you have your MDM solution operational, try out some of the features, like remote wiping of information or locating a missing phone. This will not only give you confidence in your system and your ability to use it but will also reduce the time it takes to mitigate a potential compromise of a mobile device.
4. Understand advanced authentication and compensating controls
Advanced authentication (AA), also known as two-factor or multifactor authentication, adds security beyond simple sign-on, and CJIS mandates it for mobile devices accessing or storing CJI. AA requires a user to provide something they know (such as a username and password) and something they either have (such as a one-time code) or something they are (a biometric such as a fingerprint, checked beyond the device itself). In recognition of law enforcement’s unique work environment, CJIS policy allows other methods known as “compensating controls,” if they provide the same protection or better and are approved by the agency’s state-level CJIS Systems Agency (CSA) (see Step 5).
5. Identify your state’s CJIS Systems Officer
The CSA evaluates applications for compensating controls. Each CSA appoints a CJIS Systems Officer (CSO) to monitor compliance. Each agency is required to have a TAC, who should serve as the conduit to communicate with the CSA/CSO. If you have difficulty identifying or contacting your TAC, start with the person in your agency who deals with issues regarding National Crime Information Center (NCIC) access. Ask them to help work you through the chain to the state level. Once you’ve identified the CSO and before you commit to funding, ensure you have the CSO’s concurrence on any CJIS solutions you plan to implement. This is particularly important with compensating controls.
6. Become familiar with NIST 800-63 and FIDO
Although there isn’t a codified relationship between the FBI’s CJIS and the National Institute of Standards and Testing (NIST), they do collaborate on best practices for CJIS security methods. Recent changes in CJIS password requirements are a direct reflection of the work done by NIST and documented in NIST Special Policy 800-63. NIST is also a key participant in the Fast ID Online (FIDO) Alliance, which is pursuing stronger, more practical methods for authenticating online transactions. TACs and IT professionals working in support of a department smartphone program should review NIST 800-63 and the FIDO recommendations.
7. Check with other agencies
Ask around locally to see who has a successful smartphone program. Meet with the people responsible and learn the technical processes they used to achieve CJIS compliance. Also ask to see documentation of their system and their application to the state’s CSA. If their program is successful, you might consider a similar approach with your own, saving time and increasing your likelihood of CJIS approval.
Note: Don’t rely on a vendor’s claim that they are “CJIS-certified” or otherwise preapproved for use. CJIS does not grant certifications. Also, be cautious in relying on a program that has been rolled out in another state; each state is responsible for its own review and approval.
A cautionary note
Some agencies have stipend programs to encourage personal smartphone use for work, commonly known as Bring Your Own Device (BYOD). This can work when smartphone use is limited to basic functions. But a BYOD approach is not advisable for devices accessing or storing CJI. It’s impractical to try to properly manage and control a broad variety of personally owned devices throughout an agency.
Going forward
Agencies should achieve CJIS compliance so officers can access mission-essential and mission-critical information through criminal justice databases. By following the steps above, agency administrators will give field personnel newfound information capability.
Download our comprehensive CJIS compliance guide, which provides practical advice for agencies deploying smartphones and tablets.
