As more and more law enforcement organizations issue smartphones to field personnel, the concept of a connected officer is improving operational effectiveness and ready access to mission-critical information. In a smartphone-centric computing environment, officers have ready access to the criminal justice databases they depend on. When mobile devices are used to transmit or store criminal justice information (CJI), agencies must ensure compliance with Criminal Justice Information Services (CJIS) policy and any protocols imposed by their state’s CJIS Systems Agency.
CJIS security policy is designed to protect criminal justice databases and sensitive data. Only authorized users can access CJI, and all connecting devices must be properly secured. The CJIS security policy is over 250 pages, and complying with its rules can be somewhat challenging because technology evolves so quickly. But noncompliance is not an option — and can result in lack of access to key information sources. Samsung Knox, specifically Knox’s secure container capabilities, can provide valuable protection and improve overall device management.
Samsung Knox: Government-certified security
Samsung Knox is a defense-grade solution set for mobile device security that has received multiple U.S. government certifications. Unlike after-market software solutions, Knox begins with a secure foundation built into the chip. It supports comprehensive device configuration at the time of issue, provides powerful remote device management and delivers the ultimate in secure storage.
Remote management of mobile devices — such as enterprise mobility management (EMM) or mobile device management (MDM) — is required before mobile devices can access, transfer or store CJI. The specific requirements are extensive, ranging from remote locking and wiping to detecting unauthorized configurations or software. Knox allows agencies to meet these requirements with confidence.
The Knox secure container
Knox Platform for Enterprise gives all Galaxy smartphones secure container capability — the cyber equivalent of a lockbox. Although CJIS doesn’t require a secure container on a mobile device, it does allow agencies to safeguard sensitive information or prevent access to specific capabilities, as the Knox secure container can be configured to require separate authentication.
Achieve Mobile CJIS Compliance at Your Agency
Get expert, practical advice for your mobile deployment so you can be both connected and compliant. Download Now
Unlike conventional, software-based file storage, the Knox secure container is protected at the hardware level and is hardened to prevent unauthorized bootloaders, modifications and other malicious processes that would exploit data mapping. During the configuration process, the IT administrator can enable or disable container interaction with Bluetooth, near-field communication (NFC), USB access or external storage transfers.
The CJIS perspective
CJIS acknowledges the effectiveness of a secure container for data stored on a device, often referred to as “data at rest,” and provides this recommendation:
“Data accessible on pocket or tablet devices simply through the entry of a single device PIN or password should not be considered secure due to the likelihood of enhanced password guessing based on fingerprints/smudges on the device touch screen,” says the CJIS mobile appendix. “Any data stored on devices of these types should be protected within a separate secure container using Advanced Authentication.”
The Knox secure container is also useful when an agency uses CJIS-permitted compensating controls — alternative security processes that provide similar protection in circumstances involving legitimate business or technical constraints. Law enforcement officers are allowed compensating controls because of their unique operational environment, providing some flexibility in how they accomplish mobile authentication.
Another viable approach is to place a user or device certificate inside the secure Knox container and, when challenged, have the user access Knox and invoke the certificate, essentially providing an authentication response. This example and the use case above fall within the subjective area of compensating controls and are subject to approval by an agency’s state-level CJIS Security Officer (CSO). Compensating controls are temporary, and the state’s CSO determines how long an alternative process may be used. Agencies should seek guidance as to what will be acceptable, especially if the proposed processes are expensive or difficult to implement.
As law enforcement agencies continue to embrace the concept of a connected officer, mobile devices are being used to access CJI, so they’re subject to CJIS policy and any protocols imposed by the state-level CJIS security agency. The use of smartphones to conduct CJI queries is a relatively new capability, and the specifics on CJIS compliance are still evolving, particularly with compensating controls. Samsung Knox enhances agencies’ device control and security, both protecting data and ensuring devices are used only by authorized personnel.