Editor’s Note: To learn more about becoming CJIS compliant with your smartphone deployment, watch a recording of a recently presented webinar, “Achieving CJIS Compliance with Smartphones and Tablets: What You Need to Know.” Presenters include Eric Wood, Chief Innovation Officer at Chula Vista (CA) Police Department, and Chris Weatherly, FBI CJIS ISO.
Smartphones are central to our daily lives. Patrol officers have every reason to expect that the ready access to information they have in civilian life should be reflected in their work environment too.
It’s rare that you’ll find a marked patrol car today that doesn’t have some type of computer mounted inside. They’ve become essential. It’s routine to deadline a vehicle when its computer isn’t working.
Conventional in-vehicle computers have served law enforcement well, but their utility ends when an officer steps out of their vehicle. Mobile devices, especially smartphones, can support officers regardless of their assignment or proximity to a patrol vehicle. Smartphones can even support in-vehicle computing by using Samsung DeX, which allows users to pair their smartphone with a touchscreen and keyboard.
Criminal justice information access
For most law enforcement agencies, fully utilizing smartphones means accessing and reviewing criminal justice information (CJI) databases. Agencies have to comply with requirements established by the Criminal Justice Information Services (CJIS) division of the FBI and follow the rules set by their state’s CJIS Systems Agency (CSA). Note that CJIS compliance is mandatory if you’re accessing CJIS-controlled databases. The rules for CJIS compliance are somewhat complex and subject to a degree of interpretation by different states. The intent is to safeguard both criminal justice database systems and sensitive data associated with personal information, such as an individual’s criminal history.
When a mobile device is used to access CJI, the CJIS Security Policy requires the use of advanced authentication, also known as multifactor or two-factor authentication (CJIS Policy Section 220.127.116.11). Standard authenticators include passwords, hard or soft tokens, biometrics, one-time passwords and PINs. Advanced authentication ensures that only authorized users gain access by adding a step to the sign-on process and requiring users to provide something more than a username and password. The additional information must be something they “have” (e.g., a token that issues a one-time numeric passcode) or something they “are,” meaning something that’s unique to them, such as a fingerprint or other acceptable biometric.
Achieve mobile CJIS compliance at your agency
Get expert, practical advice for your mobile deployment so you can be both connected and compliant. Download Now
Advancing technology offers options that are sometimes more effective at authentication but may not yet be explicitly authorized by the CJIS Security Policy. Fortunately, a degree of flexibility is built into the policy for dealing with these situations. CJIS has a provision known as “compensating controls,” which permits alternative security processes that provide the same or greater level of protection as advanced authentication in circumstances involving legitimate business or technical constraints. Compensating controls may be particularly relevant to agencies that are integrating an expanded smartphone program with legacy infrastructure. Agencies are required to submit an application to their state’s CSA and receive approval before substituting compensating controls for advanced authentication (CJIS Policy Section 18.104.22.168.1).
Mobile device management
CJIS policy mandates the use of a mobile device management (MDM) solution when using mobile devices to access CJI. CJIS policy recognizes that mobile devices are subject to loss or theft, as well as user modification that could possibly compromise security. An MDM allows an agency to prevent unauthorized device settings or actions and to remotely disable or wipe a device that’s lost or stolen. When choosing an MDM, agencies should ensure it can perform all the actions required by CJIS policy (Section 5.13.2):
- Remote locking and/or wiping of device
- Setting and locking device configuration
- Detection of “rooted” and “jailbroken” devices
- Enforcement of folder or disk-level encryption
- Application of mandatory policy settings on the device
- Detection of unauthorized configurations
- Detection of unauthorized software or applications
- Ability to determine the location of agency-controlled devices
- Prevention of unpatched devices from accessing CJI or CJI systems
- Automatic device wiping after a specified number of failed access attempts
An MDM will also ensure security updates are installed promptly (required by CJIS Security Policy Section 22.214.171.124). Some MDM software allows the tracking of a smartphone that has been lost or stolen, aiding in the recovery of a device. CJIS policy recommends adding tracking capability to mitigate the risk of a device coming into the possession of an unauthorized person.
Encryption is required whenever CJI is transmitted or stored (at rest) outside the boundaries of a physically secure location, and this is clearly the operational environment of law enforcement smartphones. The exact standards the data would be required to meet are detailed in CJIS Security Policy (Section 126.96.36.199). Many agencies use a virtual private network (VPN) to meet CJIS encryption requirements. A VPN functions as a secure tunnel that provides an end-to-end encrypted path between the sender and recipient, thereby preventing anyone unauthorized from intercepting the data.
An obvious return on investment
Today’s mobile devices can support a wide range of police operations, and the more that officers can accomplish with a single device, the more effective they’ll be. Establishing a robust and effective CJIS-compliant smartphone program requires a commitment on the part of an agency, but the return on investment (ROI) is substantial, fully supporting mission-critical information needs regardless of an officer’s assignment or proximity to a patrol car.
Download our comprehensive CJIS compliance guide, which provides practical advice for agencies deploying smartphones and tablets.