As more law enforcement organizations recognize the value of mobile-connected officers, agencies across the U.S. are expanding their on-duty use of smartphones.

For most agencies, smartphone use includes accessing and reviewing criminal justice information (CJI) databases, which requires compliance with the security policy of the FBI’s Criminal Justice Information Services (CJIS) division as well as the rules set by their state’s CJIS Systems Agency (CSA).

CJIS smartphone compliance involves three main components: mobile device management (MDM), encryption and Advanced Authentication (AA). Your agency can achieve CJIS compliance via several different methods and technologies. You can also research other organizations’ CJIS compliance strategies that have already been approved by a CSA. One mid-sized agency in California, for example, is using the method and technologies outlined below. The name of the agency has been withheld in the interest of operational security.

Hardware and supporting technologies

The California agency selected flagship Samsung smartphones and issued one to each officer. When the officer is given their new smartphone, they’re asked to choose a six-digit PIN that meets CJIS requirements (CJIS Policy 5.6.2.1.2). Each officer is also assigned a security token (often called a “hard” token) that allows them to obtain a one-time password (OTP) for the login process (explained at the end of this section). The agency’s Active Directory (AD), which contains each officer’s network username, is linked to the solution vendor’s security system. This ensures the advanced authentication information is synced and updates are handled automatically, creating a seamless user experience and lessening the need for IT maintenance. Once the device is linked to the directory, the agency’s IT administrator assigns and enrolls the security tokens.

Shop special offers

Find out about offers on the latest Samsung technology.

see deals

Speak to a solutions expert

Get expert advice from a solutions consultant.

Talk to an expert

Mobile device management

When an officer is issued a smartphone, it’s also enrolled in Knox Manage, the agency’s MDM, which applies the agency’s security policies and configurations, such as the PIN requirement and idle lock. Knox Manage exceeds the minimum CJIS requirements for an MDM solution (CJIS Policy 5.13.2).

Encryption

Encryption of data in transit (i.e., being sent or received) is accomplished by using a virtual private network (VPN) supplied by NetMotion, which meets CJIS encryption requirements (CJIS Policy 5.10.1.2.1). NetMotion has the added benefit of session persistence, meaning the user stays logged on even when there’s a drop in network connectivity (e.g., temporary loss of cell signal). Encryption of data at rest (as required by CJIS Policy 5.10.1.2.2) is achieved with Samsung Knox Platform for Enterprise (KPE), which encrypts work data on agency-managed devices at all times, whether a device is powered on or turned off.

Advanced Authentication

The agency’s advanced authentication strategy is best demonstrated by their users’ login process. After unlocking their mobile device by entering their PIN, the officer launches the NetMotion VPN client and enters their username (the same one contained in the agency’s AD). They then use the security token to obtain a six-digit OTP issued by the Thales security system. The officer enters their PIN and then the OTP, resulting in a 12-digit number that completes the password field. Once the officer has entered their login credentials, the Thales security program checks that the first six numbers match the officer’s PIN (something known) and the other six numbers match the OTP (something the officer has), thereby complying with CJIS Policy’s advanced authentication requirement.

Important considerations

To ensure a successful mobile deployment, your agency will need to integrate different products and processes that meet security requirements while maintaining a user-friendly experience for officers in the field. You’ll also need to consider your deployment’s ongoing impact on IT resources.

Achieve mobile CJIS compliance at your agency

White Paper

Get expert, practical advice for your mobile deployment so you can be both connected and compliant. Download Now

The agency in the above example found that the security token approach comes with some challenges. Tokens can be lost or damaged, and the device’s battery has a life of about three years, depending on frequency of use. The agency is now considering switching to a “soft” token approach, which would issue officers an OTP via a smartphone app separate from the login process. These six digits would be entered after the officer’s PIN, just like in the previous advanced authentication method outlined above. This soft token approach may comply with the CJIS requirement for an OTP sent through a “separate communication service channel” (CJIS Policy 5.6.2.2).

To integrate and coordinate all these components, you’ll need a skilled IT team. Most midsize and larger agencies will likely have a capable resource within their city or county IT staff. Agencies that don’t should consider working with a larger or regional agency that can handle some or all of their security-related IT tasks. For an initial query, you can reach out to the agency that handles your county or regional switch for NCIC data. Alternatively, you could work with an IT integrator that specializes in helping agencies achieve CJIS compliance.

On a state-by-state basis

This agency’s strategy is just one example of how an organization can achieve CJIS compliance. The mention of specific products and vendors is not intended as an endorsement.

Remember, CSA approval is granted at the state level. States may interpret CJIS policy slightly differently. Before initiating device procurement, submit your planned course of action to the appropriate CJIS authority ahead of time. As you consult with other agencies in your area about their CJIS-compliant smartphone programs, ask to see their system documentation and application to the state CSA. Also inquire as to what they wish they had done differently, or suggestions they have based on their experience. Taking these steps proactively will help increase your likelihood of CJIS approval — and save you a great deal of time and money.

For more ideas on how to mobilize your agency, discover Samsung’s other innovative solutions designed for public safety officers. You can get help planning and implementing a mobile initiative at your agency with this free practical roadmap.

Posts By

Dale Stockton

Dale Stockton is a 32-year-veteran of law enforcement, having worked in all areas of police operations and retiring as a police captain from Carlsbad, California. He taught criminal justice classes for more than 20 years and is the former Editor-in-Chief of Law Officer Magazine and LawOfficer.com. Stockton is the founder of Below 100, an award-winning officer-safety initiative designed to reduce police line-of-duty deaths and has been involved in the presentation of the program across North America. Stockton is an accomplished technology practitioner and has managed major technology projects for public safety including personnel-locate devices and license plate recognition systems.

View more posts by Dale Stockton