The Criminal Justice Information Services (CJIS) Division of the US Federal Bureau of Investigation (FBI) gives state, local, and federal law enforcement and criminal justice agencies access to criminal justice information (CJI) – for example, fingerprint records and criminal histories. Law enforcement and other government agencies in the United States must ensure that their use of cloud services for the transmission, storage, or processing of CJI complies with the CJIS Security Policy, which establishes minimum security requirements and controls to safeguard CJI.

The CJIS Security Policy integrates presidential and FBI directives, federal laws, and the criminal justice community's Advisory Policy Board decisions, along with guidance from the National Institute of Standards and Technology (NIST). The CJIS Security Policy is updated periodically to reflect evolving security requirements.

In addition to the controls each law enforcement or criminal justice agency is responsible for evaluating, the CJIS Security Policy defines areas that private contractors such as cloud service providers (CSP) must evaluate to determine if their use of cloud services can be consistent with CJIS requirements. These areas correspond closely to control families in NIST SP 800-53, which is also the basis for the US Federal Risk and Authorization Management Program (FedRAMP). The FBI CJIS Information Security Officer (ISO) Program Office has published a security control mapping of CJIS Security Policy requirements to NIST SP 800-53. The corresponding NIST SP 800-53 controls are listed for each CJIS Security Policy section.

A CJIS Security Addendum is a uniform agreement approved by the US Attorney General that helps ensure the security and confidentiality of CJI required by the Security Policy. It commits the contractor to maintaining a security program consistent with federal and state laws, regulations, and standards. The addendum limits the use of CJI to the purposes for which a government agency provided it.

Key updates to CJIS Security Policy in 2022

In October 2022, the CJIS Security Policy was updated to v5.9.1, which provided important clarifications for the safeguarding of CJI in a cloud computing environment. Two areas with significantly updated guidance are related to personnel screening and data encryption with customer managed keys (CMK). For example, Section 5.12.1 Personnel Screening Requirements for Individuals Requiring Unescorted Access to Unencrypted CJI provides important supplemental guidance, as follows: Fingerprint-based record checks may not be required for all cloud provider personnel depending upon the type of service offering and access to encryption keys.