CJIS raises a high bar for cybersecurity in law enforcement
There has never been a more important time for state agencies, police departments and other organizations that handle criminal justice data to be aligned and compliant in their cybersecurity policies and practices. At a time when the public sector is being increasingly targeted with cyberthreats like ransomware and phishing, local law enforcement agencies that administer and enforce criminal justice need secure and timely data to investigate and stop numerous types of crimes.
Access to the services that provide this data is a crucial resource and plays an important role in our local and national cybersecurity defense. Secure access to data and information supports cybercrime prevention programs and methods that protect citizens from online fraudsters, cyber predators, hackers and insidious attacks in the real world.
The digital world is expanding as a resource hub for broad criminal activity, providing millions of access points for the tools, codes and system information that help not only law enforcement but also cybercriminals find the information they need to do their work. However, with aging technology and valuable data at stake, the opportunities for hackers in the public sector are enormous. Ransomware attacks on municipal governments, schools and other public sector organizations continue to make headlines. Law enforcement agencies and those that support them with information and services are also increasingly vulnerable.
The agency responsible for the data needs of law enforcement is the FBI’s Criminal Justice Information Services (CJIS) division. With responsibility for handling digital identification biometric data, biographic and case history, the CJIS is the largest division of the FBI.
In late 2022, the CJIS updated its security policy, which applies not only to criminal justice agencies, but to organizations of all sizes that manage IT departments within the public sector. The penalties for non-compliance are steep and could result in a loss of access to data, terminated contracts or grants and potential liability in civil lawsuits.
Policy updates are necessary, but they raise the bar for smaller, cash-strapped and resource-constrained organizations that already have a hard time meeting the basic IT measures to keep their agencies functional and safe from cyberthreats.
Hacks on municipalities can be expensive and often force technology upgrades that are long overdue. Even with the Infrastructure Investment and Jobs Act (IIJA) starting to roll out millions in spending for such upgrades, we see law enforcement and local government agencies struggling now to adhere to the new requirements.
While CJIS is focused on prevention and best practices, the updated policy can be daunting for a small agency struggling to keep up with even the most basic cyber tools and security measures to defend itself. With limited funds and a lack of specialized expertise, smaller organizations have a difficult time meeting the compliance mandates, which can be complex and hard to pull off.
Case in point: as part of its policy update, the CJIS has introduced several password management requirements that are difficult to understand, let alone implement, without a certified cybersecurity specialist. The CJIS password requirements include:
To read the complete article, visit American City & County.