VMware SDDC Product Applicability Guide for CJIS v5.2


VMware SDDC Product Applicability Guide for CJIS v5.2
August 2014, v1.0
Product Applicability Guide

This is the first document in the Compliance Reference Architecture for CJIS. You can find more information on the Framework and download the additional documents from the CJIS Compliance Resources TAB on VMware Solution Exchange here.

Table of Contents

Executive Summary ... 5
Introduction ... 9
Overview of the CJIS Security Policy as it Applies to Cloud/Virtual Environments ... 12
Cloud Computing and Virtual Environments ... 14
Where to Start - Considerations for System Owners, IT and Assessors ... 16
    Law Enforcement Considerations ... 16
    IT Considerations ... 16
    Assessment Considerations ... 17
Guidance from CJIS Security Policy ... 18
VMware Technologies and CJIS ... 22
VMware CJIS Requirements Matrix (Overview) ... 23
CJIS Requirements Matrix (by VMware Suite) ... 25
    vCloud Infrastructure ... 25
    vCloud Networking and Security ... 29
    NSX ... 33
    Operations Management ... 38
CJIS Security Policy ... 43
Glossary of Terms ... 87
Acknowledgements ... 89
    About Coalfire ... 89

Figure 1: CJIS Program Structure ... 9
Figure 2: CJIS Requirements and VMware ... 10
Figure 3: VMware + Partner Product Capabilities for a Trusted Cloud ... 11
Figure 4: Virtualization Risk Mitigation ... 12
Figure 5: Cloud Computing ... 14
Figure 6: VMware Software Defined Data Center Products and Suites ... 22
Figure 7: CJIS Security Requirements and VMware ... 23

Table 1: High-level CJIS Policy Area Mapping ... 7
Table 2: CJIS Requirements ... 24
Table 3: Applicability of CJIS Controls to vCloud Infrastructure ... 25
Table 4: Applicability of CJIS Controls to vCloud Networking and Security ... 29
Table 5: CJIS Controls Applicability Matrix NEED MORE SERVICE COMPOSER ... 34
Table 6: CJIS Controls Applicability Matrix ... 39

Revision History

| DATE | REV | AUTHOR | COMMENTS | REVIEWERS |
|---|---|---|---|---|
| August 14, | | Noah Weisberger | Initially Created | Internal SME, VMware |
| July | | Mary Beth Angin | Updates | Compliance & Cyber Risk Team |

Design Subject Matter Experts

The following people provided key input into this design.

| NAME | E-MAIL ADDRESS | ROLE/COMMENTS |
|---|---|---|
| Noah Weisberger | [email protected] | Director Cloud, Virtualization & Mobile Practice, Coalfire |
| Satnam Purewal | [email protected] | Associate, Coalfire |

Trademarks

The VMware products and solutions discussed in this document are protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at [link missing] States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

| SOLUTION AREA | KEY PRODUCTS |
|---|---|
| VMware vCloud Infrastructure | VMware ESXi, VMware vSphere, VMware vShield Endpoint, VMware vRealize Server and VMware vCloud Director |
| VMware vCloud Networking and Security | VMware vCloud Networking and Security App, VMware vCloud Networking and Security Data Security, VMware vCloud Networking and Security Edge Gateway, VMware vCloud Networking and Security Manager |
| VMware NSX | VMware NSX Edge, NSX Firewall, NSX Router, NSX Load Balancer, NSX Service Composer |
| VMware vRealize Operations (formerly vCenter) | VMware vRealize Operations Manager, VMware vRealize Configuration Manager, VMware vRealize Infrastructure Navigator, VMware vRealize Orchestrator, VMware vCenter Update Manager, VMware vRealize Automation Center, VMware vRealize Log Insight |

VMWARE PRODUCT APPLICABILITY GUIDE
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001


Executive Summary

VMware, the leader in cloud computing software for enterprises, recognizes the tremendous opportunity that Criminal Justice Information Services (CJIS) provides law enforcement and intelligence agencies wishing to leverage VMware solutions for their applications, including efficiencies, cost savings, cyber-risk management, and compliance. VMware has developed a Reference Architecture Framework (RAF) that provides a consistent way for VMware, its partners, and organizations to assess and evaluate the impact of regulations on virtual and cloud environments. Most organizations begin the compliance process by mapping the mandated requirements to their specific organizational needs. This is usually a difficult task that can utilize a significant amount of time and resources. To streamline the process, VMware has established a single holistic approach that can be used to evaluate the VMware environment, partner solutions, and end user tools.

Organizations can significantly reduce the complexity and cost of CJIS Policy compliance by replacing traditional non-integrated solutions with integrated solutions. VMware has mapped its product suites to specific CJIS controls which address the issues of compliance for CJIS. As most organizations know, there is no single product that can meet all of an organization's needs. To address this gap, VMware, together with the VMware partner ecosystem, delivers compliance-oriented solutions, enabling CJIS compliance by automating the deployment, provisioning and operation of regulated environments. VMware provides the solution reference architecture, CJIS specific guidance and software solutions that businesses require to achieve continuous compliance, along with breakthrough speed, efficiency and agility for their deployments. These solutions directly address agency needs for:

* Cost and infrastructure efficiency
* Simplified management and reporting
* Infrastructure transparency
* Effective Cyber-Risk Management
* Ability to enable and maintain a secure and compliant environment
The VMware Compliance RAF (Reference Architecture Framework) provides a programmatic approach to map VMware and partner products to regulatory controls, from an independent auditor perspective. The result is valuable guidance that incorporates best practices, design, configuration and deployment guidance with independent auditor oversight and validation.

VMware recognizes that security and compliance are critical areas that must be addressed by all organizations accessing criminal justice information (CJI). By standardizing an approach to compliance and expanding the approach to include partners, VMware provides customers a proven solution that more fully addresses their compliance needs. This approach provides management, IT architects, administrators, and auditors a high degree of transparency into risks, solutions, and mitigation strategies for moving critical applications to the cloud in a secure and compliant manner. This is especially important when the penalties for noncompliance are extremely high due to the sensitivity of CJI. Failing to comply with the CJIS mandated requirements could mean revocation of access or fines.

Compliance is defined as a set of requirements necessary to meet a set of minimum controls, established by the regulatory group. Compliance with all applicable controls can be challenging when balanced with the fact that criminal justice information needs to be available 24/7 in order for law enforcement, national security, and the intelligence community partners to protect the United States while preserving civil liberties. The Federal Bureau of Investigation (FBI) established the Criminal Justice Information Services (CJIS) Division in 1992 to meet this challenge. Today, CJIS is FBI's largest division and processes millions of transactions on a daily basis, with response times ranging from minutes to seconds.[1] The CJIS Division is responsible for many information technology-based systems like the National Crime Information Center (NCIC), National Instant Criminal Background Check System (NICS), Interstate Identification Index (III), National Data Exchange (N-DEx), Uniform Crime Reporting (UCR) Program, and the Next Generation Identification (NGI). These systems provide state, local, and federal law enforcement and criminal justice agencies with timely and secure access to critical, personal information such as fingerprint records, criminal histories, and sex offender registrations.

CJIS systems are accessed by Criminal Justice Agencies (CJA) and Noncriminal Justice Agencies (NCJA). Per the CJIS Policy, a CJA is a court or governmental agency that allocates budget to the administration of criminal justice and performs the administration of criminal justice pursuant to a statute or executive order. Examples of CJAs:

* Police agencies
* Correctional institutions
* Public defender Divisions

In many cases, these CJAs are looking to leverage the cost savings and efficiencies which virtualization provides, while providing and managing real-time access to criminal justice information. An example of this would be the patrol officer needing to perform a criminal information lookup or open warrant search from his patrol vehicle, leveraging a virtual desktop environment to keep all CJI contained within the data center/cloud environment.
An NCJA is defined as an entity that provides services or access to criminal justice information, such as civil fingerprint-based background checks, for purposes other than the administration of criminal justice. NCJAs can be either public or private entities, and mainly use CJI for hiring, licensing, and screening purposes. The following organizations are examples of typical NCJAs:

* Private Background Check Service Providers
* Licensing divisions
* Schools
* Healthcare administrations

Just as with CJAs, NCJAs also have requirements for efficiencies and effective resource management, which can be greatly enabled by the VMware virtualized infrastructure model, while maintaining compliance with the CJIS program in order to access CJI or CHRI. An example of this would be a service provider that wishes to provide criminal background check services to other organizations using a web portal, and wishes to virtualize their backend data center infrastructure.

With the high volume of transactions processed daily by the CJIS databases, it is essential that all access is authorized for critical and sensitive information at CJIS. For this reason, there is a need for a policy to govern access to the CJIS database.

The CJIS Policy was enacted to fill this void. The premise is to provide appropriate controls to protect the full lifecycle of criminal justice information (CJI), whether at rest or in transit, by defining the minimum requirements for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI data. CJI refers to all data provided for law enforcement and civil agencies to perform their missions, including biometric, identity history, biographic, property, and case/incident data. The intent is protecting CJI until it is released to the public via authorized dissemination or it is purged or destroyed in accordance with applicable record retention rules.

[1] 2013 CJIS Annual Report

VMware is prepared to help agencies comply with the mandated requirements through the use of VMware Products and Suites. Also, VMware's technology partners' solutions within the VMware Compliance Solution Framework may be used to provide additional capabilities and more effectively manage the process of achieving & maintaining CJIS compliance with the greatest security, agility and cost savings.

For these reasons VMware has enlisted its Audit Partners to engage in a programmatic approach to evaluate VMware products and solutions for CJIS control capabilities and then to document these capabilities into a set of reference architecture documents. The first of these documents in the CJIS reference architecture solution set is this document, the VMware CJIS Product Applicability Guide, which contains a mapping of the VMware products and features that should be considered for achieving CJIS compliance. Subsequent documents in this series will include the VMware CJIS Architecture Design Guide, and the VMware CJIS Lab Validated Reference Architecture. For more information on these documents and the general approach to compliance issues please review VMware's Approach to Compliance.

This document presents different VMware applications available to organizations that use (or are considering using) virtualization and cloud to support a CJIS compliant environment. To that end, Coalfire highlighted the specific CJIS requirements that these applications address, or which should be considered in an evaluation of the initial sourcing of technologies to build a CJIS compliant environment.

The following table represents "at-a-glance" the high-level applicability mapping for the VMware products included in this analysis, indexed to the 12 CJIS top-level control groups, and presented in greater detail below.
Table 1: High-level CJIS Policy Area Mapping

The controls selected for this paper are from CJIS version 5.2. It has been reviewed and authored by our staff of CJIS auditors in conjunction with VMware.

Introduction

The CJIS Security Policy integrates presidential directives, federal laws, FBI directives and the criminal justice community's APB decisions along with nationally recognized guidance from the National Institute of Standards and Technology. The Policy is presented at both strategic and tactical levels, is periodically updated to reflect the security requirements of evolving business models, and features modular sections enabling more frequent updates to address emerging threats and new security measures. The security criteria provided by the Policy assists agencies with designing and implementing systems to meet a uniform base level of risk and security protection while enabling agencies the latitude to institute more stringent security requirements and controls based on their business model and local needs.

The CJIS Policy applies to every individual (contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity) with access to, or who operates in support of, criminal justice services and information. The CJIS Security Policy from version 5.0 forward is publicly available and can be posted and shared without restrictions. CJIS 5.2 is the current version and is maintained by the FBI CJIS Division Information Security Officer (FBI CJIS ISO).

Compliance with the CJIS Policy mandate was implemented in a phased approach. Unique and strong passwords were step one with a deadline to comply by September 2010. The next step was the requirement to implement Advanced Authentication (AA) (i.e. two-factor or multi-factor authentication). AA requires an additional authenticator beyond the login ID and password. Additional authenticators can be found with biometric systems, user-based public key infrastructure (PKI), smart cards, and software tokens. Many local law enforcement agencies were not able to meet the original implementation deadline of February 2013, which resulted in an extension to September 2013. The extension still did not provide ample time for most agencies to comply so the deadline was extended again to September 2014. There is not likely to be another extension and the penalties for not complying include revocation of access, fines or both. Compliance is determined through audits once every three years by the CJIS Audit Unit (CAU).

The CJIS Policy has a shared management philosophy with federal, state, local, and tribal law enforcement. The following figure provides a visual categorization of functions and roles:

Figure 1: CJIS Program Structure

Per the Roles and Responsibilities outlined in 3.2 of the CJIS Policy, the CJIS System Agencies (CSA) are responsible for establishing and administering an information technology security program throughout the CSA's user community. For example, in Texas the Department of Public Safety serves as the CSA for the State of Texas.

The head of the CSA will execute a signed written user agreement with the FBI CJIS Division stating its willingness to demonstrate conformity with this policy before accessing and participating in CJIS records information programs. Each agency shall allow the FBI to periodically test the ability to penetrate the FBI's network through the external network connection or system.

The CSA is responsible for appointing a CJIS Systems Officer (CSO) who is responsible for the administration of the CJIS network for the agency. The CSO approves access to FBI CJIS systems and ensures the CJIS Division operating procedures are followed by all users of the respective services and information. Although the role of CSO cannot be outsourced according to the CJIS Policy, the responsibilities can be delegated to subordinate agencies. Each CSA is required to audit local agencies every three years to ensure compliance by CJAs and NCJAs.

Compliance and security are top concerns for law enforcement and intelligence agencies working to meet the requirements outlined in the CJIS Policy. VMware helps agencies address these challenges by providing bundled solutions (suites) that are designed for specific use cases. These use cases address questions like "How can I be CJIS compliant in a VMware supported environment?" by providing helpful information for VMware architects, the compliance community, and third parties. While every compliance solution is unique, VMware can provide a solution that addresses approximately 56% of CJIS technical controls required for compliance. Figure 2 below shows the proportion of technical requirements addressed by VMware in relation to the total number of requirements that are non-technical or organizational responsibility.

Figure 2: CJIS Requirements and VMware (chart legend: CJIS Requirements; Organization Responsibility - Non-Technical; VMware Technical Products)

Figure 3: VMware + Partner Product Capabilities for a Trusted Cloud

Due to the common capabilities of the VMware products and features across all of the CJI Use Cases, understanding the relationship of these products and features to the twelve CJIS control areas is fundamental and most broadly accommodated in this document, with more use case specific guidance to be represented in the forthcoming Architecture Design Guide. Regardless of the Use Case or operating environment model, the CJIS control areas represent a broad-based, balanced, information security program that addresses the management, operational, and technical aspects of protecting federal information and information systems. The management, operational, and technical controls (i.e., safeguards or countermeasures) are prescribed for an information system in order to protect the confidentiality, integrity, and availability of the system and its information. The operational security controls are implemented and executed primarily by people (as opposed to systems). The management controls focus on the management of risk and the management of information system security. The technical security controls are implemented and executed primarily by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

A comprehensive assessment of the management, operational and technical controls that have been selected for the information system is required as part of the authorization process. This assessment must determine the extent to which all selected controls are implemented correctly, operating as intended, and producing desired outcomes with respect to meeting the security requirements for the system. An understanding of CJIS controls as implemented with VMware lends itself to not only harmonizing the ongoing compliance of the private cloud environment but also the shared responsibility for compliance in the public cloud environment. This common set of well-understood policies and procedures, implemented in a common VMware software defined data center architecture across private and public cloud, enables not only the hybrid cloud to become reality but opens up tremendous opportunities for tighter control and agility.

Overview of the CJIS Security Policy as it Applies to Cloud/Virtual Environments

Compliance and security are top concerns for law enforcement and intelligence agencies working to meet the requirements outlined in the CJIS Policy. Failing to comply with the requirements of the Policy could result in loss of access that is critical to perform daily duties in an effective and efficient manner. It could also impact the safety of the public they are trying to protect. Failing to comply could mean heavy fines that could put a strain on already limited budgets. VMware has mapped product suites to CJIS requirements, which reduces the time and resources required to evaluate different solutions.

Various states have contacted the FBI CJIS ISO to request guidance on compliance in virtual environments. The CJIS Division understands the benefits of virtualization but also requires a foundation of security protection measures. In Appendix G of the CJIS Policy, the benefits and vulnerabilities are identified and so are the mitigating factors:

Figure 4: Virtualization Risk Mitigation

BENEFITS
* Make better use of under-utilized servers by consolidating to fewer machines, saving on hardware, environmental costs, management, and administration of the server infrastructure.
* Legacy applications unable to run on newer hardware and/or operating systems can be loaded into a virtual environment replicating the legacy environment.
* Provides for isolated portions of a server where trusted and untrusted applications can be run simultaneously, enabling hot standbys for failover.
* Enables existing operating systems to run on shared memory multiprocessors.
* System migration, backup, and recovery are easier and more manageable.

VULNERABILITIES
* Host dependent.
* If the host machine has a problem then all VMs could potentially terminate.
* Compromise of the host makes it possible to take down the client servers hosted on the primary host machine.
* If the virtual network is compromised then the client is also compromised.
* Client share and host share can be exploited on both instances. Potentially this can lead to files being copied to the share that fill up the drive.
* Environment and access to the physical environment.

MITIGATIONS
* Configuration and patch management of the virtual machine and host, i.e. keep operating systems and application patches up to date on both virtual machines and hosts.
* Install the minimum applications needed on host machines.
* Practice isolation from host and virtual machine.
* Install and keep updated antivirus on virtual machines and the host.
* Segregation of administrative duties for host and versions.
* Audit logging as well as exporting and storing the logs outside the virtual environment.
* Encrypting network traffic between the virtual machine and host IDS and IPS monitoring.
* Firewall each virtual machine from each other and ensure that only allowed protocols will transact.

Not every consumer of FBI CJI services will encounter all of the policy areas; therefore the circumstances of applicability are based on individual agency/entity configuration and usage. There are 116 requirements mandated in the Policy, of which 72 will be the responsibility of the individual agency/entity. The remaining 44 can be met through a combination of VMware and the individual agency/entity's controls.

CJIS compliance was set in a mandate released by the FBI on January 1, 2011. The current version 5.2 was released on August 9, 2013. It has been approved by the CJIS Advisory Policy Board. It can be found at:

Cloud Computing and Virtual Environments

Cloud computing and virtualization have continued to grow significantly every year. There is a rush to move applications and even whole data centers to the "cloud", although few people can succinctly define the term "cloud computing". There are a variety of different frameworks available to define the cloud, and their definitions are important as they serve as the basis for making business, security, and audit determinations. VMware defines cloud or utility computing as the following (cloud/faqs.html):

    Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage.

Figure 5: Cloud Computing

There are commonly accepted definitions for the cloud computing deployment models and there are several generally accepted service models. These definitions are listed below:

* Private Cloud: The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premise or off-premise.
* Public Cloud: The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services.
* Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities, but are bound together by standardized technology. This enables data and application portability; for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization can get the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on premise.
* Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on premise or off premise.

When an organization is considering the potential impact of cloud computing to its highly regulated and critical applications, it may want to start by asking:

* Is the architecture a true cloud environment (does it meet the definition of cloud)?
* What service model is used for the CJIS data environment (SaaS, PaaS, IaaS)?
* What deployment model will be adopted?
* Is the cloud platform a trusted platform?
The last point is critical when considering moving highly regulated applications to a cloud platform. CJIS does not endorse or prohibit any specific service and deployment model, and the appropriate choice of service and deployment models will be driven by customer requirements, among which the concept of leveraging a trusted platform for the cloud-based solution is a consideration which, ideally, will be taken into account.

VMware is the market leader in virtualization, the key enabling technology for cloud computing. VMware's vCloud Suite is the trusted cloud platform that customers use to realize the many benefits of cloud computing, including safely deploying business critical applications.

To get started, VMware recommends that all new customers undertake a compliance assessment of their current environment. VMware offers free compliance checkers that are based on VMware's vRealize Configuration Manager solutions. Customers can simply point the checker at a target environment and execute a compliance assessment request. The resultant compliance report provides a detailed "rule by rule" indication of pass or failure against a given standard. Where compliance problems are identified, customers are directed to a detailed knowledge base for an explanation of the problem posed by a particular rule and information about potential remediation. To download the free compliance checkers click on the following link:

To learn more about VMware's approach to cloud computing, review the following:

* VMware Cloud Computing Overview
* VMware's vCloud Architecture Toolkit

If you are an organization or partner that is interested in more information on the VMware Compliance Program, please email [email protected].
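The Appendix G mitigations listed under Figure 4 (patching, minimal host software, antivirus, logs exported out of the virtual environment, encrypted management traffic, per-VM firewalling with only allowed protocols) and the "rule by rule" pass/fail report described in this section both reduce to evaluating a host's configuration against a fixed checklist. The Python below is an added illustration of that evaluation written for this edit; it is not VMware's compliance checker and not code from the guide. The HostConfig fields, the protocol allow-list, the baseline service set, the 30-day patch window, the 10.10.0.0/16 virtual-network range and the two sample hosts are all assumptions constructed for the example.

```python
"""Rule-by-rule check of a virtual host against Appendix G style mitigations.
Added example for this edit, not VMware's compliance checker; the host attributes,
allow-list, baseline services, patch window and network range are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumed agency policy values (constructed for the example).
ALLOWED_PROTOCOLS = {"tcp/443", "tcp/22", "udp/514"}    # what VMs may exchange with each other
BASELINE_SERVICES = {"hostd", "sshd", "syslog"}         # minimum services a host needs
MAX_PATCH_AGE = timedelta(days=30)                       # patch currency window
VIRTUAL_NETWORK = ipaddress.ip_network("10.10.0.0/16")   # address space of the virtual environment
ASSESSMENT_DATE = date(2014, 8, 15)                      # "today" for the sample run
Result = Tuple[bool, str]                                # (passed, detail)


@dataclass(frozen=True)
class FirewallRule:
    src: str      # VM name or "any"
    dst: str      # VM name or "any"
    proto: str    # e.g. "tcp/443" or "any"
    action: str   # "allow" or "deny"


@dataclass
class HostConfig:
    name: str
    last_patched: date
    services: Set[str]
    antivirus_current: bool
    syslog_target: Optional[str]   # IP the audit logs are shipped to, or None
    management_tls: bool           # management and IDS/IPS traffic encrypted in transit
    vm_rules: List[FirewallRule]


def check_patching(cfg: HostConfig, today: date) -> Result:
    age = today - cfg.last_patched
    return age <= MAX_PATCH_AGE, f"last patched {age.days} days ago"


def check_minimal_services(cfg: HostConfig) -> Result:
    extra = sorted(cfg.services - BASELINE_SERVICES)
    return not extra, "extra services: " + ", ".join(extra) if extra else "only baseline services"


def check_antivirus(cfg: HostConfig) -> Result:
    return cfg.antivirus_current, "antivirus current" if cfg.antivirus_current else "antivirus missing or stale"


def check_remote_logging(cfg: HostConfig) -> Result:
    # Logs must leave the virtual environment: no collector, or a collector inside the
    # VM address space that a host compromise could reach, fails the check.
    if cfg.syslog_target is None:
        return False, "no remote syslog target"
    try:
        inside = ipaddress.ip_address(cfg.syslog_target) in VIRTUAL_NETWORK
    except ValueError:
        return False, f"invalid syslog target {cfg.syslog_target!r}"
    return not inside, f"syslog target {cfg.syslog_target} is {'inside' if inside else 'outside'} the virtual network"


def check_management_encryption(cfg: HostConfig) -> Result:
    return cfg.management_tls, "management traffic encrypted" if cfg.management_tls else "management traffic in cleartext"


def check_vm_firewall(cfg: HostConfig) -> Result:
    # Every allow rule must name both endpoints and use an allow-listed protocol;
    # a wildcard or off-list allow defeats VM-to-VM isolation. Deny rules may be broad.
    problems = []
    for r in cfg.vm_rules:
        if r.action != "allow":
            continue
        if "any" in (r.src, r.dst):
            problems.append(f"wildcard endpoint in {r.src}->{r.dst} {r.proto}")
        elif r.proto not in ALLOWED_PROTOCOLS:
            problems.append(f"protocol {r.proto} not allowed for {r.src}->{r.dst}")
    return not problems, "; ".join(problems) or "only allow-listed protocols between named VMs"


def evaluate(cfg: HostConfig, today: date) -> Dict[str, Result]:
    """Run every check and return the rule-by-rule pass/fail map."""
    return {
        "patch management": check_patching(cfg, today),
        "minimal services": check_minimal_services(cfg),
        "antivirus": check_antivirus(cfg),
        "remote audit logging": check_remote_logging(cfg),
        "encrypted management traffic": check_management_encryption(cfg),
        "per-VM firewall": check_vm_firewall(cfg),
    }


# Constructed sample hosts: one with weak settings, one hardened.
WEAK_HOST = HostConfig("esx-weak", date(2014, 5, 1), {"hostd", "sshd", "syslog", "httpd", "ftpd"},
                       False, "10.10.5.20", False, [FirewallRule("any", "any", "any", "allow")])
HARDENED_HOST = HostConfig("esx-hardened", date(2014, 8, 1), set(BASELINE_SERVICES), True, "192.0.2.10", True,
                           [FirewallRule("web-vm", "db-vm", "tcp/443", "allow"), FirewallRule("any", "any", "any", "deny")])

if __name__ == "__main__":
    for host in (WEAK_HOST, HARDENED_HOST):
        for rule, (ok, detail) in evaluate(host, ASSESSMENT_DATE).items():
            print(f"{host.name:13} [{'PASS' if ok else 'FAIL'}] {rule}: {detail}")
```

The logging check treats a collector inside the virtual network as a failure rather than a pass with a caveat, because the point of the mitigation is that a compromised host or virtual switch must not be able to reach the evidence; the firewall check likewise rejects an "any" endpoint even when the protocol is on the allow-list, since an unbounded allow is what the "only allowed protocols will transact" requirement is meant to prevent.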

Where to Start - Considerations for System Owners, IT and Assessors

Migrating a traditional IT infrastructure to a virtual or cloud environment has a significant impact on an organization that extends beyond information technology. Security and compliance continue to remain top concerns for management, IT departments, and auditors. All three functions should be represented and engaged to consider carefully the benefits and risks of any IT virtualization or cloud projects. The move to cloud and virtual environments has many technical considerations, but it should also be a business decision. Organizations should review the benefits and risks of their current environment and compare them to the different cloud deployment models and service models.

The following questions may be important when considering the potential business impact, benefits, and risks of a virtual and/or cloud environment.

Law Enforcement Considerations

1. When was the last time you had a CJIS audit? Who conducted it? Did you pass? When is your next audit?
2. How do you separate applications that hold/handle CJI (Criminal Justice Information) from those that don't?
3. How do you handle the processing of payments for citations?
4. What are the mission critical applications you run in the field and dispatch centers? (CAD (Computer Aided Dispatch), RMS (Records Management Service), AVL (Automatic Vehicle Locator), Video Recording Device, LPR (License Plate Reader))
5. How do you ensure you maintain continuous compliance with the CJIS requirements?
6. How many servers in your data center? VMs? How are they connected?
7. Are you using Advanced Authentication today? If so, what are you using?
8. What CAD software do you use? How often do you update it? What version are you using now?
9. What RMS software do you use? How often do you update it? What version are you using now?
10. Do you maintain a connection to a State Authority or to a Regional Authority for NCIC data?
11. What do you know about a software defined enterprise?
12. How many patrol vehicles in your fleet?
13. Does every vehicle have a MDT/MCT (Mobile Data Terminal/Mobile Computer Terminal)?
14. What type of devices and operating system do you use in your patrol car?
15. How do you manage the endpoint devices in the patrol vehicles?
16. How do you maintain network communications when vehicles are in the fleet?
17. Are there disconnects? If so, what happens during the disconnect?
18. Do they need to stay connected throughout the day?
19. Are you using cellular for connectivity? (Some big cities are still using radio with less than 19.2 kbps connections)
20. Are you using an APN service or Data Link from your carrier?
21. Do you use a VPN today? If so, what kind?
22. Have you consolidated 911 services? If so, how?
23. Have you consolidated dispatch services? If so, how?
24. How many dispatchers/dispatch locations?
25. How many administrative staff?
26. How many IT staff?
27. How do you maintain connectivity to dispatch centers during a disaster?
28. What disaster planning have you completed to protect the dispatch centers?
29. What do you see as the shortcomings of your current mobile environment?
30. How do you think your officers would answer that question?

IT Considerations

1. How does the IT Operations plan address the company's strategic and operational goals?
2. What manual processes are in place that can be automated?
3. What are the skills and capabilities of the IT Department?
4. Have there been any previous attempts to virtualize or outsource critical operations?
5. Which IT initiatives currently underway could impact the CJIS system boundary?
6. How is encryption currently used to limit risk?
7. How is sensitive data currently classified (i.e., do you know where all your data resides)?
8. Are there secondary systems that might have CJI data?
9. How has security and compliance affected IT Operations?

VMware-Specific Assessment Considerations

1. What certifications does your team have in VMware products or solutions?
2. Are you working with an audit partner to help assess and manage risk & compliance considerations?
3. How many individuals that are part of the assessment team have experience with VMware?
4. How long have they been working with VMware architectures?
5. What references do they have for conducting similar assessments?

Guidance from CJIS Security Policy

VMware has identified the controls in the CJIS Security Policy that highlight some of the critical requirements and guidance that individual agencies/entities are required to address as part of their deployments. VMware has also provided information regarding how VMware tools are designed to help organizations address these controls.

The CJIS Security Policy is divided into 12 policy areas. Each policy area provides both strategic reasoning and tactical implementation requirements and standards. Component applicability alignment within each policy area helps agencies relate the policy to their own agency circumstances.

Policy Area 1 requires formal agreements to be in place prior to the exchange of any CJI. It also requires the establishment of procedures for handling and storage of information so it is protected from unauthorized disclosure, alteration or misuse. The CSA head is required to sign a written user agreement with the FBI CJIS Division stating their willingness to demonstrate conformity with the policy before accessing and participating in CJIS records information programs.

Policy Area 2 requires basic security awareness training within six months of initial assignment, and biennially thereafter, for all personnel who have access to CJI. It details the required security training based on type of access.

Policy Area 3 requires CSAs to establish an operational incident handling capability for agency information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities, as well as to track, document, and report incidents to appropriate agency officials and/or authorities. CSA ISOs are to ensure that LASOs institute the CSA incident response reporting procedures at the local level.

Policy Area 4 requires agencies to implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior.

Policy Area 5 requires an agency to create, modify, disable, and delete accounts on a timely basis. Agencies are required to validate accounts at least annually.

Policy Area 6 requires agencies to identify system users and processes acting on behalf of users and authenticate the identities of those users or processes as a prerequisite to allowing access to agency information systems or services.

Policy Area 7 requires that only qualified and authorized individuals have access to information system components for purposes of initiating changes, including upgrades, and modifications.

Policy Area 8 requires that media protection policy and procedures are documented and implemented to ensure that access to electronic and physical media in all forms is restricted to authorized individuals.

Policy Area 9 requires the documentation and implementation of physical protection policy and procedures to ensure CJI and information system hardware, software, and media are physically protected through access control measures.

Policy Area 10 requires applications and services to have the capability to ensure system integrity through the detection of and protection against unauthorized changes to software and information.

Policy Area 11 requires formal audits to be conducted to ensure compliance with applicable statutes, regulations, and policies.

Policy Area 12 defines requirements for all personnel who have access to unencrypted CJI. The following table summarizes the CJIS requirements that can be met with the VMware suite of products.

Table 2: CJIS Control Applicability Mapping

| CJIS Policy | Requirement | Addressed by VMware |
|---|---|---|
| 5.1 | Policy Area 1: Information Exchange Agreements | |
| 5.1.1 | Information Exchange | Yes |
| | Information Handling | Yes |
| | State and Federal Agency User Agreements | No |
| | Criminal Justice Agency User Agreements | No |
| | Interagency and Management Control Agreements | No |
| | Private Contractor User Agreements and CJIS Security Addendum | No |
| | Agency User Agreements | No |
| | Outsourcing Standards for Channelers | No |
| | Outsourcing Standards for Non-Channelers | No |
| 5.1.2 | Monitoring, Review, and Delivery of Services | No |
| | Managing Changes to Service Providers | Yes |
| 5.1.3 | Secondary Dissemination | No |
| 5.1.4 | Secondary Dissemination of Non-CHRI CJI | No |
| 5.2 | Policy Area 2: Security Awareness Training | |
| | All Personnel | No |
| | Personnel with Physical and Logical Access | No |
| | Personnel with Information Technology Roles | No |
| 5.2.2 | Security Training Records | No |
| 5.3 | Policy Area 3: Incident Response | |
| 5.3.1 | Reporting Information Security Events | Yes |
| | FBI CJIS Division Responsibilities | No |
| | CSA ISO Responsibilities | No |
| 5.3.2 | Management of Information Security Incidents | No |
| | Incident Handling | Yes |
| | Collection of Evidence | No |
| 5.3.3 | Incident Response Training | No |
| 5.3.4 | Incident Monitoring | Yes |
| 5.4 | Policy Area 4: Auditing and Accountability | |
| 5.4.1 | Auditable Events and Content (Information Systems) | Yes |
| | Events | Yes |
| | Content | Yes |
| 5.4.2 | Response to Audit Processing Failures | Yes |
| 5.4.3 | Audit Monitoring, Analysis, and Reporting | No |
| 5.4.4 | Time Stamps | Yes |
| 5.4.5 | Protection of Audit Information | Yes |
| 5.4.6 | Audit Record Retention | Yes |
| 5.4.7 | Logging NCIC and III Transactions | No |
| 5.5 | Policy Area 5: Access Control | |
| 5.5.1 | Account Management | Yes |
| 5.5.2 | Access Enforcement | Yes |
| | Least Privilege | Yes |
| | System Access Control | Yes |
| | Access Control Criteria | Yes |
| | Access Control Mechanisms | Yes |
| 5.5.3 | Unsuccessful Login Attempts | Yes |
| 5.5.4 | System Use Notification | Yes |
| 5.5.5 | Session Lock | Yes |
| 5.5.6 | Remote Access | Yes |
| | Personally Owned Information Systems | No |
| | Publicly Accessible Computers | No |
| 5.5.7 | Wireless Access Restrictions | No |
| | All 802.11x Wireless Protocols | No |
| | Legacy 802.11 Protocols | No |
| | Cellular Risk Mitigations | No |
| | Voice Transmissions Over Cellular Devices | No |
| | Mobile Device Management (MDM) | No |
| | Bluetooth | No |
| 5.6 | Policy Area 6: Identification and Authentication | |
| 5.6.1 | Identification Policy and Procedures | Yes |
| | Use of Originating Agency Identifiers in Transactions and Information Exchanges | Yes |
| 5.6.2 | Authentication Policy and Procedures | Yes |
| | Standard Authenticators | No |
| | Password | Yes |
| | Advanced Authentication Policy and Rationale | Yes |
| | Advanced Authentication Decision Tree | No |
| 5.6.3 | Identifier and Authenticator Management | No |
| | Identifier Management | Yes |
| | Authenticator Management | Yes |
| 5.6.4 | Assertions | No |
| 5.8 | Policy Area 7: Configuration Management | |
| 5.7.1 | Access Restrictions for Changes | No |
| | Least Functionality | Yes |
| | Network Diagram | Yes |
| 5.7.2 | Security of Configuration Documentation | No |
| 5.8 | Policy Area 8: Media Protection | |
| 5.8.1 | Media Storage and Access | No |
| 5.8.2 | Media Transport | No |
| | Electronic Media in Transit | No |
| | Physical Media in Transit | No |
| 5.8.3 | Electronic Media Sanitization and Disposal | No |
| 5.8.4 | Disposal of Physical Media | No |
| 5.9 | Policy Area 9: Physical Protection | |
| | Security Perimeter | No |
| | Physical Access Authorizations | No |
| | Physical Access Control | No |
| | Access Control for Transmission Medium | No |
| | Access Control for Display Medium | No |
| | Monitoring Physical Access | No |
| | Visitor Control | No |
| | Delivery and Removal | No |
| 5.9.2 | Controlled Area | No |
| 5.10 | Policy Area 10: System and Communications Protection and Information Integrity | |
| | Information Flow Enforcement | Yes |
| | Boundary Protection | Yes |
| | Encryption | Yes |
| | Intrusion Detection Tools and Techniques | Yes |
| | Voice over Internet Protocol | No |
| | Cloud Computing | Yes |
| | Facsimile Transmission of CJI | No |
| | Partitioning | Yes |
| | Virtualization | Yes |
| | Patch Management | Yes |
| | Malicious Code Protection | Yes |
| | Spam and Spyware Protection | No |
| | Personal Firewall | No |
| | Security Alerts and Advisories | Yes |
| | Information Input Restrictions | No |
| 5.11 | Policy Area 11: Formal Audits | |
| | Triennial Compliance Audits by the FBI CJIS Division | No |
| | Triennial Security Audits by the FBI CJIS Division | No |
| | Audits by the CSA | No |
| | Special Security Inquiries and Audits | No |
| 5.12 | Policy Area 12: Personnel Security | |
| | Minimum Screening Requirements for Individuals Requiring Access to CJI | No |
| | Personnel Screening for Contractors and Vendors | No |
| | Personnel Termination | No |
| | Personnel Transfer | No |
| | Personnel Sanctions | No |

VMware Technologies and CJIS

VMware provides an extensive portfolio of products designed to help organizations support security and compliance needs. While every environment has unique needs, VMware can provide a comprehensive mix of solutions with features that are designed to assist with CJIS compliance. Those solutions' functionality, features, and applicability to specific CJIS requirements are addressed in detail in the following sections.

| SOLUTION AREA | KEY PRODUCTS |
|---|---|
| VMware vCloud Infrastructure | VMware ESXi, VMware vSphere, VMware vShield Endpoint, VMware vRealize Server and VMware vCloud Director |
| VMware vCloud Networking and Security | VMware vCloud Networking and Security App, VMware vCloud Networking and Security Data Security, VMware vCloud Networking and Security Edge Gateway, VMware vCloud Networking and Security Manager |
| VMware NSX | VMware NSX Edge, NSX Firewall, NSX Router, NSX Load Balancer, NSX Service Composer |
| VMware vRealize Operations (formerly vCenter) | VMware vRealize Operations Manager, VMware vRealize Configuration Manager, VMware vRealize Infrastructure Navigator, VMware vRealize Orchestrator, VMware vCenter Update Manager, VMware vRealize Automation Center, VMware vRealize Log Insight |

To determine the products and features available with VMware Suites please refer to VMware.com: vCloud Suite 5.5, vCloud Networking and Security Suite 5.5, vRealize Operations Management Suite 6.0, NSX 6.0.

Figure 6: VMware Software Defined Data Center Products and Suites

Copyright 2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http:// ... jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

VMware CJIS Requirements Matrix (Overview)

VMware has created a CJIS Requirements Matrix to assist organizations with an understanding of VMware solutions, VMware Partner solutions (where they overlap), and the remaining customer responsibilities that must be addressed separately by the customer through use of other tools or processes. While every cloud is unique, VMware believes that the vast majority of CJIS security requirements can be addressed through the VMware suites and/or VMware Partner solutions.

CJIS Policy requires 116 controls to be met in order to be considered compliant. These controls can be divided into technical (66) and non-technical (50) controls. VMware is currently able to address 44 of the 66 technical controls with VMware products and partner products. Additionally, there are 6 non-technical control requirements where VMware can support and facilitate the required program areas.

The remaining gaps in addressing CJIS Security requirements may be filled by the customer through other tools (i.e. approving customers' policies, keeping an updated network diagram, approving changes, etc.).

Figure 7: CJIS Security Requirements and VMware
(Chart; only its labels survived extraction: CJIS Requirements; Organization Responsibility - Non-Technical; VMware Technical Products.)

Table 3: CJIS Requirements

| CJIS SECURITY POLICY REQUIREMENT | # OF CJIS ASSESSMENT TESTS | TESTS ADDRESSED IN VMWARE'S PRODUCTS |
|---|---|---|
| Information Exchange Agreements | 12 | 1 |
| Security Awareness and Training | 5 | 0 |
| Incident Response | 9 | 4 |
| Auditing and Accountability | 10 | 8 |
| Access Control | | |
| Identification and Authentication | 14 | 8 |
| Configuration Management | 4 | 2 |
| Media Protection | 7 | 0 |
| Physical Protection | 10 | 0 |
| System and Communications Protection and Information Integrity | | |
| Formal Audits | 4 | 0 |
| Personnel Security | 5 | 0 |
| TOTAL | 116 | 44 |

CJIS Requirements Matrix (By VMware Suite)

vCloud Infrastructure

For the purposes of the VMware Applicability Guide for CJIS, vCloud Infrastructure includes vSphere (ESXi, vCenter Server) and vCloud Director. vSphere provides the foundation of the virtual architecture, allowing for the optimization of IT assets. vCloud Director extends the foundation of the vSphere virtual architecture by enabling organizations to build secure clouds and fine tune for security and compliance in private, multi-tenant, mixed-mode, and hybrid clouds. As vCloud leverages the vSphere architecture, the vSphere components integrate to create a single vCloud that can be optimized for security and compliance considerations. While it encompasses many features for storage, business continuity, and automation, for the purposes of this CJIS reference architecture the critical components that apply to CJIS for vCloud Infrastructure include the following:

* ESXi - ESXi is a type 1 hypervisor (bare metal) that is the fundamental building block for virtualizing physical compute resources for cloud computing models. ESXi servers are clustered within the vSphere construct, which offers many features such as load balancing and high availability. The ESXi kernel has a small footprint, no service console, and can limit communication to vCenter access only.
* vShield Endpoint - With integration of other 3rd party endpoint solutions (such as anti-virus), vShield Endpoint improves performance by offloading key antivirus and anti-malware functions to a secured virtual machine and eliminating the antivirus agent footprint and overhead in virtual machines.
* vRealize Server - vCenter Server is a server (virtual or physical) that provides unified management for the entire virtual infrastructure and unlocks many key vSphere capabilities. vCenter Server can manage thousands of virtual machines across multiple locations and streamlines administration with features such as rapid provisioning and automated policy enforcement.
* vCloud Director (vCD) - vCD pools data center resources, including compute, storage and network, along with their relevant policies into virtual data centers. Fully encapsulated, multi-tier virtual machine services are delivered as vApps, using the Open Virtualization Format (OVF). End users and their associated policies are captured in organizations. With programmatic and policy-based pooling of infrastructure, users and services, VMware vCloud Director enforces policies, which enable CJIS data to be securely protected, and new virtual machines and applications to be securely provisioned and maintained.

The following product matrix explains which CJIS controls are applicable to vCloud Infrastructure. It also explains how vCloud Suite enables users to meet CJIS requirements. The controls highlighted in bold are those that have been selected for the CJIS baseline.

Table 4: Applicability of CJIS Controls to vCloud Infrastructure

CJIS Controls Applicability Matrix. Each row gives the policy area, the controls addressed (in parentheses), and the vCloud Infrastructure description.

Information Exchange (controls addressed: ...): vRealize SSO supports integration with role-based access control systems, which supports the agency need to define roles & responsibilities for inclusion in information exchange agreements, which are required for access to CJI data.

Security Awareness: N/A

Incident Response (5.3, ...): VMware suites provide capabilities and instrumentation which can support the agency need to implement the incident response lifecycle, which includes detection and analysis, containment, eradication, and recovery.

Auditing and Accountability (5.4, 5.4.1, ..., 5.4.2, 5.4.4, 5.4.5, 5.4.6): vCloud and vSphere have the ability to log access to components within the environment. Individual access to components can be tracked and logged. Audit trails can capture event, time, action, and other critical requirements that are required for monitoring. Logs can be centrally consolidated, reviewed, and retained for analysis. All systems can be configured with time synchronization, normally by enforcing primary and secondary NTP servers in the cloud environment. vSphere Syslog Collector can be installed on the vCenter Server as a central point for collection of all ESXi syslog streams from hypervisor hosts.

Access Control (5.5.1, 5.5.2, ..., 5.5.3, 5.5.4, 5.5.5, ...): The vCloud Suite 5.5 can be configured to limit access to the agency's environment in a variety of ways. vSphere Client and vRealize Servers, by providing a centralized interface, can reduce the agency environment scope by minimizing the network management and limiting access to critical components. For example, vSphere allows the agency to lock down each ESXi server so that it can only be accessed via the prescribed vCenter Server. Additionally, direct access to components can be reduced (such as lock-down mode for ESXi) to minimize the risk of any direct console or shell access. Hardening guidelines have been developed specifically for the vCloud Infrastructure environment. vCloud Director and vSphere have built-in access control systems in place so that each virtual component can only be accessed by authorized users. Systems can be accessed directly with local accounts, or can be managed centrally through a role-based access control system enforced by vSphere and integrated into a centralized access control system. All access to virtual devices within the vCloud Suite environments can enforce individual access. Minimum username and password requirements can be set on many systems natively (such as the ESXi host). Other virtual components can be configured to use centralized authentication servers (such as Active Directory) which can enforce additional controls for password rotation, lockout, duration, etc.

Identification and Authentication (5.6, 5.6.1, ..., 5.6.2, ...): Storage components can require CHAP or other supported authentication. Other virtual components can be configured to use centralized authentication servers (such as Active Directory) that can enforce additional controls for password complexity. Web-based management interfaces for vSphere and vCloud infrastructure support SSL with a PKI certificate authority infrastructure. These interfaces operate in a VMware infrastructure-wide single sign-on scheme that can also be configured to accept trusted SAML 2 assertions from other Identity and Access Management solutions.

Configuration Management (...): vCloud components support the "least privilege" access model, and have the ability to restrict access based on job role & function. vRealize Server also supports the agency requirement to maintain an accurate network diagram through the ability to manage and observe flow data and endpoint addressing details.

Media Protection: N/A

Physical Protection: N/A

System and Communications Protection and Information Integrity (5.10, 5.10.1, ...): vSphere pooled components are shared as part of virtualization; as such, multiple resources may be partitioned for consumption and can be given adequate system boundary isolation. Allocating resources by priority, utilizing storage and networking I/O control, Distributed Resource Scheduling, etc. can further enforce these boundaries. More on these subjects will be discussed in the forthcoming CJIS Architecture Design Guide. vSphere vSwitches and port groups can be configured to transmit on specified VLANs and VLAN trunks.
When TPM and TXT are enabled, ESXi measures the entire hypervisor stack when the system boots and stores these measurements in the Platform Configuration Registers (PCR) of the TPM. The measurements include the VMkernel, kernel modules, drivers, native management applications that run on ESXi, and any boot-time configuration options. All VIBs that are installed on the system are measured.
VMware Technology Partner solutions can use these measurements to validate running instances of ESXi against TPM checksum values stored in the computer hardware Platform Configuration Registers (PCRs). vSphere does not provide a user interface to view these measurements. These solutions can also render events to the system administrators that evacuate hosts that have failed this verification.
This approach, coupled with various tamper-proof form factors of compute and ESXi Auto Deploy, provides a 'zero touch' approach that is measured for trust attestation. More on this approach is outlined in the Architecture Design Guide for CJIS.
vCloud and vSphere have the ability to log access to components within the environment. Individual access to components can be tracked and logged. Audit trails can capture event, time, action, and other critical requirements that are required for monitoring. Logs can be centrally consolidated, reviewed, and retained for analysis. All systems can be configured with time synchronization, normally by enforcing primary and secondary NTP servers in the cloud environment. vSphere Syslog Collector can be installed on the vCenter Server as a central point for collection of all ESXi syslog streams from hypervisor hosts.

Formal Audits: N/A

Personnel Security: N/A

vCloud Networking and Security

In order to provide multi-tenancy through segmentation and other advanced networking features, vCloud Director is tightly integrated with vCloud Networking and Security Edge Gateway. All of the vCloud Networking and Security products provide a software-based approach to application and data security in virtual and cloud environments, which have traditionally been enforced primarily through physical security appliances. While vCloud Networking and Security App and Data Security are not integrated directly with vCloud Director, they are valuable tools for meeting compliance in a Private Cloud deployment model. The following are the VMware vCloud Networking and Security products:

* App - Protects applications in a virtual data center against network-based threats by providing a firewall that is hypervisor-based and application-aware. vCloud Networking and Security App has visibility of intra-VM communication, and enforces policies, firewall rules based on logical groups, and workloads.
* Data Security - Scans for Sensitive Data Discovery across virtualized resources, allowing organizations to identify and secure different types of sensitive data. For CJIS, it provides a way to search virtual machine data files (data at rest) for sensitive information such as personally identifiable information matching known patterns, in order to identify workloads and unauthorized data stores not currently under CJIS policy.
* Edge Gateway - Enhances protection of a virtual data center perimeter by providing gateway security services including a stateful inspection firewall, site-to-site VPN, load balancing, Dynamic Host Configuration Protocol (DHCP), and Network Address Translation (NAT). It also has the ability to integrate with third-party IDS solutions.
* Manager - Manager orchestrates the working of all the above-mentioned products and ensures integration with vRealize and the VMware management portfolio.
The following product matrix explains which CJIS controls are applicable to vCloud Networking and Security. It also explains how vCloud Networking and Security Suite and associated products assist users in meeting CJIS requirements. The controls highlighted in bold are those that have been selected for the CJIS Baseline.

Table 5: Applicability of CJIS Controls to vCloud Networking and Security

CJIS Controls Applicability Matrix. Each row gives the policy area, the controls addressed (in parentheses), and the vCloud Networking and Security description.

Information Exchange (5.1.1, ...): vRealize SSO supports integration with role-based access control systems, which supports the agency need to define roles & responsibilities for inclusion in information exchange agreements, which are required for access to CJI data.

Security Awareness: N/A

Incident Response (..., 5.3.4, ...): VMware suites provide capabilities and instrumentation which can support the agency need to implement the incident response lifecycle, which includes detection and analysis, containment, eradication, and recovery.

Auditing and Accountability (5.4.1, ..., 5.4.2, 5.4.4, 5.4.5, 5.4.6, ...): vCloud Networking and Security App and Edge Gateway have the ability to log access to components within the virtual environment using syslog. Individual access to runtime components such as virtual firewalls, as well as administrative activities in Manager, can be tracked, logged, and enforced. Audit trails can capture event, time, action, and other critical requirements required for monitoring. Logs can be centrally consolidated, reviewed, and retained for analysis. All systems can be configured with time synchronization, normally by enforcing primary and secondary NTP servers in the vSphere environment.

Access Control (5.5.1, 5.5.2, ..., 5.5.3, 5.5.4, 5.5.5, 5.5.6, ...): vCloud Networking and Security has built-in access control systems in place so that only authorized users can access each virtual component. Systems can be accessed directly with local accounts, or can be managed centrally through a role-based access control system enforced by vSphere and integrated into a centralized access control system. vCloud Networking and Security supports authentication based on job classification and function (RBAC), and can be configured to require that only the appropriate administrators and support personnel have access to vCloud Networking and Security components and operations. Manager provides a centralized solution to manage and enforce security profiles across a large distributed environment.
vCloud Networking and Security Edge Gateway SSL-VPN provides remote access to a network environment. Authentication may be bound to an Active Directory domain or other policies that can enforce the display of a system use notification message, session lock timeout, failed login attempt lockout, etc., as well as role-based control of applications available in that session.

Identification and Authentication (5.6, 5.6.1, ..., 5.6.2, ...): vCloud Networking and Security Edge Gateway supports two kinds of virtual private networks. IPsec connectivity to remote devices utilizing the IKE protocol/authentication scheme supports always-on VPN tunnels to remote sites or within compartments of the same agency. The Edge Gateway SSL-VPN can be integrated with Active Directory for enforcing credential policies such as password complexity. Additionally, advanced authentication (i.e. 2-factor authentication) can be enabled for inbound SSL-VPN connections. VMware Technology Partner solutions can be configured for remote access leveraging RADIUS, CAC, PIV and other types of multi-factor authentication schemes.

Configuration Management (...): vCloud Networking and Security implicitly supports the least privilege access model for all components, as required by CJIS Security Policy. vCloud Networking and Security also supports the agency requirement to maintain an accurate network diagram through the ability to manage and observe flow data and endpoint addressing details.

Media Protection: N/A

Physical Protection: N/A

System and Communications Protection and Information Integrity (5.10, 5.10.1, ...): vCloud Networking and Security Manager provides centralized management and can be used to enforce the approval process for changes to network connections. Edge Gateway and App can control how data flows over a network. Roles and responsibilities for management can be enforced and defined in Manager and integrated into other RBAC solutions. Edge Gateway can be used as a firewall to separate wireless networks from the virtual infrastructure. Both Edge Gateway and App perform stateful inspection (dynamic filtering). App and Edge Gateway also support comment fields, which can be used to document the justification for every open port and service. Manager can be used to view current configurations and allow an administrator to compare them to an approved configuration; this facilitates confirmation that running configuration files for App and Edge Gateway are secured and match the approved configurations.
vCloud Networking and Security can provide segmentation for vCloud environments by segmenting virtual machines and port groups and enforcing perimeter security. Edge Gateway provides gateway security services including a stateful inspection firewall, which protects the network from traffic into and out of the virtualized infrastructure. App provides visibility and control for intra-VM communication. vCloud Director orchestrates many features and exposes many attributes of Edge Gateway in its native portal interface. These orchestrated features provide for multi-tenant consumption of shared vSphere resources. More information on the vCloud architecture and its CJIS compliance implications is described in detail in the Architecture Design Guide for CJIS.
vCloud Networking and Security Data Security provides scanning of data at rest of the guest virtual machines using pattern-matching techniques, allowing discovery of sensitive data, such as PII, that can automate steps for bringing violations under appropriate policies for protection.

Formal Audits: N/A

Personnel Security: N/A
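The TPM/TXT measured boot described in the System and Communications Protection row of Table 4 (vCloud Infrastructure) works by extending a PCR with each component in boot order, so that a partner attestation service can compare the final register against a known-good value. The following is an added example, not VMware code or a partner product: it simulates the PCR extend chain over a constructed component list, then applies the two checks an attestation service makes (the event log must reproduce the quoted PCR, and the PCR must match the golden baseline) and derives the host action. The component names and contents are made up, and SHA-256 is used throughout for readability; a TPM 1.2 of the ESXi 5.5 era extends 20-byte SHA-1 registers.

```python
import hashlib

# Constructed boot chain in the order ESXi would measure it: VMkernel, kernel modules and
# drivers, native management applications, installed VIBs, boot-time options. The component
# names and contents are made up for this example.
GOLDEN_BOOT_CHAIN = [
    ("vmkernel",          b"vmkernel build 1234567"),
    ("module:vmkapi",     b"vmkapi module build 1234567"),
    ("driver:nic-driver", b"nic driver 2.1.0"),
    ("app:hostd",         b"hostd build 1234567"),
    ("vib:esx-base",      b"esx-base 5.5.0-1234567"),
    ("vib:partner-agent", b"partner-agent 1.0.0 signed"),
    ("bootopt",           b"lockdownMode=enabled"),
]

PCR_SIZE = 32  # SHA-256 digest length; a TPM 1.2 PCR would be 20 bytes (SHA-1)


def measure(data: bytes) -> bytes:
    """Hash of one component, as recorded in the measurement log."""
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || measurement).
    A PCR can only be extended, never written, so the final value depends on every
    measurement and on their order."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(chain):
    """Simulate the boot: extend a reset PCR with each component's measurement and keep
    the event log. Returns (pcr_hex, log) where log is a list of (name, measurement_hex)."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, data in chain:
        m = measure(data)
        pcr = extend(pcr, m)
        log.append((name, m.hex()))
    return pcr.hex(), log


def replay(log):
    """Recompute the PCR from an event log alone."""
    pcr = bytes(PCR_SIZE)
    for _, m_hex in log:
        pcr = extend(pcr, bytes.fromhex(m_hex))
    return pcr.hex()


def attest(reported, golden):
    """Attestation logic; reported and golden are (pcr_hex, log) tuples.
    1. The event log must reproduce the quoted PCR (otherwise the log was edited).
    2. The PCR must equal the golden value recorded from a known-good host.
    Returns (verdict, detail)."""
    pcr_hex, log = reported
    golden_pcr, golden_log = golden
    if replay(log) != pcr_hex:
        return "untrusted", "event log does not reproduce the quoted PCR"
    if pcr_hex != golden_pcr:
        for i, (entry, ref) in enumerate(zip(log, golden_log)):
            if entry != ref:
                return "untrusted", f"measurement differs at entry {i} ({entry[0]})"
        return "untrusted", "measurement count differs from golden log"
    return "trusted", "boot chain matches golden baseline"


def host_action(verdict):
    """What the attestation service raises for the administrator, mirroring the
    'evacuate hosts that have failed this verification' behaviour in the text."""
    return "evacuate-and-quarantine" if verdict == "untrusted" else "admit-to-cluster"
```

Because the register is a hash chain, a modified VIB, a dropped driver or the same components in a different order all produce a different final value, and a host cannot present a clean log for a dirty PCR since the log is replayed before it is trusted.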
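The Auditing and Accountability rows of Tables 4 and 5 (and the NSX matrix that follows) all rest on the same two practices: forwarding every host's syslog stream to a central collector and enforcing NTP so the audit trail can be correlated. The following is an added example, not VMware code, of the checks a collector-side reviewer would run over such a stream: a sliding-window count of rejected logins per user and source (measured on the collector's clock, so a host with a wrong clock cannot hide a burst) and a per-host clock-skew report that surfaces hosts not keeping NTP time. The sample lines, hosts, users and addresses are constructed, the line layout is a simplified syslog style rather than the exact ESXi hostd format, and the threshold and window are parameters chosen here, not values taken from the policy text.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample, as (time the collector received the line, raw line). The line layout
# is a simplified syslog style (host timestamp, host name, process, message), not the
# exact ESXi hostd format; hosts, users and addresses are made up.
SAMPLE_LOG = [
    ("2014-08-05T14:00:05Z", "2014-08-05T14:00:05Z esx01 hostd: User admin@10.10.1.5 logged in"),
    ("2014-08-05T14:01:10Z", "2014-08-05T14:01:10Z esx02 hostd: Rejected password for user root from 10.10.9.77"),
    ("2014-08-05T14:01:12Z", "2014-08-05T14:01:12Z esx02 hostd: Rejected password for user root from 10.10.9.77"),
    ("2014-08-05T14:01:15Z", "2014-08-05T14:01:15Z esx02 hostd: Rejected password for user root from 10.10.9.77"),
    ("2014-08-05T14:01:17Z", "2014-08-05T14:01:17Z esx02 hostd: Rejected password for user root from 10.10.9.77"),
    ("2014-08-05T14:01:20Z", "2014-08-05T14:01:20Z esx02 hostd: Rejected password for user root from 10.10.9.77"),
    ("2014-08-05T14:02:00Z", "2014-08-05T14:02:00Z esx02 hostd: Rejected password for user svc-backup from 10.10.1.20"),
    ("2014-08-05T14:05:00Z", "2014-08-05T13:12:00Z esx03 hostd: User admin@10.10.1.5 logged in"),
    ("2014-08-05T14:05:03Z", "2014-08-05T14:05:02Z esx01 hostd: Rejected password for user admin from 10.10.1.5"),
    ("2014-08-05T14:06:00Z", "2014-08-05T14:06:00Z esx01 hostd: Lockdown mode enabled"),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
LOGIN_OK_RE = re.compile(r"^User (?P<user>[^@\s]+)@(?P<src>\S+) logged in")
LOGIN_FAIL_RE = re.compile(r"^Rejected password for user (?P<user>\S+) from (?P<src>\S+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(received, raw):
    """Turn one collected line into an event dict; unknown messages keep kind='other'."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    event = {"received": parse_ts(received), "ts": parse_ts(m["ts"]),
             "host": m["host"], "kind": "other", "user": None, "src": None}
    ok, fail = LOGIN_OK_RE.match(m["msg"]), LOGIN_FAIL_RE.match(m["msg"])
    if ok:
        event.update(kind="login_ok", user=ok["user"], src=ok["src"])
    elif fail:
        event.update(kind="login_fail", user=fail["user"], src=fail["src"])
    return event


def load_events(sample):
    return [e for e in (parse_line(r, raw) for r, raw in sample) if e]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """(user, source, count) for every user/source pair with >= threshold rejected logins
    inside a sliding window. The window is measured on the collector's clock, so a host
    with a wrong clock cannot hide a burst. Threshold and window are parameters chosen
    for this example, not values taken from the CJIS policy text."""
    recent = defaultdict(deque)
    flagged = {}
    for e in sorted(events, key=lambda e: e["received"]):
        if e["kind"] != "login_fail":
            continue
        key = (e["user"], e["src"])
        q = recent[key]
        q.append(e["received"])
        while e["received"] - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return [(u, s, n) for (u, s), n in flagged.items()]


def clock_skew(events, tolerance=timedelta(seconds=30)):
    """Worst |host timestamp - collector timestamp| in seconds, per host, for hosts whose
    skew exceeds tolerance: these hosts are not keeping NTP time and their audit trail
    cannot be correlated with the rest of the environment."""
    worst = {}
    for e in events:
        skew = abs(e["received"] - e["ts"])
        if skew > worst.get(e["host"], timedelta(0)):
            worst[e["host"]] = skew
    return {h: int(s.total_seconds()) for h, s in worst.items() if s > tolerance}
```

On the sample, the five rejected root logins from one source within ten seconds are reported as a burst, the lone service-account failure is not, and esx03 is reported with 3180 seconds of skew, which is the kind of finding that should be raised before its logs are used for anything time-sensitive.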
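The Data Security product described above searches files at rest for sensitive information matching known patterns, so that workloads and data stores holding CJI outside the CJIS policy boundary can be found. The following is an added example, not VMware or Data Security code, of that logic: an SSN detector with the structural checks that keep it from matching arbitrary digit groups, a CJI keyword list, a scan over a constructed inventory of VM files, and a final step that lists the VMs holding hits while not being in CJIS scope. Findings carry only the last four digits, since a scanner that copies what it finds becomes a data store itself. The inventory, paths, SSN values and keyword list are constructed for illustration.

```python
import re

# Constructed inventory of guest VM files at rest: VM name -> (in CJIS policy scope?,
# {path: content}). Names, paths and values are made up; the SSNs are test values.
WORKLOADS = {
    "vm-records-01": (True, {
        "/data/arrests.csv": b"name,ssn\nDoe,123-45-6789\nRoe,234-56-7890\n",
    }),
    "vm-hr-02": (False, {
        "/tmp/export.txt": b"Subject SSN 987-65-4321 pulled from an NCIC query",
    }),
    "vm-web-03": (False, {
        "/var/www/index.html": b"<html>order 000-12-3456 and 12-345-6789 are not SSNs</html>",
    }),
}

# Detectors are illustrative: an SSN pattern with the structural checks (area not 000, 666
# or 9xx; group not 00; serial not 0000) and a keyword list of CJI-specific terms.
SSN_RE = re.compile(r"(?<![\d-])(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\d-])")
CJI_KEYWORDS = ("NCIC", "criminal history record")


def mask_ssn(value):
    """Findings carry only the last four digits; the scanner must not copy the CJI it found."""
    return "***-**-" + value[-4:]


def scan_content(text):
    """List of (kind, evidence) hits in one file's text."""
    hits = [("ssn", mask_ssn(m.group(0))) for m in SSN_RE.finditer(text)]
    hits += [("cji_keyword", kw) for kw in CJI_KEYWORDS if kw.lower() in text.lower()]
    return hits


def scan_workloads(inventory):
    """Findings across all VMs: list of {vm, path, in_scope, hits}."""
    findings = []
    for vm, (in_scope, files) in inventory.items():
        for path, content in files.items():
            hits = scan_content(content.decode("utf-8", "replace"))
            if hits:
                findings.append({"vm": vm, "path": path, "in_scope": in_scope, "hits": hits})
    return findings


def out_of_scope_stores(findings):
    """VMs holding CJI-like data that are not under CJIS policy: the unauthorized data
    stores the Data Security description talks about."""
    return sorted({f["vm"] for f in findings if not f["in_scope"]})
```

The in-scope records server produces findings too, but the actionable output is the out-of-scope list: a workload that was never brought under the CJIS boundary and now holds CJI.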

NSX

Software Defined Networking (SDN) and Network Function Virtualization (NFV) are two critical technologies for increasing agility in the consumption of physical resources, with inherent gains in policy-based management of networks. VMware's entry into this market is NSX which, much like ESXi enables IT to treat physical hosts as a pool of compute capacity, allows IT to treat its physical network as a pool of transport capacity that can be consumed and repurposed on demand. A virtual machine is a software container that presents logical CPU, memory and storage to an application. Similarly, a virtual network is a software container that presents logical network components (logical switches, logical routers, logical firewalls, logical load balancers, logical VPNs and more) to connected workloads. Leveraging NSX, logical networks are programmatically created, provisioned and managed, utilizing the underlying physical network as a simple packet-forwarding backplane. Network and security services are distributed and attached to VMs within a network. As a VM is moved to another host, these services stay attached to the VM and move with it. In addition, as new VMs are added to a network to scale an application, policy can be dynamically applied to the new VMs. NSX also reduces the time it takes to provision custom, multi-tier network topologies and enterprise class security services, and reduces costs by eliminating manual configurations.

NSX policies for firewall and other third party solutions are enabled for management with NSX Service Composer. Service Composer not only allows you to manage groups of security policy-based objects but also to select which virtual machine metadata tags will be utilized to determine which of the policies should be applied. Service Composer also allows for managing the readiness of VMware Technology Partner solutions that leverage the NSX API for implementing security services in the ESXi hypervisor kernel.

* Logical Switching - The logical switching capability in the NSX platform provides customers the ability to spin up isolated logical L2 networks with the same flexibility and agility as they have for spinning up virtual machines. There are four main components that help decouple the underlying physical network fabric and provide a virtual network abstraction layer: NSX Manager, Controller Cluster, User World Agent and VXLAN Tunnel Endpoint.
* Logical Routing - There are two modes of routing supported in the NSX platform: Distributed Routing and Centralized Routing. The Distributed Routing capability in the NSX platform (an ESXi kernel module) provides an optimized and scalable way of handling east-west traffic within a data center. Centralized logical routing, typically used for north-south traffic to and from the cloud infrastructure, is performed by the NSX Edge (a virtual appliance). Along with the routing services, NSX Edge also supports other network services that include DHCP, NAT, load balancing and VPN.
* Logical Firewall - The VMware NSX platform includes distributed kernel-enabled firewalling with line-rate performance, virtualization and identity awareness with activity monitoring, among other network security features native to network virtualization such as network isolation and segmentation.
* Service Composer - NSX Service Composer offers a way to automate the consumption of services and their mapping to virtual machines using logical policy. Customers can assign policies to groups of virtual machines and, as more virtual machines are added to the group, the policy is automatically applied to the virtual machine. Customers can build advanced workflows automating security, compliance and network provisioning, including load balancing and firewall rules.

The following product matrix explains which CJIS controls are applicable to VMware NSX. It also explains how NSX and associated products assist users in meeting CJIS requirements. The controls highlighted in bold are those that have been selected for the CJIS baseline.
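The Service Composer and Logical Firewall bullets above describe the behaviour that matters for information flow enforcement: group membership is derived from VM tags, policies are attached to groups in precedence order, the resulting rules follow a VM when it moves hosts, and a new VM that matches a group's criteria receives the group's rules without any policy edit. The following is an added example, not NSX code, that models exactly that in a few classes: tag-based security groups, ranked policies, and first-match evaluation with a default deny. The group names, tags, ports, policies and VM inventory are constructed for illustration, and the evaluation model is simplified from the NSX implementation (rules apply when a policy's group contains either endpoint; no sections, services or negation).

```python
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    host: str
    ip: str
    tags: set = field(default_factory=set)


@dataclass(frozen=True)
class SecurityGroup:
    """Dynamic membership: a VM belongs if it carries all of the group's required tags."""
    name: str
    required_tags: frozenset

    def contains(self, vm):
        return self.required_tags <= vm.tags


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # security group name or "any"
    dst: str
    port: object    # TCP port, or None for any service
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    applied_to: str   # group whose members get these rules at their vNIC
    rules: tuple


class ServiceComposer:
    def __init__(self, groups, policies):
        self.groups = {g.name: g for g in groups}
        self.policies = list(policies)   # list order is policy precedence

    def _in(self, group_name, vm):
        return group_name == "any" or self.groups[group_name].contains(vm)

    def members(self, group_name, vms):
        return sorted(vm.name for vm in vms if self._in(group_name, vm))

    def effective_rules(self, vm):
        """Rules enforced at this VM regardless of the host it runs on."""
        return [r for p in self.policies if self._in(p.applied_to, vm) for r in p.rules]

    def evaluate(self, src, dst, port):
        """First matching rule across the policies that apply to either endpoint, in
        precedence order; nothing matching means the default deny."""
        for p in self.policies:
            if not (self._in(p.applied_to, src) or self._in(p.applied_to, dst)):
                continue
            for r in p.rules:
                if self._in(r.src, src) and self._in(r.dst, dst) and r.port in (None, port):
                    return r.action, r.name
        return "deny", "default-deny"


# Constructed groups and policies: a CJI database tier reachable only from the CJI
# application tier, and a quarantine group that isolates anything tagged vulnerable.
GROUPS = [
    SecurityGroup("cji-db", frozenset({"cji", "db"})),
    SecurityGroup("cji-app", frozenset({"cji", "app"})),
    SecurityGroup("quarantine", frozenset({"vulnerable"})),
]
POLICIES = [
    SecurityPolicy("quarantine-policy", "quarantine", (
        Rule("q-in", "any", "quarantine", None, "deny"),
        Rule("q-out", "quarantine", "any", None, "deny"),
    )),
    SecurityPolicy("cji-db-policy", "cji-db", (
        Rule("app-to-db", "cji-app", "cji-db", 5432, "allow"),
        Rule("db-default", "any", "cji-db", None, "deny"),
    )),
]


def demo():
    """Walk through tag-driven policy: new VM, vMotion, quarantine tag."""
    sc = ServiceComposer(GROUPS, POLICIES)
    db1 = VM("db1", "esx01", "10.1.1.10", {"cji", "db"})
    app1 = VM("app1", "esx01", "10.1.2.10", {"cji", "app"})
    web1 = VM("web1", "esx02", "10.1.3.10", {"cji", "web"})
    results = {
        "app1->db1:5432": sc.evaluate(app1, db1, 5432),
        "web1->db1:5432": sc.evaluate(web1, db1, 5432),
        "app1->db1:22": sc.evaluate(app1, db1, 22),
    }
    app2 = VM("app2", "esx02", "10.1.2.11", {"cji", "app"})   # new VM, no policy edit
    results["app2->db1:5432 (new)"] = sc.evaluate(app2, db1, 5432)
    app2.host = "esx03"                                        # vMotion: policy follows the VM
    results["app2->db1:5432 (moved)"] = sc.evaluate(app2, db1, 5432)
    app2.tags.add("vulnerable")                                # tag change re-evaluates membership
    results["app2->db1:5432 (quarantined)"] = sc.evaluate(app2, db1, 5432)
    results["cji-app members"] = sc.members("cji-app", [db1, app1, web1, app2])
    return results
```

The quarantine policy is ranked first on purpose: a VM tagged vulnerable is cut off even though it still satisfies the cji-app membership criteria, which is the precedence question a reviewer should ask of any Service Composer design.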

Table 6: CJIS Controls Applicability Matrix

CJIS CONTROLS APPLICABILITY MATRIX (columns: Policy Area; Controls Addressed; NSX Description)

Information Exchange
Controls addressed: 5.1.1, , ,
NSX supports vCenter SSO and integrates with Role-Based Access Control systems, which supports the agency need to define roles and responsibilities for inclusion in information exchange agreements, which are required for access to CJI data.

Security Awareness
Controls addressed: N/A
N/A

Incident Response
Controls addressed: 5.3, , 5.3.4,
NSX provides capabilities and instrumentation which can support the agency need to implement the incident response lifecycle, which includes detection and analysis, containment, eradication, and recovery.

Auditing and Accountability
Controls addressed: 5.4.1, , , 5.4.2, 5.4.4, 5.4.5, 5.4.6,
NSX has the ability to log access to components within the virtual environment using syslog. Individual access to runtime components such as virtual firewalls, as well as administrative activities in Manager, can be tracked, logged, and enforced. Audit trails can capture event, time, action, and other critical requirements required for monitoring. Logs can be centrally consolidated, reviewed, and retained for analysis. All systems can be configured with time synchronization, normally by enforcing primary and secondary NTP servers in the vSphere environment.
NSX Activity Monitoring provides enhanced visibility into Windows session credentials and their network communications, including the Guest OS process or executable performing the activity and on what domain credential authority, thereby enhancing audit information used to investigate adherence to system-wide policies.

Access Control
Controls addressed: 5.5.1, 5.5.2, , , , , 5.5.3, 5.5.4, 5.5.5, 5.5.6,
VMware NSX 6.0 allows for pre-defined network rules and policies enabling more effective information flow enforcement at the network layer. NSX Activity Monitoring provides an in-depth log trail of computer names, user session IDs in the form of Active Directory security principals and group membership in the case of Identity Firewall rules, along with other traditional network tuples (source IP, destination IP, TCP port/protocol). This data source provides the data necessary to validate against asserted policies in a third-party SIEM solution.
NSX has built-in access control systems in place so that only authorized users can access each virtual component. Systems can be accessed directly with local accounts, or can be managed centrally through a role-based access control system enforced by vSphere and integrated into a centralized access control system. NSX supports authentication based on job classification and function (RBAC), and can be configured to require that only the appropriate administrators and support personnel have access to vCloud Networking and Security components and operations. Manager provides a centralized solution to manage and enforce security profiles across a large distributed environment.
NSX Edge SSL-VPN provides access to a configured Windows RDP session. This Windows session may be bound to an Active Directory Domain or other policies that can enforce the display of a System Use Notification Message, session lock timeout, failed login attempt lockout, etc., as well as role-based control of applications available in that session.

Identification and Authentication
Controls addressed: 5.6, 5.6.1, , 5.6.2, , , , ,
NSX Edge supports two kinds of Virtual Private Networks. IPsec connectivity to remote devices utilizing the IKE protocol/authentication scheme supports always-on VPN tunnels to remote sites or within compartments of the same CSP.
Edge SSL-VPN can be integrated with Active Directory for enforcing credential policies such as complexity, as well as RSA SecurID for multi-factor authentication, in accordance with requirements for advanced authentication (i.e. multi-factor authentication) for remote connections. VMware Technology Partner solutions can be configured for remote access leveraging RADIUS, CAC, PIV and other types of multi-factor authentication schemes.

VMWARE PRODUCT APPLICABILITY GUIDE - VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001

Configuration Management
Controls addressed: ,
NSX network virtualization programmatically creates, snapshots, deletes, and restores software-based virtual networks. The virtualization of networking services and devices such as Layer 2 switching, L3 routing, load balancing and firewall services allows Cloud Service Providers to create compliant baseline configurations of networking services and architecture and maintain them under configuration control. These can then be deployed to federal agency customers without the risk of misconfiguration or lengthy replication of effort in provisioning network services.
NSX Service Composer provides for the development of Firewall and other VMware Technology Partner policies. These can be applied across the SDDC, enabling central configuration management of policies that direct the runtime security components of the SDDC. These policies can be dynamic (applied to security groups) and support inclusion of workloads based on metadata criteria that are actively queried and can be set or consumed by any NSX API-integrated VMware or Technology Partner solution, with rules that determine when each policy set will be applied or relieved. These policies can integrate with other NSX technologies such as NSX Data Security to quarantine or apply appropriate firewall rules to discovered workloads to be brought under CDE managed policy.
NSX also supports the Agency requirement to maintain an accurate network diagram through the ability to manage and observe both live and historical network flow data.

Media Protection
Controls addressed: N/A
N/A

Physical Protection
Controls addressed: N/A
N/A

System and Communications Protection and Information Integrity
Controls addressed: 5.10, 5.10.1, , , , , , ,
Network virtualization through NSX 6.0 allows for pre-defined Layer 2 to Layer 7 services. This adds an additional layer of separation within multi-tenant hosting services and, most importantly, reduces the risk of misconfiguration of network services and potential exposure of sensitive information and data to unauthorized networks or personnel.
NSX Activity Monitoring provides an in-depth log trail of computer names, user session IDs in the form of Active Directory security principals and group membership in the case of Identity Firewall rules, along with other traditional network tuples (source IP, destination IP, TCP port/protocol). This data source provides the data necessary to validate against asserted policies in a third-party SIEM solution. NSX 6.0 provides Load Balancing as a service within the networking suite. This service enables workload distribution across physical servers as well as dynamic scalability for high bandwidth.
NSX Data Security provides scanning of data at rest on the guest virtual machines using pattern-matching techniques, allowing discovery of sensitive data, such as PII, that can automate steps for bringing violations under appropriate policies for protection.
The VMware NSX Network Virtualization suite provides the following services, which can be configured to support boundary protection, network segmentation and trusted path requirements for federal customers:
* Logical Layer 2 - Enabling extension of a L2 segment/IP subnet anywhere in the fabric irrespective of the physical network design.
* Distributed L3 Routing - Routing between IP subnets can be done in a logical space without traffic going out to the physical router. This routing is performed in the hypervisor kernel with a minimal CPU/memory overhead. This functionality provides an optimal data path for routing traffic within the virtual infrastructure. Similarly, the NSX 6.0 Edge provides a mechanism to do full dynamic route peering using OSPF, BGP, IS-IS with the physical network to enable seamless integration.
* Distributed Firewall - Security enforcement is done at the kernel and vNIC level itself. This enables firewall rule enforcement in a highly scalable manner without creating bottlenecks on physical appliances. The firewall is distributed in kernel and hence has minimal CPU overhead and can perform at line rate.
* Logical Load-balancing - Support for L4-L7 load balancing with ability to do SSL termination.
* SSL VPN services to enable L2 VPN services.

Formal Audits
Controls addressed: N/A
N/A

Personnel Security
Controls addressed: N/A
N/A
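The matrix above says the identity-aware flow trail (computer name, AD security principal, group membership, destination tuple) exists so that a SIEM can validate observed traffic against the asserted Identity Firewall policy. The following is an added Python example of that validation step, not VMware code; the record layout, group names and addresses are constructed stand-ins and do not reproduce the real NSX export format.

```python
"""Check identity-aware flow records against an asserted firewall policy.

Added example (not VMware code). The record layout is a constructed,
simplified stand-in for what NSX Activity Monitoring exposes (computer
name, AD user, AD group membership, destination tuple); the real export
format is not reproduced here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class FlowRecord:
    computer: str          # source computer name
    user: str              # AD security principal, e.g. CJIS\jdoe
    groups: frozenset      # AD groups the session belonged to
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class IdentityRule:
    """Asserted rule: members of `group` may reach `dst_net` on port/proto."""
    group: str
    dst_net: IPv4Network
    dst_port: int
    proto: str


# Constructed policy for a notional CJI enclave (hypothetical group names).
RULES = [
    IdentityRule("CJIS-Investigators", ip_network("10.20.5.0/24"), 443, "TCP"),
    IdentityRule("CJIS-DBAdmins", ip_network("10.20.9.0/24"), 1433, "TCP"),
]

# Constructed records: computer|user|group1;group2|src|dst|port|proto
SAMPLE_RECORDS = """\
# investigator reaching the CJI web tier: expected
WS-0421|CJIS\\jdoe|CJIS-Investigators;Domain Users|10.30.1.15|10.20.5.10|443|TCP
# same investigator reaching the database tier directly: not asserted
WS-0421|CJIS\\jdoe|CJIS-Investigators;Domain Users|10.30.1.15|10.20.9.20|1433|TCP
# DBA reaching the database tier: expected
WS-0187|CJIS\\asmith|CJIS-DBAdmins;Domain Users|10.30.2.7|10.20.9.20|1433|TCP
# same account after group removal, still reaching the database tier
WS-0187|CJIS\\asmith|Domain Users|10.30.2.7|10.20.9.20|1433|TCP
"""


def parse_record(line: str) -> FlowRecord:
    fields = line.strip().split("|")
    if len(fields) != 7:
        raise ValueError(f"malformed record: {line!r}")
    computer, user, groups, src, dst, port, proto = fields
    return FlowRecord(computer, user,
                      frozenset(g for g in groups.split(";") if g),
                      src, dst, int(port), proto.upper())


def parse_records(text: str) -> list:
    """Parse all non-comment, non-blank lines."""
    return [parse_record(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def rule_permits(rule: IdentityRule, rec: FlowRecord) -> bool:
    return (rule.group in rec.groups
            and ip_address(rec.dst_ip) in rule.dst_net
            and rule.dst_port == rec.dst_port
            and rule.proto == rec.proto)


def audit_flows(text: str, rules=RULES) -> list:
    """Return (record, verdict) pairs. Default-deny: any flow that no
    asserted rule covers is a VIOLATION worth a SIEM alert."""
    out = []
    for rec in parse_records(text):
        allowed = any(rule_permits(r, rec) for r in rules)
        out.append((rec, "ALLOW" if allowed else "VIOLATION"))
    return out


def violations(text: str, rules=RULES) -> list:
    return [rec for rec, v in audit_flows(text, rules) if v == "VIOLATION"]


if __name__ == "__main__":
    for rec, verdict in audit_flows(SAMPLE_RECORDS):
        print(f"{verdict:9} {rec.user} {rec.src_ip} -> "
              f"{rec.dst_ip}:{rec.dst_port}/{rec.proto}")
```

The fourth constructed record shows why group membership must be captured at session time: the same account and tuple that were compliant a moment earlier become a finding once the authorizing group is gone.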

Operations Management

The VMware Operations Management products enable IT organizations to gain better visibility and actionable intelligence to proactively facilitate service levels, optimum resource usage, and configuration compliance in dynamic virtual and cloud environments. While all of the VMware products listed prior to this point are leveraged in the building of secure, compliant SDDCs and cloud infrastructures, the products in this section are for management of those components beyond their supplied management interfaces. Products in the Operations Management solution area generally leverage the same APIs that the management interfaces of the cloud infrastructure solutions are built on, but tend to do so from a more lifecycle-oriented approach where the entire infrastructure is concerned. Some do this by collecting data across disparate layers of cloud infrastructure, cloud networking and security, as well as end user computing, in order to portray a more holistic dashboard of information across those decoupled yet interdependent facets of VMware technologies. Still others do this by exposing APIs from the disparate layers into coarsely grained workflows that can be offered to business users.
* vRealize Operations Manager (vRealize) - Uses patented analytics and an integrated approach to operations management in order to provide the intelligence and visibility required to proactively maintain service levels, optimum resource usage, and configuration compliance in dynamic virtual and cloud environments.
* vRealize Configuration Manager (VCM) - Automates configuration management across virtual and physical servers and desktops, increasing efficiency by eliminating manual, error-prone, and time-consuming work. This enables enterprises to maintain continuous compliance by detecting changes and comparing them to configuration and security policies.
* vRealize Infrastructure Navigator (VIN) - Automatically discovers and visualizes application and infrastructure dependencies. It provides visibility into the application services running over the virtual-machine infrastructure and their interrelationships for day-to-day operational management.
* vRealize Update Manager (VUM) - Automates tracking, patching and updating for vSphere hosts (ESXi hosts and clusters), VM tools, and VMware virtual appliances. It provides a centralized, automated, actionable patch compliance management solution to confirm that applicable VMware components are updated and to enforce the latest security patches.
* vRealize Orchestrator - A virtual appliance that automates tasks for VMware products and enables orchestration between multiple solutions. VMware vRealize Orchestrator allows administrators to automatically create workflows that capture best practices, which aid in measuring compliance.
* vCloud Automation Center (vCAC) - Is utilized to provide delivery and management of infrastructure, applications and services through the use of existing VMware tools and infrastructure. Applications can be deployed and provisioned to end users through the use of vCAC. Additionally, vCAC can be managed in a private, public, and/or hybrid cloud. Each end user can receive their application or computing service through vCAC, which provides role-based entitlements and governance for these activities.
* vRealize Log Insight - Delivers automated log management through aggregation, analytics and search, enabling operational intelligence and enterprise-wide visibility in dynamic hybrid cloud environments.
The following product matrix explains which CJIS controls are applicable to VMware Operations Management. It also explains how vCenter Operations Suite and associated products assist users in meeting CJIS requirements. The controls highlighted in bold are those that have been selected for the CJIS baseline.

Table 7: CJIS Controls Applicability Matrix

CJIS CONTROLS APPLICABILITY MATRIX (columns: Policy Area; Controls Addressed; vRealize Operations Management Description)

Information Exchange
Controls addressed: 5.1.1, ,
vRealize SSO supports integration with role-based access control systems, which supports the agency need to define roles and responsibilities for inclusion in information exchange agreements, which are required for access to CJI data.

Security Awareness
Controls addressed: N/A
N/A

Incident Response
Controls addressed: 5.3, 5.3.1, , 5.3.4,
vRealize provides capabilities and instrumentation which can support the agency need to implement the incident response lifecycle, which includes detection and analysis, containment, eradication, and recovery.
Nearly all of the included products provide some level of additive capability, reporting, or instrumentation which can directly support a robust incident management process.

Auditing and Accountability
Controls addressed: 5.4, 5.4.1, , , 5.4.2, 5.4.4, 5.4.5, 5.4.6,
vRealize has the ability to monitor access controls to the Customer environment and thereby monitor compliance with CJIS requirements. Specifically, vRealize will assess and report on the following:
* Local and domain-level users (Windows) and users with unique usernames (Unix, Linux and Mac OS).
* System password policies for expiration, length, standards, creation settings, access attempts (can also remediate).
* Changes to user accounts, credential stores, and identifier objects to provide visibility and control over system access.
* User access across all the systems in the data center at once.
* Disable and remove access for terminated user accounts.
* Inactive accounts (which it can also disable and remove access for).
* The status of maintenance accounts, to confirm that they are disabled and configured to only be used during the times specified.
* Login policies, to include lockout settings and auto-logout settings, remediating as needed. Assessment, reporting and remediation are conducted in accordance with scheduling through vRealize.
vRealize will assess, report and remediate the following:
* Configurations of the system auditing and logging services to support proper logging across system components.
* VCM collects audit log entries to provide a single view of events.
* User access audit trails, by ensuring proper permissions for log files and their directories and alerting on changes to critical audit trails.
vRealize has the ability to track system changes across thousands of data points and, in conjunction with native auditing, can be used to track account activity and system modifications.
vRealize can assess and report on syslog configuration details on Unix and Linux systems that specify remote log servers within the network. vRealize can also be used to assess, report, and remediate audit logging for VMware components and guest operating systems.
Changes within the virtual environment are captured by vRealize and can be displayed in VCM. VCM can collect audit log entries within an organization vDC to allow an organization a single view of events within their environment. VCM is also able to control user access to audit trails within an organization by providing proper permissions for log files and their directories.
Log Insight can be used to collect all syslog events from VMware and some Technology Partner solutions. These third parties and VMware have built reports for visualizing this data across the layers of the VMware agency's environment.

Access Control
Controls addressed: 5.5.1, 5.5.2, , , , 5.5.3, 5.5.4, 5.5.5, 5.5.6
Access to vRealize can be controlled through Microsoft Active Directory. This will allow vRealize to help the user meet the CJIS requirements for access control to the customer environment.
vCloud Automation Center can leverage the core vSphere Identity Services infrastructure, including Single Sign On provided by that component.
vRealize can be used to automate and enforce standardized rules, accounts, profiles, and security settings when provisioning different configurations of vSphere infrastructure designed to meet CJIS requirements.
vCloud Application Director (part of vCAC Enterprise) can be used to automate and enforce standardized rules, accounts, profiles, and security settings so that scope is not impacted as new machines are dynamically added or removed.

Identification and Authentication
Controls addressed: 5.6, 5.6.1, , 5.6.2, , ,
vRealize uses the Blowfish encryption protocol to secure all internal user accounts and external accounts. For example, all of the user credentials entered into vRealize and used to communicate with monitoring tools are encrypted with this protocol.

Configuration Management
Controls addressed: ,
vRealize Configuration Manager can capture and manage changes across the virtual environment, and indicate any deviations from approved baseline configurations. Additionally, configuration and hardening templates can be used to provide a baseline for building agency-specific approved configuration baselines.
vRealize Operations Management can report and alert upon changes to environmental or operating conditions within the virtual infrastructure, which can be a valuable tool for identifying configuration issues in the environment.
Automation can greatly facilitate and enhance the configuration management processes by programmatically creating and managing environment configurations. By leveraging well-documented and tested workflows which have been developed according to a robust SDLC process to deploy infrastructure components, much of the "human error" factor can be removed from the configuration management lifecycle. An example of this: while NSX network virtualization programmatically creates, snapshots, deletes, and restores software-based virtual networks, leveraging vRealize workflows to define what networks should be configured, as well as how, is a powerful tool for enhancing the maturity of the configuration management program.

Media Protection
Controls addressed: N/A
N/A

Physical Protection
Controls addressed: N/A
N/A

System and Communications Protection and Information Integrity
Controls addressed: 5.10, 5.10.1, , , ,
vRealize has a firewall enabled to prevent external attempts to port probe. The vApp will expose a minimal network footprint, with just these ports for inbound connections:
* 443 (https)
* 22 (ssh)
* 80 (redirected to 443)
Additionally, an OpenVPN tunnel is created between the two virtual machines, with port 1194 being used.
vRealize uses the Blowfish encryption protocol to secure all internal user accounts and external accounts. For example, all of the user credentials entered into vRealize and used to communicate with monitoring tools are encrypted with this protocol.
vRealize supports the use of SSL communication for browser-to-server communications. The use of SSL for browser-to-server communication is configurable.
vRealize Orchestrator can be used to configure new virtual components to communicate only within the environment in which they were intended. vRealize can reduce the manual configuration processes which are prone to user error and misconfiguration in a large, dynamic environment.
vRealize can perform file integrity monitoring (FIM) within the Cloud Computing Architecture for critical files and/or directories. Alerts can also be established to notify personnel of any changes made or attempted, and even remediate as needed.
vRealize does not have a built-in anti-virus solution, but it can be used to assess and report the anti-virus state of the systems. This allows a determination that all systems have anti-virus software installed and running with updated signature files. vRealize can remediate anti-virus problems by installing the customer-approved anti-virus software on systems where it is not installed and starting/enabling the software services.
vSphere Update Manager can be used to monitor VMware infrastructure components and push out critical security updates to allow the latest security configurations to be enforced.

Formal Audits
Controls addressed: N/A
N/A

Personnel Security
Controls addressed: N/A
N/A
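Three of the checks the matrix attributes to vRealize (remote syslog destination on Unix/Linux hosts, primary and secondary NTP servers, and an inbound footprint limited to the documented ports 443, 22, 80 and 1194) as an added Python example of what such an assessment evaluates; this is not VMware code, and the configuration snippets and listener list are constructed sample input.

```python
"""Audit a host's logging, time-sync and listening-port configuration.

Added example (not VMware code). It mirrors three checks the guide
attributes to vRealize: remote syslog forwarding, primary plus secondary
NTP servers, and an inbound footprint limited to the documented ports.
All configuration text below is constructed sample input.
"""
import re

# Inbound ports the guide lists for the vRealize vApp (80 redirects to 443)
# plus the OpenVPN tunnel port used between the two virtual machines.
ALLOWED_INBOUND_PORTS = {443, 22, 80, 1194}

# rsyslog legacy forwarding: "*.* @@host:514" (TCP) or "*.* @host" (UDP),
# optionally with an action option block such as "@@(o)host". Lines that
# start with "#" are comments and never match.
_LEGACY_FWD = re.compile(
    r'^\s*[^#\s]+\s+@{1,2}(?:\([^)]*\))?\[?([^\s\]:]+)\]?(?::(\d+))?', re.M)
_NTP_SERVER = re.compile(r'^\s*(?:server|pool|peer)\s+(\S+)', re.M)
# Constructed listener lines: "<proto> <local address>:<port>"
_LISTENER = re.compile(r'^\s*(?:tcp|udp)\s+\S+:(\d+)\s*$', re.M)

# Weak configuration: logs stay local, one time source, an extra listener.
WEAK_RSYSLOG = """\
# constructed: local files only, nothing forwarded
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
"""
WEAK_NTP = """\
# constructed: a single time source
driftfile /var/lib/ntp/drift
server 10.20.0.5 iburst
"""
WEAK_LISTENERS = """\
tcp 0.0.0.0:443
tcp 0.0.0.0:22
tcp 0.0.0.0:80
udp 0.0.0.0:1194
tcp 0.0.0.0:8080
"""

# Corrected configuration: forward to a collector, add a secondary NTP
# server, drop the undocumented listener (hostname is a placeholder).
GOOD_RSYSLOG = WEAK_RSYSLOG + "*.* @@logcollector.agency.example:514\n"
GOOD_NTP = WEAK_NTP + "server 10.20.0.6 iburst\n"
GOOD_LISTENERS = WEAK_LISTENERS.replace("tcp 0.0.0.0:8080\n", "")


def remote_syslog_targets(rsyslog_conf: str) -> list:
    """Return host:port targets that receive forwarded syslog events."""
    return [f"{host}:{port or '514'}"
            for host, port in _LEGACY_FWD.findall(rsyslog_conf)]


def ntp_servers(ntp_conf: str) -> list:
    """Return every configured NTP server/pool/peer, in file order."""
    return _NTP_SERVER.findall(ntp_conf)


def unexpected_listeners(listeners: str, allowed=ALLOWED_INBOUND_PORTS) -> list:
    """Return listening ports outside the documented inbound footprint."""
    ports = sorted({int(p) for p in _LISTENER.findall(listeners)})
    return [p for p in ports if p not in allowed]


def assess(rsyslog_conf: str, ntp_conf: str, listeners: str) -> list:
    """Return human-readable findings; an empty list means compliant."""
    findings = []
    if not remote_syslog_targets(rsyslog_conf):
        findings.append("syslog: no remote log server configured; "
                        "the audit trail stays on the host")
    servers = ntp_servers(ntp_conf)
    if len(servers) < 2:
        findings.append(f"ntp: {len(servers)} server(s) configured; "
                        "primary and secondary required")
    extra = unexpected_listeners(listeners)
    if extra:
        findings.append(f"ports: unexpected inbound listeners {extra}")
    return findings


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_RSYSLOG, WEAK_NTP, WEAK_LISTENERS)),
                        ("good", (GOOD_RSYSLOG, GOOD_NTP, GOOD_LISTENERS))):
        print(label, assess(*args) or ["compliant"])
```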

CJIS Security Policy

(Table columns: CJIS Policy; Requirement; Guidance. Each entry below gives the policy text followed by the guidance where the page provides it.)

5.1 Policy Area 1: Information Exchange Agreements
The information shared through communication mediums shall be protected with appropriate security safeguards.
The agreements established by entities sharing information across systems and communications mediums are vital to ensuring all parties fully understand and agree to a set of security standards.

Information Exchange
Before exchanging CJI, agencies shall put formal agreements in place that specify security controls. Information exchange agreements shall be supported by documentation committing both parties to the terms of information exchange. In cases where an information exchange agreement is not in place, law enforcement and civil agencies shall have a local policy to validate a requestor of CJI as an authorized recipient before disseminating CJI.
The exchange of information may take several forms including electronic mail, instant messages, web services, facsimile, hard copy, and information systems sending, receiving and storing CJI. Information exchange agreements outline the roles, responsibilities, and data ownership between agencies and any external parties. Information exchange agreements for agencies sharing CJI data that is sent to and/or received from the FBI CJIS shall specify the security controls and conditions described in this document. Different agreements and policies apply, depending on whether the parties involved are CJAs or NCJAs. There may be instances, on an ad hoc basis, where CJI is authorized for further dissemination to authorized recipients not covered by an information exchange agreement with the releasing agency. In these instances the dissemination of CJI is considered to be secondary dissemination.

Information Handling
Procedures for handling and storage of information shall be established to protect that information from unauthorized disclosure, alteration or misuse.
The procedures for handling and storage of information shall apply to the handling, processing, storing, and communication of CJI. They apply to the exchange of CJI no matter the form of exchange. Furthermore, the policies for information handling and protection apply to using CJI shared with or received from FBI CJIS for noncriminal justice purposes. Noncriminal justice purpose includes the use of criminal history records for purposes authorized by federal or state law other than purposes relating to the administration of criminal justice. Some purposes are employment suitability, licensing determinations, immigration and naturalization matters, and national security clearances.

State and Federal Agency User Agreements
Each CSA head or SIB Chief shall execute a signed written user agreement with the FBI CJIS Division stating their willingness to demonstrate conformity with this Policy before accessing and participating in CJIS records information programs. This agreement shall include the standards and sanctions governing utilization of CJIS systems. Each Interface Agency shall also allow the FBI to periodically test the ability to penetrate the FBI's network through the external network connection or system per authorization of Department of Justice (DOJ) Order 2640.2F. All user agreements with the FBI CJIS Division shall be coordinated with the CSA head.

Criminal Justice Agency User Agreements
Any CJA receiving access to CJI shall enter into a signed written agreement with the appropriate signatory authority of the CSA providing the access. The written agreement shall specify the FBI CJIS systems and services to which the agency will have access, and the FBI CJIS Division policies to which the agency must adhere.
These agreements shall include: audit, dissemination, hit confirmation, logging, quality assurance, screening (pre-employment), security, timeliness, training, use of the system, and validation.

Interagency and Management Control Agreements
A NCJA (government) designated to perform criminal justice functions for a CJA shall be eligible for access to the CJI. Access shall be permitted when such designation is authorized pursuant to Executive Order, statute, regulation, or inter-agency agreement. The NCJA shall sign and execute a management control agreement (MCA) with the CJA, which stipulates management control of the criminal justice function remains solely with the CJA.
The MCA may be a separate document or included with the language of an inter-agency agreement. An example of an NCJA (government) is a city information technology (IT) department.

Private Contractor User Agreements and CJIS Security Addendum
Private contractors who perform criminal justice functions shall meet the same training and certification criteria required by governmental agencies performing a similar function, and shall be subject to the same extent of audit review as are local user agencies.
All private contractors who perform criminal justice functions shall acknowledge, via signing of the CJIS Security Addendum Certification page, and abide by all aspects of the CJIS Security Addendum.
1. Private contractors designated to perform criminal justice functions for a CJA shall be eligible for access to CJI. Access shall be permitted pursuant to an agreement which specifically identifies the agency's purpose and scope of providing services for the administration of criminal justice. The agreement between the CJA and the private contractor shall incorporate the CJIS Security Addendum approved by the Director of the FBI, acting for the U.S. Attorney General, as referenced in Title 28 CFR 20.33 (a)(7).
2. Private contractors designated to perform criminal justice functions on behalf of a NCJA (government) shall be eligible for access to CJI. Access shall be permitted pursuant to an agreement which specifically identifies the agency's purpose and scope of providing services for the administration of criminal justice. The agreement between the NCJA and the private contractor shall incorporate the CJIS Security Addendum approved by the Director of the FBI, acting for the U.S. Attorney General, as referenced in Title 28 CFR 20.33 (a)(7).
Modifications to the CJIS Security Addendum shall be enacted only by the FBI.
The CJIS Security Addendum is approved by the Attorney General of the United States. It specifically authorizes access to CHRI, limits the use of the information to the purposes for which it is provided, ensures the security and confidentiality of the information is consistent with existing regulations and the CJIS Security Policy, provides for sanctions, and contains such other provisions as the Attorney General may require.

Agency User Agreements
A NCJA (public) designated to request civil fingerprint-based background checks, with the full consent of the individual to whom a background check is taking place, for noncriminal justice functions, shall be eligible for access to CJI. A NCJA (public) receiving access to CJI shall enter into a signed written agreement with the appropriate signatory authority of the CSA/SIB providing the access.
A NCJA (private) designated to request civil fingerprint-based background checks, with the full consent of the individual to whom a background check is taking place, for noncriminal justice functions, shall be eligible for access to CJI. A NCJA (private) receiving access to CJI shall enter into a signed written agreement with the appropriate signatory authority of the CSA, SIB, or authorized agency providing the access.
All NCJAs accessing CJI shall be subject to all pertinent areas of the CJIS Security Policy. Each NCJA that directly accesses FBI CJI shall also allow the FBI to periodically test the ability to penetrate the FBI's network through the external network connection or system per authorization of Department of Justice (DOJ) Order 2640.2F.
Access shall be permitted when such designation is authorized pursuant to federal law or state statute approved by the U.S. Attorney General. An example of a NCJA (public) is a county school board and an example of a NCJA (private) is a local bank.

Outsourcing Standards for Channelers
Channelers designated to request civil fingerprint-based background checks or noncriminal justice ancillary functions on behalf of a NCJA (public) or NCJA (private) for noncriminal justice functions shall be eligible for access to CJI. All Channelers accessing CJI shall be subject to the terms and conditions described in the Compact Council Security and Management Control Outsourcing Standard. Each Channeler that directly accesses CJI shall also allow the FBI to conduct periodic penetration testing.
Channelers leveraging CJI to perform civil functions on behalf of an authorized recipient shall meet the same training and certification criteria required by governmental agencies performing a similar function, and shall be subject to the same extent of audit review as are local user agencies.
Access shall be permitted when such designation is authorized pursuant to federal law or state statute approved by the U.S. Attorney General.

Outsourcing Standards for Non-Channelers
Contractors designated to perform noncriminal justice ancillary functions on behalf of a NCJA (public) or NCJA (private) for noncriminal justice functions shall be eligible for access to CJI. All contractors accessing CJI shall be subject to the terms and conditions described in the Compact Council Outsourcing Standard for Non-Channelers. Contractors leveraging CJI to perform civil functions on behalf of an authorized recipient shall meet the same training and certification criteria required by governmental agencies performing a similar function, and shall be subject to the same extent of audit review as are local user agencies.
Access shall be permitted when such designation is authorized pursuant to federal law or state statute approved by the U.S. Attorney General.

Monitoring, Review, and Delivery of Services
MCAs, and contractual agreements with private contractors, the services, reports and records provided by the service provider shall be regularly monitored and reviewed. The CJA, authorized agency, or FBI shall maintain sufficient overall control and visibility into all security aspects to include, but not limited to, identification of vulnerabilities and information security incident reporting/response. The incident reporting/response process used by the service provider shall conform to the incident reporting/response specifications provided in this Policy.
An MCA is an agreement between parties that wish to share or pool resources that codifies precisely who has administrative control over, versus overall management and legal responsibility for, assets covered under the agreement. An MCA must ensure the CJA's authority remains with regard to all aspects. The MCA usually results in the CJA having ultimate authority over the CJI supporting infrastructure administered by the NCJA.

Managing Changes to Service Providers
Any changes to services provided by a service provider shall be managed by the CJA, authorized agency, or FBI. Evaluation of the risks to the agency shall be undertaken based on the criticality of the data, system, and the impact of the change.
This includes provision of services, changes to existing services, and new services.

48 CJIS( POLICY( REQUIREMENT( GUIDANCE( Secondary(Dissemination IfCHRIisreleasedtoanotherauthorizedagency, andthatagencywasnotpartofthereleasing agency sprimaryinformationexchange agreement(s),thereleasingagencyshalllogsuch dissemination. Alogmustbemaintainedtorecordthesharingof informationwithanauthorizedagencythatisnot partoftheinformationexchangeagreement Secondary(Dissemination(of(NonJCHRI(CJI IfCJIdoesnotcontainCHRIandisnotpartofan informationexchangeagreementthenitdoesnot needtobelogged. LoggingofCJIislimitedtoexchangesthatcontain CHRI. Disseminationshallconformtothelocalpolicy validatingtherequestorofthecjiasanemployee and/orcontractorofalawenforcementagencyor civilagencyrequiringthecjitoperformtheir missionoramemberofthepublicreceivingcjivia authorizeddissemination. 5.2 Policy(Area(2:(Security(Awareness(Training Basicsecurityawarenesstrainingshallberequired withinsixmonthsofinitialassignment,and bienniallythereafter,forallpersonnelwhohave accesstocji. Acceptingsuchdocumentationfromanotheragency meansthattheacceptingagencyassumestherisk thatthetrainingmaynotmeetaparticular requirementorprocessrequiredbyfederal,state,or locallaws. TheCSO/SIBmayacceptthedocumentationofthe completionofsecurityawarenesstrainingfrom anotheragency All(Personnel Ataminimum,thefollowingtopicsshallbe addressedasbaselinesecurityawarenesstraining forallauthorizedpersonnelwithaccesstocji: Securityawarenesstrainingisincludedasa requirementinmanyfederal,stateandinternational regulationsthataddressdataprotection. 1.* Rulesthatdescriberesponsibilitiesand expectedbehaviorwithregardtocjiusage. 2.* Implicationsofnoncompliance. 3.* Incidentresponse(Pointsofcontact;Individual actions). 4.* Mediaprotection. 5.* Visitorcontrolandphysicalaccesstospaces discussapplicablephysicalsecuritypolicyand procedures,e.g.,challengestrangers,report VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 48( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001'

49 CJIS( POLICY( REQUIREMENT( unusualactivity. 6.* Protectinformationsubjecttoconfidentiality concerns hardcopythroughdestruction. 7.* ProperhandlingandmarkingofCJI. 8.* Threats,vulnerabilities,andrisksassociated withhandlingofcji. 9.* Socialengineering. 10.* Disseminationanddestruction. GUIDANCE( Personnel(with(Physical(and(Logical(Access Inadditionto above,thefollowingtopics,at aminimum,shallbeaddressedasbaselinesecurity awarenesstrainingforallauthorizedpersonnelwith bothphysicalandlogicalaccesstocji: 1.* Rulesthatdescriberesponsibilitiesand expectedbehaviorwithregardtoinformation systemusage. 2.* Passwordusageandmanagement 3.* Protectionfromviruses,worms,Trojanhorses, andothermaliciouscode. 4.* Unknownedmail/attachments. 5.* Webusage. 6.* Spam. 7.* PhysicalSecurity. 8.* Handhelddevicesecurityissues addressboth physicalandwirelesssecurityissues. 9.* Useofencryptionandthetransmissionof sensitive/confidentialinformationoverthe Internet addressagencypolicy,procedures, andtechnicalcontactforassistance. 10.* Laptopsecurity addressbothphysicaland informationsecurityissues. 11.* Personallyownedequipmentandsoftware statewhetherallowedornot(e.g.,copyrights). 12.* Accesscontrolissues addressleastprivilege andseparationofduties. 13.* Individualaccountability explainwhatthis meansintheagency. 14.* Useofacknowledgementstatements Passwordusagemanagementshouldincludedetails oncreation,frequencyofchanges,andprotection. Webusageshoulddescribeallowedusageversus prohibited.itshouldalsostatethemonitoringof useractivity. Physicalsecurityshoulddetailtheincreasedriskto systemsanddata. Desktopsecurityshoulddiscussuseofscreensavers, restrictingvisitors viewofinformationonscreen (mitigating shouldersurfing ),batterybackup devices,allowedaccesstosystems. Protectinformationsubjecttoconfidentiality concernsinsystems,archived,onbackupmedia,and untildestroyed. VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 49( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001'

passwords, access to systems and data, personal use and gain.
15. Desktop security.
16. Protect information subject to confidentiality concerns.
17. Threats, vulnerabilities, and risks associated with accessing CJIS Service systems and services.

Personnel with Information Technology Roles
Requirement: The following topics, at a minimum, shall be addressed as baseline security awareness training for all Information Technology personnel (system administrators, security administrators, network administrators, etc.):
1. Protection from viruses, worms, Trojan horses, and other malicious code: scanning, updating definitions.
2. Data backup and storage: centralized or decentralized approach.
3. Timely application of system patches: part of configuration management.
4. Access control measures.
5. Network infrastructure protection measures.
Guidance: Security awareness training topics can vary by audience. Personnel with technology roles will need to have a higher level of security awareness.

Security Training Records
Requirement: Records of individual basic security awareness training and specific information system security training shall be documented, kept current, and maintained by the CSO/SIB/Compact Officer. Maintenance of training records can be delegated to the local level.
Guidance: Maintenance of training records can be delegated to the local level.

5.3 Policy Area 3: Incident Response
Requirement: Agencies shall: (i) establish an operational incident handling capability for agency information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; (ii) track, document, and report incidents to appropriate agency officials and/or authorities. ISOs have been identified as the POC on security-related issues for their respective agencies and shall ensure LASOs institute the CSA incident response reporting procedures at the local level.
Guidance: There has been an increase in the number of accidental or malicious computer attacks against both government and private agencies, regardless of whether the systems are high or low profile.

Reporting Information Security Events
Requirement: The agency shall promptly report incident information to appropriate authorities. Information security events and weaknesses associated with information systems shall be communicated in a manner allowing timely corrective action to be taken. Formal event reporting and escalation procedures shall be in place. Wherever feasible, the agency shall employ automated mechanisms to assist in the reporting of security incidents. All employees, contractors and third party users shall be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of agency assets and are required to report any information security events and weaknesses as quickly as possible to the designated point of contact.
Guidance: The prompt reporting of information security events is essential for risk management.

FBI CJIS Division Responsibilities
Requirement: The FBI CJIS Division shall:
1. Manage and maintain the CJIS Division's Computer Security Incident Response Capability (CSIRC).
2. Serve as a central clearinghouse for all reported intrusion incidents, security alerts, bulletins, and other security-related material.
3. Ensure additional resources for all incidents affecting FBI CJIS Division controlled systems as needed.
4. Disseminate prompt advisories of system threats and operating system vulnerabilities via the security policy resource center on FBI.gov, to include but not limited to: Product Security Bulletins, Virus Bulletins, and Security Clips.
5. Track all reported incidents and/or trends.
6. Monitor the resolution of all incidents.
Guidance: The FBI established the CJIS Division to serve as the focal point and central repository for CJI.

CSA ISO Responsibilities
Guidance: The CSA ISO serves as the security point of contact (POC) to the FBI CJIS Division ISO.
Requirement: The CSA ISO shall:
1. Assign individuals in each state, federal, and international law enforcement organization to be the primary point of contact for interfacing

with the FBI CJIS Division concerning incident handling and response.
2. Identify individuals who are responsible for reporting incidents within their area of responsibility.
3. Collect incident information from those individuals for coordination and sharing among other organizations that may or may not be affected by the incident.
4. Develop, implement, and maintain internal incident response procedures and coordinate those procedures with other organizations that may or may not be affected.
5. Collect and disseminate all incident-related information received from the Department of Justice (DOJ), FBI CJIS Division, and other entities to the appropriate local law enforcement POCs within their area.
6. Act as a single POC for their jurisdictional area for requesting incident response assistance.

Management of Information Security Incidents
Requirement: A consistent and effective approach shall be applied to the management of information security incidents.
Guidance: Responsibilities and procedures shall be in place to handle information security events and weaknesses effectively once they have been reported.

Incident Handling
Requirement: The agency shall implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. Wherever feasible, the agency shall employ automated mechanisms to support the incident handling process.
Guidance: Incident-related information can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. The agency should incorporate the lessons learned from ongoing incident handling activities into the incident response procedures and implement the procedures accordingly.

Collection of Evidence
Requirement: Where a follow-up action against a person or agency after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).
Guidance: Document all business processes. A legal case will be dismissed if the evidence is not admissible.

Incident Response Training
Requirement: The agency shall ensure general incident response roles and responsibilities are included as part of required security awareness training.
Guidance: Individuals responsible for incident response should be trained and the training should be updated as procedures and technology change.

Incident Monitoring
Requirement: The agency shall track and document information system security incidents on an ongoing basis. The CSA ISO shall maintain completed security incident reporting forms until the subsequent FBI triennial audit or until legal action (if warranted) is complete, whichever time frame is greater.
Guidance: Incident monitoring and tracking is key to demonstrating compliance with regulations.

5.4 Policy Area 4: Auditing and Accountability
Requirement: Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior. Agencies shall carefully assess the inventory of components that compose their information systems to determine which security controls are applicable to the various components.
Guidance: Auditing controls are typically applied to the components of an information system that provide auditing capability (servers, etc.) and would not necessarily be applied to every user-level workstation within the agency. As technology advances, more powerful and diverse functionality can be found in such devices as personal digital assistants and cellular telephones, which may require the application of security controls in accordance with an agency assessment of risk.

Auditable Events and Content (Information Systems)
Requirement: The agency's information system shall generate audit records for defined events. The agency shall specify which information system components carry out auditing activities. The agency's information system shall produce, at the application and/or operating system level, audit records containing sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events. The agency shall periodically review and update the list of agency-defined auditable events. In the event an agency does not use an automated system, manual recording of activities shall still take place.
Guidance: These defined events include identifying significant events which need to be audited as relevant to the security of the information system. Auditing activity can affect information system performance, and this issue must be considered as a separate factor during the acquisition of information systems.

Events
Requirement: The following events shall be logged:
1. Successful and unsuccessful system log-on attempts.
2. Successful and unsuccessful attempts to use:
  a. access permission on a user account, file, directory or other system resource;
  b. create permission on a user account, file, directory or other system resource;
  c. write permission on a user account, file, directory or other system resource;
  d. delete permission on a user account, file, directory or other system resource;
  e. change permission on a user account, file, directory or other system resource.
3. Successful and unsuccessful attempts to change account passwords.
4. Successful and unsuccessful actions by privileged accounts.
5. Successful and unsuccessful attempts for users to:
  a. access the audit log file;
  b. modify the audit log file;
  c. destroy the audit log file.
Guidance: In order to meet CJIS requirements, specific events must be logged.

Content
Requirement: The following content shall be included with every audited event:
1. Date and time of the event.
2. The component of the information system (e.g., software component, hardware component) where the event occurred.
3. Type of event.
4. User/subject identity.
5. Outcome (success or failure) of the event.
Guidance: Log records should be as consistent as possible to aid in linking records.
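The Events and Content lists above are, between them, the specification a logging pipeline has to meet. The Python below is an added example, not code from this guide or from VMware: an audit record builder that makes each of the five content elements a required field, restricts the event type to the events in the Events list, and rejects timestamps that carry no time zone. The field names, the event-type strings, the reference time SAMPLE_TIME and the sample component name vcenter-01 are assumptions.

```python
"""Audit record builder for the Events and Content rows of CJIS Policy Area 4.
Added example; not code from the guide or from VMware. Field names, event-type
strings and the sample component name are assumptions."""
import json
from datetime import datetime, timezone
from enum import Enum


class EventType(str, Enum):
    """One value per auditable event in the Events list (names are constructed)."""
    LOGON = "logon"                                   # item 1: log-on attempts
    RESOURCE_ACCESS = "resource.access"               # item 2a
    RESOURCE_CREATE = "resource.create"               # item 2b
    RESOURCE_WRITE = "resource.write"                 # item 2c
    RESOURCE_DELETE = "resource.delete"               # item 2d
    RESOURCE_CHANGE_PERM = "resource.change_permission"  # item 2e
    PASSWORD_CHANGE = "account.password_change"       # item 3
    PRIVILEGED_ACTION = "privileged.action"           # item 4
    AUDIT_LOG_ACCESS = "auditlog.access"              # item 5a
    AUDIT_LOG_MODIFY = "auditlog.modify"              # item 5b
    AUDIT_LOG_DESTROY = "auditlog.destroy"            # item 5c


# The five content elements the Content row requires with every audited event.
REQUIRED_FIELDS = ("timestamp", "component", "event_type", "subject", "outcome")

# Constructed reference time used by the sample run below.
SAMPLE_TIME = datetime(2014, 8, 1, 12, 0, tzinfo=timezone.utc)


def build_record(component, event_type, subject, success, detail=None, now=None):
    """Return one audit record (a dict) carrying every required field.

    component  - system component where the event occurred (host, service, ...)
    event_type - an EventType value; anything outside the list raises ValueError
    subject    - user or process identity
    success    - True/False outcome of the event
    now        - timezone-aware datetime; defaults to the current UTC time
    """
    ts = now or datetime.now(timezone.utc)
    if ts.tzinfo is None:
        # A naive timestamp cannot be correlated with other components' records.
        raise ValueError("timestamp must be timezone-aware")
    record = {
        "timestamp": ts.isoformat(timespec="seconds"),
        "component": component,
        "event_type": EventType(event_type).value,
        "subject": subject,
        "outcome": "success" if success else "failure",
    }
    if detail:
        record["detail"] = detail   # optional, e.g. the resource path or reason
    return record


def validate_record(record):
    """Return the sorted names of required fields that are missing or invalid."""
    problems = {field for field in REQUIRED_FIELDS if not record.get(field)}
    if record.get("outcome") not in ("success", "failure"):
        problems.add("outcome")
    try:
        EventType(record.get("event_type"))
    except ValueError:
        problems.add("event_type")
    return sorted(problems)


def serialize(record):
    """One JSON object per line with a fixed key order keeps records consistent
    and easy to link, as the Content row's guidance asks."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    rec = build_record("vcenter-01", "logon", "jdoe", False,
                       detail="bad password", now=SAMPLE_TIME)
    print(serialize(rec), validate_record(rec))
```

validate_record is the check to run on records arriving from components you do not control (an appliance's syslog feed, for instance) before they are accepted into the retained log; a record that fails it is itself an audit processing failure worth alerting on.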

Response to Audit Processing Failures
Requirement: The agency's information system shall provide alerts to appropriate agency officials in the event of an audit processing failure.
Guidance: Audit processing failures include, for example: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.

Audit Monitoring, Analysis, and Reporting
Requirement: The responsible management official shall designate an individual or position to review/analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, report findings to appropriate officials, and take necessary actions. Audit review/analysis shall be conducted at a minimum once a week. The frequency of review/analysis should be increased when the volume of an agency's processing indicates an elevated need for audit review. The agency shall increase the level of audit monitoring and analysis activity within the information system whenever there is an indication of increased risk to agency operations, agency assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.
Guidance: It is important that audit review/analysis is not reactive. Review and analysis should be done consistently once a week. In cases where there is an increased risk, the review and analysis should occur more frequently.

Time Stamps
Requirement: The agency's information system shall provide time stamps for use in audit record generation.
Guidance: The time stamps shall include the date and time values generated by the internal system clocks in the audit records. The agency shall synchronize internal information system clocks on an annual basis.

Protection of Audit Information
Requirement: The agency's information system shall protect audit information and audit tools from modification, deletion and unauthorized access.
Guidance: It is important to protect the audit information to ensure the integrity of the evidence.

Audit Record Retention
Requirement: The agency shall retain audit records for at least one (1) year. Once the minimum retention time period has passed, the agency shall continue to retain audit records until it is determined they are no longer needed for administrative, legal, audit, or other operational purposes.
Guidance: This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law enforcement actions.

Logging NCIC and III Transactions
Requirement: A log shall be maintained for a minimum of one (1) year on all NCIC and III transactions.
Guidance: The III portion of the log shall clearly identify both the operator and the authorized receiving agency. III logs shall also clearly identify the requester and the secondary recipient. The identification on the log shall take the form of a unique identifier that shall
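The Audit Monitoring, Analysis, and Reporting row and the Protection of Audit Information row above ask for two things a script can demonstrate: audit records that cannot be altered or removed unnoticed, and a recurring review that surfaces unusual activity. The Python below is an added example, not code from this guide or from VMware. It hash-chains JSON-line records that carry the five Content fields, verifies the chain against a digest kept outside the log, and runs a review pass over a constructed sample; the thresholds, the field names and the sample records are assumptions.

```python
"""Hash-chained audit log (Protection of Audit Information) and a review pass over it
(Audit Monitoring, Analysis, and Reporting). Added example; not code from the guide
or from VMware. Records are JSON lines carrying the five Content fields
(timestamp, component, event_type, subject, outcome); the sample below is constructed."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

GENESIS = "0" * 64   # "prev" digest carried by the first record


def chain_digest(prev_digest, line):
    """Digest of the previous digest together with the serialized record."""
    return hashlib.sha256((prev_digest + "\n" + line).encode("utf-8")).hexdigest()


def write_chained(records):
    """Serialize records so that each one carries the digest of its predecessor.

    Returns (lines, head); head is the digest over the last line. Keeping head
    outside the log (write-once media, a separate host) lets a reviewer detect
    edits, deletions and truncation of the log itself, not just bad content.
    """
    prev, lines = GENESIS, []
    for rec in records:
        line = json.dumps(dict(rec, prev=prev), sort_keys=True)
        lines.append(line)
        prev = chain_digest(prev, line)
    return lines, prev


def verify_chain(lines, head):
    """Return None if the chain is intact, otherwise the index of the first line
    whose link is broken (len(lines) when the stored head no longer matches,
    i.e. the tail of the log was removed)."""
    prev = GENESIS
    for index, line in enumerate(lines):
        if json.loads(line).get("prev") != prev:
            return index
        prev = chain_digest(prev, line)
    return None if prev == head else len(lines)


def review(lines, failed_logon_threshold=5, window=timedelta(minutes=10)):
    """Flag records a weekly reviewer has to look at; each finding is
    (reason, subject, timestamp). Threshold and window are constructed defaults."""
    findings, recent_failures = [], defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        event, subject, ts_text = rec["event_type"], rec["subject"], rec["timestamp"]
        ts = datetime.fromisoformat(ts_text)
        if event in ("auditlog.modify", "auditlog.destroy"):
            # Every attempt against the audit log itself, successful or not.
            findings.append(("audit log modify/destroy attempt", subject, ts_text))
        elif event == "logon" and rec["outcome"] == "failure":
            kept = [t for t in recent_failures[subject] if ts - t <= window]
            recent_failures[subject] = kept + [ts]
            if len(recent_failures[subject]) >= failed_logon_threshold:
                findings.append(("repeated failed logons", subject, ts_text))
                recent_failures[subject] = []
        elif event == "privileged.action" and rec["outcome"] == "failure":
            findings.append(("failed privileged action", subject, ts_text))
    return findings


def _rec(ts, event_type, subject, outcome, component="vcenter-01"):
    return {"timestamp": ts, "component": component, "event_type": event_type,
            "subject": subject, "outcome": outcome}


# Constructed sample: a normal logon, five failed logons by one user inside ten
# minutes, a failed attempt to modify the audit log, and one privileged action.
SAMPLE_RECORDS = [
    _rec("2014-08-04T08:00:00+00:00", "logon", "jdoe", "success"),
    _rec("2014-08-04T08:01:00+00:00", "logon", "tsmith", "failure"),
    _rec("2014-08-04T08:02:00+00:00", "logon", "tsmith", "failure"),
    _rec("2014-08-04T08:03:00+00:00", "logon", "tsmith", "failure"),
    _rec("2014-08-04T08:04:00+00:00", "logon", "tsmith", "failure"),
    _rec("2014-08-04T08:05:00+00:00", "logon", "tsmith", "failure"),
    _rec("2014-08-04T09:00:00+00:00", "auditlog.modify", "jdoe", "failure"),
    _rec("2014-08-04T09:30:00+00:00", "privileged.action", "root", "success"),
]


if __name__ == "__main__":
    lines, head = write_chained(SAMPLE_RECORDS)
    print("chain intact:", verify_chain(lines, head) is None)
    for finding in review(lines):
        print(*finding)
```

The chain only has evidential value if the head digest is stored where the log's own administrators cannot rewrite it; the Time Stamps row matters here too, since the review's ten-minute window is meaningless when component clocks disagree.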

remain unique to the individual requester and to the secondary recipient throughout the minimum one year retention period.

5.5 Policy Area 5: Access Control
Requirement: Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information.
Guidance: Access control is essential to managing risk by reducing the risk of compromise.

Account Management
Requirement: The agency shall manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The agency shall validate information system accounts at least annually and shall document the validation process. The validation and documentation of accounts can be delegated to local agencies.
Guidance: Account management includes the identification of account types (i.e., individual, group, and system), establishment of conditions for group membership, and assignment of associated authorizations. The agency shall identify authorized users of the information system and specify access rights/privileges. The agency shall grant access to the information system based on:
1. Valid need-to-know/need-to-share that is determined by assigned official duties.
2. Satisfaction of all personnel security criteria.
The agency responsible for account creation shall be notified when:
1. A user's information system usage or need-to-know or need-to-share changes.
2. A user is terminated or transferred or associated accounts are removed, disabled, or otherwise secured.

Access Enforcement
Guidance: Explicitly authorized personnel include, for example, security administrators, system and network administrators, and other privileged users with access to system control, monitoring, or administration functions (e.g., system administrators, information system security officers, maintainers, system programmers).
Requirement: The information system shall enforce assigned authorizations for controlling access to the system and contained information. The information system controls shall restrict access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel. Access control policies (e.g., identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) shall be employed by agencies to

control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system.

Least Privilege
Requirement: The agency shall approve individual access privileges and shall enforce physical and logical access restrictions associated with changes to the information system; and generate, retain, and review records reflecting all such changes. The agency shall enforce the most restrictive set of rights/privileges or access needed by users for the performance of specified tasks. The agency shall implement least privilege based on specific duties, operations, or information systems as necessary to mitigate risk to CJI. This limits access to CJI to only authorized personnel with the need and the right to know. Logs of access privilege changes shall be maintained for a minimum of one year or at least equal to the agency's record retention policy, whichever is greater.
Guidance: The concept of least privilege is considered a best practice in the information security industry.

System Access Control
Requirement: Access control mechanisms to enable access to CJI shall be restricted by object (e.g., data set, volumes, files, records) including the ability to read, write, or delete the objects. Access controls shall be in place and operational for all IT systems to:
1. Prevent multiple concurrent active sessions for one user identification, for those applications accessing CJI, unless the agency grants authority based upon operational business needs. Agencies shall document the parameters of the operational business needs for multiple concurrent active sessions.
2. Ensure that only authorized personnel can add, change, or remove component devices, dial-up connections, and remove or alter programs.

Access Control Criteria
Guidance: Access control methodology should be implemented with a consistent vision.
Requirement: Agencies shall control access to CJI based on one or more of the following:
1. Job assignment or function (i.e., the role) of the user seeking access.
2. Physical location.
3. Logical location.

4. Network addresses (e.g., users from sites within a given agency may be permitted greater access than those from outside).
5. Time-of-day and day-of-week/month restrictions.

Access Control Mechanisms
Requirement: When setting up access controls, agencies shall use one or more of the following mechanisms:
1. Access Control Lists (ACLs).
2. Resource Restrictions.
3. Encryption. Encryption can provide strong access control when it is accompanied by strong key management. If encryption of stored information is employed as an access enforcement mechanism, the cryptography used is Federal Information Processing Standards (FIPS) 140-2 (as amended) compliant.
4. Application Level.
Guidance: ACLs are a register of users (including groups, machines, processes) who have been given permission to use a particular object (system resource) and the types of access they have been permitted. Access to specific functions is restricted by never allowing users to request information, functions, or other resources for which they do not have access. Three major types of resource restrictions are: menus, database views, and network devices. Encrypted information can only be decrypted, and therefore read, by those possessing the appropriate cryptographic key. In addition to controlling access at the information system level, access enforcement mechanisms are employed at the application level to provide increased information security for the agency.

Unsuccessful Login Attempts
Requirement: Where technically feasible, the system shall enforce a limit of no more than 5 consecutive invalid access attempts by a user (attempting to access CJI or systems with access to CJI). The system shall automatically lock the account/node for a 10 minute time period unless released by an administrator.
Guidance: This requirement is a minimum. Agencies may choose to implement a more stringent limit.

System Use Notification
Requirement: The information system shall display an approved system use notification message, before granting access, informing potential users of various usages and monitoring rules. The system use notification message shall, at a minimum, provide the following information:
1. The user is accessing a restricted information system.
2. System usage may be monitored, recorded, and subject to audit.
3. Unauthorized use of the system is prohibited and may be subject to criminal and/or civil penalties.
4. Use of the system indicates consent to monitoring and recording.
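The Access Control Criteria list above (job role, physical location, logical location, network address, time of day and day of week) is easy to state and easy to get wrong in code, where a criterion that is "not set" silently becomes "always satisfied". The Python below is an added example, not code from this guide or from VMware: a default-deny rule evaluator in which a rule may set any subset of the five criteria, every criterion it sets must hold, and a rule that sets none is rejected. The rule names, zone names, address blocks and sample requests are constructed.

```python
"""Rule evaluator for the Access Control Criteria row: job role, physical location,
logical location, network address, and time-of-day / day-of-week. Added example; not
code from the guide or from VMware. Rule names, zone names, addresses and the sample
requests are constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str             # criterion 1: job assignment or function
    physical_site: str    # criterion 2: where the user physically is (badge zone)
    logical_zone: str     # criterion 3: network segment the client sits in
    source_ip: str        # criterion 4: network address
    when: datetime        # criterion 5: local time of the request


@dataclass(frozen=True)
class Rule:
    """A criterion left empty is not checked; every criterion that is set must hold."""
    name: str
    roles: frozenset = frozenset()
    sites: frozenset = frozenset()
    zones: frozenset = frozenset()
    networks: tuple = ()                          # CIDR strings
    hours: tuple = (0, 24)                        # half-open [start, end) hour range
    weekdays: frozenset = frozenset(range(7))     # 0 = Monday ... 6 = Sunday

    def __post_init__(self):
        # A rule with no criterion at all would grant everyone; refuse to build it.
        if not (self.roles or self.sites or self.zones or self.networks
                or self.hours != (0, 24) or self.weekdays != frozenset(range(7))):
            raise ValueError(f"rule {self.name!r} sets no criterion")

    def allows(self, req):
        src = ip_address(req.source_ip)
        return (
            (not self.roles or req.role in self.roles)
            and (not self.sites or req.physical_site in self.sites)
            and (not self.zones or req.logical_zone in self.zones)
            and (not self.networks or any(src in ip_network(n) for n in self.networks))
            and self.hours[0] <= req.when.hour < self.hours[1]
            and req.when.weekday() in self.weekdays
        )


def decide(rules, req):
    """Default deny: return (granted, names of the rules that matched)."""
    matched = [rule.name for rule in rules if rule.allows(req)]
    return bool(matched), matched


# Constructed policy: dispatch consoles may reach CJI at any hour, but only from the
# dispatch VLAN and its address block; records clerks only from headquarters, on
# weekdays between 07:00 and 19:00.
RULES = (
    Rule("dispatch-console", roles=frozenset({"dispatcher"}),
         zones=frozenset({"dispatch-vlan"}), networks=("10.10.0.0/16",)),
    Rule("records-business-hours", roles=frozenset({"records"}),
         sites=frozenset({"HQ"}), hours=(7, 19), weekdays=frozenset(range(5))),
)

# Constructed requests (August 2014: the 2nd is a Saturday, the 3rd a Sunday, the 5th a Tuesday).
SAMPLE_REQUESTS = {
    "dispatch-sunday-night": AccessRequest(
        "asmith", "dispatcher", "Annex", "dispatch-vlan", "10.10.4.7", datetime(2014, 8, 3, 2, 0)),
    "dispatch-from-outside-block": AccessRequest(
        "asmith", "dispatcher", "Annex", "dispatch-vlan", "192.0.2.10", datetime(2014, 8, 3, 2, 0)),
    "records-tuesday-morning": AccessRequest(
        "bjones", "records", "HQ", "office-vlan", "10.20.1.5", datetime(2014, 8, 5, 10, 0)),
    "records-saturday": AccessRequest(
        "bjones", "records", "HQ", "office-vlan", "10.20.1.5", datetime(2014, 8, 2, 10, 0)),
}


if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(label, decide(RULES, req))
```

Returning the matched rule names alongside the decision is what makes the Least Privilege row's "review records reflecting all such changes" practical: the audit record for the access can name the rule that granted it.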

Session Lock
Requirement: The information system shall prevent further access to the system by initiating a session lock after a maximum of 30 minutes of inactivity, and the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures. Users shall directly initiate session lock mechanisms to prevent inadvertent viewing when a device is unattended.
Guidance: A session lock is not a substitute for logging out of the information system. In the interest of officer safety, devices that are: (1) part of a police vehicle; or (2) used to perform dispatch functions and located within a physically secure location, are exempt from this requirement. Note: an example of a session lock is a screen saver with password.

Remote Access
Requirement: The agency shall authorize, monitor, and control all methods of remote access to the information system. The agency shall employ automated mechanisms to facilitate the monitoring and control of remote access methods. The agency shall control all remote accesses through managed access control points. The agency may permit remote access for privileged functions only for compelling operational needs but shall document the rationale for such access in the security plan for the information system.
Guidance: Remote access is any temporary access to an agency's information system by a user (or an information system) communicating temporarily through an external, non-agency-controlled network (e.g., the Internet).

Personally Owned Information Systems
Requirement: A personally owned information system shall not be authorized to access, process, store or transmit CJI unless the agency has established and documented the specific terms and conditions for personally owned information system usage. Authorized BYOD devices shall be controlled using the requirements in the Cellular section.
Guidance: This control does not apply to the use of personally owned information systems to access an agency's information systems and information that are intended for public access (e.g., an agency's public website that contains purely public information).

Publicly Accessible Computers
Requirement: Publicly accessible computers shall not be used to access, process, store or transmit CJI. Publicly accessible computers include but are not limited to: hotel business center computers, convention center computers, public library computers, public kiosk computers, etc.

Wireless Access Restrictions
Requirement: The agency shall: (i) establish usage restrictions and implementation guidance for wireless technologies; and (ii) authorize, monitor, and control wireless access to the information system.
Guidance: Wireless technologies, in the simplest sense, enable one or more devices to communicate without physical connections, without requiring network or peripheral cabling.
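The Unsuccessful Login Attempts and Session Lock rows above give concrete numbers: no more than five consecutive invalid attempts, a ten-minute automatic lock that only an administrator may cut short, and a session lock after at most thirty minutes of inactivity that is cleared only by re-authenticating. The Python below is an added example, not code from this guide or from VMware, that implements exactly those limits, including the two details implementations often miss (a correct password is refused while the lock is in force, and resuming a locked session goes through the same throttled login path). The credential store is a constructed stand-in, and the reference time T0 and helper at() exist only to drive the example deterministically.

```python
"""Login throttling and session inactivity lock for the limits in the Unsuccessful
Login Attempts row (no more than 5 consecutive invalid attempts, 10-minute automatic
lock, release by an administrator) and the Session Lock row (lock after at most 30
minutes of inactivity, user-initiated lock, re-authentication to resume).
Added example; not code from the guide or from VMware. The credential store is a
constructed stand-in: a real system keeps salted password hashes, not a bare SHA-256."""
import hashlib
import hmac
from datetime import datetime, timedelta

MAX_INVALID_ATTEMPTS = 5               # Unsuccessful Login Attempts
LOCK_PERIOD = timedelta(minutes=10)    # Unsuccessful Login Attempts
IDLE_LIMIT = timedelta(minutes=30)     # Session Lock

T0 = datetime(2014, 8, 1, 9, 0)        # constructed reference time


def at(minutes=0, seconds=0):
    """Clock value the given minutes and seconds after T0."""
    return T0 + timedelta(minutes=minutes, seconds=seconds)


class Account:
    def __init__(self, name, secret):
        self.name = name
        self._digest = hashlib.sha256(secret.encode()).digest()   # constructed stand-in
        self.consecutive_failures = 0
        self.locked_until = None

    def secret_matches(self, secret):
        candidate = hashlib.sha256(secret.encode()).digest()
        return hmac.compare_digest(self._digest, candidate)


class Session:
    def __init__(self, user, now):
        self.user, self.last_activity, self.locked = user, now, False

    def touch(self, now):
        """Record activity; returns False (and locks) once idle time reaches IDLE_LIMIT."""
        if not self.locked and now - self.last_activity >= IDLE_LIMIT:
            self.locked = True
        if self.locked:
            return False
        self.last_activity = now
        return True

    def lock(self):
        """User-initiated lock before leaving a device unattended."""
        self.locked = True

    def resume(self, authenticator, secret, now):
        """Unlock only through the normal login path, so the lockout rules still apply."""
        status, _ = authenticator.login(self.user, secret, now)
        if status != "ok":
            return False
        self.locked, self.last_activity = False, now
        return True


class Authenticator:
    def __init__(self, accounts):
        self.accounts = {account.name: account for account in accounts}

    def login(self, name, secret, now):
        """Return ("ok", Session), ("fail", None) or ("locked", None)."""
        account = self.accounts.get(name)
        if account is None:
            return "fail", None          # same answer as a wrong password
        if account.locked_until is not None:
            if now < account.locked_until:
                return "locked", None    # a correct password is refused while locked
            account.locked_until, account.consecutive_failures = None, 0   # auto release
        if account.secret_matches(secret):
            account.consecutive_failures = 0
            return "ok", Session(name, now)
        account.consecutive_failures += 1
        if account.consecutive_failures >= MAX_INVALID_ATTEMPTS:
            account.locked_until = now + LOCK_PERIOD
            return "locked", None
        return "fail", None

    def admin_release(self, name):
        """Administrator release of the automatic lock before the 10 minutes elapse."""
        account = self.accounts[name]
        account.locked_until, account.consecutive_failures = None, 0


if __name__ == "__main__":
    auth = Authenticator([Account("jdoe", "correct horse")])
    print([auth.login("jdoe", "wrong", at(0, i))[0] for i in range(5)])
    print(auth.login("jdoe", "correct horse", at(5))[0],
          auth.login("jdoe", "correct horse", at(11))[0])
```

Every transition here (each failed attempt, the lock, the administrator release) is one of the auditable events in the Events row of Policy Area 4, so a production version would emit an audit record from login() and admin_release() rather than just return a status.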

All 802.11x Wireless Protocols
Guidance: Examples of wireless technologies include, but are not limited to: 802.11x, cellular networks, Bluetooth, satellite and microwave. Wireless technologies require at least the minimum security applied to wired technology and, based upon the specific technology, may require some additional security controls.
Requirement: Agencies shall:
1. Perform validation testing to ensure rogue APs (Access Points) do not exist in the Wireless Local Area Network (WLAN) and to fully understand the wireless network security posture.
2. Maintain a complete inventory of all Access Points (APs) and 802.11 wireless devices.
3. Place APs in secured areas to prevent unauthorized physical access and user manipulation.
4. Test AP range boundaries to determine the precise extent of the wireless coverage and design the AP wireless coverage to limit the coverage area to only what is needed for operational purposes.
5. Enable user authentication and encryption mechanisms for the management interface of the AP.
6. Ensure that all APs have strong administrative passwords and ensure that all passwords are changed in accordance with policy.
7. Ensure the reset function on APs is used only when needed and is only invoked by authorized personnel. Restore the APs to the latest security settings, when the reset functions are used, to ensure the factory default settings are not utilized.
8. Change the default service set identifier (SSID) in the APs. Disable the broadcast SSID feature so that the client SSID must match that of the AP. Validate that the SSID character string does not contain any agency identifiable information (division, department, street, etc.) or services.
9. Enable all security features of the wireless product, including the cryptographic authentication, firewall, and other privacy features.
10. Ensure that encryption key sizes are at least 128 bits and the default shared keys are replaced by unique keys.
11. Ensure that the ad hoc mode has been disabled unless the environment is such that the risk has

been assessed and is tolerable. Note: some products do not allow disabling this feature; use with caution or use a different vendor.
12. Disable all nonessential management protocols on the APs and disable hypertext transfer protocol (HTTP) when not needed or protect HTTP access with authentication and encryption.
13. Enable logging (if supported) and review the logs on a recurring basis per local policy. At a minimum logs shall be reviewed monthly.
14. Segregate, virtually (e.g. virtual local area network (VLAN) and ACLs) or physically (e.g. firewalls), the wireless network from the operational wired infrastructure. Limit access between wireless networks and the wired network to only operational needs.
15. When disposing of access points that will no longer be used by the agency, clear the access point configuration to prevent disclosure of network configuration, keys, passwords, etc.

Legacy 802.11 Protocols
Requirement: Agencies shall follow the guidelines below regarding wireless implementation and cases where the WEP and WPA security features are used to provide wireless security in conjunction with the CJIS required minimum encryption specifications.
1. Deploy media access control (MAC) access control lists (ACL); however, MAC ACLs do not represent a strong defense mechanism by themselves because they are transmitted in the clear from WLAN clients to APs so they can be captured easily.
2. Enable WEP/WPA.
3. Ensure the default shared keys are replaced by more secure unique keys.
4. Enable utilization of key-mapping keys rather than default keys so that sessions are unique when using WEP.
Guidance: Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) cryptographic algorithms, used by all pre-802.11i protocols, do not meet the requirements for FIPS 140-2 and are to be used only if additional security controls are employed.
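Most of the All 802.11x Wireless Protocols checklist above, and the Legacy 802.11 Protocols note on WEP/WPA, can be checked mechanically from an access point's exported configuration (items 1 to 4, 7 and 15 are operational and cannot). The Python below is an added example, not code from this guide or from VMware, that audits a configuration against items 5, 6, 8, 10, 11, 12, 13 and 14 and flags WEP, WPA or open security modes as not FIPS 140-2 capable. The configuration keys, the agency-term list and the two sample configurations (one as the device leaves the box, one hardened) are constructed; a real vendor export would first have to be mapped onto these keys.

```python
"""Configuration audit against the All 802.11x Wireless Protocols checklist and the
Legacy 802.11 Protocols note. Added example; not code from the guide or from VMware.
The configuration keys, the agency-term list and both sample configurations are
constructed; a vendor's export would have to be mapped onto these keys first."""

# Constructed: strings an SSID must not contain (item 8: no agency-identifiable information).
AGENCY_TERMS = ("police", "sheriff", "dispatch", "records", "pd-")
# Constructed: well-known factory SSIDs (item 8: change the default SSID).
FACTORY_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}
# Item 14: the wireless network must be segregated virtually or physically.
ACCEPTED_SEGREGATION = {"vlan+acl", "firewall"}


def audit_ap(cfg, agency_terms=AGENCY_TERMS):
    """Return the checklist items the configuration fails, one short reason each."""
    findings = []
    ssid = str(cfg.get("ssid", "")).lower()
    if ssid in FACTORY_SSIDS:
        findings.append("item 8: factory default SSID still in use")
    if any(term in ssid for term in agency_terms):   # coarse substring check
        findings.append("item 8: SSID contains agency-identifiable information")
    if cfg.get("broadcast_ssid", True):
        findings.append("item 8: SSID broadcast enabled")
    if not (cfg.get("mgmt_auth") and cfg.get("mgmt_encrypted")):
        findings.append("item 5: management interface without authentication and encryption")
    if cfg.get("admin_password_default", True):
        findings.append("item 6: administrative password is the vendor default")
    if int(cfg.get("key_bits", 0)) < 128:
        findings.append("item 10: encryption key shorter than 128 bits")
    if cfg.get("shared_key_default", True):
        findings.append("item 10: default shared key not replaced")
    if cfg.get("adhoc_enabled", False):
        findings.append("item 11: ad hoc mode enabled")
    if cfg.get("http_mgmt", False) and not cfg.get("mgmt_encrypted"):
        findings.append("item 12: plain HTTP management enabled")
    if not cfg.get("logging", False):
        findings.append("item 13: logging disabled")
    if cfg.get("wired_segregation") not in ACCEPTED_SEGREGATION:
        findings.append("item 14: wireless not segregated from the wired infrastructure")
    if str(cfg.get("security_mode", "")).lower() in ("wep", "wpa", "none", "open"):
        findings.append("Legacy 802.11 Protocols: security mode is not FIPS 140-2 capable; "
                        "compensating controls required")
    return findings


# Constructed: an AP as it might leave the box, and the same AP after hardening.
WEAK_AP = {
    "ssid": "linksys", "broadcast_ssid": True, "mgmt_auth": False, "mgmt_encrypted": False,
    "admin_password_default": True, "security_mode": "WEP", "key_bits": 40,
    "shared_key_default": True, "adhoc_enabled": True, "http_mgmt": True,
    "logging": False, "wired_segregation": "none",
}
HARDENED_AP = {
    "ssid": "net-7f3a", "broadcast_ssid": False, "mgmt_auth": True, "mgmt_encrypted": True,
    "admin_password_default": False, "security_mode": "WPA2-Enterprise", "key_bits": 256,
    "shared_key_default": False, "adhoc_enabled": False, "http_mgmt": False,
    "logging": True, "wired_segregation": "vlan+acl",
}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_AP), ("hardened", HARDENED_AP)):
        print(label, audit_ap(cfg) or "no findings")
```

The defaults on cfg.get are deliberately pessimistic (an unset key counts as the weak value), so an incomplete export produces findings to investigate rather than a clean report.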

Cellular Risk Mitigations
Requirement: Organizations shall, at a minimum, ensure that cellular devices:
1. Apply available critical patches and upgrades to the operating system as soon as they become available for the device and after necessary testing.
2. Are configured for local device authentication.
3. Use advanced authentication.
4. Encrypt all CJI resident on the device.
5. Erase cached information when a session is terminated.
6. Employ personal firewalls or run a Mobile Device Management (MDM) system that facilitates the ability to provide firewall services from the agency level.
7. Employ antivirus software or run an MDM system that facilitates the ability to provide antivirus services from the agency level.
Guidance: Cellular telephones, smartphones (i.e. Blackberry, iPhones, etc.), personal digital assistants (PDA), and "aircards" are examples of cellular handheld devices or devices that employ cellular technology. Additionally, cellular handheld devices typically include Bluetooth, infrared, and other wireless protocols capable of joining infrastructure networks or creating dynamic ad hoc networks. Cellular devices are at risk due to a multitude of threats and consequently pose a risk to the enterprise. Threats to cellular handheld devices stem mainly from their size, portability, and available wireless interfaces and associated services. Examples of threats to cellular handheld devices include: loss, theft, or disposal; unauthorized access; malware; spam; electronic eavesdropping; electronic tracking (threat to security of data and safety of law enforcement officer); cloning (not as prevalent with later generation cellular technologies); and server-resident data.

Voice Transmissions Over Cellular Devices
Requirement: Any cellular device used to transmit CJI via voice is exempt from the encryption and authentication requirements when an officer determines there is an immediate need for the CJI to further an investigation or situations affecting the safety of an officer or the general public.
Guidance: The use of a cellular device to transmit CJI via voice is the officer's decision.

Mobile Device Management (MDM)
Guidance: MDM facilitates the implementation of sound security controls for mobile devices and allows for centralized oversight of configuration control, application usage, and device protection and recovery [if so desired by the agency].
Requirement: Devices that have been rooted, jailbroken, or have had any unauthorized changes made to them shall not be used to process, store, or transmit CJI data at any time. In addition to the security controls described in this policy, agencies shall implement the following controls when allowing CJI access from cell/smart phones and tablet devices:
1. CJI is only transferred between CJI authorized applications and storage areas of the device.
2. MDM with centralized administration capable of at least:
  i. Remote locking of device
  ii. Remote wiping of device
  iii. Setting and locking device

configuration
  iv. Detection of "rooted" and "jailbroken" devices
  v. Enforce folder or disk level encryption

Bluetooth
Guidance: Bluetooth is an open standard for short-range radio frequency (RF) communication and is used primarily to establish wireless personal area networks (WPAN), commonly referred to as ad hoc networks or piconets. A piconet is composed of two or more Bluetooth devices in close physical proximity that operate on the same channel using the same frequency hopping sequence and can scale to include up to seven active slave devices and up to 255 inactive slave devices. Bluetooth voice and data transfer technology has been integrated into many types of business and consumer devices, including cellular phones, personal digital assistants (PDA), laptops, automobiles, printers, and headsets. Bluetooth does not provide end-to-end, audit, or non-repudiation security services. If such services are needed, they shall be provided through additional, higher-layer means in addition to the Bluetooth specification and 802.11 standards. The cryptographic algorithms employed by the Bluetooth standard are not FIPS approved. When communications require FIPS-approved cryptographic protection, this can be achieved by employing application-level FIPS-approved encryption over the native Bluetooth encryption.
Requirement: Agencies shall:
1. Provide users with a list of precautionary measures they should take to better protect handheld Bluetooth devices from theft. The organization and its employees should be responsible for its wireless technology components because theft of those components could lead to malicious activities against the organization's information system resource.
2. Maintain a complete inventory of all Bluetooth-enabled wireless devices and addresses (BD_ADDRs). A complete inventory of Bluetooth-enabled wireless devices can be referenced when conducting an audit that searches for unauthorized use of wireless technologies.
3. Change the default setting of the Bluetooth device to reflect the organization's security policy. Because default settings are generally not secure, a careful review of those settings should be performed to ensure that they comply with the organization's security policy.
4. Set Bluetooth devices to the lowest necessary and sufficient power level so that transmissions remain within the secure perimeter of the organization. Setting Bluetooth devices to the lowest necessary and sufficient power level ensures a secure range of access to authorized users. The use of Class 1 devices should be avoided due to their extended range (approximately 100 meters).
5. Choose personal identification number (PIN) codes that are sufficiently random and long. Avoid static and weak PINs, such as all zeroes. PIN codes should be random so that they cannot be easily reproduced by malicious users.

Longer PIN codes are more resistant to brute force attacks. For Bluetooth v2.0 (or earlier) devices, an eight-character alphanumeric PIN shall be used.
6. For v2.1 devices using Secure Simple Pairing, avoid using the "Just Works" model. The "Just Works" model does not provide protection against man-in-the-middle (MITM) attacks. Devices that only support Just Works should not be procured if similarly qualified devices that support one of the association models (i.e. Numeric Comparison, Out of Band, or Passkey Entry) are available.
7. Bluetooth devices should be configured by default as, and remain, undiscoverable except as needed for pairing. Bluetooth interfaces should be configured as non-discoverable, which prevents visibility to other Bluetooth devices except when discovery is specifically needed. Also, the default self-identifying or discoverable names provided on Bluetooth devices should be changed to anonymous unidentifiable names.
8. Invoke link encryption for all Bluetooth connections regardless of how needless encryption may seem (i.e. no Security Mode 1). Link encryption should be used to secure all data transmissions during a Bluetooth connection; otherwise, transmitted data is vulnerable to eavesdropping.
9. If multi-hop wireless communication is being utilized, ensure that encryption is enabled on every link in the communication chain. Every link should be secured because one unsecured link results in compromising the entire communication chain.
10. Ensure device mutual authentication is performed for all accesses. Mutual authentication is required to provide verification that all devices on the network are legitimate.
11. Enable encryption for all broadcast transmission (Encryption Mode 3). Broadcast transmissions secured by link encryption provide a layer of security that protects these transmissions from

65 CJIS( POLICY( REQUIREMENT( userinterceptionformaliciouspurposes. 12.* Configureencryptionkeysizestothemaximum allowable.usingmaximumallowablekeysizes providesprotectionfrombruteforceattacks. 13.* Establisha minimumkeysize forany negotiationprocess.establishingminimumkey sizesensuresthatallkeysarelongenoughtobe resistanttobruteforceattacks. 14.* UseSecurityMode3inordertoprovidelinkd levelsecuritypriortolinkestablishment. 15.* Usersdonotaccepttransmissionsofanykind fromunknownorsuspiciousdevices.these typesoftransmissionsincludemessages,files, andimages.withtheincreaseinthenumberof Bluetoothenableddevices,itisimportantthat usersonlyestablishconnectionswithother trusteddevicesandonlyacceptcontentfrom thesetrusteddevices. GUIDANCE( 5.6 Policy(Area(6:(Identification(and(Authentication Theagencyshallidentifyinformationsystemusers andprocessesactingonbehalfofusersand authenticatetheidentitiesofthoseusersor processesasaprerequisitetoallowingaccessto agencyinformationsystemsorservices Identification(Policy(and(Procedures Eachpersonwhoisauthorizedtostore,process, and/ortransmitcjishallbeuniquelyidentified.a uniqueidentificationshallalsoberequiredforall personswhoadministerandmaintainthesystem(s) thataccesscjiornetworksleveragedforcjitransit. AgenciesshallensurethatalluserIDsbelongto currentlyauthorizedusers.identificationdatashall bekeptcurrentbyaddingnewusersanddisabling and/ordeletingformerusers. Identifyingandauthenticationusersandprocesses priortoallowingaccessisabestpracticeregardless ofindustry. Theuniqueidentificationcantaketheformofafull name,badgenumber,serialnumber,orother uniquealphanumericidentifier.agenciesshall requireuserstoidentifythemselvesuniquelybefore theuserisallowedtoperformanyactionsonthe system. VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 65( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001'

Use of Originating Agency Identifiers in Transactions and Information Exchanges
CJIS Policy Requirement:
An FBI authorized originating agency identifier (ORI) shall be used in each transaction on CJIS systems in order to identify the sending agency and to ensure the proper level of access for each transaction. The original identifier between the requesting agency and the CSA/SIB/Channeler shall be the ORI, and other agency identifiers, such as user identification or personal identifier, an access device mnemonic, or the Internet Protocol (IP) address.

Agencies may act as a servicing agency and perform transactions on behalf of authorized agencies requesting the service. Servicing agencies performing inquiry transactions on behalf of another agency may do so using the requesting agency's ORI. Servicing agencies may also use their own ORI to perform inquiry transactions on behalf of a requesting agency if the means and procedures are in place to provide an audit trail for the current specified retention period. Because the agency performing the transaction may not necessarily be the same as the agency requesting the transaction, the CSA/SIB/Channeler shall ensure that the ORI for each transaction can be traced, via audit trail, to the specific agency which is requesting the transaction.

Agencies assigned a P (limited access) ORI shall not use the full access ORI of another agency to conduct an inquiry transaction.
Guidance:
Audit trails can be used to identify the requesting agency if there is a reason to inquire into the details surrounding why an agency ran an inquiry on a subject.

Authentication Policy and Procedures
CJIS Policy Requirement:
Authentication refers to mechanisms or processes that verify users are valid once they are uniquely identified. The CSA/SIB may develop an authentication strategy which centralizes oversight but decentralizes the establishment and daily administration of the security measures for access to CJI.

Each individual's identity shall be authenticated at either the local agency, CSA, SIB or Channeler level. The authentication strategy shall be part of the agency's audit for policy compliance. The FBI CJIS Division shall identify and authenticate all individuals who establish direct web-based interactive sessions with FBI CJIS Services. The FBI CJIS Division shall authenticate the ORI of all message-based sessions
Guidance:
Authentication refers to mechanisms or processes that verify users are valid once they are uniquely identified.

CJIS Policy Requirement (continued):
between the FBI CJIS Division and its customer agencies but will not further authenticate the user nor capture the unique identifier for the originating operator because this function is performed at the local agency, CSA, SIB or Channeler level.

Standard Authenticators
CJIS Policy Requirement:
Agencies shall not allow the same authenticator (i.e., password, PIN) to be used multiple times on a device or system.
Guidance:
Authenticators are the "something you know", "something you are", or "something you have" part of the identification and authentication process. Examples of standard authenticators include passwords, tokens, biometrics, and personal identification numbers (PIN).

Password
CJIS Policy Requirement:
Agencies shall follow the secure password attributes, below, to authenticate an individual's unique ID. Passwords shall:
1. Be a minimum length of eight (8) characters on all systems.
2. Not be a dictionary word or proper name.
3. Not be the same as the User ID.
4. Expire within a maximum of 90 calendar days.
5. Not be identical to the previous ten (10) passwords.
6. Not be transmitted in the clear outside the secure location.
7. Not be displayed when entered.
Guidance:
These password requirements are the minimum required to comply with the policy. Agencies may choose to implement more stringent requirements.

Advanced Authentication Policy and Rationale
CJIS Policy Requirement:
The requirement to use or not use AA is dependent upon the physical, personnel and technical security controls associated with the user location. AA shall not be required for users requesting access to CJI from within the perimeter of a physically secure location, when the technical security controls have been met. Conversely, if the technical security controls have not been met, AA shall be required even if the request for CJI originates from within a physically secure location. The Advanced Authentication Decision Tree section (below) provides agencies with a decision tree to help guide AA decisions.

The two authentication factors shall be unique (i.e. password/token or biometric/password but not password/password or token/token).
Guidance:
Advanced Authentication (AA) provides for additional security to the typical user identification and authentication of login ID and password, such as: biometric systems, user-based public key infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens, or "Risk-based Authentication" that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (i.e. device forensics, user pattern analysis and user binding), user profiling, and high-risk challenge/response questions.

CJIS Policy Requirement (continued):
INTERIM COMPLIANCE:
1. For interim compliance, users accessing CJI from devices associated with, and located within, a police vehicle are exempt from the AA requirement until September 30th 2014 if the information system being used has not been procured or upgraded anytime after September 30th, 2005. For the purposes of this Policy, a police vehicle is defined as an enclosed criminal justice conveyance with the capability to comply, during operational periods, with Section
2. Internet Protocol Security (IPSec) does not meet the 2011 requirements for advanced authentication; however, agencies that have funded/implemented IPSec in order to meet the AA requirements of CJIS Security Policy v.4.5 may continue to utilize IPSec for AA until September 30, 2014.

Examples:
a. A police officer runs a query for CJI from his/her laptop mounted in a police vehicle. The police officer leverages a cellular network as the transmission medium; authenticates the device using IPSec key exchange; and tunnels across the cellular network using the IPSec virtual private network (VPN). IPSec was funded and installed in order to meet the AA requirements of CJIS Security Policy version 4.5. AA requirements are waived until September 30, 2014.
b. A detective accesses CJI from various locations while investigating a crime scene. The detective uses an agency managed laptop with IPSec installed and leverages a cellular network as the transmission medium. IPSec was funded and installed in order to meet the AA requirements of CJIS Security Policy version 4.5. AA requirements are waived until September 30, 2014.

EXCEPTION:
AA shall be required when the requested service has built AA into its processes and requires a user to provide AA before granting access.

EXAMPLES:
a. A user, irrespective of his/her location, accesses the LEO website. The LEO has AA built into its services and requires AA prior to granting access. AA is required.
b. A user, irrespective of their location, accesses a State's portal through which access to CJI is facilitated. The State portal has AA built into its processes and requires AA prior to granting access. AA is required.
Guidance:
Examples of standard authenticators include passwords, tokens, biometrics, and personal identification numbers (PIN).
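The seven password attributes in the Password section above are concrete enough to enforce in code. The block below is an added example, not code from this guide, from VMware, or from the CJIS Security Policy. The sample dictionary, user IDs and passwords are constructed; storing the ten-password history as per-entry salted PBKDF2-HMAC-SHA256 digests is an assumed design choice. Attributes 6 and 7 (no clear-text transmission, no display on entry) are properties of the transport and the user interface, so a server-side checker cannot verify them and they are only noted in comments.

```python
"""Checks for the CJIS password attributes (added example, not the guide's code)."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 8          # attribute 1
MAX_AGE_DAYS = 90       # attribute 4
HISTORY_DEPTH = 10      # attribute 5

# Constructed stand-in for a real dictionary / proper-name word list (attribute 2).
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "michael", "springfield"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 digest so the history never stores passwords
    themselves. Returns (salt, digest); reuse the salt to re-check a candidate."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def matches_history(password, history):
    """True if the candidate equals any of the last HISTORY_DEPTH stored entries."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def password_violations(password, user_id, history, dictionary=SAMPLE_DICTIONARY):
    """Return the attribute numbers (as listed in the Password section) that the
    candidate fails. An empty list means the candidate is acceptable.
    Attributes 6 (clear-text transmission) and 7 (display on entry) are not
    observable here; they belong to the transport and the UI."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(1)
    if password.lower() in dictionary:            # exact-match check only
        violations.append(2)
    if password.lower() == user_id.lower():
        violations.append(3)
    if matches_history(password, history):
        violations.append(5)
    return violations


def password_expired(last_changed_iso, now_iso):
    """Attribute 4: a password older than 90 calendar days must be rotated.
    Both arguments are ISO-8601 date strings, e.g. '2014-01-01'."""
    last_changed = datetime.fromisoformat(last_changed_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    history = [hash_password("OldPass#1"), hash_password("OldPass#2")]
    print(password_violations("OldPass#1", "jdoe", history))   # reuse -> [5]
    print(password_violations("jdoe", "jdoe", []))             # too short, equals ID
    print(password_expired("2014-01-01", "2014-04-02"))        # 91 days -> True
```

The dictionary check is deliberately the minimum the attribute states (an exact match against a word list); an agency that chooses the more stringent requirements the guidance mentions would extend it to substrings and common substitutions.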

Advanced Authentication Decision Tree
CJIS Policy Requirement:
The following AA Decision Tree assists decision makers in determining whether or not AA is required.

1. Can request's originating location be determined physically? If either (a) or (b) below are true the answer to the above question is "yes". Proceed to question 2.
   a. The IP address is attributed to a physical structure; or
   b. The mnemonic is attributed to a specific device assigned to a specific location that is a physical structure.
   If neither (a) or (b) above are true then the answer is "no". Skip to question number 4.

2. Does request originate from within a physically secure location (that is not a police vehicle) as described in section 5.9.1? If either (a) or (b) below are true the answer to the above question is "yes". Proceed to question 3.
   a. The IP address is attributed to a physically secure location; or
   b. If a mnemonic is used it is attributed to a specific device assigned to a specific physically secure location.
   If neither (a) or (b) above are true then the answer is "no". Decision tree completed. AA required.

3. Are all required technical controls implemented at this location or at the controlling agency? If either (a) or (b) below are true the answer to the above question is "yes". Decision tree completed. AA requirement waived.
   a. Appropriate technical controls listed in Sections 5.5 and 5.10 are implemented; or
   b. The controlling agency (i.e. parent agency or agency leveraged as conduit to CJI) extends its wide area network controls down to the requesting agency and the extended controls provide assurance equal or greater to the controls listed in Sections 5.5 and 5.10.
   If neither (a) or (b) above are true then the answer is "no". Decision tree completed. AA required.

4. Does request originate from an agency-managed user device? If either (a) or (b) below are true the answer to the above question is "yes". Proceed to question 5.
   a. The static IP address or MAC address can be traced to registered device; or
   b. Certificates are issued to agency managed devices only and certificate exchange is allowed only between authentication server and agency issued devices.
   If neither (a) or (b) above are true then the answer is "no". Decision tree completed. AA required.

5. Is the agency managed user device associated with and located within a law enforcement conveyance? If any of the (a), (b), or (c) statements below is true the answer to the above question is "yes". Proceed to question 6.
   a. The static IP address or MAC address is associated with a device associated with a law enforcement conveyance; or
   b. The certificate presented is associated with a device associated with a law enforcement conveyance; or
   c. The mnemonic presented is associated with a specific device assigned and that device is attributed to a law enforcement conveyance.
   If none of the (a), (b), or (c) statements above are true then the answer is "no". Skip to question number 7.

6. Has there been an acquisition or upgrade since 2005? If any of the (a), (b), (c), or (d) statements below are true the answer to the above question is "yes". Proceed to question number 7.
   a. The "green-screen" MDTs have been replaced with laptops or other mobile devices; or
   b. An upgrade of technology exceeding 25% of the cost of the system being upgraded has taken place; or
   c. Any upgrade to the system encryption module has taken place; or
   d. Any upgrade to the system that is not replacing like technology has taken place.
   If none of the (a), (b), (c), or (d) statements above are true then the answer is "no". Decision tree completed. AA requirement waived.

7. Was IPSec implemented to meet the requirements of policy version 4.5? If either (a) or (b) below are true the answer to the above question is "yes". Decision tree completed. AA requirement is waived.
   a. The budget acquisition of IPSec was completed prior to January 1st, 2009 and IPSec was subsequently implemented; or
   b. Implementation of IPSec was completed prior to January 1st, 2009.
   If neither (a) or (b) above are true then the answer is "no". Decision tree completed. AA required.
Guidance:
Use this decision tree to establish whether AA is required for an entity.

Identifier and Authenticator Management
CJIS Policy Requirement:
The agency shall establish identifier and authenticator management processes.
Guidance:
These processes should be documented.

Identifier Management
CJIS Policy Requirement:
In order to manage user identifiers, agencies shall:
1. Uniquely identify each user.
2. Verify the identity of each user.
3. Receive authorization to issue a user identifier from an appropriate agency official.
4. Issue the user identifier to the intended party.
5. Disable the user identifier after a specified period of inactivity.
6. Archive user identifiers.
Guidance:
The steps to uniquely identify and verify each user are essential in protecting data and information systems.
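The Advanced Authentication Decision Tree above is a fixed sequence of yes/no questions with explicit skips, so it can be encoded and regression-tested rather than walked by hand for every access path. The block below is an added example, not part of this guide or of the CJIS Security Policy. The AccessRequest field names are assumptions chosen to mirror the (a), (b), (c) and (d) conditions of each question; the returned path records which questions were answered and how, which is the evidence an assessor would want alongside the verdict.

```python
"""Encoding of the AA decision tree (added example, not the guide's code)."""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    # Q1 (a)/(b): can the originating location be determined physically?
    ip_maps_to_physical_structure: bool = False
    mnemonic_maps_to_physical_structure: bool = False
    # Q2 (a)/(b): physically secure location (not a vehicle), section 5.9.1
    ip_in_physically_secure_location: bool = False
    mnemonic_in_physically_secure_location: bool = False
    # Q3 (a)/(b): technical controls of Sections 5.5 and 5.10
    technical_controls_implemented: bool = False
    controlling_agency_extends_controls: bool = False
    # Q4 (a)/(b): agency-managed user device
    address_traceable_to_registered_device: bool = False
    agency_issued_certificate: bool = False
    # Q5 (a)/(b)/(c): device tied to a law enforcement conveyance
    address_tied_to_conveyance: bool = False
    certificate_tied_to_conveyance: bool = False
    mnemonic_tied_to_conveyance: bool = False
    # Q6 (a)-(d): acquisition or upgrade since 2005
    mdts_replaced: bool = False
    upgrade_over_25_percent: bool = False
    encryption_module_upgraded: bool = False
    non_like_upgrade: bool = False
    # Q7 (a)/(b): IPSec implemented to meet policy v4.5
    ipsec_budget_before_2009_then_implemented: bool = False
    ipsec_implemented_before_2009: bool = False


def aa_required(r):
    """Walk the seven questions. Returns (AA required?, list of answers taken).
    Note that the waivers reached through Q6 'no' and Q7 'yes' are the interim
    vehicle/IPSec allowances, which the policy text sunsets on September 30, 2014."""
    path = []

    def answer(n, yes):
        path.append(f"Q{n}={'yes' if yes else 'no'}")
        return yes

    if answer(1, r.ip_maps_to_physical_structure or r.mnemonic_maps_to_physical_structure):
        if not answer(2, r.ip_in_physically_secure_location
                      or r.mnemonic_in_physically_secure_location):
            return True, path                      # Q2 no: AA required
        waived = answer(3, r.technical_controls_implemented
                        or r.controlling_agency_extends_controls)
        return (not waived), path                  # Q3 yes: waived; no: required

    # Q1 no: skip to Q4
    if not answer(4, r.address_traceable_to_registered_device or r.agency_issued_certificate):
        return True, path                          # Q4 no: AA required

    if answer(5, r.address_tied_to_conveyance or r.certificate_tied_to_conveyance
              or r.mnemonic_tied_to_conveyance):
        if not answer(6, r.mdts_replaced or r.upgrade_over_25_percent
                      or r.encryption_module_upgraded or r.non_like_upgrade):
            return False, path                     # Q6 no: waived (interim)
        # Q6 yes: proceed to Q7

    # Q5 no skips to Q7; Q6 yes proceeds to Q7
    waived = answer(7, r.ipsec_budget_before_2009_then_implemented
                    or r.ipsec_implemented_before_2009)
    return (not waived), path


if __name__ == "__main__":
    office = AccessRequest(ip_maps_to_physical_structure=True,
                           ip_in_physically_secure_location=True,
                           technical_controls_implemented=True)
    print(aa_required(office))   # (False, ['Q1=yes', 'Q2=yes', 'Q3=yes'])
```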

Authenticator Management
CJIS Policy Requirement:
In order to manage information system authenticators, agencies shall:
1. Define initial authenticator content.
2. Establish administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators.
3. Change default authenticators upon information system installation.
4. Change/refresh authenticators periodically.
Guidance:
Information system authenticators include, for example, tokens, user-based PKI certificates, biometrics, passwords, and key cards. Users shall take reasonable measures to safeguard authenticators including maintaining possession of their individual authenticators, not loaning or sharing authenticators with others, and immediately reporting lost or compromised authenticators.

Assertions
CJIS Policy Requirement:
Assertion mechanisms used to communicate the results of a remote authentication to other parties shall be:
1. Digitally signed by a trusted entity (e.g., the identity provider).
2. Obtained directly from a trusted entity (e.g. trusted broker) using a protocol where the trusted entity authenticates to the relying party using a secure protocol (e.g. transport layer security [TLS]) that cryptographically authenticates the verifier and protects the assertion.
Assertions generated by a verifier shall expire after 12 hours and shall not be accepted thereafter by the relying party.
Guidance:
Identity providers can be leveraged to identify individuals and assert the individual's identity to a service or to a trusted broker who will in turn assert the identity to a service.

Access Restrictions for Changes
CJIS Policy Requirement:
Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system.
Guidance:
The goal is to allow only qualified and authorized individuals access to information system components for purposes of initiating changes, including upgrades, and modifications.

Least Functionality
CJIS Policy Requirement:
The agency shall configure the application, service, or information system to provide only essential capabilities and shall specifically prohibit and/or restrict the use of specified functions, ports, protocols, and/or services.
Guidance:
Least functionality is a similar concept to least privilege. It is important to ensuring the confidentiality, integrity and availability of data.
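The relying-party side of the Assertions section above comes down to three checks on every assertion received: it was produced by an issuer the relying party trusts, its signature verifies, and it is no more than 12 hours old. The block below is an added example, not code from this guide, from VMware, or from the CJIS Security Policy. To stay within the Python standard library it uses HMAC-SHA256 under a key shared between identity provider and relying party as a stand-in for the digital signature the policy requires (a deployed system would use a signature scheme such as XML-DSig on SAML or a signed JWT); the token layout, the issuer names and the five-minute allowance for clock skew are assumptions.

```python
"""Issue and verify a signed, time-limited authentication assertion
(added example, not the guide's code; HMAC stands in for a digital signature)."""
import base64
import hashlib
import hmac
import json

ASSERTION_LIFETIME = 12 * 3600     # seconds; the policy's 12-hour limit
CLOCK_SKEW = 5 * 60                # assumed tolerance for an issuer clock slightly ahead


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer, subject, issued_at, key):
    """Identity-provider side: sign {iss, sub, iat} and return '<body>.<tag>'.
    `issued_at` is a Unix timestamp (seconds)."""
    claims = {"iss": issuer, "sub": subject, "iat": int(issued_at)}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_assertion(token, trusted_keys, now):
    """Relying-party side. `trusted_keys` maps issuer name -> verification key;
    `now` is the relying party's Unix time. Returns (ok, reason, claims)."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
        claims = json.loads(body)
        issued = int(claims["iat"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed", None

    key = trusted_keys.get(claims.get("iss"))
    if key is None:
        return False, "untrusted issuer", None        # requirement 1: trusted entity

    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):        # constant-time comparison
        return False, "bad signature", None

    if issued > now + CLOCK_SKEW:
        return False, "issued in the future", None
    if now - issued > ASSERTION_LIFETIME:             # 12-hour expiry
        return False, "expired", None
    return True, "ok", claims


if __name__ == "__main__":
    key = b"idp-signing-key"                          # constructed
    t0 = 1406880000                                   # constructed issue time
    token = issue_assertion("idp.agency.example", "jdoe", t0, key)
    print(verify_assertion(token, {"idp.agency.example": key}, t0 + 11 * 3600)[:2])
    print(verify_assertion(token, {"idp.agency.example": key}, t0 + 13 * 3600)[:2])
```

Requirement 2 of the section (obtaining the assertion over a TLS channel that authenticates the verifier) is a transport property and is outside what this checker sees; it is satisfied by the channel the token arrives on, not by the token itself.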

Network Diagram
CJIS Policy Requirement:
The agency shall ensure that a complete topological drawing depicting the interconnectivity of the agency network, to criminal justice information, systems and services is maintained in a current status. The network topological drawing shall include the following:
1. All communications paths, circuits, and other components used for the interconnection, beginning with the agency-owned system(s) and traversing through all interconnected systems to the agency end-point.
2. The logical location of all components (e.g., firewalls, routers, switches, hubs, servers, encryption devices, and computer workstations). Individual workstations (clients) do not have to be shown; the number of clients is sufficient.
3. "For Official Use Only" (FOUO) markings.
4. The agency name and date (day, month, and year) drawing was created or updated.
Guidance:
Network diagrams provide a visual representation of all components and are an essential tool when managing incidents.

Security of Configuration Documentation
CJIS Policy Requirement:
Agencies shall protect the system documentation from unauthorized access consistent with the provisions described in Section 5.5 Access Control.
Guidance:
The system configuration documentation often contains sensitive details (e.g. descriptions of applications, processes, procedures, data structures, authorization processes, data flow, etc.).

5.8 Policy Area 8: Media Protection
CJIS Policy Requirement:
Media protection policy and procedures shall be documented and implemented to ensure that access to electronic and physical media in all forms is restricted to authorized individuals. Procedures shall be defined for securely handling, transporting and storing media.

Media Storage and Access
CJIS Policy Requirement:
The agency shall securely store electronic and physical media within physically secure locations or controlled areas. The agency shall restrict access to electronic and physical media to authorized individuals. If physical and personnel restrictions are not feasible then the data shall be encrypted per the Encryption section of Policy Area 10.

Media Transport
CJIS Policy Requirement:
The agency shall protect and control electronic and physical media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel.
Guidance:
Transport refers to information that is physically moved to another location.

Electronic Media in Transit
CJIS Policy Requirement:
Controls shall be in place to protect electronic media containing CJI while in transport (physically moved from one location to another) to help prevent compromise of the data. Encryption is the optimal control during transport; however, if encryption of the data isn't possible then each agency shall institute other controls to ensure the security of the data.
Guidance:
"Electronic media" means electronic storage media including memory devices in laptops and computers (hard drives) and any removable, transportable digital memory media, such as magnetic tape or disk, optical disk, flash drives, external hard drives, or digital memory card.

Physical Media in Transit
CJIS Policy Requirement:
The controls and security measures in this document also apply to CJI in physical (printed documents, printed imagery, etc.) form.
Guidance:
Physical media shall be protected at the same level as the information would be protected in electronic form.

Electronic Media Sanitization and Disposal
CJIS Policy Requirement:
The agency shall sanitize/overwrite at least three times or degauss electronic media prior to disposal or release for reuse by unauthorized individuals. Inoperable electronic media shall be destroyed (cut up, shredded, etc.). The agency shall maintain written documentation of the steps taken to sanitize or destroy electronic media. Agencies shall ensure the sanitization or destruction is witnessed or carried out by authorized personnel.
Guidance:
Media sanitization helps preserve confidentiality when media is disposed.

Disposal of Physical Media
CJIS Policy Requirement:
Physical media shall be destroyed by shredding or incineration. Agencies shall ensure the disposal or destruction is witnessed or carried out by authorized personnel.
Guidance:
Physical media shall be securely disposed of when no longer required, using formal procedures. Formal procedures for the secure disposal or destruction of physical media shall minimize the risk of sensitive information compromise by unauthorized individuals.

5.9 Policy Area 9: Physical Protection
CJIS Policy Requirement:
Physical protection policy and procedures shall be documented and implemented to ensure CJI and information system hardware, software, and media are physically protected through access control measures.
Guidance:
Physical security reduces the threat of a physical attack.

Security Perimeter
CJIS Policy Requirement:
The perimeter of physically secure location shall be prominently posted and separated from non-secure locations by physical controls. Security perimeters shall be defined, controlled and secured in a manner acceptable to the CSA or SIB.
Guidance:
Security perimeter is the boundary that separates your systems from external systems.
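The Electronic Media Sanitization and Disposal section above asks for two things a script can demonstrate together: at least three overwrite passes, and written documentation of what was done, by whom and with which witness. The block below is an added example, not code from this guide, from VMware, or from the CJIS Security Policy; the pass patterns (zeros, ones, random), the record fields and the operator and witness identifiers are assumptions, and the scratch file it sanitizes is constructed. The caveat in the code matters: overwriting a file does not reach blocks that a flash translation layer, wear levelling or a journaling file system has remapped, so the policy's whole-media overwrite or degaussing, and physical destruction of inoperable media, still govern real disposal.

```python
"""Three-pass overwrite of a file plus the sanitization record the policy requires
(added example, not the guide's code)."""
import hashlib
import os
import secrets
import tempfile
from datetime import datetime, timezone

# Assumed pass patterns: all zeros, all ones, then cryptographically random bytes.
PATTERNS = (b"\x00", b"\xff", None)


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def overwrite_file(path, passes=3, chunk=1 << 16):
    """Overwrite every byte of the file `passes` times, fsync after each pass,
    and return the SHA-256 of the content after each pass as evidence the pass
    completed. Caveat: a file-level overwrite cannot reach blocks an SSD's flash
    translation layer or a journaling file system has remapped; whole-media
    overwrite or degaussing per the policy still applies to the device itself."""
    size = os.path.getsize(path)
    digests = []
    for i in range(passes):
        pattern = PATTERNS[i % len(PATTERNS)]
        with open(path, "r+b") as f:
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(pattern * n if pattern else secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
        digests.append(_sha256_file(path))
    return digests


def expected_pattern_digest(pattern, size):
    """SHA-256 of `size` bytes of a repeated one-byte pattern (for verification)."""
    return hashlib.sha256(pattern * size).hexdigest()


def sanitize_with_record(path, operator, witness, passes=3):
    """Overwrite, delete, and return the written record entry to be kept on file."""
    size = os.path.getsize(path)
    digests = overwrite_file(path, passes)
    os.remove(path)
    return {
        "path": path,
        "bytes": size,
        "passes": passes,
        "pass_digests": digests,
        "operator": operator,
        "witness": witness,
        "media_removed": not os.path.exists(path),
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


def demo_sanitize():
    """Run the procedure against a constructed scratch file and return the record."""
    fd, path = tempfile.mkstemp(prefix="cji-sample-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"CJI SAMPLE " * 80)      # 880 bytes of constructed content
    return sanitize_with_record(path, operator="analyst-01", witness="supervisor-02")


if __name__ == "__main__":
    record = demo_sanitize()
    print(record["bytes"], record["passes"], record["media_removed"])   # 880 3 True
```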

Physical Access Authorizations
CJIS Policy Requirement:
The agency shall develop and keep current a list of personnel with authorized access to the physically secure location (except for those areas within the permanent facility officially designated as publicly accessible) or shall issue credentials to authorized personnel.
Guidance:
The list of personnel with authorized access to the physically secure location should be reviewed on a regular basis.

Physical Access Control
CJIS Policy Requirement:
The agency shall control all physical access points (except for those areas within the facility officially designated as publicly accessible) and shall verify individual access authorizations before granting access.
Guidance:
Access should be verified prior to access being granted. This is an industry standard.

Access Control for Transmission Medium
CJIS Policy Requirement:
The agency shall control physical access to information system distribution and transmission lines within the physically secure location.
Guidance:
Physical security provides another layer of protection for CJI.

Access Control for Display Medium
CJIS Policy Requirement:
The agency shall control physical access to information system devices that display CJI and shall position information system devices in such a way as to prevent unauthorized individuals from accessing and viewing CJI.
Guidance:
This requirement is usually reinforced during security awareness training.

Monitoring Physical Access
CJIS Policy Requirement:
The agency shall monitor physical access to the information system to detect and respond to physical security incidents.
Guidance:
Monitoring is critical to detecting patterns and as a result identifying intruders.

Visitor Control
CJIS Policy Requirement:
The agency shall control physical access by authenticating visitors before authorizing escorted access to the physically secure location (except for those areas designated as publicly accessible). The agency shall escort visitors at all times and monitor visitor activity.
Guidance:
Most organizations have policies in place requiring all visitors check in before being escorted while on site.

Delivery and Removal
CJIS Policy Requirement:
The agency shall authorize and control information system-related items entering and exiting the physically secure location.
Guidance:
This control helps prevent unauthorized disclosure of CJI.

Controlled Area
CJIS Policy Requirement:
The agency shall, at a minimum:
1. Limit access to the controlled area during CJI processing times to only those personnel authorized by the agency to access or view CJI.
2. Lock the area, room, or storage container when unattended.
3. Position information system devices and documents containing CJI in such a way as to prevent unauthorized individuals from access and view.
4. Follow the encryption requirements found in the Encryption section of Policy Area 10 for electronic storage (i.e. data "at rest") of CJI.
Guidance:
If an agency cannot meet all of the controls required for establishing a physically secure location, but has an operational need to access or store CJI, the agency shall designate an area, a room, or a storage container, as a controlled area for the purpose of day-to-day CJI access or storage.

5.10 Policy Area 10: System and Communications Protection and Information Integrity
CJIS Policy Requirement:
Applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. This section details the policy for protecting systems and communications infrastructures.
Guidance:
Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment.

Information Flow Enforcement
CJIS Policy Requirement:
The network infrastructure shall control the flow of information between interconnected systems.
Guidance:
Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. In other words, controlling how data moves from one place to the next in a secure manner. Examples of controls that are better expressed as flow control than access control (see Section 5.5) are:
1. Prevent CJI from being transmitted unencrypted across the public network.
2. Block outside traffic that claims to be from within the agency.
3. Do not pass any web requests to the public network that are not from the internal web proxy.
Specific examples of flow control enforcement can be found in boundary protection devices (e.g. proxies, gateways, guards, encrypted tunnels, firewalls, and routers) that employ rule sets or establish configuration settings that restrict information system services or provide a packet filtering capability.

Boundary Protection
CJIS Policy Requirement:
The agency shall:
1. Control access to networks processing CJI.
2. Monitor and control communications at the external boundary of the information system and at key internal boundaries within the system.
3. Ensure any connections to the Internet, other external networks, or information systems occur through controlled interfaces.
4. Employ tools and techniques to monitor network events, detect attacks, and provide identification of unauthorized use.
5. Ensure the operational failure of the boundary protection mechanisms do not result in any unauthorized release of information outside of the information system boundary (i.e. the device shall "fail closed" vs. "fail open").
6. Allocate publicly accessible information system components (e.g. public web servers) to separate sub networks with separate, network interfaces. Publicly accessible information systems residing on a virtual host shall follow the guidance in the Virtualization section to achieve separation.
Guidance:
Some examples of interfaces are: proxies, gateways, routers, firewalls, encrypted tunnels.

Encryption
CJIS Policy Requirement:
1. Encryption shall be a minimum of 128 bit.
2. When CJI is transmitted outside the boundary of the physically secure location, the data shall be immediately protected via cryptographic mechanisms (encryption).
3. When CJI is at rest (i.e. stored electronically) outside the boundary of the physically secure location, the data shall be protected via cryptographic mechanisms (encryption).
4. When encryption is employed, the cryptographic module used shall be certified to meet FIPS 140-2 standards.
5. For agencies using public key infrastructure technology, the agency shall develop and implement a certificate policy and certification practice statement for the issuance of public key certificates used in the information system. Registration to receive a public key certificate shall:
   a. Include authorization by a supervisor or a responsible official.
   b. Be accomplished by a secure process that verifies the identity of the certificate holder.
   c. Ensure the certificate is issued to the intended party.
Guidance:
Note 1: Subsequent versions of approved cryptographic modules that are under current review for FIPS 140-2 compliancy can be used in the interim until certification is complete.
Note 2: While FIPS 197 (Advanced Encryption Standard) certification is desirable, a FIPS 197 certification alone is insufficient as the certification is for the algorithm only vs. the FIPS 140-2 standard which certifies the packaging of an implementation.

Intrusion Detection Tools and Techniques
CJIS Policy Requirement:
The agency shall implement network-based and/or host-based intrusion detection tools.
The CSA/SIB shall, in addition:
1. Monitor inbound and outbound communications for unusual or unauthorized activities.
2. Send individual intrusion detection logs to a central logging facility where correlation and analysis will be accomplished as a system wide intrusion detection effort.
3. Employ automated tools to support near-real-time analysis of events in support of detecting system-level attacks.
Guidance:
Intrusion detection is key to minimizing the impact of any unauthorized access to the system.

Voice over Internet Protocol
CJIS Policy Requirement:
The following additional controls shall be implemented when an agency deploys VoIP within a network that contains unencrypted CJI:
1. Establish usage restrictions and implementation guidance for VoIP technologies.
2. Change the default administrative password on the IP phones and VoIP switches.
3. Utilize Virtual Local Area Network (VLAN) technology to segment VoIP traffic from data traffic.
Guidance:
Voice over Internet Protocol (VoIP) has been embraced by organizations globally as an addition to, or replacement for, public switched telephone network (PSTN) and private branch exchange (PBX) telephone systems. The immediate benefits are lower costs than traditional telephone services and VoIP can be installed in-line with an organization's existing Internet Protocol (IP) services. Among VoIP's risks that have to be considered carefully are: myriad security concerns, cost issues associated with new networking hardware requirements, and overarching quality of service (QoS) factors.
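The three flow-control examples in the Information Flow Enforcement guidance above, together with items 2 and 5 of Boundary Protection (control at the external boundary; fail closed), are easiest to understand as an ordered rule set with a default deny. The block below is an added example, not code from this guide, from VMware, or from the CJIS Security Policy, and it is a rule evaluator rather than a packet filter: it shows what verdict each example rule produces for constructed packets, and how "fail closed" differs from "fail open" when the evaluator itself cannot reach a verdict. The address ranges (a private agency network, a CJI segment, a documentation-range VPN gateway and public host), the proxy address and the rule names are all assumptions.

```python
"""Flow-control rule evaluation with default deny and fail-closed behaviour
(added example, not the guide's code)."""
import ipaddress
from dataclasses import dataclass

# Constructed topology. 10.20.0.0/16 is the agency; 10.20.50.0/24 holds CJI systems.
AGENCY_NETS = [ipaddress.ip_network("10.20.0.0/16")]
CJI_SEGMENT = ipaddress.ip_network("10.20.50.0/24")
WEB_PROXY = ipaddress.ip_address("10.20.1.5")
VPN_GATEWAY = ipaddress.ip_address("203.0.113.10")   # documentation range, constructed
WEB_PORTS = (80, 443)


@dataclass
class Packet:
    iface: str      # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "esp" (IPSec payload)
    dport: int = 0


def is_agency(addr):
    return any(addr in net for net in AGENCY_NETS)


def evaluate(pkt):
    """Return (verdict, rule) for a packet; first matching rule wins."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)

    # Example 2: block outside traffic that claims to be from within the agency.
    if pkt.iface == "outside" and is_agency(src):
        return "deny", "anti-spoof"

    # Example 3: web requests to the public network only from the internal proxy.
    if pkt.iface == "inside" and not is_agency(dst) and pkt.proto == "tcp" \
            and pkt.dport in WEB_PORTS:
        if src == WEB_PROXY:
            return "permit", "proxy-web-egress"
        return "deny", "non-proxy-web-egress"

    # Example 1: CJI may leave the boundary only inside the IPSec tunnel.
    if pkt.iface == "inside" and src in CJI_SEGMENT and not is_agency(dst):
        if pkt.proto == "esp" and dst == VPN_GATEWAY:
            return "permit", "cji-tunnel-egress"
        return "deny", "cji-unencrypted-egress"

    # Tunnel return traffic from the peer gateway.
    if pkt.iface == "outside" and src == VPN_GATEWAY and pkt.proto == "esp":
        return "permit", "tunnel-return"

    # Anything not explicitly permitted (including intra-agency flows, which a
    # real rule set would list one by one) is denied.
    return "deny", "default-deny"


def fail_closed(pkt):
    """Boundary Protection item 5: if the mechanism cannot reach a verdict
    (malformed input, internal error), nothing is released."""
    try:
        return evaluate(pkt)
    except Exception:
        return "deny", "fail-closed"


if __name__ == "__main__":
    for p in [Packet("outside", "10.20.3.4", "10.20.50.10", "tcp", 445),
              Packet("inside", "10.20.1.5", "198.51.100.7", "tcp", 443),
              Packet("inside", "10.20.50.10", "198.51.100.7", "udp", 53),
              Packet("outside", "not-an-ip", "10.20.1.5", "tcp", 80)]:
        print(p.src, "->", p.dst, fail_closed(p))
```

A fail-open design would wrap the same evaluator in a handler that returns "permit" on error; the difference between the two is exactly the release of information item 5 prohibits.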

Cloud Computing
CJIS Policy Requirement:
The metadata derived from CJI shall not be used by any cloud service provider for any purposes. The cloud service provider shall be prohibited from scanning any e-mail or data files for the purpose of building analytics, data mining, advertising, or improving the services provided.
Guidance:
Organizations transitioning to a cloud environment are presented unique opportunities and challenges (e.g., purported cost savings and increased efficiencies versus a loss of control over the data). Reviewing the cloud computing white paper (Appendix G.3), the cloud assessment located within the security policy resource center on FBI.gov, NIST Special Publications (800-144, 800-145, and 800-146), as well as the cloud provider's policies and capabilities will enable organizations to make informed decisions on whether or not the cloud provider can offer service that maintains compliance with the requirements of the CJIS Security Policy.

Facsimile Transmission of CJI
CJIS Policy Requirement:
CJI transmitted via facsimile is exempt from encryption requirements.
Guidance:
Faxes containing CJI are exempt.

Partitioning
CJIS Policy Requirement:
The application, service, or information system shall separate user functionality (including user interface services) from information system management functionality.

The application, service, or information system shall physically or logically separate user interface services (e.g. public web pages) from information storage and management services (e.g. database management). Separation may be accomplished through the use of one or more of the following:
1. Different computers.
2. Different central processing units.
3. Different instances of the operating system.
4. Different network addresses.
5. Other methods approved by the FBI CJIS ISO.
Guidance:
As resources grow scarce, agencies are increasing the centralization of applications, services, and system administration. Advanced software now provides the ability to create virtual machines that allows agencies to reduce the amount of hardware needed. Although the concepts of partitioning and virtualization have existed for a while, the need for securing the partitions and virtualized machines has evolved due to the increasing amount of distributed processing and federated information sources now available across the Internet.

Virtualization

CJIS Policy Requirement:
Virtualization refers to a methodology of dividing the resources of a computer (hardware and software) into multiple execution environments. Virtualized environments are authorized for criminal justice and noncriminal justice activities. In addition to the security controls described in the CJIS Policy, the following additional controls shall be implemented in a virtual environment:
1. Isolate the host from the virtual machine. In other words, virtual machine users cannot access host files, firmware, etc.
2. Maintain audit logs for all virtual machines and hosts and store the logs outside the hosts' virtual environment.
3. Virtual Machines that are Internet facing (web servers, portal servers, etc.) shall be physically separate from virtual machines that process CJI internally.
4. Device drivers that are "critical" shall be contained within a separate guest.

Guidance:
Virtualization refers to a methodology of dividing the resources of a computer (hardware and software) into multiple execution environments. Virtualized environments are authorized for criminal justice and noncriminal justice activities.
The following are additional technical security control best practices and should be implemented wherever feasible:
1. Encrypt network traffic between the virtual machine and host.
2. Implement IDS and IPS monitoring within the virtual machine environment.
3. Virtually firewall each virtual machine from each other (or physically firewall each virtual machine from each other with an application layer firewall) and ensure that only allowed protocols will transact.
4. Segregate the administrative duties for the host.

Patch Management

CJIS Policy Requirement:
The agency shall identify applications, services, and information systems containing software or components affected by recently announced software flaws and potential vulnerabilities resulting from those flaws.
The agency (or the software developer/vendor in the case of software developed and maintained by a vendor/contractor) shall develop and implement a local policy that ensures prompt installation of newly released security relevant patches, service packs and hot fixes.
Local policies should include such items as:
1. Testing of appropriate patches before installation.
2. Rollback capabilities when installing patches, updates, etc.
3. Automatic updates without individual user intervention.
4. Centralized patch management.
Patch requirements discovered during security assessments, continuous monitoring or incident response activities shall also be addressed expeditiously.
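As an added example (not from the VMware guide or the CJIS Security Policy), the Python below checks a constructed virtual machine inventory against virtualization controls 2 and 3 above: audit logs stored outside the host's virtual environment, and Internet-facing VMs physically separate from VMs that process CJI internally. The inventory schema (host placement, Internet-facing flag, CJI flag, log target) is an assumption made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    log_target: str        # hostname the hypervisor ships its audit log to


@dataclass(frozen=True)
class VM:
    name: str
    host: str              # physical host the VM runs on
    internet_facing: bool  # web/portal server reachable from the Internet
    processes_cji: bool    # processes CJI internally
    log_target: str        # hostname the VM ships its audit log to


def vms_on(host_name, vms):
    """Names of the VMs running on the given physical host."""
    return {vm.name for vm in vms if vm.host == host_name}


def check_log_placement(vms, hosts):
    """Control 2: audit logs for all VMs and hosts are stored outside the
    host's virtual environment. Shipping logs to the host itself, to the VM
    itself, or to any VM on the same host keeps them inside that environment."""
    findings = []
    for host in hosts:
        inside = {host.name} | vms_on(host.name, vms)
        if host.log_target in inside:
            findings.append(
                f"control-2: host {host.name} keeps its audit log on "
                f"{host.log_target}, inside its own virtual environment")
    for vm in vms:
        inside = {vm.host} | vms_on(vm.host, vms)
        if vm.log_target in inside:
            findings.append(
                f"control-2: VM {vm.name} ships its audit log to "
                f"{vm.log_target}, inside host {vm.host}")
    return findings


def check_internet_separation(vms):
    """Control 3: Internet-facing VMs are physically separate from VMs that
    process CJI internally, so no single host may carry both roles and no
    single VM may hold both roles."""
    findings = []
    by_host = {}
    for vm in vms:
        by_host.setdefault(vm.host, []).append(vm)
        if vm.internet_facing and vm.processes_cji:
            findings.append(
                f"control-3: VM {vm.name} is Internet facing and processes CJI")
    for host_name in sorted(by_host):
        group = by_host[host_name]
        facing = sorted(v.name for v in group if v.internet_facing)
        internal = sorted(v.name for v in group
                          if v.processes_cji and not v.internet_facing)
        if facing and internal:
            findings.append(
                f"control-3: host {host_name} runs Internet-facing "
                f"{facing} alongside CJI-processing {internal}")
    return findings


def assess(vms, hosts):
    """Run both checks; an empty list for a control means it passed."""
    return {
        "log_placement": check_log_placement(vms, hosts),
        "internet_separation": check_internet_separation(vms),
    }


# Constructed sample inventory (hypothetical names, not real infrastructure).
SAMPLE_HOSTS = [
    Host("esx-dmz-01", "syslog-collector"),
    Host("esx-cji-01", "esx-cji-01"),        # logs to itself: finding
    Host("esx-mixed-01", "syslog-collector"),
]
SAMPLE_VMS = [
    VM("web-portal", "esx-dmz-01", True, False, "syslog-collector"),
    VM("api-gw", "esx-dmz-01", True, True, "syslog-collector"),   # dual role
    VM("ncic-query", "esx-cji-01", False, True, "logvm-01"),     # log VM on same host
    VM("logvm-01", "esx-cji-01", False, False, "syslog-collector"),
    VM("web-frontend", "esx-mixed-01", True, False, "syslog-collector"),
    VM("records-db", "esx-mixed-01", False, True, "syslog-collector"),
]

if __name__ == "__main__":
    for control, findings in assess(SAMPLE_VMS, SAMPLE_HOSTS).items():
        print(f"{control}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Against the sample inventory the script reports two control-2 findings and two control-3 findings; a real assessment would feed it an export from the inventory system instead of the constructed lists.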

Malicious Code Protection

CJIS Policy Requirement:
The agency shall implement malicious code protection that includes automatic updates for all systems with Internet access.
The agency shall employ virus protection mechanisms to detect and eradicate malicious code (e.g., viruses, worms, Trojan horses) at critical points throughout the network and on all workstations, servers and mobile computing devices on the network. The agency shall ensure malicious code protection is enabled on all of the aforementioned critical points and information systems and resident scanning is employed.

Guidance:
Agencies with systems not connected to the Internet shall implement local procedures to ensure malicious code protection is kept current (i.e. most recent update available).

Spam and Spyware Protection

CJIS Policy Requirement:
The agency shall implement spam and spyware protection.

Guidance:
The agency shall:
1. Employ spam protection mechanisms at critical information system entry points (e.g. firewalls, electronic mail servers, remote-access servers).
2. Employ spyware protection at workstations, servers and mobile computing devices on the network.
3. Use the spam and spyware protection mechanisms to detect and take appropriate action on unsolicited messages and spyware/adware, respectively, transported by electronic mail, electronic mail attachments, Internet accesses, removable media (e.g. diskettes or compact disks) or other removable media as defined in this Policy.

Personal Firewall

CJIS Policy Requirement:
A personal firewall shall be employed on all devices that are mobile by design (i.e. laptops, handhelds, personal digital assistants, etc.).

Guidance:
For the purpose of this Policy, a personal firewall is an application that controls network traffic to and from a user device, permitting or denying communications based on policy. At a minimum, the personal firewall shall perform the following activities:
1. Manage program access to the Internet.
2. Block unsolicited requests to connect to the user device.
3. Filter incoming traffic by IP address or protocol.
4. Filter incoming traffic by destination ports.
5. Maintain an IP traffic log.

Security Alerts and Advisories

CJIS Policy Requirement:
The agency shall:
1. Receive information system security alerts/advisories on a regular basis.
2. Issue alerts/advisories to appropriate personnel.
3. Document the types of actions to be taken in response to security alerts/advisories.
4. Take appropriate actions in response.
5. Employ automated mechanisms to make security alert and advisory information available throughout the agency as appropriate.

Guidance:
It is essential to keep current with security alerts/advisories to reduce the risk of known vulnerabilities being exploited.

Information Input Restrictions

CJIS Policy Requirement:
The agency shall restrict the information input to any connection to FBI CJIS services to authorized personnel only.

Guidance:
Restrictions on personnel authorized to input information to the information system may extend beyond the typical access controls employed by the system and include limitations based on specific operational/project responsibilities.

Policy Area 11: Formal Audits

CJIS Policy Requirement:
Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies.

Guidance:
Audits help ensure compliance is continuous.

Triennial Compliance Audits by the FBI CJIS Division

CJIS Policy Requirement:
The CJIS Audit Unit (CAU) shall conduct a triennial audit of each CSA in order to verify compliance with applicable statutes, regulations and policies. This audit shall include a sample of CJAs and, in coordination with the SIB, the NCJAs. Audits may be conducted on a more frequent basis if the audit reveals that an agency has not complied with applicable statutes, regulations and policies. The FBI CJIS Division shall also have the authority to conduct unannounced security inspections and scheduled audits of Contractor facilities.

Guidance:
The FBI CJIS Division is authorized to conduct audits, once every three (3) years as a minimum, to assess agency compliance with applicable statutes, regulations and policies.

Triennial Security Audits by the FBI CJIS Division

CJIS Policy Requirement:
The FBI CJIS Division is authorized to conduct security audits of the CSA and SIB networks and systems, once every three (3) years as a minimum, to assess agency compliance with the CJIS Security Policy. This audit shall include a sample of CJAs and NCJAs. Audits may be conducted on a more frequent basis if the audit reveals that an agency has not complied with the CJIS Security Policy.

Guidance:
Audits may be conducted on a more frequent basis if necessary.

Audits by the CSA

CJIS Policy Requirement:
Each CSA shall:
1. At a minimum, triennially audit all CJAs and NCJAs which have direct access to the state system in order to ensure compliance with applicable statutes, regulations and policies.
2. In coordination with the SIB, establish a process to periodically audit all NCJAs, with access to CJI, in order to ensure compliance with applicable statutes, regulations and policies.
3. Have the authority to conduct unannounced security inspections and scheduled audits of Contractor facilities.

Guidance:
CSAs should have an audit plan for all CJAs and NCJAs to ensure they are all audited triennially.

Special Security Inquiries and Audits

CJIS Policy Requirement:
All agencies having access to CJI shall permit an inspection team to conduct an appropriate inquiry and audit of any alleged security violations. The inspection team shall be appointed by the APB and shall include at least one representative of the CJIS Division. All results of the inquiry and audit shall be reported to the APB with appropriate recommendations.

Guidance:
Agencies should cooperate with inspection teams when they are on site.

Policy Area 12: Personnel Security

CJIS Policy Requirement:
This section's security terms and requirements apply to all personnel who have access to unencrypted CJI including those individuals with only physical or logical access to devices that store, process or transmit unencrypted CJI.

Guidance:
Having proper security measures against the insider threat is a critical component for the CJIS Security Policy.

Minimum Screening Requirements for Individuals Requiring Access to CJI

CJIS Policy Requirement:
1. To verify identification, a state of residency and national fingerprint-based record checks shall be conducted within 30 days of assignment for all personnel who have direct access to CJI and those who have direct responsibility to configure and maintain computer systems and networks with direct access to CJI. However, if the person resides in a different state than that of the assigned agency, the agency shall conduct state (of the agency) and national fingerprint-based record checks and execute a NLETS CHRI IQ/FQ/AQ query using purpose code C, E, or J depending on the circumstances. Federal entities bypassing state repositories in compliance with federal law may not be required to conduct a state fingerprint-based record check.

When appropriate, the screening shall be consistent with:
i. 5 CFR ; and/or
ii. Office of Personnel Management policy, regulations, and guidance; and/or
iii. agency policy, regulations, and guidance.
2. All requests for access shall be made as specified by the CSO. The CSO, or their designee, is authorized to approve access to CJI. All CSO designees shall be from an authorized criminal justice agency.
3. If a felony conviction of any kind exists, the hiring authority in the Interface Agency shall deny access to CJI. However, the hiring authority may ask for a review by the CSO in extenuating circumstances where the severity of the offense and the time that has passed would support a possible variance.
4. If a record of any other kind exists, access to CJI shall not be granted until the CSO or his/her designee reviews the matter to determine if access is appropriate.
5. If the person appears to be a fugitive or has an arrest history without conviction, the CSO or his/her designee shall review the matter to determine if access to CJI is appropriate.
6. If the person is employed by a NCJA, the CSO or his/her designee, and, if applicable, the appropriate board maintaining management control, shall review the matter to determine if CJI access is appropriate. This same procedure applies if this person is found to be a fugitive or has an arrest history without conviction.
7. If the person already has access to CJI and is subsequently arrested and or convicted, continued access to CJI shall be determined by the CSO. This does not implicitly grant hiring/firing authority with the CSA, only the authority to grant access to CJI.
8. If the CSO or his/her designee determines that access to CJI by the person would not be in the public interest, access shall be denied and the person's appointing authority shall be notified in writing of the access denial.
9. Support personnel, contractors, and custodial workers with access to physically secure locations or controlled areas (during CJI processing) shall be subject to a state and national fingerprint-based record check unless these individuals are escorted by authorized personnel at all times.
It is recommended individual background re-investigations be conducted every five years unless Rap Back is implemented.

Personnel Screening for Contractors and Vendors

CJIS Policy Requirement:
Contractors and vendors shall meet the following requirements:
1. Prior to granting access to CJI, the CGA on whose behalf the Contractor is retained shall verify identification via a state of residency and national fingerprint-based record check. However, if the person resides in a different state than that of the assigned agency, the agency shall conduct state (of the agency) and national fingerprint-based record checks and execute a NLETS CHRI IQ/FQ/AQ query using purpose code C, E, or J depending on the circumstances.
2. If a record of any kind is found, the CGA shall be formally notified and system access shall be delayed pending review of the criminal history record information. The CGA shall in turn notify the Contractor-appointed Security Officer.
3. When identification of the applicant with a criminal history has been established by fingerprint comparison, the CGA or the CJA (if the CGA does not have the authority to view CHRI) shall review the matter.
4. A Contractor employee found to have a criminal record consisting of felony conviction(s) shall be disqualified.
5. Applicants shall also be disqualified on the basis of confirmations that arrest warrants are outstanding for such applicants.
6. The CGA shall maintain a list of personnel who have been authorized access to CJI and shall, upon request, provide a current copy of the access list to the CSO.
Applicants with a record of misdemeanor offense(s) may be granted access if the CSO determines the nature or severity of the misdemeanor offense(s) do not warrant disqualification. The CGA may request the CSO to review a denial of access determination.

Guidance:
Personnel screening procedures help ensure information is accessed by individuals with integrity.

Personnel Termination

CJIS Policy Requirement:
The agency, upon termination of individual employment, shall immediately terminate access to CJI.

Guidance:
The prompt termination of access is essential to ensuring the long term protection of CJI.

Personnel Transfer

CJIS Policy Requirement:
The agency shall review CJI access authorizations when personnel are reassigned or transferred to other positions within the agency and initiate appropriate actions such as closing and establishing accounts and changing system access authorizations.

Guidance:
The prompt termination of access ensures confidentiality and integrity of information.

Personnel Sanctions

CJIS Policy Requirement:
The agency shall employ a formal sanctions process for personnel failing to comply with established information security policies and procedures.

Guidance:
The formal sanctions process should be presented during security awareness training.

Glossary of Terms

CSA - CJIS Systems Agency
The CSA is responsible for establishing and administering an information technology security program throughout the CSA's user community, to include the local levels. The head of each CSA shall appoint a CJIS Systems Officer (CSO). The CSA may impose more stringent protection measures than outlined in this document. (CJIS Policy 3.2.1 Page 5)

CSO - CJIS Systems Officer
The CSO is an individual located within the CSA responsible for the administration of the CJIS network for the CSA. Pursuant to the Bylaws for the CJIS Advisory Policy Board and Working Groups, the role of CSO shall not be outsourced. The CSO may delegate responsibilities to subordinate agencies.

SIB - State Identification Bureau

CJA - Criminal Justice Agency
A CJA is defined as a court, a governmental agency, or any subunit of a governmental agency which performs the administration of criminal justice pursuant to a statute or executive order and which allocates a substantial part of its annual budget to the administration of criminal justice. State and federal Inspectors General Offices are included. (CJIS Policy 3.2.4 Page 6)

TAC - Terminal Agency Coordinator
The TAC serves as the point-of-contact at the local agency for matters relating to CJIS information access. The TAC administers CJIS systems programs within the local agency and oversees the agency's compliance with CJIS systems policies. (CJIS Policy 3.2.3 Page 6)

NCJA - Non-Criminal Justice Agency
A NCJA is defined (for the purposes of access to CJI) as an entity or any subunit thereof that provides services primarily for purposes other than the administration of criminal justice. (CJIS Policy 3.2.5 Page 6)

CGA - Contracting Government Agency
A CGA is a government agency, whether a CJA or a NCJA, that enters into an agreement with a private contractor subject to the CJIS Security Addendum. The CGA entering into an agreement with a contractor shall appoint an agency coordinator. (CJIS Policy 3.2.6 Page 7)

AC - Agency Coordinator
An AC is a staff member of the CGA who manages the agreement between the Contractor and agency. The AC shall be responsible for the supervision and integrity of the system, training and continuing education of employees and operators, scheduling of initial training and testing, and certification testing and all required reports by NCIC. (CJIS Policy 3.2.7 Page 7)

CSA ISO - CJIS Systems Agency Information Security Officer
The CSA ISO shall serve as the security point of contact (POC) to the FBI CJIS Division ISO. (CJIS Policy 3.2.8 Page 7)

LASO - Local Agency Security Officer
Each LASO shall identify who is using the CSA approved hardware, software, and firmware and ensure no unauthorized individuals or processes have access to the same. (CJIS Policy 3.2.9 Page 8)

FBI CJIS ISO - FBI CJIS Division Information Security Officer
The FBI CJIS ISO shall maintain the CJIS Security Policy and disseminate the FBI Director approved CJIS Security Policy. (CJIS Policy 3.2.10 Page 8)

MCA - Management Control Agreement
The NCJA shall sign and execute a management control agreement (MCA) with the CJA, which stipulates management control of the criminal justice function remains solely with the CJA. (CJIS Policy Page 16)

CHRI - Criminal History Record Information
A subset of CJI. Any notations or other written or electronic evidence of an arrest, detention, complaint, indictment, information or other formal criminal charge relating to an identifiable person that includes identifying information regarding the individual as well as the disposition of any charges. (CJIS Policy A-3)

Wireless technologies refers to but not limited to: 802.11x, cellular networks, Bluetooth, satellite and microwave. (CJIS Policy 5.5.7 Page 32)

Authentication refers to mechanisms or processes that verify users are valid once they are uniquely identified. Authenticators are the something you know, something you are, or something you have part of the identification and authentication process. Examples of standard authenticators include passwords, tokens, biometrics, and personal identification numbers (PIN). (CJIS Policy Page 39)

Advanced Authentication is intended to meet the standards of two-factor authentication. Two-factor authentication employs the use of two of the following three factors of authentication: something you know (e.g. password), something you have (e.g. hard token), something you are (e.g. biometric). (CJIS Policy Page 40)

Electronic media refers to electronic storage media including memory devices in laptops and computers (hard drives) and any removable, transportable digital memory media, such as magnetic tape or disk, optical disk, flash drives, external hard drives, or digital memory card. (CJIS Policy Page 51)

Information Exchange may take several forms including electronic mail, instant messages, web services, facsimile, hard copy, and information systems sending, receiving and storing CJI. (CJIS Policy 5.1.1 Page 15)

ACLs are a register of users (including groups, machines, processes) who have been given permission to use a particular object (system resource) and the types of access they have been permitted. (CJIS Policy Page 30)

For the purposes of this Policy, a police vehicle is defined as an enclosed criminal justice conveyance with the capability to comply, during operational periods, with Section . (CJIS Policy Page 40)

Acknowledgements

VMware would like to recognize the efforts of the VMware Center for Policy & Compliance, VMware Partner Alliance, and the numerous VMware teams that contributed to this paper and to the establishment of the VMware Compliance Program. VMware would also like to recognize the Coalfire Systems Inc. VMware Team control interpretation described herein.

The information provided by Coalfire Systems and contained in this document is for educational and informational purposes only. Coalfire Systems makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein.

About Coalfire

Coalfire Systems is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington, D.C., and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire has developed a new generation of cloud-based IT GRC tools under the Navis brand that clients use to efficiently manage IT controls and keep pace with rapidly changing regulations and best practices. Coalfire's solutions are adapted to requirements under emerging data privacy legislation, CJIS v5.2, GLBA, FFIEC, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA. For more information, visit www.coalfire.com.
Disclaimer

*VMware solutions are designed to help organizations address various regulatory compliance requirements. This document is intended to provide general guidance for organizations that are considering VMware solutions to help them address such requirements. VMware encourages any organization that is considering VMware solutions to engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements. It is the responsibility of each organization to determine what is required to meet any and all requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide legal advice and is provided "AS IS". VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Nothing that you read in this document should be used as a substitute for the advice of competent legal counsel.


More information

TELSTRA CLOUD SERVICES CLOUD INFRASTRUCTURE PRICING GUIDE SINGAPORE

TELSTRA CLOUD SERVICES CLOUD INFRASTRUCTURE PRICING GUIDE SINGAPORE TELSTRA CLOUD SERVICES CLOUD INFRASTRUCTURE PRICING GUIDE SINGAPORE WELCOME TO TELSTRA CLOUD SERVICES Our cloud infrastructure solutions are made up of a combination of scalable cloud resources, including

More information

Getting Started with OpenStack and VMware vsphere TECHNICAL MARKETING DOCUMENTATION V 0.1/DECEMBER 2013

Getting Started with OpenStack and VMware vsphere TECHNICAL MARKETING DOCUMENTATION V 0.1/DECEMBER 2013 Getting Started with OpenStack and VMware vsphere TECHNICAL MARKETING DOCUMENTATION V 0.1/DECEMBER 2013 Table of Contents Introduction.... 3 1.1 VMware vsphere.... 3 1.2 OpenStack.... 3 1.3 Using OpenStack

More information

Using the vcenter Orchestrator Plug-In for Microsoft Active Directory

Using the vcenter Orchestrator Plug-In for Microsoft Active Directory Using the vcenter Orchestrator Plug-In for Microsoft Active Directory vcenter Orchestrator 4.1 This document supports the version of each product listed and supports all subsequent versions until the document

More information

EMC SYNCPLICITY FILE SYNC AND SHARE SOLUTION

EMC SYNCPLICITY FILE SYNC AND SHARE SOLUTION EMC SYNCPLICITY FILE SYNC AND SHARE SOLUTION Automated file synchronization Flexible, cloud-based administration Secure, on-premises storage EMC Solutions January 2015 Copyright 2014 EMC Corporation. All

More information

Backing Up the CTERA Portal Using Veeam Backup & Replication. CTERA Portal Datacenter Edition. May 2014 Version 4.0

Backing Up the CTERA Portal Using Veeam Backup & Replication. CTERA Portal Datacenter Edition. May 2014 Version 4.0 Backing Up the CTERA Portal Using Veeam Backup & Replication CTERA Portal Datacenter Edition May 2014 Version 4.0 Copyright 2009-2014 CTERA Networks Ltd. All rights reserved. No part of this document may

More information

Install Guide for JunosV Wireless LAN Controller

Install Guide for JunosV Wireless LAN Controller The next-generation Juniper Networks JunosV Wireless LAN Controller is a virtual controller using a cloud-based architecture with physical access points. The current functionality of a physical controller

More information

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx Configuring Single Sign-on from the VMware Identity Manager Service to WebEx VMware Identity Manager SEPTEMBER 2015 V 2 Configuring Single Sign-On from VMware Identity Manager to WebEx Table of Contents

More information

XTIVIA, Inc. Vicinity for Salesforce Installation Guide

XTIVIA, Inc. Vicinity for Salesforce Installation Guide XTIVIA, Inc. Vicinity for Salesforce Installation Guide Vicinity for Salesforce Our Mission XTIVIA, Inc. offers expertise in CRM applications, business process optimization, and Sales Consulting services

More information

Symantec Backup Exec Management Plug-in for VMware User's Guide

Symantec Backup Exec Management Plug-in for VMware User's Guide Symantec Backup Exec Management Plug-in for VMware User's Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

More information

Mobile Print/Scan Guide for Brother iprint&scan (Android )

Mobile Print/Scan Guide for Brother iprint&scan (Android ) Mobile Print/Scan Guide for Brother iprint&scan (Android ) Before You Use Your Brother Machine Definitions of Notes We use the following symbol and convention throughout this User's Guide: Tips icons indicate

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

StarWind iscsi SAN Software: Using StarWind with VMware ESX Server

StarWind iscsi SAN Software: Using StarWind with VMware ESX Server StarWind iscsi SAN Software: Using StarWind with VMware ESX Server www.starwindsoftware.com Copyright 2008-2010. All rights reserved. COPYRIGHT Copyright 2008-2010. All rights reserved. No part of this

More information

VMware vcloud Automation Center 6.0

VMware vcloud Automation Center 6.0 VMware 6.0 Reference Architecture TECHNICAL WHITE PAPER Table of Contents Overview... 4 Initial Deployment Recommendations... 4 General Recommendations... 4... 4 Load Balancer Considerations... 4 Database

More information

VMware vcenter Log Insight Developer's Guide

VMware vcenter Log Insight Developer's Guide VMware vcenter Log Insight Developer's Guide vcenter Log Insight 2.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Remote PC Guide Series - Volume 2b

Remote PC Guide Series - Volume 2b Document Version: 2013-09-06 R720 This guide provides hardware model-specific guidance in server configuration, with BIOS and RAID configuration instructions for the Dell R720. This guide is part of a

More information

vsphere Replication for Disaster Recovery to Cloud

vsphere Replication for Disaster Recovery to Cloud vsphere Replication for Disaster Recovery to Cloud vsphere Replication 5.8 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Integration and Automation with Lenovo XClarity Administrator

Integration and Automation with Lenovo XClarity Administrator Integration and Automation with Lenovo XClarity Administrator Extend Management Processes to Existing Ecosystems Lenovo Enterprise Business Group April 2015 2015 Lenovo. All rights reserved. Introduction

More information

VMware vcenter Log Insight Administration Guide

VMware vcenter Log Insight Administration Guide VMware vcenter Log Insight Administration Guide vcenter Log Insight 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

VMware vcloud Air - Disaster Recovery User's Guide

VMware vcloud Air - Disaster Recovery User's Guide VMware vcloud Air - Disaster Recovery User's Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

Configuring Single Sign-on from the VMware Identity Manager Service to Dropbox

Configuring Single Sign-on from the VMware Identity Manager Service to Dropbox Configuring Single Sign-on from the VMware Identity Manager Service to Dropbox VMware Identity Manager SEPTEMBER 2015 V1 Configuring Single Sign-On from VMware Identity Manager to Dropbox Table of Contents

More information

Setting up VMware ESXi for 2X VirtualDesktopServer Manual

Setting up VMware ESXi for 2X VirtualDesktopServer Manual Setting up VMware ESXi for 2X VirtualDesktopServer Manual URL: www.2x.com E-mail: [email protected] Information in this document is subject to change without notice. Companies, names, and data used in examples

More information

Virtual Appliance Setup Guide

Virtual Appliance Setup Guide Virtual Appliance Setup Guide 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective

More information

Cyber Security: Software Security and Hard Drive Encryption

Cyber Security: Software Security and Hard Drive Encryption Links in this document have been set for a desktop computer with the resolution set to 1920 x 1080 pixels. Cyber Security: Software Security and Hard Drive Encryption 301-1497, Rev A September 2012 Copyright

More information

Using TLS Encryption with Microsoft Outlook 2007

Using TLS Encryption with Microsoft Outlook 2007 Using TLS Encryption with Microsoft Outlook 2007 This guide is meant to be used with Microsoft Outlook 2007. While the instructions are similar, the menu layouts and options have changed since the previous

More information

vcenter Operations Management Pack for SAP HANA Installation and Configuration Guide

vcenter Operations Management Pack for SAP HANA Installation and Configuration Guide vcenter Operations Management Pack for SAP HANA Installation and Configuration Guide This document supports the version of each product listed and supports all subsequent versions until a new edition replaces

More information

Datacenter Management and Virtualization. Microsoft Corporation

Datacenter Management and Virtualization. Microsoft Corporation Datacenter Management and Virtualization Microsoft Corporation June 2010 The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the

More information

Drobo How-To Guide Drobo Apps - Configuring ElephantDrive

Drobo How-To Guide Drobo Apps - Configuring ElephantDrive The Drobo 5N provides simple and affordable network attached storage for the connected home or small office. ElephantDrive is a cloud-based service that provides real-time protection of all, or a subset

More information

Virtualization and cloud computing monitoring

Virtualization and cloud computing monitoring Virtualization and cloud computing monitoring Virtualization and cloud computing monitoring OpenOffice/PDF Version 1º Edition, 14 February 2011 Artica Soluciones Tecnológicas 2005 2011 1 MONITORING AMAZON

More information

VMware vrealize Automation

VMware vrealize Automation VMware vrealize Automation Reference Architecture Version 6.0 or Later T E C H N I C A L W H I T E P A P E R J U N E 2 0 1 5 V E R S I O N 1. 5 Table of Contents Overview... 4 What s New... 4 Initial Deployment

More information

SUREedge Software Appliance (vmware) Installation Guide

SUREedge Software Appliance (vmware) Installation Guide SUREedge Software Appliance (vmware) Installation Guide Thank you for choosing SUREedge This guide describes the procedure to obtain and install SUREedge software appliance on a vmware server. The steps

More information

Drobo How-To Guide. Deploy Drobo iscsi Storage with VMware vsphere Virtualization

Drobo How-To Guide. Deploy Drobo iscsi Storage with VMware vsphere Virtualization The Drobo family of iscsi storage arrays allows organizations to effectively leverage the capabilities of a VMware infrastructure, including vmotion, Storage vmotion, Distributed Resource Scheduling (DRS),

More information

Virtual Dashboard for VMware and Hyper-V

Virtual Dashboard for VMware and Hyper-V Virtual Dashboard for VMware and Hyper-V USER MANUAL Steelgate Technologies, February 2015, all rights reserved. All trademarks are the property of their respective owners. Features and specifications

More information

vsphere Replication for Disaster Recovery to Cloud

vsphere Replication for Disaster Recovery to Cloud vsphere Replication for Disaster Recovery to Cloud vsphere Replication 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Managing Multi-Hypervisor Environments with vcenter Server

Managing Multi-Hypervisor Environments with vcenter Server Managing Multi-Hypervisor Environments with vcenter Server vcenter Server 5.1 vcenter Multi-Hypervisor Manager 1.0 This document supports the version of each product listed and supports all subsequent

More information

VMware vcenter Configuration Manager SQL Migration Helper Tool User's Guide vcenter Configuration Manager 5.6

VMware vcenter Configuration Manager SQL Migration Helper Tool User's Guide vcenter Configuration Manager 5.6 VMware vcenter Configuration Manager SQL Migration Helper Tool User's Guide vcenter Configuration Manager 5.6 This document supports the version of each product listed and supports all subsequent versions

More information

FXLoader Cloud Service Deployment Guide

FXLoader Cloud Service Deployment Guide Version: FXLoader Cloud Service Deployment Guide www.fxloader.com Copyright 2002-2015 FXLoader - Care I.T. Services Ltd. All Rights Reserved Version: Contents INTRODUCTION DEPLOYMENT GUIDE Overview Audience

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

Product Guide Addendum. SafeWord Check Point User Management Console Version 2.1

Product Guide Addendum. SafeWord Check Point User Management Console Version 2.1 Product Guide Addendum SafeWord Check Point User Management Console Version 2.1 Copyright 2005 Secure Computing Corporation. All rights reserved. No part of this publication may be reproduced, transmitted,

More information

Business Process Desktop: Acronis backup & Recovery 11.5 Deployment Guide

Business Process Desktop: Acronis backup & Recovery 11.5 Deployment Guide WHITE Deployment PAPERGuide Business Process Desktop: Acronis backup & Recovery 11.5 Deployment Guide An Acronis White Paper Copyright Acronis, Inc., 2000 2011 Deployment Guide Table of contents About

More information

THE BLUENOSE SECURITY FRAMEWORK

THE BLUENOSE SECURITY FRAMEWORK THE BLUENOSE SECURITY FRAMEWORK Bluenose Analytics, Inc. All rights reserved TABLE OF CONTENTS Bluenose Analytics, Inc. Security Whitepaper ISO 27001/27002 / 1 The Four Pillars of Our Security Program

More information

Copyright 2013 wolfssl Inc. All rights reserved. 2

Copyright 2013 wolfssl Inc. All rights reserved. 2 - - Copyright 2013 wolfssl Inc. All rights reserved. 2 Copyright 2013 wolfssl Inc. All rights reserved. 2 Copyright 2013 wolfssl Inc. All rights reserved. 3 Copyright 2013 wolfssl Inc. All rights reserved.

More information

MTP. MTP AirWatch Integration Guide. Release 1.0

MTP. MTP AirWatch Integration Guide. Release 1.0 MTP MTP AirWatch Integration Guide Release 1.0 FireEye and the FireEye logo are registered trademarks of FireEye, Inc. in the United States and other countries. All other trademarks are the property of

More information

Deploying Dell OpenManage Server Administrator on VMware ESXi Using Dell Online Depot and VMware Update Manager

Deploying Dell OpenManage Server Administrator on VMware ESXi Using Dell Online Depot and VMware Update Manager Deploying Dell OpenManage Server Administrator on VMware ESXi Using Dell Online Depot and VMware Update Manager July 2013 Deepti Madhu Krishnaprasad K Deploying Dell OpenManage Server Administrator on

More information

Mobile App User's Guide

Mobile App User's Guide Mobile App User's Guide Copyright Statement Copyright Acronis International GmbH, 2002-2012. All rights reserved. "Acronis", "Acronis Compute with Confidence", "Acronis Recovery Manager", "Acronis Secure

More information

Cloud Attached Storage

Cloud Attached Storage Performing a Bare-Metal Restore Cloud Attached Storage January 2014 Version 4.0 Copyright 2009-2014 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by

More information

Drobo How-To Guide. Cloud Storage Using Amazon Storage Gateway with Drobo iscsi SAN

Drobo How-To Guide. Cloud Storage Using Amazon Storage Gateway with Drobo iscsi SAN The Amazon Web Services (AWS) Storage Gateway uses an on-premises virtual appliance to replicate a portion of your local Drobo iscsi SAN (Drobo B1200i, left below, and Drobo B800i, right below) to cloudbased

More information

NovaBACKUP Virtual Dashboard

NovaBACKUP Virtual Dashboard NovaBACKUP Virtual Dashboard User Manual NovaStor / April 2015 2015 NovaStor, all rights reserved. All trademarks are the property of their respective owners. Features and specifications are subject to

More information

SQL Express to SQL Server Database Migration MonitorIT v10.5

SQL Express to SQL Server Database Migration MonitorIT v10.5 SQL Express to SQL Server Database Migration MonitorIT v10.5 (v10.5) March 2013 www.goliathtechnologies.com Legal Notices MonitorIT v10.5 Installation Guide Inc. All rights reserved. www.goliathtechnologies.com

More information

Advanced Service Design

Advanced Service Design vcloud Automation Center 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions

More information

Enterprise Manager. Version 6.2. Installation Guide

Enterprise Manager. Version 6.2. Installation Guide Enterprise Manager Version 6.2 Installation Guide Enterprise Manager 6.2 Installation Guide Document Number 680-028-014 Revision Date Description A August 2012 Initial release to support version 6.2.1

More information

VMware Auto Deploy GUI. VMware Auto Deploy Gui 5.0 Practical guide

VMware Auto Deploy GUI. VMware Auto Deploy Gui 5.0 Practical guide VMware Auto Deploy Gui 5.0 Practical guide Introduction The scope of this document is to demonstrate how to configure and use the Auto Deploy GUI to manage stateless ESXi environments. 2012 VMware, Inc.

More information

Personal Secure Email Certificate

Personal Secure Email Certificate Entrust Certificate Services Personal Secure Email Certificate Enrollment Guide Software version: 10.5 Date of Issue: May 2012 Document issue: 1.0 Copyright 2010-2012 Entrust. All rights reserved. Entrust

More information