Today's Presenters: Doug Blenman Jr., Steven Doggart
How to Comply with FBI CJIS Security Policy
Before we get started
Introductions:
  Doug Blenman Jr., Public Safety Product Manager
  Steven Doggart, Sr. Software Developer
Goals for this webinar:
  Overview of compliance challenges
  Outline versions and key CJIS Security Policies
  Preview some upcoming CJIS Security Policy changes
  Demonstrate how IDN Security helps you to comply
  Questions and Answers
Final Housekeeping Items:
  Special word of thanks to Robert Turner of CommSys
  This PowerPoint & the recording of this session will be made available via our website afterwards.
FBI CJIS Security Policies
Complying can be very challenging and complex:
  Requires a team effort & coordination with IT staffs
  Hardware & software providers
  VPNs to manage
  Network providers
  Administration
  Continual training
  Complex passwords
Plus constantly changing:
  Technologies
  Networks
  Rules
CJIS Policy Versions
Where to find the current version:
  Release 5.1 - 7/13/12 - 141 pages
  Google "FBI CJIS Security Policy"
  PDF Version - bottom of the page
Upcoming Version:
  Advisory Policy Board (APB) Meeting took place June 5-6, 2013 in Portsmouth, VA
  Potential major changes may be pending as a result
  Release 5.2 is pending (this fall?)
http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view
Important v5.1 Policies
5.6.2.1 Standard Authentication (Password)
Agencies shall follow the secure password attributes, below, to authenticate an individual's unique ID. Passwords shall:
1. Be a minimum length of eight (8) characters on all systems.
2. Not be a dictionary word or proper name.
3. Not be the same as the user ID.
4. Expire within a maximum of 90 calendar days.
5. Not be identical to the previous ten (10) passwords.
6. Not be transmitted in the clear outside the secure location.
7. Not be displayed when entered.
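Items 1 through 5 of 5.6.2.1 are the ones a password-change routine can check directly. The sketch below is an added example, not code from the presentation or from ID Networks; the word list, the PBKDF2-based history storage, the iteration count and all function names are assumptions.

```python
import hashlib
import hmac
import os
from datetime import date

MIN_LENGTH = 8        # item 1
MAX_AGE_DAYS = 90     # item 4
HISTORY_DEPTH = 10    # item 5
ITERATIONS = 100_000  # example value (assumption); tune for your hardware
# Constructed stand-in for a real dictionary / proper-name list (assumption).
WORDLIST = {"password", "sunshine", "baseball", "michael", "jennifer"}


def hash_password(password, salt=None):
    """Return (salt, digest) so history is kept without storing plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def violations(user_id, candidate, history):
    """List the 5.6.2.1 items (1, 2, 3, 5) that a proposed password breaks.

    history: (salt, digest) pairs, oldest first, as made by hash_password.
    """
    found = []
    if len(candidate) < MIN_LENGTH:
        found.append("1: shorter than eight characters")
    if candidate.lower() in WORDLIST:
        found.append("2: dictionary word or proper name")
    # Case-insensitive comparison is a conservative choice (assumption).
    if candidate.lower() == user_id.lower():
        found.append("3: same as the user ID")
    # Each stored entry has its own salt, so re-hash the candidate per entry.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            found.append("5: identical to one of the previous ten passwords")
            break
    return found


def is_expired(last_changed, today):
    """Item 4: the password must have expired by calendar day 90."""
    return (today - last_changed).days >= MAX_AGE_DAYS
```

Items 6 and 7 concern transport and on-screen display, so they are enforced by the channel and the login form rather than by a validator like this.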
v5.1 continued
5.6.2.2 Advanced Authentication
Advanced Authentication (AA) provides for additional security to the typical user identification and authentication of login ID and password, such as: biometric systems, user-based public key infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens, or Risk-based Authentication that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (i.e. device forensics, user pattern analysis and user binding), user profiling, and high-risk challenge/response questions.
5.9.1.3 Physical Access Control
The agency shall control all physical access points (except for those areas within the facility officially designated as publicly accessible) and shall verify individual access authorizations before granting access.
CJIS Policy Update
Highlights of the June 5-6, 2013 Meetings:
1. Advanced Authentication (AA) was overhauled
  Agency issued equipment may end up being considered exempt
  Mobile Device Management (MDM) will be required
2. The decision about cruisers being considered secure environments was reversed so long as the laptops are FIXED within the vehicle (meaning it is not removable by an officer).
3. A new document was introduced (NIST 800-53 Rev. 4 which was publicly issued on May 7, 2013) & stands to have long-reaching effects on the approaches and requirements.
Reminder - these changes aren't policy yet!!!
ID Networks Software
This newer version of our security system that we're about to demonstrate has already been integrated into all of our product lines. We are in the process of scheduling or delivering this version to all customers at this time. Anyone using the latest version of our CAD or Mobile software already has it. Please check with your account or project manager for more information if there are any questions.
There are many new parts to the security subsystem, but we're only going to be touching on the ones that help you to comply with the CJIS Security Policies. For additional information about additional parts, please contact your project or account managers.
We are committed to using the right partners, like CommSys and NetMotion, so that we can bring together the right blend of expertise and technology.
Now, let's turn it over to Steve for a live demonstration of some of these settings.
Password Settings
2 Factor Login Screen
Require Tokens
Creating New Tokens
Assigning Tokens
Login Attempts
Wrap Up
Any questions about today's presentation?
Thank you for attending!
Doug Blenman Jr. dblenman@idnetworks.com (440) 536-0189
Steven Doggart sdoggart@idnetworks.com (800) 982-0751
www.idnetworks.com