In Microsoft's continuous effort to provide resources and guidance to agencies to help them meet their CJIS regulatory requirements, Microsoft collaborated with Alan Ferretti, CJIS Security Analyst and Subject Matter Expert of the CJIS ACE Division at Diverse Computing and former CJIS Information Security Officer (ISO), to ponder the following question: "What is a CJIS Technical Audit like and what should an agency do to prepare for one?" With many years of experience, Alan provided an insightful, detailed answer that is important to share. He has been involved in thousands of agency audits, both conducting audits and being audited several times by the FBI Audit Staff as the Texas CJIS System Agency ISO. And, as one would expect, some audits were compliant and some were found noncompliant.
Insights from our discussion
The key to a successful agency audit is founded on preparation, which breaks down into three areas. First and foremost, the agency should have a binder with documentation for the technical audit. Secondly, the appropriate people need to be in the room during the audit. And lastly, each attendee should know which questions they are responsible for answering. If these three simple things are prepared, you will have a successful audit.
The technical audit binder is updated throughout the three-year cycle between audits. It should include items such as the agency standard operational procedures (required in the Policy) for disposal of media that contains Criminal Justice Information (CJI), the agency incident response plan, the security alert and advisory process, account management processes, policy governing the use of personally owned devices to access CJI, personnel sanctions procedures, and other information that may be required in the CJIS Security Policy. Another important component is the fully executed Security Addendum for each vendor company the agency uses to help process CJI. The binder should also contain a copy of the fully executed Management Control Agreement (MCA) for each governmental agency that supports the Law Enforcement agency with access to Criminal Justice Information.
As a critical requirement of the Policy, proof that everyone with access to CJI has been fingerprinted and has completed Security Awareness training should also be contained in the binder. In the case of vendors, each person with access to CJI should also have a Security Addendum certification page. In addition, a current network diagram and a copy of (or pointer to) the NIST FIPS encryption certificates should also be included. The binder might overflow into two or three, but it is important to keep each section labeled for easy reference during the audit.
Having the right people in the room for the audit is nearly as important as the documentation. The Terminal Agency Coordinator (TAC) should lead the audit for the agency. Supporting the TAC, the Local Agency Security Officer (LASO) and the Information Technology (IT) support manager should also attend. The Chief or Sheriff is not required to be present, but it is helpful if they have someone attend to represent them.
The agency will be assessed on compliance with each of the "shall" statements in the Policy. These are extracted for your use and can be found on the FBI CJIS website in the Requirements Document. The TAC, LASO, and IT manager should review the list in the Requirements Document prior to the audit and assign one person to answer each item. Proper preparation can improve the audit for all parties involved. There should never be a disagreement during the audit among the agency participants. All discrepancies should be resolved ahead of time, and the participants should know what answers will be given and by whom.
All software on all systems should be current versions and include anti-virus software. As an auditor, Alan indicated he could always count on finding a computer off to the side with the power off but connected to the network ready to be used as a backup device. Frequently, it would be years behind on updates. Another often forgotten device when it comes to updates is the Mobile Device Terminal (MDT) in a vehicle. And it goes without saying that none of the technology in use and shown on the network diagram should be at or beyond end-of-life.
If you are using Microsoft Cloud, there are two resources you should be aware of. The first is the CJIS Implementation Guidelines, which documents the items Microsoft is responsible for towards compliance and lists the agency responsibilities. Use this to validate you have met your responsibilities towards compliance. The second resource is the Microsoft Employee Adjudication site. This site contains the fingerprint status of all the Microsoft employees with potential access to CJI and contains their Security Addendum Certification pages. Microsoft employees with access to CJI take CJIS Security Awareness training using Peak Performance's CJIS Online training, and results and test data are available to the agency.
In summary, a CJIS Technical Audit is nothing to be feared. It is comforting to know your agency is compliant, and if not, it's important to know what findings need to be addressed. Prepare for the audit, have the binder ready and keep it updated as changes happen during the triennium. During the audit, respond to the questions that are asked, but don't deviate or offer more information than required by the auditor's questions. It is critically important to always be truthful in the responses. Watch for the simple things that you take for granted. Better yet, take nothing for granted.
About Alan Ferretti
Alan Ferretti is a CJIS Security Analyst and Subject Matter Expert of the CJIS ACE Division at Diverse Computing (www.diversecomputing.com). He retired as the CJIS Information Security Officer for the State of Texas after 13 years of service. He was also the Chairman of the Advisory Policy Board CJIS Security and Access Subcommittee (the group that originates and vets changes to the CJIS Security Policy). Contact Alan directly at email@example.com or (850) 656-3333 ext. 293.