Police Technology for Maintaining CJIS Compliance

When it comes to police technology, security is a major concern. Law enforcement officers at every level handle sensitive data daily, which places them at increased risk for cyberattacks. Furthermore, police departments must adhere to stringent regulations and requirements to maintain access to federal databases.

My colleague Marcus Claycomb, Panasonic Connect’s mobility business development manager, drove this point home by citing a recent security breach at the United States Secret Service.

Wes Dobry, principal engineer at Eclypsium, also pointed out that these attacks come in many forms, from “ransomware attacks, data exfiltration, or data collection.”

To combat these threats, the FBI’s Criminal Justice Information Systems (CJIS) Division has updated the requirements for access to its database. With both 2023 and 2024 updates to consider, it’s important for departments to employ law enforcement technology solutions equipped with the highest levels of security to ensure CJIS compliance.

October 2023 Police Technology Requirements

In October 2023, the FBI made major changes to its requirements about hardware and firmware security. Until recently, organizations have focused their security on the areas where users usually interact. And while safeguards such as antivirus programs and secure login policies address these user interactions, vulnerability still remains in the hardware itself.

SI-7 Software, Firmware, and Information Integrity

Because an attack on firmware lives on the device itself, it is more persistent than a software issue. “Whether we change the hard drive, wipe and replace the operating system — anything up to completely replacing the machine — it’s going to reinfect our network,” Dobry explained.

This persistence translates to huge impact. Instead of losing the device for, say, four hours, you risk up to two weeks of downtime while finding a physical replacement.

CJIS addresses this issue in Section SI-7 Software, Firmware, and Information Integrity. Put simply, the requirement ensures that departments perform validity checks on their hardware and firmware.

Challenges with Validity Checks on Police Technology

Validity checks are more complicated than simply looking at a police laptop to see if it has been tampered with. Is the firmware validated, verified, and known to be good? Has everything been verified on the BIOS level? How can you be sure your police technology is truly secure?

TOUGHBOOK services such as Last Mile Deployment help by augmenting existing IT resources with Panasonic Connect experts during the final steps of your deployment, and Staff Augmentation provides longer term IT support. But how can you validate your security even when there aren’t experts on site?

TOUGHBOOK and Absolute: Making Security Easy

Security apps offer one solution for monitoring and ensuring the security of devices. However, not all security apps are created equal, and the effectiveness of most of them degrades measurably over time. There are multiple reasons for this:

  • Re-imaging can lead to agents not being re-installed.
  • Critical files can be corrupted during third-party app installation.
  • End users may disable apps (either unintentionally or to achieve better device performance).
  • Outside actors (hackers) may target and disable apps. 

With these challenges in mind, TOUGHBOOK partners with Absolute, which is uniquely situated on TOUGHBOOK devices by being embedded into both hardware and software, as opposed to existing on the network or cloud. Some of the benefits provided by this partnership include: 

  • Secure access and factory installation
  • BIOS-enabled persistence
  • Unbreakable endpoint connection
  • Self-healing capabilities (even if BIOS is flashed)

This partnership mitigates the risk of human error and minimizes degradation issues. And by providing better insights and control, organizations can easily verify that their devices remain secure and CJIS-compliant.

October 2024 Police Technology Requirements

To maintain CJIS compliance in 2024, departments will need to assess how end users access their devices. Multi-factor authentication (MFA) will be a requirement, and some processes that formerly met MFA requirements will no longer be sufficient. For instance, unlocking devices with usernames/passwords will not be enough. It’s going to be a little more tedious for the users, but at the same time, it’s going to make everything more secure.

What Counts as MFA?

Any device that connects to the CJIS database will need phishing-resistant MFA. This means the method does not rely on push authentications like text messages or app-generated codes. To qualify as phishing-resistant, an MFA method must meet the physical object requirement and one of the two additional requirements:

  • Physical object: A physical object the user needs to access their device. Examples include smartcards, keys, and badges.
  • Knowledge: A unique piece of information specific to each user, such as a PIN or password.
  • Biometrics: A physical trait used to verify the identity of the end user. Biometrics include fingerprints and facial scans.

As of October 1, 2024, only devices that meet this threshold will be allowed CJIS access.

How TOUGHBOOK Makes MFA Easy

TOUGHBOOK devices are designed to work in any situation. That includes being easily configurable so that they can meet the specific needs of any agency. In addition to built-in features, TOUGHBOOK also has numerous xPAK options available to facilitate adaptation and personalization, allowing departments to update their tech without needing new devices and eliminating worries about obsolescence.

Examples of how TOUGHBOOK xPAKs can aid CJIS compliance include: 

  • Physical: xPAKs are available for contact smartcard readers and HF RFID contactless readers. Each card can be programmed for one specific user with that user’s info stored on the card. Cards can also be used for more than just device access (e.g., as a photo ID), eliminating the need for users to carry multiple cards.

  • Biometric: TOUGHBOOK devices come standard with support for Windows Hello verification, as well as the infrared cameras needed for advanced facial recognition. xPAKs are also available for fingerprint recognition, where user info is stored either in an agency’s Active Directory (AD) or in an LDAP structure. For added security, there are also secure core readers that store user info on their individual TOUGHBOOK devices, eliminating the need for database storage.

Trusted Partners Help Achieve CJIS Compliance

Ensuring departments can meet CJIS compliance is a challenge, but it’s also an opportunity. Police technology security is vitally important. Working with a partner like Panasonic Connect simplifies things with law enforcement solutions that offer the high level of security that departments need. This lets everyone get the most out of their tech while enjoying the peace of mind that comes from knowing it will remain secure and CJIS compliant.

For more information about CJIS requirements, see the full webinar on demand.