Firming Up Firmware Integrity for CJIS Compliance
The FBI’s Criminal Justice Information Services Division (CJIS) is responsible for maintaining multiple criminal justice information databases and services. From biometric identification tools (NGI) to nationwide criminal history record information, CJIS maintains data that is vital for law enforcement agencies across the nation. But to access the vital resources CJIS offers, and to protect our national security from nefarious actors, it is imperative police departments maintain CJIS compliance.
That can sometimes be easier said than done.
Threats to information and operational technology are constantly evolving, jeopardizing law enforcement’s ability to meet their mission critical operations. To combat these threats, the Advisory Policy Board (APB), through the FBI CJIS Division, regularly updates security requirements for accessing CJIS data. For police departments with limited IT resources, keeping up with updates can be a challenge. This is where Panasonic Connect’s Smart Compliance, powered by Eclypsium, comes into play. Smart Compliance is designed to simplify firmware integrity and support CJIS compliance. This solution ensures that police departments can focus on their mission-critical responsibilities without compromising security by monitoring CJIS networks and devices for unauthorized firmware changes and potential security breaches. Choosing the right technology partner is pivotal in maintaining the integrity and security of law enforcement operations.
Why Firmware Matters to CJIS Compliance
In December of 2022, CJIS Security Policy (CJISSECPOL) version 5.9.2 added a new section for system requirements. Policy area 5.15 is now dedicated to System and Information Integrity (SI). SI-7 Software, Firmware, and Information Integrity expands security focus beyond hardware and software and into firmware. Specifically, the most updated language calls for:
- Integrity checks: Regularly verify device software, firmware, and information systems for unauthorized changes using integrity checks.
- Integration of Detection and Response: Having a system in place to respond when unauthorized changes are found. Specifically, this section requires that any such events are “tracked, monitored, corrected, and available for historical purposes.”
As of October 2023, these requirements are CJIS auditable and if devices and systems do not meet these requirements, departments risk ongoing sanctions through the APB.
Differences From Previous CJIS Requirements
Prior to SI-7, CJIS primarily focused on ensuring software and device security through tools like antivirus/malware scans or more advanced techniques such as Endpoint Detection and Response (EDR) or Endpoint Protection Platform (EPP).
However, the lack of focus on firmware left a significant vulnerability on end-user devices and network appliances. When a device’s firmware is compromised, it poses significant vulnerabilities to CJIS data, including:
- Threats living on the devices themselves, making them more persistent and challenging to address.
- Solutions that take longer and generally mean losing access to affected devices, leading to major operational disruptions.
- Security tools such as EDR or EPP are not equipped to combat these threats, as they only focus on identifying the version of firmware, not unauthorized changes to the firmware.
SI-7 was added to address these important security issues. However, for many departments, SI-7 poses a challenge as to how to maintain CJIS compliance without a major technology overhaul.
Panasonic Connect’s Smart Compliance Safeguards Police Technology
Recognizing that police departments often struggle with limited IT resources, Panasonic Connect’s Smart Compliance, offers a robust solution. This advanced system monitors CJIS networks for unauthorized firmware changes, ensuring compliance and continuous data access.
Smart Compliance offers numerous benefits for departments:
- No specialized knowledge is required to implement.
- Seamlessly ensures a device or networks firmware integrity without impacting performance.
- Generates the necessary reporting to prove CJIS compliance when a CJIS audit is scheduled.
Smart Compliance safeguards law enforcement technology so agencies can be confident that their devices are compliant with CJISSECPOL firmware integrity requirements.
How Smart Compliance Works
To effectively combat firmware threats, it’s crucial to understand their primary targets. These threats tend to target one of three areas:
- High value laptops: Laptops serve as a great mobile tool as they bring great computing capacity and capability to any environment. This mobility also makes them a vulnerable target when used in untrusted environments and less than secure networks.
- Critical servers: Servers contain a number of complex components which can be targeted. A compromised server can facilitate data theft, enable attackers to lie in wait, or disrupt user access.
- Network and security: By attacking networking appliances, attackers can move laterally within your system and avoid easy detection. In fact, they can even target network controls dedicated to security, compromising the very tools meant to protect.
Understanding potential threats is only the beginning. By utilizing the most comprehensive database of firmware definitions, Panasonic’s Smart Compliance compliments existing systems of critical security controls to protect your devices against threats:
- Asset inventory: Building an extensive inventory of all IT infrastructure allows departments to easily check for unauthorized changes on the hardware, firmware, and software levels. This inventory also allows for better assessment of the inherent risks associated with different IT products.
- Vulnerability management: Once vulnerabilities are understood, hardening the most vulnerable points in an infrastructure mitigates risk. And as insight is gained and compliance issues are updated, regular firmware updates are implemented to ensure continued security and compliance.
- Threat detection and response: Devices are validated that they have not been tampered with and have authentic components, securing the threat to supply chains. Advanced threat detection extends even to threats capable of evading EDR.
Smart Compliance assists in keeping law enforcement agencies CJIS compliant. It also ensures seamless device operation, extends device lifespan for cost savings, and provides insight into product vulnerabilities for smarter IT procurement decisions.
TOUGHBOOK and Future CJIS Compliance Requirements
While CJIS security policy 5.9.2 introduced section SI-7, that is not the only update to CJIS compliance requirements that departments need to know. There are additional cybersecurity-focused requirements necessary prior to October 2024. Specifically, the auditable requirement for agencies to employ multi-factor authentication (MFA). CJISSECPOL 5.9.2. states, “Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric).”
Panasonic TOUGHBOOK® devices come standard with integrated infrared cameras essential for facial recognition. Additionally, TOUGHBOOK devices offer an innovative feature: xPaks (expansion packs) that allow for customization. These xPaks include insertable smartcard readers, contactless HF RFID card readers, and fingerprint scanners (including an Active Directory capable version), ensuring that every device can meet new MFA requirements and remain CJIS compliant.
Smart Compliance Eases Police Technology Concerns
Police technology, like TOUGHBOOK laptops and tablets, is engineered to be available whenever and wherever mission critical duties require. For this technology to be effective, users must trust that their devices are secure. Ensuring device and CJI security transcends mere CJIS compliance—it’s crucial for fulfilling an agency’s mission-critical responsibilities effectively.
Panasonic Connect understands this need and equips police departments with the necessary resources to achieve and uphold CJI security across all their devices. Visit our website to learn more about Smart Compliance.
