CJDN Network Security
Version: 04/17/2017
Document Number: MNJIS-5002
Distribution: BCA

Policy Statement / Objective:

The Bureau of Criminal Apprehension’s (BCA) Minnesota Justice Information Services (MNJIS) operates the Criminal Justice Data Communications Network (CJDN) so that authorized agencies can retrieve criminal justice information (CJI) in order to perform their duties. The purpose of this policy is to help those authorized agencies comply with both the current FBI CJIS Security Policy (CSP) and this Bureau of Criminal Apprehension (BCA) MNJIS CJDN Network Security Policy 5002. The CSP provides the minimum level of information technology (IT) security requirements acceptable for the transmission, processing, and storage of the nation's Criminal Justice Information System (CJIS) data. These requirements are necessary to establish uniformity and consistency in safeguarding CJI which is accessed via networks throughout the federal, state, and local user communities.

The primary intent of this policy is to clarify certain sections of the CSP so that it is easier for agencies to be in compliance and to set statewide standards regarding the security and movement of CJI within Minnesota.

Any security controls listed in this policy that are more restrictive than the CSP will be clearly stated (they are highlighted with bold and italics).

Definitions:

Many of the terms used in this policy are defined in the CSP and so are not defined in this document. Additional defined terms are found below.

Authorized agency: a government agency authorized by the BCA to have access to BCA and FBI resources and that has a valid joint powers agreement or other contract executed by it and the BCA.

BCA: The CJIS Systems Agency (CSA) and State Identification Bureau (SIB) for Minnesota.

CJI Environment: an authorized agency’s isolated infrastructure where CJI passes, is accessed, and/or stored. This includes, but is not limited to, network switches, routers, firewalls, workstations, servers, and virtual environments.

CJIS Systems Officer (CSO): the BCA employee responsible for the administration of the system that makes it possible to send and retrieve CJI.

Criminal Justice Data Communications Network (CJDN): For statutorily authorized users, the CJDN is a connectivity method that has been approved by the BCA.

Criminal Justice Information (CJI): Criminal Justice Information is the abstract term used to refer to all data from systems containing, integrated with, or derived from data in the FBI CJIS repositories and also includes data contained in, integrated with or derived from data maintained in BCA repositories and that are necessary for authorized agencies to perform their work.

Foreign network: any network or network connection procured only by a Local Agency that has access to the CJDN.

Local Agency: any Minnesota agency, including federal agencies that serve part or all of Minnesota, authorized to access the CJDN.

MNJIS Terminal: any device used by a Local Agency to connect to the CJDN to retrieve CJI. Examples of a MNJIS Terminal include, but are not limited to, a desktop computer, laptop, tablet, and cellular telephone.

Mobile Devices – any portable device used to access CJI via a wireless connection. Examples of mobile devices are smart phones, cellular phones transmitting CJI, laptops and tablets and other portable equipment which can easily be moved from one location to another.

Non-Physically Secure Location - a non-physically secure location is any area that does not fall under the definition of a Physically Secure Location.

Occasional Unescorted Access is the infrequent access needed for a task in a Physically Secure Location. Examples are maintaining vending machines and watering plants.

Physically Secure Location: a facility, an area, a room, or a group of rooms that have the physical and personnel security controls sufficient to protect CJI and the associated information system subject to the authorized agency’s management and control. Specific information on squad cars and physical security is found on page 6.

Public Key Infrastructure (PKI) – algorithms and encryption that use key pairs to secure CJI whether in transit or at rest.

Wireless Technology is the transmission of voice and/or data communications via radio frequencies.

Policy:

This policy addresses the secure operation of computers, access devices, circuits, hubs, routers, firewalls, and other components that comprise and support a data network, telecommunications network and related MNJIS systems used to process, store, share, or transmit CJI, guaranteeing the priority, integrity, and availability of service needed by state and local agencies. This policy also applies to CJI data held by authorized agencies, regardless of the means of storage.

Roles and Responsibilities:

A. CJIS System Agency Information Security Officer (CSA ISO)
   1. The CSA ISO is a BCA employee who is responsible for:
      a. Ensuring agencies conform to the CSP and this policy.
      b. Ensuring management controls are in place for the CJDN including the management of State routers, firewalls, and VPN devices.
      c. Ensuring that state and local agency network topology documentation is current.
      d. Supporting security-related configuration management for the BCA and Local Agencies.
      e. Providing guidance in implementing security measures at the local level.
      f. Disseminating security-related training materials to local agencies.
      g. Collecting information about security incidents from LASOs for submission to the FBI.

B. Local Agency Security Officer (LASO)
   1. Each agency head must appoint a LASO for the agency. The LASO, who is the liaison between his/her Local Agency and the CSA ISO, is responsible for ensuring that the agency complies with both the CSP and this policy.
   2. The tasks assigned to the LASO in the CSP are modified as follows:
      a. Identify who is using the CSA approved hardware, software, and firmware and ensure no unauthorized individuals or processes have access to the same.
      b. Identify and document how the equipment is connected to the state system.

      c. Ensure that personnel security screening procedures are being followed as stated in the CSP in coordination with the agency’s Terminal Agency Coordinator (TAC) or Point of Contact (POC).
      d. Ensure the approved and appropriate security measures are in place and working as expected.
      e. Support policy compliance and keep the state/federal ISO informed of security incidents.
      f. Ensure the physical security of all MNJIS terminals and equipment in the authorized agency’s environment that accesses the CJDN or contains CJI.

C. Authorized Agency
   The authorized agency using the CJDN is responsible for ensuring that personnel screening is conducted as required by the CSP and Minnesota Statutes, section 299C.46 and that users receive initial security awareness training and on-going security awareness training as outlined in the CSP.

D. Standards of Enforcement
   1. Each Local Agency is responsible for enforcing system security standards for their agency in addition to all of the other agencies and entities which the Local Agency provides CJI services. Local Agencies must have written policies to address the security provisions of the CSP and this policy. Local Agencies must also have procedures in place to deactivate the passwords, log-ons, and other access tools of separated employees.
   2. Authorized users must access CJIS systems and disseminate CJI only for the purposes for which they are authorized. Each authorized agency permitted access to FBI CJIS and Minnesota systems will be held to the provisions of the policies and guidelines set forth in this policy as well as the most current version of the CSP.

E. Personnel Security
   1. According to the CSP, any individual with unescorted access in a Physically Secure Location must have a national, fingerprint-based background check and complete appropriate security awareness training. Most individuals will take the security awareness training via the BCA’s Launch Pad (https://bcanextest.x.state.mn.us/launchpad/) by using the CJIS Online functionality. Access to these sites is restricted; access is granted by the TAC. As part of the training, individuals will be tested as required by the CSO. Each agency is responsible for keeping documentation of each employee’s completion of security awareness training.
   2. Once the individual has met the requirements, they can have unescorted access to any part of the Physically Secure Location where there are devices through which CJI can be accessed or where output from those devices can be found in any media (e.g. paper, electronic or other physical format).
   3. Individuals who do not need to move freely within a Physically Secure Location must be escorted at all times by an individual who has met these Personnel Security requirements.
   4. For individuals who have Occasional Unescorted Access within a Physically Secure Location, the security awareness training requirement is satisfied by signing an agreement acknowledging that they understand they are working in a location with access to protected data, whether access is via a device, printout or overheard conversation and that the protected data need to “remain in the building.” The agreement must be signed prior to gaining access to CJI and must be renewed every two years. A sample agreement can be found on the BCA’s CJDN Secure website, https://app.dps.mn.gov/cjdn/ under MNJIS Policies. Credentials for the CJDN Secure website are obtained from the BCA Service Desk (651-793-2500 / 1-888-234-1119 or [email protected]). The sample agreement can also be found on the BCA’s Launch Pad in the CJIS Documents folder under the heading Security Awareness Training and Testing.

F. Personnel Screening for Contractors, Vendors, and Governmental Agencies Performing Criminal Justice functions on Behalf of an Authorized Agency
   As provided in the CSP, the CSO sets the standard for background checks on contractors and vendors. The BCA will register companies whose employees support authorized agencies in Minnesota after determining that the company is in compliance with the CSP and has signed a Security Addendum with the BCA. Part of the registration will include a determination that the company operates in compliance with the CSP and this policy. The BCA will conduct all national fingerprint-based background checks on all vendor employees and will be the centralized repository for the documentation of security awareness training and testing for those employees. Information on the process is available from the BCA CJIS SAT Screening Unit, *DPS BCA CJIS SAT [email protected]

G. Incident Response
   1. The CSP requires that Local Agencies report a security incident, whether physical or logical, to the FBI via the CSA ISO. Local Agencies are required to have a policy regarding security incidents and how they are reported. Local Agencies should use NIST Special Publication 800-61 as a template for the required incident response policy. The NIST publication can be found at: ns/NIST.SP.800-61r2.pdf
   2. The Local Agency must report all suspected security incidents to the CSA ISO within 24 hours of the initial discovery. Security incidents include loss or theft of media containing CJI (e.g. paper, thumb drive) or equipment, suspicious or malicious software in the Local Agency’s environment or unusual network activity. Information security events and weaknesses associated with information systems must be communicated in a manner allowing timely corrective action to be taken. Formal event reporting and procedures to increase attention depending on the severity of the situation must be in place.
   3. Wherever feasible, the Local Agency must employ automated mechanisms to assist in the reporting of security incidents. All employees, contractors and third party users must be made aware of the procedures for reporting the different types of events and weaknesses that might have an impact on the security of agency assets and are required to report any information security events and weaknesses as quickly as possible to the designated point of contact.

H. Firewalls
   Local Agencies with access to a foreign network connected to the CJDN must be protected with a firewall device. This must include all forms of access including wireless, dial-in, off-site, Internet access, and others. Firewall architectures must prevent unauthorized access to CJI, the Local Agency’s network, and all network components.

I. Advanced Authentication and Encryption
   1. The technical security requirements for encryption and advanced authentication for CJI transmitted across the CJDN are as follows:
      a. Physically Secure Location with direct access to CJDN.
         i. Must use NIST-certified 140-2 encryption algorithm with a minimum of a 128-bit encryption key.
         ii. No advanced authentication is required.
      b. Physically Secure Location to Physically Secure Location to CJDN. For example, a city police department has a network connection to the county sheriff’s office which has direct access to CJDN.
         i. Must use NIST-certified 140-2 encryption algorithm with a minimum of a 128-bit encryption key.
         ii. No advanced authentication required.
   2. Access to CJDN from a location that is not physically secure must use advanced authentication and encryption. Police vehicles in Minnesota are physically secure and so advanced authentication and encryption is not required.

J. Physically Secure Location
   1. A Physically Secure Location is a facility, an area, a room, or a group of rooms, that is/are subject to authorized agency management control and which contain hardware, software, and/or firmware (e.g., information system servers, controlled interface equipment, associated peripherals or communications equipment, wire closets, patch panels, etc.) that provide access to the CJIS and CJDN networks. Physical security perimeters must be acceptable to the CSO.

   2. Restricted and controlled areas must be prominently posted and separated from non-physically secured areas by physical barriers that restrict unauthorized access. Every physical access point to physically secure areas housing information systems that access, process, or display CJI must be secured in a manner which is acceptable to the CSO during both working and non-working hours. In commercial buildings where the public has complete access to the building, the requirement of a physically secure location is met by a secured room within a secured room.
   3. All CJI transmitted through any public network segment or over Internet connections must be immediately protected using a NIST certified, FIPS 140-2 encryption algorithm using a minimum of a 128-bit encryption key. This requirement also applies to any private data circuit.
   4. Advanced Authentication (AA) is the term describing added security functionality, in addition to the typical user identification and authentication of login ID and password, such as:
      a. Biometric systems
      b. Public Key Infrastructure (PKI)
      c. Smart cards
      d. Software tokens or hardware tokens
      e. “Risk-based Authentication” that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (i.e. device forensics, user pattern analysis and user binding) and user profiling, and also includes high-risk challenge/response questions.
   5. The objectives of implementing AA are to uniquely and positively identify an authorized individual for access to CJI.
   6. Once authenticated, access to CJI must be through a NIST certified, FIPS 140-2 encryption algorithm using a minimum of a 128-bit encryption key.
   7. Encryption keys, such as pre-shared keys used in a site-to-site VPN, must be changed at least once a year.
   8. Digital certificates, whether device and/or user based, must expire and be reissued at least once every two years.
   9. AA does not have to be a part of establishing the encrypted transport.
   10. No remote access to CJI, from an unsecure location, is permitted unless both AA and compliant encrypted transport requirements are met.
   11. The infrastructure for AA/encryption must be on an isolated network, not part of the CJDN or a city/county user network.
   12. The infrastructure for encryption must isolate authorized agency users from non-authorized agency users.
   13. The agency must have a firewall between the CJDN and AA/encryption environments.
   14. The agency firewall must ensure that only properly authorized and authenticated users may pass through the firewall to access CJI and/or any resources where CJI is in transit or at rest.
   15. The agency AA/encryption environment may provide access to other non-criminal justice resources such as email and county/city resources as required.
   16. Any agency AA methodology must utilize real-time user authentication to an agency controlled remote environment. Device authentication and locally cached credentials must not be used as part of AA.

K. Mobile Devices
   The use of mobile devices to access CJI is rapidly changing and the FBI periodically issues additional direction on their use. Contact the CSA ISO for the most current requirements governing the use of these devices. The CSA ISO can be reached at [email protected]

L. Software as a Service (SaaS)
   1. For an Authorized agency who wants to use a private sector vendor to provide SaaS the requirements are:
      a. An Authorized agency must consult with the BCA to ensure all requirements can be or are being met.
      b. The Authorized agency must send a written request, on agency letterhead, to the CSO requesting that vendor provide SaaS.
      c. The Authorized agency must have appropriate agreements in place with BCA.

      d. The Authorized agency must have written contract with the vendor. The vendor must comply with the CSP and this policy as well as any contractors of Vendor.
         i. If the vendor is in the private sector, the Security Addendum needs to be signed and employees must sign Security Addendum Certification. If the vendor has subcontractors, there must also be a written agreement between them, along with Security Addendum and Security Addendum Certifications.
         ii. If the vendor is a non-criminal justice government agency, a Management Control Agreement is needed.
      e. SaaS must be provided in an isolated network that must reside in the continental United States.
      f. Data must be encrypted in transmission and at rest.
      g. SaaS must be configured so that any agency may only have access to another criminal justice agency’s data if the access is authorized by Minnesota law and the parties have a signed agreement approving the access.
      h. Back up security must meet FBI CJIS requirements.
      i. BCA must have access for audit.
      j. Vendor/agency responsible for cost of connecting to the vendor, however accomplished.

M. Cloud Computing
   1. Any authorized agency that wants to store CJI in or transmit CJI through a cloud environment should consult with the BCA prior to any storage or transmission of CJI. The BCA will reference the most current version of the FBI’s Technical Report entitled “Recommendations for Implementation of Cloud Computing Solutions.” (As of April 2017, the report was available at putingreport 20121214.pdf/view).
   2. Any cloud implementation must host and/or access CJI separately from non-CJI.

N. Electronic Media Disposal
   When it is necessary to sanitize or destroy physical media, the use of media sanitization and destruction methods consistent with the applicable guidance contained in NIST 800-88 (available at ns/NIST.SP.800-88r1.pdf) and/or DOD 5220.22-M (available at 22M.pdf) is required.

O. Analytics Tools
   Any Local Agency that wishes to use an analytic tool should consult with BCA prior to implementation to ensure that the tool is in compliance with the CSP and this policy.

P. Network Configuration
   The LASO is responsible for ensuring network complianc