
5 Policy and Implementation

94 requirements in the Policy and Implementation policy area

5.1 Information Exchange Agreements
5.1.1 Information Exchange Agreement Types
5.1.1.1 Information Handling and Protection
5.1.1.2 State and Federal Agency User Agreements
5.1.1.3 Criminal Justice Agency Agreements
5.1.1.4 Interagency and Management Control Agreements
5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum
5.1.1.6 Agency User Agreements
5.1.1.7 Channeler User Agreements
5.1.1.8 Contractor Agreements for Noncriminal Justice Functions
5.1.2 Monitoring, Review, and Delivery of Services
5.1.2.1 Managing Changes to Service Providers
5.1.3 Secondary Dissemination
5.1.4 Secondary Dissemination of Non-CHRI CJI
5.2 Security Awareness Training
5.3 Security Awareness Training Requirements
5.4 Auditing and Accountability
5.4.1 Auditable Events and Content
5.4.1.1 Events to be Logged
5.4.1.1.1 Content of Audit Records
5.4.2 Response to Audit Processing Failures
5.4.3 Audit Monitoring, Analysis, and Reporting
5.4.4 Time Stamps
5.4.5 Protection of Audit Information
5.4.6 Audit Record Retention
5.4.7 Logging NCIC and III Transactions
5.5 Access Control
5.6 Identification and Authentication
5.7 Configuration Management
5.7.1 Access Restrictions for Changes
5.7.1.1 Least Functionality
5.7.1.2 Network Diagram
5.7.2 Security of Configuration Documentation
5.8 Media Protection
5.9 Physical Protection
5.9.1 Physically Secure Location
5.9.1.1 Security Perimeter
5.9.1.2 Physical Access Authorizations
5.9.1.3 Physical Access Control
5.9.1.4 Access Control for Transmission Medium
5.9.1.5 Access Control for Output Devices
5.9.1.6 Monitoring Physical Access
5.9.1.7 Visitor Control
5.9.1.8 Access Records
5.9.2 Controlled Area
5.10 Systems and Communications Protection and Information Integrity
5.10.1 Information Flow Enforcement
5.10.1.1 Boundary Protection
5.10.1.2 Encryption
5.10.1.2.1 Encryption in Transit
5.10.1.2.2 Encryption at Rest
5.10.1.2.3 Public Key Infrastructure
5.10.1.3 Voice over IP
5.10.1.4 Cloud Computing
5.10.2 Facsimile Transmission of CJI
5.10.3 Partitioning and Virtualization
5.10.3.1 Application Partitioning
5.10.3.2 Virtual Environment Security
5.11 Formal Audits
5.11.1 FBI CJIS Division Audit Authority
5.11.1.1 Triennial Compliance Audits
5.11.1.2 Triennial Security Audits
5.11.2 CSA Audit Responsibilities
5.11.3 Special Security Inquiries and Audits
5.11.4 Compliance Evaluation
5.12 Personnel Security
5.12.1 Personnel Security Screening
5.12.2 Personnel Termination
5.12.3 Personnel Transfer
5.12.4 Personnel Sanctions
5.13 Mobile Devices
5.13.1 Mobile Device Management
5.13.1.1 Authorized Use
5.13.1.2 Personally Owned Mobile Devices
5.13.1.2.1 Official Use Mobile Devices
5.13.1.2.2 Personal Use Mobile Devices
5.13.1.3 Mobile Device Supplemental Guidance
5.13.1.4 Mobile Device Disposal
5.13.2 Wireless Device Risk Mitigations
5.13.3 Cellular Devices
5.13.4 Mobile Device Integrity
5.13.4.1 Patch and Vulnerability Management
5.13.4.2 Malware Protection
5.13.4.3 Personal Firewall
5.13.5 Mobile Device Incident Reporting
5.13.6 Mobile Device Audit and Accountability
5.13.7 Mobile Device Access Control
5.13.7.1 Mobile Device Session Lock
5.13.7.2 Mobile Device Authentication
5.13.7.2.1 Advanced Authentication on Mobile Devices
5.13.7.3 Mobile Device Remote Wipe
5.14 Security Incident Reporting
5.15 Criminal Justice Agency User Agreements
5.16 Cloud Computing