The Policy Recommendations in Information Bulletin 18-10 CJIS

Author lindadresner

Understanding the Policy Recommendations in Information Bulletin 18-10 CJIS

Information Bulletin 18-10 issued by the FBI's Criminal Justice Information Services (CJIS) Division represents a critical update to security protocols governing access to sensitive criminal justice data. This bulletin specifically addresses the escalating risks associated with mobile device usage in law enforcement and related agencies, providing essential policy recommendations designed to safeguard Criminal History Record Information (CHRI) and other CJIS data in an increasingly mobile operational environment. Understanding these recommendations is vital for any agency accessing CJIS systems to maintain compliance, protect individual privacy, and uphold the integrity of the justice process.

What is CJIS and Why IB 18-10 Matters

The CJIS Division serves as the central repository for vital criminal justice information shared across federal, state, local, and tribal agencies, including fingerprint records, wanted persons, protection orders, and criminal histories. Access to this data is governed by the stringent CJIS Security Policy, which establishes minimum security standards to prevent unauthorized access, disclosure, or alteration. However, the proliferation of smartphones, tablets, and laptops used by officers in the field, investigators at scenes, and personnel working remotely created new vulnerabilities not fully addressed by the original policy framework. Information Bulletin 18-10, released in 2018, was specifically crafted to bridge this gap. Its core purpose is to extend the foundational CJIS Security Policy requirements to the unique challenges posed by mobile devices accessing CJIS systems, ensuring that the convenience of mobility does not compromise data security. Ignoring these recommendations isn't just a procedural misstep; it risks severe consequences including loss of CJIS access privileges, potential civil liability from data breaches, and erosion of public trust in law enforcement's ability to safeguard sensitive information.

Core Policy Recommendations from IB 18-10

Information Bulletin 18-10 outlines several non-negotiable requirements for agencies permitting mobile device access to CJIS data. These recommendations are not optional suggestions but mandatory components of CJIS compliance for any entity utilizing mobile access:

  1. Mandatory Full-Disk Encryption (FDE): All mobile devices (smartphones, tablets, laptops) used to access, store, or transmit CJIS data must employ FIPS 140-2 validated full-disk encryption. This ensures that if a device is lost or stolen, the data stored on it remains unreadable without the correct authentication credentials. The bulletin explicitly states that device-level encryption (like basic PIN protection) is insufficient; robust, validated FDE is required to protect data at rest.

  2. Strong Multi-Factor Authentication (MFA): Accessing CJIS systems or applications containing CJIS data from a mobile device necessitates multi-factor authentication. This goes beyond a simple password, requiring at least two distinct factors: something you know (password/PIN), something you have (token, smart device), or something you are (biometric). IB 18-10 emphasizes that MFA must be implemented for the initial access to the CJIS service or application, significantly reducing the risk of unauthorized access even if a device password is compromised.

  3. Remote Wipe Capability: Agencies must implement and maintain the ability to remotely wipe all CJIS data from a mobile device in the event of loss, theft, or compromise. This capability must be tested regularly to ensure functionality. The recommendation underscores that the wipe must be comprehensive, targeting not just the CJIS application but any cached data or temporary files that might contain sensitive information residing on the device.

  4. Strict Prohibition on Unsecured Public Wi-Fi: Accessing CJIS data via mobile devices over unsecured public wireless networks (like those in coffee shops, airports, or hotels) is expressly forbidden unless a validated Virtual Private Network (VPN) meeting CJIS Security Policy standards is used. The bulletin highlights the significant risk of man-in-the-middle attacks on open networks, which could intercept credentials or data transmissions. Use of a CJIS-compliant VPN creates an encrypted tunnel, securing the data in transit regardless of the underlying network's security.

  5. Device Management and Configuration Control: Agencies must establish and enforce strict configuration standards for all mobile devices accessing CJIS data. This includes disabling unnecessary features (like Bluetooth discovery or NFC when not required for specific, approved functions), ensuring automatic screen locking after a short period of inactivity (typically 5 minutes or less), and prohibiting the installation of unauthorized applications that could introduce malware or vulnerabilities. Mobile Device Management (MDM) solutions are strongly recommended, if not implicitly required, to enforce these configurations centrally and consistently.

  6. Logging and Monitoring Requirements: All access to CJIS data via mobile devices must be logged and monitored in accordance with the base CJIS Security Policy. This includes recording successful and failed login attempts, data access events, and any security-relevant actions. Agencies must retain these logs for the specified period and ensure they are protected from tampering, enabling effective audit trails and incident investigations related to mobile access.
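The six requirements above translate naturally into a device posture check run before a session is allowed. The following is an added example, not code from the bulletin or from any MDM product: the inventory field names, control ids and device records are constructed for illustration, and it assumes the MDM can export each device's settings as a flat record.

```python
# Added example: field names and device records below are constructed.
MAX_LOCK_SECONDS = 5 * 60  # item 5: screen lock after 5 minutes or less

# (control id, inventory attribute, predicate that must hold)
CONTROLS = [
    ("FDE", "fde_fips_validated", lambda v: v is True),        # item 1
    ("MFA", "mfa_enforced", lambda v: v is True),              # item 2
    ("WIPE", "remote_wipe_enrolled", lambda v: v is True),     # item 3
    ("LOCK", "lock_timeout_s",
     lambda v: type(v) is int and 0 < v <= MAX_LOCK_SECONDS),  # item 5
    ("BT", "bluetooth_discoverable", lambda v: v is False),    # item 5
    ("APPS", "unapproved_apps", lambda v: v == []),            # item 5
    ("LOG", "access_logging", lambda v: v is True),            # item 6
]

def evaluate(device):
    """Return the ids of failed controls; a missing attribute fails closed."""
    failed = [cid for cid, attr, ok in CONTROLS
              if attr not in device or not ok(device[attr])]
    # Item 4: off a trusted network, access is allowed only through the VPN.
    if device.get("network") != "trusted" and device.get("vpn_active") is not True:
        failed.append("NET")
    return failed

def may_access_cjis(device):
    return not evaluate(device)

COMPLIANT = {"fde_fips_validated": True, "mfa_enforced": True,
             "remote_wipe_enrolled": True, "lock_timeout_s": 120,
             "bluetooth_discoverable": False, "unapproved_apps": [],
             "access_logging": True, "network": "public", "vpn_active": True}

FLEET = {
    "tablet-01": COMPLIANT,
    # Long lock timeout, discoverable Bluetooth, sideloaded app, open Wi-Fi.
    "phone-07": {**COMPLIANT, "lock_timeout_s": 900,
                 "bluetooth_discoverable": True,
                 "unapproved_apps": ["game.apk"], "vpn_active": False},
    # Partial inventory record: unknown settings are treated as failures.
    "laptop-03": {"fde_fips_validated": True, "mfa_enforced": True},
}

if __name__ == "__main__":
    for name, dev in FLEET.items():
        print(name, "ALLOW" if may_access_cjis(dev) else "DENY", evaluate(dev))
```

Treating a missing attribute as a failure matters in practice: a device that has stopped reporting to the MDM should lose access rather than keep it by default.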

Implementation Challenges and Practical Solutions

While the policy recommendations in IB 18-10 are clear, implementing them presents practical challenges for agencies, particularly smaller jurisdictions with limited IT resources. Common hurdles include the cost of acquiring MDM
