Chief Information Officers Council – AEIT Advisory Committee
Law Enforcement Requirements For Data Center Consolidation Workgroup
Law Enforcement Requirements for Data Center Consolidation

     Submitting   Law/Rule/        FR Category    Functional Requirement                                                              Additional Comment                                     Applies To:
     Agency       Policy
                                                                                                                                                                                          FDLE   CJ Agencies
                                                                                                                                                                                                   & Data
                                                                                                                                                                                                   Centers
                                                                                                                                                                                                 hosting FBI
                                                                                                                                                                                                  CJIS Data
1    AEIT         FS 119           Policy and     The Data Centers should develop and adopt polices and procedures to adhere          Public Records. Department of State would be
                                   Procedures     to F.S. 119 as it relates to Public Records request and release of information.     the agency to provide clarification on this
                                                                                                                                                                                                      X
                                                  Also including data retention requirements.                                         requirement. The Data Center’s policy should
                                                                                                                                      include policy that it is the agency who owns the
                                                                                                                                      data that has the responsibility to respond to
                                                                                                                                      and release information for Public Records
                                                                                                                                      requests. Since retention is based on the type
                                                                                                                                      of data, it is also the individual agencies who
                                                                                                                                      must define retention schedules for data
                                                                                                                                      although the PDC should develop policies and
                                                                                                                                      procedures ensuring that data retention
                                                                                                                                      schedules are developed and adhered to.
2    AEIT         FS 257           Operations -   The Data Centers should develop and adopt polices and procedures to adhere          Public libraries and state archives, retention
                                   Retention      to F.S. 257 PDCs, should identify public records retention schedules                requirements. Department of State would be
                                                                                                                                                                                                      X
                                                  requirements as it relates to the retention of tapes and other IT data assets.      the agency to provide clarification on this
                                                                                                                                      requirement although responsibility for defining
                                                                                                                                      retention schedules for specific data is the
                                                                                                                                      agency’s responsibility.
3    AEIT         FS 817.5681      Security       The Data Centers should develop and adopt policies and procedures to                Breach Notification
                                                  adhere to F.S. 871.5681 as it relates to information data breach and security
                                                                                                                                                                                                      X
                                                  concerning confidential personal information in third-party possession;
                                                  administrative penalties and financial penalties imposed plus notification
                                                  requirements.
4    AEIT         F.A.C. 60DD-2    Security       The Data Centers should develop and adopt policies and procedures to                State Security Rule NEW TBA 71A-1
                  (Rule 71A-1)                    adhere to Administrative Rule, State Security Rule 60DD-2/ AKA 71A-1 as it
                                                                                                                                                                                                      X
                                                  relates to protection of state data.
5    AEIT         F.A.C. 1B-24     Media          The Data Centers should develop and adopt policies and procedures to                Florida Administrative Code - Destruction of
                                   Disposal       adhere to Florida Administrative Code 1B-24 - destruction of public records         Public documents. . Department of State would
                                                                                                                                                                                                      X
                                                  PDCs, should identify destruction of public records requirements as it relates      be the agency to provide clarification on this
                                                  to the retention of tapes and other IT assets.                                      requirement.
6    AEIT         F.S. 282.318 -   Security       The Data Centers should develop and adopt policies and procedures to                The AEIT/OIS Florida Statute 282.318 and rule
                  Enterprise                      adhere to F.S. 282.318 - To assist the Office of Information Security in carrying   60DD-2 applies specifically to Executive Branch
                                                                                                                                                                                                      X
                  Security of                     out its responsibilities, each agency head shall, at a minimum follow               agencies

Revision Date: 12/6/2010                                                                                                                                                                                   Page 1
                                                       Chief Information Officers Council – AEIT Advisory Committee
                                                      Law Enforcement Requirements For Data Center Consolidation Workgroup
                                                                     Law Enforcement Requirements for Data Center Consolidation

     Submitting   Law/Rule/        FR Category   Functional Requirement                                                                  Additional Comment        Applies To:
     Agency       Policy
                                                                                                                                                              FDLE     CJ Agencies
                                                                                                                                                                         & Data
                                                                                                                                                                         Centers
                                                                                                                                                                       hosting FBI
                                                                                                                                                                        CJIS Data
                  Data and                       requirements specified in law.
                  Information
                  Technology
7    FDLE         FS 119           Governance    FDLE houses and processes information other than FBI CJIS data that is
                  FS 775.021                     considered sensitive and is exempt from Public/Unauthorized disclosure.
                                                                                                                                                               X
                  FS 790.065                     Under State or Federal Law this information must be protected from
                  FS 874.09                      unauthorized access and dissemination.
                  FS 937.022
                  FS 943.032
                  FS 943.0321
                  FS 943.325
                  FS 943.0435
                  FS 943.053
                  FS 943.057
                  FS 9430585 (4)
8    FDLE         FS 943.05        Operations    Under the authority of Chapter 943.05 and 943.051 Florida Statutes, FDLE
                  FS 943.051                     Criminal Justice Information Program within FDLE serves as the State’s
                                                                                                                                                               X
                                                 central repository for criminal record information and gateway to the Federal
                                                 repository. FDLE is given the authority to maintain the State, Criminal Justice
                                                 Information Repository; the Automated Fingerprint System; Offender Based
                                                 Tracking System; Domestic & Repeat Violence Injunction Statewide
                                                 Verification System (FCIC); Communication System for Criminal Justice
                                                 Information; System for Court Ordered Child Support Obligation (FCIC);
                                                 Retention of Applicant Fingerprints (FALCON).
9    FDLE         FS 943.0311      Security      (1) The executive director of the department (FDLE), or a member of the
                                                 department designated by the executive director, shall serve as the chief of
                                                                                                                                                                            X
                                                 Domestic Security. The chief of Domestic Security shall:
                                                 (a) Coordinate the efforts of the department in the ongoing assessment of this
                                                 state's vulnerability to, and ability to detect, prevent, prepare for, respond to,
                                                 and recover from acts of terrorism within or affecting this state.
                                                 (b) Prepare recommendations for the Governor, the President of the Senate,
                                                 and the Speaker of the House of Representatives, which are based upon
                                                 ongoing assessments to limit the vulnerability of the state to terrorism.
                                                 (c) Coordinate the collection of proposals to limit the vulnerability of the state to
Revision Date: 12/6/2010                                                                                                                                                         Page 2
                                                     Chief Information Officers Council – AEIT Advisory Committee
                                                    Law Enforcement Requirements For Data Center Consolidation Workgroup
                                                                  Law Enforcement Requirements for Data Center Consolidation

     Submitting   Law/Rule/     FR Category    Functional Requirement                                                                Additional Comment        Applies To:
     Agency       Policy
                                                                                                                                                          FDLE     CJ Agencies
                                                                                                                                                                     & Data
                                                                                                                                                                     Centers
                                                                                                                                                                   hosting FBI
                                                                                                                                                                    CJIS Data
                                               terrorism.
                                               (d) Use regional task forces to support the duties of the department set forth in
                                               this section.
                                               (e) Use public or private resources to perform the duties assigned to the
                                               department under this section.
                                               (2) The chief shall conduct or cause to be conducted by the personnel and with
                                               the resources of the state agency, state university, or community college that
                                               owns or leases a building, facility, or structure, security assessments of
                                               buildings, facilities and structures owned or leased by state agencies, state
                                               universities, and community colleges using methods and instruments made
                                               available by the department. Each entity making such an assessment shall
                                               prioritize its security needs based on the findings of its assessment. Each
                                               state agency, state university, and community college shall cooperate with the
                                               department and provide the assistance of employees within existing resources
                                               to provide to the chief information in the format requested by the chief. The
                                               chief must report to the Governor, the President of the Senate, and the
                                               Speaker of the House of Representatives if any state agency, state university,
                                               or community college substantially fails to cooperate with the chief in making a
                                               security assessment of the buildings, facilities, and structures of the state
                                               agency, state university, or community college.
10   FDLE         FS 943.0544   Operations -   The department may develop, implement, maintain, manage, and operate the
                                Connectivity   Criminal Justice Network, which shall be an intraagency information and data-
                                                                                                                                                           X
                                               sharing network for use by the state's criminal justice agencies. The
                                               department, in consultation with the Criminal and Juvenile Justice Information
                                               Systems Council, shall determine and regulate access to the Criminal Justice
                                               Network by the state's criminal justice agencies.
                                               The department may enter into an agreement with any entity to facilitate the
                                               department's responsibilities for receiving, maintaining, managing, processing,
                                               allowing access to, and disseminating criminal justice information, intelligence,
                                               data, or criminal history records and information, or to otherwise accomplish
                                               the duties and responsibilities related to information and records as defined in
                                               this chapter. The department may enter into agreements by which products,
                                               programs, or services of value to the department or the information needs of
                                               criminal justice agencies are provided in lieu of all or part of a fee, commission,
Revision Date: 12/6/2010                                                                                                                                                     Page 3
                                                    Chief Information Officers Council – AEIT Advisory Committee
                                                   Law Enforcement Requirements For Data Center Consolidation Workgroup
                                                                 Law Enforcement Requirements for Data Center Consolidation

     Submitting   Law/Rule/     FR Category   Functional Requirement                                                               Additional Comment      Applies To:
     Agency       Policy
                                                                                                                                                        FDLE   CJ Agencies
                                                                                                                                                                 & Data
                                                                                                                                                                 Centers
                                                                                                                                                               hosting FBI
                                                                                                                                                                CJIS Data
                                              royalty, or charge that might be otherwise assessed by the department upon
                                              an entity entering into an agreement with the department. Any entity under
                                              contract with the department to perform all or part of the department's
                                              information functions or duties shall, as specified in the contract, be performing
                                              such functions or duties as a criminal justice agency for purposes of handling,
                                              collecting, managing, or disseminating criminal justice information, intelligence,
                                              data, histories, and other records. Disclosure of such information to an entity
                                              under such a contract does not waive any confidentiality or exemption from
                                              disclosure under s. 119.07 or any other applicable law.
11   FDLE         FS 943.0525   Governance    Criminal justice information systems; use by state and local agencies.--As a
                                              condition of participating in any criminal justice information system established
                                                                                                                                                                    X
                                              by the Criminal Justice Information Program or of receiving criminal justice
                                              information, state and local agencies shall be required to execute appropriate
                                              user agreements and to comply with applicable federal laws and regulations,
                                              this chapter, and rules of the department. The program shall, by rule, adopt a
                                              user agreement that must include, but is not limited to, compliance with the
                                              provisions of s. 943.052. The user agreement between the department and the
                                              criminal justice agency shall include conspicuous language that any criminal
                                              justice agency's failure to comply with laws, rules, and the user agreement
                                              shall constitute grounds for immediate termination of services. The department
                                              shall terminate the services to the criminal justice agency until the agency is in
                                              compliance. However, the department shall not terminate access to wanted
                                              persons or wanted property record information services to a law enforcement
                                              agency.
12   FDLE         FS 943.055    Audit         Criminal justice agencies disseminating criminal justice information derived
                                              from a Department of Law Enforcement criminal justice information system
                                                                                                                                                                    X
                                              shall maintain a record of dissemination in accordance with rules adopted by
                                              the Department of Law Enforcement.
                                              The Criminal Justice Information Program shall arrange for any audits of state
                                              and local criminal justice agencies necessary to assure compliance with
                                              federal laws and regulations, this chapter, and rules of the Department of Law
                                              Enforcement pertaining to the establishment, operation, security, and
                                              maintenance of criminal justice information systems.

Revision Date: 12/6/2010                                                                                                                                                 Page 4
                                                        Chief Information Officers Council – AEIT Advisory Committee
                                                       Law Enforcement Requirements For Data Center Consolidation Workgroup
                                                                      Law Enforcement Requirements for Data Center Consolidation

     Submitting   Law/Rule/         FR Category   Functional Requirement                                                                Additional Comment                                     Applies To:
     Agency       Policy
                                                                                                                                                                                          FDLE     CJ Agencies
                                                                                                                                                                                                     & Data
                                                                                                                                                                                                     Centers
                                                                                                                                                                                                   hosting FBI
                                                                                                                                                                                                    CJIS Data
13   FDLE         CJIS Security     Governance    The CJIS Systems Agency (CSA) is responsible for establishing and                     3.0 Roles and Responsibilities - CJIS Policy
                  Policy 3.1 CJIS                 administering an IT security program throughout the CSA's user community, to          NOTE: FDLE is the CJIS Systems Agency
                                                                                                                                                                                           X
                  Systems                         include the local levels. The CJIS Systems Officer is therefore responsible to        (CSA) for the State of Florida
                  Agencies                        set, maintain, and enforce the following:                                             The CJ Agency maintains the authority to hire
                                                  a) Standards for the selection, supervision, and separation of personnel who          and fire staff accessing / maintaining FBI/CJIS
                                                  have CJIS systems access.                                                             Systems. This includes the background
                                                  b) Policy governing the operation of computers, access devices, circuits, hubs,       process needing to be completed by a CJ
                                                  routers, firewalls, and other components that comprise and support a                  Agency, as opposed to by a Data Center
                                                  telecommunications network and related CJIS systems used to process, store,           directly or other managing non-CJ Agency. It
                                                  or transmit criminal justice information, guaranteeing the priority, integrity, and   also includes review and decision making
                                                  availability of service needed by the criminal justice community.                     authority regarding background results and post
                                                  c) Responsibility for the management of security control shall remain with the        background subsequent arrest notification. In a
                                                  criminal justice agency. Security control includes the authority to set and           consolidated Data Center environment where
                                                  enforce policy governing the operation of computers, circuits, and                    multiple LE Agencies reside the
                                                  telecommunications terminals used to process, store, or transmit CJIS data            recommendation is that a single Agency provide
                                                  and to guarantee the priority service needed by the criminal justice community.       this CJ oversight.
                                                  This control is to ensure that privatization and/or delegation to non-criminal
                                                  justice agencies does not diminish the existing degree of control exercised by        3.1 CJIS Systems Agencies Continued
                                                  the CSA prior to the CFR changes in October, 1999 as stated in the March              Also Refer to Criminal Justice User Agreement
                                                  2000 White Paper on Management Control.                                               (CJUA) Sec III para 3.b
                                                  d) Responsibility for the management control of network security shall remain
                                                  with the criminal justice agency. Management control of network security
                                                  includes the authority to set and enforce policy governing the operation of
                                                  circuits and network equipment used to transmit CJIS data and to guarantee
                                                  the priority service as determined by the criminal justice community. If the CSA
                                                  is not satisfied that the CSA exercises the necessary management control of
                                                  network security on any network segment transmitting CJIS data, then that
                                                  network segment shall be considered a foreign network. The CSA shall meet
                                                  all necessary security requirements in connecting to that foreign network
                                                  segment, such as encryption, firewalls, etc. applied to the transmission of CJIS
                                                  data over the Internet or any foreign network.

                                                  FDLE as CSA shall also establish an information security structure that
                                                  provides for an ISO and shall ensure that each Interface Agency having
Revision Date: 12/6/2010                                                                                                                                                                                     Page 5
                                                access to a criminal justice network has someone designated as the Local
                                                Agency Security Officer (LASO).
15   FDLE         CJIS Security   Governance    Pursuant to The Bylaws for the CJIS Advisory Policy Board and Working
                  Policy 3.2                    Groups, the CSO shall be responsible for the following:
                                                                                                                                                          X
                                                a) Ensure appropriate use, enforce system discipline, and ensure CJIS
                                                Division operating procedures are followed by all users of the respective
                                                telecommunications links.
                                                b) Ensure state/federal agency compliance with policies approved by the CJIS
                                                APB and adopted by the FBI.
                                                c) Approve FBI CJIS systems access.
                                                d) Assume ultimate responsibility for managing the security of CJIS systems
                                                within their state or agency.
                                                e) Perform other related duties outlined by the user agreements with the FBI
                                                CJIS Division.
16   FDLE         CJIS Security   Governance    Local Agency Security Officers (LASO) shall be responsible for the following:
                  Policy 3.4                    a) Identify who is using the CSA approved hardware, software, and firmware
                                                                                                                                                                       X
                                                and ensure no unauthorized individuals or processes have access to the
                                                same.
                                                b) Identify and document how the equipment is connected to the state system.
                                                c) Ensure that personnel security screening procedures are being followed as
                                                stated in this policy.
                                                d) Ensure the approved and appropriate security measures are in place and
                                                working as expected.
                                                e) Support policy compliance and keep the state/federal ISO informed of
                                                security incidents.
17   FDLE         CJIS Security   Security      Each Interface Agency shall be responsible for enforcing systems security
                  Policy 4.1                    standards for their agency, in addition to all of the other agencies and entities
                                                                                                                                                                       X
                                                 to which the Interface Agency provides CJIS records information services.
                                                Interface Agencies shall have documented procedures in place
                                                to monitor all security policies, including those through state and local audit
                                                programs with appropriate points of contact as coordinated with the ISO.
                                                Interface Agencies shall also have procedures in place to delete the
                                                passwords, log-ons, etc., of separated employees.

18   FDLE         CJIS Security   Security      Authorized users shall access CJIS systems and disseminate CJIS data only
                  Policy 4.2                    for the purposes for which they are authorized. Each criminal justice and non-
                                                                                                                                                                                             X
                                                criminal justice agency authorized to access FBI CJIS systems shall have a
                                                written policy for the discipline of CJIS policy violators.
                                                See FBI CJIS Security Policy version 4.5 Appendix C (C.12), "Standards of
                                                Discipline," for general guidance as to what the policy should include.
19   FDLE         CJIS Security   Security      The CSO shall ensure that security awareness training is provided at least
                  Policy 4.3                    once every two years to all personnel who manage or have access to FBI CJIS
                                                                                                                                                                                             X
                                                systems. All new employees who have access to FBI CJIS systems and all
                                                appropriate IT personnel shall receive security awareness training within six
                                                (6) months of their appointment or assignment. Documentation pertaining to
                                                the materials used and those employees which receive security awareness
                                                training shall be maintained in a current status.
20   FDLE         CJIS Security   Security -    The computer site and related infrastructures (e.g., information system
                  Policy 4.4.1    Physical      servers, controlled interface equipment, associated peripherals,
                                                                                                                                                                                             X
                                                communications equipment, wire closets, patch panels, etc., including police
                                                vehicles if they house equipment which provides access to the CJIS network)
                                                must have adequate physical security at all times to protect against any
                                                unauthorized access to or routine viewing of computer devices, access
                                                devices, and printed and stored data.
21   FDLE         CJIS Security   Security -    All mobile/remote devices, including all handheld and small form factor devices     Encryption 7.1.2
                  Policy 4.4.2    Physical      such as Personal Digital Assistants (PDAs), purchased after September 30,           Advanced Authentication - 4.4.2 & 7.2
                                                                                                                                                                                                  X
                                                2005 shall meet the approved form of data encryption and advanced                   FDLE has not established any policies
                                                authentication. All remote clients shall meet this requirement by September 30,     for mobile devices beyond what is in the
                                                2010. Policy shall be established by the CSA regarding the security for mobile      FBI Security Policy. Each User agency
                                                and remote devices.                                                                 is expected to develop and enforce
                                                                                                                                    mobile/remote policies that meet the FBI
                                                                                                                                    Security Policy standards.
22   FDLE         CJIS Security   Security -    All visitors to computer centers and/or terminal areas shall be escorted by
                  Policy 4.4.3    Physical      authorized personnel at all times.
                                                                                                                                                                                             X
23   FDLE         CJIS Security   Personnel -   a) To verify identification, state of residency and national fingerprint-based    The original reason behind the 30 day leeway
                  Policy 4.5      Background    record checks shall be conducted within 30 days upon initial employment or        was due to processing time for hardcard
                                                                                                                                                                                             X
                                            assignment for all personnel who have authorized access to FBI CJIS systems           fingerprints. With current electronic submission
                                            and those who have direct responsibility to configure and maintain computer           of fingerprints turnaround time for criminal
                                            systems and networks with direct access to FBI CJIS systems. Federal entities         history responses is within 48 hours. Based on
                                            bypassing state repositories in compliance with federal law may not be                technology and significantly reduced response
                                            required to conduct a state fingerprint-based record check. All requests for          time, FDLE is currently modifying Florida’s
                                            systems access shall be made as specified by the CSO. The CSO, or their               Criminal Justice User Agreement to state that
                                            official designee, is authorized to approve CJIS systems access. All official         the fingerprint based background check must be
                                            designees to the CSO shall be from an authorized criminal justice agency.             completed prior to assignment or access. The
                                            b) If a felony conviction of any kind exists, the hiring authority in the Interface   Data Centers should consider completing this
                                            Agency shall deny systems access. However, the hiring authority in the                process prior to employment of any new staff.
                                            Interface Agency may ask for a review by the CSO in extenuating
                                            circumstances where the severity of the offense and the time that has                 Clarification Regarding Who is required to
                                            passed would support a possible variance.                                             complete the fingerprint based criminal history
                                            c) If a record of any other kind exists, systems access shall not be granted until    check conducted by the Primary CJ Agency in
                                            the CSO or his/her official designee reviews the matter to determine if systems       the Data Center:
                                            access is appropriate.
                                            d) If the person appears to be a fugitive or appears to have an arrest history        Physical Access:
                                            without conviction for a felony or serious misdemeanor, the CSO or his/her            Any personnel with physical access to the data
                                            official designee shall review the matter to determine if systems access is           center which processes or stores FBI CJIS data
                                            appropriate.                                                                          must successfully complete a fingerprint based
                                            e) If the person is employed by a non-criminal justice agency, the CSO or             criminal history check as required by the CJIS
                                            his/her official designee, and if applicable, the appropriate board maintaining       Security policy and conducted by the primary CJ
                                            administrative control, shall review the matter to determine if systems access        Agency in the Data Center
                                            is appropriate. This same procedure applies if this person is found to be a
                                            fugitive or has an arrest history for a felony or serious misdemeanor without         Logical Access with no Logical Separation
                                            conviction.                                                                           of Data:
                                            f) If the person already has systems access from another law enforcement              Any Agency personnel (Data Center or other)
                                            agency, e.g., shared dispatchers, the CSO or his/her designee may grant               with logical access for the purpose of remote
                                            systems access prior to the confirmation of the new state of residency and            administration, to the data center which
                                            national fingerprint-based record check. This does not implicitly grant               processes or stores FBI CJIS data where that
                                            hiring/firing authority with the CSA, only the authority to grant FBI CJIS            FBI CJIS data is not logically separated from
                                            systems access.                                                                       other agency data (CJIS or non-CJIS) must
                                            g) If the CSO or his/her designee determines that CJIS systems access by the          successfully complete a fingerprint based
                                            person would not be in the public interest, access shall be denied and the            criminal history check as required by the CJIS
                                                person's appointing authority shall be notified in writing of the access denial.   Security policy and conducted by the primary CJ
                                                h) Support personnel, contractors, and custodial workers who access                Agency in the Data Center.
                                                computer terminal areas shall be subject to a state of residency and national
                                                fingerprint-based record check, unless these individuals are escorted by
                                                authorized personnel at all times. "Authorized personnel" are those                Logical Access with Logically Separated
                                                persons who have passed a state and national fingerprint-based record              Data:
                                                check and have been granted access.                                                If the PDC logically separates and secures
                                                                                                                                   individual Criminal Justice agency’s data
                                                                                                                                   through the use of VLANS, Firewalls or other
                                                                                                                                   similar methods, any individual agency
                                                                                                                                   personnel with logical access to the Data Center
                                                                                                                                   for the purpose of remote administration of their
                                                                                                                                   agency’s systems may remotely administer their
                                                                                                                                   agency’s data without needing to complete the
                                                                                                                                   fingerprint based background check conducted
                                                                                                                                   by the Primary Criminal Justice Agency in the
                                                                                                                                   Data Center. CJ Agencies of course must
                                                                                                                                   follow the CJIS Security Policy regarding
                                                                                                                                   criminal history checks within their own
                                                                                                                                   agencies. The exception to criminal history
                                                                                                                                   checks for logical access in the PDC would be
                                                                                                                                   the PDC employees who would have logical
                                                                                                                                   access to all if not most systems and must have
                                                                                                                                   the criminal history check for logical or physical
                                                                                                                                   access.
24   FDLE         CJIS Security   Media         a) When no longer usable, diskettes, tape cartridges, ribbons, hard copies,
                  Policy 4.6      Disposal      print-outs, and other similar items used to process CJIS data shall be
                                                                                                                                                                                                    X
                                                destroyed by shredding (which must occur before destruction), incineration, or
                                                degaussing, considering whichever method is available, appropriate, and cost
                                                effective. This list is not all-inclusive.
                                                b) IT systems which have processed or stored CHRI shall not be released from
                                                control until the equipment is sanitized and all stored information has been
                                                cleared. The sanitization method shall be approved by the CSO.


25   FDLE         CJIS Security   Media Reuse   IT storage media that will be reused by another entity shall be sanitized. The      4.7 Media Reuse
                  Policy 4.7                    steps taken to sanitize shall be documented by the releasing agency.
                                                                                                                                                                                          X
26   FDLE         CJIS Security   Security –    The User (CJ Agency / State Data Center) will immediately notify FDLE of any        5.0 Computer Security Incident Response
                  Policy 5.4      Incident      suspected compromise of the CJNet (including any application that includes          Capability (CSIRC)
                                                                                                                                                                                          X
(row continued from the previous page)
    Law/Rule/Policy: User Agreement Sec 3 paragraph 5 (continued)
    FR Category: Response (continued)
    Functional Requirement (continued):
        FBI data). CSA responsibilities for computer incident response shall include:
        a) Notify the FBI CJIS Division ISO or the FBI CJIS Division CSIRC either by telephone
           or e-mail within four hours after the resolution of a security incident on a network.
           However, if a CJIS Division system may be compromised, the CSA shall immediately
           notify the FBI CJIS Division's ISO and the CSIRC by calling the CJIS Division
           switchboard at 304-625-2000 or via email on the LEO network at iso@leo.gov. The ISO
           shall also notify the CSO that an intrusion incident might be occurring or has
           occurred. LASOs shall notify the ISO at their CSA level of incidents and compromises
           at the local level.
        b) Document the incident from beginning to end.
        c) Determine the nature and scope of the incident:
           1) Look for modifications to system software and configuration files.
           2) Look for tools installed by the intruder.
           3) Check other local component systems for modification.
           4) Check remote component systems for modifications.
           5) Notify the affected LASO(s) to check for systems at other sites that may be
              involved.
           6) As necessary, coordinate with the appropriate legal department to ensure proper
              handling of the incident (e.g., wiretapping, chain of evidence, etc.).
        d) Resolve the problem and get the system back to normal operations. If an intrusion
           is in progress, make a risk-based management decision to either leave the system
           attached or disconnect from the network. DO NOT POWER DOWN THE SYSTEM. This may
           cause the loss of valuable information regarding the intrusion.
    Additional Comment:
        5.4 Investigating Incidents
        Also Refer to CJUA Sec III para 5

27  Submitting Agency: FDLE
    Law/Rule/Policy: CJIS Security Policy 5.4
    FR Category: Security - Physical
    Functional Requirement:
        CJIS Information must be in a secure Law Enforcement Sensitive Facility location that
        provides adequate protection from damage due to environmental factors. The server site
        must have adequate physical security to protect against any unauthorized viewing
    Additional Comment:
        5.0 Computer Security Incident Response Capability (CSIRC)
        5.4 Investigating Incidents Continued
        Also Refer to CJUA Sec III para 5
    Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data

Revision Date: 12/6/2010                                                                                                                                                                  Page 10
28  Submitting Agency: FDLE
    Law/Rule/Policy: CJIS Security Policy 5.6
    FR Category: Availability - Recovery
    Functional Requirement:
        Each system shall be supported by a well-written contingency plan. Each Interface
        Agency should routinely review, test, and update their contingency plan to enable vital
        operations and resources to be restored as quickly as possible and keep system
        down-time to an absolute minimum, providing reasonable continuity of support if events
        occur that prevent normal operation. When an intrusion has been detected and causes
        significant damage to a computer system, the contingency plan should allow for the
        disinfection, repair, and/or upgrade of the system to be restored as quickly as
        possible.
    Additional Comment:
        5.0 Computer Security Incident Response Capability (CSIRC)
        5.6 Recovery
    Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data

29  Submitting Agency: FDLE
    Law/Rule/Policy: CJIS Security Policy 6.4
    FR Category: Governance
    Functional Requirement:
        Non-criminal justice agencies designated to perform criminal justice dispatching
        functions or data processing/information services for a criminal justice agency shall
        be eligible for access to the CJIS records information systems. Access shall be
        permitted when such designation is authorized pursuant to Executive Order, statute,
        regulation, or inter-agency agreement. All non-criminal justice agencies accessing CJIS
        systems shall be subject to all CJIS Division operational policies, rules, and
        regulations. Security control responsibility shall remain with the criminal justice
        agency.
        Each non-criminal justice agency that directly accesses the FBI CJIS Division systems
        shall also allow the FBI to periodically test the ability to penetrate the FBI network
        through the external network connection or system per authorization of DOJ Order
        2640.2E.
    Additional Comment:
        6.0 Originating Agency Identifiers (ORI), Authorizations and User Agreements
        6.4 Non-Criminal Justice Agency User Agreements
        It is recommended that the State Primary Data Centers execute a Management Control
        Agreement with each Interface CJ Agency supported to access FBI Criminal Justice Data.
        This agreement includes the terms and conditions of the FDLE CJIS User Agreement that
        is executed with each CJA.
    Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data

30  Submitting Agency: FDLE
    Law/Rule/Policy: CJIS Security Policy 6.5
    FR Category: Governance
    Functional Requirement:
        Each criminal and non-criminal justice agency with a direct communications link to FBI
        CJIS systems shall acknowledge the existence of the connection(s) through a letter of
        acknowledgment per DOJ Order 2640.2E. The letter serves only as an acknowledgment of
        the direct telecommunications line and under no circumstances negates a previously
        signed user agreement with the Interface Agency or other controlling agency.
    Additional Comment:
        6.0 Originating Agency Identifiers (ORI), Authorizations and User Agreements
        6.5 Direct Communications Links Under the Authority of an Interface Agency or Other
        Controlling Agency
    Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data

31  Submitting Agency: FDLE
    Law/Rule/Policy: CJIS Security Policy 6.6
    FR Category: Governance
    Functional Requirement:
        Private contractors (non-governmental) shall be permitted access to CJIS record
        information systems pursuant to an agreement which specifically identifies the
        contractor's purpose and scope of providing services for the administration of
        criminal justice. The agreement between the criminal justice government agency and
        the private contractor shall incorporate the CJIS Security Addendum approved by the
        Director of the FBI (acting for the U.S. Attorney General), as referenced in Title 28
        CFR 20.33 (a)(7). Private contractors who perform the administration of criminal
        justice shall meet the same training and certification criteria required by
        governmental agencies performing a similar function, and shall be subject to the same
        extent of audit review as are local user agencies.
    Additional Comment:
        6.0 Originating Agency Identifiers (ORI), Authorizations and User Agreements
        6.6 Private Contractor User Agreements
        Also Refer to CJUA Sec III para 9
    Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data
32  Submitting Agency: FDLE
    Law/Rule/Policy: CJIS Security Policy 7.1
    FR Category: Security - Electronic
    Functional Requirement:
        The ISO shall establish procedures for documenting, maintaining, and updating criminal
        justice information network configurations and shall distribute these procedures and
        any changes to the Interface Agency's direct users. The ISO shall ensure that a
        complete topological drawing which depicts the interconnectivity of the Interface
        Agency's network configuration is maintained in a current status by the Interface
        Agency. This topological drawing shall include the following:
        a) All communications paths, circuits, and other components used for the
           interconnection, beginning with the organization-owned system(s) and traversing
           through all interconnected systems to the organization end-point.
        b) The logical location of all components (e.g., firewalls, routers, switches, hubs,
           servers, encryption devices, and computer workstations). Individual workstations
           (clients) do not have to be shown. An annotation of the number of clients and their
           ORI designations is sufficient.
        c) The words "FOR OFFICIAL USE ONLY" shall appear near the bottom of the page
           containing the drawing. Records of wireless device identification (ID) numbers and
           contact numbers of commercial wireless providers shall also be maintained to allow
           for deactivation of lost or stolen devices. The USER (Interface Agency) must
           maintain, in current status, and provide upon request by FDLE a complete topological
           drawing, which depicts the User's network configuration as connected to CJNet. This
           documentation must clearly indicate all network connections, service agencies and
           interfaces to other information systems.
    Additional Comment:
        7.0 Technical Security
        7.1 Documentation of Network Configuration
        Also Refer to CJUA sec 3 para 4c
    Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data

33  Submitting Agency: FDLE
    Law/Rule/Policy: CJIS Security Policy 7.2.2
    FR Category: Security - Physical
    Functional Requirement:
        A "physically secure location" is a criminal justice facility, an area, a room, a group
        of rooms, or a police vehicle that is/are subject to criminal justice agency management
        control/security addendum and which contain hardware, software, and/or firmware (e.g.,
        information system servers, controlled interface equipment, associated peripherals or
        communications equipment, wire closets, patch panels, etc.) that provide access to the
        CJIS network. Physical security perimeters shall be defined by the CSO. Law enforcement
        sensitive facilities and restricted/controlled areas shall be prominently posted and
        separated from non-sensitive facilities and non-restricted/controlled areas by physical
        barriers that restrict unauthorized access. Every physical access point to sensitive
        facilities or restricted areas housing information systems that access, process, or
        display CJIS data shall be controlled/secured in a manner which is acceptable to the
        CSO during both working and non-working hours.
    Additional Comment:
        7.0 Technical Security
        7.2 Physically Secure Location
        7.2.2 Definition
        Also Refer to CJUA Sec III para 2
    Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data
34  Submitting Agency: FDLE
    Law/Rule/Policy: CJIS Security Policy 7.2.3
    FR Category: Security - Physical
    Functional Requirement:
        As of September 30, 2005, any procurement or upgrade for a system which is considered
        part of--or is accessing a criminal justice information system between--secure
        locations via the Internet, wireless, or dial-in connection from a remote location,
        shall use, at a minimum, a Virtual Private Network (VPN) or any combination of security
        tools that provide approved encryption and advanced authentication as defined in this
        policy. By September 30, 2013, all systems must comply.
    Additional Comment:
        7.0 Technical Security
        7.2 Physically Secure Location
        7.2.3 Secure Locations
        Also Refer to CJUA Sec III para 4.b
    Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data

35  Submitting Agency: FDLE
    Law/Rule/Policy: CJIS Security Policy 7.3.1
    FR Category: Security - Electronic
    Functional Requirement:
        Each person who is authorized to store, process and/or transmit information on a FBI
        CJIS system shall be uniquely identified by use of a unique identifier. A unique
        identification shall also be required for all persons who administer and maintain the
        system(s) that access CJIS data and/or networks. The unique identification can take the
        form of a full name, badge number, serial number or other unique alphanumeric
        identifier.
        Organizations shall require users to identify themselves uniquely before the user is
        allowed to perform any actions on the system. Organizations shall ensure that all user
        IDs belong to currently authorized users. Identification data shall be kept current by
        adding new users and disabling former users.
    Additional Comment:
        7.0 System Logon
        7.3.1 Identification/Userid
        Also Refer to CJUA Sec III para 10
    Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data

36  Submitting Agency: FDLE
    Law/Rule/Policy: CJIS Security Policy 7.3.3
    FR Category: Security - Electronic
    Functional Requirement:
        If passwords are used, organizations shall ensure the following secure password
        attributes:
        a) Passwords shall be a minimum length of eight (8) characters on systems procured
           after September 30, 2005, and on all systems by September 30, 2010.
        b) Passwords shall not be a dictionary word or proper name.
        c) Passwords and the User id shall not be the same.
        d) Passwords shall be changed within a maximum of every 90 days.
        e) All systems procured after September 30, 2005 shall prevent password reuse of the
           last ten (10) passwords.
        f) Passwords shall not be transmitted in the clear outside the secure domain.
    Additional Comment:
        7.0 System Logon
        7.3.3 Passwords
        Also Refer to CJUA Sec III para 10
    Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data

37  Submitting Agency: FDLE
    Law/Rule/Policy: CJIS Security Policy 7.5
    FR Category: Security - Electronic
    Functional Requirement:
        The network infrastructure shall control the flow of information between
        interconnected systems. Information flow security controls regulate where information
        is allowed to travel within an information system and between information systems (as
        opposed to who is allowed to access the information) and without explicit regard to
        subsequent accesses to that information. In other words, controlling how data moves
        from one place to the next in a secure manner. A few generalized examples of
        information flow security controls are:
        1. Prevent FBI CJIS data from being transmitted unencrypted across the public network;
        2. Block outside traffic that claims to be from within the agency; and
        3. Not passing web requests to the public network that are not from the internal web
           proxy.
        Specific examples of flow control enforcement can be found in boundary protection
        devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers
        that employ rule sets or established configuration settings that restrict information
        system services or provide a packet filtering capability).
    Additional Comment:
        7.0 System Logon
        7.5 Information Flow Security Controls
        Also Refer to CJUA Sec II para 1 & Sec III para 4.d
    Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data
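The three generalized flow controls in row 37, written out as an ordered rule set over flow records the way a boundary device's packet filter would apply them. This is an added example, not part of the requirements document; the agency address range, the interface names, the proxy address and the sample flows are constructed assumptions.

```python
# Added example (not the document's): row 37's three information flow controls as a rule set.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed agency topology, constructed for the example.
AGENCY_NETS = [ip_network("10.20.0.0/16")]   # addresses that belong to the agency
EXTERNAL_IFACE = "wan0"                       # interface facing the public network
WEB_PROXY = ip_address("10.20.5.10")          # only host allowed to send web requests outward
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    iface_in: str       # interface the packet arrived on ("lan0" or "wan0" here)
    src: str
    dst: str
    dst_port: int
    cjis_data: bool     # payload carries FBI CJIS data
    encrypted: bool     # carried inside an approved encrypted tunnel (e.g. a VPN)


def is_agency(addr: str) -> bool:
    return any(ip_address(addr) in net for net in AGENCY_NETS)


def flow_decision(f: Flow) -> tuple[str, str]:
    """Return (verdict, rule); verdict is 'drop' or 'permit'. Rules run in order, first deny wins."""
    inbound = f.iface_in == EXTERNAL_IFACE
    # Rule 2: outside traffic that claims an inside (agency) source address.
    if inbound and is_agency(f.src):
        return "drop", "2: spoofed internal source on external interface"
    outbound_public = not inbound and not is_agency(f.dst)
    # Rule 1: CJIS data may not cross the public network unencrypted.
    if outbound_public and f.cjis_data and not f.encrypted:
        return "drop", "1: unencrypted CJIS data to public network"
    # Rule 3: web requests leave only via the internal web proxy.
    if outbound_public and f.dst_port in WEB_PORTS and ip_address(f.src) != WEB_PROXY:
        return "drop", "3: web request not from internal proxy"
    return "permit", "default"


# Constructed sample flows covering each rule plus two permitted cases.
SAMPLE_FLOWS = [
    Flow("wan0", "10.20.1.5", "10.20.5.20", 443, False, False),    # spoofed source
    Flow("lan0", "10.20.1.5", "198.51.100.7", 4000, True, False),  # CJIS in the clear
    Flow("lan0", "10.20.1.5", "198.51.100.7", 4000, True, True),   # CJIS inside a VPN
    Flow("lan0", "10.20.1.9", "203.0.113.8", 443, False, False),   # workstation bypassing proxy
    Flow("lan0", "10.20.5.10", "203.0.113.8", 443, False, False),  # proxy egress
]


def audit(flows=SAMPLE_FLOWS):
    """Evaluate each flow; returns a list of (flow, verdict, rule) tuples."""
    return [(f, *flow_decision(f)) for f in flows]


if __name__ == "__main__":
    for f, verdict, rule in audit():
        print(f"{verdict:6} {f.src:>12} -> {f.dst:<14} port {f.dst_port:<5} {rule}")
```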
38  Submitting Agency: FDLE
    Law/Rule/Policy: CJIS Security Policy 7.6
    FR Category: Security - Electronic
    Functional Requirement:
        The Interface Agency shall develop and maintain the security documentation to address
        access control. Access control enforces authorization, which is the granting of rights,
        by the owner, or controller of a resource, for others to access that resource.
        Host-based mechanisms include, but are not limited to file passwords, access control
        lists and disk encryption. Network-based techniques involve access control enforcement
        functions, which allow or block access requests. Firewalls are a useful way to address
        network access control. Another alternative is to employ access prevention mechanisms
        which deny access to all unauthorized users. Where technically feasible the information
        system shall enforce a limit of no more than 5 consecutive invalid access attempts by a
        user (attempting to access Criminal Justice Information (CJI) or systems with access to
        CJI). The information system shall automatically lock the account/node for a minimum
        10 minute time period unless unlocked by a system administrator.
        The information system shall prevent further access to the system by initiating a
        session lock after a maximum of 30 minutes of inactivity, and the session lock remains
        in effect until the user reestablishes access using appropriate identification and
        authentication procedures. Users can directly initiate session lock mechanisms to
        prevent inadvertent viewing when a device is unattended. A session lock is not a
        substitute for logging out of the information system. In the interest of officer
        safety, devices that are part of a police vehicle or are used to conduct dispatch
        functions and are within a physically secure location are exempt from this
        requirement. Note: an example of a session lock is a screen saver with password. The
        agency shall enforce the most restrictive set of rights/privileges or access needed by
        users for the performance of specified tasks. The agency shall implement least
        privilege based on specific duties, operations and/or information systems as necessary
        to mitigate risk to FBI CJIS data. This limits access to FBI CJIS data to only
        authorized personnel with the need and the right to know.
    Additional Comment:
        7.0 System Logon
        7.6 Access Control
    Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data
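A model of the logon controls stated in rows 36 and 38: password attributes (a) to (e), the five-attempt lockout with its ten-minute minimum, and the thirty-minute inactivity session lock that only re-authentication releases. This is an added example, not code from the requirements document; the thresholds are the rows' own, while the forbidden-word list and the clock values passed in as `now` are constructed for the example.

```python
# Added example (not the document's): row 36 password attributes and row 38 lockout / session lock.
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIN_PASSWORD_LENGTH = 8          # row 36 (a)
MAX_PASSWORD_AGE_DAYS = 90       # row 36 (d)
PASSWORD_HISTORY_DEPTH = 10      # row 36 (e), current password included
MAX_INVALID_ATTEMPTS = 5         # row 38
LOCKOUT_SECONDS = 10 * 60        # row 38, minimum lock period
SESSION_LOCK_SECONDS = 30 * 60   # row 38, inactivity limit

# Constructed stand-in for a real dictionary / proper-name list (row 36 (b)).
FORBIDDEN_WORDS = {"password", "florida", "welcome1", "sunshine", "tallahassee"}

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Credential:
    user_id: str
    set_at: float = 0.0   # epoch seconds when the current password was set
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest first

def password_violations(cred: Credential, candidate: str) -> list[str]:
    """Row 36 attributes (a), (b), (c) and (e); an empty list means the candidate is acceptable.
    Attribute (f), no clear-text transmission, is a transport property and is not modelled here."""
    problems = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        problems.append("a: fewer than 8 characters")
    if candidate.lower() in FORBIDDEN_WORDS:
        problems.append("b: dictionary word or proper name")
    if candidate.lower() == cred.user_id.lower():
        problems.append("c: same as user id")
    if any(hmac.compare_digest(_digest(candidate, s), d) for s, d in cred.history):
        problems.append("e: reuses one of the last 10 passwords")
    return problems

def set_password(cred: Credential, candidate: str, now: float) -> None:
    problems = password_violations(cred, candidate)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    cred.history.insert(0, (salt, _digest(candidate, salt)))
    del cred.history[PASSWORD_HISTORY_DEPTH:]   # keep only the last ten
    cred.set_at = now

def password_expired(cred: Credential, now: float) -> bool:
    """Row 36 (d): the password must be changed at least every 90 days."""
    return now - cred.set_at > MAX_PASSWORD_AGE_DAYS * 86400

def verify(cred: Credential, candidate: str) -> bool:
    if not cred.history:
        return False
    salt, digest = cred.history[0]
    return hmac.compare_digest(_digest(candidate, salt), digest)

@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    last_activity: float | None = None   # None: no open session
    session_locked: bool = False

def attempt_login(state: AccountState, cred: Credential, candidate: str, now: float) -> str:
    """Row 38 lockout rule; returns 'locked', 'denied' or 'granted'.
    A successful login also releases an inactivity session lock (re-authentication)."""
    if now < state.locked_until:
        return "locked"
    if not verify(cred, candidate):
        state.failures += 1
        if state.failures >= MAX_INVALID_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS   # until expiry or admin_unlock()
            state.failures = 0
            return "locked"
        return "denied"
    state.failures = 0
    state.last_activity = now
    state.session_locked = False
    return "granted"

def admin_unlock(state: AccountState) -> None:
    """Row 38: a system administrator may clear the lock before the 10 minutes elapse."""
    state.locked_until = 0.0
    state.failures = 0

def touch(state: AccountState, now: float) -> bool:
    """Record user activity. False means the session lock has engaged (over 30 minutes idle)
    and attempt_login must succeed again before the user may continue."""
    if state.last_activity is None:
        return False
    if state.session_locked or now - state.last_activity > SESSION_LOCK_SECONDS:
        state.session_locked = True
        return False
    state.last_activity = now
    return True
```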
39   FDLE   CJIS Security Policy 7.7   Operation - Communications
     Functional Requirement:
       A “public network” segment for CJIS purposes is defined as a telecommunications infrastructure
       consisting of network components that are not owned, operated, and managed solely by a criminal
       justice agency, i.e., a telecommunications infrastructure which supports a variety of users other
       than criminal justice or law enforcement. Examples of public networks/segments include, but are not
       limited to: dial-up and Internet connections, Asynchronous Transfer Mode (ATM) clouds, Frame Relay
       clouds, wireless networks, wireless links, and cellular telephones. All public network segments
       must be protected by encryption standards that are stated in this security policy when passing
       FBI CJIS Data.
     Additional Comment: 7.0 System Logon; 7.7 Public Networks Segments; Also Refer to CJUA Sec III para 4.b
     Applies To: FDLE [ ]   CJ Agencies & Data Centers hosting FBI CJIS Data [X]
40   FDLE   CJIS Security Policy 7.8   Operation - Connectivity
     Functional Requirement:
       The Interface Agency's responsibilities for dial-up access are as follows:
       a) The Interface Agency may authorize employees and/or authorized third parties (e.g., vendors,
          etc.) to use dial-up connections to gain access to the Interface Agency's network.
       b) Dial-up access shall be strictly controlled using an authentication mechanism as previously
          defined in this policy.
       c) Advanced authentication for dial-up access shall be included in all procurements after
          September 30, 2005.
       d) Dial-back functions shall be recognized as insufficient because they are easily compromised.
       e) The Interface Agency shall have written procedures for dial-up access and track those who are
          authorized users. The Interface Agency shall also develop and maintain the security
          documentation to address user identity and agency association, the authorization of the user
          and the level of access authorized, the purpose of use, and the location of fixed-based
          dial-up sites.
       f) If known, the location of the remote dial-up sites shall be noted for documentation purposes.
       g) Each authorized dial-up user shall be issued a unique identifier.
       h) All CJIS transactions and messages sent and received on the dial-up system (successful and
          unsuccessful) shall be logged.
       i) The system shall be able to identify the transaction from the automated transaction log for
          all dial-up circuits.
       j) Automatic logging shall include session initiation and termination messages, failed access
          attempts, and all forms of access violations such as attempts to access data beyond the level
          of authorized access.
       k) Access to the transaction log shall be highly controlled.
       l) The transaction logs shall be maintained for a minimum of twelve (12) months for the purpose
          of a security audit review.
       m) All hosts which are connected to internal networks via dial-up shall use the most up-to-date
          anti-virus software. This includes personal computers.
     Additional Comment: 7.0 System Logon; 7.8 Dial-up Access; Also Refer to CJUA Sec III para 4.a
     Applies To: FDLE [ ]   CJ Agencies & Data Centers hosting FBI CJIS Data [X]
41   FDLE   CJIS Security Policy 7.9   Operation - Connectivity
     Functional Requirement:
       The CSA is authorized to grant Internet access, to include Internet dial-up access, and to
       support CJIS processing when a minimum set of technical and administrative requirements have been
       met, to include advanced authentication and encryption. To assure the security of CJIS systems
       from unauthorized Internet access and to preserve the confidentiality, integrity, and
       availability of CJIS information as it is processed, CJIS transactions shall be permitted over
       the Internet only after the following minimum requirements have been implemented:
       a) Advanced authentication as defined within this policy.
       b) Networks in which some terminals or access devices have CJIS access and/or Internet access
          (e.g., peer-to-peer relationships, large mainframes and servers that house web sites) shall
          be protected by firewall-type devices. These devices shall implement a minimum firewall
          profile in order to provide a point of defense and a controlled and audited access to
          servers, both from inside and outside the CJIS networks.
       c) Data which is at risk on access devices and workstations shall have the residual CJIS data
          protected by the methods of removal, encryption, or erasure.
       d) All CJIS data transmitted through any Internet connection shall be immediately protected
          with a minimum of 128-bit encryption.
       e) All Internet contracts after September 30, 2005 shall support a minimum of 128-bit encryption
          which has been certified by the NIST or Canada’s Communications Security Establishment (CSE)
          to ensure that cryptographic modules meet FIPS Publication 140-2 for "Security Requirements
          for Cryptographic Modules."
     Additional Comment: 7.0 System Logon; 7.9 Internet Access
     Applies To: FDLE [ ]   CJ Agencies & Data Centers hosting FBI CJIS Data [X]
42   FDLE   CJIS Security Policy 7.10   Operations - Connectivity
     Functional Requirement:
       a) All wireless upgrades contracted after September 30, 2002 shall support a minimum of 128-bit
          encryption for all data. Any procurement for wireless devices after September 30, 2005, shall
          require a minimum of 128-bit encryption with NIST or CSE certification of the cryptographic
          module to ensure it meets FIPS Publication 140-2 for "Security Requirements for Cryptographic
          Modules." Any wireless device with a required minimum of 128-bit encryption procured before
          September 30, 2005, does not require NIST or CSE certification until September 30, 2010.
       b) All currently-in-use symmetric and asymmetric mobile data terminal crypto-systems shall have
          key lengths of at least 56 bits or more; however, these currently-in-use systems shall meet
          the minimum 128-bit encryption requirement for data by the close of September 30, 2005 when
          sanctions for noncompliance will take effect. See FBI CJIS Security Policy version 4.5
          Appendix C (C.6) for more details pertaining to the "Sunset Clause."
       c) All wireless links or server access points must be protected by authentication to ensure
          protection from unauthorized system access. For additional guidance and information see FBI
          CJIS Security Policy version 4.5 Appendix C (C.10) for "Wireless Implementation Guidelines."
       NOTE: All wireless upgrades and new wireless devices communicating through public networks must
       immediately employ, at a minimum, a personal/software based firewall where commercially available
       by more than one vendor. Any wireless devices procured before April 30, 2007 do not require a
       personal/software based firewall until September 30, 2010. This would include all devices used
       to manage, administer or monitor systems that process FBI CJIS Data.
     Additional Comment: 7.0 System Logon; 7.10 Wireless; 7.7 Public Network Segments;
       Also Refer to CJUA Sec III para 4.b
     Applies To: FDLE [ ]   CJ Agencies & Data Centers hosting FBI CJIS Data [X]
43   FDLE   CJIS Security Policy 7.12   Security - Encryption
     Functional Requirement:
       a) All CJIS data transmitted through any public network segment or over dial-up or Internet
          connections shall be immediately protected with a minimum of 128-bit encryption. This
          requirement also applies to any private data circuit that is shared with non-criminal justice
          users and/or is not under the direct management control of a criminal justice agency.
     Additional Comment: 7.0 System Logon; 7.12 Encryption; Also Refer to CJUA Sec III para 4.b
     Applies To: FDLE [ ]   CJ Agencies & Data Centers hosting FBI CJIS Data [X]
44   FDLE   CJIS Security Policy 7.13.1   Operations - Connectivity
     Functional Requirement:
       a) Networks in which some terminals and/or access devices have CJIS access and/or Internet
          access (e.g., peer to peer relationships, large mainframes and servers that house web sites)
          shall be protected by network firewall type devices. These devices shall implement a minimum
          firewall profile in order to provide a point of defense and a controlled and audited access
          to servers, both from inside and outside the CJIS networks.
       b) Network firewall architectures shall prevent unauthorized access to CJIS data and all network
          components providing access to the FBI CJIS Wide Area Network (WAN), either directly or
          indirectly through connections to other networks. Network firewall policies shall be
          concerned with securing the total site. This must include all forms of access: wireless,
          dial in, off site, Internet access, and others.
       c) Network firewall operating system builds shall be based upon minimal feature sets. (It is
          extremely important that all unnecessary operating system features are removed from the
          build prior to network firewall implementation, especially compilers.) All unused networking
          protocols shall be removed from the network firewall operating system build.
       d) Any appropriate operating system patches shall be applied before any installation of network
          firewall components, and procedures shall be developed to ensure that the network firewall
          patches remain current while the network firewall retains its statefulness.
       e) All unused network services or applications shall be removed or disabled. Only network
          services that are required shall be permitted through the network firewall. Allowed services
          shall be documented as to the service allowed, the description of service, and the business
          requirement for service.
       f) All unused user or system accounts shall be disabled.
       g) All default vendor accounts shall have the passwords changed prior to the network firewall
          going on line.
       h) Unused physical network interfaces shall be disabled or removed from the server chassis.
       i) Only network firewalls employing multiple network interfaces (a.k.a. dual homed) are
          permitted. A network firewall having less than two network interfaces or otherwise conducting
          inbound and outbound traffic on a single network line shall not be permitted.
       j) A network firewall implementation shall not reside on a shared server platform offering
          general network file and print services to a user community.
       k) All network firewalls shall be backed up immediately prior to production release. (As a
          general principle, all network firewall backups should be full backups as there is no real
          requirement or need for incremental backups.)
     Additional Comment: 7.0 System Logon; 7.13 Firewalls; 7.13.1 Network Firewalls;
       Also refer to 7.10 Wireless
     Applies To: FDLE [ ]   CJ Agencies & Data Centers hosting FBI CJIS Data [X]
45   FDLE   CJIS Security Policy 7.13.3   Operations - Connectivity
     Functional Requirement:
       A personal firewall is defined for CJIS Security Policy purposes only as a firewall that can
       operate with only one network interface on a personal computer, or other handheld computing
       device. The handheld devices referenced here shall include Personal Digital Assistants (PDAs),
       Personal Electronic Devices (PEDs), cell phones, smart phones, and other multifunction handheld
       devices.
       A personal firewall must meet the requirements listed in a) or b) below.
       a) Any personal firewall certified by one of the following:
          1) NIST Common Criteria Evaluation and Validation (as reported on the web page at
             http://www.niap-ccevs.org/cc-scheme/).
          2) ICSA Labs Certified - tested and verified by ICSA Labs, a consortium of vendors.
          3) Checkmark certified - tested and verified by Western Information Labs, a consortium of
             vendors.
       b) An "uncertified" personal firewall providing all of the following services:
          1) Manage program access to the Internet.
          2) Block unsolicited requests to connect to the PC.
          3) Filter incoming traffic by IP address or protocol.
          4) Filter incoming traffic by destination ports.
          5) Filter outgoing traffic by IP address, protocol, source and destination ports.
          6) Maintain an IP traffic log.
     Additional Comment: 7.0 System Logon; 7.13 Firewalls; 7.13.3 Personal Firewalls
     Applies To: FDLE [ ]   CJ Agencies & Data Centers hosting FBI CJIS Data [X]
46   FDLE   CJIS Security Policy 7.14   Governance
     Functional Requirement:
       The CSA shall conduct security audits for operational systems at least once every three (3)
       years. All Interface Agencies shall establish an audit trail capable of monitoring successful and
       unsuccessful log on attempts, file access, type of transaction, and password changes. All audit
       trail files shall be protected to prevent unauthorized changes or destruction.
     Additional Comment: 7.0 System Logon; 7.14 Audit Trails and Audit Records;
       Also Refer to CJUA Sec II para 2
     Applies To: FDLE [ ]   CJ Agencies & Data Centers hosting FBI CJIS Data [X]
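One way to review an audit trail against the logging requirements in row 40 (items g, j and l) and row 46, as an added example that is not part of this document or of the CJIS Security Policy: the log line format, the event names, the user and agency identifiers and the sample records are all constructed for illustration.

```python
"""Audit-trail review against the CJIS logging requirements quoted above.

Added example; the line format and event names are assumptions, not a CJIS format.
Checks performed:
  - row 40 (j): session initiation/termination, failed access attempts and
    access violations are all present in the trail;
  - row 46: successful and unsuccessful logon, file access, transaction type
    and password changes are all being monitored;
  - row 40 (l): the trail reaches back at least twelve months;
  - row 40 (g): an identifier is not reused across agencies (heuristic);
  - access violations are pulled out for the security audit review.
"""
from datetime import datetime, timedelta
import re

# Event names the trail must carry, mapped from the quoted requirements.
REQUIRED_ROW40_J = {"SESSION_START", "SESSION_END", "LOGIN_FAIL", "ACCESS_VIOLATION"}
REQUIRED_ROW46 = {"LOGIN_OK", "LOGIN_FAIL", "FILE_ACCESS", "TRANSACTION", "PASSWORD_CHANGE"}
RETENTION = timedelta(days=365)  # "a minimum of twelve (12) months"

# Constructed format: ISO timestamp followed by key=value tokens.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict; None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        rec = {"ts": datetime.fromisoformat(m.group("ts"))}
    except ValueError:
        return None
    for tok in m.group("kv").split():
        key, _, val = tok.partition("=")
        rec[key] = val
    return rec


def review_audit_trail(lines, now):
    """Return record count, compliance findings and the access violations to review."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    findings = []

    # Coverage: every required event type must appear at least once.
    seen = {r.get("event") for r in recs}
    missing = (REQUIRED_ROW40_J | REQUIRED_ROW46) - seen
    if missing:
        findings.append("trail does not carry: " + ", ".join(sorted(missing)))

    # Retention: the oldest surviving record must be at least twelve months old,
    # otherwise twelve-month retention cannot be demonstrated from the trail.
    if recs:
        oldest = min(r["ts"] for r in recs)
        if now - oldest < RETENTION:
            findings.append("oldest record is newer than 12 months; retention not demonstrated")

    # Unique identifier heuristic: one identifier tied to more than one agency
    # suggests a shared or reissued account rather than a unique per-user id.
    agencies = {}
    for r in recs:
        if "user" in r:
            agencies.setdefault(r["user"], set()).add(r.get("agency"))
    shared = sorted(u for u, a in agencies.items() if len(a) > 1)
    if shared:
        findings.append("identifier used by more than one agency: " + ", ".join(shared))

    violations = [r for r in recs if r.get("event") == "ACCESS_VIOLATION"]
    return {"records": len(recs), "findings": findings, "violations": violations}


# Constructed sample trail (no PASSWORD_CHANGE event, one access violation).
SAMPLE_TRAIL = [
    "2009-11-15T08:02:11 event=SESSION_START user=ops-1042 agency=PD17 src=dialup-03",
    "2009-11-15T08:02:40 event=LOGIN_OK user=ops-1042 agency=PD17",
    "2009-11-15T08:05:02 event=TRANSACTION user=ops-1042 agency=PD17 type=QW",
    "2009-11-15T08:09:55 event=SESSION_END user=ops-1042 agency=PD17",
    "2010-06-02T22:14:07 event=LOGIN_FAIL user=ops-2210 agency=PD17 src=dialup-01",
    "2010-06-02T22:14:31 event=LOGIN_FAIL user=ops-2210 agency=PD17 src=dialup-01",
    "2010-06-02T22:15:03 event=LOGIN_OK user=ops-2210 agency=PD17",
    "2010-06-02T22:16:48 event=ACCESS_VIOLATION user=ops-2210 agency=PD17 detail=III_query_without_authorization",
    "2010-11-20T10:30:00 event=FILE_ACCESS user=ops-1042 agency=PD17 path=/cjis/export",
]


def review_sample():
    """Run the review over the constructed trail as of the document's revision date."""
    return review_audit_trail(SAMPLE_TRAIL, datetime(2010, 12, 6))


if __name__ == "__main__":
    result = review_sample()
    print(f"{result['records']} records reviewed")
    for f in result["findings"]:
        print("FINDING:", f)
    for v in result["violations"]:
        print("REVIEW:", v["ts"].isoformat(), v.get("user"), v.get("detail"))
```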
47   FDLE   CJIS Security Policy 7.15   Operations - Connectivity
     Functional Requirement:
       All IT systems with CJIS connectivity shall employ virus protection software. Anti-virus
       software shall:
       1) Detect and eliminate viruses on computer workstations, laptops, servers, and simple mail
          transfer protocol gateways,
       2) Be enabled on workstations and servers at start-up and employ resident scanning,
       3) On servers, update virus signature files immediately, or as soon as possible, with each new
          release.
     Additional Comment: 7.0 System Logon; 7.15 Virus Protection; Also Refer to CJUA Sec III para 4.e
     Applies To: FDLE [ ]   CJ Agencies & Data Centers hosting FBI CJIS Data [X]
48   FDLE   CJIS Security Policy 7.16   Operations - Communications
     Functional Requirement:
       As coordinated through the particular CSA, each Interface Agency shall also allow the FBI to
       periodically test the ability to penetrate the FBI's network through the external network
       connection or system per authorization of DOJ Order 2640.2E.
     Additional Comment: 7.0 System Logon; 7.16 Penetration Testing; Also Refer to CJUA Sec III para 6
     Applies To: FDLE [ ]   CJ Agencies & Data Centers hosting FBI CJIS Data [X]
49   FDLE   CJIS Security Policy 8.2 - 8.3   Policy and Procedures
     Functional Requirement:
       FDLE and FBI CJIS data can only be accessed and disseminated for an authorized purpose. This
       includes maintenance of an IT System. CJIS systems data is sensitive information and security
       shall be afforded to prevent any unauthorized access, use or dissemination of the information.
       Improper access, use and/or dissemination of CHRI and hot file information is serious and may
       result in the imposition of administrative sanctions including, but not limited to, termination
       of services and state and federal criminal penalties.
     Additional Comment: 8.0 Use and Dissemination of Criminal History Record Information (CHRI) and
       NCIC "Hot File" Information; Also Refer to CJUA Sec II para 1 & Sec II para 1.b(vi)
     Applies To: FDLE [ ]   CJ Agencies & Data Centers hosting FBI CJIS Data [X]
50   FDLE         CJIS Security      Policy and     An automated log shall be maintained for a minimum of one (1) year on all           8.4 Subject: Logging
                  Policy 8.4         Procedures     NCIC and III transactions. The III portion of the automated log shall clearly       Also Refer to CJUA Sec II para 1.b(ix)
                                                                                                                                                                                                      X
                                                    identify both the operator and the authorized receiving agency. III logs shall
                                                    also clearly identify the requester and the secondary recipient. The
                                                    identification on the log must take the form of a unique identifier that must
                                                    remain unique to the individual requester and to the secondary recipient
                                                    throughout the minimum one year retention period.
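As an added illustration (not part of the workgroup document or any FDLE/FBI code), the following Python checker applies the 8.4 logging requirement above to a transaction log: III entries must identify operator, receiving agency, requester and secondary recipient, each identifier must keep denoting the same individual for the one-year retention window, and no entry may be purged before it is a year old. The record layout, identifier scheme and sample data are constructed assumptions.

```python
# Added illustration, not part of the workgroup document or FDLE/FBI code:
# a checker for the CJIS Security Policy 8.4 log requirement quoted above.
# Record layout, identifier scheme and sample data are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

RETENTION = timedelta(days=365)  # minimum one (1) year retention


@dataclass(frozen=True)
class LogEntry:
    """One NCIC or III transaction in the automated log (assumed layout)."""
    timestamp: datetime
    system: str                                   # "NCIC" or "III"
    operator_id: str                              # unique identifier of the operator
    receiving_agency: str                         # authorized receiving agency
    requester_id: Optional[str] = None            # III only
    secondary_recipient_id: Optional[str] = None  # III only


@dataclass(frozen=True)
class IdAssignment:
    """Which individual or agency an identifier denoted from a given date."""
    identifier: str
    person: str
    assigned_at: datetime


def check_entry(e: LogEntry) -> List[str]:
    """Field-level checks: every entry names operator and receiving agency;
    III entries also name requester and secondary recipient."""
    problems = []
    if e.system not in ("NCIC", "III"):
        problems.append(f"unknown system {e.system!r}")
    if not e.operator_id or not e.receiving_agency:
        problems.append("operator and receiving agency must be identified")
    if e.system == "III" and not (e.requester_id and e.secondary_recipient_id):
        problems.append("III entry must identify requester and secondary recipient")
    return problems


def check_identifier_stability(entries: List[LogEntry],
                               assignments: List[IdAssignment]) -> List[str]:
    """An identifier referenced by an entry must keep denoting the same person
    for RETENTION after that entry; reassigning it earlier breaks the log's
    ability to attribute the transaction."""
    history: Dict[str, List[IdAssignment]] = {}
    for a in sorted(assignments, key=lambda a: a.assigned_at):
        history.setdefault(a.identifier, []).append(a)
    problems = []
    for e in entries:
        for ident in (e.operator_id, e.requester_id, e.secondary_recipient_id):
            if not ident:
                continue
            in_force = [a for a in history.get(ident, []) if a.assigned_at <= e.timestamp]
            if not in_force:
                problems.append(f"{ident}: not assigned to anyone at {e.timestamp:%Y-%m-%d}")
                continue
            owner = in_force[-1].person
            for a in history[ident]:
                if e.timestamp < a.assigned_at < e.timestamp + RETENTION and a.person != owner:
                    problems.append(
                        f"{ident}: reassigned from {owner} to {a.person} on "
                        f"{a.assigned_at:%Y-%m-%d}, inside the retention window of "
                        f"the entry logged {e.timestamp:%Y-%m-%d}")
    return problems


def can_purge(e: LogEntry, now: datetime) -> bool:
    """An entry may leave the log only once it is at least RETENTION old."""
    return now >= e.timestamp + RETENTION


# Constructed sample data (agency codes and identifiers are placeholders).
SAMPLE_ENTRIES = [
    LogEntry(datetime(2010, 3, 1, 9, 15), "NCIC", "OP-1042", "AGENCY-EX-1"),
    LogEntry(datetime(2010, 3, 1, 9, 20), "III", "OP-1042", "AGENCY-EX-1", "REQ-77", "SEC-12"),
    LogEntry(datetime(2010, 3, 2, 14, 0), "III", "OP-1042", "AGENCY-EX-1", "REQ-77"),  # no secondary recipient
]
SAMPLE_ASSIGNMENTS = [
    IdAssignment("OP-1042", "operator A", datetime(2009, 1, 1)),
    IdAssignment("REQ-77", "requester B", datetime(2009, 6, 1)),
    IdAssignment("REQ-77", "requester C", datetime(2010, 9, 1)),  # reused within a year
    IdAssignment("SEC-12", "recipient agency D", datetime(2009, 1, 1)),
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        for p in check_entry(e):
            print(f"{e.timestamp:%Y-%m-%d %H:%M} {e.system}: {p}")
    for p in check_identifier_stability(SAMPLE_ENTRIES, SAMPLE_ASSIGNMENTS):
        print(p)
    print("entry 0 purgeable on 2011-03-02:", can_purge(SAMPLE_ENTRIES[0], datetime(2011, 3, 2)))
```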
51   FDLE         CJIS Security      Policy and     The transfer of FBI CJIS CHRI by using the Internet and associated electronic       8.5 Transfers of FBI CJIS CHRI via the Internet
                  Policy 8.5         Procedures     media such as mail facilities, remote access file transfers, and any other file     Also Refer to CJUA Sec III para 4.b
                                                                                                                                                                                                      X
                                                    modifications shall be permitted provided all technical security requirements
                                                    have been met. (See Section 7.0, “Technical Security.”)

Revision Date: 12/6/2010                                                                                                                                                                              Page 20
52   FDLE         CJIS Security     Policy and    Each CSA shall establish a system to, at a minimum, triennially audit all            9.1 Triennial Audits by the CSA
                  Policy 9.1        Procedures    criminal justice and non-criminal justice agencies which have direct access to       Also Refer to CJUA Sec II para 2
                                                                                                                                                                                          X
                                                  the state system in order to ensure compliance with agency and FBI CJIS
                                                  Division policy and regulations.
53   FDLE         CJIS Security     Policy and    The CJIS Division's IT Security Program shall conduct a technical security           9.3 Technical Security Reviews by the FBI CJIA
                  Policy 9.3        Procedures    review of the Interface Agencies' networks and systems. This review shall            Division
                                                                                                                                                                                                       X
                                                  evaluate the implementation of the technical security provisions of the CJIS         Also Refer to CJUA Sec II para 2
                                                  Security Policy. The program for the Technical Security Reviews is managed
                                                  by the CJIS Division's IT Security Program.
54   FDLE         CJIS Security     Policy and    All agencies having direct access to FBI CJIS systems and the III data shall         9.4 Special Security Inquiries and Audits
                  Policy 9.4        Procedures    permit an inspection team to conduct an appropriate inquiry and audit of any         Also Refer to CJUA Sec II para 2
                                                                                                                                                                                                       X
                                                  alleged security violations. The inspection team shall be appointed by the APB
                                                  and shall include at least one representative of the CJIS Division. All results of
                                                  the inquiry and audit shall be reported to the APB with appropriate
                                                  recommendations.
55   FDLE         Federal           Governance    Federal Regulations 28 CFR (part 20), the National Crime Prevention and              Please refer to the following Criminal Justice
                  Regulations 28                  Privacy Compact Act of 1999 (Public Law 105-251), the FBI's CJIS Security            User Agreement sections:
                                                                                                                                                                                                       X
                  CFR (part 20)                   Policy, and Florida Statute 943.054 prohibit sharing criminal justice                CJUA Sec II para 1.b (vi)
                  National Crime                  information with non-governmental agencies. The State Data Center has no             & Sec II 1.b (ix) (c)
                  Prevention and                  authority to release criminal justice information or give access to information      & Sec II para 1.b (x)
                  Privacy                         restricted to the administration of criminal justice.                                & Sec II para 6.d
                  Compact Act of
                  1999 (Public
                  Law 105-251)
                  FBI's CJIS
                  Security Policy
                  Florida Statute
                  943.054
                  User
                  Agreement
                  Sec 2
                  paragraph 1
56   FDLE         28 C.F.R. §       Security      (g) … Each intelligence project shall assure that the following security             It is suggested that these requirements will be
                  23.20                           requirements are implemented:                                                        addressed in any Master Agreement that the
                                                                                                                                                                                          X
                                              (1) Where appropriate, projects must adopt effective and technologically            State Primary Data Centers and FDLE develop
                                              advanced computer software and hardware designs to prevent unauthorized             and execute for CJIS Data processing.
                                              access to the information contained in the system;
                                              (2) The project must restrict access to its facilities, operating environment and
                                              documentation to organizations and personnel authorized by the project;
                                              (3) The project must store information in the system in a manner such that it
                                              cannot be modified, destroyed, accessed, or purged without authorization;
                                              (4) The project must institute procedures to protect criminal intelligence
                                              information from unauthorized access, theft, sabotage, fire, flood, or other
                                              natural or manmade disaster;
                                              (5) The project must promulgate rules and regulations based on good cause
                                              for implementing its authority to screen, reject for employment, transfer, or
                                              remove personnel authorized to have direct access to the system; and
                                              (6) A project may authorize and utilize remote (off-premises) system data
                                              bases to the extent that they comply with these security requirements.
57   FDLE         28 C.F.R. §   Security      (f) Security. Wherever criminal history record information is collected, stored,    It is suggested that these requirements will be
                  20.21                       or disseminated, each State shall insure that the following requirements are        addressed in any Master Agreement that the
                                                                                                                                                                                     X
                                              satisfied by security standards established by State legislation, or in the         State Primary Data Centers and FDLE develop
                                              absence of such legislation, by regulations approved or issued by the               and execute for CJIS Data processing.
                                              Governor of the State.
                                              (1) Where computerized data processing is employed, effective and
                                              technologically advanced software and hardware designs are instituted to
                                              prevent unauthorized access to such information.
                                              (2) Access to criminal history record information system facilities, systems
                                              operating environments, data file contents whether while in use or when stored
                                              in a media library, and system documentation is restricted to authorized
                                              organizations and personnel.
                                              (3)(i) Computer operations, whether dedicated or shared, which support
                                              criminal justice information systems, operate in accordance with procedures
                                              developed or approved by the participating criminal justice agencies that
                                              assure that:
                                              (a) Criminal history record information is stored by the computer in such
                                              manner that it cannot be modified, destroyed, accessed, changed, purged, or
                                              overlaid in any fashion by non-criminal justice terminals.
                                              (b) Operation programs are used that will prohibit inquiry, record updates, or
                                              destruction of records, from any terminal other than criminal justice system
                                              terminals which are so designated.
                                              (c) The destruction of records is limited to designated terminals under the
                                              direct control of the criminal justice agency responsible for creating or storing
                                              the criminal history record information.
                                              (d) Operational programs are used to detect and store for the output of
                                              designated criminal justice agency employees all unauthorized attempts to
                                              penetrate any criminal history record information system, program or file.
                                              (e) The programs specified in paragraphs (f)(3)(i)(b) and (d) of this section are
                                              known only to criminal justice agency employees responsible for criminal
                                              history record information system control or individuals and agencies pursuant
                                              to a specific agreement with the criminal justice agency to provide such
                                              programs and the program(s) are kept continuously under maximum security
                                              conditions.
                                              (f) Procedures are instituted to assure that an individual or agency authorized
                                              direct access is responsible for (1) the physical security of criminal history
                                              record information under its control or in its custody and (2) the protection of
                                              such information from unauthorized access, disclosure or dissemination.

58   FDLE         FDLE Policy   Personnel -   The Florida Department of Law Enforcement (FDLE) will conduct background              FDLE Policy and Procedures 3.1
                  3.1           Background    investigations on all prospective members and other non-members (e.g.,                The State's Primary Data Center personnel will
                                                                                                                                                                                         X
                                              interns, custodial workers, volunteers, task force members, contract                  be expected to meet the FDLE Background
                                              employees and their employing entity, and other personal services (OPS)               Standards to determine their suitability to
                                              employees) who may have access to Departmental facilities or sensitive data.          access FDLE Sensitive and FBI CJIS Data.
                                              [CALEA 32.2.1] Background investigations will be conducted as required by
                                              law or to evaluate an applicant or other person’s qualifications, character,          Results of the Office of Executive Investigations
                                              integrity and suitability for placement in a position of public trust for access to   (OEI) will be forwarded to the CJIS CSO for the
                                              FDLE facilities, property or information resources. FDLE will also conduct            State Data Center employees assigned or to be
                                              background investigations for entities other than FDLE as authorized or               assigned to systems containing FBI CJIS and
                                              required by statute. The depth of the background conducted is commensurate            Sensitive Intelligence/Criminal History
                                              with the level of responsibility, access to protected areas within FDLE               Information databases. Based on the FBI CJIS
                                              structure, or access to sensitive information or databases.                           Security Policy, at section 4.5, and Federal
                                              A. The appropriate Executive Council member will assure that a minimum                Regulations: “If a record of any kind exists,
                                            background on non-FDLE persons such as vendors, custodial personnel,                systems access shall not be granted until the
                                            contract employees, painters, carpet workers, or kitchen workers, OPS               CSO or his/her official designee reviews the
                                            employees or task force members having access to FDLE facilities,                   matter to determine if systems access is
                                            information resources, or property are satisfactorily completed prior to granting   appropriate.” Further, “If the CSO or his/her
                                            such access. Any investigation must as a minimum include an FCIC/NCIC               designee determines that CJIS systems access
                                            criminal history and wanted check, a check in FDLE indices (AIM & InSite), a        by the person would not be in the public
                                            driver’s license check, and a fingerprint check. Further, non-FDLE member           interest, access shall be denied and the
                                            contractors/sub-contractors working on site or who have access to the FDLE          person's appointing authority shall be notified in
                                            data systems or conduct work or actions on behalf of FDLE are required to           writing of the access denial.”
                                            have a full background investigation. A preliminary background investigation
                                            must be completed prior to authorized entry into an FDLE facility, access to data
                                            systems and/or commencement of any contract work. The number of
                                            background elements conducted on non-FDLE persons depends upon the
                                            level of access to FDLE facilities/data and the type of service performed by
                                            that person. The Background/Security Check Matrix is a guideline for the
                                            minimum required elements of a background. Additional background elements
                                            may be conducted at the discretion of the supervisor/region. These
                                            background inquiries must be completed prior to allowing access to
                                            individuals.
                                            B. Non-FDLE persons having access to sensitive intelligence/criminal
                                            information databases, FDLE's automated investigative management system,
                                            domestic security task forces or other task force activity, will require
                                            backgrounds.
                                            Background checks for Non-FDLE persons will include:
                                            - FCIC/NCIC History/Wanted;
                                            - FDLE Indices (AIM & Insight);
                                            - Driver License;
                                            - Automated Database (Accurint or current data source);
                                            - Credit History;
                                            - Employment Verification;
                                            - Birth & Citizenship Verification;
                                            - FBI Fingerprint;
                                            - Local LE Record;
                                            - State Attorney's Office Inquiry;
                                               - Local & State - Civil & Criminal Court Inquiries;
                                               - PACER - Federal Civil & Criminal Court Inquiries;
                                               - Drug Screen;
                                               - and Three Personal References.
                                               A preliminary background investigation must be completed prior to authorized
                                               access to data systems and/or commencement of any contract work. The
                                               number of background elements conducted on non-FDLE persons depends
                                               upon the level of access to FDLE facility (including outsourced facilities)/data
                                               and the type of service performed by that person.
                                               Final authorization will be contingent upon the completion of the background
                                               investigation.
59   FDLE         FDLE Policy    Personnel -   FDLE members will obey all laws and regulations and maintain the highest            Background Checks and Policies, Professional
                  3.4            Background    standard of professional and ethical behavior at all times. Members are             Standards of Member Conduct
                                                                                                                                                                                        X
                  F.A.C. -                     considered to be all personnel employed by FDLE, including those employed           The State's Primary Data Center personnel will
                  Section 11I-                 under OPS, interns, and others as identified by the appropriate Special Agent       be expected to meet the FDLE Background
                  1.011                        in Charge (SAC) or Program Director. For the purpose of this                        Standards to determine their suitability to
                                               policy/procedure, members will also include those contract employees working        access FDLE Sensitive and FBI CJIS Data.
                                               on site within an FDLE facility (which includes any outsourced facility in which
                                               FBI CJIS information resides). Acts of misconduct and work standards                In 1989, Section 112.0455, Florida Statutes,
                                               violations are described in Section 11I-1.011, Florida Administrative Code, in      Florida’s “Drug-Free Workplace Act” (hereafter
                                               FDLE policies and in other administrative rules applicable to state employees.      referred to as the “Act”) became law. Prior to
                                               In the absence of specific rules or standards of conduct, all members must          the Act, FDLE maintained a drug-free policy and
                                               exercise good judgment, avoiding even the appearance of impropriety.                drug-testing program. FDLE continues to
                                               FDLE will employ and retain only persons free of illegal use of controlled          maintain that policy and, consistent with
                                               substances or other drugs. Drug testing is required of all job applicants. FDLE     applicable law and regulations, engages in its
                                               members may be required to undergo drug testing upon reasonable suspicion           drug testing program. “Drug” as defined in the
                                               of illegal use of controlled substances or other drugs, to determine fitness for    Act means alcohol, including distilled spirits,
                                               duty, to investigate unlawful drug use, or as otherwise authorized by law.          wine, malt beverages, and intoxicating liquors;
                                               Follow-up drug testing may be required of any member as allowed by law.             amphetamines; cannabinoids (including
                                               Drug testing will ensure that members and applicants meet the character,            marijuana and hashish); cocaine; phencyclidine
                                               integrity and suitability standards set by the agency. [CALEA 26.1.1]               (PCP); hallucinogens; methaqualone; opiates;
                                               1. FDLE prohibits the unlawful manufacture, distribution, dispensing,               barbiturates; benzodiazepines; synthetic
                                               possession, or use by any FDLE member of a controlled substance (any                narcotics; designer drugs; or a metabolite of any
                                               substance listed in Section 893.03, Florida Statutes) or drug (alcohol (including   of the above substances.
Revision Date: 12/6/2010                                                                                                                                                                             Page 25
                                                  Chief Information Officers Council – AEIT Advisory Committee
                                                 Law Enforcement Requirements For Data Center Consolidation Workgroup
                                                               Law Enforcement Requirements for Data Center Consolidation

     Submitting   Law/Rule/   FR Category   Functional Requirement                                                              Additional Comment      Applies To:
     Agency       Policy
                                                                                                                                                     FDLE   CJ Agencies
                                                                                                                                                              & Data
                                                                                                                                                              Centers
                                                                                                                                                            hosting FBI
                                                                                                                                                             CJIS Data
                                            distilled spirits, wine, malt beverages, and intoxicating liquors), amphetamines,
                                            cannabis, cocaine, phencyclidine (PCP), hallucinogens, methaqualone,
                                            opiates, barbiturates, benzodiazepines, synthetic narcotics, designer drugs, or
                                            a metabolite of any of the above).
                                            2. Analysis of specimens (tissue or product of the human body, including, but
                                            not limited to, urine or blood, capable of revealing the presence of drugs or
                                            their metabolites) may be utilized to evaluate whether evidence of illegal
                                            controlled substance or other drug use by prospective members exists. Drug
                                            testing methods shall be fair and reasonable and may include job applicant
                                            testing, reasonable suspicion testing, fitness for duty testing, or follow-up
                                            testing. Illegal use of controlled substances or other drugs is a crime, and
                                            FDLE members are to avoid all criminal conduct.
                                            3. Any applicant for employment found to have violated the standards
                                            articulated in this policy/procedure shall, consistent with existing law and
                                            regulation, be rejected. Nothing in this policy/procedure may be construed to
                                            prevent or otherwise limit FDLE from discharging a member for violation of law
                                            or rules when such termination is based upon evidence other than the results
                                            of a drug test.
                                            4. Under Rule 11I-1.011(9), Florida Administrative Code, FDLE members are
                                            required to submit immediately a written report that any member of the
                                            Department, including oneself, is under investigation by any criminal justice
                                            agency. This requirement includes any investigation of suspected illegal
                                            involvement (to include but not limited to possession, use, sale, delivery, etc.)
                                            with controlled substances or other drugs.
                                            5 .Any member or other person associated with this Department in an
                                            employment, intern, or volunteer capacity must, in addition to the other
                                            requirements of this policy/procedure, advise FDLE of conviction of any
                                            criminal drug statute violation within one (1) work day after such conviction. As
                                            utilized within this policy/procedure, “conviction” means a defendant was found
                                            guilty after trial, or pled guilty or “no contest,” without regard to whether
                                            adjudication was withheld or sentence was suspended, and regardless of
                                            whether an appeal from the “conviction” is being pursued.
                                            6.The drug testing procedures provided by this policy/procedure, by the Florida
                                            Drug-Free Workplace Act and associated rules or regulations do not restrict
Revision Date: 12/6/2010                                                                                                                                         Page 26
                                                      Chief Information Officers Council – AEIT Advisory Committee
                                                     Law Enforcement Requirements For Data Center Consolidation Workgroup
                                                                    Law Enforcement Requirements for Data Center Consolidation

     Submitting   Law/Rule/       FR Category   Functional Requirement                                                                  Additional Comment                                     Applies To:
     Agency       Policy
                                                                                                                                                                                          FDLE     CJ Agencies
                                                                                                                                                                                                     & Data
                                                                                                                                                                                                     Centers
                                                                                                                                                                                                   hosting FBI
                                                                                                                                                                                                    CJIS Data
                                                more extensive drug testing pursuant to federal law or regulations that
                                                specifically preempt state and local regulation of drug testing; that have been
                                                enacted or implemented in connection with the operation or use of federally
                                                regulated facilities; that require, as a part of a federal contract, drug testing for
                                                safety, or protection of sensitive or proprietary data or national security, or that
                                                otherwise require drug testing as a part of federally regulated activity.
                                                7.JOB APPLICANT TESTING (Finalists for positions): FDLE considers all
                                                positions within the Department to be either “safety-sensitive” as used in the
                                                Drug-Free Workplace Act or special risk. All finalists for full or part-time
                                                employment, contract employment, internships, and certain designated
                                                volunteer positions must submit to a “job applicant” drug test. Refusal by a
                                                finalist to submit to the drug test, refusal to participate in the drug test in the
                                                manner required, or a positive confirmed drug test result indicating the illegal
                                                use of a controlled substance or other drug will be a basis for rejecting the
                                                finalist.
60   Submitting Agency: FDLE
     Law/Rule/Policy: FDLE Policy 3.5
     FR Category: Personnel - Background
     Functional Requirement:
       FDLE will review or investigate all complaints received that allege a member
       has violated law, policy, or procedures, or otherwise has failed to conduct
       himself or herself in the manner expected.

       Any member who becomes the subject of an investigation, who receives notice
       that a complaint that could result in criminal prosecution has been made
       against the member, or against whom a criminal prosecution has been initiated
       must provide written notification via chain-of-command to the Office of
       Executive Investigations (OEI) no later than one work day after the
       investigation, complaint or prosecution has been made known to the member.
       Any member who becomes aware of an investigation, complaint, or prosecution
       as stated above affecting any other FDLE member should immediately notify OEI
       in writing unless the affected member has already provided written
       notification. All complaints will be reported to the subject member's
       supervisor, Executive Policy Board member, and OEI, and thereafter will be
       treated as confidential in accordance with Florida Statutes.
     Additional Comment:
       Background Checks and Policies, Professional Standards and Disciplinary
       Actions. The CSO will review any complaints and determine the suitability of
       that individual to continue to work with CJIS data. A report will be sent to
       the hiring office as to continued acceptance or rejection of access to CJIS
       data.
     Applies To: FDLE
61   Submitting Agency: FDLE
     Law/Rule/Policy: User Agreement Sec 2 paragraph 1; CJIS Security Policy Sec 8.2.1
     FR Category: Security
     Functional Requirement:
       Use of the CJNet and any system accessed via the CJNet is restricted to the
       administration of criminal justice or as otherwise specifically authorized or
       required by statute. Operators shall access any IT components containing
       criminal justice information only for those purposes for which they are
       authorized.

       Use of the CJNet and any system accessed via the CJNet is restricted to the
       administration of criminal justice or as otherwise specifically authorized or
       required by statute. Information obtained from the FCIC/NCIC files, or
       computer interfaces to other state or federal systems, by means of access
       granted through CJNet, can only be used for authorized purposes in compliance
       with FCIC/NCIC and III rules, regulations and operating procedures, and state
       and federal law. It is the responsibility of the User to ensure access to
       CJNet is for authorized purposes only, and to regulate proper use of the
       network and information at all times. The User must establish appropriate
       written standards, which may be incorporated with existing codes of conduct,
       for disciplining violators of this and any incorporated policy. If the User
       provides an interface between FDLE and other criminal justice agencies it
       must abide by all of the provisions of this agreement. Agencies that access
       FDLE systems by interfacing through other agencies must, likewise, abide by
       all provisions of this agreement. An Interagency User Agreement is required
       when access to CJNet is provided by the User to another agency.
     Additional Comment:
       FDLE / FBI CJIS Data can only be accessed for authorized purposes. This
       includes maintenance for an authorized system.
     Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data
62   Submitting Agency: FDLE
     Law/Rule/Policy: User Agreement Sec 2 paragraph 1 (b)(vi)
     FR Category: Policy and Procedures
     Functional Requirement:
       vi) DISSEMINATION: Information obtained from the FCIC/NCIC hot files, CJNet
       or computer interfaces to other state or federal systems, by means of access
       granted pursuant to Section 943.0525, F.S., can only be used for official
       criminal justice purposes.

       Compliance with Chapter 119, F.S., is accomplished by directing record
       requests to FDLE per Chapter 11C-6, F.A.C., and section 943.053(3), F.S. It
       is the responsibility of the User to ensure that access to the CJNet is for
       authorized criminal justice purposes only, and to regulate proper access to
       and use of the network and information at all times.

       The User will disseminate CHRI derived from federal records or systems only
       to criminal justice agencies and only for criminal justice purposes. Criminal
       justice purposes include criminal justice employment screening.

       The User, if functioning in the capacity of a pretrial release program or
       providing CHRI for a pretrial release program, may disseminate Florida public
       record information only, in compliance with s. 907.043(3)(b)7, F.S., which
       requires "each pretrial release program to prepare a register displaying
       information that is relevant to the defendants released through such a
       program." This dissemination shall be restricted to county probation services
       offices and those criminal justice entities providing the probation offices
       with information obtained via the FCIC II message switch for the
       administration of criminal justice.
     Additional Comment:
       FDLE / FBI CJIS Data can only be accessed for authorized purposes. This
       includes maintenance for an authorized system.
     Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data
63   Submitting Agency: FDLE
     Law/Rule/Policy: User Agreement Sec 2 paragraph 1 (b)(vii)
     FR Category: Policy and Procedures
     Functional Requirement:
       vii) RETENTION: Criminal history records, whether retrieved from III or the
       state system, which the User maintains, must be kept in a secure records
       environment to prevent unauthorized access.
       (a) Retention of criminal history records, whether retrieved from III or the
       state system, for extended periods should only be considered when the time
       sensitivity of the specific record is important.
       (b) When retention of criminal history records, whether retrieved from III or
       the state system, is no longer required, final disposition will be
       accomplished in a secure manner in compliance with state law, FCIC/NCIC and
       III rules, regulations and operating procedures to preclude unauthorized
       access.
       (c) Because CHRI may become outdated at any time, a current criminal history
       record check should be performed whenever CHRI is used or relied upon by the
       User. Entry or retention of criminal history records in a separate or local
       database would be inconsistent with this principle, and is therefore
       discouraged. The retention of criminal history records, whether retrieved
       from III or the state system, in a secondary (non-FDLE) database is not
       authorized by law.
     Additional Comment:
       FDLE / FBI CJIS Data can only be accessed for authorized purposes. This
       includes maintenance for an authorized system.
     Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data
64   Submitting Agency: FDLE
     Law/Rule/Policy: User Agreement Sec 2 paragraph 1 (b)(ix)(c); paragraph 1 (b)(x)
     FR Category: Policy and Procedures
     Functional Requirement:
       ix) LOGGING: Each interface agency accessing FCIC/NCIC Hot File and III
       systems shall ensure that an automated log is maintained. The Hot File
       portion of this log must be maintained for a minimum of twelve months, and
       the III portion must be maintained for a minimum of four years.
       (c) The User may only disseminate information to another authorized recipient
       and must maintain a record of any dissemination of state or federal criminal
       history information. This record will reflect at a minimum: (1) date of
       release; (2) to whom the information relates; (3) to whom the information was
       released; (4) the State Identification (SID) and/or the FBI number(s); and
       (5) the purpose for which the information was requested. The User must also
       be able to identify the reason for all III inquiries upon request from the
       FBI or FDLE.

       x) INFORMATION ACCESS: The User will allow only properly screened, authorized
       personnel performing a criminal justice function who have received proper
       security training to have access to information contained within the CJNet,
       FCIC/NCIC or other state criminal justice information system files. The User
       will also provide assistance to other criminal justice agencies not equipped
       with direct FCIC access in compliance with FCIC/NCIC and III rules,
       regulations and operating procedures, but only to the extent that such
       assistance is not otherwise prohibited.

       FDLE reserves the right to deny FCIC, CJNet or related programs/systems
       access to any individual based on valid, articulable concerns for the
       security and integrity of FCIC, CJNet or related programs/systems.
     Additional Comment:
       FDLE / FBI CJIS Data can only be accessed for authorized purposes. This
       includes maintenance for an authorized system.
     Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data
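The logging requirement above (five mandatory fields per dissemination, twelve months of retention for the Hot File portion and four years for the III portion, and the ability to state the reason for any III inquiry on request) as an added worked example. It is not code from the workgroup document or from any FDLE or FBI system; the record layout, function names, calendar-month arithmetic and the sample entries with placeholder identifiers are assumptions made for illustration.

```python
"""Added example, not part of the workgroup document or of any FDLE/FBI system:
a minimal CHRI dissemination log enforcing the five record fields and the
per-portion retention minimums of row 64. Names and sample values are assumed."""
import calendar
from dataclasses import dataclass
from datetime import date

# Minimum log retention (User Agreement Sec 2 paragraph 1 (b)(ix)(c)), in months:
# Hot File portion twelve months, III portion four years.
RETENTION_MONTHS = {"hotfile": 12, "iii": 48}


@dataclass(frozen=True)
class DisseminationRecord:
    """One release of state or federal criminal history information."""
    portion: str            # "hotfile" or "iii": which log portion the entry is in
    date_of_release: date   # (1) date of release
    subject: str            # (2) to whom the information relates
    released_to: str        # (3) to whom the information was released
    sid_or_fbi_number: str  # (4) State Identification (SID) and/or FBI number(s)
    purpose: str            # (5) purpose for which the information was requested


def missing_fields(rec: DisseminationRecord) -> list:
    """Names of required fields that are empty or invalid ([] = complete)."""
    problems = ["portion"] if rec.portion not in RETENTION_MONTHS else []
    for name in ("subject", "released_to", "sid_or_fbi_number", "purpose"):
        if not str(getattr(rec, name)).strip():
            problems.append(name)
    return problems


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped for short months."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def retain_until(rec: DisseminationRecord) -> date:
    """Earliest date on which the entry has met its minimum retention."""
    return add_months(rec.date_of_release, RETENTION_MONTHS[rec.portion])


def may_purge(rec: DisseminationRecord, today: date) -> bool:
    """True only once the minimum retention period has fully elapsed."""
    return today >= retain_until(rec)


class DisseminationLog:
    """Append-only in-memory log. A deployment would use tamper-evident
    storage; that is an assumption, the agreement does not specify it."""

    def __init__(self):
        self.records = []

    def append(self, rec: DisseminationRecord) -> None:
        gaps = missing_fields(rec)
        if gaps:  # refuse to log a release that could not later be audited
            raise ValueError("incomplete record, missing: " + ", ".join(gaps))
        self.records.append(rec)

    def reasons_for_subject(self, sid_or_fbi_number: str) -> list:
        """Answer an FBI/FDLE request for the reason behind III inquiries."""
        return [(r.date_of_release.isoformat(), r.purpose) for r in self.records
                if r.portion == "iii" and r.sid_or_fbi_number == sid_or_fbi_number]

    def purgeable(self, today: date) -> list:
        """Entries whose minimum retention has elapsed as of `today`."""
        return [r for r in self.records if may_purge(r, today)]


# Constructed sample entries; identifiers are placeholders, not real numbers.
SAMPLE_HOTFILE = DisseminationRecord(
    "hotfile", date(2010, 1, 15), "J. DOE", "Example County SO",
    "FL-SID-PLACEHOLDER", "stolen vehicle query, administration of criminal justice")
SAMPLE_III = DisseminationRecord(
    "iii", date(2010, 1, 15), "J. DOE", "Example PD Records Unit",
    "FL-SID-PLACEHOLDER", "criminal justice employment screening")


def demo() -> dict:
    """Run the samples through the log and return the checkable results."""
    log = DisseminationLog()
    log.append(SAMPLE_HOTFILE)
    log.append(SAMPLE_III)
    incomplete = DisseminationRecord("iii", date(2010, 2, 1), "J. DOE",
                                     "Example PD", "FL-SID-PLACEHOLDER", "")
    try:
        log.append(incomplete)  # no purpose recorded: must be refused
        rejected = False
    except ValueError:
        rejected = True
    return {
        "entries": len(log.records),
        "rejected_incomplete": rejected,
        "hotfile_retain_until": retain_until(SAMPLE_HOTFILE).isoformat(),
        "iii_retain_until": retain_until(SAMPLE_III).isoformat(),
        "purgeable_2011_06_01": [r.portion for r in log.purgeable(date(2011, 6, 1))],
        "leap_day_clamp": add_months(date(2012, 2, 29), 12).isoformat(),
        "iii_reasons": log.reasons_for_subject("FL-SID-PLACEHOLDER"),
    }
```

The purge check is deliberately strict (the retention date itself is the first day an entry may go), and an entry missing any of the five fields is rejected at write time rather than discovered at audit time.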
65   Submitting Agency: FDLE
     Law/Rule/Policy: User Agreement Sec 2 paragraph 2; paragraph 3 (a)(d)(f); paragraph 4
     FR Category: Policy and Procedures
     Functional Requirement:
       2. AUDITS: All agencies having access to CJNet, FCIC/NCIC and the III data
       shall permit an FDLE appointed inspection team to conduct inquiries with
       regard to any allegations or potential security violations, as well as for
       routine audits.

       FDLE conducts regularly scheduled compliance and technical security audits of
       every agency accessing the CJNet to ensure network security, conformity with
       state law, and compliance with all applicable FDLE, CJNet, FCIC/NCIC and III
       rules, regulations and operating procedures. Compliance and technical
       security audits may be conducted at other than regularly scheduled times.

       3. TRAINING: The User is responsible for complying with training requirements
       established in CJIS Security Policy and the rules, regulations, and policies
       established by FCIC/NCIC, III, FDLE and other CJNet applications. The User is
       responsible for remaining current in the applications, procedures, and
       policies and ensuring personnel attend these training sessions.
       a. Only operators who have successfully completed CJIS certification shall be
       allowed to have unsupervised access to the FCIC/NCIC system.
       d. The User will require all information technology (IT) personnel,
       including any vendor who will in the course of their official duties initiate
       a transaction to the FCIC II message switch, to successfully complete CJIS
       certification.
       f. The User will require all IT personnel, including any vendor, responsible
       for maintaining/supporting any IT component used to process, store or
       transmit any unencrypted information to or from the FCIC II message switch,
       to successfully complete the CJIS Online Security Training provided by FDLE.

       4. RELOCATION: Should the User desire to relocate the data circuit(s) and/or
       equipment connected to CJNet, the User must provide FDLE written notice 90
     Additional Comment:
       FDLE / FBI CJIS Data can only be accessed for authorized purposes. This
       includes maintenance for an authorized system.
     Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data
     Agency       Policy
                                                                                                                                                                                          FDLE   CJ Agencies
                                                                                                                                                                                                   & Data
                                                                                                                                                                                                   Centers
                                                                                                                                                                                                 hosting FBI
                                                                                                                                                                                                  CJIS Data
                                                   days in advance of the projected move. All costs associated with the
                                                   relocation of the equipment and the data circuit(s), including delays in work
                                                   order dates, will be borne by User unless FDLE has funding to make changes
                                                   without charge. The repair and cost of any damages resulting from such
                                                   relocation will be the User’s responsibility. The User must also provide 90
                                                   days advance notice when requesting additional access to FCIC/CJNet.
66   Submitting Agency: FDLE
     Law/Rule/Policy: User Agreement Sec 2 paragraph 6 (b)(c)(d)(e)(f)
     FR Category: Policy and Procedures
     Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data

     Functional Requirement:
     6. CRIMINAL HISTORY RECORDS: FDLE is authorized to establish an intrastate automated fingerprint identification system (IAFIS) and an intrastate system for the communication of information relating to crimes, criminals and criminal activity.
     To support the creation and maintenance of the criminal history files, the User, as appropriate, will:
     b. Provide security for CHRI and systems that process or store CHRI, and security training for personnel who receive, handle or have access to CHRI.
     c. Screen all personnel who will have direct access to CHRI and reject for employment personnel who have violated or appear unwilling or incapable of abiding by the requirements outlined in this agreement.
     d. Defer to FDLE on any determination as to what purposes qualify for criminal justice versus non-criminal justice designation, as well as with respect to other purposes that may be authorized by law.
     e. Pursuant to a signed interagency agreement as authorized by Florida Statutes and/or federal regulations, the User may share state CHRI. Dissemination of information requires compliance with all applicable statutes, FCIC/NCIC and III rules, regulations and operating procedures, including logging. Agencies must maintain confidentiality of such record information that is otherwise exempt from Section 119.07(1), F.S., as provided by law.
     f. Provide security and establish policies to prevent unauthorized access to or dissemination of sealed records.

     Additional Comment: FDLE / FBI CJIS Data can only be accessed for authorized purposes. This includes maintenance for an authorized system.
67   Submitting Agency: FDLE
     Law/Rule/Policy: User Agreement Sec 3 paragraph 1
     FR Category: Personnel - Background
     Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data

     Functional Requirement:
     The User must ensure compliance with the FBI CJIS Security Policy and the rules, regulations, policies and procedures established for CJNet, FCIC/NCIC, III and NLETS, which include but are not limited to System Security, Personnel Security, Physical Security, User Authorization, Technical Security, Dissemination of Information Obtained from the Systems, and Destruction of Records. By accepting access as set forth above, the User agrees to adhere to the following security policies in order to ensure continuation of that access:
     The User is required to conduct a background investigation on all personnel who are authorized to access FCIC/NCIC/III/CJNet data or systems, IT personnel who maintain/support information technology components used to process, transmit or store unencrypted data to and/or from the FCIC II message switch, and other personnel accessing workstation areas that are unescorted by authorized personnel. Good management practices dictate the investigation should be completed prior to employment, but it must, at a minimum, be conducted within the first thirty (30) days of employment or assignment. The User may conduct a preliminary on-line criminal justice employment check. Before the background is completed the following requirements must be met:
     a. The User must submit applicant fingerprints for positive comparison against the state and national criminal history and for searching of the Hot Files.
     b. If a record of any kind is found, the User will not permit the operator to have access to the FCIC/NCIC system nor access workstation areas. The User will formally notify the FDLE CJIS Systems Officer (CSO) indicating access will be delayed pending review of the criminal history.
     c. When identification of the applicant has been established by fingerprint comparison and the applicant appears to be a fugitive, have pending criminal charges; have an arrest history for a felony or serious misdemeanor; have been found guilty of, regardless of adjudication, or entered a plea of nolo contendere or guilty to any felony or serious misdemeanor; or to be under the supervision of the court, the User will refer the matter to the FDLE CSO for review.
     d. Applicants who have been found guilty of, regardless of adjudication, or entered a plea of nolo contendere or guilty to a felony, will generally be denied access to FCIC/NCIC. For applicants who have been adjudicated guilty of or have had adjudication withheld on a misdemeanor, the User will notify the CSO of the misdemeanor(s) and acknowledge an intent to permit FCIC/CJNet access. Access will also generally be denied to any person under court supervision for a criminal offense or against whom criminal charges are pending. If a determination is made by FDLE that FCIC/NCIC access by the applicant would not be in the public interest, such access will be denied and the User will be notified in writing of the access denial.
     e. Once the original background screening has been completed, if the User learns that a CJIS certified employee has a criminal history or pending charge(s), the User will first determine if the pending charge(s) or record(s) adversely affect(s) the employee’s continued employment/access/status with the User. If the employee is placed on leave, terminated or denied access to FCIC by the User, as a result of any pending or unresolved charge(s), the User will notify the CSO of the action taken. Generally, denial of access, pending satisfactory resolution of any such charge(s), and notification to the CSO of that action, will be deemed sufficient corrective action by the User. If the User determines that no action is required while the charge(s) are pending or unresolved; i.e., that the employee will continue to be allowed access to FCIC, the User will notify the CSO and explain its rationale for continued access. FDLE reserves the right, as CSA, to deny access to FCIC and associated databases until any such charge(s) are resolved or the situation is clarified.
     f. The User will have a written policy for discipline of personnel who access CJNet for purposes that are not authorized, disclose information to unauthorized individuals, or violate FCIC/NCIC or III rules, regulations or operating procedures.

     Additional Comment:
     The original reason behind the 30 day leeway was due to processing time for hardcard fingerprints. With current electronic submission of fingerprints, turnaround time for criminal history responses is within 48 hours. Based on technology and significantly reduced response time, FDLE is currently modifying Florida’s Criminal Justice User Agreement to state that the fingerprint based background check must be completed prior to assignment or access. The Data Centers should consider completing this process prior to employment of any new staff.

     Clarification Regarding Who is required to complete the fingerprint based criminal history check conducted by the Primary CJ Agency in the Data Center:

     Physical Access: Any personnel with physical access to the data center which processes or stores FBI CJIS data must successfully complete a fingerprint based criminal history check as required by the CJIS Security policy and conducted by the primary CJ Agency in the Data Center.

     Logical Access with no Logical Separation of Data: Any Agency personnel (Data Center or other) with logical access for the purpose of remote administration, to the data center which processes or stores FBI CJIS data where that FBI CJIS data is not logically separated from other agency data (CJIS or non-CJIS) must successfully complete a fingerprint based criminal history check as required by the CJIS Security policy and conducted by the primary CJ Agency in the Data Center.

     Logical Access with Logically Separated Data: If the PDC logically separates and secures individual Criminal Justice agency’s data through the use of VLANS, Firewalls or other similar methods, any individual agency personnel with logical access to the Data Center for the purpose of remote administration of their agency’s systems may remotely administer their agency’s data without needing to complete the fingerprint based background check conducted by the Primary Criminal Justice Agency in the Data Center. CJ Agencies of course must follow the CJIS Security Policy regarding criminal history checks within their own agencies. The exception to criminal history checks for logical access in the PDC would be the PDC employees who would have logical access to all if not most systems and must have the criminal history check for logical or physical access.
68   Submitting Agency: FDLE
     Law/Rule/Policy: User Agreement Sec 3 paragraph 2 & Sec 3 paragraph 3 (b); CJIS Security Policy Section 4.4.1; CJIS Security Policy Sec 7.2.2
     FR Category: Security - Physical
     Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data

     Functional Requirement:
     2. PHYSICAL SECURITY: The User will determine the perimeter for the physical security of devices that access or provide access to CJNet. Access shall be limited so as to allow completion of required duties. The User must have a written policy that ensures and implements security measures, secures devices that access FCIC/NCIC/CJNet and prevents unauthorized use or viewing of information on these devices. The use of screen blanking software with password protection is recommended for devices that access FCIC/NCIC when the operator may leave the computer unsupervised. FDLE reserves the right to object to equipment location, security measures, qualifications and number of personnel who will be accessing FCIC/NCIC and to suspend or withhold service until such matters are corrected to its reasonable satisfaction.
     3. ADMINISTRATIVE SECURITY: The User must designate individual agency contacts to assist the User and FDLE with the information services covered by this agreement. Training for these positions is provided by FDLE, and the User must ensure that its designee is keenly aware of the duties and responsibilities of each respective position. The User is required to provide FDLE with up-to-date contact information.
     b. INFORMATION SECURITY OFFICER: Agencies accessing the FCIC/NCIC system and/or the CJNet must designate an Information Security Officer (ISO) to ensure security of the FCIC/NCIC workstations, the connection to CJNet, and any access to the information services provided on CJNet to or by the User. FDLE reserves the right to object to the User’s appointment of a TAC, LAI, CJNet Point of Contact or ISO based on valid, articulable concerns for the security and integrity of FCIC, CJNet or related programs/systems.
     CJIS Information must be in a secure Law Enforcement Sensitive Facility location that provides adequate protection from damage due to environmental factors. The server site must have adequate physical security to protect against any unauthorized viewing or access to servers or access devices. The physical security perimeter is defined by the CSO. FDLE provides the necessary parameters while each individual LE Agency will dictate their requirements for security of CJIS information.

     Additional Comment: (none)
69   Submitting Agency: FDLE
     Law/Rule/Policy: User Agreement Sec 3 paragraph 4 (a)(b)(c)(d)(e)(f)(g)(h)
     FR Category: Security
     Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data

     Functional Requirement:
     4. TECHNICAL SECURITY
     a. Dial-up services to FCIC/NCIC and CJNet will be permitted provided the User establishes appropriate security measures to ensure compliance with all rules, regulations, procedures, and the FBI CJIS Security Policy.
     b. All FCIC/NCIC/III data transmitted over any public network segment must be encrypted as required by the FBI CJIS Security Policy. This requirement also applies to any private data circuit that is shared with non-criminal justice users and/or is not under the direct security control of a criminal justice agency.
     c. The User must maintain, in current status, and provide upon request by FDLE a complete topological drawing, which depicts the User’s network configuration as connected to CJNet. This documentation must clearly indicate all network connections, service agencies and interfaces to other information systems.
     d. The User will ensure only authorized criminal justice agencies or agencies authorized by FDLE are permitted access to the CJNet via the User’s CJNet connection.
     e. The User must ensure all devices with connectivity to CJNet employ virus protection software and such software shall be maintained in accordance with the software vendor’s published updates.
     f. FCIC and CJNet may only be accessed via computers or interface devices owned by the User or contracted entity. Vendors under contract with the User may be allowed access provided all requirements of the DOJ Security Addendum are complied with and member security training is current.
     g. The User will ensure that CJNet-only devices have a Windows or network type password to prevent unauthorized access.
     h. To ensure appropriate security precautions are in place, and upon approval from the FDLE Network Administration staff, the User may employ wireless network connectivity (for example the 802.11 wireless networking protocol).

     Additional Comment: (none)
70   Submitting Agency: FDLE
     Law/Rule/Policy: User Agreement Sec 3 paragraph 5; UA Sec 3 paragraph 6; UA Sec 3 paragraph 7; CJIS Security Policy 3.4.e
     FR Category: Security
     Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data

     Functional Requirement:
     5. COMPUTER SECURITY INCIDENT RESPONSE CAPABILITY: The User must have a written policy documenting the actions to be taken in response to a possible computer security incident. The policy should include identifying, reporting, investigating and recovering from computer security incidents. The User will immediately notify FDLE of any suspected compromise of the CJNet.
     6. PENETRATION TESTING: The User shall allow the FBI and/or FDLE to periodically test the ability to penetrate the CJNet through the external network connection or system.
     7. SECURITY AUTHORITY: All policies, procedures and operating instructions contained in the FBI CJIS Security Policy and FCIC/NCIC, III and NLETS documents, operating manuals and technical memoranda, are hereby incorporated into and made a part of this agreement, except to the extent that they are inconsistent herewith or legally superseded by higher authority.
     Security breaches must immediately be reported to the affected agency’s ISM, the Agency CJIS CSO and the State CJIS ISO.

     Additional Comment: (none)
71   Submitting Agency: FDLE
     Law/Rule/Policy: User Agreement Sec 3 paragraph 9; CJIS Section 6.6
     FR Category: Security
     Applies To: FDLE; CJ Agencies & Data Centers hosting FBI CJIS Data
     Functional Requirement:
     9. PRIVATE VENDORS: Private vendors which, under contract with the User, are permitted access to information systems that process FCIC/NCIC/III data shall abide by all aspects of the FBI CJIS Security Addendum. The contract between the User and the vendor will incorporate the Security Addendum to ensure adequate security of FCIC/NCIC/III data. The User will maintain the Security Addendum Certification form for each member of the vendor staff with access to information systems that process FCIC/NCIC/III data. Private vendors permitted such access should be aware of the provisions of s. 817.5681, regarding breach of security of personal information.

     Use of a state privatized (non-governmental) data center requires adoption of the policy components of the FBI CJIS Security Policy and DOJ Security Addendum for all aspects of access to criminal history information requests (CHIR). Separate data centers participating within the State's Primary Data Centers must individually adhere to the CJIS Security Policy guidelines for all Criminal Justice / LE entities they support through CJIS application processing.
Revision Date: 12/6/2010                                                                                                                                               Page 35
72   Submitting Agency: FDLE
     Law/Rule/Policy: User Agreement Sec 3 paragraph 10
     FR Category: Security - Electronic
     Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data
     Functional Requirement:
     10. PASSWORDS: The User will ensure that all personnel who initiate a transaction to the FCIC II message switch have a separate and distinct password for the software/interface used to initiate the transaction. The User will ensure that all interfaces with the FCIC II message switch operated by the User follow the password requirements outlined in the FBI CJIS Security Policy.
73   Submitting Agency: FDLE
     Law/Rule/Policy: User Agreement Sec 3 paragraph 11
     FR Category: Personnel
     Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data
     Functional Requirement:
     11. INDIVIDUAL USER ACCESS: The User will deactivate individual user access to eAgent and/or other FCIC interfaces, other CJNet applications, and FBI Law Enforcement Online (LEO) upon separation, reassignment or termination of duties, provided individual user access is no longer required for the administration of criminal justice.
     A method must be established for removing access for terminating employees and for those transferring to positions where access to any IT component used to process FBI CJIS data is no longer required.
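One way to implement the removal method the requirement calls for, as an added example that is not part of the workgroup document and not FDLE's own tooling: a reconciliation of the agency's HR roster against per-system account exports that lists every enabled CJIS-facing account whose holder has separated, has no HR record at all (an orphan account), or now holds a position that no longer requires CJIS access. The roster, the account lists, the set of roles treated as still requiring access (CJ_ROLES) and the "payroll" system are all constructed for illustration; only the eAgent, CJNet and LEO system names come from the requirement text.

```python
"""Offboarding reconciliation for CJIS-facing accounts (added example).

Compares a constructed HR roster against constructed account exports and
returns the enabled accounts that must be deactivated. A separation that is
future-dated is left alone until it takes effect, and an account that is
already disabled produces no finding.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical role list: positions assumed to still require access for the
# administration of criminal justice. Any other role is treated as a position
# where CJIS access is no longer required (covers reassignments/transfers).
CJ_ROLES = {"dispatcher", "records_clerk", "detective", "tac_officer"}

# Systems named in the requirement (eAgent, other CJNet applications, LEO).
CJIS_SYSTEMS = {"eAgent", "CJNet", "LEO"}


@dataclass(frozen=True)
class Person:
    emp_id: str
    role: str
    status: str      # "active", "separated" or "transferred"
    effective: date  # date the separation/transfer took (or takes) effect


@dataclass(frozen=True)
class Account:
    emp_id: str
    system: str
    enabled: bool


def accounts_to_deactivate(roster, accounts, today):
    """Return a sorted list of (emp_id, system, reason) for enabled accounts
    on CJIS-facing systems that should be disabled as of `today`."""
    people = {p.emp_id: p for p in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled or acct.system not in CJIS_SYSTEMS:
            continue  # already disabled, or not a system in scope
        person = people.get(acct.emp_id)
        if person is None:
            findings.append((acct.emp_id, acct.system, "orphan: no HR record"))
        elif person.status == "separated" and person.effective <= today:
            days = (today - person.effective).days
            findings.append((acct.emp_id, acct.system,
                             f"separated {days} day(s) ago"))
        elif person.role not in CJ_ROLES:
            findings.append((acct.emp_id, acct.system,
                             f"role '{person.role}' no longer requires access"))
    return sorted(findings)


# Constructed sample data; no real agency, person or account is represented.
ROSTER = [
    Person("e100", "dispatcher",    "active",      date(2010, 1, 4)),
    Person("e200", "detective",     "separated",   date(2010, 11, 30)),
    Person("e300", "fleet_manager", "transferred", date(2010, 12, 1)),
    Person("e400", "tac_officer",   "separated",   date(2011, 1, 15)),  # future-dated
]
ACCOUNTS = [
    Account("e100", "eAgent",  True),
    Account("e200", "eAgent",  True),
    Account("e200", "LEO",     True),
    Account("e300", "CJNet",   True),   # transferred out of a CJ role
    Account("e400", "CJNet",   True),   # separation not yet effective
    Account("e500", "LEO",     True),   # no HR record at all
    Account("e999", "payroll", True),   # hypothetical non-CJIS system, out of scope
    Account("e200", "CJNet",   False),  # already disabled
]


def report(today_iso="2010-12-06"):
    """Run the reconciliation for the given ISO date (default: the
    document's revision date) against the constructed sample data."""
    return accounts_to_deactivate(ROSTER, ACCOUNTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for emp_id, system, reason in report():
        print(f"DEACTIVATE {emp_id:<5} {system:<7} {reason}")
```

The "days since separation" figure is what an auditor would use to judge whether removal was timely; rerunning with a later date (for example the day e400's separation takes effect) picks that account up with a zero-day age, while accounts already disabled never reappear.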
74   Submitting Agency: FDLE
     Law/Rule/Policy: CJIS Security Policy Sec 6.4 & 8.2.1
     FR Category: Security - Physical
     Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data
     Functional Requirement: Data backup media must be stored in a secure, off-site location that is accessible only to authorized personnel.
     Additional Comment: Also refer to CJUA Sec II para 1.b(vii) & Sec II 6.e
75   Submitting Agency: FDLE
     Law/Rule/Policy: CJIS Security Policy CJISD-ITS-DOC-081140-4.5
     FR Category: Governance
     Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data
     Functional Requirement: If multiple facilities are shared by the Criminal Justice / LE community, there must be interagency agreements with each CJ/LE entity to adhere to the compliance requirements of the CJIS Security Policy. One entity at each Shared Resource Center can be designated as oversight for that center's compliance with the CJIS Security Policy. It is suggested that FDLE (as CSA) would be the oversight entity at the facility it shares with any other CJ/LE entity.
76   Submitting Agency: FDLE
     Law/Rule/Policy: CJIS Security Policy CJISD-ITS-DOC-081140-4.5; FDLE Criminal Justice User Agreement
     FR Category: Policy and Procedures
     Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data
     Functional Requirement: The State's Primary Data Centers will need to give the State of Florida CSA (FDLE), the designated Oversight CJ/LE Entity and the FBI direct access to the network and the CJIS Information Systems they manage for auditing of compliance with the CJIS Security Policy. This includes penetration testing of the State Data Center networks and overall compliance based on the executed Criminal Justice Management Control and User Agreements.
77   Submitting Agency: FDLE
     Law/Rule/Policy: CJIS Security Policy CJISD-ITS-DOC-081140-4.5
     FR Category: Policy and Procedures
     Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data
     Functional Requirement: The State's Primary Data Centers must comply with all current and future versions of the CJIS Security Policy. New changes in the CJIS Security Policy (Version 5.0) are estimated to be in effect by January 2011.
78   Submitting Agency: FDLE
     Law/Rule/Policy: CJIS Security Policy CJISD-ITS-DOC-081140-4.5
     FR Category: Personnel - Training
     Applies To: CJ Agencies & Data Centers hosting FBI CJIS Data
     Functional Requirement: The State's Primary Data Centers shall educate employees who work on any components utilizing CJIS data through the CJIS Online Security Training program conducted by FDLE, as per the requirements in the CJIS Security Policy and FDLE Policy and Procedures.



