GovRAMP's CJIS-Aligned Task Force: Advancing Framework Harmonization and Compliance

In the realm of criminal justice management, compliance with the FBI’s Criminal Justice Information Services (CJIS) standards is essential and required for safeguarding national security and public safety. Yet, the complexity of these standards often poses significant challenges for both cloud technology providers (SaaS, PaaS, and IaaS) and state and local government agencies. Recognizing this, GovRAMP is leading the charge towards greater framework harmonization, aimed at simplifying compliance and understanding of CJIS standards through an innovative Task Force. 

Understanding CJIS: 

At the heart of the CJIS Security Policy lies the mission-critical function of the CJIS Division, serving as the central repository for many vital criminal justice information services. From the National Crime Information Center (NCIC) to the Uniform Crime Reporting (UCR) program, CJIS oversees pivotal technological initiatives like the Next Generation Identification (NGI), NCIC, and the National Incident-Based Reporting System (NIBRS). This centralized hub is dedicated to optimizing the dissemination of essential criminal justice data to authorized entities, bolstering national security efforts. As a result of CJIS, state and local agencies are affected, including traditional law enforcement and judicial agencies as well as many of the administrative services provided by the government. Therefore, the CJIS Security Policy is a policy requirement that all state and local governments must understand and follow.  

The FBI CJIS Security Policy serves as the cornerstone, establishing baseline security criteria and protocols for entities accessing criminal justice information (CJI) which have been mapped to the NIST 800-53 Rev.5 Special Publication of Security and Privacy Controls for Information Systems and Organizations. The CJIS Security Policy encompasses mandates for the encryption, audit logging, transmission, processing, storage, and access of sensitive data, applicable to all organizations with authorized access to CJI. CJI is required to be protected for the full lifecycle of data during processing, transmission, access, and storage. 

Introducing GovRAMP's CJIS-Aligned Task Force: 

Under the guidance of GovRAMP's Executive Director, Leah McGrath, our dedicated team is driving forward a Task Force comprised of law enforcement agencies, industry experts, and cybersecurity professionals. This collaborative effort is further enriched by the advisory role of Chris Weatherly, the FBI CJIS Information Security Officer, providing invaluable insights into CJIS standards.   

By harnessing the collective expertise of diverse stakeholders, the Task Force aims to comprehensively address the challenges encountered by providers and governments in achieving CJIS compliance. In launching this initiative, GovRAMP intends to facilitate greater harmonization of frameworks among CSP's (Cloud Service Providers) and state, local, tribal and territorial agencies and their service providers. 

Objectives of the CJIS-Aligned Task Force: 

The GovRAMP CJIS-aligned overlay would specify specific parameters to enhance GovRAMP's Moderate Impact Level to align with the current Criminal Justice Information Services Security Policy. Service Providers would use the overlay specification to confirm their posture relative to CJIS security control requirements, which simplifies the process of determining a product's likelihood for CJIS conformance for both public and private sector stakeholders.   

GovRAMP's CJIS-Aligned Task Force is guided by several key objectives aimed at enhancing conformance with CJIS standards: 

1. Understanding Conformance Hardships: Through proactive engagement with service providers and government agencies, the Task Force seeks to gain insight into the challenges faced in meeting CJIS standards, fostering a deeper understanding of conformance issues.  
2. CJIS Standard Harmonization: By promoting framework harmonization, the Task Force simplifies the application of CJIS standards, offering clarity and direction for providers and governments. While there is not and will not be a CJIS certification, GovRAMP's CJIS-Aligned overlay aims to indicate a product’s likelihood of meeting CJIS standards. Achieving a GovRAMP verified status with this overlay provides directional guidance, with final CJIS compliance determination resting with relevant agency personnel. The goal of this overlay is to demonstrate conformance with FBI baseline CJIS Security Policy standards, reducing uncertainty for providers and governments. This standard can be further supplemented to meet specific government requirements. GovRAMP is committed to ensuring clarity and understanding for those adhering to CJIS security policy.  
3. Improved Communication: Facilitating enhanced communication channels between CJI stakeholders and the FBI CJIS Division personnel within the public and private sector is a core focus, ensuring comprehensive discussions that address the intricacies of CJIS standards.   
4. Enhanced Education on CJIS Conformance: Recognizing the need for heightened education efforts, the Task Force is committed to delivering comprehensive resources, including blog posts, webinars, and video content, to foster a deeper understanding of the CJIS Security Policy.  

In the pursuit of these objectives, GovRAMP remains steadfast in its commitment to promoting cloud security practices and ensuring the protection of critical criminal justice information. 

Conclusion: 

As the CJIS-AlignedTask Force continues its mission, GovRAMP reaffirms its dedication to advancing framework harmonization and compliance in the realm of criminal justice information management. Through collaborative efforts and educational initiatives, we strive to empower stakeholders with the knowledge and resources needed to navigate the complexities of the CJIS Security Policy standards effectively. Together, we embark on a journey towards a safer, more secure future for all.