CJIS Policy v6, Section 5.20.3

Wireless Device Risk Mitigation

Organizations shall, at a minimum, ensure that cellular devices:
1.  Apply available critical patches and upgrades to the operating system as soon as they become available and after necessary testing, via Mobile Device Management (MDM) as described in Section 5.20.2.
2.  Are configured for local device authentication.
3.  Use advanced authentication.
4.  Encrypt all CJI resident on the device (see CJIS Policy v6, Section 5.10.1.2 below).
5.  Erase cached information when the session is terminated.
6.  Run a personal firewall, or an MDM system that provides firewall services from the agency level.
7.  Employ antivirus software, or run an MDM system that provides antivirus services from the agency level.
8.  Use local authentication methods such as a PIN, password, or biometric, in line with the Identification and Authentication controls (see Section 5.20.7.1).
9.  Use advanced authentication unless indirect access methods are used or a CJIS-approved exception applies (see Section 5.20.7.2.1).
10.  Obtain wireless access only where it is authorized, monitored, and controlled per policy (see Section 5.20.2.2).
11.  For smartphones and tablets, run only apps and software the agency has approved for use with CJI (see Section 5.20.4.2).
12.  Are updated regularly, with patch status monitored (see Section 5.20.4.1).
13.  Are reported according to agency mobile incident response procedures when lost, compromised, or stolen, especially if the incident occurs outside the U.S. (see Section 5.20.5).


CJIS Policy v6, Section 5.20.2

Mobile Device Management 

Devices that have had any unauthorized changes made to them (including but not limited to being rooted or jailbroken) shall not be used to process, store, or transmit CJI data at any time. Agencies shall implement the following controls when allowing CJI access from devices running a limited-feature operating system:

1.  CJI is only transferred between CJI-authorized applications and storage areas of the device.
2.  MDM with centralized administration is configured and implemented to perform at least:
i. Remote locking of the device
ii. Remote wiping of the device
iii. Setting and locking device configuration
iv. Detection of "rooted" and "jailbroken" devices
v. Enforcement of folder- or disk-level encryption
vi. Application of mandatory policy settings on the device
vii. Detection of unauthorized configurations
viii. Detection of unauthorized software or applications
ix. Ability to determine the location of agency-controlled devices
x. Prevention of unpatched devices from accessing CJI or CJI systems
xi. Automatic device wiping after a specified number of failed access attempts
3.  Agencies must set usage restrictions and provide guidance for mobile device use when accessing CJI (see Section 5.20.2.1).
4.  Wireless access to CJI systems must be authorized, monitored, and controlled (see Section 5.20.2.2).
5.  MDM systems must support centralized management of device configuration, application use, and recovery options (see Section 5.20.2.3).
6.  Agencies must have procedures for responding to mobile-related incidents, including reporting lost or compromised devices, especially if the incident occurs outside the U.S. (see Section 5.20.5).
7.  For limited-feature devices that do not support multiple users, access controls must be enforced through the applications (see Section 5.20.6).
8.  Devices must require local authentication and use advanced authentication unless indirect access is used (see Sections 5.20.7.1 and 5.20.7.2.1).


CJIS Policy v6, Section 5.20.4.3

Personal Firewall

A personal firewall shall be employed on all devices that are mobile by design (e.g., laptops, handhelds, personal digital assistants). For the purpose of this Policy, a personal firewall is an application that controls network traffic to and from a user device, permitting or denying communications based on policy. At a minimum, the personal firewall shall perform the following activities:
1.  Manage program access to the Internet.
2.  Block unsolicited requests to connect to the user device.
3.  Filter incoming traffic by IP address or protocol.
4.  Filter incoming traffic by destination ports.
5.  Maintain an IP traffic log.
In addition:
6.  Full-feature OS devices must have a personal firewall installed or provided through MDM (see Section 5.20.4.3).
7.  Agencies must configure firewall policies consistent with agency security policies.
8.  Firewall functionality must be maintained and regularly reviewed as part of mobile device security management.
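As an added illustration (not part of the CJIS Policy text), the following Windows PowerShell baseline shows how the five required firewall activities map onto Windows Defender Firewall settings on an agency laptop. The agency network range, the CJI client path, and the log path are assumptions chosen for the example; the cmdlets and parameters are those of the built-in NetSecurity module.

```powershell
# Added example, not CJIS Policy text. Run in an elevated PowerShell session.
# The three values below are assumptions for illustration only.
$AgencyNet = '10.20.0.0/16'                               # assumed CJI network range
$CjiApp    = 'C:\Program Files\AgencyCJI\client.exe'      # assumed CJI client binary
$LogPath   = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Activity 2 (block unsolicited inbound) and activity 5 (IP traffic log):
# default-deny in both directions on every profile; the firewall is stateful,
# so replies to permitted outbound connections are still accepted. Log both
# dropped and allowed connections so the log can be reviewed (item 8 above).
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Block `
    -LogBlocked True -LogAllowed True `
    -LogFileName $LogPath -LogMaxSizeKilobytes 32767

# Activity 1 (manage program access): with outbound default Block, only
# programs with an explicit rule may reach the network. The CJI client may
# only talk HTTPS to the agency range.
New-NetFirewallRule -DisplayName 'CJI client outbound' `
    -Direction Outbound -Action Allow `
    -Program $CjiApp -Protocol TCP -RemotePort 443 -RemoteAddress $AgencyNet

# Keep the patching and MDM channel open (Section 5.20.3 item 1): Windows
# Update and MDM enrolment run inside svchost.exe over HTTPS. The built-in
# "Core Networking" rules for DNS and DHCP remain enabled and are not changed.
New-NetFirewallRule -DisplayName 'System HTTPS outbound' `
    -Direction Outbound -Action Allow `
    -Program '%SystemRoot%\System32\svchost.exe' -Protocol TCP -RemotePort 443

# Activities 3 and 4 (filter inbound by source address, protocol and
# destination port): only the agency management range may reach Remote
# Desktop, and only while the device is on the domain profile.
New-NetFirewallRule -DisplayName 'Management RDP inbound' `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AgencyNet -Profile Domain

# Everything else inbound is dropped by the profile default and written to the log.

# Verification step for periodic review (item 8): confirm the profile defaults
# and logging survived any later group policy or MDM change.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                  LogBlocked, LogAllowed, LogFileName
```

The outbound default-deny is what gives activity 1 its teeth: a program without a rule gets no network access at all, rather than being blocked only on selected ports. Agencies that deliver the firewall through MDM (item 6) can push the same settings as a device configuration profile, but the review step should still read the effective configuration from the device rather than trusting the MDM console.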

CJIS Policy v6, Section 5.10.1.2


Encryption Requirements

1.  Encryption shall be a minimum of 128-bit (i.e., a symmetric key length of at least 128 bits, such as AES-128).
2.  When CJI is transmitted outside the boundary of the physically secure location, the data shall be immediately protected via cryptographic mechanisms (encryption).
EXCEPTIONS: See Sections 5.5.7.3.2 and 5.10.2.
3.  When CJI is at rest (i.e., stored electronically) outside the boundary of the physically secure location, the data shall be protected via cryptographic mechanisms (encryption).
4.  When encryption is employed, the cryptographic module used shall be certified to meet FIPS 140-2 standards. The certification applies to the module (the library, hardware, or operating-system component performing the cryptography), not merely to the algorithm it implements.
5.  Encryption applies to all electronic data storage and transmission involving CJI, including mobile devices, cloud, and removable media.
6.  Encryption keys must be protected and managed per Section 5.10.1.5.
7.  Encryption controls must be verified during audits and security assessments.