How Kiteworks Supports CJIS Compliance
The Criminal Justice Information Services (CJIS) Security Policy, established by the FBI, sets the minimum security requirements for accessing criminal justice information (CJI). This policy applies to every individual—contractor, private entity, non-criminal justice agency representative, or member of a criminal justice entity—who has access to, or operates in support of, criminal justice information and services. Kiteworks provides comprehensive capabilities that address all 13 CJIS policy areas, enabling law enforcement agencies and their partners to securely share and manage sensitive criminal justice data.
CJIS Security Policy Overview
The CJIS Security Policy encompasses 13 distinct policy areas that collectively establish a comprehensive security framework for protecting criminal justice information. These areas cover everything from information exchange agreements to incident response, creating a multi-layered defense strategy that Kiteworks supports through its Private Content Network architecture.
- Policy Area 1: Information Exchange Agreements
- Policy Area 2: Security Awareness Training
- Policy Area 3: Incident Response
- Policy Area 4: Auditing and Accountability
- Policy Area 5: Access Control
- Policy Area 6: Identification and Authentication
- Policy Area 7: Configuration Management
- Policy Area 8: Media Protection
- Policy Area 9: Physical Protection
- Policy Area 10: Systems and Communications Protection and Information Integrity
- Policy Area 11: Formal Audits
- Policy Area 12: Personnel Security
- Policy Area 13: Mobile Devices
Advanced Authentication (MFA for CJI Access)
CJIS requires advanced authentication—specifically multi-factor authentication—for any individual accessing CJI. Kiteworks delivers robust authentication capabilities:
- Multi-Factor Authentication: Enforce MFA for all users accessing criminal justice information, supporting TOTP, SMS, hardware tokens, and certificate-based methods.
- Advanced Authentication at Every Access Point: MFA is required not just at initial login but at every point where CJI is accessed, ensuring continuous verification.
- Integration with Law Enforcement Identity Systems: Support for LDAP, Active Directory, SAML, and other identity providers commonly used in criminal justice environments.
- Session Management: Automatic session timeout and re-authentication requirements prevent unauthorized access from unattended sessions.
Encryption Requirements (FIPS 140-Validated)
CJIS mandates that CJI be encrypted using FIPS 140-validated cryptographic modules when transmitted outside the physically secure location. Kiteworks provides:
- FIPS 140-2/140-3 Validated Encryption: All cryptographic operations use NIST-validated modules meeting CJIS encryption requirements.
- AES-256 Encryption at Rest: Criminal justice information stored in Kiteworks is encrypted with the strongest commercially available encryption.
- TLS 1.2/1.3 in Transit: All data transmissions are encrypted using approved transport layer security protocols.
- End-to-End Encryption: Files remain encrypted from sender to recipient, ensuring CJI is never exposed during transit.
Audit Logging and Accountability
CJIS Policy Area 4 requires comprehensive audit logging of all access to criminal justice information. Kiteworks delivers:
| Audit Requirement | Kiteworks Capability |
|---|---|
| Event logging | Every file access, download, upload, share, and deletion is logged with full details |
| User identification | All actions are tied to authenticated user identities with unique identifiers |
| Timestamp recording | Precise timestamps for every event using synchronized time sources |
| Log protection | Immutable, tamper-evident audit records that cannot be altered or deleted |
| Log retention | Configurable retention periods meeting CJIS minimum requirements |
| Log review | CISO dashboard and reporting tools for regular audit log review |
Personnel Security Screening Support
CJIS requires personnel with access to CJI to undergo fingerprint-based background checks. While Kiteworks does not perform background checks, it supports personnel security through:
- User provisioning workflows that can be integrated with personnel screening processes
- Access controls that prevent unscreened personnel from accessing CJI
- Automated de-provisioning when personnel clearances are revoked
- Documentation and tracking of user access authorizations
Systems and Communications Protection
CJIS Policy Area 10 addresses the protection of systems and communications carrying CJI. Kiteworks provides:
- Boundary Protection: Built-in web application firewall (WAF), network firewall, and intrusion detection systems.
- Network Segmentation: Kiteworks' hardened virtual appliance creates a secure boundary between internal systems and external communication.
- Data Loss Prevention: Content inspection and policy enforcement prevent unauthorized disclosure of CJI.
- Secure Communication Channels: All communications are encrypted and authenticated, preventing interception or tampering.
Access Control Enforcement
Kiteworks implements the access control requirements specified in CJIS Policy Area 5:
- Role-based access controls limiting CJI access to authorized personnel only
- Least-privilege enforcement ensuring users can only access information necessary for their duties
- Geographic and IP-based access restrictions
- Time-based access policies for shift workers and temporary assignments
- Granular folder and file-level permissions
Media Protection and Sanitization
CJIS Policy Area 8 requires proper handling, transport, and disposal of media containing CJI. Kiteworks supports this through:
- Encrypted Storage: All CJI stored in Kiteworks is encrypted, rendering it unreadable without proper authorization.
- Secure File Deletion: When files are deleted, Kiteworks ensures proper sanitization of storage media.
- Download Controls: Prevent unauthorized downloads of CJI to uncontrolled media.
- Digital Rights Management: Control what recipients can do with CJI after it has been shared.
Mobile Device Security
CJIS Policy Area 13 addresses the unique security challenges of mobile devices accessing CJI. Kiteworks provides:
- Secure mobile applications with encrypted containers for CJI
- Remote wipe capabilities for lost or stolen devices
- Mobile device authentication requirements including MFA
- Offline access controls and automatic cache clearing
- Integration with mobile device management (MDM) solutions
Cloud Computing Requirements for CJI
As agencies increasingly consider cloud solutions, CJIS imposes specific requirements for cloud environments hosting CJI. Kiteworks meets these requirements through:
- FedRAMP Authorization: Kiteworks holds FedRAMP High authorization, meeting the highest federal cloud security standards.
- Single-Tenant Architecture: Dedicated instances ensure CJI is never commingled with other customers' data.
- Data Location Controls: Specify exactly where CJI is stored within U.S. boundaries.
- Contractual Safeguards: Kiteworks supports the execution of CJIS Security Addendums for cloud service providers.
Incident Response Reporting
CJIS Policy Area 3 requires documented incident response procedures and timely reporting. Kiteworks enables:
- Real-time security alerts for potential CJI breaches or policy violations
- Detailed forensic data for incident investigation
- Automated notification workflows for required incident reporting
- Integration with FBI CJIS Division incident reporting procedures
- Post-incident analysis tools for identifying root causes and preventing recurrence
By leveraging Kiteworks' comprehensive security controls, law enforcement agencies and their partners can confidently share criminal justice information while maintaining full compliance with FBI CJIS Security Policy requirements.
