Blog

What’s New in CJIS 5.9.5 as it Relates to Firmware Security?

The Criminal Justice Information Services (CJIS) is a division of the US Federal Bureau of Investigation (FBI) that is the centralized source of criminal justice information (CJI) for state, local, and federal law enforcement and criminal justice agencies and authorized third parties. To ensure the protection of CJI, which provides critical data on fugitives and missing persons from the National Crime Information Center and fingerprint data from the Integrated Automated Fingerprint Identification System, the FBI created the CJIS Security Policy document — a set of guidelines and regulations agencies utilizing CJI and the vendors that work with them must adhere to in order to meet the security requirements of handling protected information.

With the release of the CJIS 5.9.5 security policy, priority designations have been added to the modernized controls. These designations are intended to help agencies prioritize implementation of processes and solutions to achieve compliance with these security controls.  As indicated below, requirements existing prior to the modernization effort as well as requirements designated as P1 in the modernization effort are the top priority and will become sanctionable as of October 1, 2024. All requirements listed as a priority of P2 or lower will be part of a modernization cycle beginning on October 1, 2024 and ending on September 30, 2027. A list of these priority designations can be found in the security policy PDF as well as in the requirements companion document v5.9.5 (Excel file).  

How does Eclypsium Help?

Eclypsium is uniquely positioned to provide agencies with automated and continuous verification of firmware integrity as well as vulnerability and threat detection within system components running firmware or devices with firmware based operating systems. The Eclypsium platform will track adherence to related CJIS security policy, provide details about any compliance issues, recommendations for resolution, as well as the capability to deploy the latest firmware to supported devices directly from the Eclypsium console. 

The list below summarizes the Priority 1 security controls in CJIS Security Policy v 5.9.5 that Eclypsium addresses. Naturally, these are not the only CJIS controls where Eclypsium applies, but we wanted to focus on the most urgent requirements for the sake of brevity.

SI – System and Information Integrity

The SI family of controls includes a variety of P1 requirements that directly require deep firmware security capabilities. SI-2 Flaw Remediation requires teams to address all Critical severity vulnerabilities within 15 days and all High vulnerabilities within 30 days. Eclypsium’s firmware security platform specializes in detecting low-level firmware vulnerabilities that are typically missed by traditional scans and can assist teams to apply the appropriate updates. SI-7 includes multiple requirements related to the ongoing monitoring of the integrity of system firmware. This includes ensuring that firmware has not been altered or tampered with in the supply chain, during a security incident, or during the normal operation of a system.

Security ControlPriorityDeadline
SI-2 Flaw Remediation
P1Oct 1, 2024
SI-3 Malicious Code ProtectionP1Oct 1, 2024
SI-4 System MonitoringP1Oct 1, 2024
SI-7 Software, Firmware and Information IntegrityP1Oct 1, 2024

CM – Configuration Management

One of the biggest changes in version 5.9.5 is the introduction of the CM family of controls. This includes P1 requirements for agencies to maintain detailed configuration baselines (CM-2) and configuration settings (CM-6). The policy calls out the importance of using automated mechanisms such as firmware inventory tools to meet these requirements. CM-8 additionally requires teams to maintain an inventory of components within a system that includes hardware, software, and firmware. Eclypsium can automate the documentation and ongoing monitoring of dozens of components within a system down to the most fundamental firmware.

Security ControlPriorityDeadline
CM-2 Baseline ConfigurationP1Oct 1, 2024
CM-6 Configuration SettingsP1Oct 1, 2024
CM-8 System Component InventoryP1Oct 1, 2024

RA – Risk Assessment

The RA family sets further requirements for scanning and addressing vulnerabilities within systems. The RA controls reiterate the same deadlines seen in SI-2 Flaw Remediation for addressing vulnerabilities (Critical–15 days, High–30 days, Medium–60 days, Low–90 days). The requirements further call out the importance of scanning “infrastructure components (e.g., switches, routers, guards, sensors)…which are often overlooked.”

Security ControlPriorityDeadline
RA-5 Vulnerability Monitoring and ScanningP1Oct 1, 2024

Conclusion

CJIS compliance is one of the most stringent and comprehensive cybersecurity protocols, and its requirements help proactively defend against cyberattacks. Failure to comply with it can lead to denial of access to information in the CJIS system, as well as monetary fines and possible criminal charges. Naturally, it will be a priority for agencies such as local police departments and sheriff’s departments to not only address these requirements, but also to do so efficiently with their existing staff. Eclypsium’s platform is purpose-built for exactly this need. View a sample CJIS compliance report from Eclypsium for an idea of the type of visibility the platform provides. If you’d like to discuss how Eclypsium can help you meet CJIS requirements, contact us.