Law enforcement agencies depend on fast, reliable access to highly sensitive information. In many cases, this information comes from the FBI’s Criminal Justice Information Services division known as CJIS. CJIS is the largest division within the FBI and provides critical data on fugitives and missing persons from the National Crime Information Center (NCIC) and fingerprint data from the Integrated Automated Fingerprint Identification System (IAFIS).
Naturally, the FBI must also ensure that the information it shares remains as safe as possible. This is the purview of the CJIS Security Policy, which lays out detailed and auditable cybersecurity requirements for the many state and local law enforcement agencies that use CJIS information and services.
Like other standards governing federal data, CJIS requirements are based on the security controls defined in NIST’s SP 800-53. As firmware and supply chain security have become priorities within SP 800-53, they have likewise become priorities in the CJIS Security Policy. And for law enforcement agencies, this means that they will likely have hard new cybersecurity requirements that aren’t addressed by their traditional security tools. Let’s take a closer look.
Action Required
For most organizations, firmware and supply chain security have already been on their cybersecurity to-do list. However, the start of a new DOJ audit cycle has moved these issues to the top of the list. As of October 1st, 2023, organizations will need to meet the requirements defined by CJIS Security Policy 5.9.2, which introduces a variety of new firmware-specific requirements. This update to CJIS policy was first published in December of 2022, so agencies have had a bit of time to prepare. But as of October, organizations are out of runway and need to meet the following requirements.
SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
The new CJIS Security Policy 5.9.2 introduces an entirely new section dedicated to the integrity of critical code in an organization. Specifically, section SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY sets new requirements to perform firmware integrity checks and to address firmware in detection and response processes.
SI-7 (1) Integrity Checks
Perform an integrity check of software, firmware, and information systems that contain or process CJI at agency-defined transitional states or security relevant events at least weekly or in an automated fashion.
Discussion: Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort.
SI-7 (7) Integration of Detection and Response
Incorporate the detection of the following unauthorized changes into the organizational incident response capability: unauthorized changes to established configuration setting or the unauthorized elevation of system privileges.
Discussion: Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges.
These requirements are quite clear and are outside the scope of common security tools such as an EDR. Such tools may at best try to check firmware for matches against known threats, but they do not have the vast industry database needed to verify the integrity of what firmware should be present within devices and components.
Eclypsium’s platform directly addresses these requirements in a highly automated and simple way. Simple scans can verify that all critical device code is valid and unaltered and can audit detailed configuration settings to identify problems that could allow attackers to elevate privileges.
SI-2 FLAW REMEDIATION
Section SI-2 clearly calls out that firmware must be addressed as part of an organization’s vulnerability management program.
Install security-relevant software and firmware updates within the number of days listed after the release of the updates;
• Critical – 15 days
• High – 30 days
• Medium – 60 days
• Low – 90 days;
Discussion: The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities.
This is another requirement that can require law enforcement agencies to make some important changes. Many organizations lack the tools and processes needed to identify firmware vulnerabilities and apply updates in a timely manner. It is not uncommon for firmware to be years out of date, much less have a program to update firmware on a 15- to 30-day schedule. And once again, many traditional vulnerability scanners struggle to see down to the firmware level or know when new firmware updates are available, especially for components.
Eclypsium once again guides organizations through all phases of the vulnerability management process. The platform identifies if firmware is out of date, identifies and prioritizes any detected vulnerabilities, and helps staff to apply updates.
What’s Around the Corner
Cybersecurity is always a moving target as defenders must constantly adapt to changing risks and threats. And even though current CJIS audits must align to version 5.9.2 of the CJIS policy, it is important to note that version 5.9.3 was already published in September 2023.
This next version of the policy maintains the previous updates and includes a variety of new requirements. This includes AC-4 INFORMATION FLOW ENFORCEMENT which requires organizations to “consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement.” This will require organizations to audit network devices and security appliances, which have been heavily targeted by threat actors. Eclypsium provides one of the only options in the industry for detecting if networking devices have been compromised as part of an attack.
Additionally, version 5.9.3 further expands supply chain security and coordination. Supply chain incidents are specifically mentioned in regard to IR-4 INCIDENT HANDLING, IR-5 INCIDENT REPORTING, IR-8 INCIDENT RESPONSE PLAN, and MA-2 CONTROLLED MAINTENANCE.
These examples make it clear that firmware and supply chain security are not a flash in the pan for law enforcement agencies. Security teams have hard requirements that they need to meet today and will have more in the future. Naturally, it will be a priority for agencies such as local police departments and sheriff’s departments to not only address these requirements, but also to do so efficiently with their existing staff. Eclypsium’s platform is purpose-built for exactly this need. To learn more about how we can help you pass your next CJIS audit and improve your security posture, contact us at [email protected].
