CJIS-Mandated Vulnerability-Management Deadline is Fast Approaching — Are You Ready?

Last December, the FBI’s Criminal Justice Information Services (CJIS) division issued a mandate that law-enforcement organizations wanting to access its databases must have a cybersecurity vulnerability-management program in place by October of this year.

It makes perfect sense that CJIS would issue this mandate. As the adage goes, a chain is only as strong as its weakest link. What that means, in this case, is that CJIS can ill afford to have its systems and databases compromised by cyberattacks and wants to ensure that the organizations that access those systems and databases have adequate cybersecurity protections in place. If they don’t, then any malware that has infiltrated a law-enforcement organization’s networks and systems could be transferred unwittingly to CJIS’s.

Such an event would be disastrous, considering that law-enforcement organizations nationwide rely on the ability to query CJIS databases for a wide variety of purposes. Examples of CJIS data regularly leveraged by law-enforcement agencies include:

• Criminal histories (e.g., arrests and incarcerations)
• Fingerprints and other biometric information
• Warrants issued (e.g., arrest and bench)
• Firearm transactions (for background checks)
• Registered sex offenders

CJIS plans to start auditing organizations in October. At this point, it is unclear what sanctions it will impose if it discovers that an organization has not complied with this mandate. Equally unclear is the definition of what will constitute compliance. However, it is reasonable to think that CJIS will deny access to its systems and databases to any organization that hasn’t passed muster.

Let me start by defining the term “vulnerability” in this context. It is a weakness in information systems, system security procedures, internal controls, or system implementation that could be exploited or triggered by a cyberattack.

A robust vulnerability-management program is designed to identify, evaluate, and mitigate weaknesses in an organization's information systems and associated controls. At its core, this program involves regular and comprehensive scanning of systems for vulnerabilities and prioritizing them based on potential impact and likelihood of exploitation. The program should integrate seamlessly with an organization’s existing security infrastructure, e.g., firewalls and intrusion-prevention solutions. It also should incorporate automated tools and expert analysis to ensure timely detection of new risks. Finally, an effective vulnerability-management program also entails a well-defined process for patch management and the implementation of appropriate security measures to address identified weaknesses.

But that’s just the beginning. No matter what an organization does, it is extremely likely that cyberattackers will worm their way into its network infrastructure and then search, often for months at a time, for vulnerabilities that can be exploited. The following are the most common mistakes that we uncover when working with clients:

• Processes and tools that enable the organization to manage its cybersecurity vulnerabilities are lacking.
• Automated network and system monitoring tools are lacking.
  • Monitoring should occur at least monthly — weekly and daily are even better.
• An automated patch-management process is lacking.
• Port scanning, which enables an organization to determine whether any ports have been left open inadvertently, is lacking.
• An inventory of devices operating on the network is not conducted regularly, if at all.
• Password auditing tools or processes are lacking.
• The organization fails to keep up with security patches that vendors issue.
• The organization fails to stay abreast of information and emerging or evolving vulnerability trends.
• Organizations that do stay abreast often fail to act upon what they learn promptly.

It is quite possible that organizations — especially smaller ones with limited resources — might not be able to have a comprehensive vulnerability-management program in place. But we believe that it is essential to be able to demonstrate to CJIS that significant progress has been made with more to come in the short term.

MCP’s cybersecurity team can help you establish the processes and procedures that you need, and we recently launched a vulnerability-scanning tool that is quite effective. Let us put our know-how to work to keep you out of CJIS’s crosshairs — please reach out.

Jason Franks is an MCP cybersecurity analyst. Email him at JasonFranks@MissionCriticalPartners.com