How a Change-Control Board Can Help You Comply with the CJIS Security Policy Mandate
Posted on March 24, 2025 by Jason Franks
The 2024 updates to the Criminal Justice Information Services (CJIS) security policy mark a significant shift, clearly focusing on enhancing configuration management. From maintaining accurate baseline configurations to ensuring comprehensive change control, these updates aim to strengthen how public-safety and justice organizations manage their systems and data.
Configuration management is the backbone of effective security practices, ensuring that criminal justice information (CJI) systems are secure, stable, and compliant. By introducing new measures like baseline configurations, automated tools for detecting unauthorized changes, and robust change-management processes, CJIS has made it clear that the integrity of systems and data starts with how they are managed and monitored.
New requirements identified in CJIS 5.9.5 include:
- Policy and procedures
- Configuration baselines and automation
- Configuration change control
- Impact analysis and control verification
- Enhanced system inventory requirements
- Configuration settings best practices
- Software and usage restrictions
- Protecting information location
There is a great deal of configuration-management guidance to absorb. One practical way to put it into action is to establish a change-control board (CCB), a proven strategy for aligning with the updated CJIS requirements, particularly those pertaining to configuration management. A well-structured CCB ensures systematic oversight of changes, reduces risk, and enhances accountability in managing criminal-justice information.
A CCB is a formal body comprised of stakeholders responsible for evaluating, approving, or rejecting proposed changes to system configurations, policies, and processes. Its primary goal is to assess the potential impact of changes on security, privacy, and operational continuity, even for something as simple as a software patch. A CCB also helps to guide the organization on what to do if the implemented changes fail to have the anticipated effect.
Traditionally, public safety and justice organizations have approached network and system changes in an ad hoc manner with little, if any, structure. Given today's heightened cybersecurity risks and the profound damage a breach can cause, it is imperative that organizations take a different approach. A CCB delivers the structure that every organization needs, regardless of expertise or resources.
The following is a step-by-step approach to implementing a CCB:
- Define the purpose and scope — The CCB should focus on managing configuration-controlled changes, including hardware, software, and procedural updates that affect CJIS compliance. For example, if an organization implements a new vulnerability-scanning tool, the CCB would evaluate its integration, security implications, and alignment with the CJIS requirements.
- Form the CCB team — Core members should include the following, at a minimum:
  - IT security officer or virtual chief information security officer (to ensure compliance with security policies).
  - Privacy officer (to address privacy implications).
  - System administrators (to assess technical feasibility).
  - Operational staff (to understand functional impact).
  - Business stakeholders (to align with strategic goals).
- Establish processes and procedures — The CCB operates on a structured change-management process that includes the following:
  - All changes are submitted using a standardized change-request form, documenting the purpose, scope, and expected impact.
  - The CCB then reviews the request, conducts an impact assessment, and identifies security and privacy implications.
  - Decisions are recorded, and approved changes are scheduled for implementation.
  - Planned changes undergo testing to verify that they meet the intended security and functional requirements.
  - Approved changes are implemented with CCB oversight.
  - All activities are logged and retained for at least two years.
- Automate where possible — examples include:
  - Using ticketing systems for change requests and tracking.
  - Deploying configuration-management tools to detect unauthorized changes automatically.
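The last two steps above (a recorded baseline plus a CCB ledger of approved changes) are what makes automated detection of unauthorized changes possible. The following is an added illustration, not code from the original post or from MCP: it hashes a baseline of configuration files, compares the current state against it, and classifies each difference as covered by a CCB ticket or unauthorized. All file paths, contents and the `CHG-0042` ticket are constructed sample data.

```python
import hashlib

# Constructed sample data (not from any real system): the CCB-approved baseline
# of three configuration files, expressed as path -> file content.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/audit/auditd.conf": b"max_log_file_action = keep_logs\n",
    "/etc/motd": b"Authorized use only.\n",
}

# Constructed current state: one CCB-approved edit (sshd_config), one edit
# nobody approved (auditd.conf), and one file added outside the change process.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n",
    "/etc/audit/auditd.conf": b"max_log_file_action = ignore\n",
    "/etc/motd": b"Authorized use only.\n",
    "/etc/cron.d/nightly-sync": b"0 2 * * * root /usr/local/bin/sync.sh\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """Baseline manifest: path -> SHA-256 of the approved content."""
    return {path: sha256_hex(content) for path, content in files.items()}

# Constructed CCB ledger: each approved change names the ticket, the path, and
# the hash the file must have after the change (recorded when the CCB approved
# it). An approved removal would carry expected_sha256 = None.
APPROVED_CHANGES = [
    {"ticket": "CHG-0042", "path": "/etc/ssh/sshd_config",
     "expected_sha256": sha256_hex(CURRENT_FILES["/etc/ssh/sshd_config"])},
]

def detect_drift(baseline: dict, current: dict, approved: list) -> list:
    """Classify every difference between the baseline and current manifests.

    Returns (path, status, ticket) tuples, where status is 'approved' when the
    new hash matches a CCB-approved change record for that path, and
    'unauthorized' for any modification, addition or removal with no record.
    """
    expected = {(c["path"], c["expected_sha256"]): c["ticket"] for c in approved}
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if baseline.get(path) == current.get(path):
            continue  # unchanged since the approved baseline
        ticket = expected.get((path, current.get(path)))
        findings.append((path, "approved" if ticket else "unauthorized", ticket))
    return findings
```

In practice the manifest would be built from the real filesystem and the ledger pulled from the ticketing system; every unauthorized finding is a change-control incident to log and investigate.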
Future blogs will explore the updated CJIS requirements identified earlier in this blog in more depth. In the meantime, we would welcome the opportunity to help your organization meet them, so please reach out.
Jason Franks is an MCP cybersecurity analyst. Email him at JasonFranks@MissionCriticalPartners.com.