Inside the New CJIS Security Policy Requirements: What You Need to Know
Posted on March 4, 2025 by Jason Franks
The 2024 update to the Criminal Justice Information Services (CJIS) security policy introduces several new requirements designed to enhance data protection and compliance. This blog focuses on four key areas: policies and procedures, software and usage restrictions, configuration change control, and configuration baselines and automation. Understanding these updates is essential for agencies striving to meet evolving security standards and safeguard critical information.
Policies and Procedures
Policies and procedures form the governance layer of cybersecurity. Without them, security initiatives lack consistency, accountability, and enforcement. They also define acceptable use and access control and guide the development of incident response, configuration management, and risk management processes. Effective policies and procedures make a structured, enforceable security framework possible, help personnel better understand their security responsibilities, and enable effective audits and enforcement to ensure compliance.
Best practices for crafting and implementing effective policies and procedures include the following:
- Define security objectives aligned with business goals.
- Develop policies for key areas: access control, data protection, change management, incident response, and compliance.
- Ensure that procedural guidance supports policies (e.g., how to conduct vulnerability scans, change controls, or user-access reviews).
- Train employees and enforce adherence to policies and procedures.
- Regularly review and update policies and procedures as threats evolve.
Software Usage Restrictions
Software usage restrictions are critical because uncontrolled software installations create security gaps, increasing malware, shadow IT, and compliance risks. (Shadow IT refers to employees using IT resources without approval; it can lead to data breaches, compliance violations, and an expanded attack surface.) Without such restrictions, attackers can more easily leverage unauthorized applications and vulnerable software to gain an initial foothold. Restrictions on software execution help mitigate zero-day threats and reduce the attack surface.
Examples include application allowlisting (also known as application whitelisting), a control that limits which applications are permitted to run on the network. Effective restrictions reduce the attack surface by preventing unauthorized software from running, improve compliance with regulations that require software control, and limit malware and ransomware incidents by reducing the available execution paths.
Best practices for implementing software usage restrictions include the following:
- Create an allowlist (i.e., approved applications and services).
- Use group policies, mobile device management, or endpoint security tools to enforce software restrictions.
- Monitor application usage via endpoint security logs and audit reports.
- Limit administrative privileges to block unauthorized software installations.
- Implement sandboxing, a cybersecurity tactic that isolates untrusted programs in a controlled environment, and/or containerization, which packages applications in self-contained units that run on a shared operating system so that malicious code in one “container” doesn’t affect others.
Configuration Change Control
Misconfigurations are one of the leading causes of cybersecurity breaches. Unauthorized changes can introduce vulnerabilities, weaken defenses, and degrade security monitoring. Effective configuration change control ensures that only approved and tested changes are deployed, reducing operational risk. It also prevents unauthorized or accidental changes that introduce cybersecurity risk, improves accountability and traceability of configuration modifications, and ensures that systems remain compliant with security baselines.
Best practices for implementing configuration change control include the following:
- Establish a Change Advisory Board (CAB) to review security-impacting changes.
- Define change-control procedures (e.g., who approves, how changes are tested, rollback plans).
- Use a ticketing system (e.g., Jira, ServiceNow) to track and document changes.
- Implement version control and automated deployment tools to enforce consistency.
- Perform post-change validation to confirm that security settings remain intact.
Configuration Baselines and Automation
Configuration baselines and automation are essential for ensuring that all systems start in a secure state and remain consistent over time. They also reduce human error by enforcing predefined security settings, and they support compliance and continuous monitoring by keeping environments uniform. The results are reduced security risk from misconfigurations, improved consistency across all environments, fewer vulnerabilities, and faster deployment of security updates and patches.
Best practices for implementing configuration baselines and automation include the following:
- Develop security baselines based on Security Technical Implementation Guides, Center for Internet Security Benchmarks, and/or the National Institute of Standards and Technology Cybersecurity Framework.
- Use automation tools (e.g., Ansible, Terraform, Microsoft System Center Configuration Manager, Intune) to deploy and enforce baselines.
- Monitor compliance using a Security Information and Event Management (SIEM) system or compliance-assessment tools (e.g., Nessus, Microsoft Defender for Endpoint).
- Perform regular audits to identify drift and automatically remediate deviations.
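The drift audit in the last bullet, together with the post-change validation recommended under Configuration Change Control, as an added example that is not from the post or from any of the tools it names: a Python check that compares a host's observed settings with a declared baseline, reports every deviation (including settings that are missing), derives the values to enforce, and flags regressions introduced by a change. The setting names, comparison rules, and host states are constructed, modelled loosely on CIS/STIG-style controls.

```python
import operator
from typing import Any, Dict, List, Tuple

# Constructed baseline (hypothetical setting names, CIS/STIG-style): setting -> (op, required)
BASELINE: Dict[str, Tuple[str, Any]] = {
    "password_min_length": (">=", 14),
    "account_lockout_threshold": ("<=", 5),
    "audit_logging_enabled": ("==", True),
    "smb_v1_enabled": ("==", False),
    "screen_lock_timeout_min": ("<=", 15),
}
_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}

def find_drift(observed: Dict[str, Any]) -> List[Tuple[str, Any, str, Any]]:
    """Return (setting, observed, op, required) for each baseline deviation. A setting
    absent from the host is drift too: an unknown state cannot be assumed compliant."""
    drift = []
    for setting, (op, required) in BASELINE.items():
        value = observed.get(setting)
        if value is None or not _OPS[op](value, required):
            drift.append((setting, value, op, required))
    return drift

def remediation_plan(drift: List[Tuple[str, Any, str, Any]]) -> Dict[str, Any]:
    """Value to enforce per drifted setting: the required value (for >= / <= the
    boundary is the least disruptive compliant choice)."""
    return {setting: required for setting, _, _, required in drift}

def validate_change(before: Dict[str, Any], after: Dict[str, Any]) -> List[str]:
    """Post-change validation: settings compliant before the change but not after."""
    before_bad = {s for s, *_ in find_drift(before)}
    return sorted(s for s, *_ in find_drift(after) if s not in before_bad)

# Constructed host state before and after a hypothetical change that weakened it
HOST_BEFORE = {
    "password_min_length": 14,
    "account_lockout_threshold": 5,
    "audit_logging_enabled": True,
    "smb_v1_enabled": False,
    "screen_lock_timeout_min": 15,
}
HOST_AFTER = dict(HOST_BEFORE, smb_v1_enabled=True, password_min_length=8)
HOST_AFTER.pop("audit_logging_enabled")  # the change removed this setting entirely

if __name__ == "__main__":
    for setting, value, op, required in find_drift(HOST_AFTER):
        print(f"DRIFT {setting}: observed={value!r}, required {op} {required!r}")
    print("regressions:", validate_change(HOST_BEFORE, HOST_AFTER))
    print("enforce:", remediation_plan(find_drift(HOST_AFTER)))
```

In practice the observed dictionary would be collected by the configuration tool or endpoint agent, and the remediation plan fed back to it; the comparison logic is the same regardless of source.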
Governance, Risk, and Compliance (GRC) in the CJIS Security Policy
The latest CJIS security policy updates align closely with governance, risk, and compliance (GRC) principles, reinforcing the need for a structured, repeatable approach to cybersecurity and regulatory adherence. Governance sets the policies and oversight necessary to enforce software-usage restrictions and configuration controls. At the same time, risk management ensures that cybersecurity threats, misconfigurations, and operational vulnerabilities are continuously assessed and mitigated. Compliance, the third pillar of GRC, enables agencies to track security baselines, implement automation, and maintain audit readiness. By integrating a GRC framework, agencies can not only meet CJIS requirements but also strengthen overall cybersecurity maturity, ensuring long-term resilience against evolving threats.
A future blog will explore the remaining four new CJIS requirements — impact analysis and control verification; enhanced system inventory requirements; configuration settings best practices; and protecting information location — so stay tuned!
Jason Franks is an MCP cybersecurity analyst. Email him at JasonFranks@MissionCriticalPartners.com.
Topics: Cybersecurity