Nov 5, 2024
How do you do that?
So now that October 1st is in the rearview mirror and you’re starting to realize there are a whole bunch of “Priority 1” controls that need to be addressed, I just want to remind you that there are other things out there.
I know y’all are thinking, “Larry, we got three years to prepare for those Priority 2, 3, & 4s.”
Oct 1, 2024
Pumpkin spice and CJIS Compliance fright
We are officially into October which means it is Cybersecurity Awareness Month and time for our annual Fall pun newsletter. Don’t worry, we’ll creep it short.
A number of controls from the CJIS Security Policy are now sanctionable from the following control families
Sep 3, 2024
They Want It When???
Now that we’re unofficially done with Summer, temperatures have begun to drop, right? Not here in Florida, and on top of all that there’s a whole lot of new stuff that can be sanctionable starting next month that’ll definitely keep temperatures up.
Last month I reminded everyone that the new version 5.9.5 had been released for everyone’s reading (and compliance) pleasure. Don’t worry, nothing has come out since then, but there are some things that y’all really need to pay attention to.
Aug 1, 2024
The Heat is On...
Hope your summer is going well and you’re staying cool. It’s a tad warm here in North Florida as I’m sure it’s the same where you are.
Well, things are certainly heating up in the CJIS world with the release of the latest update to the CJIS Security policy, verison 5.9.5. I reckon with the summer all nice and warm, we’re all ready to “dive in” (yes, I know it’s sad, but I am dad, so I have an excuse.)
The good news is that there’s only one section or control family that will be updated: Section 5.7 Configuration Management.
Jun 4, 2024
Are we there yet?
Hey Y’all,
It’s been awhile since my last newsletter; my apologies. They keep me busy and I’m trying to understand the modernized CJIS Security Policy (CJISSECPOL) so I can pass it along to y’all. I’m sure by now you’re well aware that we’re in version 5.9.4 (see the last CJIS ACE Newsletter from March.) If you remember properly, this journey started about a year and a half ago with the release of 5.9.1 and I can say that we are almost done with the modernization.
Mar 21, 2024
Will you accept this policy update? 🌹
Ladies and Gentlemen,
With the most dramatic version yet, the newest edition of the CJIS Security Policy, 5.9.4, hit the streets on Leap Day. You may be feeling stressed and overwhelmed with all of the new changes happening, especially if you have an audit coming up soon. You may even be thinking “This changes everything”.
We get it, we’ve been there, and we’re here to help you with your CJIS journey.
Oct 26, 2022
When is a Password not a Password?
Hello again,
Well it happened! CJIS Security Policy version 5.9.1 hit the streets on October 1st, and guess what? The world as we know it didn’t end; well, at least not yet. Don’t worry; there’s more coming.
In the next CJISSECPOL release, we’ll see the update to Section 5.6 Identification and Authentication or as the new control family is called “IA” (that’s easy, right?). This one is going to be a bit of a significant change. Heads-up, I will not be going as in-depth with this one like I did with MP. IA takes us from eight pages in the current policy to a little over 68 pages in the new one.
Sep 24, 2022
It's Almost Here
Hi Y’all,
If you’re reading this it's probably your first newsletter, or maybe you’re bored, or you’re hoping there’s going to be something good. Well, I reckon I have some news, whether it’s good or not will depend on your perspective.
As mentioned in last month’s newsletter, very solid intel says the update to the CJIS Security Policy (version 5.9.1) will be released on October 1st. Several things you need to know. First, and this may seem trivial but it is important, the current acronym for the CJIS Security policy is CSP, but once the update is out it will be CJISSECPOL. The main reason for this change is that in a future update, the term CSP will stand for credential service provider… more on that later.
Jul 27, 2022
Does Hand Sanitizer Work on Hard Drives?
Hey Y’all,
If it seems like this series is never ending, well, you’re close. There have been a lot of changes approved and more are on the way, and this is just part six of the first series! I’m hoping y’all are kinda paying attention to these “ramblings'' so you won’t be caught off guard.
NOTE: These changes have been “approved”, not been published (as of 7/27/2022). We are waiting for the FBI Director’s signature to move forward. Additionally, there may be some minor differences in what I’ve pointed out and what gets published in the CJISSECPOL (by the way that’s the new acronym for the CJIS Security Policy.) I base these newsletters on the APB Topic Papers.
The Control for this newsletter is MP-6 Media Sanitization, and once again this one’s not really new.
MP-6 Media Sanitization
Jun 22, 2022
Planes, Trains, & Automobiles
Hey Y’all,
We’re still working our way through the changes to the Media Protection Section (5.8) that were approved by the CJIS Advisory Policy Board (APB) back in December 2021. Just a quick heads up, there's still no word as to when the new policy will be released but we will be on the front lines and let you know when it appears. As soon as I hear something, I’ll send something out.
The Control for this newsletter is MP-5 Media Transportation, and it too, like the previous from the last newsletter (MP-4 Media Storage), is not really new. The BOLD emphasis is mine. And here we go...
MP-5 MEDIA Transportation
May 4, 2022
No Need for Storage Wars
I’m back!
We’re still working through the changes to the Media Protection Section (5.8) that were approved by the CJIS Advisory Policy Board (APB) back in December 2021. If all goes accordingly, you should see them in the next iteration of the CJIS Security Policy (CSP) in the next month or so.
We continue to work through the Media Protection Controls that will become part of the CJISSECPOL in the near future. The Control for this newsletter is MP-4 Media Storage, and guess what? This one is not really new.
MP-4 MEDIA STORAGE
Apr 1, 2022
Mark My Words or Media...
Hello again, Everyone!
We’re still working through the changes to the Media Protection Section (5.8) that were approved by the CJIS Advisory Policy Board (APB) back in December 2021. If all goes accordingly, you should see them in the next iteration of the CJIS Security Policy (CSP) in the next month or so.
We have two Controls down, five more to go (including this one.) The Control for this newsletter is MP-3 Media Marking. This is a new one, folks, as we haven’t seen this requirement before in the CSP (by the way, in the future the acronym “CSP” will no longer refer to the CJIS Security Policy, but more on that in another newsletter...)
MP-3 MEDIA MARKING
Feb 4, 2022
Do You Have Access?
Hey y’all,
It’s time for the next installment of “Changes to the CJIS Security Policy.” Last time I talked about the new media protection policy (MP-1). It was kinda long, so I’m gonna give y’all a break this month.
The Control for this time is MP-2 Media Access.
MP-2 MEDIA ACCESS
Control: Restrict access to digital and non-digital media to authorized individuals.
Jan 18, 2022
You Can't Choose Your Control Family
Hey y’all,
I’m back with another edition of “Changes to the CJIS Security Policy.” In our last episode, the CJIS community discovered that changes were afoot with CJIS Security Policy. Let’s continue with one of those changes.
So, the previous newsletter talked about a new format for items in the CSP. These items are called controls and they are presented as part of what is called a “Security and Privacy Control Family”, in a format that includes Title, Control, Discussion, Related Controls, Control Enhancements, References.
Nov 20, 2021
The More Things Change
Hope y’all had all sorts of happiness during your holidays!
Well, it has been some time since I wrote one of these and I figured now would be a good time. It has been over ten years since the CJIS Security Policy was rewritten and I want y’all to know that change is a-comin'!