Larry Coffee
Nov 20, 2021
The More Things Change
Hope y’all had all sorts of happiness during your holidays!
Well, it has been some time since I wrote one of these and I figured now would be a good time. It has been over ten years since the CJIS Security Policy was rewritten and I want y’all to know that change is a-comin'!
Now before you go getting all excited, let me say that it is about time. The CJIS Advisory Policy Board (that’s the folks that actually approve the CSP) tries to keep up with technology and change, but it ain’t that easy. A lot of things have come along in the past ten years, and the CSP has to move along.
We all know that sometimes change isn’t easy or fun, but it must happen, and CJIS ACE wants to help y’all prepare. The good news is that it appears that the whole policy will not change in one go like it did back in 2011. It looks like the changes are going to come along in “bite-sized pieces” (my words.) Hopefully, this will make the process easier to manage and understand.
The first round of changes was approved at the December 2021 APB meeting (and still has to be signed off by the FBI Director.) The Security Policy Modernization Task Force focused on an “easier” policy section, 5.8 Media Protection. There are a couple of extra things that have been added, but they aren’t “earth-shattering KaBooms” (yes, I quoted Marvin the Martian.)
The big change is how policy will be presented in CSP. The format is changing to a style that is used in a document called NIST SP 800-53. I mention this because if you are interested it will give you an idea of where we are heading. As a bit of trivia, a lot of the existing policy has its origins in 800-53.
So, the new format of the CSP will be based on “Security and Privacy Control Families”. They are kinda like the existing sections of the current CSP.
In the new policy, the focus is on controls, and the controls are presented in a specific format:
-Title – this is the control family identifier and control name (e.g., MP-2 MEDIA ACCESS, where “MP” is the control family for Media Protection, this is the 2nd one in the family, and it’s about Media Access)
-Control – the base control which may contain organization-defined parameters (essentially, the thing that has to be done, “kinda” like the use of shall statements in the current CSP)
-Discussion – a narrative describing the control and possibly containing examples
-Related Controls – other controls from the baseline which are related (this is good because the CSP is very interconnected with policies and requirements in the other CSP sections)
-Control Enhancements – add either functionality or specificity to the base control, may contain organization-defined parameters (not all Controls have Control Enhancements, in fact, the changes approved by the APB do not have Control Enhancements, but that probably won’t be true for future changes.)
-References – sources for additional information related to the control (these will typically be other documents or publications.)
The Controls that were approved are: MP-1 Policy and Procedures; MP-2 Media Access; MP-3 Media Marking; MP-4 Media Storage; MP-5 Media Transport; MP-6 Media Sanitization; MP-7 Media Use. Notice that most of these are familiar from the existing 5.8.
I’m not going further than this right now; I’m gonna make you wait ‘til next time for more info (no binging on CSP updates for you.)
Again, CJIS ACE is here to help you understand and comply with the CJIS Security Policy; it’s part of our prime directive. For those of you who are CJIS Insight customers, Insight will move with the changes and keep your existing information intact.
I’m looking forward to working with y'all in the coming year, give us a call and see how CJIS ACE can help you.
Y’all take care!