Welcome to the LASO and CSP Survival Guide. I created this as a resource for myself when I accepted LASO duties to keep our agency CJIS compliant. There's a lot of material to keep track of, but hopefully this collection of information is useful to you and your agency as well.
Most of this LASO information should be timeless, but a few updates will be required over time.
Update: I moved into another area of focus and no longer perform LASO duties for my agency. If this resource has helped you, feel free to suggest changes or improvements.
It's also worth mentioning your agency will have different policies and procedures so you may have to adapt this guide to fit your needs.
1.0 LASO Position Details
1.1 LASO Personnel Possibilities
- A member of the Local IT Department
- A member of a contracted IT Department
- A member of the city IT Department
- A member of the county IT Department
- A person with a business administration background
- A person with a background in policy adherence or development
If not within the agency, the role of IT supervision can be contracted out to a master IT department.
For example, a Sheriff’s Office can use the main County IT department.
1.2 LASO Required Duties
- Identify who is using the CSA approved hardware, software, and firmware and ensure no unauthorized individuals or processes have access to the same.
  - This is mostly an IT role: deciding what hardware will be used within the agency.
- Agencies shall manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts.
  - This is important for employees leaving your agency as well. Make sure you disable their web accounts so they can no longer be accessed.
  - Your agency should handle this by implementing a policy that covers access to the CSA's Crime Information Center (CIC) for new, terminated, or transferred employees.
- Identify and document how the equipment is connected to the state system.
  - A network map showing the conceptual connections between the various agencies.
- Ensure that personnel security screening procedures are being followed as stated in the latest CJIS Security Policy (CSP).
  - Fingerprint each employee and submit the prints to ID Services within 30 days of employment.
  - Employees must be fingerprinted again for each new law enforcement agency (lateral hires).
  - Don't forget to email the ID Services staff once an employee has separated from your agency so their CJIS Security flag can be deactivated.
- Ensure the approved and appropriate security measures are in place and working as expected.
  - This is very specific to your agency and depends on how its IT needs are structured.
- Support policy compliance and ensure the CSA ISO is promptly informed of security incidents.
  - Once your agency has established internal policies addressing the needed CJIS Security Awareness topics, make sure all employees follow the policies, have access to them, and are aware of the consequences of breaching them.
  - See the provided sample protocols, which you can customize to your agency and its needs.
  - Implement an Incident Response Plan within your agency.
1.3 Sample Position Information
If the position that carries the LASO duties is a Coordinator, Information Security Officer, or security manager, the job description may look something like this:
Under the general direction of the Director of Information Technology, the Information Security Officer (ISO) is responsible for the development and delivery of a comprehensive information security program for the Departments and Divisions of the organization, collectively referred to as the Org. The scope of this activity is Org-wide and includes information in electronic, print and other formats.
The purposes of this program include: to assure that information created, acquired, received by or maintained by the Org, and the information technology infrastructure is protected from external or internal threats; and to assure that the Org complies with statutory and regulatory requirements regarding information access, security, and privacy. This position will also develop and maintain comprehensive systems, network, and application documentation.
1.3.1 Examples of Duties
Function as the LASO per the Criminal Justice Information Services Security Policy to ensure compliance with the FBI CJIS Security Policy and all applicable security requirements of the criminal justice information network and systems. Act as the Director's designee representing the Org on information security matters; serve as the responsible Org contact person for external agencies and for audits, including the CJIS triennial Technical Audit.
Coordinate the development of Org information security and other policies, standards, procedures and processes. Work with the IT divisions and data custodians in the development of such documents. Ensure that Org policies support compliance with external requirements. Oversee the dissemination of policies, standards and procedures to the Org departments, divisions and users.
Coordinate the development and delivery of an education and training program on information security for employees and other authorized users. Coordinate with Human Resources to document security training in the employee’s permanent file.
Develop and implement an ongoing risk assessment program targeting information security; recommend methods for vulnerability detection and remediation and oversee vulnerability testing. Maintain an inventory of all sources of PHI and PII; identify and document the risks associated with these sources; identify and document the likelihood and impact of each risk; and identify methods of mitigating or eliminating each risk.
Serve as the Org security compliance officer and LASO with respect to all State and Federal information security policies and regulations, including but not limited to HIPAA, PCI, CJIS, the Patriot Act, etc. Prepare and submit any required reports to external agencies.
Identify users of CJIS approved hardware, software and firmware and ensure no unauthorized individuals or processes have access to this hardware, software or firmware.
Ensure that CJIS personnel security screening measures are in place and working as expected.
Ensure appropriate physical and digital security is maintained for all areas where CJI, PII, PHI or other covered data is accessed or stored.
Perform audits and inspections of internal Org operations and business associates, its agents, or sub-contractors to ensure compliance.
Work with the Org designated Records Management Liaison Officer (RMLO) and IT Asset Management staff to ensure adherence to the policies and procedures.
Develop and implement an Incident Reporting and Response System to address any Org-related security incidents, including defining which incidents require a response and what level of response is needed based on the findings of the Risk Assessment. Respond to alleged policy violations or complaints from external parties. Serve as the official Org contact point for information security, including relationships with law enforcement entities. Ensure appropriate communications are issued per statutory and regulatory requirements, including promptly notifying the CSA ISO of CJIS related security incidents.
Maintain the IT department’s Continuity of Operations Plan and maintain and coordinate the IT response with regards to other Departments and Divisions Continuity plans.
Keep abreast of the latest security legislation, regulations, advisories, alerts and vulnerabilities pertaining to the Org.
Be knowledgeable of and document the technical aspects of the Org network showing how all CJIS related equipment is connected to the Org network and to the State CJIS system and/or networks.
Maintain physical and digital documentation for all hardware, software and business systems used by the Org, including maintaining an up-to-date network diagram.
Perform other duties of a similar nature or level.
1.3.2 Training and Experience
Bachelor's Degree in Information Security, Business Administration or a related field and a minimum of 5 years' experience in information security, business system analysis, information technology or a related field; or an equivalent combination of education and/or experience sufficient to successfully perform the duties of the job as listed above.
Must complete the online LASO training available on the CSA CJ Network and complete and maintain an active certification status of Level 3 Security Awareness Training within 3 months of employment.
Certification by an industry recognized organization (e.g. Microsoft, Cisco, CompTIA, (ISC)², SANS) is preferred.
Must pass review by CJIS which includes fingerprinting, state background check through the CSA and national background check through the FBI.
1.3.3 Knowledge, Skills, and Abilities
Knowledge of CJIS and potentially other security requirements is highly desired.
Excellent written and oral communication skills are highly desired.
Ability to work collaboratively with a broad range of locations is essential.
Must be able to read, analyze and interpret general computer periodicals, technical manuals, and government publications and regulations.
Ability to effectively present information and respond to questions relating to information security functions.
2.0 Identifying Terms and Services
2.1 CSA Specific Information
- Identify the name of your CSA (CJIS Systems Agency). This is usually the state you're in.
- Find out the name of the website, portal, or network where you can go to get CJIS related information like training, news, and more.
- Find out who your CSA's Information Security Officer (ISO) is.
2.2 CSA Related Acronyms
| Acronym | Meaning |
|---|---|
| AAA | Application Access Administrator |
| CCC | Central Communication Center |
| CSC | Customer Support Center |
| NCIC | National Crime Information Center |
| DLE | Department of Law Enforcement |
| IDT | Information Delivery Team |
| PAS | Public Access System |
| RMLO | Records Management Liaison Officer |
| User | Agency using CSA services |
These are probably the more important ones you may need to know. More acronyms are available at the end of the article to help reduce the scrolling between the major content.
3.0 CJIS Security Policy
The CJIS Security Policy governs all personnel who have direct access to or unescorted proximity access to CJI. The premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, while at rest or in transit.
The CJIS Security Policy provides:
- Guidance for the creation, viewing, modification, transmission, dissemination, storage and destruction of CJI.
- Rules and mandates for every contractor, private entity, non-criminal justice agency representative, or member of a criminal justice entity with access to, or who operates in support of, criminal justice services and information.
- A security baseline: the CSP should be used as the minimum standard for security.
The full lifecycle of the CJI includes:
- Staff members making queries on terminals.
- Location of the CJIS terminals in relation to other additional staff.
- Printing of queried CJI with the actual location of the printer.
- Who has access to CJI in digital and printed form.
- How the CJI is shared or transmitted (fax, email, sending it to MDT screens, etc.).
3.1 CSP Survival Guide
- Re-read the figures.
- The use cases on page 41 are awesome.
- Become familiar with the term FIPS 140-2 certification.
  - It deals with encryption.
  - There's a page listing all the certificates for validated encryption modules.
- Appendix E contains security forms and organization entities.
You accept the attached FBI Security Addendum, acknowledging that you will maintain security compliance with federal and state laws and will access non-public facing systems for appropriate purposes only.
If a need arises to access Criminal Justice Information Systems (CJIS) directly, each user must be authorized to process or store CJIS data. Authorization is given to those who pass a fingerprint check, a background check, and security awareness training.
4.0 Security Awareness Training
The LASO is not required to administer the CJIS Security Training.
The agency will maintain the CJIS Security Training records at the local level. The training keeper can be an appointed person and not specific to a certain position, including the Terminal Agency Coordinator (TAC).
CJIS Security Awareness training shall be required within 6 months of initial assignment, and biennially thereafter, for all personnel who have access to CJI.
There are 3 types of access to CJI:
- Level 1: Physical Access
- Level 2: Physical and/or Logical Access
- Level 3: Personnel with Information Technology roles
4.1 Different Levels of Access
4.1.1 Physical Access
Who has physical access?
Anyone with unescorted (unfettered walking access to your secured location) access to areas that process or store CJI.
Common examples include the following roles:
- Building maintenance
- Radio technician vendors
4.1.2 Logical Access
Who has physical and/or logical access?
Any individual with login credentials to a machine and/or service.
4.1.3 Personnel with Information Technology Roles
What do Information Technology personnel encompass?
Anyone with unescorted access to, or who works on, devices such as networking equipment that process or store CJI.
Access can be something as simple as having a key to the door that secures the networking equipment or as complex as vendors having VPN access (unescorted) to systems that process CJI.
5.0 Implementation Information
5.1 Physically Secure Location Versus Controlled Area
5.1.1 Physically Secure Location
A physically secure location is a facility, a police vehicle, or an area, a room, or a group of rooms within a facility with both the physical and personnel security controls sufficient to protect CJI and associated information systems.
The physically secure location is subject to criminal justice agency management control; SIB control, FBI CJIS Security addendum, or a combination thereof.
5.1.2 Controlled Area
If an agency cannot meet all of the controls required for establishing a physically secure location, but has an operational need to access or store CJI, the agency shall designate an area, a room, or a storage container, as a controlled area for the purpose of day-to-day CJI access or storage.
The agency shall, at a minimum:
- Limit access to the controlled area during CJI processing times to only those personnel authorized by the agency to access or view CJI.
- Lock the area, room, or storage container when unattended.
- Position information system devices and documents containing CJI in such a way as to prevent unauthorized individuals from access and view.
- Follow the encryption requirements found in Section 5.10.1.2 for electronic storage (i.e. data "at rest") of CJI.
5.2 CJIS AA Notes
Advanced authentication will be required for law enforcement personnel accessing NCIC criminal justice information outside of a secure location.
Authentication refers to the process of verifying a user's identity when requesting secure access to CJIS systems. Typical one-factor authentication is when a user logs in with only a username and password.
Advanced authentication, or "two-factor authentication" (2-step, multifactor), requires an additional, separate factor or credential in order to complete the log-in process.
The second credential is often a one-time PIN (OTP) obtained from something the user physically has in their possession. These OTPs cannot be memorized like standard passwords because they are designed to change every time the user logs in. An OTP can be delivered through SMS, a phone app, a hard token, or a paper token.
AA is required for those who access NCIC CJI from a mobile data terminal or handheld device outside of a physically secure location. It's also required for those who access remotely from an unsecured location.
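The OTP mechanism described above, worked through as an added example (not code from the original guide): a counter-based one-time password per RFC 4226, a pre-printed "paper token" list built from it, and the server-side check that pairs it with a hypothetical password result as the first factor and refuses a code that has already been used.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a short decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def paper_token(secret: bytes, start: int, count: int) -> list:
    """The 'paper token' variant: a pre-printed list of codes, each good for one login."""
    return [hotp(secret, c) for c in range(start, start + count)]


class TokenVerifier:
    """Server-side state for one user's token (phone app, hard token or paper list).

    The server remembers the next counter it expects, so a code that was
    already used cannot be replayed, and a code from a later press is accepted
    only within a small lookahead window (the token may have been pressed
    without completing a login).
    """

    def __init__(self, secret: bytes, lookahead: int = 5):
        self.secret = secret
        self.counter = 0            # next counter value the server expects
        self.lookahead = lookahead  # how many skipped codes to tolerate

    def verify(self, password_ok: bool, otp: str) -> bool:
        # Factor 1 (something you know): the hypothetical password check is
        # done by the caller; the OTP is not even examined if it failed.
        if not password_ok:
            return False
        # Factor 2 (something you have): accept only an unused counter in the window.
        for c in range(self.counter, self.counter + self.lookahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1   # this code and every earlier one are now dead
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret: the RFC 4226 test-vector key, not a real shared secret.
    secret = b"12345678901234567890"
    v = TokenVerifier(secret)
    print(paper_token(secret, 0, 3))     # ['755224', '287082', '359152']
    print(v.verify(True, "755224"))      # True: first login
    print(v.verify(True, "755224"))      # False: the same code replayed
```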
5.3 New CJIS Connection
In order to access CJI from NCIC, NLETS, or any other CJIS, agencies are required to obtain an Originating Agency Identifier (ORI). This identifier consists of a series of letters and numbers that looks something like this: AB######C. The level of access to CJI through this system depends on 2 main factors:
- Your agency's mission
- Statutory authority as mandated by Federal and State regulations
To request an ORI you'll need to furnish the CSA with information on an agency letterhead. Plan to include items such as how your agency plans to utilize the system.
If you're a non-terminal agency, basic information is required but be prepared to have a CSA representative, the terminal agency's ORI, and a letter of agreement between your agency and the terminal agency.
Additional forms will have to be filled out and submitted to the CSA. The exact forms will vary across different CSAs.
5.4 FIPS 140-2 Certification Information
FIPS stands for Federal Information Processing Standards, the security standards published by NIST. "FIPS 140-2 certified" refers to cryptographic modules that have been tested and validated against that standard. This is essentially what the CJIS Advisory Process (the Working Groups and the Advisory Policy Board) has deemed trustworthy.
- Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules by NIST
- What needs to be encrypted for FIPS 140-2 compliance? by Info Sec Stack Exchange
- Is WinZip AES FIPS 140-2 compliant? by Winzip
The rigorous FIPS testing process eliminates a few legitimate open source options, which creates controversy about the necessity of the FIPS 140-2 certification process.
Regardless how you feel about it, it's still worth knowing what it is.
6.0 LASO Survival Guide Conclusion
Thanks for joining me. If your state agency (CSA) organizes an annual training conference, be sure to go. Networking with people and getting your questions answered are essential for great success.
If you've been appointed as a LASO or assist a LASO with similar duties, what have you learned that should be added to this list? Let me know in the comments below.
6.1 More Acronyms Addendum
Here are a few more you need to know to successfully serve as the LASO.
| Acronym | Meaning |
|---|---|
| ACL | Access Control List |
| ADPT | Automated Data Processing and Telecommunications |
| AES | Advanced Encryption Standard |
| AIS | Automated Information System |
| ALG | Application Level Gateways |
| ANSI | American National Standards Institute |
| APB | Advisory Policy Board |
| BD-ADDR | Bluetooth-Enabled Wireless Devices and Addresses |
| BYOD | Bring Your Own Device |
| CAD | Computer Assisted Dispatch |
| CAO | Contract Administration Office |
| CAU | CJIS Audit Unit |
| CCS | Common Channel Signaling |
| CDPD | Cellular Digital Packet Data |
| CFR | Code of Federal Regulations |
| CGA | Contracting Government Agency |
| CHRI | Criminal History Record Information |
| CII | Critical Infrastructure Information |
| CIRC | Computer Incident Response Capability |
| CJA | Criminal Justice Agency |
| CJI | Criminal Justice Information |
| CJIS | Criminal Justice Information Services |
| ConOps | Concept of Operations |
| CSA | CJIS Systems Agency |
| CSA ISO | CJIS Systems Agency Information Security Officer |
| CSIRC | Computer Security Incident Response Capability |
| CSO | CJIS Systems Officer |
| CSP | CJIS Security Policy |
| CTA | Control Terminal Agency |
| CTO | Control Terminal Officer |
| CUI | Controlled Unclassified Information |
| DAA | Designated Approving Authority |
| DES | Data Encryption Standard |
| DFE | Designated Federal Employee |
| DoJ | Department of Justice |
| DoJCERT | DoJ Computer Emergency Response Team |
| DoS | Denial of Service |
| EMM | Enterprise Mobility Management |
| FBI | Federal Bureau of Investigation |
| FBI CJIS ISO | FBI CJIS Division Information Security Officer |
| FIPS | Federal Information Processing Standards |
| FISMA | Federal Information Security Management Act |
| FOIA | Freedom of Information Act |
| FOUO | For Official Use Only |
| FSC | Federal Service Coordinator |
| FTP | File Transfer Protocol |
| GPS | Global Positioning System |
| GSM | Global System for Mobile |
| HTML | Hypertext Markup Language |
| HTTP | Hypertext Transfer Protocol |
| IaaS | Infrastructure as a Service |
| IAFIS | Integrated Automated Fingerprint Identification System |
| IDS | Intrusion Detection System |
| III | Interstate Identification Index |
| IPS | Intrusion Prevention System |
| IPSEC | Internet Protocol Security |
| ISA | Interconnection Security Agreement |
| ISO | Information Security Officer |
| ISP | Internet Service Provider |
| JIS | Judicial Inquiry System |
| LAI | Local Agency Instructor |
| LAN | Local Area Network |
| LASO | Local Agency Security Officer |
| LEO | Law Enforcement Online |
| LES | Law Enforcement Sensitive |
| LFOS | Limited Feature Operating System |
| LMR | Land Mobile Radio |
| MAC | Media Access Control |
| MAN | Metropolitan Area Network |
| MCA | Management Control Agreement |
| MDM | Mobile Device Management |
| MDT | Mobile Digital Terminal |
| MITM | Man in the Middle (attack) |
| MMS | Multimedia Messaging Service |
| MOU | Memorandum of Understanding |
| NCJA | Noncriminal Justice Agency |
| NexTEST | Online testing system for CJIS certification via CJNet |
| NICS | National Instant Criminal Background Check System |
| NIPC | National Infrastructure Protection Center |
| NIST | National Institute of Standards and Technology |
| NLETS | International Justice and Public Safety Network |
| OMB | Office of Management and Budget |
| ORI | Originating Agency Identifier |
| OWA | Outlook Web Access |
| PaaS | Platform as a Service |
| PBX | Private Branch Exchange |
| PDA | Personal Digital Assistant |
| PII | Personally Identifiable Information |
| PIN | Personal Identification Number |
| PKI | Public Key Infrastructure |
| POC | Point of Contact |
| PSTN | Public Switched Telephone Network |
| QoS | Quality of Service |
| RFC | Request For Comments |
| RSA | Rivest-Shamir-Adleman Public Key Encryption Algorithm |
| SA | Security Addendum (Security & Access) |
| SaaS | Software as a Service |
| SBU | Sensitive But Unclassified, see CUI |
| SCO | State Compact Officer |
| SIB | State Identification Bureau |
| SIM | Subscriber Identity Module |
| SMS | Short Message Service |
| SPRC | Security Policy Resource Center |
| SSI | Sensitive Homeland Security Information/Security Sensitive Information |
| SSID | Service Set Identifier |
| SSL | Secure Sockets Layer |
| TAC | Terminal Agency Coordinator |
| TCP/IP | Transmission Control Protocol/Internet Protocol |
| TFTP | Trivial File Transfer Protocol |
| TLS | Transport Layer Security |
| UA or U/A | CSA User Agreement |
| VLAN | Virtual Local Area Network |
| VoIP | Voice Over Internet Protocol |
| VPN | Virtual Private Network |
| WAN | Wide Area Network |
| WEP | Wired Equivalent Privacy |
| WLAN | Wireless Local Area Network |
| WPA | Wi-Fi Protected Access |