Control Audit Matrix

Agencies must put formal agreements in place that specify security controls, roles, responsibilities, and data ownership before exchanging CJI.

Information exchange agreements must specify the security controls and conditions described in the CJIS Security Policy.

The services, reports, and records provided by the service provider shall be regularly monitored and reviewed by the agency.

The agency must maintain visibility into security aspects, including vulnerability identification and incident reporting conforming to CJIS standards.

Changes to services must be managed by the agency and include a risk evaluation based on data criticality and impact.

Develop, document, and disseminate access control policies and procedures to personnel with security responsibilities; review and update annually or after incidents.

Define account types, assign managers, and specify authorized users and attributes including ORI, Sworn Officer status, and Certification Indicators.

Support account lifecycle management using automated mechanisms and notifications.

Automatically remove temporary and emergency accounts within 72 hours.

Disable accounts within one week of expiration, policy violation, or 90 days of inactivity.

Automatically audit account creation, modification, enabling, disabling, and removal actions.

Require users to log out when a work period has been completed.

Disable accounts of high-risk individuals within 30 minutes of discovery.

Enforce approved authorizations for logical access to system resources based on applicable policies.

Provide processes to enable individuals to have access to elements of their personally identifiable information.

Prevent unencrypted CJI transmission over public networks and block spoofed internal traffic.

Identify and document separation of duties to mitigate risk to CJI; define access authorizations accordingly.

Allow only authorized accesses necessary for task completion for users and processes.

Authorize access to security functions (auditing, account management) only for privileged users.

Require privileged users to use non-privileged accounts/roles for non-security functions.

Restrict privileged accounts on the system to privileged users.

Review privileges annually to validate need; reassign or remove as necessary.

Log the execution of privileged functions.

Prevent non-privileged users from executing privileged functions.

Enforce a limit of 5 consecutive invalid attempts within 15 minutes; automatically lock the account.

Display a notification banner before granting access stating usage is restricted and monitored.

Initiate a device lock after 30 minutes of inactivity.

Conceal information previously visible on the display with a publicly viewable image when locked.

Automatically terminate a user session after a user has been logged out.

Identify and document actions that can be performed without authentication (e.g., viewing warning banner).

Establish usage restrictions and connection requirements for each type of remote access allowed.

Employ automated mechanisms to monitor and control remote access methods.

Implement cryptographic mechanisms to protect remote access sessions.

Route remote accesses through authorized and managed network access control points.

Authorize privileged commands via remote access only for compelling operational needs.

Establish configuration requirements and authorize wireless access prior to allowing connections.

Protect wireless access using authentication of authorized users and encryption.

Disable wireless networking capabilities embedded within system components when not intended for use.

Establish configuration requirements and authorize the connection of organization-controlled mobile devices.

Employ full-device or container-based encryption for mobile devices authorized to process CJI.

Establish policies governing external systems; prohibit use of personally-owned devices (BYOD) for CJI.

Permit use of external systems only after verification of controls or retention of agreements.

Restrict the use of organization-controlled portable storage devices on external systems.

Enable authorized users to determine sharing partner restrictions and employ attribute-based access control.

Designate and train individuals for public content; review proposed content for CJI and perform quarterly reviews.

An FBI authorized ORI shall be used in each transaction to identify the sending agency and ensure proper access levels.

Develop, document, and disseminate IA policy and procedures; review annually or after incidents.

Uniquely identify and authenticate organizational users and associate that identification with processes acting on their behalf.

Implement multi-factor authentication (something you know, have, or are) for access to privileged accounts.

Implement multi-factor authentication for access to non-privileged accounts.

Implement replay-resistant authentication mechanisms for access to privileged and non-privileged accounts.

Accept and electronically verify Personal Identity Verification (PIV)-compliant credentials.

Uniquely identify and authenticate agency-managed devices before establishing network connections.

Manage system identifiers by assigning unique IDs to users/devices and preventing reuse for one year.

Manage identifiers by uniquely identifying each individual as agency or non-agency.

Manage authenticators including verification of identity, refresh of memorized secrets annually, and protecting content from disclosure.

Enforce 8-character min length, salt/hash storage, and comparison against compromised lists quarterly.

CSPs creating look-up secrets must use approved random bit generators; secrets must have at least 20 bits of entropy and be used only once.

Out-of-band authenticators must use a separate encrypted channel and prove possession of a specific physical device; VoIP/Email is prohibited.

OTP keys must have 112-bit min strength; nonces must change every 2 mins; verifiers must use approved cryptography.

Software-based keys must use secure storage (TEE/TPM) and not facilitate cloning; hardware keys must have 112-bit min strength.

Enforce access to private keys, map identity to accounts, and validate certificates via trust anchors and local revocation caches.

Protect authenticators commensurate with the highest security category of information accessible through their use.

Obscure feedback of authentication information (e.g., mask with asterisks) to protect against exploitation.

Implement mechanisms for authentication to a cryptographic module that meet legal and regulatory guidelines.

Uniquely identify and authenticate non-organizational users or processes acting on their behalf.

Accept and electronically verify PIV-compliant credentials from other federal, state, local, tribal, or territorial agencies.

Accept only external authenticators that are NIST-compliant and maintain a list of accepted authenticators.

Conform to SAML or OpenID Connect profiles for identity management.

Require re-authentication when roles/credentials change, privileged functions occur, or every 12 hours.

Identity proof users requiring logical access; resolve identities uniquely and verify evidence.

Require evidence of individual identification be presented to the registration authority.

Validate/verify evidence through agency methods; resolve to a unique individual; protect PII.

Send a registration code via out-of-band channel to verify address of record; codes have fixed validity periods.

Develop and disseminate a personnel security policy and procedures; review annually or after incidents and policy changes.

Assign a risk designation to all organizational positions and establish screening criteria for individuals filling those positions.

Conduct state and national fingerprint-based record checks prior to authorizing access; felony convictions normally result in denial unless a variance is granted by the CSO/IA Official.

Disable system access within 24 hours of termination; revoke credentials, retrieve property, and conduct exit interviews on CJI/PII non-disclosure.

Review ongoing need for access upon transfer; modify authorizations and close/establish accounts within 24 hours.

Develop and update access agreements annually; verify individuals sign appropriate agreements (NDA, RoB) prior to access.

Establish security requirements for external providers; require 24-hour notification for provider personnel transfers/terminations.

Employ a formal sanctions process; notify administrators and security personnel within 24 hours of initiating an employee sanction.

Incorporate security and privacy roles and responsibilities into organizational position descriptions.

Develop, document, and disseminate an organization-level awareness and training policy and procedures; review and update annually or after incidents/policy changes.

Provide security/privacy training to all users prior to CJI access and annually thereafter; update content following incidents or CJIS policy changes.

Provide literacy training on recognizing and reporting potential indicators of insider threat, such as inordinate job dissatisfaction or unexplained financial resources.

Provide literacy training on recognizing and reporting social engineering (phishing, impersonation, baiting) and social mining attempts.

Provide specialized training for General and Privileged users covering topics like Least Privilege, Patch Management, and Audit Monitoring.

Provide specialized training for the LASO and personnel with security responsibilities, including summaries of recent state/FBI audit findings.

Provide initial and annual training on the employment and operation of PII processing and transparency controls.

Document and monitor training activities; retain individual training records for a minimum of three years.

Develop, document, and disseminate a system and communications protection policy; review annually or after security incidents.

Separate user functionality from system management functionality physically or logically.

Prevent unauthorized and unintended information transfer via shared system resources (object reuse/residual info protection).

Protect against distributed DoS and DNS attacks using boundary protection and intrusion detection/prevention.

Monitor and control communications at external managed interfaces and implement separated subnetworks for public components.

Limit the number of external network connections to the system to facilitate monitoring.

Implement managed interfaces with traffic flow policies for each external service; review exceptions annually.

Deny network communications traffic by default and allow by exception for systems processing CJI.

Prevent split tunneling for remote devices connecting to organizational systems.

Route all internal traffic to untrusted networks through authenticated proxy servers at managed interfaces.

Monitor for permitted processing of PII at external interfaces and key internal boundaries; document exceptions.

Protect the confidentiality and integrity of transmitted information, including metadata derived from CJI.

Implement cryptographic mechanisms to prevent unauthorized disclosure and detect changes to CJI during transmission.

Terminate network connections at the end of a session or after 1 hour of inactivity.

Establish and manage cryptographic keys (generation, storage, access, destruction) controlled by the agency.

Use FIPS 140-3 certified modules or validated algorithms (AES-128 min) for CJI in-transit; FIPS 140-2 unacceptable after 09/21/2026.

Prohibit remote activation of collaborative devices (cameras/mics) and provide explicit indication of use to local users.

Issue PKI certificates under an agency CA or approved provider; only include approved trust anchors in stores.

Define acceptable mobile code technologies (JavaScript, HTML5); authorize, monitor, and control their use.

Provide data origin authentication and integrity verification (DNSSEC) for authoritative name resolution queries.

Perform data origin authentication and integrity verification on name resolution responses from authoritative sources.

Ensure resolution services are fault-tolerant and implement internal and external role separation.

Protect the authenticity of communications sessions against hijacking and insertion of false info.

Protect CJI at rest outside secure locations using FIPS 140-3 certified modules (128-bit symmetric min) or FIPS 197 (256-bit min).

Implement cryptographic mechanisms to prevent unauthorized disclosure/modification of CJI at rest.

Maintain a separate execution domain for each system process to prevent unauthorized code modification.

Develop, document, and disseminate a media protection policy and procedures; review and update annually or after incidents.

Restrict access to digital (e.g., flash drives, external HDDs) and non-digital (paper, microfilm) media to authorized individuals.

Securely store media within physically secure locations; encrypt CJI on digital media if physical/personnel restrictions are not feasible.

Protect media during transport outside secure areas using encryption; maintain accountability and document all transport activities.

Sanitize or destroy media prior to disposal or reuse using 3-pass overwrite, degaussing, or crosscut shredding for physical paper.

Restrict removable media use; prohibit personally owned media and devices without an identifiable owner.

Develop and disseminate physical and environmental protection policy and procedures; review annually or after incidents.

Maintain an authorized access list for the facility; issue credentials and review the list annually or upon personnel changes.

Enforce access authorizations, maintain audit logs, escort visitors, and inventory physical access devices annually.

Control physical access to information system distribution and transmission lines and devices.

Control physical access to output from monitors, printers, and scanners to prevent unauthorized viewing.

Monitor facility access to detect incidents; review logs quarterly and coordinate with incident response.

Monitor physical access to the facility using intrusion alarms and surveillance equipment.

Maintain visitor access records for one year and review quarterly; report anomalies to security personnel.

Limit PII in visitor access records to the minimum necessary.

Protect data center power equipment and cabling from damage and destruction.

Provide accessible, protected emergency power shutoff capability in data centers.

Provide a UPS for orderly shutdown or transition to alternate power in data centers.

Maintain automatic emergency lighting covering evacuation routes in data centers.

Maintain fire detection and suppression systems with independent energy sources in data centers.

Employ automatic fire detection systems that notify personnel and emergency responders.

Maintain adequate HVAC levels and monitor continuously in data centers.

Protect data center systems from water damage via accessible master shutoff or isolation valves.

Authorize and control system components entering/exiting the facility; maintain records.

Employ controls at alternate work sites (telework), including area locking and device positioning to prevent unauthorized view.

Develop, document, and disseminate a maintenance policy and procedures; review annually or after security incidents.

Schedule, document, and review maintenance; sanitize media before removal; verify controls post-maintenance; include mandatory data fields in records.

Approve, control, and monitor maintenance tools; review previously approved tools prior to each use.

Inspect maintenance tools for improper or unauthorized modifications.

Check media containing diagnostic and test programs for malicious code before use in the system.

Prevent the removal of maintenance equipment containing organizational info via sanitization, destruction, or explicit exemption.

Approve and monitor nonlocal maintenance; employ strong authentication (MFA); terminate sessions upon completion.

Maintain an authorized list of maintenance personnel; verify access authorizations; supervise non-authorized personnel.

Obtain maintenance support and spare parts for critical components within agency-defined RTO/RPO limits.

Prohibit WEP/WPA; implement FIPS-compliant protocols. Managed APs must: (1) test for rogue APs, (2) maintain inventory, (3) secure placement, (4) test range, (8) disable SSID broadcast, (13) use FIPS protocols for management, (14) review logs monthly, and (15) insulate from wired network.

Perform inspection of cellular devices before and after travel outside the U.S. to ensure all controls are in place and functioning.

Cellular devices used to transmit CJI via voice are exempt from encryption and authentication requirements.

Dictate Bluetooth usage based on agency operational processes to mitigate threats like DoS, eavesdropping, and MITM.

When hotspots are allowed: (1) enable encryption, (2) use non-identifiable SSIDs, (3) create PSKs, (4) enable port filtering, and (5) only allow agency-controlled connections.

Implement MDM for limited-feature OS to perform: (a) remote locking, (b) remote wiping, (c) configuration locking, (d) detection of rooted/jailbroken devices, (e) folder/disk encryption, and (k) automatic wiping after failed access attempts.

Ensure devices: (1) apply critical patches immediately, (2) use local auth, (3) use AA for CJI access, (4) encrypt resident CJI, and (5) erase cached info/authenticators upon session termination.

Monitor mobile devices to ensure their patch and update state is current; apply critical upgrades as soon as they become available.

Agencies must have a process to approve specific software/applications. Use MDM to report software inventory to a central console to detect unauthorized apps.

Employ firewalls on full-featured OS devices to: (1) manage internet access, (2) block unsolicited connections, (3) filter by IP/Protocol, (4) filter by port, and (5) maintain an IP traffic log.

Develop enhanced procedures for mobile incidents: loss of control, total loss, compromise, or loss outside the U.S.

On limited-feature operating systems, access control must be accomplished by the application that accesses CJI.

Use local device authentication to unlock the device; authenticators must meet IA requirements.

Use advanced authentication (MFA) for access to CJI from an authorized mobile device unless access is indirect.

CSO-approved compensating controls require: (1) MDM implementation, (2) device registration as identity proof, (3) use of device certificates, and (4) standard authenticator protection.

Protect certificates from extraction; configure for remote wipe or self-deletion after failed attempts; use secure local auth to unlock.

Develop, document, and disseminate an audit and accountability policy and procedures; review and update annually or after security incidents.

Identify and log specific events including logons, attempts to use/create/write/delete/change permissions, privileged actions, and audit log access attempts.

Ensure audit records establish: what happened, when (hh:mm:ss.00), where, the source, the outcome, and the identities involved.

Generate audit records with session duration, source/destination addresses, filenames, and number of bytes sent/received.

Limit PII contained in audit records to the minimum necessary to achieve the purpose based on privacy risk assessment.

Allocate sufficient audit log storage capacity to meet retention requirements.

Alert personnel within one hour of logging failure; restart processes and verify system is logging properly.

Review and analyze system audit records weekly for unusual activity; report findings to security/privacy officials.

Integrate audit record review, analysis, and reporting processes using automated mechanisms.

Analyze and correlate audit records across different repositories (OS, App, DB) to gain situational awareness.

Provide audit record reduction and report generation that supports on-demand review without altering original content.

Provide the capability to sort and search audit records for events of interest based on AU-3 content.

Use internal clocks to generate timestamps to the hundredths of a second (hh:mm:ss.00) using UTC or a fixed offset.

Protect audit information and tools from unauthorized access, modification, or deletion; alert upon detection of unauthorized access.

Authorize access to management of audit functionality only to specific personnel with audit/security responsibilities.

Retain audit records for a minimum of one year or as needed for administrative/legal purposes.

Provide audit record generation capability on all systems generating logs; allow authorized personnel to select event types.

Develop, document, and disseminate a system and information integrity policy; review and update annually or after security incidents.

Identify, report, and correct system flaws; install critical updates within 15 days and high updates within 30 days.

Determine flaw remediation status using scanning tools at least quarterly or following security incidents involving CJI.

Implement signature-based protection at entry/exit points; perform daily scans; block or quarantine malicious code and alert administrators.

Monitor for attacks, unauthorized connections, and system misuse; provide logs to security personnel weekly.

Employ automated tools (e.g., SIEM) to support near real-time analysis of events.

Monitor communications traffic continuously for unusual activities, malicious signaling, or unauthorized exfiltration.

Alert personnel when system-generated indications of compromise or unusual activities occur.

Receive and disseminate security alerts from sources like CISA and MS-ISAC; implement directives within established time frames.

Employ integrity verification tools (hashes, signatures) to detect unauthorized changes to software/CJI; notify personnel and implement IR.

Perform software, firmware, and information integrity checks at least weekly or in an automated fashion.

Incorporate detection of unauthorized privilege elevation or configuration changes into the incident response capability.

Employ spam protection at system entry/exit points to detect and act on unsolicited messages; update based on CM policy.

Automatically update spam protection mechanisms at least daily.

Validate the syntax and semantics of inputs to web/app servers, database servers, and any system processing CJI.

Generate error messages necessary for corrective actions without revealing exploitable info; reveal only to security personnel.

Manage and retain information according to law, regulation, and operational requirements throughout the full lifecycle.

Limit PII processed to the minimum necessary to achieve the collection purpose.

Use data obfuscation, randomization, or synthetic data to minimize PII for research, testing, or training.

Dispose of, destroy, or erase information following the retention period as defined in MP-6.

Implement data execution prevention (DEP) and address space layout randomization (ASLR) to protect system memory.

Develop, document, and disseminate an incident response policy and procedures; review and update annually or after incidents.

Provide incident response training to users consistent with roles prior to system access and annually thereafter.

Provide training on identifying and responding to a breach, including the process for reporting PII loss.

Test the effectiveness of the incident response capability annually using tabletop exercises or simulations.

Coordinate incident response testing with elements responsible for related plans (BCP, DRP, Occupant Emergency).

Implement incident handling for preparation, detection, containment, eradication, and recovery; incorporate lessons learned.

Support incident handling using automated mechanisms such as online management systems and live response data collection.

Track and document incidents including status and pertinent forensics information.

Require personnel to report suspected incidents within one hour; notify confirmed incidents to the CSO or SIB Chief.

Report incidents using automated mechanisms such as email, website posting, or automated tools.

Provide incident information to product/service providers and supply chain organizations related to the incident.

Provide a support resource (e.g., help desk, ticketing) that offers advice and assistance to users for handling incidents.

Increase availability of IR information and support using automated mechanisms like push/pull website queries.

Develop an IRP that provides a roadmap, describes organization, defines metrics, and is approved annually by executive leadership.

Include a process to determine notice requirements and assess harm/mitigation for PII breaches in the IRP.

Develop, document, and disseminate contingency planning policy and procedures; review and update annually or after incidents and exercises.

Develop a system contingency plan identifying essential functions, recovery objectives, priorities, roles, and full restoration without control deterioration.

Coordinate contingency plan development with organizational elements responsible for related plans (BCP, DRP, IRP).

Plan for the resumption of essential mission and business functions within 24 hours of contingency plan activation.

Identify critical system assets supporting essential mission and business functions.

Provide contingency training to users within 30 days of role assumption and annually thereafter; update content after incidents.

Test the contingency plan annually using tabletop exercises or simulations; initiate corrective actions if needed.

Coordinate contingency plan testing with organizational elements responsible for related plans.

Establish a geographically distinct alternate storage site with equivalent security controls for backup information.

Identify an alternate storage site sufficiently separated from the primary site to reduce susceptibility to same threats.

Identify potential accessibility problems to the alternate storage site in area-wide disruptions and outline mitigation.

Establish an alternate processing site with equivalent controls to resume functions within the time period defined in the plan.

Identify an alternate processing site sufficiently separated from the primary site to reduce shared threat susceptibility.

Identify potential accessibility problems to alternate processing sites in area-wide disruptions and outline mitigation.

Develop alternate processing site agreements that contain priority-of-service provisions in accordance with recovery time objectives.

Establish alternate telecommunications services to resume system operations when primary services are unavailable.

Develop service agreements with priority-of-service provisions and request TSP for national security emergency preparedness.

Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary services.

Conduct backups of user-level info, system-level info, and documentation; protect backup confidentiality and integrity.

Test backup information to verify media reliability and information integrity.

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of CJI in backups.

Provide for system recovery and reconstitution to a known state after disruption.

Implement transaction recovery for transaction-based systems.

Develop and disseminate a CM policy and procedures; review and update annually and following system changes.

Maintain a current baseline configuration and topological drawing under configuration control; review annually and upon security-relevant changes.

Use automated mechanisms (e.g., config management tools) to maintain the baseline configuration.

Retain at least one previous version of baseline configurations to support rollback.

Issue devices with compliant configurations for travel to high-risk areas; examine and reimage upon return.

Review, approve, and implement configuration changes with impact analyses; retain records for two years.

Test and validate changes before finalizing implementation.

Require security and privacy personnel to be members of the CCB/CAB.

Analyze changes for security/privacy impacts prior to implementation.

After system changes, verify impacted controls are operating as intended.

Enforce physical and logical access restrictions for system changes.

Establish and implement restrictive configuration settings using benchmarks like CIS or STIGs; approve deviations.

Configure system for essential capabilities only; prohibit unneeded ports, protocols, and services.

Review system annually to identify and remove unnecessary/nonsecure functions and services.

Prevent program execution according to rules of behavior or software terms.

Employ a deny-all, permit-by-exception policy for software execution; review the authorized list annually.

Maintain a detailed inventory including model, serial number, manufacturer, and software version; review annually.

Update inventory during component installations, removals, and system updates.

Detect and isolate unauthorized components continuously or at least weekly.

Develop and implement a CM plan addressing roles, responsibilities, and the system development life cycle.

Use software in accordance with contracts and copyright; track quantity licenses; control peer-to-peer sharing.

Establish and enforce software installation policies via automated methods; monitor weekly.

Document the location of CJI and the specific system components on which it resides.

Use automated tools to identify CJI on software and hardware system components.

Develop, document, and disseminate a risk assessment policy and procedures; review annually or after security incidents.

Categorize the system and CJI as "moderate" impact; document results and supporting rationale in the security plan; obtain AO approval.

Conduct risk assessments quarterly to identify threats and vulnerabilities; determine harm likelihood to assets and PII effects on individuals.

Scan for vulnerabilities monthly and upon new reports; remediate Critical (15 days), High (30 days), Medium (60 days), and Low (90 days).

Update system vulnerabilities to be scanned within 24 hours prior to a new scan or upon new reports.

Implement privileged access for vulnerability scanning activities requiring deep inspection of CJI-processing components.

Establish a publicly discoverable reporting channel for vulnerabilities that authorizes good-faith research.

Respond to assessment/audit findings in accordance with risk tolerance; generate POAM entries if mitigation is not immediate.

Perform criticality analysis to identify critical components and functions at all stages of the SDLC.

Develop and disseminate an acquisition policy and procedures; review and update following security incidents.

Determine high-level security/privacy requirements and allocate resources as part of capital planning.

Manage the system using a documented SDLC that integrates security and privacy risk management.

Include security/privacy requirements and acceptance criteria in acquisition contracts using defined language.

Require developers to provide a description of the functional properties of the security controls.

Require developers to provide design and implementation info, including external interfaces and high-level designs.

Require developers to identify functions, ports, protocols, and services intended for organizational use.

Employ only IT products on the FIPS 201-approved list for PIV capabilities.

Obtain or develop admin/user documentation describing secure configuration, vulnerabilities, and user responsibilities.

Apply engineering principles such as layered protections, physical/logical boundaries, and threat modeling in the SDLC.

Implement the principle of minimization using only the PII necessary to perform system engineering.

Require external providers (e.g., government NCJA or private contractors) to sign MCAs or Security Addendums; conduct triennial audits.

Require providers of external services with system connections to identify required ports, protocols, and services.

Require developers to perform configuration management, implement access restrictions for changes, and track security flaws.

Require developers to perform comprehensive testing/regression testing and implement a verifiable flaw remediation process.

Require developers to follow a documented process that addresses security/privacy and identifies standards and tools used.

Require the developer to perform a criticality analysis at SDLC decision points using comprehensive testing.

Replace system components when support is no longer available; provide options for alternative support if replacement is not feasible.

Develop and disseminate an SCRM policy and procedures; review annually or after security incidents involving CJI systems.

Develop a plan for managing supply chain risks across the SDLC; review annually and protect the plan from unauthorized disclosure.

Establish a cross-functional SCRM team (Security, IT, Legal, Acquisition) to lead and support supply chain risk activities.

Use preferred suppliers who provide attestation of compliance with federal or state standards to mitigate supply chain risk.

Establish procedures and agreements with supply chain entities for the notification of compromises to CJI systems.

Inspect CJI systems and components upon initial procurement and periodically to detect tampering.

Dispose of CJI using techniques and methods described in the Media Protection (MP) family.

Develop, document, and disseminate a planning policy and procedures; review and update annually or after security incidents.

Develop plans consistent with enterprise architecture that define components, operational context, roles, info types, and security categorization.

Establish expected behavior rules for system usage; receive documented acknowledgment from users annually or upon revision.

Include restrictions on social media use, posting organizational info on public sites, and using org identifiers for external accounts.

Develop architectures describing protection approaches for CIA and PII; describe dependencies on external systems and review annually.

The CJISSECPOL is centrally managed by the FBI CJIS ISO.

Select a control baseline for the system based on stakeholder needs and impact levels.

Tailor the selected baseline by applying scoping considerations, selecting compensating controls, and assigning parameter values.

Develop, document, and disseminate policies and procedures for system assessment, authorization, and monitoring; review and update annually.

Assess system controls at least once every three years to determine if they are implemented correctly and operating as intended.

Employ independent assessors or assessment teams, free from conflicts of interest, to conduct control assessments.

Manage information exchange via signed written agreements (MOU/ISA) that specify standards, audits, and sanctions.

Log the dissemination of CHRI when released to an authorized agency that is not part of the primary information exchange agreement.

Develop a POAM to track remedial actions for identified weaknesses; update at least every six months.

Assign a senior official to authorize system operation and accept risk; update authorizations at least every three years.

Implement a continuous monitoring strategy including metrics for Account Management, Remote Access, and System Monitoring; report status annually.

Employ independent assessors or assessment teams to monitor system controls on an ongoing basis.

Ensure risk monitoring includes effectiveness, compliance, and change monitoring integrated into the continuous monitoring strategy.

Authorize and document internal connections (components processing/storing CJI); review continued need annually.