• Security Awareness Training: All personnel with access to CJIS systems and data must receive security awareness training at least once a year. The training should cover topics such as the sensitivity of CJIS data, security responsibilities, acceptable use policies, incident reporting procedures, and the potential consequences of non-compliance.
• User Responsibilities: Users must be made aware of their specific responsibilities when accessing and handling CJIS information. This includes adhering to access control policies, protecting user credentials, and reporting any suspicious or unauthorized activities.
• Security Reminders: Regular security reminders should be provided to users to reinforce key security principles and best practices. These reminders can be in the form of emails, newsletters, posters, or other communication channels.
• Incident Reporting: Users should be trained on the proper procedures for reporting security incidents or suspected security breaches. This includes reporting incidents to the appropriate security personnel or CJIS Systems Agency (CSA).
• Data Handling and Disposal: Personnel must be trained on proper data handling and disposal procedures to ensure the secure handling and destruction of CJIS information. This includes guidelines for encryption, data backup, physical security, and secure disposal of media containing CJIS data.
• Remote Access and Mobile Device Security: Users who access CJIS information remotely or using mobile devices must receive specific training on the secure configuration and use of these devices. This includes guidelines for secure connections, two-factor authentication, and protection against loss or theft.
• Third-Party Provider Oversight: If a criminal justice agency uses third-party providers to access or handle CJIS data, the agency must ensure that these providers meet the CJIS security awareness and training requirements. This may involve contractual obligations and regular audits or assessments of the provider's security practices.
• Record Keeping: Agencies must maintain records of security awareness and training activities, including attendance logs, training materials, and any completion certificates. These records may be subject to audit by the CSA or the FBI.

It is crucial for criminal justice agencies and personnel to adhere to the awareness and training requirements outlined in the FBI CJIS Security Policy. By ensuring that personnel are properly trained and aware of their security responsibilities, agencies can reduce the risk of security incidents and maintain the confidentiality, integrity, and availability of CJIS data.

We Provide a Full Life Cycle of Solutions for FBI CJIS Policy Compliance

• Gap Assessments
• Policies and Procedures Writing
• Independent CJIS Security Assessments
• CJIS Specific Continuous Monitoring Programs