• Configuration Baselines: Establish and maintain configuration baselines for all systems, networks, and devices that handle CJI. Configuration baselines serve as a reference for the desired and approved configuration settings.
• Change Control Process: Implement a formal change control process to manage and track changes made to system configurations. Changes should be properly documented, reviewed, approved, and tested before being implemented.
• Configuration Documentation: Maintain up-to-date documentation that describes the configuration settings, versions, and changes for each system or device. This documentation should include hardware and software inventories, system configurations, network diagrams, and other relevant information.
• Secure Configuration Standards: Apply secure configuration standards and guidelines, such as those provided by the Center for Internet Security (CIS) or other recognized security frameworks. These standards should cover operating systems, databases, applications, and network devices to ensure that they are configured securely and aligned with industry best practices.
• Unauthorized Configuration Changes: Implement measures to detect and prevent unauthorized changes to system configurations. This can include file integrity monitoring, intrusion detection systems, or configuration monitoring tools that can identify and alert on unauthorized modifications.
• Patch and Vulnerability Management: Establish a process to promptly apply security patches and updates to systems, devices, and software components. Regularly monitor for vulnerabilities and apply patches in a timely manner to address known security weaknesses.
• Secure Default Configurations: Ensure that systems and devices are configured with secure default settings and that unnecessary services, protocols, or features are disabled or removed. This helps reduce the attack surface and minimize the potential for misconfiguration.
• Configuration Compliance Monitoring: Regularly monitor and assess the configuration settings of systems and devices against the established configuration baselines and security standards. This can include conducting configuration audits, vulnerability scanning, or periodic assessments to identify and remediate any configuration deviations or vulnerabilities.
• Configuration Backup and Recovery: Implement a robust backup and recovery process to ensure the availability and integrity of configuration data. Regularly back up system configurations and critical data, and test the restoration process to ensure its effectiveness.
• Configuration Retention: Establish a policy for retaining configuration documentation and change records for an appropriate period. This allows for historical analysis, investigation, and auditing purposes.

By adhering to these configuration management requirements, organizations can enhance the security, integrity, and stability of systems and devices that handle CJI in compliance with the FBI CJIS Security Policy.

We Provide a Full Life Cycle of Solutions for FBI CJIS Policy Compliance

• Gap Assessments
• Policies and Procedures Writing
• Independent CJIS Security Assessments
• CJIS Specific Continuous Monitoring Programs