The FBI CJIS (Criminal Justice Information Services) Security Policy includes specific physical protection requirements to ensure the security and integrity of physical assets and facilities that store or process Criminal Justice Information (CJI). These requirements aim to safeguard physical access to sensitive data, prevent unauthorized entry or tampering, and protect the infrastructure that supports information systems.
Key physical protection requirements outlined in the CJIS Security Policy, along with additional best practices to employ per the NIST 800-53 guidelines, are as follows:
Access Control
Implement access controls to restrict physical access to facilities, data centers, server rooms, and areas where CJI is stored or processed. Use methods like access badges, biometric systems, or secure locks to control entry to sensitive areas. Maintain visitor logs and escort procedures to monitor and track visitor access.
Facility Security
Secure all facilities and buildings housing CJI with appropriate physical security measures, including alarms, surveillance cameras, and security personnel. Employ security guards and establish procedures for incident response and emergency situations. Ensure that access points, such as doors and windows, are physically protected against tampering.
Data Center Security
Restrict access to data centers or server rooms to authorized personnel only. Use environmental controls (e.g., temperature, humidity) to maintain the proper conditions for equipment and data storage. Implement fire detection and suppression systems to protect against fire hazards.
Media Protection
Store physical media containing CJI (e.g., tapes, hard drives) in secure and locked containers or cabinets. Limit the distribution and transportation of physical media to authorized personnel or trusted third parties. Ensure proper labeling and inventory management for physical media.
Secure Disposal
Develop procedures for the secure disposal of physical media and equipment that store CJI at the end of their lifecycle. Use proper data destruction methods, such as shredding or degaussing, to prevent data recovery.
Monitoring and Surveillance
Install and monitor surveillance cameras in critical areas to detect and record unauthorized activities. Implement alarm systems to alert personnel in case of security breaches or physical incidents.
Physical Security Awareness
Train personnel in physical security best practices, including recognizing and reporting suspicious activities. Conduct periodic security awareness and training programs for all staff members.
Physical Incident Response
Establish incident response procedures for handling physical security incidents, such as break-ins or unauthorized access attempts. Coordinate with law enforcement or appropriate authorities in case of serious incidents.
We Provide a Full Life Cycle of Solutions for FBI CJIS Policy Compliance
- Gap Assessments
- Policies and Procedures Writing
- Independent CJIS Security Assessments
- CJIS Specific Continuous Monitoring Programs