Regulatory compliance

CJIS compliance

CJIS compliance means meeting the FBI’s CJIS Security Policy across all 13 policy areas — encryption, access control, audit logging, and physical security for the Criminal Justice Information (CJI) that law enforcement and criminal-justice agencies rely on. WestFax aligns to all 13 policy areas and works collaboratively with agencies toward their own risk-acceptance standards.

A smiling records specialist at her workstation in a busy police department records office
CJIS
There is no such thing as being “CJIS certified.” No centralized body certifies compliance with the CJIS Security Policy. The FBI has advised that criminal-justice and non-criminal-justice agencies remain ultimately responsible for ensuring compliance, even when they engage a third-party vendor. WestFax works collaboratively with clients toward a mutually agreeable framework consistent with the FBI CJIS Security Policy and industry standards.

CJI refers to all of the FBI’s CJIS-provided data necessary for agencies to perform their mission and enforce the laws — biometric, identity-history, person, organization, property, and case/incident data, including data used to make hiring decisions. It must be protected until it is either released through an authorized disclosure or purged in accordance with retention rules.

How we align

The 13 CJIS policy areas

A high-level summary of each policy area and how WestFax responds. A shared-responsibility matrix details which party is responsible for controls within each area.

Policy Area 1

Information exchange agreements

Organizations handling CJI must have signed written agreements documenting their interaction and the security policies and procedures between them. WestFax works within these agreements and their required processes and parameters.

Policy Area 2

Security awareness training

Basic security awareness training is given within the first six months and biennially thereafter for personnel with CJI access. Keeping training current for their own personnel is the customer’s responsibility.

Policy Area 3

Incident response

WestFax follows industry-standard incident response — preparation, detection, analysis, containment, eradication, and recovery. Clients maintain their own incident response policies; WestFax does not triage customer security incidents on their behalf.

Policy Area 4

Auditing and accountability

Agencies must be able to generate audit records for defined events. On request, WestFax assists clients undergoing an audit by responding to inquiries and providing all available data.

Policy Area 5

Access control

WestFax has implemented login management, remote access, and VPN solutions compliant with FIPS 140-2, plus policies and controls for Wi-Fi, cellular, and Bluetooth devices.

Policy Area 6

Identification and authentication

WestFax provides personnel with unique user identification credentials and requires complex passwords that are changed regularly per our security policies.

Policy Area 7

Configuration management

WestFax segregates databases containing CJI on its network and limits access credentials to authorized resources. System configuration documentation is protected from public distribution.

Policy Area 8

Media protection

WestFax secures all CJIS data in its possession in digital form, capable of encrypting data in transit and at rest, using a risk-based approach to classifying and securing sensitive information.

Policy Area 9

Physical protection

WestFax designates physically secure locations across applicable offices and data center areas where CJI may be accessed by WestFax resources.

Policy Area 10

Systems & communications protection

Safeguards secure data across the network in motion and at rest: 256-bit AES encryption at rest, directory integration, two-factor authentication, granular permissions, anti-virus and malware scanning, endpoint and API protections, and a comprehensive audit trail.

Policy Area 11

Formal audits

The FBI audits law enforcement agencies — WestFax’s clients — not third-party vendors directly. WestFax cooperates with its clients during such audits as necessary.

Policy Area 12

Personnel security

WestFax conducts background checks on all personnel with physical or logical access to unencrypted CJI. By principle of least privilege, no WestFax personnel are granted access to CJI materials beyond what access standards allow.

Policy Area 13

Mobile devices

WestFax establishes usage restrictions and implementation guidance for mobile devices and controls wireless access at any WestFax data center or office.

Faxing for law enforcement.

WestFax has been a secure cloud fax provider since 1999. Reach out to learn more about our offerings for law enforcement and criminal-justice agencies.