Regulatory compliance
CJIS compliance
CJIS compliance means meeting the FBI’s CJIS Security Policy across all 13 policy areas — encryption, access control, audit logging, and physical security for the Criminal Justice Information (CJI) that law enforcement and criminal-justice agencies rely on. WestFax aligns to all 13 policy areas and works collaboratively with agencies toward their own risk-acceptance standards.
CJI refers to all of the FBI’s CJIS-provided data necessary for agencies to perform their mission and enforce the laws — biometric, identity-history, person, organization, property, and case/incident data, including data used to make hiring decisions. It must be protected until it is either released through an authorized disclosure or purged in accordance with retention rules.
How we align
The 13 CJIS policy areas
A high-level summary of each policy area and how WestFax responds. A shared-responsibility matrix details which party is responsible for controls within each area.
Information exchange agreements
Organizations handling CJI must have signed written agreements documenting their interaction and the security policies and procedures between them. WestFax works within these agreements and their required processes and parameters.
Security awareness training
Basic security awareness training is given within the first six months and biennially thereafter for personnel with CJI access. Keeping training current for their own personnel is the customer’s responsibility.
Incident response
WestFax follows industry-standard incident response — preparation, detection, analysis, containment, eradication, and recovery. Clients maintain their own incident response policies; WestFax does not triage customer security incidents on their behalf.
Auditing and accountability
Agencies must be able to generate audit records for defined events. On request, WestFax assists clients undergoing an audit by responding to inquiries and providing all available data.
Access control
WestFax has implemented login management, remote access, and VPN solutions compliant with FIPS 140-2, plus policies and controls for Wi-Fi, cellular, and Bluetooth devices.
Identification and authentication
WestFax provides personnel with unique user identification credentials and requires complex passwords that are changed regularly per our security policies.
Configuration management
WestFax segregates databases containing CJI on its network and limits access credentials to authorized resources. System configuration documentation is protected from public distribution.
Media protection
WestFax secures all CJIS data in its possession in digital form, capable of encrypting data in transit and at rest, using a risk-based approach to classifying and securing sensitive information.
Physical protection
WestFax designates physically secure locations across applicable offices and data center areas where CJI may be accessed by WestFax resources.
Systems & communications protection
Safeguards secure data across the network in motion and at rest: 256-bit AES encryption at rest, directory integration, two-factor authentication, granular permissions, anti-virus and malware scanning, endpoint and API protections, and a comprehensive audit trail.
Formal audits
The FBI audits law enforcement agencies — WestFax’s clients — not third-party vendors directly. WestFax cooperates with its clients during such audits as necessary.
Personnel security
WestFax conducts background checks on all personnel with physical or logical access to unencrypted CJI. By principle of least privilege, no WestFax personnel are granted access to CJI materials beyond what access standards allow.
Mobile devices
WestFax establishes usage restrictions and implementation guidance for mobile devices and controls wireless access at any WestFax data center or office.
Faxing for law enforcement.
WestFax has been a secure cloud fax provider since 1999. Reach out to learn more about our offerings for law enforcement and criminal-justice agencies.
