CJIS Policy Requirements for Mobile Devices
CJIS Policy v5.3, Section 5.13.3
Wireless Device Risk Mitigation
Organizations shall, at a minimum, ensure that cellular devices:
1. Apply available device critical patches and upgrades to the operating system as soon as they become available and after necessary testing via Mobile Device Management (MDM) as described in Section 5.13.2.
2. Are configured for local device authentication.
3. Use advanced authentication.
4. Encrypt all CJI resident on the device.( see CJIS Policy v5.3, Section 184.108.40.206 below)
5. Erase cached information when session is terminated.
6. Run a Firewall or a Mobile Device Management (MDM) system that facilitates the ability to provide firewall services from the agency level.
7. Employ antivirus software or run a MDM system that facilitates the ability to provide
antivirus services from the agency level.
CJIS Policy v5.3, Section 5.13.2
Mobile Device Management
Devices that have had any unauthorized changes made to them (including but not limited to being rooted or jailbroken) shall not be used to process, store, or transmit CJI data at any time. Agencies shall implement the following controls when allowing CJI access from devices running a limitedfeature operating system:
1. CJI is only transferred between CJI authorized applications and storage areas of the device.
2. MDM with centralized administration configured and implemented to perform at least:
i. Remote locking of device
ii. Remote wiping of device
iii. Setting and locking device configuration
iv. Detection of “rooted” and “jailbroken” devices
v. Enforcement of folder or disk level encryption
vi. Application of mandatory policy settings on the device
vii. Detection of unauthorized configurations
viii. Detection of unauthorized software or applications
ix. Ability to determine the location of agency controlled devices
x. Prevention of unpatched devices from accessing CJI or CJI systems xi. Automatic device wiping after a specified number of failed access attempts
CJIS Policy v5.3, Section 220.127.116.11
A personal firewall shall be employed on all devices that are mobile by design (i.e. laptops, handhelds, personal digital assistants, etc.). For the purpose of this Policy, a personal firewall is an application that controls network traffic to and from a user device, permitting or denying communications based on policy. At a minimum, the personal firewall shall perform the
1. Manage program access to the Internet.
2. Block unsolicited requests to connect to the user device.
3. Filter incoming traffic by IP address or protocol.
4. Filter incoming traffic by destination ports.
5. Maintain an IP traffic log.
CJIS Policy v5.3, Section 18.104.22.168
1. Encryption shall be a minimum of 128 bit.
2. When CJI is transmitted outside the boundary of the physically secure location, the data shall be immediately protected via cryptographic mechanisms (encryption).
EXCEPTIONS: See Sections 22.214.171.124.2 and 5.10.2.
3. When CJI is at rest (i.e. stored electronically) outside the boundary of the physically
secure location, the data shall be protected via cryptographic mechanisms (encryption).
4. When encryption is employed, the cryptographic module used shall be certified to meet FIPS 140-2 standards.