"CJIS Compliance" is a buzzword when it comes to public safety software, but what does that really mean when it comes to body worn cameras and evidence management?
CJIS stands for "Criminal Justice Information Services" and the latest security policy guidelines can be found here. Some states, such as Minnesota, consider all body camera footage to be CJIS data. Even in states where there are no laws in place, some agencies wish to follow some or all of the CJIS guidelines as a best practice. On the flip side, some agencies would argue that body camera footage isn't CJIS data at all. Regardless of one's position, choosing a body camera solution that meets CJIS requirements in terms of both storage and software is a wise choice.
The FBI does not issue a "CJIS Certificate" to a company. Instead, each state sets its own procedures to vet vendors for CJIS compliance. In general, the state agency will verify the cloud storage system used, the software infrastructure and functionality, and perform a background check on key vendor personnel. Furthermore, these employees must take an online training class and pass an exam to demonstrate proficiency in the CJIS security policies. A public safety agency wishing to implement a CJIS compliant body camera program should verify that the potential vendor has been vetted by the respective state authority, if such vetting is required.
Key CJIS Features
For CJIS compliance, all footage must be stored in a special storage facility. When it comes to cloud storage, the most common CJIS compliant storage systems are the Microsoft Azure Government cloud followed by the Amazon Web Services (AWS) Government cloud. Vetted personnel support these cloud servers, which are located in the Continental United States. All files are encrypted using FIPS-2 standard and there are redundant storage locations and power supplies.
While having CJIS compliant storage is key, agencies wanting to follow all CJIS guidelines must make sure their body camera vendor has implemented additional features in their evidence management software. Some examples include:
- Two factor authentication based on device and IP address
- Complex passwords which expire every 90 days
- Automatic timeout due to inactivity
- Prohibition of concurrent logins
As mentioned above, Minnesota has some of the most stringent laws when it comes to body camera footage management. In 2016, the legislature passed state statute 13.825, which requires vendors to "protect the data in accordance with the security requirements of the United States Federal Bureau of Investigation Criminal Justice Information Services Division Security Policy". Visual Labs has numerous clients in Minnesota. "We appreciate Visual Labs' adherence to CJIS guidelines. Even with the required security features, the website is very easy to use and has allowed us to readily comply with Minnesota BCA [Bureau of Criminal Apprehension] audits," said Commander Andy Ellickson of the Washington County, Minnesota Sheriff's Office.
Regardless of one's stance on body camera footage as CJIS data, choosing a BWC vendor that complies with CJIS guidelines should bring peace of mind to agencies, and in some cases, is required by law.
Please contact firstname.lastname@example.org with questions or comments about CJIS compliance.