Welcome to the LASO and CSP Survival Guide. I created this as a resource for myself when I accepted LASO duties to keep our agency CJIS compliant. There’s a lot of material to keep track of, but hopefully, this collection of information is helpful to you and your agency.

Much of this LASO information should be timeless, but a few updates will be required.

Update: I moved into another area of focus and no longer perform LASO duties for my agency. If this resource has helped you, feel free to suggest changes or improvements.

It’s also worth mentioning that your agency will have its own policies and procedures, so you may have to adapt this guide to fit your needs.

1.0 LASO Position Details

1.1 LASO Personnel Possibilities

  • A member of the Local IT Department
  • A member of a contracted IT Department
  • A member of the city IT Department
  • A member of the county IT Department
  • A person with a business administration background
  • A person with a background in policy adherence or development

If the agency has no IT staff of its own, IT oversight (and with it the LASO function) can be provided by a parent or contracted IT department.

For example, a Sheriff’s Office can use the main County IT department.

1.2 LASO Required Duties

  1. Identify who is using the CSA-approved hardware, software, and firmware and ensure that no unauthorized individuals or processes have access to them.
    1. Deciding which hardware is used within the agency is mostly an IT role.
    2. Agencies shall manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts.
      1. This matters when employees leave your agency: disable their accounts, including any web portal accounts, so they can no longer be used.
      2. Your agency should handle this through a written policy covering access to the CSA’s Crime Information Center (CIC) for new, terminated, and transferred employees.
  2. Identify and document how the equipment is connected to the state system.
    1. Network map showing conceptual connections between various agencies.
  3. Ensure that personnel security screening procedures are followed as stated in the latest CJIS Security Policy (CSP).
    1. Fingerprint employees and submit prints to ID Services within 30 days of employment.
    2. Employees must be fingerprinted again for each new law enforcement agency (this includes lateral hires).
    3. Don’t forget to email the ID Services staff once an employee has separated from your agency to deactivate their CJIS Security flag.
  4. Ensure the approved and appropriate security measures are in place and working as expected.
    1. This is unique to your agency and depends on how the IT needs are structured.
  5. Support policy compliance and ensure the CSA ISO is promptly informed of security incidents.
    1. Once your agency has established internal policies addressing the needed CJIS Security Awareness topics, make sure all employees follow policies, have access to the policies, and are aware of the consequences of breaching policy.
    2. See the sample protocols you can customize to your agency and agency needs.
    3. Implement an Incident Response Plan within your agency.

1.3 Sample Position Information

If the position holding the LASO duties is a Coordinator, Information Security Officer, or security manager, the job description may look something like this:

Under the general direction of the Director of Information Technology, the Information Security Officer (ISO) is responsible for the development and delivery of a comprehensive information security program for the Departments and Divisions of the organization, collectively referred to as the Org. The scope of this activity is Org-wide and includes information in electronic, print, and other formats.

The purposes of this program include protecting information created, acquired, received by, or maintained by the organization and its information technology infrastructure from external or internal threats and ensuring that the organization complies with statutory and regulatory requirements regarding information access, security, and privacy. This position will also develop and maintain comprehensive systems, network, and application documentation.

1.3.1 Examples of Duties

Function as the LASO per the Criminal Justice Information Services Security Policy to ensure compliance with the FBI CJIS Security Policy and all applicable security requirements of the criminal justice information network and systems. Act as the Director’s designee representing the Org on Information Security matters; serve as the responsible Org contact person for external agencies and audits, including the CJIS triennial Technical Audit.

Coordinate the development of Org information security and other policies, standards, procedures, and processes. Work with the IT divisions and data custodians to develop such documents. Ensure that Org policies support compliance with external requirements. Oversee the dissemination of policies, standards, and procedures to the Org departments, divisions, and users.

Coordinate developing and delivering an education and training program on information security for employees and other authorized users. Coordinate with Human Resources to document security training in the employee’s permanent file.

Develop and implement an ongoing risk assessment program targeting information security; recommend methods for vulnerability detection and remediation; and oversee vulnerability testing. Maintain an inventory of all sources of PHI and PII; identify and document risks associated with these sources; identify and document the likelihood and impact of each risk; and identify methods of mitigating or eliminating each risk.

Serve as the Org security compliance officer and LASO with respect to all State and Federal information security policies and regulations, including but not limited to HIPAA, PCI, CJIS, Patriot Act, etc. Prepare and submit any required reports to external agencies.

Identify users of CJIS-approved hardware, software, and firmware and ensure no unauthorized individuals or processes have access to this hardware, software, or firmware.

Ensure that CJIS personnel security screening measures are in place and working as expected.

Ensure appropriate physical and digital security is maintained for all areas where CJI, PII, PHI, or other covered data is accessed or stored.

Perform audits and inspections of internal Org operations and business associates, agents, or sub-contractors to ensure compliance.

Work with the Org designated Records Management Liaison Officer (RMLO) and IT Asset Management staff to ensure adherence to the policies and procedures.

Develop and implement an Incident Reporting and Response System to address any Org-related security incidents, including defining what incidents require responses and what level of response is needed based on the findings of the Risk Assessment. Respond to alleged policy violations or complaints from external parties. Serve as the official Org contact point for information security, including relationships with law enforcement entities. Ensure appropriate communications are issued per statutory and regulatory requirements, including promptly notifying the CSA ISO of CJIS-related security incidents.

Maintain the IT department’s Continuity of Operations Plan and maintain and coordinate the IT response concerning other Departments’ and Divisions’ Continuity plans.

Keep abreast of the latest security legislation, regulations, advisories, alerts, and vulnerabilities pertaining to the Org.

Be knowledgeable of and document the technical aspects of the Org network, showing how all CJIS-related equipment is connected to the Org network and the State CJIS system and/or networks.

Maintain physical and digital documentation for all hardware, software, and business systems the Org uses, including maintaining an up-to-date network diagram.

Perform other duties of a similar nature or level.

1.3.2 Qualifications

1.3.2.1 Training and Experience

Bachelor’s Degree in Information Security, Business Administration, or a related field and a minimum of 5 years’ experience in information security, business system analysis, information technology, or a related field; or an equivalent combination of education and/or experience sufficient to successfully perform the duties listed above.

Must complete the online LASO training available on the CSA CJ Network and complete and maintain an active certification status of Level 3 Security Awareness Training within 3 months of employment.

Certification by an industry-recognized organization, e.g. Microsoft, Cisco, CompTIA, ISC2, SANS, is preferred.

Must pass review by CJIS, which includes fingerprinting, state background check through the CSA, and national background check through the FBI.

1.3.2.2 Knowledge, Skills, and Abilities

Knowledge of CJIS and potentially other security requirements is highly desired.

Excellent written and oral communication skills are highly desired.

The ability to work collaboratively with people across a broad range of departments and locations is essential.

Must be able to read, analyze, and interpret general computer periodicals, technical manuals, and government publications and regulations.

Ability to effectively present information and respond to questions relating to information security functions.

2.0 Identifying Terms and Services

2.1 CSA Specific Information

  • Identify the name of your CSA (CJIS Systems Agency). This is usually a state-level agency (for example, the state law enforcement department or bureau of investigation).
  • Find out the name of the website, portal, or network where you can get CJIS-related information, such as training, news, and more.
  • Find out who your CSA’s Information Security Officer (ISO) is.

2.2 CSA Related Acronyms

Acronym: Term
AAA: Application Access Administrator
CCC: Central Communication Center
CSC: Customer Support Center
AC: Administrative Code
NCIC: National Crime Information Center
DLE: Department of Law Enforcement
IDT: Information Delivery Team
PAS: Public Access System
RMLO: Records Management Liaison Officer
SS: State Statute
User: Agency using CSA services

These are probably the most important ones you need to know. More acronyms are listed at the end of the article so the main content stays readable.

3.0 CJIS Security Policy

The CJIS Security Policy governs all personnel with direct or unescorted proximity access to CJI. The policy’s premise is to provide appropriate controls to protect the full lifecycle of CJI while at rest or in transit.

The CJIS Security Policy provides:

  • Guidance for creating, viewing, modifying, transmitting, disseminating, storing, and destroying CJI.
  • Rules & Mandates for every contractor, private entity, non-criminal justice agency representative, or member of a criminal justice entity with access to or who operates in support of criminal justice services and information.
  • A minimum security baseline: treat the CSP as the floor, not the ceiling, for your agency’s controls.

The full lifecycle of the CJI includes:

  • Staff members making queries on terminals.
  • Location of the CJIS terminals relative to other staff (who can see the screen).
  • Printing of queried CJI with the actual location of the printer.
  • Who has access to CJI in digital and printed form.
  • How the CJI is shared or transmitted (fax, email, sending it to MDT screens, etc.).

3.1 CSP Survival Guide

  • Re-read the figures.
  • The use cases on page 41 are awesome.
  • Become familiar with the term FIPS 140-2 certification.
    • It deals with encryption (specifically, validated cryptographic modules).
    • NIST publishes a searchable list of validated modules and their certificates; check it before accepting a vendor’s “FIPS compliant” claim.
  • Appendix E contains security forms and organization entities.

By signing the FBI CJIS Security Addendum, you acknowledge that you will maintain security compliance with federal and state law and access non-public-facing systems for authorized purposes only.

If a need arises to access Criminal Justice Information Services (CJIS) systems directly, users must be authorized to process or store CJI. Authorization is granted to those who pass a fingerprint check, pass a background check, and complete security awareness training.

4.0 Security Awareness Training

The LASO is not required to administer the CJIS Security Training.

The agency will maintain the CJIS Security Training records at the local level. The record keeper can be any appointed person; the role is not tied to a particular position, so it does not have to be the Terminal Agency Coordinator (TAC).

CJIS Security Awareness training shall be required for all personnel with access to CJI within 6 months of initial assignment and biennially thereafter.

There are 3 types of access to CJI:

  • Level 1: Physical Access
  • Level 2: Physical and/or Logical
  • Level 3: Personnel with Information Technology roles

4.1 Different Levels of Access

4.1.1 Physical Access

Who has physical access?

Anyone with unescorted access (the ability to walk freely through your secured location) to areas that process or store CJI.

Common examples include the following roles:

  • Janitors
  • Building maintenance
  • Radio technician vendors

4.1.2 Logical Access

Who has physical and/or logical access?

Any individual with login credentials to a machine and/or service.

4.1.3 Personnel with Information Technology Roles

What does Information Technology personnel encompass?

Anyone with unescorted access to, or who works on, devices such as networking equipment that process or store CJI.

Access can be as simple as having a key to the door that secures the networking equipment or as complex as vendors having VPN access (unescorted) to systems that process CJI.

5.0 Implementation Information

5.1 Physically Secure Location Versus Controlled Area

5.1.1 Physically Secure Location

A physically secure location is a facility, a police vehicle, an area, a room, or a group of rooms within a facility with sufficient physical and personnel security controls to protect CJI and associated information systems.

The physically secure location is subject to criminal justice agency management control, SIB control, FBI CJIS Security addendum, or a combination thereof.

5.1.2 Controlled Area

Suppose an agency cannot meet all of the controls required for establishing a physically secure location but has an operational need to access or store CJI. In that case, the agency shall designate an area, a room, or a storage container as a controlled area for the purpose of day-to-day CJI access or storage.

The agency shall, at a minimum:

  1. Limit access to the controlled area during CJI processing times to only those personnel authorized by the agency to access or view CJI.
  2. Lock the area, room, or storage container when unattended.
  3. Position information system devices and documents containing CJI in such a way as to prevent unauthorized individuals from accessing and viewing.
  4. For electronic storage (i.e., data “at rest”) of CJI, follow the encryption requirements found in Section 5.10.1.2.

5.2 CJIS AA Notes

Advanced authentication (AA) will be required for law enforcement personnel accessing NCIC criminal justice information outside of a secure location.

Authentication is how a user’s identity is verified when requesting access to CJIS systems. Typical one-factor authentication is a login with only a username and password.

Advanced authentication (commonly called two-factor, two-step, or multifactor authentication) requires an additional factor beyond the password to complete the login.

That second factor is often a one-time password (OTP) produced by, or delivered to, something the user physically possesses. An OTP cannot be memorized like a standard password because it is designed to change on every login. OTPs can be delivered by SMS, generated by a phone app or hard token, or taken from a printed paper token. SMS delivery is the weakest of these, since a text message can be intercepted or redirected (for example through a SIM swap at the carrier), so prefer an app or hardware token where you have the choice.

AA is required for those who access NCIC CJI from a mobile data terminal or handheld device outside a physically secure location and for those who access remotely from an insecure location.

5.3 New CJIS Connection

To access CJI from NCIC, NLETS, or any other CJIS, agencies are required to obtain an Originating Agency Identifier (ORI). This identifier consists of a series of letters and numbers that look something like this: AB######C. The level of access to CJI through this system is dependent upon 2 main factors:

  1. Your agency’s mission.
  2. Statutory authority as mandated by Federal and State regulations.

To request an ORI, you must furnish the CSA with information on an agency letterhead. Plan to include items such as how your agency plans to utilize the system.

If you’re a non-terminal agency, only basic information is required. However, be prepared to work with a CSA representative and to provide the terminal agency’s ORI and a letter of agreement between your agency and the terminal agency.

Additional forms must be filled out and submitted to the CSA, and the exact forms will vary between CSAs.

5.4 FIPS 140-2 Certification Information

FIPS refers to the Federal Information Processing Standards, the security standards NIST publishes for federal systems. FIPS 140-2 is the standard for cryptographic modules; a “FIPS 140-2 certified” (validated) product is one whose cryptographic module passed independent testing under NIST’s validation program. This is essentially what the CJIS Advisory Process, the Working Groups, and the Advisory Policy Board have deemed trustworthy for protecting CJI. Two caveats: validation covers the module in its approved mode of operation, so the same library built or configured differently is not covered; and FIPS 140-3 has since superseded 140-2, so check the current CSP for which validations it accepts.

The rigorous FIPS testing process rules out some legitimate open-source options (a product can use sound algorithms without ever going through validation) and creates controversy about the necessity of the FIPS 140-2 certification process.

Regardless of how you feel about it, it’s still worth knowing what it is.

6.0 LASO Survival Guide Conclusion

Thanks for joining me. If your state agency (CSA) organizes an annual training conference, be sure to go. Networking with other LASOs and getting your questions answered is essential.

If you’ve been appointed as a LASO or assist a LASO with similar duties, what have you learned that should be added to this list? Let me know in the comments below.

6.1 More Acronyms Addendum

Here are a few more you need to know to serve as the LASO successfully.

Acronym: Term
AA: Advanced Authentication
AC: Agency Coordinator
ACL: Access Control List
ADPT: Automated Data Processing and Telecommunications
AES: Advanced Encryption Standard
AIS: Automated Information System
AL: Agency Liaison
ALG: Application Level Gateways
ANSI: American National Standards Institute
AP: Access Point
APB: Advisory Policy Board
BD-ADDR: Bluetooth-Enabled Wireless Devices and Addresses
BYOD: Bring Your Own Device
CA: Certification Authority
CAD: Computer Assisted Dispatch
CAO: Contract Administration Office
CAU: CJIS Audit Unit
CCS: Common Channel Signaling
CDPD: Cellular Digital Packet Data
CFR: Code of Federal Regulations
CGA: Contracting Government Agency
CHRI: Criminal History Record Information
CII: Critical Infrastructure Information
CIRC: Computer Incident Response Capability
CJA: Criminal Justice Agency
CJI: Criminal Justice Information
CJIS: Criminal Justice Information Services
CM: Configuration Management
ConOps: Concept of Operations
COTS: Commercial-off-the-Shelf
CSA: CJIS Systems Agency
CSA ISO: CJIS Systems Agency Information Security Officer
CSIRC: Computer Security Incident Response Capability
CSO: CJIS Systems Officer
CSP: CJIS Security Policy
CTA: Control Terminal Agency
CTO: Control Terminal Officer
CUI: Controlled Unclassified Information
DAA: Designated Approving Authority
DES: Data Encryption Standard
DFE: Designated Federal Employee
DoJ: Department of Justice
DoJCERT: DoJ Computer Emergency Response Team
DoS: Denial of Service
EMM: Enterprise Mobility Management
FBI: Federal Bureau of Investigation
FBI CJIS ISO: FBI CJIS Division Information Security Officer
FIPS: Federal Information Processing Standards
FISMA: Federal Information Security Management Act
FOIA: Freedom of Information Act
FOUO: For Official Use Only
FSC: Federal Service Coordinator
FTP: File Transfer Protocol
GPS: Global Positioning System
GSM: Global System for Mobile
HTML: Hypertext Markup Language
HTTP: Hypertext Transfer Protocol
IaaS: Infrastructure as a Service
IAFIS: Integrated Automated Fingerprint Identification System
IDS: Intrusion Detection System
III: Interstate Identification Index
INFOSEC: Information Security
IP: Internet Protocol
IPS: Intrusion Prevention System
IPSEC: Internet Protocol Security
ISA: Interconnection Security Agreement
ISO: Information Security Officer
ISP: Internet Service Provider
IT: Information Technology
JIS: Judicial Inquiry System
LAI: Local Agency Instructor
LAN: Local Area Network
LASO: Local Agency Security Officer
LEO: Law Enforcement Online
LES: Law Enforcement Sensitive
LFOS: Limited Feature Operating System
LMR: Land Mobile Radio
MAC: Media Access Control
MAN: Metropolitan Area Network
MCA: Management Control Agreement
MDM: Mobile Device Management
MDT: Mobile Digital Terminal
MITM: Man in the Middle (attack)
MMS: Multimedia Messaging Service
MOU: Memorandum of Understanding
NCJA: Noncriminal Justice Agency
NexTEST: Online testing system for CJIS certification via CJNet
NICS: National Instant Criminal Background Check System
NIPC: National Infrastructure Protection Center
NIST: National Institute of Standards and Technology
NLETS: International Justice and Public Safety Network
OMB: Office of Management and Budget
ORI: Originating Agency Identifier
ORION: ORI Online
OWA: Outlook Web Access
PaaS: Platform as a Service
PBX: Private Branch Exchange
PDA: Personal Digital Assistant
PII: Personally Identifiable Information
PIN: Personal Identification Number
PKI: Public Key Infrastructure
POC: Point of Contact
PSTN: Public Switched Telephone Network
QA: Quality Assurance
QoS: Quality of Service
RF: Radio Frequency
RFC: Request For Comments
ROT: Receive-Only Terminal
RSA: Rivest-Shamir-Adleman Public Key Encryption Algorithm
SA: Security Addendum (Security & Access)
SaaS: Software as a Service
SBU: Sensitive But Unclassified, see CUI
SCO: State Compact Officer
SIB: State Identification Bureau
SID: State Identification
SIM: Subscriber Identity Module
SMS: Short Message Service
SP: Special Publication
SPRC: Security Policy Resource Center
SSI: Sensitive Homeland Security Information/Security Sensitive Information
SSID: Service Set Identifier
SSL: Secure Sockets Layer
TAC: Terminal Agency Coordinator
TCP/IP: Transmission Control Protocol/Internet Protocol
TFTP: Trivial File Transfer Protocol
TLS: Transport Layer Security
UA or U/A: CSA User Agreement
USC: US Code
VLAN: Virtual Local Area Network
VM: Virtual Machine/Hypervisor/Hyper-V
VoIP: Voice Over Internet Protocol
VPN: Virtual Private Network
WAN: Wide Area Network
WEP: Wired Equivalent Privacy
WLAN: Wireless Local Area Network
WPA: Wi-Fi Protected Access