January 27, 2016
BYOD – R U OK?

Got acronyms? Of course you do. No doubt we find ourselves amidst a convergence of many technical and law enforcement acronyms, whether in journals, text messages, laws, operating procedures, you name it, everyday. “BYOD” is a fairly new acronym for “Bring Your Own Device,” referring to the FBI’s CJIS Security policy.

Ah! More acronyms! CJIS is Criminal Justice Information Systems, a division of the FBI (Federal Bureau of Investigation – of course, you knew that one). In the fourth quarter of 2015, the FBI CJIS division updated the CJIS Security Policy and several sections deal specifically with this important topic, BYOD.

CSI feels it is worth pointing out a few of the key references, requirements, and warnings regarding staff bringing their own devices to the agency. Of course, as it is the authoritative source, please do refer to the complete document for all the details (find it at https://www.fbi.gov/about-us/cjis/ cjis-security-policy-resource-center ).

Many law enforcement agencies issue mobile devices currently, or are contemplating doing so.

On one hand, the value, in terms of communications and convenience, is obvious. For the past several versions of the policy, CJIS has recognized the availability of, and thus the growing need for addressing, mobile devices. But, as their policy points out, there are challenges in using these devices for accessing CJI (Criminal Justice Information), and especially so if they are personally owned. The policy states: “If personally owned devices are utilized within the environment (BYOD scenario), specialized and costly access control methods may be required to reach compliance with CJIS Security Policy.”

So, they go on to say...…“BYOD environments pose significant challenges to the management of secure device configurations. In many cases it may be impossible to apply effective security that is acceptable to the device owner or it may require extremely costly compensating controls to allow access to CJI on personally owned devices.

While allowed by the CJIS Security Policy, agencies are advised to conduct a detailed cost analysis of the ancillary costs of compliance with CJIS Security Policy on personally owned devices when they are approved for use.” “Two terms used increasingly when addressing this topic of mobile access and BYOD are “EMM” (Enterprise Mobility Management) and “MDM” (Mobile Device Management),” explains CSI’s VP and CIO Chris Rein. While we can’t get into all the details here, Rein recommends, “if your agency is considering implementation of mobile access, it will be necessary to have familiarization, or better yet, expertise, in what they are.

” MDM and EMM systems and applications, coupled with a device-specific technical policy, can provide a robust method for device configuration management, if properly implemented. MDM capabilities include the application of mandatory policy settings on the device, detection of unauthorized configurations or software/ applications, detection of rooting/ jailbreaking of the device, and many other security policy-related functions. In many cases, the most cost effective way to achieve CJIS Security Policy compliance on mobile devices is the selection of MDM or EMM applications and infrastructure appropriate to the mobile operating systems.

"A written and approved policy for your agency’s use of mobile devices is the cornerstone for compliance,” advises Rein. “And it is essential to distinguish whether you are implementing, or even allowing, personally owned devices or agency-issues ones." He recommends the following essential considerations for your agency if considering a BYOD environment:

Solid understanding of Advanced Authentication

Understanding when Compensating Controls are applicable

Loss of Device (how to address & plan for)

Remote Data Erasure

Protecting against “Rooting” or “Jailbreaking”

Use of Mobile Device Management (MDM)

Use of Enterprise Mobility Management (EMM)

CSI serves a wide range of agencies that use, consume, store, and share CJI. These agencies also employ a variety of operational and technological policies and procedures that relate to their use of technology and communications. We encourage all of our customers to familiarize themselves and understand this important FBI CJIS policy and the need for proper conformance.