CJIS compliance and mobile device security in law enforcement

Author: Sue Poremba

As smartphones, tablets and other devices became mainstream, many organizations have accepted or embraced bring your own device (BYOD) as part of their workplace culture.  Despite this acceptance, compliance regulations (like CJIS compliance) will dictate how—or if—an organization can adopt BYOD. 

However, law enforcement (LE) agencies must adhere to a different set of compliance rules than other industries. Devices accessing any criminal data used by LE must follow FBI Criminal Justice Information Services (CJIS) compliance for mobile device security.  It’s important to note that BYOD creates the possibility that your personal phone, with your personal information contained within, could potentially become evidence and subject to discovery in court proceedings.

CJIS compliance is strict, requiring anyone who has access to CJIS data to undergo security awareness training within six months of their first assignment, and training must be repeated every two years. Mobile device security is a must; all work-related data transmitted or stored on a device needs to be encrypted. The stringent policies of CJIS compliance make BYOD among LE difficult—but not impossible.

What is BYOD policy and how is it different for law enforcement?

BYOD policy can be uniquely tailored to each individual organization; however, most mobile threat detection policies include the following:

  • Registering all devices used to connect to the corporate network
  • Requiring company-determined mobile threat detection software and other security tools on each device
  • Regulating apps that can be used for business operations—some policies may also decide to limit any apps on a device approved for BYOD to add layers of security
  • Adding permissions for any non-work-approved apps to avoid shadow IT (unauthorized) risks
  • Establishing agreements on who owns the phone number (should a personal number be allowed for a business-used phone?), who pays the monthly phone bill and who owns the non-work data on the device
  • Regulating access and storage of company assets
  • Limiting time dedicated to personal use during work hours

BYOD policy will have a slightly different look for LE under CJIS compliance. In addition to the above layers of security, all smartphones and tablets or other devices must use a CJIS-compliant multi-factor authentication (MFA) process, and they must also be enrolled in an agency-controlled mobile device manager (MDM) capable of remotely locking or erasing the memory of a lost or compromised device.
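The controls the article names for LE devices (encryption of stored and transmitted work data, CJIS-compliant MFA, enrollment in an agency-controlled MDM that can remotely lock or wipe, awareness training within six months of first assignment and every two years thereafter) are the kind of thing an agency should be able to audit from its device inventory rather than take on trust. The script below is an added example, not Verizon's or the FBI's code, and it audits a small constructed inventory against those controls. The record field names, the MDM export schema and the 183-day / 730-day approximations of "six months" and "two years" are assumptions made for the example; a real audit would read the agency's own MDM and training-system exports.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed record layout for one device in an MDM/inventory export.
# Field names are an assumption for this example, not a real MDM schema.
@dataclass
class DeviceRecord:
    device_id: str
    owner: str
    byod: bool                  # personally owned device used for agency work
    mdm_enrolled: bool          # enrolled in the agency-controlled MDM
    remote_wipe_capable: bool   # MDM can remotely lock/erase this device
    storage_encrypted: bool     # work data at rest is encrypted
    transport_encrypted: bool   # work data in transit is encrypted (e.g. VPN/TLS)
    mfa_enrolled: bool          # user has a CJIS-compliant MFA method
    first_assignment: date      # first day the user was assigned CJI access
    last_training: Optional[date]  # last security awareness training completion

# Approximations of the article's "six months" and "two years" windows (assumption).
TRAINING_INITIAL_WINDOW = timedelta(days=183)
TRAINING_REFRESH_INTERVAL = timedelta(days=730)


def audit_device(rec: DeviceRecord, today: date) -> List[str]:
    """Return a list of human-readable findings for one device (empty = compliant)."""
    findings: List[str] = []

    # Agency-controlled MDM with remote lock/wipe capability.
    if not rec.mdm_enrolled:
        findings.append("not enrolled in agency-controlled MDM")
    elif not rec.remote_wipe_capable:
        findings.append("MDM enrollment cannot remotely lock or wipe the device")

    # Work data must be encrypted at rest and in transit.
    if not rec.storage_encrypted:
        findings.append("work data at rest is not encrypted")
    if not rec.transport_encrypted:
        findings.append("work data in transit is not encrypted")

    # CJIS-compliant multi-factor authentication.
    if not rec.mfa_enrolled:
        findings.append("no MFA method enrolled")

    # Security awareness training: within six months of first assignment,
    # then refreshed every two years.
    if rec.last_training is None:
        if today - rec.first_assignment > TRAINING_INITIAL_WINDOW:
            findings.append("no training on record within six months of first assignment")
    elif today - rec.last_training > TRAINING_REFRESH_INTERVAL:
        findings.append("training refresh overdue (last completed more than two years ago)")

    return findings


def audit_inventory(records: List[DeviceRecord], today: date) -> Dict[str, List[str]]:
    """Audit every device and map device_id -> findings."""
    return {rec.device_id: audit_device(rec, today) for rec in records}


def noncompliant_devices(results: Dict[str, List[str]]) -> List[str]:
    """Sorted device ids that have at least one finding."""
    return sorted(dev for dev, findings in results.items() if findings)


# Constructed sample inventory (fictional devices, owners and dates).
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    DeviceRecord("LE-0001", "officer.a", byod=False, mdm_enrolled=True, remote_wipe_capable=True,
                 storage_encrypted=True, transport_encrypted=True, mfa_enrolled=True,
                 first_assignment=date(2022, 9, 1), last_training=date(2023, 1, 15)),
    DeviceRecord("LE-0002", "officer.b", byod=True, mdm_enrolled=False, remote_wipe_capable=False,
                 storage_encrypted=False, transport_encrypted=True, mfa_enrolled=True,
                 first_assignment=date(2020, 3, 1), last_training=date(2021, 5, 1)),
    DeviceRecord("LE-0003", "analyst.c", byod=False, mdm_enrolled=True, remote_wipe_capable=True,
                 storage_encrypted=True, transport_encrypted=True, mfa_enrolled=False,
                 first_assignment=date(2023, 10, 1), last_training=None),
]

if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE)
    for device_id in noncompliant_devices(results):
        print(f"{device_id}:")
        for finding in results[device_id]:
            print(f"  - {finding}")
```

Running it lists LE-0002 (the BYOD phone outside the MDM, with unencrypted storage and stale training) and LE-0003 (no MFA, no training within the initial window); LE-0001 produces no findings. The point of keeping each check as a separate finding is that the BYOD-specific gaps the article describes, such as a personal phone never enrolled in the agency MDM, show up individually instead of being hidden behind a single pass/fail flag.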

Risks and threats of BYOD for law enforcement

BYOD carries the same threats and risks that corporate-owned devices face; the difference is where responsibility lands. Who is responsible for the mobile device management around those threats, the deployment of mobile threat detection or the mitigation of any cyber incident that occurs? Mobile threats—such as phishing, unsecured Wi-Fi usage or excessive permissions in apps—are potentially a big concern because they can lead to data leakage or data loss, which could result in a significant security issue for LE.

Unique to BYOD are threats caused by cross contamination. When a mobile device holds both professional and personal credentials, it makes mobile device security more difficult. It may even be used by other family members for personal use. That simple action could potentially put you and your agency in violation of CJIS compliance.

If law enforcement BYOD is breached

If an agent or officer's personal device was lost or stolen, would your IT team be notified? Do you trust your employees to be honest if an important database was manipulated because a family member accessing BYOD thought it was a different application? Do those using BYOD recognize what constitutes a data breach and what types of incidents should be reported?

Of course, these mobile threat detection and device management guidelines should be included in LE BYOD policy, but that doesn't mean the employee will follow the directive. If the device is lost or stolen, they may not worry about the organization's security concerns; they may instead react to their personal losses. If there is another type of incident that is a more clear breach, they may be too afraid of the repercussions to come forward with the truth.

As previously mentioned, all BYOD and mobile device management policies should include clear language outlining the division between personal and work material on mobile devices. That way, when the worst-case scenario happens, there are no questions of responsibility. For example, the organization should have the right—and the ability—to remotely wipe any device holding corporate information. There should be a clear reporting policy without intimidation. Rules for working with an employee post-breach should be the same for both BYOD and department-owned devices whenever possible. An officer frightened of losing their job because they lost their phone may remain silent for as long as possible, which could lead to greater risk of compromise for data and assets.

Weighing the cost benefits of BYOD for law enforcement

Mobile devices are critical to LE and agencies dedicated to keeping citizens safe, but the data they use is extremely sensitive, and stringent mobile device security is a must. In other industries, BYOD is seen as a cost-saving measure, but don't expect this to be the case in LE. First, devices used by LE need to be reliable; LE shouldn't use a phone/data service plan that has spotty coverage and limited range. They need devices that are able to handle the mobile device security measures necessary to meet CJIS compliance. Some states, for example California, require the employer to compensate their employees for the use of their device when conducting agency business.

Devices used by LE are valuable to criminals, and not just cyber criminals. The FBI has well-defined parameters of what constitutes personally identifiable information (PII), and PII's protection is a priority. Any time BYOD is used, it puts the user's PII at risk, especially if the device ends up in the hands of an alleged criminal. Some agencies may decide that it is better to keep personal and work materials separate, including not conducting private activities on department-issued devices.

Learn more about keeping your mobile business secure with mobile cyber security measures from Verizon.

The author of this content is a paid contributor for Verizon.