lolloj - Fotolia

CJIS Security Policy: How can companies ensure FIPS compliance?

Companies and government agencies handling criminal justice information need to comply with CJIS Security Policy. Expert Michael Cobb explains the cryptographic modules to use.

We were informed that our WebOMNI system (load balanced web servers running Windows 2008 IIS 7.0) needs to be FIPS...

140-2 compliant as it contains some CJIS data. We have enabled FIPS mode on the server. The server uses a Comodo RSA certificate to encrypt traffic. How do we confirm which FIPS certificate, if any, covers our configuration? We are rather sure it is either certificate 1008 (bcrypt.dll) or 1010 (RSAENH), but we are not sure how to tell. Any help you can give would be appreciated.

The Criminal Justice Information Services (CJIS) is the largest division of the Federal Bureau of Investigation. Its databases provide a centralized source of criminal justice information to agencies around the U.S. This information includes biometric, identity history, property and case/incident history data, so clearly it has to be extremely well protected. The CJIS Security Policy establishes minimum security requirements and controls to safeguard criminal justice information, covering areas such as wireless networking, remote access, data encryption and authentication. The requirements and controls in the CJIS Security Policy correspond closely to NIST 800-53: "Security and Privacy Controls for Federal Information Systems and Organizations," which is also the basis for the Federal Risk and Authorization Management Program.

Government agencies must ensure that their systems and any third-party systems, such as cloud services used for the transmission, storage or processing of criminal justice information complies with the CJIS Security Policy. Section of the Security Policy sets out strict and specific Federal Information Processing Standard (FIPS) 140-2 encryption standards for data that is at rest or in transit, stating: "When encryption is employed, the cryptographic module used shall be certified to meet FIPS 140-2 standards."

There are various cryptographic modules that come with Windows operating systems and encapsulate different cryptographic algorithms accessible via API calls. I assume your servers are running a version of Windows Server 2008 R2, as support for Windows Server 2008 has expired. Microsoft's Cryptographic Primitives Library, a software-based cryptographic service provider (BCRYPT.dll), is FIPS 140-2 certified, as is its Enhanced Cryptographic Provider (RSAENH.dll), with the algorithms being accessible via the Microsoft CryptoAPI. User mode applications directly interface with BCRYPT, so this is the module to use.

Enabling FIPS mode in Windows makes it and its subsystems use only FIPS compliant cryptographic algorithms for encryption, hashing and signing. For example, it disallows the use of SSL 2.0 and 3.0 as they do not meet the FIPS standards. However, just enabling FIPS mode doesn't ensure a system complies with the CJIS Security Policy. There is no enforcement of the FIPS mode by the operating system or validated cryptographic modules. This means an application that doesn't check the registry setting associated with FIPS mode and isn't dependent on any Windows subsystems will continue to work exactly as it had with FIPS mode disabled, potentially using noncompliant encryption algorithms. This is why it's vital to run applications that use certified encryption modules at all times, and that software developers ensure their applications check the FIPS mode flag registry setting and enforce the use of the appropriate algorithms.

Next Steps

Read about Amazon Web Services' cloud deal with Colorado law enforcement agencies

Find out how to avoid common pitfalls when using threat intelligence and analytics

Learn about NIST's new password recommendations for U.S. government use

This was last published in March 2017

Dig Deeper on Data security and privacy