The Criminal Justice Information Services (CJIS) database is one of the most important crime-fighting tools at law enforcement agencies’ fingertips. This repository of case and incident-related datasets is kept under lock and key by the FBI’s CJIS Security Policy. Within that policy is a provision known as the Federal Information Processing Standard (FIPS) 140-2, which lays out required cryptographic standards government agencies – and any third-party vendor of those agencies – must adhere to.
In theory, abiding by FIPS-outlined cryptographic standards is simple enough. But the practice of implementing and enforcing these standards does pose some challenges. This post identifies some of the most notable hurdles to FIPS compliance, and supplies a few actionable steps to overcome them.
Windows operating systems feature what is known as FIPS mode, which according to TechTarget contributor Michael Cobb, “use only FIPS compliant cryptographic algorithms for encryption, hashing and signing.” The problem, however, is that unaffiliated software that does not check the Windows registry can still run on the system. If that software does not use an allowable cryptographic algorithm, then the user is in breach of FIPS compliance.
One way to address this oversight is by creating application whitelisting. These are essentially indexes of authorized executables. For the intents and purposes of FIPS compliance, administrators have the ability to only authorize applications that use compliant cryptographic algorithms. While this approach isn’t an end-to-end solution, but it definitely helps as a useful layer, in enabling FIPS compliance.
SSL 2.0 and 3.0 are among the forbidden encryption types under FIPS.
Automatic Software Updating
While it is imprudent to ignore critical security updates, applying patches without regard for FIPS compliance can result in infractions against the CJIS Security Policy that may put your agency or organization at risk. This places IT administrators in the unfavorable position of having to manually patch every machine in their computing environment to ensure automatically applied updates are compliant.
Again, this problem is far from insurmountable. To circumvent the burden of manual patching, an increasing number of organizations are starting to automate IT maintenance schedules. This differs from simply allowing automatic updates to run uninhibited, because administrators are still in control of what patches are applied to which machines. Once updates are vetted, they can then be pushed across the entire computing environment from a central console.
The beauty of this methodology is that it handily dispels the idea that IT convenience and security are asynchronous. Automatic updating from a central console prohibits scripts from running without consent from an authorized administrator – who, rather than having to patch each computer and server manually, can update the IT environment in compliance with FIPS without leaving his or her desk.