This document is provided for informational purposes only, and it is provided "as is," without warranties of any kind, whether express or implied. In addition, this document does not create any representations, contractual commitments, conditions or assurances from Tyler or any of its related entities. Tyler's responsibilities to its clients are set forth in the contract(s) it has signed with those clients, and this document is not a part of, and does not modify, any such contract. The document reflects Tyler's current CJIS compliance practices, which may be updated from time to time at Tyler's discretion and without advance notice. Tyler's clients and prospects are responsible for making their own assessment of the information contained herein, and/or of Tyler's products and services, each as they may be updated from time to time.
The CJIS Security Policy provides Criminal Justice Agencies (CJA) and Noncriminal Justice Agencies (NCJA) with a minimum set of security requirements for access to FBI CJIS systems and information for the protection and safeguarding of CJI. Certain Tyler clients include CJAs and NCJAs who license Tyler products to manage CJI, putting Tyler and those clients under a shared responsibility framework with respect to that CJI. Tyler manages compliance with CJIS Security Policy requirements where applicable, such as providing states with fingerprint cards for Tyler employees with access to CJI and signing CJIS security addendum agreements with our clients. The purpose of this whitepaper is to provide an overview of Tyler's CJIS compliance program, including the shared responsibility model under which it operates in partnership with its impacted clients.
To access the FBI's CJIS Security Policy itself, please visit the FBI's CJIS Security Policy Resource Center.
Criminal Justice Information (CJI), Defined
CJI refers to all of the FBI's CJIS-provided data necessary for law enforcement agencies to perform their mission and enforce the laws. CJI includes biometric, identity history, person, organization, property and case/incident history data. It also includes the FBI's CJIS-provided data necessary for civil agencies to perform their mission, including data used to make hiring decisions.
CJI must be protected until the information is either (a) released to the public through an authorized disclosure, such as in a crime report; or (b) purged or destroyed in accordance with applicable record retention rules. The CJIS Security Policy outlines a minimum set of security requirements that create security controls for managing and maintaining CJI data. There is no centralized body authorized to certify compliance with the CJIS Security Policy.
Many vendors incorrectly state that their solution is "CJIS certified." There is no such thing as being "CJIS certified."
The FBI has advised that CJAs and NCJAs are ultimately responsible for ensuring compliance, even when they engage a third-party vendor to provide software or services relating to the agency's CJI. What is more, those agencies evaluate solutions against their own risk-acceptance standard for what is CJIS-compliant. Tyler's clients include agencies across the United States. To the extent a Tyler client's compliance requirements exceed the minimum established by the FBI's CJIS Security Policy and conflict with the common standards followed by other Tyler clients, Tyler expects to work collaboratively with that client or those clients to arrive at a mutually agreeable approach that is consistent with the FBI's CJIS Security Policy and industry standards.
To memorialize Tyler's commitment to fulfilling its responsibilities under the CJIS Security Policy, Tyler has executed the CJIS Security Addendum. A copy of the CJIS Security Addendum that Tyler has signed is available for reference. Each Tyler employee with access to CJI is also required to sign a CJIS Security Addendum.
The Shared Responsibility Model
Tyler has prepared a responsibility matrix that outlines the responsibilities, if any, of Tyler and its impacted clients in relation to the relevant security controls the FBI has identified. It is important to note that the matrix is comprehensive, in that it assumes the Tyler client is hosted in a Tyler data center. If the Tyler client is, however, hosted in a client or third-party environment, certain responsibilities will not apply. If you are a self-hosted client, or a client hosted in a third-party environment, and you have questions about which controls do not apply to you, or do not apply to Tyler, please contact Tyler's Information Security Team. That team will direct your email to Tyler's Corporate CJIS Security Officer.
Shared responsibility means, at least, that Tyler's clients remain responsible for managing their client-side environment(s) and their data. This is true even for those clients whose Tyler solution is hosted in a Tyler cloud. For example, Tyler's clients are responsible for at least:
- User identity management;
- Access control of the Tyler solution;
- Security management and control of terminals that access cloud services, including hardware, software, applications and device rights; and
- Data security (transmission and storage security, integrity protection, backup and recovery, rights and permissions).
To request a copy of the shared responsibility matrix, please send an email to CJISRequest@tylertech.com. Tyler's impacted clients should review that matrix carefully.
CJIS Policy Areas
The CJIS Security Policy is divided into 13 policy areas. The shared responsibility matrix referenced above details which party is responsible for controls within those policy areas, and how those responsibilities are met. What follows here is an intentionally high-level summary of the policy areas themselves and how Tyler addresses them, as applicable.
Policy Area 1 — Information Exchange Agreements
Clients who use a Tyler solution to manage CJI must sign a written agreement with Tyler to document the extent of their interaction and the policies and procedures that are intended to ensure appropriate safeguards. Tyler's standard license agreements include language directed at these concepts. Tyler also has executed the CJIS Security Addendum, as discussed above.
Policy Area 2 — Security Awareness Training
Tyler personnel with access to CJI must complete and maintain the FBI-approved Peak Performance CJIS Level 4 Training. Tyler maintains records of security awareness training.
Policy Area 3 — Incident Response
Tyler follows industry standard incident response protocols, including preparation, detection, analysis, containment, eradication and recovery. Tyler's plan is audited according to the SOC 2, Type 2 Trust Principles. It is important to note that Tyler's clients must also have their own incident response policies and procedures in place, as Tyler does not manage or triage client security incidents on its clients' behalf.
Policy Area 4 — Auditing and Accountability
Agencies must provide for the ability to generate audit records of their systems for defined events. Tyler will assist its clients who are undergoing an audit by responding to client inquiries relating to that audit and providing available information in response.
Policy Area 5 — Access Control
Tyler has implemented multiple mechanisms addressing login management systems, remote access, and virtual private network (VPN) solutions certified to the FIPS 140-2 standard. Tyler has also enacted policies and controls for Wi-Fi, Bluetooth and cellular devices.
Policy Area 6 — Identification and Authentication
Tyler provides Tyler personnel with unique user identification credentials and requires complex passwords, which must be changed regularly.
Policy Area 7 — Configuration Management
Tyler segregates databases containing CJI on the Tyler network, and limits user access credentials to Tyler resources authorized to access and manage CJI on behalf of Tyler's clients. Tyler's system configuration documentation contains sensitive details (such as descriptions of Tyler applications, processes, procedures, data structures, authorization processes, data flow, etc.). Tyler protects such system documentation from public access. A high-level network diagram is available upon request to Tyler's Information Security Team.
Policy Area 8 — Media Protection
Tyler secures all CJIS data in its possession in all of its forms, including electronic and hard copy. Tyler's solution is capable of encrypting data in transit and at rest. Tyler takes a risk-based approach to identifying, classifying and securing sensitive information as appropriate.
Policy Area 9 — Physical Protection
Tyler has designated physically secure locations in applicable Tyler office locations and other Tyler areas where CJI may be accessed by Tyler resources.
Policy Area 10 — Systems and Communications Protection and Information Integrity
Tyler takes industry standard measures to safeguard its network and the data on Tyler's network. Those measures include encryption, antivirus tools, and patch management functionality.
Policy Area 11 — Formal Audits
The FBI does not audit third-party vendors such as Tyler. Instead, the FBI audits law enforcement agencies, such as Tyler's clients. Tyler cooperates with its clients during such audits as necessary.
Policy Area 12 — Personnel Security
Tyler conducts background checks, including fingerprinting, on all Tyler personnel with physical or logical access to unencrypted CJI. Tyler maintains records of the results of those checks.
Policy Area 13 — Mobile Devices
This policy area requires law enforcement agencies to establish usage restrictions and implementation guidance for mobile devices, and to authorize, monitor, and control wireless access.
Data security is constantly evolving, and the requirements around CJIS compliance are no exception. Tyler takes its data security and CJIS compliance obligations seriously, and continuously works to enhance and refine its data security programs. This whitepaper may be updated to reflect Tyler's most current practices, and we encourage you to return to the compliance page on our website for the most current information.
We are committed to partnering with our clients in this effort. The resources we have committed to that partnership are significant, and include the appointment of CJIS security officers, executive-level oversight, engagement of a third-party CJIS compliance consultant, participation in bi-annual FBI Advisory Policy Board meetings, and leveraging internal resources to foster a culture of compliance across the Tyler community.