Offered by the Office of the State Auditor

DCJIS Did Not Ensure That Criminal Justice Information System Single Sign on Application Users Completed Cybersecurity Awareness Training.

If CSSOA users do not complete cybersecurity awareness training, user errors may occur and compromise the integrity and security of CSSOA, which DCJIS manages.


Overview

DCJIS did not ensure that Criminal Justice Information System Single Sign On Application (CSSOA) users completed cybersecurity awareness training. We found 39 of the 131 law enforcement employees in our sample who worked at law enforcement agencies during the audit period did not complete biennial training on time. Our test revealed that 21 law enforcement employees completed their training late, with missed due dates ranging from 11 days to 9 years. As of June 30, 2021, the remaining 18 employees had not completed biennial training, with missed due dates ranging from 122 days to 9 years. Based on our testing, no less than 5,310 (23.233%) employees did not complete cybersecurity awareness training.

Not completing cybersecurity awareness training may lead to user error and compromise the integrity and security of CSSOA, which DCJIS manages.

Authoritative Guidance

Section 5.2.1 of the United States Department of Justice Federal Bureau of Investigation’s (FBI’s) “Criminal Justice Information Services (CJIS) Security Policy,” issued on June 1, 2020, states, “Basic security awareness training shall be required within six months of initial assignment, and biennially thereafter, for all personnel who have access to . . . a physically secure location,” which applies to CSSOA users.

Reasons for Issue

DCJIS management told us that they review training completion certificates as part of the audit process every three years, but DCJIS does not continually monitor whether CSSOA users complete cybersecurity awareness training within six months of their initial access to CSSOA and biennially thereafter.

Recommendations

1. DCJIS should ensure that CSSOA users complete initial cybersecurity awareness training within six months of their initial access to CSSOA and biennially thereafter.

2. DCJIS should continually monitor that both new and existing CSSOA users have completed the required cybersecurity awareness training.
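The monitoring the second recommendation calls for reduces to date arithmetic against the Section 5.2.1 deadlines (first training within six months of initial access, then every two years). The following Python is an added illustration, not DCJIS or SAO code; the user records, the 183-day and 730-day approximations of the windows, and the June 30, 2021 evaluation date are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Deadlines from CJIS Security Policy Section 5.2.1 as quoted in the finding: initial
# training within six months of assignment, then biennially. The six-month and two-year
# windows are approximated in days here (an assumption of this example).
INITIAL_WINDOW = timedelta(days=183)
RENEWAL_WINDOW = timedelta(days=730)

@dataclass
class UserRecord:
    user_id: str          # constructed identifier, not a real CSSOA account
    access_granted: date  # date initial CSSOA access was granted
    completions: list = field(default_factory=list)  # training completion dates

def evaluate(rec, as_of):
    """Return (status, days_missed, next_due) for one user as of a date.

    status: 'pending' (first deadline not yet reached), 'on_time', 'late'
    (latest cycle completed after its deadline) or 'not_completed'
    (current deadline has passed with no completion on record).
    """
    due = rec.access_granted + INITIAL_WINDOW
    status, days_missed = "pending", 0
    for done in sorted(rec.completions):
        if done > as_of:
            break  # completions after the evaluation date do not count yet
        if done > due:
            status, days_missed = "late", (done - due).days
        else:
            status, days_missed = "on_time", 0
        due = done + RENEWAL_WINDOW  # the biennial clock restarts at each completion
    if due < as_of:
        status, days_missed = "not_completed", (as_of - due).days
    return status, days_missed, due

def summarize(records, as_of):
    """Count users per status: the figure a continual monitor would report."""
    counts = {"pending": 0, "on_time": 0, "late": 0, "not_completed": 0}
    for rec in records:
        counts[evaluate(rec, as_of)[0]] += 1
    return counts

# Constructed sample roster (not data from the audit) and the audit period end date.
ROSTER = [
    UserRecord("u1", date(2019, 1, 1), [date(2019, 5, 1)]),
    UserRecord("u2", date(2018, 3, 1), [date(2018, 6, 1), date(2020, 9, 15)]),
    UserRecord("u3", date(2021, 3, 1)),
]
AS_OF = date(2021, 6, 30)
```

Running `summarize(ROSTER, AS_OF)` on a real access roster and training log, on a schedule rather than once every three years, gives the per-user "days missed" figures that this finding had to reconstruct by sampling.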

Auditee’s Response

The SAO finds that DCJIS needs to take steps to ensure that users of the Criminal Justice Information Systems (“CJIS”) are in compliance with the security awareness training requirements in Section 5.2 of the FBI CJIS Security Policy by completing training within six months of being hired and then biennially thereafter.

Again, it is unclear what standard DCJIS is being audited to. State regulations at 803 CMR 7.07 place this burden not upon DCJIS but upon the law enforcement agencies and individual users of the CJIS system. The Massachusetts CJIS User Agreement does the same at Section 3.2.

Nevertheless, in reference to the first audit recommendation, DCJIS notes that completion of CJIS Security Awareness Training is a pre-requisite to gaining access to CJIS. Therefore, CJIS user accounts are not activated by DCJIS until such time as a user completes training. As such, DCJIS, although not required to do so, ensures that all CJIS users complete initial training prior to being granted access privileges to CJIS. DCJIS staff also provides regular training of CJIS users. In calendar year 2022, DCJIS held 17 training sessions and trained approximately 171 users.

In regard to the second audit recommendation, DCJIS audits law enforcement agencies’ compliance with the security awareness training requirements of the FBI CJIS Security Policy. This analysis is performed during DCJIS’s triennial audit of each Massachusetts law enforcement agency with access to CJIS. These audits are the most efficient way for DCJIS to monitor compliance with the security awareness training requirements. As personnel from DCJIS’s CJIS Support Unit explained in interviews with SAO auditors on December 2 and December 16, 2021, there are simply too many CJIS users for DCJIS to actively monitor each individual user’s training status in real time. Moreover, whether and when an officer is required to retake the training will depend on personnel information in the possession of the police department. For example, a police officer’s certificate of compliance may expire, but if the officer is on leave from his job and does not have access to CJIS, then he does not need to retake the test. The information necessary to determine when a user needs to take the training rests with the individual user’s agency and not with DCJIS. Consequently, it is most effective for DCJIS to determine compliance during audits of the agencies.

Therefore, while DCJIS appreciates the SAO’s efforts and is grateful for the SAO’s audit, it respectfully disagrees with the SAO’s finding on this point. Nevertheless, on August 29, 2022, DCJIS took the additional step of sending out a notification to all Massachusetts chiefs of police and law enforcement agency heads. The notification was sent electronically in the form of a letter which was also posted on DCJIS’s extranet. The letter reminds all recipients in detail about the security awareness training requirements imposed upon them by 803 CMR 7.07 and by the Massachusetts CJIS User Agreement. The letter further reminds all recipients that DCJIS will continue to audit their agencies to these requirements.

Auditor’s Reply

We commend DCJIS on taking the step of issuing a letter on its extranet to Massachusetts police chiefs and law enforcement agencies regarding cybersecurity awareness training and encourage DCJIS to develop a system that continually monitors whether CSSOA users complete cybersecurity training in a timely manner. However, we disagree with DCJIS on who is ultimately responsible for ensuring that all CSSOA users complete the mandatory biennial cybersecurity awareness training.

As noted in both Section 5.2.1 of the FBI’s “Criminal Justice Information Services (CJIS) Security Policy” and 803 CMR 7.07(1), DCJIS is responsible for the administration and management of CSSOA. Section 5.2.1 of the FBI’s “Criminal Justice Information Services (CJIS) Security Policy” states,

[DCJIS] may accept the documentation of the completion of security awareness training from another agency. Accepting such documentation from another agency means that the accepting agency assumes the risk that the training may not meet a particular requirement or process required by federal, state, or local laws.

According to 803 CMR 7.07, DCJIS “shall be responsible for overseeing access to all FBI systems and information by Massachusetts agencies, as well as for ensuring system security, training, policy compliance, and auditing.”

Based on these requirements, DCJIS should not just trust that law enforcement agencies are ensuring their CSSOA users are being trained. Instead, DCJIS should verify on its own that the agencies’ CSSOA users are being trained and follow up on any users with extended gaps in their training that DCJIS identifies in its audits. Because of the sensitive nature and types of information (such as personally identifiable information) in CSSOA, there is a heightened risk of unauthorized access to this information if users do not regularly receive cybersecurity awareness training.

Date published: April 13, 2023
