How Blumira Helps With

CJIS Compliance

Criminal Justice Information Services (CJIS) is a regulatory framework mandated by the FBI (Federal Bureau Investigation) to help protect criminal justice data as processed by state, local, and federal governments’ police and sheriff departments. This helps ensure law enforcement has timely and secure access to services and data to help them stop and reduce crime.

The CJIS Security Policy contains information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI).

Try XDR free for 30 days

How Blumira Can Help

Blumira maps to many CJIS controls to help state and local government organizations meet compliance through our SIEM + XDR platform. Blumira’s platform provides capabilities for generating audit records, logging system events, automating the audit monitoring and analysis process, retaining audit logs for one year, and more.

“Blumira caught the password spraying attack within 20 minutes. We were able to get out to the local unit, take the server off of the network and reimage it before it was able to do any real harm.” – Mike Morrow, Technical Infrastructure Manager, Ottawa County.

Read The Case Study

Blumira Supports the Following CJIS Controls:

5.4 Policy Area 4: Auditing and Accountability

5.4 Policy Area 4: Auditing and Accountability

Agencies shall implement audit and accountability controls to increase the probability of

authorized users conforming to a prescribed pattern of behavior. Agencies shall carefully assess the inventory of components that compose their information systems to determine which security controls are applicable to the various components.
5.4.1 Auditable Events and Content (Information Systems)

5.4.1 Auditable Events and Content (Information Systems)

The agency’s information system shall generate audit records for defined events. These defined events include identifying significant events which need to be audited as relevant to the security of the information system. The agency shall specify which information system components carry out auditing activities. Auditing activity can affect information system performance and this issue must be considered as a separate factor during the acquisition of information systems. The agency’s information system shall produce, at the application and/or operating system level, audit records containing sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events. The agency shall periodically review and update the list of agency-defined auditable events. In the event an agency does not use an automated system, manual recording of activities shall still take place.

By offering a wide range of integrations across an enterprise’s on-premises and cloud-based assets, Blumira provides broad coverage for audit log collection and recommendations for best practices on what you should log and how to easily turn on advanced logging features for greater visibility.
5.4.1.1 Events
5.4.1.1 Events

The following events shall be logged:
1. Successful and unsuccessful system log-on attempts.
2. Successful and unsuccessful attempts to use:
3. Access permission on a user account, file, directory or other system resource;
  1. create permission on a user account, file, directory or other system resource;
  2. write permission on a user account, file, directory or other system resource;
  3. delete permission on a user account, file, directory or other system resource;
  4. change permission on a user account, file, directory or other system resource.
4. Successful and unsuccessful attempts to change account passwords.
5. Successful and unsuccessful actions by privileged accounts(i.e., root, Oracle, DBA, admin, etc.).
6. Successful and unsuccessful attempts for users to:
  1. access the audit log file; 09/14/2023 CJISD-ITS-DOC-08140-5.9.3 28
  2. modify the audit log file;
  3. destroy the audit log file.
Blumira can track user access to applications and services integrated with Blumira’s platform for log monitoring, collection, detection and response. Blumira also keeps historical log records of any file modifications or disposal, notifying you of user activity at the time of detection and providing all relevant information to help with further investigation and response. Blumira collects many third-party service provider logs. Our platform notifies you and provides response options for events related to authentication and authorization, data creation and exposal, and user management.
5.4.1.1.1 Content
5.4.1.1.1 Content

The following content shall be included with every audited event:
1. Date and time of the event.
2. The component of the information system (e.g., software component, hardware component) where the event occurred.
3. Type of event.
4. User/subject identity.
5. Outcome (success or failure) of the event.
Blumira’s platform collects all data across your entire environment that is set up for logging and populates it with every finding (alert). That includes detailed audit logging information such as source, date, username, timestamp, source and destination addresses and more to help with forensic investigations.

5.4 Policy Area 4: Auditing and Accountability

Agencies shall implement audit and accountability controls to increase the probability of

authorized users conforming to a prescribed pattern of behavior. Agencies shall carefully assess the inventory of components that compose their information systems to determine which security controls are applicable to the various components.

5.4.1 Auditable Events and Content (Information Systems)

The agency’s information system shall generate audit records for defined events. These defined events include identifying significant events which need to be audited as relevant to the security of the information system. The agency shall specify which information system components carry out auditing activities. Auditing activity can affect information system performance and this issue must be considered as a separate factor during the acquisition of information systems. The agency’s information system shall produce, at the application and/or operating system level, audit records containing sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events. The agency shall periodically review and update the list of agency-defined auditable events. In the event an agency does not use an automated system, manual recording of activities shall still take place.

By offering a wide range of integrations across an enterprise’s on-premises and cloud-based assets, Blumira provides broad coverage for audit log collection and recommendations for best practices on what you should log and how to easily turn on advanced logging features for greater visibility.

5.4.1.1 Events

The following events shall be logged:

Successful and unsuccessful system log-on attempts.
Successful and unsuccessful attempts to use:
Access permission on a user account, file, directory or other system resource;
1. create permission on a user account, file, directory or other system resource;
2. write permission on a user account, file, directory or other system resource;
3. delete permission on a user account, file, directory or other system resource;
4. change permission on a user account, file, directory or other system resource.
Successful and unsuccessful attempts to change account passwords.
Successful and unsuccessful actions by privileged accounts(i.e., root, Oracle, DBA, admin, etc.).
Successful and unsuccessful attempts for users to:
1. access the audit log file; 09/14/2023 CJISD-ITS-DOC-08140-5.9.3 28
2. modify the audit log file;
3. destroy the audit log file.

Blumira can track user access to applications and services integrated with Blumira’s platform for log monitoring, collection, detection and response. Blumira also keeps historical log records of any file modifications or disposal, notifying you of user activity at the time of detection and providing all relevant information to help with further investigation and response. Blumira collects many third-party service provider logs. Our platform notifies you and provides response options for events related to authentication and authorization, data creation and exposal, and user management.

5.4.1.1.1 Content

The following content shall be included with every audited event:

Date and time of the event.
The component of the information system (e.g., software component, hardware component) where the event occurred.
Type of event.
User/subject identity.
Outcome (success or failure) of the event.

Blumira’s platform collects all data across your entire environment that is set up for logging and populates it with every finding (alert). That includes detailed audit logging information such as source, date, username, timestamp, source and destination addresses and more to help with forensic investigations.

5.4.3 Audit Monitoring, Analysis, and Reporting

5.4.3 Audit Monitoring, Analysis, and Reporting

The responsible management official shall designate an individual or position to review/analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, to report findings to appropriate officials, and to take necessary actions. Audit review/analysis shall be conducted at a minimum once a week. The frequency of review/analysis should be increased when the volume of an agency’s processing indicates an elevated need for audit review. The agency shall increase the level of audit monitoring and analysis activity within the information system whenever there is an indication of increased risk to agency operations, agency assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.

After integrating with your third-party services and applications, Blumira’s platform automatically applies detection rules to your account to rapidly review your logs and detect anomalies or suspicious activity that could indicate potential threats in your environment. With Blumira, there’s no need for security analysts or IT teams to manually review logs for threats; providing an affordable and scalable solution to replace a costly and inefficient SOC (security operations center). If you need more assistance, Blumira’s security operations team is available to provide guided support for any critical priority issues.
5.4.5 Protection of Audit Information

5.4.5 Protection of Audit Information

The agency’s information system shall protect audit information and audit tools from modification, deletion and unauthorized access.

Blumira’s log database is only accessible to internal Blumira services and parties that require access. Blumira maintains raw log data while tracking and identifying log messages to ensure data integrity and validation. Through periodic review and internal processes, Blumira validates that incoming logs have not been tampered with, while alerting customers if any audit logs are cleared to help protect them from modification by attackers or insiders that may want to hide their activity.
5.4.6 Audit Record Retention

5.4.6 Audit Record Retention

The agency shall retain audit records for at least one (1) year. Once the minimum retention time period has passed, the agency shall continue to retain audit records until it is determined they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for 09/14/2023 CJISD-ITS-DOC-08140-5.9.3 29 example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law enforcement actions.

Blumira’s SIEM + XDR platform collects all data across your entire environment that is set up for logging and populates it with every finding (alert). That includes detailed audit logging information such as source, date, username, timestamp, source and destination addresses and more to help with forensic investigations. Blumira’s reporting functionality provides a log retention history of up to a year of hot storage, meaning the logs are readily available for investigation whenever needed.

5.4.3 Audit Monitoring, Analysis, and Reporting

The responsible management official shall designate an individual or position to review/analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, to report findings to appropriate officials, and to take necessary actions. Audit review/analysis shall be conducted at a minimum once a week. The frequency of review/analysis should be increased when the volume of an agency’s processing indicates an elevated need for audit review. The agency shall increase the level of audit monitoring and analysis activity within the information system whenever there is an indication of increased risk to agency operations, agency assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.

After integrating with your third-party services and applications, Blumira’s platform automatically applies detection rules to your account to rapidly review your logs and detect anomalies or suspicious activity that could indicate potential threats in your environment. With Blumira, there’s no need for security analysts or IT teams to manually review logs for threats; providing an affordable and scalable solution to replace a costly and inefficient SOC (security operations center). If you need more assistance, Blumira’s security operations team is available to provide guided support for any critical priority issues.

5.4.5 Protection of Audit Information

The agency’s information system shall protect audit information and audit tools from modification, deletion and unauthorized access.

Blumira’s log database is only accessible to internal Blumira services and parties that require access. Blumira maintains raw log data while tracking and identifying log messages to ensure data integrity and validation. Through periodic review and internal processes, Blumira validates that incoming logs have not been tampered with, while alerting customers if any audit logs are cleared to help protect them from modification by attackers or insiders that may want to hide their activity.

5.4.6 Audit Record Retention

The agency shall retain audit records for at least one (1) year. Once the minimum retention time period has passed, the agency shall continue to retain audit records until it is determined they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for 09/14/2023 CJISD-ITS-DOC-08140-5.9.3 29 example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law enforcement actions.

Blumira’s SIEM + XDR platform collects all data across your entire environment that is set up for logging and populates it with every finding (alert). That includes detailed audit logging information such as source, date, username, timestamp, source and destination addresses and more to help with forensic investigations. Blumira’s reporting functionality provides a log retention history of up to a year of hot storage, meaning the logs are readily available for investigation whenever needed.

5.7.1 Access Restrictions for Changes

5.7.1 Access Restrictions for Changes

Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system. The goal is to allow only qualified and authorized individuals access to information system components for purposes of initiating changes, including upgrades, and modifications.

Blumira provides guidance for the systems we monitor to ensure that proper logging policies are enabled, and all logs with security value are being generated. Some systems, including firewalls and Microsoft Windows, have some logging functions disabled by default. Our documentation and setup scripts provide assistance in enabling additional logging to enhance our visibility into systems. Blumira also offers RBAC (role-based access control) features in the portal to restrict which users are able to modify the log ingestion functionality within Blumira.
5.5 Access Control (AC)

5.5 Access Control (AC)

Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services, and communication configurations allowing access to CJIS information.

Blumira tracks user account activity, as well as provides reporting on an on-demand or scheduled basis for user account administration activities such as new user and administrative account creation, user/admin account deletions, security group modifications, elevation of user account privileges and more.
5.5 AC-2 Account Management
5.5 AC-2 Account Management
1. Define and document the types of accounts allowed and specifically prohibited for use within the system;
2. Assign account managers;
3. Require conditions for group and role membership;
4. Specify:
  - Authorized users of the system;
  - Group and role membership; and
  - Access authorizations (i.e., privileges) and attributes listed for each account (cont.)
Blumira can help by providing reporting of user account administration activities, based on logs that Blumira stores.
5.5 AC-17 Remote Access | Monitoring and Control

5.5 AC-17 Remote Access | Monitoring and Control

Employ automated mechanisms to monitor and control remote access methods.

The Blumira SIEM + XDR platform monitors remote access methods to help organizations detect attacks by auditing remote user activities across different system components. By installing Blumira Agent on endpoints, Blumira can identify suspicious activity and alert you to take action or respond immediately using Blumira’s automated host isolation capabilities that cuts off an endpoint’s access to your network to protect against ransomware and breaches.

5.7.1 Access Restrictions for Changes

Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system. The goal is to allow only qualified and authorized individuals access to information system components for purposes of initiating changes, including upgrades, and modifications.

Blumira provides guidance for the systems we monitor to ensure that proper logging policies are enabled, and all logs with security value are being generated. Some systems, including firewalls and Microsoft Windows, have some logging functions disabled by default. Our documentation and setup scripts provide assistance in enabling additional logging to enhance our visibility into systems. Blumira also offers RBAC (role-based access control) features in the portal to restrict which users are able to modify the log ingestion functionality within Blumira.

5.5 Access Control (AC)

Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services, and communication configurations allowing access to CJIS information.

Blumira tracks user account activity, as well as provides reporting on an on-demand or scheduled basis for user account administration activities such as new user and administrative account creation, user/admin account deletions, security group modifications, elevation of user account privileges and more.

5.5 AC-2 Account Management

Define and document the types of accounts allowed and specifically prohibited for use within the system;
Assign account managers;
Require conditions for group and role membership;
Specify:
- Authorized users of the system;
- Group and role membership; and
- Access authorizations (i.e., privileges) and attributes listed for each account (cont.)

Blumira can help by providing reporting of user account administration activities, based on logs that Blumira stores.

5.5 AC-17 Remote Access | Monitoring and Control

Employ automated mechanisms to monitor and control remote access methods.

The Blumira SIEM + XDR platform monitors remote access methods to help organizations detect attacks by auditing remote user activities across different system components. By installing Blumira Agent on endpoints, Blumira can identify suspicious activity and alert you to take action or respond immediately using Blumira’s automated host isolation capabilities that cuts off an endpoint’s access to your network to protect against ransomware and breaches.

SI-4 System Monitoring
5.15 System & Information Integrity (SI)
I-4 System Monitoring

Monitor the system to detect:
1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives:
  1. Intrusion detection and prevention
  2. Malicious code protection
  3. Vulnerability scanning
  4. Audit record monitoring
  5. Network monitoring
  6. Firewall monitoring; and
2. Unauthorized local, network, and remote connections;
3. Identify unauthorized use of the system through the following techniques and methods: event logging (ref. 5.4 Audit and Accountability);
4. Invoke internal monitoring capabilities or deploy monitoring devices:
  1. Strategically within the system to collect organization-determined essential information; and
  2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
5. Analyze detected events and anomalies;
6. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
7. Obtain legal opinion regarding system monitoring activities; and
8. Provide intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring, and firewall monitoring software logs to organizational personnel with information security responsibilities weekly.
Employ automated tools and mechanisms to support near real-time analysis of events.

The Blumira SIEM platform integrates with your third-party applications, network, endpoints, firewalls and more to collect system logs. Then Blumira automatically applies detection rules to monitor, analyze and detect anomalies or suspicious activity that could indicate potential threats in your environment. For real-time detections, Blumira sends notifications in under a minute of initial detection to enable faster response times.

With every alert, Blumira also provides playbooks that guide you through threat response. If you need more assistance, Blumira’s security operations team is available to provide support for any critical priority issues. In addition, you can access all of your logs retained for one year (for all paid editions) and schedule to send reports to your team on a weekly basis.
(4) System Monitoring | Inbound and Outbound Communications Traffic
(4) System Monitoring | Inbound and Outbound Communications Traffic
1. Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;
2. Monitor inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions such as: the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information.
Blumira analyzes your network and inbound/outbound traffic to detect unusual or suspicious activity, including malware, data exfiltration, communications with attacker servers (Command & Control) and more. Blumira also detects inbound traffic originating from anonymous networks like Tor. Through Dynamic Blocklists, Blumira also integrates with supported firewalls and threat intelligence feeds to identify known malicious traffic, and block access to protect your organization.
(5) System Monitoring | System-Generated Alerts

(5) System Monitoring | System-Generated Alerts

Alert organizational personnel with system monitoring responsibilities when the following system-generated indications of compromise or potential compromise occur: inappropriate or unusual activities with security or privacy implications.

The Blumira SIEM + XDR platform collects, analyzes, detects and sends alerts to you whenever indications of compromise or potential compromise occurs. Blumira sends alerts with details about suspicious activity to any of your chosen team members in under a minute of initial detection for faster detection and response, by email, text and/or phone call. With every alert, Blumira also provides playbooks that guide you through threat response.
(7) Software, Firmware, and Information Integrity | Integration of Detection and Response

(7) Software, Firmware, and Information Integrity | Integration of Detection and Response

Incorporate the detection of the following unauthorized changes into the organizational incident response capability: unauthorized changes to established configuration setting or the unauthorized elevation of system privileges.

The Blumira SIEM + XDR platform provides detection and response capabilities once integrated with your software and other services. The solution includes pre-built detection rules that identify when unauthorized changes are made to configuration settings, or when the unauthorized elevation of system privileges occurs, then alerts you to the issue with guidance on how to respond.
SI-12 Information Management and Retention

SI-12 Information Management and Retention

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

The Blumira platform collects all data across your entire environment and systems that are set up for logging. That includes detailed audit logging information such as source, date, username, timestamp, source and destination addresses and more to help with forensic investigations. Blumira’s reporting functionality provides a log retention history of up to a year of hot storage, meaning the logs are readily available for investigation whenever needed.

5.15 System & Information Integrity (SI)
I-4 System Monitoring

Monitor the system to detect:

Attacks and indicators of potential attacks in accordance with the following monitoring objectives:
1. Intrusion detection and prevention
2. Malicious code protection
3. Vulnerability scanning
4. Audit record monitoring
5. Network monitoring
6. Firewall monitoring; and
Unauthorized local, network, and remote connections;
Identify unauthorized use of the system through the following techniques and methods: event logging (ref. 5.4 Audit and Accountability);
Invoke internal monitoring capabilities or deploy monitoring devices:
1. Strategically within the system to collect organization-determined essential information; and
2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
Analyze detected events and anomalies;
Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
Obtain legal opinion regarding system monitoring activities; and
Provide intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring, and firewall monitoring software logs to organizational personnel with information security responsibilities weekly.

Employ automated tools and mechanisms to support near real-time analysis of events.

The Blumira SIEM platform integrates with your third-party applications, network, endpoints, firewalls and more to collect system logs. Then Blumira automatically applies detection rules to monitor, analyze and detect anomalies or suspicious activity that could indicate potential threats in your environment. For real-time detections, Blumira sends notifications in under a minute of initial detection to enable faster response times.

With every alert, Blumira also provides playbooks that guide you through threat response. If you need more assistance, Blumira’s security operations team is available to provide support for any critical priority issues. In addition, you can access all of your logs retained for one year (for all paid editions) and schedule to send reports to your team on a weekly basis.

(4) System Monitoring | Inbound and Outbound Communications Traffic

Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;
Monitor inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions such as: the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information.

Blumira analyzes your network and inbound/outbound traffic to detect unusual or suspicious activity, including malware, data exfiltration, communications with attacker servers (Command & Control) and more. Blumira also detects inbound traffic originating from anonymous networks like Tor. Through Dynamic Blocklists, Blumira also integrates with supported firewalls and threat intelligence feeds to identify known malicious traffic, and block access to protect your organization.

(5) System Monitoring | System-Generated Alerts

Alert organizational personnel with system monitoring responsibilities when the following system-generated indications of compromise or potential compromise occur: inappropriate or unusual activities with security or privacy implications.

The Blumira SIEM + XDR platform collects, analyzes, detects and sends alerts to you whenever indications of compromise or potential compromise occurs. Blumira sends alerts with details about suspicious activity to any of your chosen team members in under a minute of initial detection for faster detection and response, by email, text and/or phone call. With every alert, Blumira also provides playbooks that guide you through threat response.

(7) Software, Firmware, and Information Integrity | Integration of Detection and Response

Incorporate the detection of the following unauthorized changes into the organizational incident response capability: unauthorized changes to established configuration setting or the unauthorized elevation of system privileges.

The Blumira SIEM + XDR platform provides detection and response capabilities once integrated with your software and other services. The solution includes pre-built detection rules that identify when unauthorized changes are made to configuration settings, or when the unauthorized elevation of system privileges occurs, then alerts you to the issue with guidance on how to respond.

SI-12 Information Management and Retention

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

The Blumira platform collects all data across your entire environment and systems that are set up for logging. That includes detailed audit logging information such as source, date, username, timestamp, source and destination addresses and more to help with forensic investigations. Blumira’s reporting functionality provides a log retention history of up to a year of hot storage, meaning the logs are readily available for investigation whenever needed.