Reference
CJIS Control Mapping
Full mapping of CJIS Security Policy v6.0 controls to EasyWarrant implementation details.
| Control | Title | Requirement | EasyWarrant Implementation |
|---|---|---|---|
| SC-8 | Transmission Confidentiality & Integrity | Protect CJI during transmission | TLS 1.3 for all API and signaling; DTLS-SRTP for video media |
| SC-8(1) | Cryptographic Protection | Implement cryptographic mechanisms for transmission | AES-128 minimum; FIPS 140-3 validated module; TLS 1.3 |
| SC-13 | Cryptographic Protection | FIPS 140-3 validated modules; FIPS 140-2 sunset Sep 2026 | Azure Government FIPS 140-3 throughout; no FIPS 140-2 |
| SC-17 | Public Key Infrastructure Certificates | PKI for e-signature and judicial approval | DocuSign eNotary; agency-level CA; TSA timestamp |
| SC-23 | Session Authenticity | Protect against MitM attacks and session hijacking | DTLS certificate pinning; session key rotation; server-side enforcement |
| SC-28 | Protection of Information at Rest | Protect CJI at rest | AES-256 via Azure Blob Storage Gov + Key Vault CMK; US jurisdiction only |
| SC-10 | Network Disconnect | Terminate session after 1 hour of inactivity | Server-side 60-minute inactivity timeout; all session keys destroyed on termination |
| SC-12 | Cryptographic Key Establishment | Agency-controlled key lifecycle | Azure Key Vault HSM CMK; agency controls generation, rotation, destruction |
| IA-2(1) | Multi-Factor Authentication | AAL2 MFA for all CJI access | Auth0 Government or Okta FedRAMP High; AAL2 enforced; SMS OTP not accepted |
| AU-2 | Audit Events | Identify and log auditable events | OpenTelemetry + PostgreSQL; all warrant lifecycle, auth, and access events logged |
| AU-3 | Content of Audit Records | Sufficient information in each audit record | Timestamp, actor, action, resource, outcome, source IP, prev-hash in every entry |
| AU-9 | Protection of Audit Information | Protect audit logs from unauthorized access/modification | Hash chain tamper-evidence; agency CMK; Brigade staff cannot modify agency logs |
| AU-11 | Audit Record Retention | Retain audit records per policy | Configurable per-agency retention policy; on-demand export with chain cert |
| AC-17 | Remote Access | Authorize and monitor remote access | All access over TLS 1.3; MFA required; full access logging |
| App. G.2 | VoIP/Video Security | Address VoIP/video threat model | DTLS-SRTP enforced; no plaintext media; session keys per-session |
| App. G.6 | Encryption Decision | Apply FIPS requirements per encryption decision flowchart | All EasyWarrant channels encrypted; physical location rule: always encrypt |
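
The AU-3 and AU-9 rows describe a prev-hash field in every audit entry and hash-chain tamper evidence. The following is an added example, not EasyWarrant's code, showing how such a chain can be built and verified; the field names, SHA-256, the canonical JSON encoding, the genesis value and the sample events are all assumptions.

```python
import hashlib
import json

# Field names follow the AU-3 row; exact names and encoding are assumptions.
FIELDS = ("timestamp", "actor", "action", "resource", "outcome", "source_ip", "prev_hash")
GENESIS = "0" * 64  # assumed prev_hash value for the first entry

def entry_hash(entry):
    """SHA-256 over a canonical JSON encoding of the audit fields."""
    canonical = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def append(log, **event):
    """Append an event linked to the previous entry; return the new chain head."""
    prev = entry_hash(log[-1]) if log else GENESIS
    log.append({**event, "prev_hash": prev})
    return entry_hash(log[-1])

def verify(log, anchored_head=None):
    """Return None if the chain is intact, else the index where it breaks.

    An index equal to len(log) means the tail does not match the separately
    stored head: the last entry was altered or entries were truncated.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if any(k not in entry for k in FIELDS) or entry["prev_hash"] != prev:
            return i
        prev = entry_hash(entry)
    if anchored_head is not None and prev != anchored_head:
        return len(log)
    return None

# Constructed sample events (documentation IP range, made-up identifiers).
SAMPLE_EVENTS = [
    {"timestamp": "2025-01-01T10:00:00Z", "actor": "officer-17", "action": "warrant.submit",
     "resource": "warrant/1001", "outcome": "success", "source_ip": "192.0.2.10"},
    {"timestamp": "2025-01-01T10:05:00Z", "actor": "clerk-03", "action": "warrant.view",
     "resource": "warrant/1001", "outcome": "denied", "source_ip": "192.0.2.22"},
    {"timestamp": "2025-01-01T10:20:00Z", "actor": "judge-02", "action": "warrant.approve",
     "resource": "warrant/1001", "outcome": "success", "source_ip": "192.0.2.31"},
]

def build_sample():
    """Build the sample chain and return (log, head)."""
    log, head = [], None
    for event in SAMPLE_EVENTS:
        head = append(log, **event)
    return log, head
```

The prev-hash links alone cannot reveal a change to the final entry or a truncated tail, so the verifier also compares against a head hash stored outside the log.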