It is important for customers to understand the measures that Axon has taken to secure Axon Fleet, Axon products, and Axon Evidence (Evidence.com), as customers inherit our advanced security capabilities, controls, and programs. It is also critically important for customers to understand the actions and processes that they must implement to ensure the security of their data and operations of the Axon Fleet system.
We are here to help. Below is a checklist of items that should be considered by agencies when managing wireless access points and utilizing MDTs:
Wi-fi Access Point Configuration
Axon expects U.S.-based agencies to have deployed Wireless Access Points in compliance with CJIS Requirements and Guidance and should implement the following controls:
- Maintain inventory of wireless access points and agency owned wireless devices
- Place access points in secure areas, such as a criminal justice conveyance trunk or other secure location
- Enable appropriate users authentication and encryption mechanisms for the wireless access point management interface including meeting password requirements and usage of FIPS compliant secure protocols
- Ensure reset functionality on wireless access points do not revert to factory default settings
- Change the service set identifier (SSID) from the default and disable the broadcast feature.
- Enable available access point security features including firewalls and authentication
- Ensure encryption key sizes are at least 128-bits and default keys are not utilized
- Disable ad-hoc mode
- Disable any nonessential management protocols
*Requirements derived from CJIS Security Policy v5.5 Section 220.127.116.11 802.11 Wireless Protocols
Standard MDT Hardening
Axon expects U.S.-based agencies to have deployed MDTs in compliance with CJIS Requirements and Guidance and should implement have at minimum implemented the following controls:
- MDTs are configured for local device authentication (see Section 18.104.22.168) and authenticator used shall meet the requirements in section in CJIS 5.5 22.214.171.124 Standard Authenticators.
- Use advanced authentication or CSO approved compensating controls as per Section 126.96.36.199.1.
- Encrypt all CJI resident on the device.
- Erase cached information, to include authenticators (see Section 188.8.131.52) in applications, when session is terminated.
- Apply available critical patches and upgrades to the operating system as soon as they become available for the device and after necessary testing as described in CJIS Section 184.108.40.206.
- Employ personal firewalls or run a Mobile Device Management (MDM) system that facilitates the ability to provide firewall services from the agency level.
- Manage program access to the Internet.
- Block unsolicited requests to connect to the user device.
- Filter incoming traffic by IP address or protocol.
- Filter incoming traffic by destination ports.
- Maintain an IP traffic log.
- Employ malicious code protection or run a MDM system that facilitates the ability to provide anti-malware services from the agency level.
- Wi-Fi - Hardening to limit the types and specific Wi-Fi access points the device can connect to.
- Disallow connectivity to WEP or WPA networks - 220.127.116.11 802.11 Wireless Protocols
The most updated CJIS Security Policy can be retrieved here. Also, see Security Best Practices for guidance on securing your agency's usage of Evidence.com.