Agency Security Expectations

It is important for customers to understand the measures that Axon has taken to secure Axon Fleet, Axon products, and Evidence.com, as customers inherit our advanced security capabilities, controls, and programs. It is also critically important for customers to understand the actions and processes that they must implement to ensure the security of their data and operations of the Axon Fleet system.

We are here to help. Below is a checklist of items that should be considered by agencies when managing wireless access points and utilizing MDTs:

Wi-Fi Access Point Configuration

Axon expects U.S.-based agencies to have deployed Wireless Access Points in compliance with CJIS Requirements and Guidance and to implement the following controls:

  1. Maintain an inventory of wireless access points and agency-owned wireless devices.
  2. Place access points in secure areas, such as a criminal justice conveyance trunk or other secure location.
  3. Enable appropriate user authentication and encryption mechanisms for the wireless access point management interface, including meeting password requirements and using FIPS-compliant secure protocols.
  4. Ensure that the reset functionality on wireless access points does not revert to factory default settings.
  5. Change the service set identifier (SSID) from the default and disable the broadcast feature.
  6. Enable available access point security features, including firewalls and authentication.
  7. Ensure encryption key sizes are at least 128 bits and default keys are not utilized.
  8. Disable ad-hoc mode.
  9. Disable any nonessential management protocols.

*Requirements derived from CJIS Security Policy v5.5 Section 5.13.1.1 802.11 Wireless Protocols
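The checklist above can be checked mechanically against an access point inventory. The following audit script is an added example, not Axon or CJIS code; it covers items 2 and 4 through 9. The field names, the allowed management protocol set, and the sample records are assumptions made for illustration.

```python
# Added example: field names and sample records are constructed for
# illustration; they are not an Axon, CJIS or vendor schema.
ALLOWED_MGMT = {"https", "ssh"}    # assumption: the agency's "essential" protocols
DISALLOWED_MODES = {"WEP", "WPA"}  # modes the page says to disallow

def audit_ap(ap, allowed_mgmt=ALLOWED_MGMT):
    """Return the checklist item numbers this access point fails.
    A missing field counts as a failure, so gaps in the inventory surface."""
    failed = set()
    if not ap.get("secure_location"):
        failed.add(2)
    if ap.get("reset_restores_factory_defaults", True):
        failed.add(4)
    ssid = ap.get("ssid")
    if not ssid or ssid == ap.get("factory_ssid") or ap.get("ssid_broadcast", True):
        failed.add(5)
    if not (ap.get("firewall_enabled") and ap.get("client_auth_enabled")):
        failed.add(6)
    # Item 7; WEP/WPA modes are grouped here as an encryption failure.
    if (ap.get("key_bits", 0) < 128 or ap.get("default_key", True)
            or ap.get("security") in DISALLOWED_MODES):
        failed.add(7)
    if ap.get("adhoc_enabled", True):
        failed.add(8)
    protos = ap.get("mgmt_protocols")
    if protos is None or set(protos) - set(allowed_mgmt):
        failed.add(9)
    return sorted(failed)

def audit_inventory(inventory):
    """Map each inventoried AP (item 1) to the items it fails."""
    return {ap["name"]: audit_ap(ap) for ap in inventory}

# Constructed sample inventory: one compliant AP, one with several gaps.
GOOD = {"name": "unit-101", "secure_location": True,
        "reset_restores_factory_defaults": False, "ssid": "fleet-7f3a",
        "factory_ssid": "VendorAP", "ssid_broadcast": False,
        "firewall_enabled": True, "client_auth_enabled": True,
        "security": "WPA2", "key_bits": 256, "default_key": False,
        "adhoc_enabled": False, "mgmt_protocols": ["https"]}
BAD = {**GOOD, "name": "unit-102", "ssid": "VendorAP", "ssid_broadcast": True,
       "security": "WPA", "key_bits": 128, "mgmt_protocols": ["https", "telnet"]}
del BAD["reset_restores_factory_defaults"]  # setting was never recorded
INVENTORY = [GOOD, BAD]

if __name__ == "__main__":
    for name, items in audit_inventory(INVENTORY).items():
        print(name, "compliant" if not items else f"fails items {items}")
```

Because unrecorded settings are treated as failures, an incomplete inventory record is reported rather than silently passed.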

Standard MDT Hardening

Axon expects U.S.-based agencies to have deployed MDTs in compliance with CJIS Requirements and Guidance and to have, at minimum, implemented the following controls:

Authentication

  • MDTs are configured for local device authentication (see Section 5.13.7.1), and the authenticator used shall meet the requirements in CJIS 5.5 Section 5.6.2.1, Standard Authenticators.
  • Use advanced authentication or CSO approved compensating controls as per Section 5.13.7.2.1.

Data Storage

  • Encrypt all CJI resident on the device.
  • Erase cached information in applications, including authenticators (see Section 5.6.2.1), when the session is terminated.

Operating Protections

  • Apply available critical patches and upgrades to the operating system as soon as they become available for the device and after necessary testing as described in CJIS Section 5.10.4.1.
  • Employ personal firewalls or run a Mobile Device Management (MDM) system that facilitates the ability to provide firewall services from the agency level.
    - Manage program access to the Internet.
    - Block unsolicited requests to connect to the user device.
    - Filter incoming traffic by IP address or protocol.
    - Filter incoming traffic by destination ports.
    - Maintain an IP traffic log.
  • Employ malicious code protection or run an MDM system that facilitates the ability to provide anti-malware services from the agency level.
  • Wi-Fi: harden the device to limit the types of Wi-Fi access points, and the specific access points, it can connect to.
    - Disallow connectivity to WEP or WPA networks (see Section 5.13.1.1, 802.11 Wireless Protocols).

The most current CJIS Security Policy can be retrieved here. Also, see Security Best Practices for guidance on securing your agency's usage of Evidence.com.