California Law Enforcement Telecommunications System (CLETS)Advisory Committee (CAC)

Meeting Minutes

March 25, 2015

Folsom City Council Chambers

Present: Chair: Sam Spiegel (California Peace Officers’ Association)

Members: James Mele (California State Sheriffs’ Association)Frank Alvarez (Department of Motor Vehicles)

Cynthia Renaud (California Police Chiefs’ Association)

Karen Wong (Office of Emergency Services)Evert Palmer (League of California Cities)Marc Shaw (California Peace Officers’ Association)

Absent: Scott Howland (California Highway Patrol) Larry Spikes (California State Association of Counties)

Vacant: California Department of Justice Representative

CALL TO ORDER Chair Spiegel called the meeting to order at 1:02 p.m.

ROLL CALL CLETS Executive Secretary Keith Dann called roll; a quorum was present.

APPROVAL OF MINUTES A motion was made to approve the minutes from the meeting of December 2, 2014.

Motion: Evert Palmer Second: Marc Shaw Discussion: None Vote: Approved unanimously

CHAIR’S REPORT Chair Spiegel welcomed Tuolumne County Sheriff James Mele, representing the California State Sheriffs’ Association to the Committee and read his biography. Chair Spiegel provided a brief history of the CAC, which was codified in statute in 1965 and remains the oldest standing Advisory Committee in California, with every meeting adhering to the Bagley-Keene Open Meeting Act mandates, which include advanced notice of meetings and public access. Moreover, Chair Spiegel noted that the CAC as outlined in statute, is an Advisory Committee, which makes recommendations/advises the Office of the Attorney General

EXECUTIVE SECRETARY’S REPORT

a. Action Items

1. Chief Renaud to contact the Stockton Police Department Chief regarding encryption requirements. Result: Chief Renaud spoke to the Stockton Police Department Chief. A solution to the encryption issue has been identified and the

projected completion date has been advanced from December 2016 to June 2015.

2. Chair Spiegel to contact the Monterey Police Department Chief regarding encryption requirements. Result: Chair Spiegel spoke to the Monterey Police Department Chief. A solution to the encryption issue has been identified and the

projected completion date was advanced from July 2015 to March 31, 2015.

b.CLETS System Misuse Statistics

Possible cases of CLETS misuse processed by the Department of Justice (DOJ) from November 1, 2014 through February 28, 2015:

Journal search requests 56 Searches for possible misuse within own agency 98 Searches for possible misuse within another agency 12 Searches for other purposes 173

c. CLETS Traffic Statistics (October 1, 2014 through December 31, 2014) Inbound Outbound

Total messages 225,824,066 236,873,331 Monthly average 78,608,022 78,957,777 Daily average 2,563,305 2,574,710 Peak day 3,038,019 3,050,191 Peak hour 202,849 203,592

CALIFORNIA PAWN AND SECONDHAND DEALER SYSTEM UPDATE (CAPSS) The DOJ’s Chief Information Officer Adrian Farley gave an update on the CAPSS, which presented core functionality to meet Legislative mandates and was implemented in December 2014. Since then, the DOJ and its contractor have been working on phased-in improvements that will provide pawn and secondhand dealers with vastly improved user capabilities, including an automated registration component, multiple property transaction bulk upload and an advanced licensing application for law enforcement that will streamline the licensing process. The DOJ anticipates several waves of releases between April and June 2015. The DOJ sent a letter, currently on the Attorney General’s public website, to all secondhand dealers in the state, making them aware of requirements.

STANDING STRATEGIC PLANNING SUBCOMMITTEE (SSPS) UPDATE SSPS Chair Tom Bruce gave an update on the SSPS, which met before the CAC meeting and heard a presentation from San Diego Law Enforcement Communications Center Director Leslie Gardner. Additionally, the Subcommittee discussed the 2009 CLETS Strategic Plan and the following four remaining topics for future consideration/discussion:

Goal 3 Make a mobile device multi-modal for traffic citation generation and interface to traffic courts and the Department of Motor Vehicles (DMV).

Goal 4 Transmit “Failure to Appear” (FTA) bench warrants to DOJ and the FBI and have a fingerprint associated with the warrant for positive identification.

New Goal One Capture and share Global Positioning System (GPS) based geospatial data on offenders statewide.

Goal 8 Representatives from the California Police Chiefs’ Association, the California State Sheriffs’ Association, the California Peace Officers’ Association and the DOJ CAC or SSPS representatives will meet with the Department of Motor Vehicles (DMV) Director to discuss:

1. Electronic, interstate exchange of driver license and identification photos for law enforcement purposes; and,

2. Facial recognition technology.

Chair Bruce read the entirety of Goal 8 to the CAC, which was intended merely as an exploratory discussion with the DMV Director to establish a platform for the field to share their needs/wants related to sharing photos and utilizing facial recognition as an investigative tool. CLETS Executive Secretary Keith Dann gave an update that the proposed Goal 8 meeting with the DMV Director did not occur due to potential open meeting concerns. Chair Spiegel stated that the methodology of Goal 8, as written, was not possible and perhaps the language should be removed from the 2009 CLETS Strategic Plan. A motion was made to remove Goal 8 from the amended Strategic Plan update.

Motion: Cynthia Renaud Second: James Mele Discussion: David Maass, an investigative researcher with the Electronic Frontier

Foundation (EFF) asked to address the CAC. A complete transcript of Mr. Maass’ statements is attached. SSPS Chair Bruce stated that the SSPS makes no decisions on policies, practices and procedures and that the Subcommittee’s role is strictly advisory.

Vote: Approved unanimously

UPDATE: UPGRADE APPLICATIONS APPROVED BY THE DOJ The following 11 applications were not voted on and were presented as information only because they were previously approved by the DOJ:

a. Carlsbad Police Department (San Diego County) b. California State University, Channel Islands Police Department (Ventura County) c. Grass Valley Police Department (Nevada County) d. La Mesa Police Department (San Diego County) e. Madera Police Department (Madera County) f. Red Bluff Police Department (Tehama County) g. Riverside Police Department (Riverside County) h. San Luis Obispo Police Department (San Luis Obispo County) i. Tulare County Sheriff’s Department (Tulare County) j. University of California Davis Police Department (Yolo County) k. United States (U.S.) Department of Veterans Affairs, Long Beach (Los Angeles County)

NEW SERVICE APPLICATIONS a. U.S. Army Corp of Engineers, Security and Law Enforcement Division-Los Angeles

District. This item was pulled from the agenda since it was previously approved by the CAC.

b. U.S. Treasury Department, Special Inspector General for the Troubled Asset Relief Program (SIGTARP) – CLETS Administration Section (CAS) analyst Mark Hayward reported that the applicant is a law enforcement sub-unit of a non-law enforcement agency that qualifies for CLETS based upon the Emergency Economic Stabilization Act of 2008, TARP Act of 2009, Section 6. The host agency and DOJ recommended approval. A motion was made to approve the application.

Motion: Evert Palmer Second: James Mele Discussion: None Vote: Approved unanimously

CLIENT REPORTS The first nine agencies are now compliant and will be removed from future agendas

a. California State Licensing Board-Special Investigations Unit (Orange County) b. La Palma Police Department (Orange County) c. Los Angeles County Sheriff’s Department (Los Angeles County) d. Madera County Department of Corrections (Madera County) e. Orange County District Attorney (Orange County) f. Seal Beach Police Department (Orange County) g. U.S. Internal Revenue Service-Criminal Investigations (Orange County) h. U.S. Probation Department (Orange County) i. Westminster Police Department (Orange County)

j. Lodi Police Department CAS Analyst Mark Hayward reported the March 2014 Federal Bureau of Investigation (FBI) audit revealed 15 compliance issues. Of which, seven issues have been resolved. Two of the remaining eight issues: private contractors and media disposal policy are expected to be resolved by March 31, 2015. The outstanding six issues: physical security policy, network configuration diagram, system use notification, lack of user identification (ID) validation documentation, event logging and advanced authentication and an additional encryption issue are expected to be resolved by June 30, 2015.

k. Los Angeles Police Department CAS Analyst Mark Hayward reported the March 2014 FBI audit revealed seven compliance issues. The first compliance response indicated all issues would be resolved by December 31, 2014; however, in the second response, dated February 23, 2015, the agency indicated one encryption issue will not be resolved until May 29, 2015. A motion was made to approve an extension until May 29 for the encryption issue.

Motion: Karen WongSecond: Marc ShawDiscussion: NoneVote: Approved unanimously

l. Stockton Police Department CAS Analyst Mark Hayward reported the March 2014 FBI audit revealed 12 compliance issues. Of which, two issues remain: advanced authentication-vendor and encryption. A possible solution to the encryption issue has been identified and is being verified. If successful, the new projected completion date would be moved from December 2016 to June 2015.

m. UC Davis Police Department CAS Analyst Mark Hayward reported a DOJ audit revealed six compliance issues. Of which, one issue remains: authentication-password compliance, which is expected to be resolved by June 30, 2015.

n. Monterey Police Department The March 2014 FBI audit revealed six original compliance issues. Of which, the remaining issue, encryption, was resolved on March 24, 2015.

o. Anaheim Police Department CAS Analyst Michelle Mitchell reported the March 2014 FBI audit revealed eight compliance issues. Of which, five issues remain: system use notification, private contractors, personnel security, security awareness training and authentication are expected to be resolved by July 2015.

p. Orange County Sheriff’s Department CAS analyst Michelle Mitchell reported that a review of a 2014 CLETS application indicated 11 of the Orange County Sheriff’s Department’s downstream agencies were not compliant with strong password requirements. Of which, only one agency, Orange County Probation Department remained until further discussion with the Sheriff’s Department indicated two additional agencies, Orange County District Attorney (DA) and the Superior Court of California, Orange County did not meet the encryption.

The Orange County Probation Department originally reported a compliance date of December 31, 2014; however, the agency did not meet the compliance date and Sheriff’s Department Chief Information Officer Kirk Wilkerson requested and was granted an extension until April 1, 2015. The Orange County DA and the Superior Court of California, Orange County expect to be compliant by October 1, 2015. Two motions were made to approve extensions.

Motion for Probation extension to April 15: Marc Shaw Second: Evert Palmer Discussion: None Vote: Approved unanimously

Motion for DA/Superior Court extension to April 1: Marc Shaw Second: James Mele Discussion: None Vote: Approved unanimously

q. San Francisco County Sheriff’s Department CAS Analyst Michelle Mitchell reported the March 2014 FBI audit revealed six compliance issues. Of which, two issues remain: private contractors and the system use notification. The agency reported a compliance date of January 1, 2015; however, the agency did not meet the compliance date and Lieutenant Dave Hardy was scheduled to request an extension until March 31, 2015, but an emergency prevented his attendance. Member Mele asked if he could reach out to the Sheriff about the issue. A motion was made to grant the extension.

Motion: James MeleSecond: Karen WongDiscussion: NoneVote: Approved unanimously

r. Santa Ana Police Department CAS Analyst Michelle Mitchell reported the March 2014 FBI audit revealed seven compliance issues. Of which, one remains: event logging. Though the agency is on target to meet its projected compliance date of November 1, 2016, Member Renaud inquired whether the timeline was realistic and Chair Spiegel stated the proposed compliance date was unacceptable. Member Renaud said she would contact the Santa Ana Police Department

Chief about the compliance date and determine if a temporary resolution can be explored. A motion was made to grant an extension until the July 22, 2015 CAC meeting.

Motion: Cynthia Renaud Second: James Mele Discussion: Evert Palmer suggested receiving a progress report in May. Vote: Approved unanimously

MEMBERS’ REPORTS Karen Wong reported the Office of Emergency Services hosted a town hall in San Jose for approximately 200 people on March 2, 2015, where the focus of the First Responder Network Authority (FirstNet) was reaffirmed. The vision is to provide emergency responders with the first nationwide, high-speed, wireless broadband network dedicated to public safety.

Cynthia Renaud paid respects to San Jose Police Department Officer Michael Johnson, killed in the line of duty March 24.

CAC DISCUSSION/OPEN FORUM/PUBLIC COMMENT Chair Spiegel referred the Committee to the EFF letter included in each Member’s packet, which was submitted as public comment and will be entered into the public record for the CAC meeting.

EFF’s Dave Maass reiterated his earlier statements. A complete transcript of Mr. Maass’ statements is attached.

Brian Barnes, the Executive Director of the California CLETS Users Group, CCUG, asked to address the Committee. A complete transcript of Mr. Barnes comments is attached.

NEXT CAC MEETING/ADJOURN The meeting was adjourned at 2:11 p.m. in honor of Michael Johnson of the San Jose Police Department. The next CAC meeting is scheduled for Wednesday, July 22, 2015.

Action Items

1. Sheriff James Mele will contact the San Francisco Sheriff’s Department about compliance issues.

2. Chief Renaud will contact the Santa Ana Police Department Chief regarding the agency’s compliance date and potential resolution.

ORANGE COUNTY SHERIFF'S DEPARTMENT

SHERIFF~CORONER SANDRA HUTCHE~S

March 3, 2015

Ms. Michelle Mitchell CLETS Administration Department of Justice Audits, Inspections and Training Program Bureau of Criminal Identification a11d Investigative Services 4949 Broadway, Bll4 Sacramento, California 95820

Re: Contractor' s State License Board & Strong Password Compliance

Dear Ms. Mitchell:

The intent of this letter is to provide the Department ofJustice with the stattlS of Contractors State License Board (CA0193JOO) and the DOJ/FBI mandated CLE1'S/NCIC login utilizing strong passwords.

Contractor' s S1ate License Board utilizes a CLETS interface application called ELETE. In order to be compliant with strong passwords the agency had to upgrade their ELETE version. This upgrade was completed in mid-Jrumary. By January 30u\ all users had a chance to login to the new ELETE and update their passwords from the old 4 character password to tl1e CLETStFBI compliant strong password. This agency is now fully compliant.

Thank you for your patie11ce during their transition.

Sincerely,

Tina vVinterburn, Agency CLETS Coordinator Orange County Sheriff

Cc: .Karen McDaniel, OCSD IT Manager Bddgctte Hall, CSLB CLETS ACC

320 N. FLOWER STREET, SANTA ANA, CA 92703 (714) 834-6454 -···· .. ....... ' .! . . .. .. .. ................_ - .:..........,.......... ' ' ,.,..... . --·- . J!........ ' .2. .••, ..( ..... ' .... .... . ·-··".... , ....Integrity without compromis~: • Service nbove self • Profcssiomdi~m ln the petformance of duty • Vigilance in safeguarding our community

Police Depa rtment

t:A. PALMA

March 4, 2015

State of California Department of Justice

Bureau of Criminal Information and Analysis

4949 Broadway

PO Box 903387

Sacramento, CA 94203-4170

Dear Michelle

We are happy to inform you that we have upgraded all computers within the police department to the

newest ELETE software version (2204) effective February 28, 2015. The upgrade complies with the

following mandates:

1. OCSD ELETE version 2204 has been downloaded on all department computers.

2. All employees have reset their password and now comply with the new requirement. Per Policy

5.6.2.1.1, employees will comply with the following:

a. Password will me a minimum length of eight (8} characters for all end-users b. Not be a dictionary word or proper name

c. Not be the same as the User I.D.

d. Expire within a maximum of 90 calendar days

e. Not be identical to the previous ten (10} passwords

f. Not be transmitted in the clear outside the secure location

g. Not be displayed when entered

Please feel free to contact me, or the Agency CLETS Coordinator, Captain Jim Engen, if you have any

further questions or concerns.

Very Best;

Police Chief

PHONEwww .cityoflapa lma . org 714 690 3370

7792 Walker Street FAX La Pa lma, CA 90623-1770 714 523 7351

County ofLos Angeles SheriH's Department Headquarters

4700 Ramo11a Boulevard • Mo11terey Park, California 91754-2169

February 19, 2015

Kamala D. Harris, Attorney General

Department of Justice

P.O. Box 903387

Sacramento, California 94203-3870

Dear Ms. Harris:

I am responding to you regarding your October 21 , 2014, letter to the Sheriff's Department in reference to the Federal Bureau of Investigation (FBI), Criminal Justice Information Services (CJIS), Information Technology Security Audit (ITSA) Report.

There are two areas that the Los Angeles Sheriff's Department (LASD) were not in compliance with the FBI CJIS Security Policy.

1. Security Awareness Training Records

The LASD does not ensure:

a) Personnel who manage or have access to criminal justice information receive the required security awareness training with in six months of initial assignment and biennially thereafter (local agency personnel and private contractors)

b) Does not have the required topics covered in the security awareness training .

2. Identification/User ID

The LASD does not document the validation process of system accounts.

In regards to Security Awareness Training, LASD now has a process in place to lock the user account if the user doesn't attend training within six months of the initial activation and biennially thereafter. This process was implemented in September 2014.

717rachlion oj0eruice 0 ince 1 cf50

Kamala Harris -2- February 19, 2105

Security Awareness Training modules have been developed and mandated for all employee's accessing CLETS/JDIC. This training was implemented January 2015.

In regards to documentation of validation of system accounts, new users will be required to fill out a User Request form with proper signatures. The form will be submitted to the JDIC unit for processing. User accounts will be validated annually by the local site security officers and the results of the annual validations will be provided to the Agency CLETS Coordinator. This process was implemented January 2015.

Sincerely,

JIM MCDONNELL, SHERIFF

~ OL~Q_._ Paul E. Drake, Captain

Data Systems Bureau

Manuel Perez

Director of Corrections

maperez@madera-county com

January 1, 2015

From: Manue l Perez; Director

To: Michelle D. M itchell

Re: CLETS re-certification and compliance quarterly report

The Madera County Department of Corrections is dedicated to assuring every CLETS user in our department is in full compliance with the California Department of Justice, Bureau of Criminal Information & Analysis, CLETS Administration Section. As of January 1, 2015 all CLETS users are in full compliance.

•!• Alonzo Lopez, he just got hired so he will be added to User list and will be trained on the CLETS system.

14191 Road 28, Madera, CA 93638 • (559) 675-7951 • FAX (559) 661-5130

TONY RACKAUCKAS ORANGE COUNTY DISTRICT ATTORNEY

ORANGE COUNTY DISTRICT ATTORNEY' S OFFICE

401 CIVIC CENTER DRIVE WEST • SANTA ANA, CA 92701 (714) 834-3636

March 11, 2015 SENT VIA ELECTRONIC & U.S. MAIL AND FAX

MICHELLE MITCHELL, CLETS Staff Systems Analyst CLETS Administration Section, Department of Justice 4949 Broadway, B114 Sacramento, Ca. 95820

Dear Ms. Mitchell:

As follow-up to previous correspondence from August 2014, the Orange County District Attorney's Office worked with the Orange County Sheriffs Department to implement Security Policy 5.6.2.1.1 - (Strong Password Requirement). As had been noted, the OCSD Application Specialist had informed OCDA technical staff that two ports on the OCSD firewall configuration had been opened, which until that time had blocked traffic from our agency with regards to implementing 5.6.2.1.1.

Once these configurations were corrected, we found through testing that we were able to implement the required change on our test client machine. Likewise, the following implementation dates were provided with the expected completion date of December 31, 2014.

401 Civic Center Dr. West (DA Headquarters) September- 2014

700 Civic Center Dr. West (Central Courthouse) October- 2014

801 Civic Center Dr. West (DNA & Cons. Env) October- 2014 OCATT (Orange County Auto Theft Task Force) November- 2014

All PAD (Public Assistance) Countywide November- 2014

All DA Users assigned to NJC December- 2014

All DA Users assigned to WJC and Juvi December- 2014

All DA Users assigned to HJC December- 2014

This letter is to serve notice that the Orange County District Attorney's Office Information Systems met the dates as provided and are now in compliance. Thank you.

Sincerely,

;;;:;/ fiZ,u,fi-v

Tony Rlckauckas District Attorney

RSjTR:vlb

February 3, 2015

To: Michelle D. Mitchell From: Seal Beach Police Department Re: AG Letter of Non/Compliance of FBI CJIS/NCIC Security Policy

5.6.2.1.1

Dear Michelle Mitchell,

This letter is to update the Department of Justice on the Seal Beach Police Department's compliance with CLETS I NCIC strong password requirements. The Orange County Sheriff's Department provides ELETE software to our agency and developed a new version of ELETE to implement the use of strong passwords. As of January 15th, 2015 our agency has reached full compliance regarding the FBI CJIS/NCIC Policy.

As of January 15th, 2015 all mobile workstations and internal workstations including firewalls have been tested and are equipped with a strong password compliant version of ELETE. In addition, all users have received instruction and training and upgraded their passwords to meet the components of Policy 5.6.2.1.1.

Sincerely,

Joe Stilinovich Chief of Police

DEPARTMENT OF THE TREASURY INTERNAL REVENUE SERVICE

WASHINGTON, D.C. 20224

Crimina l Investigation

January 30, 2015

Ms. Michelle Mitchell CLETS Staff Information Systems Analyst Bureau of Criminal Information and Analysis CLETS Administration Section 4949 Broadway, 8114 Sacramento, CA 95820

Dear Ms. Mitchell:

Re: Implementation Of Strong Password- ORI #CAIRS82SO

This letter is to update the Department of Justice on the CLETS/NCIC strong word requirements. The Internal Revenue Service Criminal Investigation in Santa Ana is used by nine employees. At this time, all nine employees comply with the strong password requirements. The IRS-CI CLETS Coordinator will biennially reaffirm that strong password requirements are being maintained. If you have any questions, please contact me at 714-347-9226.

David Nichols Supervisory Special Agent

UNITED STATES DISTRICT COURT CENTRAL DISTRICT OF CALIFORNIA PROBATION OFFICE

January 13, 2015

Michelle A. Carey Douglas B. Bys

Chief U.S. Probation Officer Deputy Chief U.S. Probation Officer

Ms. Michelle Mitchell CLETS Administration Department of Justice JAN 2 6 20f5Audits, Inspections and Training Program Bureau of Criminal Identification and Investigative Services 4949 Broadway, B114 Sacramento, California 95820

Re: Implementation of Strong Passwords - ORI #CA030017G

Dear Ms. Mitchell:

This letter is to update the Department of Justice on the US Probation Office, Santa Ana, Orange

County branch, compliance with CLETS/NCIC strong password requirements. Our Santa Ana

branch uses the Orange County Sheriff's Department's ELETE software. On December 16,

2014, our Agency upgraded ELETE to version 2.2.0.4 which implements the use of strong

passwords, and is now compliant with the CLETS/NCIC strong password requirements.

Sincerely, Michelle A. Carey

!kic~J.i.U./J. ' ~Q' 2015.01.14 13:30:48 · 08'00'

Chief Michelle Carey

US Probation Office

Central District of California

Cc:

5500 Telegraph Road, Suite 241, Ventura, CA 93003/805-644-7275 phone, 805-642-1149 fax

http:2015.01.14

Westminster Police Deportment Kevin Baker, Chief of Police

8200 Westminster Boulevard, Westminster, CA 92683 • 714.898.3315

www.westminster-co.gov

January 1 , 2015

Michelle Mitchell CLETS Administration Section Bureau of Criminal Information and Analysis 4949 Broadway PO Box 903387 Sacramento, CA 94203-4170

RE: Follow up: Non-Compliance with FBI CJIS/NCIC Security Policy 5.6.2.1.1 - Strong Password Requirement

Dear Ms. Mitchell ,

This letter is to provide you with a final report regarding the installation of ELETE.net for the Westminster Police Department. In order to comply with the new FBI CJIS/NCIC security requirements, the County of Orange ELETE.net software needed to be installed at all primary workstations replacing any older versions of the program. As of this date, the project has been completed.

Thank you.

z~ Kevin Baker Chief of Police

Ref: DOJ/NCIC Compliance Letter cc: Marc Contreras

Service with Integrity

http:ELETE.nethttp:ELETE.nethttp:www.westminster-co.gov

LODI POLICE DEPARTMENT

215 West Elm Street Mark A. Helms

Lodi, California 95240 Chief of Police (209) 333-6725

February 19, 2015

Keith Dann, Assistant Chief Bureau of Criminal Information and Analysis P.O. Box 903387 Sacramento, CA 94203-3870

Re: March status update regarding our Federal Bureau of Investigation (FBI), Criminal Justice Information Services (CJIS) Division, Information Technology Security Audit (ITSA) Report implementation plan

Dear Assistant Chief Dann:

The Lodi Police Department received the FBI's CJIS Division audit results identifying areas where our agency was not in compliance with the FBI CJIS Security Policy. This letter is intended to outline updates regarding our implementation plan, identifying what steps will be taken to resolve each audit finding identified below as not meeting the requirements:

1. Noncriminal Justice Agency: The Lodi Police Department received Information Technology services from its respective noncriminal justice agency without a current Management Control Agreement on file with the City of Lodi Information Technology (IT) Department; Completed. CLETS Management Control Agreement completed and signed by all parties on February 9, 2015. Copy of the MCA attached as attachment 1.

2. Private Contactors: The Lodi Police Department receives information technology services from private contactor(s) without obtaining an FBI CJIS Security Addendum with the required certification of private contractor personnel and their representative (Secure Link, SunGard, and Delta Wireless); Update: In the process of sending CLETS Private Contractor Management Control Agreement forms to those contractors who have a need to access our systems or networks on our behalf. Estimated completion date is March 31,2015.

3. Personnel Security: The Lodi Police Department does not fingerprint all personnel, who have unescorted access within the perimeter of their physically secure location, with access to criminal justice information (city IT staff, OSSI, Secure Link, and Delta Wireless); Completed. All personnel who have not been fingerprinted are no longer allowed u nescorted access within the

perimeter of our physically secure location, with access to criminal justice information. All personnel are checked in, provided an identification badge, and assigned an escort. We have also identified personnel who require frequent access and have had them fingerprinted.

4. Security Awareness Training Records: The Lodi Police Department does not ensure personnel who manage or have access to criminal justice information receive the required security awareness training within six months of initial assignment, and biennially thereafter (local agency personnel, city IT staff, OSS/, Secure Link, and Delta Wireless); Completed. Currently our department CLETS Trainers provide the required 4 hour or 8 hour (depending upon the access level of the employee) training course and document exam scores in our CLETS training log, including all recertification training. Our CLETS Trainers are enrolled to attend the NexTEST certification course hosted at the Elk Grove Police Department on March 10, 2015. Once our trainers are certified all CLETS training and recertification will be conducted via NexTEST.

5. Physical Security: The Lodi Police Department does not have a written physical protection policy. Update. In the process of preparing and implementing a physical protection policy in our new department policy manual. Estimated completion date is June 30, 2015.

6. Media Protection: The Lodi Police Department does not have a written policy for electronic and physical media that restricts access to authorized individuals; Completed. The City of Lodi does have written policy for electronic and physical media that restricts access to authorized individuals. City of Lodi Information Services policy section number 1, Electronic Media Acceptable Usage, has been attached as attachment 2 SECTION 1.doc for review.

7. Media Disposal: The Lodi Police Department does not have 1) written policy for sanitization and destruction of electronic media, and 2) written procedures for physical media disposal; Update. Policy completed. The City of Lodi does have written policy for sanitization and destruction of electronic media and written procedures for physical media disposal. City of Lodi Information Services policy section number 8, E-Waste Disposal, has been attached as attachment 3 SECTION 8.doc for review. Information Services is in the process of purchasing a drive duplicator that meets D.O.D. 5520.22-M certification for sanitizing hard drives for disposal. Update: In progress, estimated completion date is March 31, 2015.

B. Network Configuration: The Lodi Police Department does not have a current network diagram; Update. IT in the progress of a data center move. Network diagram to be completed by June 30, 2015.

9. System Use Notification: The Lodi Police Department does not display an approved system use notification message to identify the device restrictions and consent on all information systems accessing criminal justice information; Update. System Use Notification message was enabled; however, it was not Jaw enforcement specific. We have an updated Jaw enforcement specific notification and Information Services is in the process of making the change. System Use Notification attached as attachment 4 Electronic Media Use Notice.doc for review. Estimated completion date is February 27, 2015.

10. JdentificationiUserid: The Lodi Police Department does not document the validation process of system accounts; Update. IT in the process of establishing a validation process of system accounts. Estimated completion date is June 30, 2015.

11. Authentication: The Lodi Police Department's passwords were less than eight characters and did not have a password history of at least ten; Completed. All passwords expire in 90 days and are now required to meet the listed standards including a history of at least ten.

12. Event Logging: The Lodi Police Department does not log successful and unsuccessful attempts to access, create, write, delete or change permission on user account, file, directory or other system resource for all information systems accessing criminal justice information; Update. IT in the process of an Internal History Log and tracking CLETS user identification. Estimated completion date is June 30, 2015.

13. Advanced Authentication: The Lodi Police Department does not provide advanced authentication for remote access to criminal justice information from non-secure locations, for information technology staff and private contractors; Update. IT in the process of installing 2FA, Inc. on all mobile devices with CLETS access. Estimated completion date is March 31, 2015.

An additional encryption issue was discovered during this process, regarding the encryption between our PD building and the City Hall Annex building. The City's Virtual Infrastructure is physically located in the City Hall Annex which is across the street from our PD building. Therefore our RMS is split between two sites. IT is in the process of identifying how to ensure that data between the two sites is properly encrypted. Estimated completion date is June 30, 2015.

14. Encryption: The Lodi Police Department does not encrypt its data backup and was unable to provide verification that the encryption used on the wireless and Internet network segments were at least 128-bit NIST certified; Completed. Wireless and Internet segments are 128-bit NJST 140-2 verified.

15. Personal Firewalls: The Lodi Police Department did not implement personal firewal/s on their wireless access devices. Completed. NetMotion and Windows 7 firewall protection is now installed on all wireless access devices. Personal Firewalls completed.

If you require additional information or have questions, please contact Lieutenant Chris Jacobson at (209) 333-6788.

__..:;;?'X'V7"X Mark Helms Chief of Police

MH:cj89

LOS ANGELES POLICE DEPARTMENT

P. 0 . Box 30158 CHARUE BECK Los Angeles, calif. 90030 Chief of Police Telephone: (213) 486-0150

TDD: (877) 275-5273 Ref#: 17.1

ERIC GARCETTI Mayor

FEB 2 7 2015 February 23,2015

KeithDann Bureau of Criminal Information and Analysis Post Oftice Box 903387 Sacramento, California 94203-3870

Dear Mr. Dann:

This correspondence is in response to the letter dated, October 21, 2014, informing the Los Angeles Police Department (LAPD) of the results of the Federal Bureau oflnvestigation's (FBI) Criminal Justice Information Services (CJIS) division Information Technology Security Audit (ITSA) inspection/review conducted earlier this year.

The Bureau's findings show that our agency was not in compliance with FBI CJIS security policies in regard to several areas detailed in your correspondence.

This letter is to inform you of the status of our agency's compliance with the following findings.

1. Private Contractors: We anticipate receiving signed FBI CJIS Security Addendum documents from most of the contractors identified in the findings by December 1, 2014. The contractors from whom we are receiving signed Security Addenda are Palantir, Praescient Analytics and JSS Contractors. We will not be receiving a Security Addendum from Iron Mountain as we are no longer using this firm for any information technology services related to CJIS data and their personnel are not allowed to enter any locations within our facilities containing CJIS-relatcd systems for removal of confidential or sensitive documents.

COMPLETED

2. Personnel Security: Fingerprinting of Iron Mountain personnel will no longer be necessary since they will not be permitted to enter any secured location within our agency's facilities. LAPD personnel will take over the destruction of all CJIS-related materials. Any non-CJIS materials that Iron Mountain may continue to collect for destruction will be provided to their personnel by LAPD staff at delivery or loading zones for pickup. COMPLETED

AN EQUAL EMPLOYMENT OPPORTUNITY EMPLOYER

www.LAPDonline.org

www.joinLAPD.com

http:www.joinLAPD.comhttp:www.LAPDonline.org

17.1

The Honorable Kamala D. Harris Page2

3. Security Awareness Training Records: Security Awareness training is being provided to the following populations identified in the findings:

a. Local agency personnel: training is up to date. COMPLETED b. City Information Technology Agency: training to be completed by December 31,

2014. COMPLETED c. Palantir, Praescient Analytics and JSS Contractors: training to be completed by

December 5, 2014. COMPLETED d. Iron Mountain personnel will no longer require trus training since LAPD staff is

taking over their functions. COMPLETED 4. Media Disposal: The Los Angeles Police Department does not agree with this finding. Our

agency provided our agency's media disposal policy to the FBI inspector, and wruch is attached with this letter. COMPLETED

5. System Usage Warning: All agency computers at the LAPD have displayed a system usage warning since June 2014. COMPLETED

6. ldentification!UseriD: An agency policy regarding this matter will be issued by December 31,2014. COMPLETED

7. Encryption: The following encryption modules are used for encryption ofLAPD CJISrelated traffic over the City network (the reference number for each module refers to

National Institute of Standards and Technology's Federal Information Processing Standards (PIPS) 140 vendor list at http:/!csrc.nist.gov/groups/STM/cmvp/documents/140

1/140 1 vend.htm):

a. #1051 OpenSSL FIPS Object Module - Module installed on server/mainframe;

awaiting LAPD NSS rollout schedule for BlueZone IN-J'ROGRESS - May 29, 2015 b. #989 Windows XP Enhanced Cryptographic Provider COMPLETED c. # 1330 Windows 7 Enhanced Cryptographic Provider COMPLETED

The LAPD has taken, or will take, action on all the above items identified by the FBI's ITSA

inspection, and all items will be in compliance by May 29, 2015 or earlier, as indicated above.

If you have any questions concerning the actions taken above, please have a member of your staff

contact the Agency Security Point of Contact, Mr. Sanjoy Datta, at (213) 486-0287.

Respectfully,

CHARLIE BECK

M. JANTZ, Director of Systems Commanding Officer, Agency CLETS Coordinator Information Technology Division

http:/!csrc.nist.gov/groups/STM/cmvp/documents/140

CITY OF STOCKTON

POLICE DEPARTMENT

22 East Market Street • Stockton, CA 95202-2876

www.stocktongov.com

(209) 937-8367

March 10, 2015

Keith Dann, Assistant Chief Bureau of Criminal Information and Analysis For Kamala D. Harris, Attorney General State of California Department of Justice P.O. Box 903387 Sacramento, CA 94203-3870

FBIICJIS AUDIT RESULTS AND IMPLEMENTATION PLAN

In response to your letter of October 30, 2014, detailing twelve FBI CJIS pol icy mandates with which the Stockton Police Department was not in compliance, the following corrective measures have been taken or will be implemented.

Item 1:

Noncriminal Justice Agency: The Stockton Police Department received Information Technology services from its respective noncriminal justice agency without a current Management Control Agreement on file with the City of Stockton Information Technology (IT) Department.

Response- 11/06/14:

The Stockton Police Department has a Management Control Agreement for the City of Stockton Information Technology (IT) that was sent to the City Manager's Office on October 9, 2014. We are waiting for the City Manager's signature. We anticipate approval and receipt of this document by December 15, 2014.

Update - 01 /30/15:

This document is still pending signature from the City Manager. Expected date of completion is February 15, 2015.

http:www.stocktongov.com

Keith Dann, Assistant Chief March 10, 2015 Page 2

Update - 03/12/15:

Completed.

Item 2:

Private Contractors: The Stockton Police Department receives information technology services from private contractor(s) without obtaining an FBI CJIS Security Addendum with the required certification of private contractor personnel and their representative (Tiburon, Iron Mountain, Delta Wireless and NEKO).

Response- 11/06/14:

Private Contractor Agreements and Security Addendums are currently on file from

Tiburon and NEKO Industries. We are in the process of obtaining these documents

from Iron Mountain and Delta Wireless. These documents are expected to be received

by December 15, 2014.

Update- 01/30/15:

Private Contractor Agreements and Security Addendums are currently on file for

Tiburon, NEKO Industries and Delta Wireless. We are expecting completion of the

required documents from Iron Mountain by February 15, 2015.

Update - 03/12/15:

Completed documents have been received.

Item 3:

Personnel Security: The Stockton Police Department does not fingerprint all personnel, who have unescorted access within the perimeter of their physically secure location, with access to criminal justice information (Tiburon, Iron Mountain, Delta Wireless and NEKO personnel).

Response 11/06/14:

There are no unauthorized or unescorted personnel allowed within the perimeter of a physically secure location that have not been fingerprinted, including Tiburon, Iron Mountain, Delta Wireless, and NEKO. All non-Stockton Police Department personnel are escorted in and out of the main police facility and the SEB (Investigations Building), except janitorial and IT staff, who are fingerprinted.

Keith Dann, Assistant Chief March 10, 2015 Page 3

Update- 01/30/15

Completed.

Item 4:

Security Awareness Training Records: The Stockton Police Department does not: 1) ensure personnel, who manage or have access to criminal justice information receive the required security awareness training within six months of initial assignment, and biennially thereafter (IT personnel, Tiburon, Iron Mountain, Delta Wireless and NEKO); and 2) provide the first tier of security awareness training to unescorted janitorial staff.

Response - 11/06/14:

The Stockton Police Department is currently providing security awareness training to all personnel, who manage or have access to criminal justice information, within six months of initial assignment and biennially thereafter. This training is being combined with CLETS training; and 2) IT personnel, Tiburon , NEKO personnel and janitorial staff have been provided security awareness training. We are currently using the security awareness training materials from the CLEW website. We will be setting up a schedu le of employees and others with criminal justices access on NexTEST by March 15, 2015. Note: Delta Wireless and Iron Mountain do not have direct access to criminal justice information. However, we are currently seeking compliance with Delta Wireless and Iron Mountain to receive the security awareness training document. It is anticipated that this will be completed by January 31 , 2015.

Update- 01/30/15:

1) Completed with the exception of Iron Mountain security awareness training . They have been contacted , and we are expecting completion by February 15, 2015. Delta Wireless security awareness training has been completed and documents received. 2) Completed with the exception of Iron Mountain. We are still expecting to set up employees with criminal justice access on NexTEST by March 15, 2015.

Update- 03/12/15:

Iron Mountain Security Awareness training completed .

Item 5:

Physical Security: The Stockton Police Department does not have a written physical protection policy.

Keith Dann, Assistant Chief March 10, 2015 Page4

Response- 11/06/14:

The Stockton Police Department has a new physical protection policy, currently in draft

form , "SECURITY MEASURES FOR MAIN POLICE DEPARMTENT AND SEB." We

anticipate the approval of this document by December 15, 2014.

Update- 01/30/15:

Completed.

Item 6:

Media Protection: The Stockton Police Department does not have a written policy for electronic and physical media that restricts access to authorized individuals.

Response- 11/06/14:

The Stockton Police Department has a current draft version of our security policy,

"MEDIA PROTECTION AND DESTRUCTION POLICY," which includes electronic and

physical media that restricts access to authorized individuals. We anticipate the

completion of this document by December 15, 2014.

Update - 01/30/15:

Completed.

Item 7:

Media Disposal: The Stockton Police Department does not have 1) written policy for sanitization and destruction of electronic media, and 2) written procedures for physical media disposal.

Response- 11/06/14:

The Stockton Police Department has a current draft version of our security policy, "MEDIA PROTECTION AND DESTRUCTION POLICY," which includes 1) sanitization and destruction of electronic media, and 2) written procedures for physical media disposal. We anticipate the completion of this document by December 15, 2014.

Update- 01/30/15

1) Completed. 2) Completed.

Keith Dann, Assistant Chief March 10, 2015 Page 5

Item 8:

System Use Notification: The Stockton Police Department does not display an approved system use notification message to identify the device restrictions and consent on all information systems accessing criminal justice information.

Response- 11/06/14:

The Stockton Police Department has a system use notification message, "-WARNINGTHE DEPARTMENT OF MOTOR VEHICLES, DEPARTMENT OF JUSTICE, AND SAN JOAQUIN COUNTY POLICY ADVISES THAT UNAUTHORIZED ACCESS OR MISUSE OF INFORMATION OBTAINED FROM ANY CRIMINAL JUSTICE INFORMATION SYSTEMS MAY RESULT IN ADVSERSE ACTION AND/OR CRIMINAL PROSECUTION. ALL ACTIVITY IS SUBJECT TO MONITORING." We anticipate implementation to be completed by December 15, 2014.

Update- 01/30/15:

Information Technology is expected to push out the SYSTEM USE NOTIFICATION to all CLETS terminals by February 15, 2015. This is just pending final approval.

Update- 01/30/15

Completed.

Item 9:

Identification/User /D: The Stockton Police Department does not document the validation process ofsystem accounts.

Response- 11/06/14:

The Stockton Police Department does document the validation process of system

accounts. IT uses the LOGR utility on CAD.

Update- 01/30/15:

Completed.

Item 10:

Authentication: The Stockton Police Department's Tiburon passwords did not expire within a maximum of 90 days.

Keith Dann, Assistant Chief March 10, 2015 Page 6

Response- 11/06/14:

Tiburon passwords have been set to expire every 90 days.

Update 01/30/15:

Completed.

Item 11:

Advanced Authentication: The Stockton Police Department does not provide

advanced authentication for remote access to its NEKO and Tiburon systems from non

secure locations.

Response- 11/06/14:

The Stockton Police Department currently has access by VPN with strong usernames and passwords, which are completely different than CLETS. We are in the process of setting up a multi-factor authentication. The user will be given a CISCO VPN account to access the Windows authenticate server over the internet. Each user must enter a user name and strong password. The server will then call a phone number associated with the user account. A message will ask the user to type a code in on the phone. The user will then be granted access to our network with the correct code. The anticipated date of completion is March 15, 2015.

Update- 01/30/15:

This is still in progress and expected to be completed by March 15, 2015.

Update - 03/12/15:

The solution City of Stockton Information Technology Department previously presented does not work with our current system. Network staff has developed a plan to purchase a different Virtual Private Network (VPN) for the vendors to use. The new VPN will work with three solutions we have found. The anticipated date of completion is June 30, 2015.

Item 12:

Encryption: The Stockton Police Department does not encrypt the public network segment between its buildings and was unable to provide verification the encryption used on the wireless network segments was at least 128-bit NIST certified.

Keith Dann, Assistant Chief March 10, 2015 Page 7

Response- 11/06/14:

The Stockton Police Department is in the process of obtaining quotes for switches that will support encryption. Funding to purchase the switches has not yet been identified. This project may take up to 24 months to complete. The estimated completion date is December, 2016.

Wireless network segments are 128-bit NIST; NetMotion Mobility XE. The NIST certificate numbers are 237, 441 and 493.

Update- 01/30/15:

Information Technology is working with DOJ to put a solution in place. Expected date of completion is undetermined, but work is in progress.

Update- 03/12/15:

The City of Stockton Information Technology Department anticipates using Netmotion as an encryption solution and to have it in place by June 30, 2015. The City of Stockton Information Technology Department has concerns that the Netmotion solution may not meet the encryption standard required . Information Technology Supervisor Ray Miller is scheduled for a conference call with DOJ on March 17, 2015, at 9:00AM to address the concerns.

These actions bring the Stockton Police Department into compliance with the FBI/CJIS policies.

~E EJ/RW:ta

emc: Bureau of Criminal Information & Analysis CLETS Admin Section Mark Hayward Supervising Police Records Assistant Rhonda Winkler

UNIVERSITY OF CALIFORNIA, DAVIS

B'l!.l.l.K.EUY • DAVJ/1 • IRVINE • LOl!ANGEI.L~ • MERGED • RIVERSIDE • SA..'IOJI!.nC> • MNJ'RJ\NCISOO

Police Department One Shields A venue Davis, CA 956 16

March 11 , 20 15

Mark Hayward California Department of Justice Sacramento, CA 94203

Re: CLETS Audit Letter Update-OR! CA0579700

Dear Mr. Hayward,

This letter is an updated response to the Department of Justice's security concerns related to the UC Davis Police Department ' s 2012 CLETS audit.

Below you will find our answers to the Department of Justice's specific concerns outlined in your previous correspondence.

• Please include a Reciprocity Agreement signed by your agency and Davis Police Department

Completed October 2014

• Please include the FBI CJIS Security Policy 5.1.1.1 that goes along with the Private Contractor Management Control Agreement

Completed documentation process January 2015 Fingerprints will be resent to DOJ once billing and addressing issues are cleared up on

the cards. Estimated completion date by end ofMarch, 2015.

• When passwords are used to authenticate an individual's unique ID, it is critical that your agency meets all requirements. Based on your ACC's •·espouse to question 3.14, your agency docs not currently meet the requirements outlined in the FBI CJIS Security Policy 5.6.2.1

Our current version of software does not run with the 90 day requirement change. It is a known bug that can only be fixed with updated versions of the software. However, we cannot update to the newer versions of the software due to our antiquated server system. The updated version of the software that meet the security requirements can only run on newer servers with the appropriate OS platform.

UNIVERSITY OF CALIFORNIA, DAVIS

IIERKEI..LY • DAVIII • IRVINE. • LOll ANGELES • MERGED • RIVERSIDE • SA.~ DIEC~tl • Si\N FRAN

Philip J. Penko Chief of Police

Monterey Police Department

351 Madison Street Monterey, CA93940

(831) 646-3800

MONTEREY POLICE DEPARTMENT

February 10,2015

Keith Dann, Executive Secretary State of California Department of Justice P.O. Box 903387 Sacramento, California 94203-3870

Re: Federal Bureau of Investigations (FBI), Criminal Justice Information Services (CJIS) Division, Information Technology Security Audit (ITSA) Response

Dear Mr. Dann:

In response to the results of the March 2014 FBI CJIS ITSA audit results, the City of Monterey and the Monterey Police Department (MPD) have implemented the following steps to bring the Department into compliance with the audit findings.

Audit Finding 6: Encryption

Response: Monterey is in the process of implementing encryption with regards to the backup data center. There are four high-speed links that connect the two data centers. Encryption to enable three of the links will be completed with existing equipment. The module to connect the fourth link has been purchased and received. Installation is currently in process with an expected completion date of March 31.

If you have any questions, please contact Administrative Analyst Karen Faurot at 831.646.3827 or via email at faurot@monterey.org.

sdzt Philip J. Penko Chief of Police

Monterey Police Department's Mission

Responsive to All *Second to None * Every Time

mailto:faurot@monterey.org

P.O. Box 3369 Anaheim, California 92803-3369

www.anaheim.net

City of Anaheim

POLICE DEPARTMENT

January 15, 2015

Keith Dann, Assistant Chief CLETS Executive Secretary CA Department of Justice Bureau of Criminal Information & Analysis Sacramento, CA 94203-3870

Re: Federal Bureau of Investigation (FBI), Criminal Justice Information Services (CJIS) Division, Information Technology Security Audit (ITSA) Quarterly Compliance Report - January 2015

Dear Assistant Chief Dann:

As requested in your letter dated October 9, 2014, the Anaheim Police Department is presenting the following Quarterly Status Report for January 2015 as part of our steps towards compliance with FBI CJIS Security Policy.

The following lists the updates from the original Implementation Plan:

5. System Use Notification: The Anaheim Police Department has successfully tested the implementation of the system use notification message used throughout the City of Anaheim. The Police Department has submitted a custom System Use Notification to the City of Anaheim Information Technology Manager. We are awaiting authorization for use of this customized message. As a result, this item needs to be rescheduled for completion with the submission of the July 2015 Quarterly Report.

6. ldentification/Userid: Included with this report is documentation of the processes followed by the Anaheim Police Department.

8. Session Lock: We have successfully completed testing of a session lock pilot group. Implementation of a 30 minute inactivity Session Lock for our Versaterm users, excluding those on Mobile Data Tenninals and in Dispatch, in accordance with existing policy took effect on January 14,2015.

http:www.anaheim.net

The listed item topics are scheduled for future completion, as indicated in our Jetter and as such there is no additional update on them.

1 . Private Contractors Scheduled completion April 2015 Quarterly Report 2. Personnel Security Scheduled completion July 2015 Quarterly Report 3. Security Awareness Training Scheduled completion July 2015 Quarterly Report 4. Media Disposal Completed and submitted with Implementation Plan 7. Authentication Scheduled completion July 2015 Quarterly Report

The Anaheim Police Department will continue to work toward resolution of the remaining outstanding issues to bring us into full compliance. It is our understanding that our next deadline is submission of the April 2015 Quarterly Report.

If any further information is needed, please contact our Agency CLETS Coordinator (AAC), Charmaine Darmour, at 714-765- I 838 or cdarmour@anaheim.net .

Sincerely

~ RAUL QUEZADA

CHIEF OF POLICE

Enclosures: October 9, 2014 Letter

October 28, 2014 Letter

Identification!Userid

mailto:cdarmour@anaheim.net

Anaheim Police Department

ACCOUNT VALIDATION POLICY

The addition and deletion of new Anaheim Police Department network accounts is the responsibility of the Anaheim Police Department IT Bureau. The following outlines the process for adding and deleting network accounts.

Addition ofNew Account

When a new employee joins the Anaheim Police Department (APD), a new account request is forwarded to the APD IT Bureau in one of two ways:

1) The supervisor of the new user emails a request to APD IT; 2) The Personnel Sgt. forwards a copy of the new user 's "offer of employment" memo

Either type of request will include the following: I) user (employee) name 2) pem1ission level needed for shared network folders and fi les, and 3) identification of the email and security group(s) the user needs.

APD IT staffwi ll process the request and notify the employee's supervisor when the account is established.

Deletion of Account

When an employee separates their employment with APD, the Personnel Sgt. or the employee's supervisor will notify the APD IT Bureau of their separation. IT staffwill disable the logon account and emai l address.

An audit wi ll be conducted by APD IT staff every six months to identify and delete any/all obsolete user accounts should they exist.

The Anaheim Police Department's Account Validation policy upholds the City of Anaheim' s Administrative Regulation 155 pertaining to creating strong passwords specifically "it is the responsibility of each user to create a strong password when prompted by the system. Users should avoid using passwords that are easy to guess. The system will reject passwords that have been previously used by the user over the past 12 selections."

55{1 N. FLOWER STRE.lrr SANTA A,....A, CA n?OlORANGE COUNTY

(7t4) U 7-7000 SH~R,JFF'S DEPAR1'M,Ef~l;'_ WWW.OCSO.ORG

;; I 5 I S£4i 7:, 5 :~......... £~

SHERIFF-CORONER SANDRA HUTCHF.NS

OFFICE OFTHE SHERIFF

February I 8, 2015

Ms. Michelle Mitchell CLETS Administration Department ofJustice Bureau ofCriminallnfonnation & Analysis 4949 Broad wHy, B 114 SacClUllcnto, California 95820

Re: County Data Line Connectiow & Encryption

Dear Ms. Mitchell:

This Jetter is to provide OOJ with an implementation plan for encrypting CL.ETS traffic, from end to end, for each ofour County partners. Our plan for each agency is as follows:

I. Orange County Prob(l{ion: In December 2014, Probation purchased a Cisco firewall which has

been placed outside the OCSD firewall to uneJJ.Ctypt CLETS data. Once implemented, CLETS data

will travel encrypted once the user logs in to use CLETS via VPN technology. This project is 85%

complete and the ~pected completion date is April I, 2015.

2. Orange C0t111ty Dislriut oompromi.c • Service ab~ self• PtoCes.siona.lbDl in the pcrform:ance ofduty •VigUuu:.c in aafeguardi.bg uur COUUDunity

http:aafeguardi.bghttp:HUTCHF.NShttp:WWW.OCSO.ORG

ST£VEN J. SENTI'IIAN CHIEF PF

OFFICE OF THE SHERIFF CITY AND COUNTY OF SA~ FRANCISCO

l DR. CARLTO:'i B. GOODLETT PLACE ROOM 456. CITY HALL

SA.~ FRA.:~CISCO, CALIFOR.'\"'A 94101 Ross Mirkarimi SHERIFF

February 5, 2015 Reference: 2015-016

Michelle D. Mitchell California Department of Justice CLETS Administration 4949 Broadway Sacramento, CA 95817

Dear Ms. Mitchell,

This letter is to provide you an updated compliance report for outstanding issues which came to light as a result of the FBI CJIS audits conducted in 2014.

Issue 1: REVIEW COMPLETE: Private Contractors: We have a new vendor for paper document storage. A review of our document retention policies revealed that there is a category of documents that are stored in sealed boxes sent for storage to the new vendor (GRM) that most likely contain Ctl and FBI numbers. At the time of the audit it was unclear as to whether these paper records contained CORI data in an accessible format. We are undertaking a change to this policy and will be retrieving these documents that may contain CLETS derived numbers, as well as prohibiting the storage of these documents at GRM. We expect to be in compliance after this review on March 31, 2015.

Issue 2: RESOL VEO: Media Protection: The Department implemented a policy in 2013 for electronic and physical media that restricts access to authorized personnel. However we did not provide a copy of this document in a timely manner to the auditor when the visited.

Issue 3: IN PROGRESS (DELA YEO): System Use Notification: We have signed off on an agreed method for this delivery. We are prevented from implementation until the main virtual servers can be patched. We expect a resolution by March 1, 2015.

Issue 4: RESOLVED: ldentffication/Userid: At the time of the audit we were unsure of our compliance to all aspects of this requirement. The SFSD conducted a review and

PRONE: •1$-5~-7225 FAX: 41S-554-70!t0

WEBSITE: WWW.SFSHERIFF.COM EI\IAIL: SHERIFF@~FGOV.ORC

mailto:SHERIFF@~FGOV.ORChttp:WWW.SFSHERIFF.COM

found that our process does keep records for the issuance and revocation of identification/userids in compliance with CJIS regulations as follows:

1. We uniquely identify each user. 2. We verify the identity of each user. 3. We receive authorization to issue a user identifier from an appropriate agency official. 4. We issue the user identifier to the intended party. 5. We disable the user identifier after a specified period of inactivity. 6. We archive user identifaers.

Issue 5: RESOLVED: Event Logging: In consultation with our Department of Telecommunication we have implemented logging and a log review process to comply with this requirement. We also have implemented email notifications to admin staff for unusual activity (i.e. multiple password failures). We were in compliance 12/15/2014.

Issue 6: RESOLVED: Advanced Authentication: We are now employing advanced authentication implemented in June 2014.

Please contact Lieutenant Dave Hardy should you or your staff have any additional questions regarding this information. lieutenant Hardy can be reached at (415) 575-4449.

Sincerely,

cc: Chief of Staff. Chief Deputy

PHONE: -415-554-7215 FAX: 415-554-78!10

WEBSITE: WWW.SFSHERJFF.COI'tl EMAIL: Sll£RJFF@S.FGOV.ORG

mailto:Sll�RJFF@S.FGOV.ORGWWW.SFSHERJFF.COI'tl

OFFICE OF THE SHERIFF CITY AND COUNTY OF SA~ FRANCISCO

1 DR. CARLTON B. GOODLEIT PLACE ROOM 456. CITY HALL

SA~ FRA."'CISCO, CALIFOR.'\"'A 9410l Ross Mirkarimi SHERIFF

February 11. 2015 Reference: 2015-020

Michelle 0. Mitchell California Department of Justice CLETS Administration 4949 Broadway Sacramento. CA 95817

Dear Ms. Mitchell,

This letter is an addendum to our earlier report dated February 6, 2015, Ref: 2015-016.

In our last quarterly update we had targeted January 1, 2015 as our compliance date for the issues. We are requesting an extension to March 31, 2015. The reason for the requested extension is the time it took to do our paper document review was underestimated in our last quarterly report. In addition, the technology to allow us to display a System Notification to all users was not deployable due to software constraints.

We therefore respectfully request that the CAC authorize an extension to March 31, 2015. We understand that we will need to send a representative to the CAC to request the extension in person.

In addition. you asked for our validation process for validating user accounts. Our Microsoft Active Directory system is linked to the City's personnel data real-time. This adds an employee to the Sheriffs Organizational Unit (OU} in Active Directory.

This AD process allows us to verify the identity of each user. The Sheriff has authorized the SFSD IT to issue a user identifier based on this AD entry, and we assign a temporary password. We then use internal means to insure that these credentials are issued to the intended party. We disable the user identifier after 30 days of inactivity. We archive user identifiers by using AD to mark them "Inactive."

PRONE: 41~7%15 FAX: 415.554-70~

WEBSITE: WWW.SFSHERIFF.COM EMAIL: SHERIFF@SFGOV.ORG

mailto:SHERIFF@SFGOV.ORGhttp:WWW.SFSHERIFF.COM

Please contact Lieutenant Dave Hardy should you or your staff have any additional questions regarding this information. Lieutenant Hardy can be reached at (415) 575--4449.

cc: Chief of Staff, Chief Deputy Gorwood

WEBSITE: WWW.SFSH.ERIFF.CO~t EMAIL: SBERIFF@SFGOV.ORC

mailto:SBERIFF@SFGOV.ORCWWW.SFSH.ERIFF.CO~t

MAYOR CITY MANAGER Miguel A. Pulido David Cavazos

MAYOR PROTEM CITY ATTORNEY Vincent F. Sarmiento Sonia R. Carvalho

COUNCILMEMBERS CLERK OF THE COUNCIL Angelica Amezcua Maria D. Huizar P. David Benavides

Michele Martinez

Roman Reyna

Sal Tinajero CITY OF SANTA ANA

POLICE DEPARTMENT

60 Civic Center Plaza • P.O. Box 1981

Santa Ana, California 92702

wv.w.santa-ana.org

OFFICE OF THE CHIEF OF POLICE

March 4, 2015

Keith Dann, Assistant Chief

Bureau of Information and Analysis

State of California Department of Justice

P.O. Box 903387

Sacramento, CA 94203-3870

Re. Federal Bureau of Investigation (FBD, Criminal Justice Information Services (CJIS) Division, Information Technology Security Audit (ITSA) Report

Dear Asst. Chief Dann:

This letter is in response to Santa Ana Police Department's remaining areas of non-compliance following the ITSA completed in March 2014. The following is our current implementation plan or noted compliance with FBI CJIS Security policy:

1. Security Awareness Training Records: The Santa Ana Police Department does not ensure personnel, who manage or have access to criminal justice information receive the required security awareness training within six months of initial assignment, and biennially thereafter (local agency personnel; City IT; Softmaster; Crossroads Software, Inc.; Tiburon and Paper Recycling Shredding Services);

Security Awareness Training for all staff was completed by February 26, 2015.

2. Media Disposal: The Santa Ana Police Department does not have 1) written policy for sanitization and destruction of electronic media, and 2) did not witness physical media destruction by unauthorized individuals;

The Santa Ana Police Department now has a written policy and procedure that specifically addresses information technology matters. This includes a policy that addresses the sanitization and destruction of electronic media. Policy completed on February 24, 2015.

http:wv.w.santa-ana.org

March 4, 2015

Page2

3. Session Lock: The Santa Ana Police Department did not initiate a session lock after a maximum of 30 minutes of inactivity on all information systems accessing criminal justice information. Session lock feature added to Department computers. The installation of this feature was completed on February 12, 2015.

4. Event Logging: The Santa Ana Police Department does not review its system audit logs, at a minimum of once a week, for appropriate, unusual or suspicious activity;

Santa Ana Police Department's CAD system/IQ CAD is outdated and is unable to support this level of auditing. The Department is in the process of procuring a new CAD/RMS solution that will have this feature. The new CAD/RMS system is projected to be operational by November 1, 2016. Our agency is aware this change will require a CLETS application since it is upgrading our agency's computer aided dispatch/records management system. We anticipate submitting an application to DOJ by April 15, 2015, if Council approves the recommended vendor. If the timeline changes due to a delay in Council approval, we notify DOJ in a timely manner. Status remains unchanged from January's report.

We will submit a status repmt by May 5, 2015, to note our progress related to the selection and Council approval of the purchase of the new CAD/RMS system. Please feel free to contact our CLETS Coordinator, Christina Holland at (714)245-8620 or cholland@santa-ana.org if you need any further information or have additional concerns.

cc: Michelle D. Mitchell, DOJ, CLETS Analyst

mailto:cholland@santa-ana.org

ELECTRONIC FRONTIER FOUNDATION Protecting Rights and Jlromoting Freedom on the £1ectronic Frontier

March 10,2015 VIA EMAIL

CLETS Administration Section California Department ofJustice 4949 Broadway Room 1231 Sacramento, CA 95820 Email: steve.kell11edy@doj.ca.gov

RE: CLETS Advisory Committee/Standing Strategic Planning Subcommittee

To Whom It May Concern:

1am writing on behalfof the Electronic Frontier Foundation (EFF), a San Francisco-based nonprofit that defends civil liberties in the digital age. Having reviewed recent meeting minutes from the CLETS Advisory Committee (CAC) and its Standing Strategic Planning Subcommittee (SSPS), as well as documents obtained through the California Public Records Act, EFF is deeply concerned about the privacy and civil rights implications ofCAC/SSPS's recent actions and proposals. Please enter this letter into the public record for the March 25 meetings of both CAC and SSPS.

The public records indicate that these bodies are moving beyond mere advisory roles by applying for grants and meeting with heads of law enforcement agencies to expand both the collection of personal information and the sharing of this sensitive information with outside entities. In particular, CAC/SSPS appears headed towards a process of sharing facial images held by the California Department of Motor Vehicles (DMV) and enabling facial recognition for investigative purposes, despite DivfV concerns that some of these steps may be insecure and inconsistent with existing statutory authorization.

First, EFF is greatly concerned about CAC/SSPS's recent efforts to obtain funding to build out DMV's infrastructure and to allow the state to access driver license photos from other states through the National Law Enforcement Telecommunications System (NLETS). While this may not directly affect California drivers, it is clear from the documents that CAC/SSPS believes that this first step will open the door-both in te1ms of policy and technology-for the sh&ing of California drivers' photos nationwide. We share the concerns of the director ofthc DMV, who stated in response to CAC/SSPS inquiries:

fTlhe transmission and wholesale sharing of DLIID photos between Cal-Photo and NLETS raises significant concerns. DMV has a statutory and regulatory obligation to protect all information, including photos that are maintained in the department's database. There is no viable method for DMV to account for each disclosure ofCalifornia DLIID photos via NLETS under this proposal. The proposed expansion of photo-sharing between CLETS/Cai-Photo and NLETS may op~n the door to random accessing of photos without providing identifying points of information. The inability to account for each California DL/ID photo disclosure via NLETS would make it difficult, if not impossible to track the source ofa security breach involving the NLETS network.

At this time, DMV cannot support Goal #8 to the extent it depends on the use ofany California DMV information, specifically DLIID photos. Existing statute and regulations require a vast array of security measures to protect DMV record infonnation for the reasons stated.

815 Eddy Street ·San Francisco, CA 94109 USA

voice +1415 436 9333 fax +1415 436 9993 web www.eff.org email information®eft.org

http:information�eft.orghttp:www.eff.orgmailto:steve.kell11edy@doj.ca.gov

Despite this warning from the DMV, CAC/SSPS is continuing to move forward with this proposal, as well as pursuing the ability for law enforcement to leverage facial recognition technology against DMV records for investigations.

Beyond the obvious civil liberties concerns, there are also data security issues with these CAC/SSPS proposals. CAC meeting minutes regularly outline deficiencies in encryption and other security compliance failures among California law enforcement agencies, including problems in the Los Angeles County SherifPs Office and the Los Angeles Police Department, two of the largest law enforcement agencies in the state. No personal information should be collected, stored, or shared without effective security techniques and detailed auditing to ensure this sensitive information is adequately safeguarded.

Finally, we are concerned with CAC/SSPS effm1s to collect thumbprints from Californians during traffic stops for low-level infractions and misdemeanors, as well as the expansion of GPS tracking and sharing oflocational data statewide. Although CAC/SSPS cited Proposition 47 as justification for these measures, the primary purpose ofProposition 47 was to reduce the consequences ofnon-violent and less serious crimes. These proposals simply serve as an end-run around the will of California voters.

Given the specific privacy and security concerns surrounding these proposals, and the growing concerns about privacy and government surveillance generally among the public and state legislators, it was surprising to see CAC/SSPS is scheduling meetings with law enforcement officials on these issues without engaging civil liberties advocates and other stakeholders.

EFF asks CAC/SSPS to immediately put the brakes on these plans. These policies will have substantial and long-lasting ramifications for both law enforcement and the public. Therefore, decisions of this magnitude must be made with full public engagement and the involvement of the legislature, not in obscure advisory and planning committee meetings or in closed~door sessions with law enforcement associations.

In the coming days, we plan to publicize om position on these issues in anticipation of the CAC/SSPS March 25 meetings, with a goal ofgenerating letters for public comment. lf representatives ofthese committees would like to speak with us directly, you can reach me at dm@efT.org.

Sincerely,

ave Maass Investigative Researcher

CC: Attorney General Kamala Harris .attorneygeneral@,doj .ca.gov

815 Eddy Street· San Francisco. CA 94109 USA

voice +1415 436 9333 fax +1415 436 9993 web www.eff.org email information®eff.org

http:information�eff.orghttp:www.eff.orgmailto:dm@efT.org

California  CLETS  Users  GroupP Bo 294 Lak Elsinore CA  92531

Tax ID # 20-‐4416174

Hello, I’m Brian Barnes, Executive Director of  the California CLETS Users Group, more commonly  referred to as  CCUG or  C-‐CUG. I wanted to take a few moments today to share a little about ourorganization.

In 1983, California DOJ fostered users group to  provide CLETS  training, news, and updates tobetter communicate with law enforcement and criminal justice agencies. Since CCUG originated,our mission has been to  represent the approximately 1,300  law enforcement and  criminal justiceagencies in California. Our membership includes management, supervisory, technical staff, and linelevel  users representing agencies  that access  CLETS to do their daily jobs.

CCUG’s chapters divide the state geographically; northern, central, and southern. Each chapter  has  their own board to coordinate training and communicate with local  users. We currently have 110+agencies and over 350 members registered with us. Our membership is 44% dispatch, 38%records, 7% IT, 6% training, and  5% courts, probation, and federal agencies.   Our 14 boardmembers are elected by our membership  and volunteer their time  to CCUG in addition to their fulltime law enforcement  employment.

We provide two types of training; quarterly chapter training and  an  annual seminar. Each  chapterhosts 3 quarterly trainings each  year. Chapter training topics vary throughout the year and  typically include one if not  two DOJ/CLETS topics. S far this year our Southern  Chapter presented  New Laws for 2015 and Tactical Stress Response, Why Peer Support Works. Last month, the centralchapter had  DOJ present o nexTest and Smart Justice/Justice Mobile.

Once a year CCUG hosts our 24-‐hour Annual Training & Technology Seminar. We alternatebetween  northern  and southern California each year  with last year  in Sacramento and this  year  inAnaheim. Our seminar is certified by POST and gives each attendee 24 hours of CPT credit. It is agreat opportunity  to meet and receive training  from DOJ, DMV, NCIC, and local law enforcementleaders.

If you looked at  last  year’s training topics, you would have noticed about  10% were not  directlyCLETS related. We  try to incorporate training topics that focus on professionalism, careerdevelopment, and  empowering a well-‐rounded person.   We strongly believe training that enhancesperson’s life on any  level improves their performance in the workplace.

Lastly, we provide a space  for DOJ to present their Training for Trainers, commonly referred to asT4T, immediately preceding our annual seminar. Several of the T4T attendees also  attend theseminar.

Since CCUG’s inception we have continued to  provide CLETS  users the best forums available forCLETS training and  information  exchange. Considering the events of the last several years and  theadded emphasis on tightened security, system training, and other related issues, training  is still asmart investment for our CLETS  users.   We take pride in providing our member agencies withCLETS and  NCIC  training and connecting them with the experts that  have the right  answers. Iappreciate this opportunity  to  speak with you today, thank  you!

Executive   Northern Chapter Central Chapter Southern  Chapter   Northern Chapter Central Chapter Southern  Chapter  Director Director Director Director Assistant Director Assistant Director Assistant Director

Brian Barnes Dawn Shepherd Mila Baranov Debbie Konstantakos Peggy Mobley Chris Guerrero Jessica Moore

Electronic Frontier Foundation – Dave Maass Public Comment

My name is Dave Maass and I am an investigative researcher at the Electronic Frontier Foundation, a

San Francisco non-profit that defends civil liberties in the digital world. Today I speak on behalf of more

1,500 Californians who joined us in opposing Goal 8 of the strategic plan, which would share DMV

photos nationwide and allow law enforcement to deploy facial recognition.

In 1977, the California Legislature passed the Information Practices Act, reaffirming that the right to

privacy is a personal and fundamental right protected by the California Constitution. To quote from the

legislature’s statement of intent codified into law:

“The increasing use of computers and other sophisticated information technology has greatly magnified

the potential risk to individual privacy that can occur from the maintenance of personal information... In

order to protect the privacy of individuals, it is necessary that the maintenance and dissemination of

personal information be subject to strict limits;”

The �LETS !dvisory �ommittee’s Standing Strategic Planning Subcommittee has repeatedly disregarded

warnings from the California Department of Motor Vehicles that connecting Cal-Photo to NLETS runs

counter to both the intent and the letter of the law. Facial recognition would run into even more legal

roadblocks. Nevertheless, these committees have moved forward, despite their responsibility to

consider the privacy of Californians. Nothing on the record indicates that civil liberties have played a role

in discussion over this goal.

Californians have the power to hold state and local law enforcement accountable, but we have little

ability to control policy and oversight outside of the state’s boundaries; We certainly have no say over

law enforcement policies outside of the U.S.—and I’ll remind you that Mexico and Canada are also

partners in NLETS.

�ut let’s also look at the issue of transparency; NLETS is a private entity and not subject to the Freedom

of Information Act, the California Public Records Act, or open meeting laws. If Cal-Photo is connected to

NLETS, the public will have no opportunity to inspect or influence policy changes at NLETS. Handing over

our photos to an entity with no public accountability measures is unacceptable.

As the DMV stated, under this plan, there would be little we could do to track or prevent random

accessing of our DMV photos or trace data breaches.

Goal 8 must be removed from the strategic plan, but it is not the only problematic goal that CLETS

Advisory Committee and its subcommittee have approved. In the coming weeks and months, we intend

to dig deeper into issues of biometris, finger and thumb printing and GPS tracking.

We’re putting the spotlight on this committee and 1,500 emails is only the beginning;

From: engagedcitizen To: Maria Cranston; AttorneyGeneral; dm@eff.org; susan.davis@mail.house.gov Subject: (No Subject) Date: Tuesday, March 17, 2015 1:33:14 PM

As a California resident, I am writing today to oppose the CLETS Advisory Committee’s (CAC) recent actions and

proposals regarding facial recognition technology and the sharing of the Cal-Photo database with the national law

enforcement community through NLETS.

The California Department of Motor Vehicles has expressed grave concerns about the security of these proposals

(Goal 8) and indicated that the law does not authorize such an expansion. Nevertheless, CAC refuses to drop the

proposal and has been brokering meetings with law enforcement associations to plan out this scheme. The

committee has also authorized staff to apply for grants to build out the technological groundwork for this

expansion.

I join the Electronic Frontier Foundation in calling for the advisory committee to put the brakes on these proposals

immediately. Decisions of this magnitude must be made with full public engagement and the involvement of the

legislature, not in obscure advisory and planning committee meetings or in closed-door sessions with law

enforcement lobby groups.

As an addendum, I must personally say that I am completely disgusted that this would even be considered in a

state such as this. As a resident who has moved from another state, specifically due to laws found unjust and

unconstitutional, to come to what was once a beacon of forward thinking democracy, this frightening

consequence of post 9/11 America is just another grave step in a terrible direction. You have allowed the war

hawks and corporations, especially in the military-industrial complex, to conjure up the threat of “terrorism” as a

pretense to send our country into a dark, USSR-era surveillance state. We are not what our country has

digressed into. Be the people we elected and stand up for this “democracy” we live in. Don’t allow backroom

deals and bias corporate interest to influence your decisions.

Thank you,

Engaged Citizen

mailto:Engagedcitizen@protonmail.chmailto:Maria.Cranston@doj.ca.govmailto:AttorneyGeneral@doj.ca.govmailto:dm@eff.orgmailto:susan.davis@mail.house.gov

From: Robert Brode To: Maria Cranston; AttorneyGeneral Cc: dm@eff.org; "Lisa Marie Bartley " Subject: CLETS foray into citizen privacy and questionable tactics Date: Tuesday, March 17, 2015 9:16:38 PM

Ms. Harris and Ms. Cranston,

Please accept this email as a formal protest against CLETS Advisory Committee’s recent actions and proposals regarding facial recognition technology AND the sharing of the Cal-Photo database with the national law enforcement community through NLETS.

I personally oppose this effort on several grounds:

1. As a former police officer with over 27 years of active service I understand the thinking that propelled this thinking. There is no doubt that law enforcement managers believe this will make their jobs easier. However, it also allows an unprecedented amount of what I believe is an unjustified and unconstitutional invasion of privacy. As citizens of the State of California the photographs held by DMV are required for drivers licensing requirements. Law Enforcement already has the use of DMV photos for photographic lineups. Now they would like to use facial recognition software to make their job “easier”. This concept is also called “fishing”. The photographs for DMV were never intended to be used in this manner. I believe that Law Enforcement does not have enough legal oversight to handle this kind of power and authority.

2. As a practicing attorney for the past 15 years, who also teaches criminal law full time, this is one of the very issues I warn my students to be wary of. This kind of assumption of authority is part of the “slippery slope” we all talk about and we should be very careful about taking this direction in law enforcement.

3. I also believe that this kind of major shift in law enforcement should require a vote of the people effected, i.e. the people of the state of California. The vast majority of citizens are decent and honorable people and have a right to know what the authorities are trying to do and what they will be subjected to by their government. I question why this activity to promote such a change has been shrouded in secret meetings and against the advice of the DMV. It makes me question who is behind this move and why. An open and free society lets the people decide on such actions. A totalitarian form government doesn’t.

I recognize that the California Department of Motor Vehicles has expressed their opinion that the law does not authorize such an expansion. Nevertheless, according to EFF the CAC refuses to drop the proposal and has been quietly meeting with law enforcement associations to develop this questionable approach to law enforcement. The committee has

mailto:bobthelawyer@dslextreme.commailto:Maria.Cranston@doj.ca.govmailto:AttorneyGeneral@doj.ca.govmailto:dm@eff.org