The following AA Decision Tree, coupled with figures 9 and 10 in the CJIS Policy, assists decision makers in determining whether or not AA is required.
1. Can the request’s physical originating location be determined?
If either (a) or (b) below is true the answer to the above question is “yes”. Proceed to question 2.
a. The IP address is attributed to a physical structure; or
b. The mnemonic is attributed to a specific device assigned to a specific location that is a physical structure.
If neither (a) nor (b) above is true then the answer is “no”. Skip to question number 4.
2. Does the request originate from within a physically secure location as described in Section 5.9.1?
If either (a) or (b) below is true the answer to the above question is “yes”. Proceed to question 3.
a. The IP address is attributed to a physically secure location; or
b. If a mnemonic is used it is attributed to a specific device assigned to a specific physically secure location.
If neither (a) nor (b) above is true then the answer is “no”. Decision tree completed. AA required.
3. Are all required technical controls implemented at this location or at the controlling agency?
If either (a) or (b) below is true the answer to the above question is “yes”. Decision tree completed. AA requirement waived.
a. Appropriate technical controls listed in Sections 5.5 and 5.10 are implemented; or
b. The controlling agency (i.e. parent agency or agency leveraged as conduit to CJI) extends its wide area network controls down to the requesting agency and the extended controls provide assurance equal or greater to the controls listed in Sections 5.5 and 5.10.
If neither (a) nor (b) above is true then the answer is “no”. Decision tree completed. AA required.
4. Does the request originate from an agency-controlled user device?
If either (a) or (b) below is true the answer to the above question is “yes”. Proceed to question 5.
a. The static IP address or MAC address can be traced to a registered device; or
b. Certificates are issued to agency managed devices only and certificate exchange is allowed only between authentication server and agency issued devices.
If neither (a) nor (b) above is true then the answer is “no”. Decision tree completed. AA required.
5. Is the agency managed user device associated with and located within a criminal justice conveyance?
If any of the (a), (b), or (c) statements below is true the answer to the above question is “yes”. Proceed to Figure 9 Step 3.
a. The static IP address or MAC address is associated with a device associated with a criminal justice conveyance; or
b. The certificate presented is associated with a device associated with a criminal justice conveyance; or
c. The mnemonic presented is associated with a specific device assigned and that device is attributed to a criminal justice conveyance.
If none of the (a), (b), or (c) statements above are true then the answer is “no”. Skip to question number 7.
6. Is the user device an agency-issued and controlled smartphone or tablet?
If both (a) and (b) below are true, the answer to the above question is “yes.” Proceed to question number 7.
a. The law enforcement agency issued the device to an individual; and
b. The device is subject to administrative management control of the issuing agency.
If either (a) or (b) above is false, then the answer is “no.” Decision tree completed. AA required.
7. Does the agency-issued smartphone or tablet have CSO-approved AA compensating controls implemented?
If (a) and (b) below are true, the answer to the above question is “yes.” Decision tree completed. AA requirement is waived.
a. An agency cannot meet a requirement due to legitimate technical or business constraints; and
b. The CSO has given written approval permitting AA compensating controls to be implemented in lieu of the required AA control measures.
If either (a) or (b) above is false then the answer is “no.” Decision tree completed. AA required.
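
The tree above can be encoded as a small evaluator that treats every unanswered statement as false, so a waiver is only returned when the required statements are affirmatively true. This is an added example, not part of the CJIS Policy; the fact names (`q1a`, `q4b`, ...) and the sample inputs are constructed, and the “yes” branch of question 5 is returned as a hand-off because Figure 9 is not reproduced on this page.

```python
# Added illustration: the AA decision tree above as a fail-closed evaluator.
# Fact names such as "q1a" are made-up labels for the lettered statements.
AA_REQUIRED = "AA required"
AA_WAIVED = "AA requirement waived"
FIGURE_9_STEP_3 = "Proceed to Figure 9 Step 3"  # hand-off; Figure 9 is not on this page

# question -> (combiner, statement letters, next on "yes", next on "no"),
# transcribed from the text: "either"/"any of" -> any, "both"/"and" -> all.
TREE = {
    1: (any, "ab", 2, 4),
    2: (any, "ab", 3, AA_REQUIRED),
    3: (any, "ab", AA_WAIVED, AA_REQUIRED),
    4: (any, "ab", 5, AA_REQUIRED),
    5: (any, "abc", FIGURE_9_STEP_3, 7),
    # No transition written on this page leads into question 6; it is kept
    # as written and is reachable here only by passing start=6.
    6: (all, "ab", 7, AA_REQUIRED),
    7: (all, "ab", AA_WAIVED, AA_REQUIRED),
}

def evaluate(facts, start=1):
    """Walk the tree and return (outcome, trace of (question, answer)).

    Only a literal True counts as true; a missing or non-boolean fact is
    treated as False, so incomplete evidence can never produce a waiver.
    """
    trace, q = [], start
    while isinstance(q, int):
        combine, letters, on_yes, on_no = TREE[q]
        answer = combine(facts.get(f"q{q}{s}") is True for s in letters)
        trace.append((q, "yes" if answer else "no"))
        q = on_yes if answer else on_no
    return q, trace

# Constructed sample requests (not taken from the policy).
SAMPLES = {
    "station workstation": {"q1a": True, "q2a": True, "q3a": True},
    "vehicle laptop": {"q4b": True, "q5b": True},
    "agency phone": {"q4a": True, "q7a": True, "q7b": True},
    "unknown device": {},
}

if __name__ == "__main__":
    for name, facts in SAMPLES.items():
        outcome, trace = evaluate(facts)
        print(f"{name}: {outcome} via {trace}")
```

The returned trace records which questions were answered and how, which is the evidence an auditor would ask for alongside the decision itself.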