Agency Security Expectations
It is important for customers to understand the measures that Axon has taken to secure Axon Fleet, Axon products and Evidence.com, as customers inherit our advanced security capabilities, controls and programs. It is also critically important for customers to understand the actions and processes that they must implement to ensure the security of their data and operations of the Axon Fleet system.
We are here to help. Below is a checklist of items that should be considered by agencies when managing wireless access points and utilising MDTs:
Wi-Fi Access Point Configuration
Axon expects U.S.-based agencies to have deployed Wireless Access Points in compliance with CJIS Requirements and Guidance and should implement the following controls:
- Maintain inventory of wireless access points and agency-owned wireless devices
- Place access points in secure areas, such as a criminal justice conveyance trunk or another secure location
- Enable appropriate users authentication and encryption mechanisms for the wireless access point management interface including meeting password requirements and usage of FIPS-compliant secure protocols
- Ensure that reset functionality on wireless access points does not revert to factory default settings
- Change the service set identifier (SSID) from the default and disable the broadcast feature.
- Enable available access point security features including firewalls and authentication
- Ensure that encryption key sizes are at least 128-bits and default keys are not utilised
- Disable ad-hoc mode
- Disable any non-essential management protocols
*Requirements derived from CJIS Security Policy v5.5 Section 220.127.116.11 802.11 Wireless Protocols
Standard MDT Hardening
Axon expects U.S.-based agencies to have deployed MDTs in compliance with CJIS Requirements and Guidance and should at minimum have implemented the following controls:
- MDTs are configured for local device authentication (see Section 18.104.22.168) and the authenticator used shall meet the requirements in section CJIS 5.5 22.214.171.124 Standard Authenticators.
- Use advanced authentication or CSO-approved compensating controls as per Section 126.96.36.199.1.
- Encrypt all CJI resident on the device.
- Erase cached information, to include authenticators (see Section 188.8.131.52) in applications, when a session is terminated.
- Apply available critical patches and upgrades to the operating system as soon as they become available for the device and after necessary testing as described in CJIS Section 184.108.40.206.
- Employ personal firewalls or run a Mobile Device Management (MDM) system that facilitates the ability to provide firewall services from the agency level.
- Manage program access to the Internet.
- Block unsolicited requests to connect to the user device.
- Filter incoming traffic by IP address or protocol.
- Filter incoming traffic by destination ports.
- Maintain an IP traffic log.
- Employ malicious code protection or run a MDM system that facilitates the ability to provide anti-malware services from the agency level.
- Wi-Fi – Hardening to limit the types and specific Wi-Fi access points to which the device can connect.
- Disallow connectivity to WEP or WPA networks – 220.127.116.11 802.11 Wireless Protocols