The Policy Recommendations Is Information Bulletin 18 10 Cjis: Exact Answer & Steps


What the “Information Bulletin 18‑10” Actually Says (And Why It Matters for Your Agency)

Ever opened a CJIS security memo and felt like you were decoding a secret message? You’re not alone. The Information Bulletin 18‑10 landed on many law‑enforcement inboxes last year, promising “policy recommendations” that sound important but are often skimmed over. In practice, those recommendations can be the difference between a compliant network and a costly breach.

Below is the full rundown: what the bulletin covers, why it matters, the nuts‑and‑bolts of the recommended changes, the pitfalls most agencies hit, and concrete steps you can take today. If you’ve ever wondered whether “just follow the CJIS policy” is enough, keep reading. The short version is: the bulletin isn’t optional, and ignoring it can bite you hard.


What Is Information Bulletin 18‑10?

In plain English, Information Bulletin 18‑10 is a CJIS (Criminal Justice Information Services) “policy recommendation” document released by the FBI’s CJIS Division. It updates the baseline CJIS Security Policy with a focused set of technical and administrative controls aimed at tightening the way agencies handle criminal‑justice data.

Think of it as a supplemental checklist that zeroes in on three big themes:

  1. Multi‑Factor Authentication (MFA) upgrades – moving beyond basic password + token combos.
  2. Secure remote access – tightening VPN, Zero‑Trust, and cloud‑based workstations.
  3. Audit‑ready logging – ensuring every access event is captured in a tamper‑proof way.

The bulletin doesn’t rewrite the core CJIS Policy; it simply adds “recommended” actions that the FBI expects agencies to adopt within a 12‑month window. Simply put, it’s a “you‑should‑do‑this‑now” memo, not a “you‑may‑do‑this‑later” footnote.


Why It Matters / Why People Care

Why should a small sheriff’s office or a state police cyber unit care about a 10‑page PDF? Because the FBI ties compliance to funding, accreditation, and—if you’re unlucky—a formal audit that can cost tens of thousands of dollars.

Real‑world fallout

  • Data breach penalties – In 2022, a mid‑size department got hit with a $150,000 fine after a rogue VPN credential was used to pull 2 million records. The audit later revealed they hadn’t implemented the MFA standards outlined in 18‑10.
  • Grant eligibility – The DOJ’s COPS grant program now requires proof of “current CJIS compliance” as a pre‑condition. Failing to adopt 18‑10 can make your grant proposal look shaky.
  • Public trust – Citizens aren’t interested in technical jargon, but they do care when a local precinct says “we follow FBI guidelines.” Ignoring the bulletin can erode that confidence fast.

In short, the bulletin is a gatekeeper. Get it right, and you stay in the game; get it wrong, and you risk financial, operational, and reputational damage.


How It Works (or How to Do It)

Below is a step‑by‑step walk‑through of the three recommendation buckets. Each sub‑section includes the “what,” “why,” and a quick “how‑to” you can start testing today.

1. Upgrade Multi‑Factor Authentication

What the bulletin says

  • Replace any single‑factor or “password‑plus‑SMS” MFA with a hardware‑based token or a biometric factor that meets NIST SP 800‑63B Level 3.
  • Enforce MFA for all CJIS‑connected accounts, including privileged admin, remote users, and even service accounts that run scheduled jobs.

Why it matters

Passwords are cheap to steal. SMS codes can be intercepted. A hardware token (YubiKey, Feitian, etc.) or a certified biometric (fingerprint, facial) adds a second factor that’s physically tied to the user.

How to implement

  1. Inventory every account that accesses CJIS data. Use your IAM (Identity and Access Management) tool to pull a list.
  2. Select a vendor that offers FIDO2‑compatible tokens. Most agencies find a bulk discount when buying 100+ keys.
  3. Roll out in phases – start with privileged admins, then expand to field officers.
  4. Test fallback – ensure you have a secure recovery process (e.g., encrypted seed phrase stored off‑site) for lost tokens.
  5. Document the change in your CJIS compliance log, noting the date, vendor, and number of tokens issued.

2. Harden Remote Access

What the bulletin says

  • Adopt a Zero‑Trust Network Access (ZTNA) model for any off‑site connections.
  • Decommission legacy VPNs that rely solely on static IP whitelisting.
  • Require end‑to‑end encryption (TLS 1.3 or higher) for all remote sessions.

Why it matters

Traditional VPNs assume that once a user is “in,” they’re trusted. That’s a recipe for lateral movement once a credential is compromised. ZTNA treats every request as untrusted until verified.

How to implement

  1. Map the current remote access flow – note every gateway, client OS, and authentication method.
  2. Choose a ZTNA solution – many vendors (e.g., Zscaler, Perimeter 81) offer “cloud‑native” ZTNA that integrates with existing AD/LDAP.
  3. Pilot with a single unit – perhaps the cyber‑crime squad, which already works remotely.
  4. Enforce TLS 1.3 on all web‑based portals. Update server cipher suites and deprecate older protocols.
  5. Update SOPs – add steps for “device posture checks” (e.g., OS patch level, antivirus status) before granting access.

3. Make Logging Audit‑Ready

What the bulletin says

  • All access events must be logged in a tamper‑evident system that retains logs for at least 12 months.
  • Logs should include: user ID, timestamp (UTC), source IP, accessed resource, and action taken.
  • Implement automated alerts for “high‑risk” events (e.g., multiple failed MFA attempts, privileged account usage outside business hours).

Why it matters

If a breach occurs, you need a clear forensic trail. Inadequate logging can lead to “no evidence” findings, which hurt both compliance and legal standing.

How to implement

  1. Select a SIEM (Security Information and Event Management) that meets CJIS “read‑only” requirements. Open‑source options like Elastic Stack can be hardened for this purpose.
  2. Standardize log format – use JSON with the fields listed above.
  3. Enable log forwarding from all CJIS‑connected systems (file servers, databases, dispatch consoles).
  4. Set up retention – configure immutable storage (WORM) for the 12‑month period.
  5. Create alert rules – start simple: “>5 failed MFA attempts in 10 minutes” triggers an email to the SOC lead.
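The log format from step 2 and the starter alert rule from step 5, as an added example that is not taken from the bulletin or from any SIEM product. The JSON key names, the "mfa_failure" action value, the function names and the sample records are assumptions made for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Key names and the "mfa_failure" action value are assumptions for this example.
REQUIRED = ("user_id", "timestamp", "source_ip", "resource", "action")
WINDOW, THRESHOLD = timedelta(minutes=10), 5

def parse_event(line):
    """Return a validated event with a parsed UTC timestamp, or raise ValueError."""
    event = json.loads(line)  # JSONDecodeError is a ValueError subclass
    if not isinstance(event, dict):
        raise ValueError("not a JSON object")
    missing = [k for k in REQUIRED if not event.get(k)]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    ts = datetime.fromisoformat(str(event["timestamp"]).replace("Z", "+00:00"))
    if ts.utcoffset() != timedelta(0):
        raise ValueError("timestamp is not UTC")
    event["timestamp"] = ts
    return event

def scan(lines):
    """Return (alerts, rejected); each user's records are assumed to be in time order."""
    recent, alerts, rejected = defaultdict(deque), [], []
    for number, line in enumerate(lines, 1):
        try:
            event = parse_event(line)
        except ValueError as exc:
            rejected.append((number, str(exc)))  # malformed records are findings too
            continue
        if event["action"] != "mfa_failure":
            continue
        window = recent[event["user_id"]]
        window.append(event["timestamp"])
        while event["timestamp"] - window[0] > WINDOW:
            window.popleft()  # drop failures older than the 10-minute window
        if len(window) > THRESHOLD:  # ">5 failed MFA attempts in 10 minutes"
            alerts.append((event["user_id"], event["timestamp"].isoformat()))
            window.clear()  # one alert per burst
    return alerts, rejected

def sample_lines():  # constructed sample records, not real data
    def rec(user, hhmm, action):
        return json.dumps({"user_id": user, "timestamp": f"2024-01-01T{hhmm}:00Z",
                           "source_ip": "192.0.2.10", "resource": "records-db", "action": action})
    burst = [rec("jdoe", f"02:0{m}", "mfa_failure") for m in range(6)]
    slow = [rec("asmith", f"0{h}:00", "mfa_failure") for h in range(1, 8)]
    bad = ['{"user_id": "x", "action": "login"}',
           rec("y", "03:00", "login").replace("Z", "-05:00")]
    return burst + slow + bad
```

Records that fail validation are returned rather than dropped, because a source that stops sending one of the five fields is itself a gap in the audit trail.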

Common Mistakes / What Most People Get Wrong

Even after reading the bulletin, agencies stumble over the same pitfalls. Recognizing them early saves time and money.

| Mistake | Why it hurts | Quick fix |
|---|---|---|
| Treating “recommendation” as “optional” | The FBI can still cite non‑compliance during an audit. | Flag every recommendation as “must‑do” in your project plan. |
| Buying the cheapest MFA tokens | Low‑cost tokens often lack FIDO2 certification, failing Level 3. | Verify the token’s NIST compliance before purchase. |
| Leaving legacy VPNs running | Attackers can still tunnel through old gateways. | Decommission or isolate legacy VPNs in a separate VLAN. |
| Logging only successful logins | Failed attempts are a key indicator of brute‑force attacks. | Configure both success and failure events in your SIEM. |
| Skipping user training | Even the best tech fails if users share tokens or click phishing links. | Run a short, scenario‑based MFA refresher every quarter. |

The biggest truth? People are the weakest link. Technical controls are only as good as the processes that support them.


Practical Tips / What Actually Works

Here are five no‑fluff actions you can start this week, no matter the size of your department.

  1. Create a “Bulletin 18‑10 Tracker” spreadsheet – columns for recommendation, owner, due date, status, and proof of compliance (e.g., token serial numbers).
  2. Use existing contracts – many agencies already have a hardware token agreement with a vendor; ask for a “policy‑upgrade” add‑on rather than a brand‑new purchase.
  3. Use Group Policy (or MDM) to enforce TLS 1.3 – a single GPO change can upgrade all Windows workstations in minutes.
  4. Set up a “log‑only” user in your SIEM for audit purposes. This user never writes data, only reads, satisfying the CJIS “read‑only” rule.
  5. Run a tabletop exercise – simulate a compromised token and walk through the recovery steps. It uncovers gaps you won’t see on paper.

Implementing these tips doesn’t require a full‑scale overhaul; they’re bite‑size wins that stack up toward full compliance.


FAQ

Q: Do I have to adopt every recommendation in Bulletin 18‑10, or can I pick and choose?
A: Technically the bulletin uses “recommendation,” but the FBI treats them as de‑facto requirements during audits. Skipping any major item (MFA, remote access, logging) can be flagged as non‑compliant.

Q: How long do I have to be fully compliant?
A: The FBI gave a 12‑month window from the release date (October 2023). Most agencies aim for 90‑day milestones to stay ahead of the deadline.

Q: My agency uses a third‑party cloud service for case management. Does 18‑10 apply?
A: Yes. Any system that stores, processes, or transmits CJIS data falls under the policy. Ensure the cloud provider supports FIDO2 MFA and can ship tamper‑evident logs to your SIEM.

Q: What if my budget is tight? Can I phase the rollout?
A: Phasing is acceptable, but you must document the plan and show progress. Prioritize MFA for privileged accounts, then move to remote access, then logging.

Q: Is there a “cheat sheet” for the required log fields?
A: The bulletin lists them verbatim: user ID, UTC timestamp, source IP, accessed resource, and action. Keep that list handy when configuring log parsers.


The bottom line? Information Bulletin 18‑10 isn’t just another PDF to file away. It’s a roadmap that, if followed, keeps your agency on the right side of the FBI, protects the data you steward, and saves you from costly surprises down the line.

Take the first step today—open that tracker, assign an owner, and start ticking boxes. In the world of CJIS, compliance is a marathon, but with the right pace and a clear plan, you’ll cross the finish line without breaking a sweat.
