N-DEx: Law Enforcement Security Standards

Posted on by Robert Moskowitz

The U.S. government launched a major law enforcement project, the National Data Exchange (N-DEx), in March 2008 to facilitate cases, criminal information, and available evidence among cooperating agencies. It's 2014, and the project is languishing.

N-DEx was designed as an information repository that federal, state, and local law enforcement could tap for a variety of purposes, with the basic idea being to help investigators establish security standards and identify patterns of criminal activity that they'd otherwise miss.

Problems Abound

Law Enforcement Security

Six years after its launch, fewer than one in four of the nation's police organizations have bothered to participate. There are four primary reasons for this: technical challenges, data control issues, lack of resources, and legal constraints.

One reason is the technological challenge. It's not easy to get a wide assortment of organizations to align their technology infrastructure to match a single overarching entity like N-DEx. Each agency has its own priorities, requirements, legacy systems, and budget constraints.

Another reason has to do with data control. Participating agencies often wanted to limit how other agencies could access their data. For various political and practical reasons, they were reluctant to openly share all of their data, leading to immense complexities. Each set of records had to be constrained by geography or restricted on an agency or individual level. While access to some records was wide open, access to many others remained restricted until the investigator called the data supplier with a specific request. Others are just invisible to queries from certain sources.

A third reason for the lack of participation in N-DEx is simply the law enforcement agencies' small sizes. Approximately 80 percent of law enforcement agencies serve populations of fewer than 50,000, and some 75 percent of law enforcement agencies employ 25 or fewer sworn personnel. These smaller entities have too much on their plates to spare the manpower necessary to map their data to the required security standards before uploading to the N-DEx system.

The final obstacle is legal. Participating agencies must sign a memorandum of understanding, submit to regular security audits, and agree to basic security requirements like password changes four times a year.

Even when a law enforcement agency is ready and willing to participate, technical issues can still interfere. Some software and hardware vendors simply do not meet the National Information Exchange Model (NIEM) or the Global Reference Architectures standards, both of which are necessary to implement automated interfacing with the N-DEx database.

To mitigate these problems, the FBI's Criminal Justice Information Services division (CJIS), which runs the N-DEx project, is cooperating with leading agencies to standardize the system's data requirements and tools. At present, the cost of necessary software upgrades and other changes can reach the low five figures. As a result, funding is being sought to help law enforcement pay for system changes required to exchange data with the N-DEx.

Still Hope on the Horizon

Despite these issues, many observers still believe that agencies want the fruits of the N-DEx system, and that the central database will eventually have vibrant, real-time linkages to the majority of law enforcement agencies in the United States, and perhaps beyond.

So far, some 4,200 law enforcement agencies—including the FBI, the ATF, the Federal Bureau of Prisons, the DEA, the DOJ, the DHS, and various military police organizations—have shared more than 200 million criminal, incident, arrest, and corrections records, and more.

These records can be searched like any other database, using text strings and filters that include geographical limits, date ranges, known aliases, and so forth. The system has already allowed police to leverage a routine traffic stop into positive identification of persons wanted for murder in other jurisdictions.

At present, the N-DEx system is being implemented both nationally and through regional sub-systems that aggregate local records before uploading them into the database. Some organizations, including both individual vendors and state-run consortiums such as the Alabama Criminal Justice Information Center, are adding N-DEx capabilities to their basic offerings, allowing thousands of law enforcement agencies ready access to N-DEx.

When completely rolled out, the N-DEx database will no doubt be of inestimable value to specialized task forces, cold case investigators, and fusion center analysts, as well as prosecutors.

Robert Moskowitz

, New Mobility Partnerships

big data analytics critical infrastructure forensics & ediscovery legislation

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community