Criminal Justice Information Services Security Policy
Protecting criminal justice information across law enforcement and government agencies
// What is CJIS?
The CJIS Security Policy establishes the minimum security requirements for access to FBI Criminal Justice Information Services systems and data. It applies to every entity (law enforcement, government agency, private contractor, or cloud provider) that accesses, transmits, stores, or processes Criminal Justice Information (CJI).
CJI includes biometric data, identity history records, property records, case and incident data from the National Crime Information Center (NCIC), and data from the National Instant Criminal Background Check System (NICS). Unauthorized disclosure of CJI can compromise investigations, endanger individuals, and violate federal and state law.
The policy defines 13 security policy areas covering everything from personnel screening and physical security to encryption standards and incident response. Compliance is audited by the FBI CJIS Division and state-level CJIS Systems Agencies (CSAs).
// Inside the Regulation
The CJIS Security Policy defines 13 policy areas that organizations must implement to access and protect Criminal Justice Information. Requirements scale based on the type of access and data handled.
Policy Areas 1-4: Foundational Controls
Baseline requirements covering information exchange agreements, security awareness training, incident response, and auditing and accountability.
Information Exchange Agreements
Formal agreements required between agencies sharing CJI, establishing security responsibilities and compliance obligations.
Security Awareness Training
All personnel with CJI access must complete security awareness training within six months of assignment and biennially thereafter.
Incident Response
Organizations must maintain an incident response capability, including reporting security incidents to the CSA Information Security Officer (ISO) within 24 hours of discovery.
Auditing and Accountability
Audit logging of CJI access events with minimum one-year retention and regular review of audit records.
Policy Areas 5-6: Access Controls
Access control (Area 5) and identification and authentication (Area 6) requirements ensuring only authorized personnel access CJI. Personnel screening, formally Policy Area 12 (Personnel Security), is summarized here because it gates who may be granted access at all.
Advanced Authentication
Multi-factor authentication required for access to CJI systems from outside physically secure locations.
Access Control
Least privilege and role-based access controls limiting CJI access to authorized personnel with a valid need.
Personnel Screening
State and national fingerprint-based background checks required for all personnel with unescorted access to CJI.
Policy Areas 7-10: Technical Controls
Configuration management, media protection, physical protection, and system communications protection requirements.
Encryption Standards
FIPS 140-2 certified encryption, with a minimum 128-bit symmetric key, is required whenever CJI is transmitted outside the boundary of a physically secure location. Encryption at rest is required for CJI stored outside a physically secure location.
Media Protection
Controls for electronic and physical media containing CJI including sanitization, disposal, and transport procedures.
Physical Protection
Physically secure locations with visitor controls, access logs, and environmental protections for systems housing CJI.
Policy Areas 11-13: Governance
Formal audits, personnel security, and mobile device security. Cloud computing requirements are part of Policy Area 10 (Systems and Communications Protection) but are summarized here because they are a governance decision for most agencies.
Formal Audits
Triennial compliance audits: the FBI CJIS Division audits each CSA, and the CSA audits the agencies and contractors it sponsors, covering all policy areas.
Cloud Computing
Cloud providers must meet all CJIS requirements and sign the CJIS Security Addendum. Data must remain within U.S. boundaries.
Mobile Devices
Mobile device management, remote wipe capability, and encryption requirements for mobile access to CJI.
Note: CJIS compliance is audited triennially by the FBI CJIS Division or delegated state-level CJIS Systems Agency. Non-compliance can result in termination of access to CJIS systems including NCIC, III, and NICS.
// Who Must Comply
1. Law enforcement agencies at federal, state, and local levels
2. Criminal justice agencies (courts, prosecutors, corrections)
3. Government agencies accessing criminal history data
4. Private contractors providing services to criminal justice agencies
5. Cloud service providers hosting or processing CJI
6. Network providers transporting CJI
7. Background check providers accessing FBI databases
// Key Requirements
Personnel Security
Fingerprint-based background checks for all personnel with unescorted access to CJI
Advanced Authentication
Multi-factor authentication for CJI access outside physically secure locations
Encryption
FIPS 140-2 certified encryption for CJI in transit and at rest whenever it leaves a physically secure location
Audit Logging
Complete audit trails of CJI access with minimum one-year retention
Incident Response
Security incident reporting to the CSA ISO within 24 hours of discovery
Configuration Management
Hardened system configurations, change control, and regular vulnerability assessments
// Enforcement & Penalties
Non-compliance with the CJIS Security Policy results in termination of access to FBI CJIS systems. Because law enforcement and criminal justice operations depend on these systems, losing access effectively impairs the organization's core mission.
Termination of access to CJIS systems (NCIC, III, NICS)
Examples:
- Loss of access to National Crime Information Center (NCIC)
- Termination of Interstate Identification Index (III) access
- Suspension of National Instant Criminal Background Check System (NICS) access
- Federal and state criminal penalties for unauthorized disclosure of CJI
- Liability under Privacy Act and state privacy laws
// Cyber Insurance Impact
Organizations handling CJI face elevated risk profiles due to the sensitivity of criminal justice data. Cyber insurers evaluate CJIS compliance as an indicator of security maturity. Breaches involving CJI can trigger federal reporting obligations and significant legal exposure beyond standard data breach scenarios.
// How Breach Craft Helps
We help organizations achieve CJIS compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of CJIS.
// Industries That Need CJIS
These industries commonly require CJIS compliance as part of their regulatory obligations.
Ready to Strengthen Your Defenses?
Schedule a free consultation with our security experts to discuss your organization's needs.
Or call us directly at (445) 273-2873