The Ultimate Guide to the Criminal Justice Information Services (CJIS) Security Policy

What is the CJIS Security Policy?

CJIS, the Criminal Justice Information Services Division, is the largest division of the FBI and the main source of information and services for law enforcement, national security, and intelligence community partners. The division publishes the CJIS Security Policy, which sets the minimum security requirements that every government agency and private entity handling Criminal Justice Information (CJI) must meet to protect that information from attackers and other bad actors.

The systems CJIS operates together form a massive repository of criminal justice information on which law enforcement, intelligence, and civil agencies rely to perform their duties. The stakes go beyond day-to-day operations: the civil liberties we enjoy as citizens, as well as national security, can depend on safeguarding this primary source of information and services for all law enforcement, national security, and intelligence community partners.

Securing CJI is understandably a top Justice Department priority, and the strict CJIS Security Policy is the result. This robust 230-page document draws on many sources, integrating material from presidential directives, federal laws, FBI directives, and decisions of the criminal justice community’s Advisory Policy Board (APB), along with nationally recognized guidance from the National Institute of Standards and Technology (NIST) and the National Crime Prevention and Privacy Compact Council.

This policy establishes minimum security requirements for all entities handling CJI. Compliance with these security requirements is mandatory for all government agencies, criminal justice agencies, or private entities, including cloud service providers who hold, process, or transmit CJI. Even secondary actors or contractors supporting government entities or criminal justice agencies fall under the compliance umbrella–an example being a county IT department that processes data for law enforcement.

Key things to know about the CJIS Security Policy

1. The CJIS Security Policy applies to CJI

The CJIS Security Policy provides appropriate controls to protect the full life cycle of CJI and provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of this information.

Criminal Justice Information, or CJI, is the term used to refer to all of the FBI CJIS-provided data necessary for law enforcement and civil agencies to perform their missions, including, but not limited to:

  • Biometric data (e.g. fingerprints, iris scans, facial recognition data)
  • Identity history: textual data that corresponds with an individual’s biometric data, providing a history of criminal and/or civil events for the identified individual.
  • Biographic data: information about individuals associated with a unique case and not necessarily connected to identity data
  • Property data: information about vehicles and properties associated with crime when accompanied by any personally identifiable information (PII)
  • Case/Incident history: information about the history of criminal incidents

Examples of systems that contain CJI include:

  • Interstate Identification Index
  • National Crime Information Center
  • National Sex Offender Registry
  • National Instant Criminal Background Check System
  • National Data Exchange
  • Uniform Crime Reporting (UCR)

Criminal History Record Information (CHRI), sometimes informally referred to as “restricted data”, is a subset of CJI. Due to its comparatively sensitive nature, additional controls are required for the access, use and dissemination of CHRI. These additional controls are outlined in the CJIS Security Policy and in Title 28, Part 20, Code of Federal Regulations (CFR).

2. CJIS Security Policy applies to private corporations too

Compliance isn’t just mandatory for government agencies. Every cloud service provider that processes CJI must meet security requirements and controls laid out in the CJIS Security Policy and sign a Security Addendum (more on this below).

In fact, the CJIS Security Policy applies to every individual — contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity — who has access to, or operates in support of, criminal justice services and information.

This applies whether you’re working with a criminal justice agency (e.g., police department) or a non-criminal justice agency (e.g., a county IT department running criminal justice systems for a police department).

3. CJIS Security Policy outlines 13 areas that private contractors must evaluate

There are 13 areas outlined that organizations selling products to government agencies must evaluate to determine if their service can be consistent with CJIS requirements. These areas correspond closely to NIST SP 800-53, which is also the basis for the Federal Risk and Authorization Management Program (FedRAMP).

The 13 areas are as follows:

  • Information exchange agreements
  • Security awareness training
  • Incident response
  • Auditing and accountability
  • Access control
  • Identification and authentication
  • Configuration management
  • Media protection
  • Physical protection
  • Systems and communications protection and information integrity
  • Formal audits
  • Personnel security
  • Mobile devices

4. All private contractors who process CJI must sign the CJIS Security Addendum.

The CJIS Security Addendum is a uniform agreement approved by the US Attorney General that helps to ensure the security and confidentiality of CJI required by the Security Policy. It also commits the contractor to maintain a security program consistent with federal laws, regulations, and standards and limits the use of CJI to the purposes for which a government agency provides it.

The addendum must describe how your organization’s security controls protect the full lifecycle of CJI and ensure appropriate background screening of team members with access to it. The state law enforcement authority responsible for CJIS Security Policy compliance reviews the signed Security Addendum as part of its compliance verification process.

CJIS Security Policy areas of evaluation

CJIS Security Policy compliance is based on 13 well-defined areas of evaluation which include:
1. Information exchange agreements

This section discusses the required practices concerning the handling and processing of CJI, including the “processes and parameters” to be included in information exchange agreements. These agreements must cover the following:

  • Audits
  • Dissemination
  • Hit confirmation
  • Logging
  • Quality assurance
  • Pre-employment screening
  • Security
  • Timeliness
  • Training
  • Systems usage
  • Validation
2. Security awareness training

This section introduces the four levels of security awareness training and the training required for the Local Agency Security Officer (LASO). Training covers the individual responsibilities and expected behavior of users with authorized access to CJI, and the level required depends on the nature of each person’s contact with CJI. Training must be completed within six months of first gaining access to CJI and repeated every two years.

3. Incident response

This section discusses the procedures all entities must institute to detect, analyze, contain, respond to, and recover from security incidents. It also requires prompt reporting of security incidents: an agency reports to its CJIS Systems Agency (CSA) Information Security Officer, who in turn reports to the FBI CJIS Division.

4. Auditing and accountability

This section outlines the audit and monitoring controls that make it more likely authorized users follow proper procedures when handling CJI, and that misuse can be traced afterwards. At a minimum, the following events must be logged:

  • Successful and unsuccessful login attempts
  • Changes to user account permissions, files, or directories
  • Attempted changes to access controls
  • Modifying or destroying audit/history log files
  • Actions initiated through privileged accounts
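
A practical way to check whether an application’s audit trail actually exercises each of the mandated event categories is to run its log export through a small coverage checker. The script below is an added example, not code from the page, the FBI, or Hyperproof: it reads newline-delimited JSON audit records, checks that each carries the content the policy requires in an audit record (date and time, system component, event type, user identity, and outcome), maps each record to the categories listed above, and reports which categories the batch never exercised. The field names, the `event_type` vocabulary, the privileged-role names, and the sample records are all constructed for this example; a real deployment would substitute its own log schema.

```python
"""Coverage check for the audit events the CJIS Security Policy requires to be logged.

Added example (not from the page, the FBI or Hyperproof). Field names,
event_type strings, role names and sample records are constructed here.
"""
import json
from collections import defaultdict

# The five mandated event categories, in the order the policy area lists them.
REQUIRED_CATEGORIES = {
    "login": "successful and unsuccessful login attempts",
    "permission_change": "changes to user account permissions, files, or directories",
    "access_control_change": "attempted changes to access controls",
    "audit_log_tamper": "modification or destruction of audit/history log files",
    "privileged_action": "actions initiated through privileged accounts",
}

# Content every audit record must carry; these field names are this example's own choice.
REQUIRED_FIELDS = ("timestamp", "component", "event_type", "user", "outcome")

# Hypothetical mapping from an application's event_type strings to the CJIS categories.
EVENT_TYPE_MAP = {
    "auth.login": "login",
    "acct.permission_change": "permission_change",
    "file.chmod": "permission_change",
    "acl.modify": "access_control_change",
    "audit.log_delete": "audit_log_tamper",
    "audit.log_modify": "audit_log_tamper",
}

# Roles treated as privileged accounts (assumption for this example).
PRIVILEGED_ROLES = {"admin", "root", "dba"}


def classify(record):
    """Return the set of mandated categories one well-formed record satisfies."""
    categories = set()
    category = EVENT_TYPE_MAP.get(record.get("event_type"))
    if category:
        categories.add(category)
    # Any event performed under a privileged role also counts as a privileged action.
    if record.get("role") in PRIVILEGED_ROLES:
        categories.add("privileged_action")
    return categories


def missing_fields(record):
    """List the required content fields that are absent or empty in a record."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def assess(lines):
    """Parse JSON-per-line records; summarise category coverage, gaps and malformed lines."""
    coverage = defaultdict(int)
    malformed = []  # (line number, reason); such lines count toward no category
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            malformed.append((lineno, "not valid JSON"))
            continue
        missing = missing_fields(record)
        if missing:
            # A record without the required content does not satisfy the audit requirement.
            malformed.append((lineno, "missing " + ", ".join(missing)))
            continue
        for category in classify(record):
            coverage[category] += 1
    uncovered = [c for c in REQUIRED_CATEGORIES if coverage.get(c, 0) == 0]
    return {"coverage": dict(coverage), "uncovered": uncovered, "malformed": malformed}


# Constructed sample batch: two logins, a privileged chmod, an ACL change,
# one record missing its outcome, and one line that is not JSON at all.
SAMPLE_LINES = [
    '{"timestamp": "2024-05-01T12:00:00Z", "component": "ncic-gateway", "event_type": "auth.login", "user": "jdoe", "outcome": "failure"}',
    '{"timestamp": "2024-05-01T12:00:07Z", "component": "ncic-gateway", "event_type": "auth.login", "user": "jdoe", "outcome": "success"}',
    '{"timestamp": "2024-05-01T12:05:00Z", "component": "records-db", "event_type": "file.chmod", "user": "ops1", "role": "admin", "outcome": "success"}',
    '{"timestamp": "2024-05-01T12:06:00Z", "component": "records-db", "event_type": "acl.modify", "user": "ops1", "outcome": "failure"}',
    '{"timestamp": "2024-05-01T12:07:00Z", "component": "records-db", "event_type": "acct.permission_change", "user": "ops1"}',
    "May  1 12:08:00 records-db sshd[4242]: free-text line, not JSON",
]

if __name__ == "__main__":
    result = assess(SAMPLE_LINES)
    for category, count in result["coverage"].items():
        print(f"{category:<24} {count:>3}  ({REQUIRED_CATEGORIES[category]})")
    for category in result["uncovered"]:
        print(f"NOT EXERCISED: {category} ({REQUIRED_CATEGORIES[category]})")
    for lineno, reason in result["malformed"]:
        print(f"line {lineno}: {reason}")
```

Run against the sample batch, the checker reports that no record in the batch ever exercised the audit-log tampering category, and it flags the two lines that carry no usable audit content. Incomplete records are deliberately excluded from coverage rather than counted: a log line that omits the outcome or the user identity does not meet the policy’s audit requirement even if its event type is right, and counting it would hide exactly the gap an auditor will look for.
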
5. Access control

This section covers how authorized users and their level of access must be identified and monitored. The default standard of least privilege prevails to reduce risk: access is granted on a need-to-know basis and may be further restricted by job function, network address, location, or time of day. The section also covers the session lock that must engage after 30 minutes of inactivity (the user must re-authenticate to resume), account lockout after no more than five consecutive failed login attempts, and the controls required for remote access.

6. Identification and authentication

The guidelines for identifying and validating users are discussed in depth throughout this section. Everyone authorized to access CJI must be assigned a unique identifier and must authenticate with, at a minimum, a password or PIN that meets the policy’s standard. Advanced authentication (multi-factor methods such as biometrics, hardware tokens, or one-time codes) is required in the scenarios the policy designates, for example when CJI is accessed from outside a physically secure location.

7. Configuration management

This section explains the requirements concerning the documentation of all software, hardware, architecture, and system platform changes. Also, the need to protect configuration management from unauthorized access threats is discussed in this section.

8. Media protection

This section covers the documented policies and practices required for storing, accessing, transporting, and destroying digital and physical media.

9. Physical protection

This section covers the requirements and restrictions for accessing physical media, including media storage devices. All physical protection policies are defined to ensure a physically secure environment for all CJI, software, hardware, and media devices.

10. Systems and communications protection

This section sets the policy and procedural requirements to establish data security and network integrity by addressing how and where information can travel across systems, services, and applications. Security control practices such as patch management, encryption, and virtualization are discussed.

11. Formal audits

The need and case for conducting FBI-led triennial compliance audits are addressed in this section.

12. Personnel security

The critical area of personnel security is addressed in this section–the main takeaway is the need for anyone with access to unencrypted CJI data to undergo screening during hiring, transfer, termination, or 3rd-party lifecycle events.


13. Mobile devices

Last on the list, but not least in importance, this section addresses the requirements for managing system access from mobile devices such as smartphones and tablets. It also covers 802.11 wireless networking: Wired Equivalent Privacy (WEP) and the original Wi-Fi Protected Access (WPA) are mentioned only to rule them out, since both are cryptographically broken; the policy does not permit either for wireless access to CJI and requires 802.11i/WPA2 with AES or stronger.

How important is staying compliant with the CJIS Security Policy for any government or private entity?

In a word: extremely. CJIS Security Policy compliance requirements are some of the most comprehensive and stringent of any regulatory framework today, due to the serious nature of protecting citizens’ rights and the potential national security impact. Entities, government or civilian, that fail to stay compliant stand to lose all access to the CJIS network and may face fines and criminal charges.

The CJIS compliance audit

The CJIS Audit Unit (CAU) conducts government audits every three years to ensure CJIS compliance is maintained by government agencies–including all local, state, tribal, and federal agencies. Audits are beneficial for numerous reasons–they ensure the integrity and security of all system data, verify everyone in the user community is upholding a minimum standard of network safety, and raise the bar for law enforcement and public safety.

The audit process typically starts with the auditor reviewing CJI policies, procedures, practices, and data. Next, the auditor selects local agencies as representative examples of compliance. By this time, your CJIS Systems Officer (CSO) should have received outlines of audit discussion points and lists of requested reports, leaving no excuse for lack of preparation. The auditor then conducts an on-site interview to collect information on current policies and procedures and a data quality review, and completes the on-site phase with a facility tour to confirm that all necessary physical security controls are in place.

Finally, the audit will conclude with preparing a report that includes improvement recommendations to be presented to appropriate governing bodies like the Compliance Evaluation Subcommittee or Council’s Sanctions Committee. The CAU will then follow up to track the suggested improvements to completion, ensuring the highest degree of CJIS data protection across the organization.

The importance of knowing your security program in detail

Although private entities will not be audited by the CAU, they must also be truthful and diligent in maintaining CJIS compliance. CJIS enforcement happens at the state level, and most states have their own CJIS authorities. To provide your product or service to a state agency, the state-level CJIS authority will ask your company to sign the CJIS Security Addendum, a document which (1) details how your organization’s security controls help protect the full lifecycle of data and (2) signals your commitment to maintaining an effective security program and limiting the use of CJI to the purposes for which a government agency provided it.

Company leaders must know the ins and outs of their security program before they include the attestation in their agreements between their company and a state’s CJIS authority. That means compliance and information security professionals must diligently document the security controls implemented within their organization.

Keeping track of all security controls (including how they work, who’s responsible for them, and how to test them) and collecting evidence of controls’ operating effectiveness can be incredibly tedious when you use homegrown systems and makeshift tools (e.g., Excel spreadsheets, ticketing systems, etc.). When controls aren’t well documented, the risk of not catching control deficiencies is quite high, and so is the risk of falling out of compliance with your contractual obligations to customers.

You can prevent control failures and maintain compliance much more efficiently by using a compliance software platform such as Hyperproof to organize and orchestrate all of your compliance work. Want more help? Get the ultimate guide to compliance operations.

CJIS: Frequently Asked Questions

What is advanced authentication (AA)?

Advanced Authentication (AA) refers to the use of more than one form of authentication to verify the identity of a user. This process goes beyond the traditional username and password method, incorporating additional factors such as biometrics, security tokens, or multi-factor authentication (MFA).

The goal is to enhance security by ensuring that only authorized users can access sensitive information or systems. In the context of Criminal Justice Information Services (CJIS), advanced authentication is crucial for protecting criminal justice data, which is often highly sensitive and targeted by cyber threats.

What is the purpose of CJIS and the CJIS Security Policy?

The purpose of CJIS is to provide a centralized source of criminal justice information for law enforcement and criminal justice agencies. Managed by the FBI, CJIS encompasses a wide array of services including fingerprint identification, criminal history records, and other investigative tools. The CJIS Security Policy establishes comprehensive security requirements to protect this sensitive information from unauthorized access, ensuring the integrity, confidentiality, and availability of criminal justice data. These controls cover areas such as encryption, personnel security, and incident response.

How must a CJIS Security Policy violation be reported?

When a CJIS Security Policy violation occurs, it must be reported promptly so that appropriate measures can be taken to mitigate any potential damage. The four key requirements for reporting these violations are:

  1. Immediate notification: Report the violation to the CJIS Systems Agency (CSA) or the CJIS Security Officer (CSO) immediately upon discovery.
  2. Detailed documentation: Provide a comprehensive report detailing the nature of the violation, the data or systems affected, and any actions taken to contain or mitigate the incident.
  3. Continuous updates: Keep the CSA or CSO updated with any new information or developments related to the violation.
  4. Corrective actions: Implement corrective actions to prevent future violations and document these measures for review.

How are visitors authenticated under the CJIS Security Policy?

Authenticating visitors according to the CJIS Security Policy involves several steps to ensure that only authorized individuals gain access to secure areas:

  • Identification: Visitors must present valid identification, such as a government-issued ID.
  • Verification: Verify the visitor’s credentials against a pre-approved access list or through direct contact with the host.
  • Logging: Record the visitor’s details — including the purpose of the visit, time of entry, and time of exit — in a visitor log.
  • Supervision: Ensure that visitors are escorted or monitored while in secure areas to prevent unauthorized access to CJIS-protected data.
  • Temporary Access: Issue temporary access badges or passes with limited privileges, which must be returned upon leaving the premises.
  • CJIS Security Awareness Training: Ensure visitors who require unescorted access to physically secure locations complete the appropriate level of CJIS Security Awareness Training.

What are the requirements for accessing CJIS data?

Access to CJIS data requires adherence to stringent security protocols to ensure that only authorized personnel can view or handle this information. The access requirements include:

  1. Background checks: Personnel must undergo thorough background checks, including fingerprint-based checks, to verify their eligibility for access to CJIS data, adhering to state and federal laws and regulations.
  2. Security awareness training: All individuals with access must complete security awareness training to understand their responsibilities and the importance of safeguarding CJIS data.
  3. Role-based access: Access is granted based on the principle of least privilege, ensuring that users only have the minimum level of access necessary to perform their duties.
  4. Multi-factor authentication: Implementing advanced authentication methods, such as MFA, to verify the identity of users accessing CJIS systems.
  5. Regular audits: Conduct regular audits and reviews of access permissions to ensure compliance with CJIS policies and to identify any unauthorized access.
  6. Encryption: Ensure data at rest and in transit is encrypted to protect against unauthorized access.

What information does CJIS protect?

CJIS protects a wide range of criminal justice information, including but not limited to:

  • Criminal History Record Information (CHRI): Details about an individual’s arrests, charges, convictions, and other criminal history.
  • Personally Identifiable Information (PII): Data that can be used to identify an individual, such as name, address, social security number, and biometrics.
  • Investigative and intelligence data: Information collected and used for investigative and intelligence purposes, including case files and surveillance data.
  • Transactional data: Information such as system transaction logs and audit trails.
  • Biometric data: Fingerprints, palm prints, DNA profiles, and other biometric data used for identification.

What must an organization do to comply with the CJIS Security Policy?

To comply with the CJIS Security Policy, an organization must implement a comprehensive security framework that includes:

  • Policy development: Develop and maintain security policies that align with the CJIS Security Policy requirements.
  • Security awareness training: Ensure all personnel with access to CJIS data complete security awareness training.
  • Advanced authentication: Implement advanced authentication methods for accessing CJIS systems.
  • Physical security: Secure physical access to facilities housing CJIS data, including controlled entry points and visitor management protocols.
  • Incident response: Establish an incident response plan to address security breaches and policy violations promptly.
  • Regular audits: Conduct regular audits and assessments to ensure ongoing compliance with CJIS requirements.
  • Documentation: Maintain detailed records of security controls, incidents, and corrective actions taken.

How often are CJIS audits conducted?

CJIS audits are typically conducted every three years by the FBI’s CJIS Audit Unit to ensure that agencies and organizations comply with the CJIS Security Policy. Audit frequency for state and local agencies may vary, however, with some states auditing their local agencies more often to maintain high security standards and ensure continuous compliance.

What are the 13 CJIS Security Policy areas?

The CJIS Security Policy outlines 13 policy areas, each containing specific controls designed to protect criminal justice information. These policy areas are:

  1. Information Exchange Agreements
  2. Security Awareness Training
  3. Incident Response
  4. Auditing and Accountability
  5. Access Control
  6. Identification and Authentication
  7. Configuration Management
  8. Media Protection
  9. Physical Protection
  10. Systems and Communications Protection and Information Integrity
  11. Formal Audits
  12. Personnel Security
  13. Mobile Devices

What counts as a CJIS security incident?

CJIS defines a security incident as any event that has the potential to compromise the confidentiality, integrity, or availability of criminal justice information; the specific incident types an agency must handle are spelled out in the CJIS Security Policy. They include, but are not limited to:

  • Unauthorized access: Any instance where an unauthorized individual gains access to CJIS-protected data.
  • Data breach: The unauthorized acquisition, disclosure, or use of CJIS data.
  • System compromise: An event where a CJIS-connected system is compromised, such as through malware or hacking.
  • Policy violation: Any action that violates the established CJIS Security Policy, including non-compliance with security protocols.
  • Physical breach: Unauthorized physical access to areas where CJIS data is stored or processed.

What has changed in recent updates to the CJIS Security Policy?

The CJIS Security Policy is periodically updated to address emerging threats and technological advancements. While specific updates vary from version to version, recent changes have focused on:

  • Enhanced authentication: Strengthening authentication methods, such as requiring multi-factor authentication (MFA) for more access scenarios.
  • Data encryption: Implementing advanced encryption standards to protect data at rest and in transit.
  • Mobile device management: Establishing stricter controls and policies for accessing CJIS data via mobile devices.
  • Cybersecurity controls: Introducing new requirements for protecting against cyber threats, such as ransomware and phishing attacks.
  • Incident reporting: Updating protocols for reporting and responding to security incidents to ensure timely and effective action.

Hyperproof for CJIS Compliance

See how Hyperproof can help you implement and maintain security controls that are compliant with the CJIS Security Policy as well as other applicable standards, regulatory frameworks, and statutes such as NIST SP 800-53, FedRAMP, ISO 27000 series, and more. Stay secure and compliant 24/7, 365 days a year.

See the CJIS Security Policy requirements laid out in a clear UI designed for easy project management

Implement security controls, map them to CJIS requirements and/or additional frameworks’ requirements, and assign controls to “owners” to foster accountability

Use existing controls (e.g., NIST SP 800-53) to get a headstart on CJIS compliance; Hyperproof supports crosswalks between many security compliance frameworks

Document gaps in your security controls and coordinate remediation activities

Document, organize, and maintain all compliance artifacts centrally

Automate numerous evidence collection requests and tasks for control operators

Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations get CJIS ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.
