The Criminal Justice Information Services (CJIS) Security Policy is the FBI's set of minimum security requirements governing the access, handling, storage, and transmission of Criminal Justice Information (CJI) by federal, state, local, and tribal agencies and by the contractors and non-criminal justice agencies that support them. Compliance is mandatory for any organization in the United States that accesses FBI-maintained criminal history records or other CJI, whether it is a law enforcement agency or a private vendor; violations expose an entity to audit findings, revocation of CJI access, and breach-of-contract liability.
What Is the CJIS Security Policy? An Overview
The CJIS Security Policy is an FBI-issued document maintained by the FBI's CJIS Division under the authority of 28 CFR Part 20 and the CJIS Advisory Policy Board. This article is written against version 5.9.2 (dated December 2022); the policy is revised frequently, so always confirm the version currently in force with the FBI CJIS Security Policy Resource Center. It establishes a minimum mandatory security baseline for every entity that creates, accesses, processes, stores, or transmits CJI. Each state enforces it through its CJIS Systems Agency (CSA): the CSA's CJIS Systems Officer (CSO) administers the policy and audits local agencies and their contractors, and the FBI CJIS Audit Unit audits each CSA on a triennial cycle. The policy maps to NIST SP 800-53 control families but adds CJI-specific requirements such as Advanced Authentication, encryption for CJI that leaves a physically secure location, and fingerprint-based background checks for personnel with unescorted access to CJI.
Who Must Comply with the CJIS Security Policy?
Any entity—government or private—that touches CJI must comply. This includes:
- Federal, state, local, and tribal law enforcement agencies
- Non-criminal justice government agencies (e.g., child protective services, state licensing boards) that receive CJI for background checks
- Private contractors and vendors providing cloud services, application hosting, managed IT, or network support to a criminal justice agency
- Cloud service providers (CSPs) hosting CJI; the provider and each of its employees with access to CJI must sign the CJIS Security Addendum (Appendix H of the policy), and the provider's environment is subject to audit by the customer agency and its CSA
- Third-party application developers building software that ingests CJI via APIs (e.g., records management systems, mobile field reporting tools)
States commonly make CJIS compliance a condition of contracts for public safety IT systems, and failure to comply has led to contract terminations and ineligibility for future government bids.
What Is CJI Under the CJIS Policy?
The policy defines Criminal Justice Information (CJI) broadly. It includes not only fingerprint submissions and rap sheets (III — Interstate Identification Index) but also:
- Biometric data (fingerprints, palm prints, facial recognition search results)
- National Crime Information Center (NCIC) records
- National Instant Criminal Background Check System (NICS) data
- Computerized Criminal History (CCH) records
- Administrative messages containing personal identifying information (PII) used in law enforcement
- Hate crime incident reports
- Terrorist Screening Database (TSDB) hits
Importantly, the policy applies whether CJI is in transit, at rest, or in use—including on mobile devices and cloud environments.
What Are the Core CJIS Security Policy Requirements?
Version 5.9.2 of the policy organizes its requirements into 13 policy areas (Sections 5.1 through 5.13), each mapped to NIST SP 800-53 controls. Below are the most impactful for enterprise compliance:
Advanced Authentication (Section 5.6)
The most well-known CJIS requirement. Advanced Authentication (AA) is required whenever a user accesses CJI from outside the boundary of a physically secure location, for example over a VPN, from a patrol vehicle, or from a mobile device. AA means something in addition to a user ID and password, combining at least two of:
- Something you know (password/PIN)
- Something you have (hardware token, smart card, PKI certificate, or a software token running on a FIPS 140-2 validated module)
- Something you are (fingerprint or other biometric)
A password alone never satisfies AA. Inside a physically secure location a user ID and password may still be acceptable, which is why the definition and documentation of "physically secure location" carries so much weight in an audit.
Encryption Requirements (Section 5.10.1.2)
- Data in Transit (5.10.1.2.1): CJI transmitted outside the boundary of a physically secure location must be encrypted by a FIPS 140-2 validated cryptographic module using a symmetric cipher of at least 128-bit strength. In practice that means TLS 1.2 or later with AES cipher suites, or an IPsec VPN (IKEv2), running on a validated module.
- Data at Rest (5.10.1.2.2): CJI stored outside a physically secure location must be encrypted either to the same standard as data in transit (FIPS 140-2 validated module, at least 128-bit symmetric key) or with AES (FIPS 197) at 256-bit strength. AES-256 is therefore the safe default, but it is an alternative the policy permits, not a separate stricter mandate.
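The following is an added example written for this page, not an FBI-supplied configuration or vendor code. It builds a Python TLS client context that meets the in-transit baseline just described (TLS 1.2 or later, symmetric keys of at least 128 bits, AEAD suites only) and an audit function that reports where a context falls short. It assumes CPython linked against OpenSSL 1.1.1 or later; whether that OpenSSL build is a FIPS 140-2/140-3 validated module is a property of the deployment that this code cannot check.

```python
"""Added example: a TLS client context for connections that carry CJI, plus an audit
function that reports settings below the CJIS in-transit baseline.
Not FBI or vendor code. Assumes CPython with OpenSSL 1.1.1+; FIPS validation of the
OpenSSL module itself is a deployment property this code cannot verify."""
import ssl

MIN_SYMMETRIC_BITS = 128  # minimum symmetric key strength for CJI in transit


def hardened_client_context():
    """TLS 1.2 floor, AES-GCM AEAD suites with ephemeral ECDH only (no RC4, 3DES, NULL,
    export or CBC suites). TLS 1.3 suites are managed separately by OpenSSL and stay on;
    a FIPS provider will restrict them to the approved AES-GCM suites."""
    ctx = ssl.create_default_context()  # peer certificate and hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context meets the baseline."""
    findings = []
    # MINIMUM_SUPPORTED (-2), TLSv1 and TLSv1_1 all compare below TLSv1_2 (IntEnum).
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}, need TLSv1_2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate verification is not required")
    for suite in ctx.get_ciphers():
        if suite["alg_bits"] < MIN_SYMMETRIC_BITS:
            findings.append(f"{suite['name']}: {suite['alg_bits']}-bit key is below {MIN_SYMMETRIC_BITS}")
        if not suite["aead"]:
            findings.append(f"{suite['name']}: not an AEAD suite")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    # Weak contrast: no version floor and legacy suites re-enabled at security level 0.
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        weak.minimum_version = ssl.TLSVersion.TLSv1
        weak.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError) as exc:
        print("this OpenSSL build refuses legacy settings:", exc)
    for finding in audit_context(weak):
        print("weak:", finding)
```

Run `audit_context` against every context your application creates (including those built by HTTP client libraries) rather than only the one you wrote by hand; the weak-context branch shows the kind of output a default or legacy context produces.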
Personnel Security and Screening (Section 5.12)
All personnel, including contractor employees, with unescorted access to CJI must undergo a state-of-residency and national fingerprint-based record check, completed within 30 days of assignment, and receive a favorable determination before access is granted. This explicitly covers IT staff who configure or maintain systems and networks with access to CJI, such as administrators with root or domain privileges on systems hosting CJI, even if they never view a record directly.
Audit and Accountability (Section 5.4)
Organizations must log all CJI access events (successful and failed), privileged user actions, and system administrator activities. Section 5.4.7 requires that audit records be retained for at least one year, and the logs must be protected against unauthorized access, modification, and deletion. A designated person or role must review and analyze the audit records at least once a week; a SIEM can do the collection and alerting, but the weekly review still has to be assigned and evidenced.
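The following is an added example written for this page, not an FBI or vendor tool. It runs the audit rules above over constructed CJI access-log events: it flags successful logins and CJI queries from outside a physically secure location that did not use Advanced Authentication, finds bursts of failed logins, lists privileged actions for the weekly review, and checks whether the retained records still cover a full one-year window. The CSV layout, the field names, the authentication labels, and the address ranges that stand in for secure locations are assumptions made for this example; map them to your own SIEM schema.

```python
"""Added example: review constructed CJI access-log events against the CJIS audit rules.
Not FBI or vendor code. The CSV fields, auth labels and 'secure location' address
ranges below are assumptions for this example."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed address ranges of the agency's physically secure locations.
SECURE_LOCATION_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]
# Assumed labels the identity provider writes when a second factor was used.
ADVANCED_AUTH = {"password+hwtoken", "password+smartcard", "password+otp"}
RETENTION_DAYS = 365  # Section 5.4.7 minimum audit log retention

# Constructed sample events: timestamp,user,event,src_ip,auth,detail
SAMPLE_LOG = """\
timestamp,user,event,src_ip,auth,detail
2024-03-04T08:01:10Z,jdoe,LOGIN_OK,10.20.4.15,password,workstation login inside the records unit
2024-03-04T08:02:41Z,jdoe,CJI_QUERY,10.20.4.15,password,NCIC vehicle query
2024-03-04T08:15:03Z,asmith,LOGIN_OK,203.0.113.8,password,VPN login from home
2024-03-04T08:16:22Z,asmith,CJI_QUERY,203.0.113.8,password,III criminal history query
2024-03-04T08:20:00Z,rlee,LOGIN_OK,203.0.113.77,password+hwtoken,VPN login from patrol laptop
2024-03-04T08:21:09Z,rlee,CJI_QUERY,203.0.113.77,password+hwtoken,NCIC wanted-person query
2024-03-04T09:00:01Z,mking,LOGIN_FAIL,198.51.100.9,password,bad password
2024-03-04T09:00:15Z,mking,LOGIN_FAIL,198.51.100.9,password,bad password
2024-03-04T09:00:31Z,mking,LOGIN_FAIL,198.51.100.9,password,bad password
2024-03-04T09:00:48Z,mking,LOGIN_FAIL,198.51.100.9,password,bad password
2024-03-04T09:01:02Z,mking,LOGIN_FAIL,198.51.100.9,password,bad password
2024-03-04T09:40:00Z,tnguyen,LOGIN_FAIL,10.20.4.30,password,bad password
2024-03-04T09:41:00Z,tnguyen,LOGIN_OK,10.20.4.30,password,workstation login
2024-03-04T10:30:00Z,admin1,PRIV_ACTION,10.20.4.2,password+smartcard,modified audit log retention setting
"""


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_events(text):
    """Parse CSV audit records into dicts carrying a UTC datetime and an IP address object."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        row["ip"] = ipaddress.ip_address(row["src_ip"])
        events.append(row)
    return events


def in_secure_location(ip):
    return any(ip in net for net in SECURE_LOCATION_NETS)


def find_aa_violations(events):
    """Successful logins or CJI queries from outside a secure location without Advanced Authentication."""
    return [
        e for e in events
        if e["event"] in ("LOGIN_OK", "CJI_QUERY")
        and not in_secure_location(e["ip"])
        and e["auth"] not in ADVANCED_AUTH
    ]


def find_failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users with `threshold` or more failed logins inside any sliding `window`.
    The threshold is this example's choice; align it with your lockout policy."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def privileged_actions(events):
    """Privileged and administrator actions that the weekly reviewer must look at."""
    return [e for e in events if e["event"] == "PRIV_ACTION"]


def retention_window_covered(events, now, days=RETENTION_DAYS):
    """True if the oldest retained record is at least `days` old, i.e. the store still holds
    a full retention window (only meaningful once the system is older than `days`)."""
    oldest = min(e["ts"] for e in events)
    return now - oldest >= timedelta(days=days)


def review(text, now):
    events = parse_events(text)
    return {
        "aa_violations": [(e["user"], e["event"], e["src_ip"]) for e in find_aa_violations(events)],
        "failed_login_bursts": find_failed_login_bursts(events),
        "privileged_actions": [(e["user"], e["detail"]) for e in privileged_actions(events)],
        "retention_window_covered": retention_window_covered(events, now),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG, utc(2025, 3, 10)).items():
        print(f"{key}: {value}")
```

On the sample data the review flags asmith's VPN login and III query (password only from a public address), mking's five failed logins within one minute, and admin1's change to the audit retention setting, while jdoe's password-only access from inside the records unit is not an AA violation. The retention check is a coverage check, not a proof: an auditor will also want the retention configuration and evidence that nobody can shorten it without a logged privileged action.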
Incident Response (Section 5.3)
The policy mandates a formal incident response capability aligned with NIST SP 800-61 and a defined reporting chain: a local agency reports through its Information Security Officer to the CSA ISO, who reports to the FBI CJIS Division ISO. Breach notification to the CJIS Division and the state CSO must occur within 1 hour of confirmation of a CJI compromise. This is a far tighter window than other US frameworks (for example HIPAA's 60 days or the SEC's 4 business days).
Mobile Devices and Bring Your Own Device (BYOD) (Section 5.13)
Any mobile device (smartphone, tablet, laptop) that stores or accesses CJI must use full-device encryption, support remote wipe, and enforce a device PIN or biometric lock. Because a mobile device is by definition outside a physically secure location, the Advanced Authentication and encryption-in-transit requirements apply to it as to any other remote access path. BYOD is permitted only under an agency-approved mobile device management (MDM) solution that enforces these controls and a signed BYOD agreement.
Cloud Computing (Section 5.10.1.5 and Appendix G.3)
A CSP holding CJI is a contractor under the policy: it and its personnel with access to CJI sign the CJIS Security Addendum, the customer agency remains accountable for compliance, and the CSP's environment is subject to audit by the customer agency and its CSA. The policy also forbids the CSP from using metadata derived from CJI for any purpose, including analytics or service improvement. CJI hosted in the cloud must stay in the United States (or US territories), including replicas and backups used for disaster recovery, so regions in Canada or Europe are out of scope even for failover.
Key Takeaway: The CJIS Security Policy is one of the few US federal policies that names a minimum symmetric key strength and a validated-module requirement for encryption, imposes a 1-hour breach notification clock, requires Advanced Authentication for all CJI access from outside a physically secure location, and requires fingerprint-based background checks for IT staff. Organizations that equate the NIST moderate baseline with CJIS compliance typically fail on Advanced Authentication or personnel screening.
How Does CJIS Compare to Other US Privacy Frameworks?
Organizations already compliant with NIST SP 800-53, FedRAMP, or SOC 2 may assume CJIS is covered. While there is substantial overlap, CJIS adds obligations those frameworks do not impose: Advanced Authentication for every CJI access from outside a physically secure location, fingerprint-based background checks for everyone with unescorted access (administrators included), one-year audit log retention with a documented weekly review, and the 1-hour incident reporting clock.
How to Achieve and Maintain CJIS Compliance
CJIS compliance is an ongoing operational program—not a one-time certification. Here is the structured path that enterprises follow:
Scope Determination and Data Mapping
Identify all CJI ingested, stored, processed, or transmitted within your environment. Conduct a data flow assessment to identify every system, network segment, cloud service, API, and third-party connection that touches CJI. Document the CJI types (III, NCIC, biometrics, etc.) and their retention periods.
Personnel Security — Background Investigations
Every employee or contractor with unescorted access to CJI must submit to a fingerprint-based FBI background check via the state CJIS Systems Officer (CSO). This includes remote IT support personnel who can access CJI-hosted systems. Many states require reinvestigations every 5 years. Ensure your HR onboarding process includes this step before granting system access.
Technical Controls Deployment
Implement the mandatory technical controls: encryption at rest on a FIPS 140-2 validated module or with AES-256 (BitLocker, FileVault, or a cloud-native KMS, configured for validated mode where the product offers it), TLS 1.2 or later on validated modules for all data in transit, and an Advanced Authentication solution (hardware tokens, smart cards or PKI certificates, or validated software tokens). Deploy a SIEM (such as ThreatHawk SIEM) to collect and alert on CJI access logs, failed login attempts, and privileged user activity, and configure audit log retention for at least one year, the minimum in Section 5.4.7.
Jurisdiction & State-Specific Alignment
Work with the CSO in your state (or your customer agency's state) to confirm the state's addenda to the FBI policy. Several states impose additional controls beyond the baseline, such as their own assessment schedules, reporting forms, or contract language, so confirm the requirements in writing rather than assuming the FBI document is the whole story. Submit your System Security Plan (SSP) and Plan of Action and Milestones (POA&M) for approval.
Audit, Monitoring & Continuous Compliance
Schedule annual CJIS self-audits and prepare for the CSA's audit cycle (the FBI audits each CSA triennially, and CSAs audit their local agencies and contractors on their own schedule). Use automated compliance monitoring tools to track encryption status, Advanced Authentication coverage, background check expiration, and log coverage. Any new application, cloud deployment, or major network change that touches CJI must go through a CJIS change management review before deployment. The CyberSilo Compliance Standards Automation solution can continuously validate CJIS controls against your live environment and generate audit-ready evidence.
Compliance Warning: One of the leading causes of CJIS audit failure is the misidentification of “all CJI touchpoints.” A modern law enforcement agency may have CJI flowing through body-worn camera systems, vehicle license plate readers, cloud-based records management systems (RMS), and even scheduling tools that share CJI via API. Every single endpoint must be scoped in the SSP. Operational technology (OT) like digital radio systems that transmit NCIC queries may also fall in scope.
Role of CyberSilo in CJIS Compliance
CyberSilo helps US law enforcement agencies, public safety IT departments, and CJIS-connected vendors operationalize the CJIS Security Policy without overburdening existing security teams. Our Compliance Standards Automation platform maps the CJIS policy areas to your technology stack and automates log centralization, encryption verification, and user access certification. For cloud-hosted CJIS environments, CyberSilo provides a readiness assessment against the CJIS Security Addendum and continuous monitoring against the policy's cloud computing requirements (Section 5.10.1.5 and Appendix G.3). Our integrated approach also supports cross-framework alignment for agencies that must meet both CJIS and other US privacy standards (detailed in our US cybersecurity compliance services).
Consequences of Non-Compliance with CJIS
- Loss of CJI Access: The FBI can sanction a CSA, and the CSO can suspend or revoke an agency's or vendor's access to NCIC and III, effectively halting law enforcement operations that depend on those queries.
- Contract Termination: Vendors found non-compliant during a CJIS audit can have their contracts terminated and may be excluded from bidding on or renewing contracts with criminal justice agencies until the findings are closed.
- Civil Liability: A data breach involving CJI exposes the agency or contractor to liability under state data breach notification laws (every US state has one) and to civil suits if misuse of CJI harms individuals.
- Federal Scrutiny: In cases of willful non-compliance or gross negligence, the FBI may refer the matter to the DOJ, which can pursue False Claims Act actions against contractors or civil rights investigations of agencies.
Assess Your CJIS Readiness — No Audit Required
Many organizations only discover CJIS compliance gaps during a state audit when it is too late to remediate without losing access. CyberSilo’s pre-audit assessment maps your actual environment against the full CJIS baseline, including Advanced Authentication, encryption, and personnel screening status — in under two weeks.
CJIS and Other US Privacy Frameworks: Crosswalk
Organizations subject to both CJIS and another privacy framework (CCPA/CPRA, HIPAA, or state privacy laws) face a complex mapping exercise. For example, a county probation department that also manages juvenile health records must apply CJIS controls to CJI subsystems and HIPAA controls to PHI, and the two may share a single Active Directory. CyberSilo's crosswalk engine identifies where the frameworks diverge (e.g., CJIS specifies a FIPS 140-2 validated module and a minimum symmetric key strength, whereas HIPAA treats encryption as an addressable safeguard and names no algorithm) and resolves each control at the stricter standard. View our complete CJIS compliance services page for state-by-state specifics and the latest policy version updates.
Frequently Asked Questions About the CJIS Security Policy
Does CJIS apply to private companies that are not law enforcement?
Yes. Any private company or contractor that processes, stores, or transmits CJI on behalf of a criminal justice agency must comply. This includes cloud providers, software vendors, telecom carriers handling NCIC data, and even janitorial services with unescorted access to CJI terminals.
Is CJIS a law or a policy?
CJIS is an FBI-issued policy, not a statute, although it rests on federal regulation (28 CFR Part 20) governing criminal history record information. Compliance is made binding through the CJIS User Agreements between the FBI and each CSA, the agreements between CSAs and their local agencies, and the CJIS Security Addendum signed by contractors and their personnel. Violating the policy does not result in a direct federal fine, but it can lead to immediate suspension of CJI access and contract cancellation, which is effectively a shutdown penalty for most agencies and vendors.
What is the current version of the CJIS Security Policy?
This article is written against version 5.9.2 (December 2022). The FBI has since issued further point releases in the 5.9 series and version 6.0 (December 2024), which reorganizes the policy around the NIST SP 800-53 Rev. 5 control families and expands the cloud and identity requirements. Check the FBI CJIS Security Policy Resource Center for the version currently in force, and note that each new version carries its own compliance dates for newly introduced requirements.
Can a company use multi-cloud for CJI?
Yes. Each CSP that holds CJI is a separate contractor: it signs the CJIS Security Addendum for the agency contract it serves (the Addendum is per contractor and per employee with CJI access, not per cloud region), and all CJI must remain in US regions in every cloud. The customer agency, working with its CSO, must ensure that CJI moving between clouds is encrypted to the in-transit standard and that the transfers are logged and reviewed.
What happens during a CJIS audit?
A local agency or vendor is audited by the state CSA (the CSO or an auditor acting on its behalf); the FBI CJIS Audit Unit audits the CSA itself on a triennial cycle. The auditor reviews your System Security Plan (SSP), interviews personnel, checks encryption and Advanced Authentication configuration, validates background check records for all staff with CJI access, reviews audit log retention and the evidence of weekly log review, and tests incident response procedures (including the 1-hour notification). Findings are classified by severity, and critical findings (e.g., unencrypted CJI at rest outside a secure location, missing Advanced Authentication) must be remediated within a state-defined window, commonly 30 to 90 days, or CJI access is suspended.
Our Conclusion & Recommendation
The CJIS Security Policy is the single most consequential data security framework for public safety technology operations in the United States. It demands a level of operational rigor—particularly around Advanced Authentication, encryption standards, and rapid incident reporting—that exceeds many commercial industry frameworks. For public sector CIOs and CISOs, non-compliance is not a risk; it is a shutdown event. For private vendors serving law enforcement, CJIS compliance is a non-negotiable competitive requirement.
We recommend that any organization currently accessing or planning to access CJI conduct a CJIS-specific gap analysis against the policy version currently in force (this article uses 5.9.2 as its reference), focusing especially on data flow mapping (to avoid scope gaps) and personnel background check currency. Automated compliance tools like CyberSilo's Compliance Standards Automation can reduce audit preparation time by up to 60% by continuously validating encryption, log coverage, and user authentication policies against the CJIS control set. The cost of a failed audit, measured in lost CJI access, legal exposure, and public trust, far outweighs the investment in proactive compliance.
Ready to Lock In Your CJIS Compliance?
Our team of former CSO auditors and compliance engineers can step you through the full CJIS gap assessment in under 10 business days. No commitment required for the initial scoping call.
