The Criminal Justice Information Services (CJIS) Security Policy is published by the FBI's CJIS Division and establishes the minimum security requirements for accessing criminal justice information (CJI). This includes data from the National Crime Information Center (NCIC), the Interstate Identification Index (III), and the National Instant Criminal Background Check System (NICS). The policy applies to every individual and organization that accesses, stores, or transmits CJI, including law enforcement agencies, private contractors, cloud service providers, and any entity with access to criminal justice databases. The current version reflects evolving threats and modern technology architectures.
The CJIS Security Policy is organized into 13 policy areas covering information exchange agreements, security awareness training, incident response, auditing and accountability, access control, identification and authentication, configuration management, media protection, physical protection, systems and communications protection, formal audits, personnel security, and mobile devices. Key technical requirements include advanced authentication (multi-factor) for accessing CJI remotely, encryption of CJI in transit using FIPS 140-validated modules, encryption at rest, comprehensive audit logging with minimum one-year retention, and background screening with fingerprint checks for all personnel with access. State CJIS Systems Agencies (CSAs) are responsible for enforcing the policy within their jurisdictions, and the FBI conducts triennial audits of state compliance.
Non-compliance with the CJIS Security Policy can result in suspension or termination of access to federal criminal justice databases, severely impacting law enforcement operations. For technology vendors and cloud providers serving law enforcement, CJIS compliance is a non-negotiable requirement. Violations can lead to criminal penalties for unauthorized access to CJI. As law enforcement agencies modernize their IT infrastructure, CJIS compliance drives significant investment in security controls, particularly around encryption, authentication, and personnel vetting.