CJIS Security Policy
The CJIS Security Policy sets minimum security requirements for accessing FBI criminal justice databases, applying to all entities handling criminal justice information.
The Criminal Justice Information Services (CJIS) Security Policy is published by the FBI's CJIS Division and establishes the minimum security requirements for accessing criminal justice information (CJI). This includes data from the National Crime Information Center (NCIC), the Interstate Identification Index (III), and the National Instant Criminal Background Check System (NICS). The policy applies to every individual and organization that accesses, stores, or transmits CJI, including law enforcement agencies, private contractors, cloud service providers, and any entity with access to criminal justice databases. The current version reflects evolving threats and modern technology architectures.
The CJIS Security Policy is organized into 13 policy areas covering information exchange agreements, security awareness training, incident response, auditing and accountability, access control, identification and authentication, configuration management, media protection, physical protection, systems and communications protection, formal audits, personnel security, and mobile devices. Key technical requirements include advanced authentication (multi-factor) for accessing CJI remotely, encryption of CJI in transit using FIPS 140-validated modules, encryption at rest, comprehensive audit logging with minimum one-year retention, and background screening with fingerprint checks for all personnel with access. State CJIS Systems Agencies (CSAs) are responsible for enforcing the policy within their jurisdictions, and the FBI conducts triennial audits of state compliance.
Non-compliance with CJIS policy can result in suspension or termination of access to federal criminal justice databases, severely impacting law enforcement operations. For technology vendors and cloud providers serving law enforcement, CJIS compliance is a non-negotiable requirement. Violations can lead to criminal penalties for unauthorized access to CJI. As law enforcement agencies modernize their IT infrastructure, CJIS compliance drives significant investment in security controls, particularly around encryption, authentication, and personnel vetting.
Written by CDA Editorial