CJIS Compliance

The Criminal Justice Information Services (CJIS) Division was established in February 1992 to serve as the focal point and central repository for criminal justice information services in the FBI.[1] The CJIS Division gives state, local, and federal law enforcement and criminal justice agencies access to criminal justice information (CJI), such as fingerprint records and criminal histories.[2] Law enforcement and other US government agencies must ensure that the transmission, storage, and processing of CJI comply with the CJIS Security Policy, which outlines the “appropriate controls to protect the full lifecycle of CJI (Criminal Justice Information), whether at rest or in transit.”[3]

The CJIS Security Policy defines 13 policy areas that private contractors, such as cloud service providers, must evaluate to determine whether their services can be used in a manner consistent with CJIS requirements.[4] Additionally, all private contractors who process CJI must sign the CJIS Security Addendum, a uniform agreement approved by the US Attorney General that helps ensure the security and confidentiality of CJI as required by the CJIS Security Policy. Signing it commits the contractor to maintaining a security program consistent with federal and state laws, regulations, and standards, and limits the use of CJI to the purposes for which a government agency provided it.

Properly securing CJI and maintaining compliance with the CJIS Security Policy requires a number of controls aimed at ensuring that CJI is accessed only by authorized individuals. One of the most fundamental underpinnings of the policy is the principle of least privilege, based on the “need-to-know, right-to-know” standard. Encrypting CJI and restricting access to the encryption keys is one way to enforce least privilege, but it only works if key access is itself tied to authenticated, authorized users and is logged; encryption on its own does not replace access control. Other considerations for CJIS compliance include designating a local agency security officer (LASO), encrypting CJI in transit whenever it leaves a physically secure location, and segmenting systems that handle CJI from non-CJI network devices.

Given the number of controls detailed in the CJIS Security Policy, organizations should plan for CJIS compliance by conducting a comprehensive analysis of their technology and cybersecurity environment, reviewing potential cybersecurity gaps and compliance risks, and creating a plan to mitigate those risks and protect CJI.

[1] FBI, 2021, “Criminal Justice Information Services (CJIS)”

[2] Microsoft, 2021, “Criminal Justice Information Services (CJIS)”

[3] FBI, 2020, “Criminal Justice Information Services (CJIS) Security Policy: Version 5.9”

[4] AWS, 2021, “Using AWS for Criminal Justice Information Solutions”