
13 CJIS Compliance Requirements and Best Practices

Craig Smilowitz | Read time: 10 min | Updated on June 4, 2025

Last Updated on June 4, 2025 by Satyendra

13 Compliance Requirements for Criminal Justice Information Services (CJIS)

What is CJIS Compliance?

Established in 1992, the Criminal Justice Information Services (CJIS) division is a subdivision of the United States Federal Bureau of Investigation (FBI). CJIS serves as a central repository of crucial criminal justice data, including fingerprint and other biometric information together with criminal-history records, and it is where the FBI sets the security requirements and guidelines that criminal justice agencies and organizations must follow. For state, local, and federal law enforcement and criminal justice institutions, this is the most important division of the FBI. CJIS compliance essentially means following the security standards established by the FBI’s Criminal Justice Information Services division. By imposing security controls and precautions, CJIS compliance protects the confidentiality, integrity, and availability (CIA) of this information.

CJIS Compliance Requirements

The Criminal Justice Information Services Security Policy (CJISSECPOL) has existed for years. It was updated in August 2024, with the revised rules taking effect in October 2024; these revisions bring all of its security policies into line with NIST SP 800-53 (from the National Institute of Standards and Technology) and with the current cybersecurity and threat environment. CJISSECPOL therefore lays out the minimum security standards for approved agencies wishing to access CJIS systems or to handle and store criminal justice information.

The most important policy changes are under Identification and Authentication: multi-factor authentication (MFA) will be required for any agency accessing CJI starting October 2024. The other significant policy changes cover data encryption at rest and in transit, account management, incident response processes, guest access log retention, and audit requirements. MFA combines two or more of the following factors:

  • Something you know, such as a PIN, password, or security code.
  • Something you have, such as an access card, USB token, or mobile device (a physical authenticator).
  • Something you are, such as a biometric: a fingerprint or facial features.

CJIS Compliance Requirements Infographic

1. Information Exchange Agreements

Criminal justice agencies and the other entities they share data with must agree on how CJI is managed so that it is protected at every level. Putting the terms of the information exchange agreement in writing guarantees that, for every CJI exchange, roles, responsibilities and security expectations are actually agreed. The written agreement will set out in detail:

  • The security obligations of both parties: how the information must be delivered securely, who is responsible for protecting it, how a breach must be notified, and how to proceed if the information may be shared with third-party contractors.
  • The approved methods of information sharing, including the data-handling safeguards that guarantee the information is transmitted and received securely by all interested parties and stored securely in every case. Generally, these methods rely on access restriction and encryption.
  • Audit and compliance verification: every party that uses or has access to the shared CJI will be subject to audit and compliance checks.

2. Security Awareness Training

Employees who have access to CJI must be trained to comply with the CJIS compliance security standards within the first six months of assignment, and training should be carried out annually.

3. Incident Response Plan

Organizations must have an Incident Response Plan (IRP) in place to ensure that they are able to identify, contain, eradicate and recover from a security incident in a timely manner. Any data breaches must be reported to the Justice Department.

4. Auditing and Accountability

Organizations must monitor all access to CJI, including who is accessing it, and when. They will also need information about why a user is accessing the data, to help them determine the legitimacy of the user’s actions. Organizations should keep a historical archive of all events involving CJI, to assist them in conducting a forensic analysis, were a security incident to unfold. Administrators should monitor access to files, folders and privileged mailbox accounts, login attempts, permission changes, password modifications, and so on.

5. Access Control

Organizations will need to implement Role-Based Access Control (RBAC), and include “roles” such as job type, location, IP address, and time restrictions in order to meet CJIS compliance standards.
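As an added illustration of the role-based restrictions listed above (job type, location, IP address and time), not code from the article or from Lepide: a Python access check that evaluates every condition for a role and denies by default. The policy table, role names, networks and locations are invented for the example.

```python
import ipaddress
from datetime import datetime

# Constructed policy table, an assumption for this example rather than any
# CJIS-defined schema: per role, the approved networks, hours and locations.
POLICY = {
    "records_clerk": {
        "networks": ["10.20.0.0/16"],
        "hours": ("07:00:00", "19:00:00"),
        "locations": {"HQ"},
    },
    "detective": {
        "networks": ["10.20.0.0/16", "10.30.0.0/16"],
        "hours": ("00:00:00", "23:59:59"),
        "locations": {"HQ", "Precinct-2"},
    },
}


def can_access_cji(role, source_ip, location, when_iso):
    """Evaluate every restriction for the role; return (allowed, reason).

    Anything unknown or malformed is denied (fail closed).
    """
    rule = POLICY.get(role)
    if rule is None:
        return False, "unknown role"
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "malformed source IP"
    try:
        when = datetime.fromisoformat(when_iso)
    except ValueError:
        return False, "malformed timestamp"
    # IP check: the address must fall inside one of the role's approved networks.
    if not any(ip in ipaddress.ip_network(net) for net in rule["networks"]):
        return False, "source IP outside approved networks"
    # Location check: the workstation's registered site must be approved for the role.
    if location not in rule["locations"]:
        return False, "location not approved for role"
    # Time check: compare the clock time against the role's permitted window.
    start, end = rule["hours"]
    if not start <= when.strftime("%H:%M:%S") <= end:
        return False, "outside permitted hours"
    return True, "ok"
```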

6. Identification and Authentication

To access CJIS data, users are required to comply with the CJIS authentication standards, which compel agencies to use multi-factor authentication (MFA). MFA relies on two or more “factors” to authenticate the user: something the user knows, something the user has, and something the user is (e.g. biometric data). The CJIS stipulates that a maximum of 5 unsuccessful login attempts is allowed per user, after which their credentials will need to be reset. Additionally, passwords will need to be reset periodically.
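As an added illustration of the auditing requirement in section 4 and the lockout rule in section 6, not code from the article or from Lepide: a small Python review of constructed audit events that flags the fifth consecutive failed login, any login by a user who should already be locked out, CJI access records missing the who/when/what/why fields, and permission or password changes. The log field names and the reading of the limit as consecutive failures are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample audit events (JSON lines) invented for this example;
# the field names are assumptions, not any real product's log schema.
SAMPLE_LOG = """\
{"ts":"2025-06-04T08:01:10Z","user":"alice","event":"login","result":"failure"}
{"ts":"2025-06-04T08:01:25Z","user":"alice","event":"login","result":"failure"}
{"ts":"2025-06-04T08:01:40Z","user":"alice","event":"login","result":"failure"}
{"ts":"2025-06-04T08:01:55Z","user":"alice","event":"login","result":"failure"}
{"ts":"2025-06-04T08:02:10Z","user":"alice","event":"login","result":"failure"}
{"ts":"2025-06-04T08:02:30Z","user":"alice","event":"login","result":"success"}
{"ts":"2025-06-04T09:10:00Z","user":"bob","event":"login","result":"success"}
{"ts":"2025-06-04T09:12:00Z","user":"bob","event":"cji_access","object":"cji/case-1042.pdf","reason":"case 1042 review"}
{"ts":"2025-06-04T09:15:00Z","user":"bob","event":"cji_access","object":"cji/rapsheet-77.pdf"}
{"ts":"2025-06-04T09:20:00Z","user":"bob","event":"permission_change","object":"cji/","detail":"grant Modify to carol"}
"""

MAX_FAILED_LOGINS = 5  # limit stated in section 6
REQUIRED_ACCESS_FIELDS = ("ts", "user", "object", "reason")  # when, who, what, why


def parse_events(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_events(events):
    """Return (finding, user, ts, detail) tuples for events an auditor must see."""
    findings = []
    failed = defaultdict(int)  # consecutive failed logins per user
    locked = set()             # users whose credentials must be reset
    for e in events:
        user, ts, kind = e.get("user", "?"), e.get("ts", "?"), e.get("event")
        if kind == "login":
            if user in locked:  # any login after lockout means the lockout is not enforced
                findings.append(("LOGIN_WHILE_LOCKED", user, ts, e.get("result")))
            elif e.get("result") == "failure":
                failed[user] += 1
                if failed[user] >= MAX_FAILED_LOGINS:
                    locked.add(user)
                    findings.append(("LOCKOUT", user, ts, "credential reset required"))
            else:
                failed[user] = 0  # a successful login resets the counter
        elif kind == "cji_access":
            missing = [f for f in REQUIRED_ACCESS_FIELDS if not e.get(f)]
            if missing:
                findings.append(("INCOMPLETE_ACCESS_RECORD", user, ts, ",".join(missing)))
        elif kind in ("permission_change", "password_change"):
            findings.append(("PRIVILEGE_EVENT", user, ts, e.get("detail", "")))
    return findings
```

On the sample above the review yields four findings: alice's lockout, her later successful login that should not have happened, bob's access record with no recorded reason, and bob's permission change.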

7. Configuration Management

The CJIS security standards stipulate that only authorized users are allowed to make configuration changes to systems that store CJI, which includes performing software updates, and adding/removing hardware. Both the procedures for making such changes, along with any changes that are made, must be clearly documented, and shielded from unauthorized access.

8. Media Protection

To ensure data integrity and confidentiality, policies should specify how to securely store, move, and destroy physical and digital media that hold sensitive information. To prevent unwanted access or tampering, physical media and storage spaces must be controlled and continuously monitored. To regulate access to both digital and non-digital media, organizations must make sure that media protection policies are applied and documented.

9. Physical Protection

Policies and processes must be in place for organizations that store CJI to guarantee that all media are safeguarded and disposed of safely after use. Security measures for server rooms should include cameras, alarms, and locks. Policies for physical protection should be established and followed to guarantee that CJI, hardware, and software are safeguarded.

10. Systems and Communications Protection and Information Integrity

This policy area relates to the overall security of an organization’s network. Organizations handling CJI must have the necessary safeguards in place to ensure that all systems and communication protocols are protected from unauthorized access. They will need to implement perimeter security solutions such as anti-virus software, firewalls and Intrusion Prevention Systems (IPS). They will need to use techniques such as application blacklisting/whitelisting, and ensure that all CJI is encrypted, both at rest and in transit. The CJIS also sets out certain standards relating to the way data is encrypted. For example, organizations must use a minimum of 128-bit encryption, and the decryption keys must be at least 10 characters long, with a mix of upper- and lowercase letters, numbers and special characters. If a user no longer needs access to the encrypted data, the keys must be changed.

11. Formal Audits

Organizations will be subject to formal security audits to ensure that they are complying with the CJIS security standards. The audits will be carried out at least once every three years, by either the CJIS Audit Unit (CAU) or the CJIS Systems Agency (CSA).

12. Personnel Security

Any employees, contractors and vendors, that will have access to CJI, must be subject to a rigorous screening process, which includes checking fingerprints against the Integrated Automated Fingerprint Identification System (IAFIS).

13. Mobile Devices

Organizations must establish an “acceptable use policy” relating to the way mobile devices are used, including the websites they can access and the applications they can install. The policy should cover any laptop, smartphone or tablet that has access to CJI. Such devices will be held to the same security standards as on-premise devices, although a number of additional security measures may be required. For example, the user will be required to ensure that their device is password protected. They may be required to install Mobile Device Management (MDM) software and remote wiping software, and to use a device locator service (to help find the device if it is lost or stolen). If employees are using their device on an unsecured public Wi-Fi network, they may be required to use a Virtual Private Network (VPN) to ensure that all data transmissions are encrypted.

Who Needs to Be CJIS Compliant?

Applying CJIS compliance involves establishing and maintaining certain security requirements on all systems and employees that process criminal justice information and data. The same standard applies to everyone, regardless of where they stand in the criminal justice system. That encompasses anyone who can access or handle such information: contractors, private vendors, officials from non-criminal justice bodies, prosecuting officers and criminal justice employees. It is a shared responsibility between the vendor and the agency. Once every three years the CJIS Audit Unit or a CJIS Systems Agency will perform a formal audit to ensure compliance. It is worth mentioning that data security does not rest on staff members alone, even if the department chooses a cloud service provider for access to CJIS data: the provider shares the obligation. By adhering to the best practices in the CJIS Security Policy (CSP), organizations can remain compliant, secure sensitive data and optimize their operations.

Broadly speaking, if a company gets its data from the FBI or an independent state investigation bureau, it is most probably covered by CJIS standards. But there really isn’t a concrete way to determine whether or not a particular solution is CJIS compliant. In the end, each state answers to the FBI for compliance within its own borders. No one institution can provide a national seal of approval for compliance, because each state has its own laws and the FBI cannot regulate a national certification process. The only way to evaluate how well a business is following the protocols recommended by the CJIS Security Policy (CSP) is to assess its level of compliance with them.

Why Is CJIS Compliance Important?

CJIS compliance is crucial for several reasons, not least because it sets and enforces security requirements for managing criminal justice information:

  1. Data Security: CJIS compliance’s biggest benefit is data security. Organizations can greatly increase the safety of sensitive Criminal Justice Information (CJI) by following the strict security guidelines in the CJIS Security Policy. By implementing strong encryption, access controls and incident response plans these organizations can prevent CJI from being used, disclosed or accessed illegally. This increased level of data protection ensures the integrity and confidentiality of critical law enforcement data and reduces the risk of data breaches, cyber attacks and information theft.
  2. Enhanced Law Enforcement Operations and Efficiency: By making data handling more secure and reliable CJIS compliance makes law enforcement agencies more effective. Having timely and accurate access to CJI allows police and investigators to get critical information quickly, assess cases and make informed decisions. Better decision making and resource allocation is facilitated by having access to reliable information so authorities can respond to incidents proactively and prevent crime. CJIS also encourages safe and standardized information sharing between departments, agencies and jurisdictions to reduce information silos.
  3. Public Trust: CJIS compliance which shows commitment to values and data security is key to public trust in law enforcement. By following data protection guidelines organizations show they will prevent personal data from being misused and respect people’s rights. Not just the general public but also peer organizations, funding agencies and regulatory bodies can benefit from an agency’s CJIS compliance.

How Lepide Helps

The Lepide Data Security Platform helps you track permission modifications, suspicious file and folder activity, anomalous failed logon attempts, privileged mailbox access, unauthorized password changes, and much more. All of this is shown in a single dashboard, along with a detailed history of all activities related to CJI. Most solutions of this kind also offer a predefined set of reports tailored to the reporting needs of the vast majority of data privacy regulations, including those outlined by CJIS.

To learn how Lepide can help you to get aligned with CJIS compliance, download a free trial or call one of our engineers to schedule a demo today.
