Your Roadmap to Risk Reduction!
The Continuum GRC ITAM SaaS platform has hundreds of plugin modules available, such as:
Criminal Justice Information Services (CJIS)
A CJIS Security Policy assessment is how service providers to the law enforcement community demonstrate that they meet the FBI's requirements for handling Criminal Justice Information, and it gives your customers a high standard of assurance.
Modules include:
- CJIS System Security Plan (SSP)
- CJIS Security Assessment Report (SAR)
- Plan of Action and Milestones (POA&M)
- Federal Information Processing Standard (FIPS) 199 Categorization
- Criminal Justice Information Services (CJIS) Preamble
- Criminal Justice Information Services (CJIS) Index
- Criminal Justice Information Services (CJIS) AC Access Control
- Criminal Justice Information Services (CJIS) AT Awareness and Training
- Criminal Justice Information Services (CJIS) AU Audit and Accountability
- Criminal Justice Information Services (CJIS) CA Certification, Accreditation, and Security Assessment
- Criminal Justice Information Services (CJIS) CM Configuration Management
- Criminal Justice Information Services (CJIS) CP Contingency Planning
- Criminal Justice Information Services (CJIS) IA Identification and Authentication
- Criminal Justice Information Services (CJIS) IR Incident Response
- Criminal Justice Information Services (CJIS) MA Maintenance
- Criminal Justice Information Services (CJIS) MP Media Protection
- Criminal Justice Information Services (CJIS) PE Physical and Environmental Protection
- Criminal Justice Information Services (CJIS) PL Planning
- Criminal Justice Information Services (CJIS) PM Program Management
- Criminal Justice Information Services (CJIS) PS Personnel Security
- Criminal Justice Information Services (CJIS) RA Risk Assessment
- Criminal Justice Information Services (CJIS) SA System and Services Acquisition
- Criminal Justice Information Services (CJIS) SC System and Communications Protection
- Criminal Justice Information Services (CJIS) SI System and Information Integrity
Is Criminal Justice Information Services (CJIS) right for you?
Law enforcement and intelligence agencies rely on FBI-maintained national databases (such as NCIC) that are used constantly for investigations, stolen property, missing persons, crime analysis, and other information sourced from the FBI. The FBI's Criminal Justice Information Services (CJIS) Division provides access to this sensitive data and, through the CJIS Security Policy, requires that your organization apply the stringent security and privacy controls that come with it.
Local, state, and federal agencies apply the CJIS security controls to prevent data breaches as they use these information systems. The same obligations extend to every partner that touches the data, including international criminal justice systems and related agencies.
Multi-Industry Cybersecurity Solutions
CJIS requires a variety of cybersecurity practices and controls. Strong authentication, encryption, limited access control, physical security around equipment, and security around personnel are just some of the elements of CJIS compliance. Plans for detecting and responding to any incidents are also part of CJIS requirements within organizations.
Assessing where your organization is when it comes to these many cybersecurity requirements can be time-consuming. Utilizing Continuum GRC to assess, audit, and implement solutions can streamline the process of becoming CJIS compliant. Working with highly sensitive justice information services requires ongoing monitoring and testing to remain secure and compliant with evolving standards.
(CJIS) Criminal Justice Information Services Compliance Audit Services Checklist
A CJIS compliance audit covers a variety of elements, from network monitoring and overall device security to thorough documentation, staff training, testing, and detailed log keeping. CJIS compliance requirements are stringent and ever-evolving. Having an experienced and certified third-party group focused on the checklist items needed for a successful audit can greatly smooth this process.
Continuum GRC specializes in helping criminal justice agencies develop and establish a thorough cybersecurity posture to access and work with sensitive information related to law enforcement and crime. Our solutions streamline the necessary but complex audit compliance process.
Our CJIS Services
Continuum GRC is a risk management and audit expert, specializing in helping organizations become compliant with the most security-sensitive requirements. When it comes to working with Criminal Justice Information Services, we’ll guide you through the stringent audit process, doing all initial assessments and testing, making recommendations, and helping you implement them to achieve (and maintain) compliance.
CJIS involves extremely sensitive information related to the justice system; having a strong security posture is essential in accessing it, especially if international partners are involved. We’ll help you cover every aspect to ensure and maintain a robust compliance stance.
What are you waiting for?
FAQ
What services are included in CJIS audit support?
Continuum GRC reviews and appraises your basic security measures, such as encryption, physical and device security, network monitoring, and key documentation. We offer recommendations for training, data sharing, security procedures, and managing outside vendors. It is a deep dive into every aspect of the CJIS requirements and the ways to implement them.
What are some key areas reviewed in a CJIS audit?
CJIS systems require enhanced security. The audit reviews encryption methods, access controls, network monitoring, and the security around physical access to systems and related devices. It also examines multi-factor authentication practices, and the policies and procedures governing matters such as data sharing and responding to security incidents.
How often are CJIS audits conducted?
To ensure compliance with the security policy, formal CJIS audits are conducted every three years.
These are typically conducted either by the FBI or a state-level CJIS agency. However, it’s a good idea to do annual self-assessments to stay on top of required security and documentation measures around CJIS compliance.
How can organizations prepare for a CJIS audit?
Conduct an analysis to review your existing security posture and implement any needed controls. Document those steps (and maintain that documentation, like logs and any security events) and train your staff in any new protocols. Finally, contact Continuum GRC to guide you through a more detailed audit.
Why should third-party vendors undergo CJIS compliance audits?
Third-party vendors with any kind of access to sensitive justice system information will benefit from showing that they’re in compliance with the security demands required by CJIS. Undergoing an audit demonstrates their commitment to data security as a way to avoid reputational damage and potential legal consequences.
Do cloud service providers need to be CJIS compliant?
Yes. If a cloud service provider stores, processes, or transmits any data related to the criminal justice system, it needs to comply with the security demands of CJIS. This is highly sensitive data that must have a high security profile. Continuum GRC can ensure your systems, networks, procedures, and more align with these requirements.
You are just a conversation away from putting the power of Continuum GRC to work for you.
Contact us using the form below or by calling us at 1-888-896-6207 for immediate assistance.
About this standard
The Criminal Justice Information Services (CJIS) Security Policy, established by the Federal Bureau of Investigation (FBI), provides a framework to protect sensitive Criminal Justice Information (CJI), such as fingerprints, criminal histories, and case files. It ensures the confidentiality, integrity, and availability (CIA) of CJI for law enforcement, national security, and authorized non-criminal justice agencies. Below is a compliance overview of the CJIS Security Policy based on its structure, purpose, and requirements.
Purpose of CJIS Security Policy
The CJIS Security Policy aims to:
- Protect sensitive CJI from unauthorized access, breaches, and cyber threats.
- Standardize security practices across federal, state, local, and authorized non-criminal justice agencies handling CJI.
- Ensure compliance with federal laws, FBI directives, and National Institute of Standards and Technology (NIST) guidelines, particularly NIST 800-53.
- Facilitate secure data sharing among criminal justice agencies to support law enforcement operations and public safety.
Key Features of CJIS Security Policy
- Structure and Scope:
- The latest version, CJIS Security Policy v6.0 (released December 27, 2024), includes 13 policy areas with specific security requirements and controls, mapped to nearly 500 NIST 800-53 rev. 5 controls.
- Applies to Criminal Justice Information (CJI), which includes biometric data (e.g., fingerprints, iris scans), criminal history records, personally identifiable information (PII), case/incident data, warrants, and more.
- Covers organizations accessing CJI, including law enforcement agencies, courts, prosecutors, government contractors, IT service providers, cloud providers, and non-criminal justice agencies with authorized access.
- 13 Policy Areas: The CJIS Security Policy is organized into 13 areas, each addressing a critical aspect of information security. Key requirements include:
- Information Exchange Agreements: Formal agreements defining roles, responsibilities, and security safeguards for sharing CJI.
- Security Awareness Training: Mandatory training for all personnel handling CJI, covering threats like phishing and data handling protocols, with initial training within six months and refresher training every two years.
- Incident Response: Documented plans for detecting, reporting, mitigating, and recovering from security incidents, including breach notifications.
- Auditing and Accountability: Comprehensive audit logging of CJI access, with logs retained for at least one year and regular reviews to detect unauthorized activity.
- Access Control: Role-based access, least privilege principles, and session termination after inactivity.
- Identification and Authentication: Strong authentication, including multi-factor authentication (MFA) and complex passwords (15+ characters).
- Configuration Management: Documented baseline configurations, change control procedures, and authorized personnel for system modifications.
- Media Protection: Secure storage, encryption, and disposal of physical and digital media containing CJI.
- Physical Protection: Secure facilities with access controls (e.g., badges, biometrics) and monitoring systems.
- Systems and Communications Protection: FIPS 140-2 validated encryption for data in transit and AES-256 for data at rest, plus network security controls like firewalls.
- Formal Audits: Triennial audits by the FBI or state agencies to verify compliance, with self-audits recommended in between.
- Personnel Security: Background checks, including fingerprint-based screening, and access revocation upon termination.
- Mobile Devices: Encryption, remote wipe capabilities, and wireless communication security for devices accessing CJI.
- Audit and Compliance Verification:
- Compliance is verified through triennial audits by the FBI’s CJIS Audit Unit or state CJIS Systems Agency representatives.
- Organizations must conduct self-audits and maintain documentation, including audit logs, system security reports, and incident response plans.
- Non-compliance can result in loss of access to FBI CJIS systems (e.g., NCIC), legal liability, compromised evidence, and reputational damage.
- Transparency and Accountability:
- Organizations must provide detailed system descriptions, including data locations and subcontractor details.
- The policy requires continuous monitoring, real-time risk assessment, and independent assessments for some controls (e.g., CA-2(1) in v6.0).
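The auditing-and-accountability, access-control, and identification-and-authentication items above call for logging every CJI access, reviewing the logs for unauthorized activity, enforcing least privilege by role, terminating idle sessions, and requiring MFA. The following Python script is an added illustration of what such a review looks like in practice; it is not Continuum GRC code and not part of the CJIS Security Policy. The log format, the user and session identifiers, the authorization roster, and the 30-minute idle limit are all assumptions constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit log, one JSON object per line. The field names,
# user IDs, session IDs and record types are assumptions made for this
# example; they are not a CJIS-mandated log schema.
SAMPLE_LOG = """\
{"ts": "2025-03-01T08:00:00", "user": "jdoe", "session": "s1", "event": "login", "mfa": true}
{"ts": "2025-03-01T08:01:10", "user": "jdoe", "session": "s1", "event": "query", "record": "criminal_history", "outcome": "success"}
{"ts": "2025-03-01T09:05:00", "user": "jdoe", "session": "s1", "event": "query", "record": "criminal_history", "outcome": "success"}
{"ts": "2025-03-01T09:06:00", "user": "jdoe", "session": "s1", "event": "logout"}
{"ts": "2025-03-01T10:00:00", "user": "mroe", "session": "s2", "event": "login", "mfa": false}
{"ts": "2025-03-01T10:00:30", "user": "mroe", "session": "s2", "event": "query", "record": "fingerprint", "outcome": "success"}
{"ts": "2025-03-01T11:00:00", "user": "ghost", "session": "s3", "event": "login", "mfa": true}
{"ts": "2025-03-01T11:00:05", "user": "ghost", "session": "s3", "event": "query", "record": "warrant", "outcome": "denied"}
"""

# Assumed authorization roster (least privilege): user -> record types the
# user's role is permitted to query. Anyone absent has no CJI authorization.
AUTHORIZED = {
    "jdoe": {"criminal_history", "warrant"},
    "mroe": {"warrant"},
}

INACTIVITY_LIMIT = timedelta(minutes=30)              # assumed idle timeout
REQUIRED_FIELDS = ("ts", "user", "session", "event")  # when, who, where, what


def parse_log(text):
    """Parse one JSON event per line; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def review(events, authorized, inactivity_limit=INACTIVITY_LIMIT):
    """Return (finding, user, detail) tuples for events that violate the
    assumed access-control, authentication and session rules."""
    findings = []
    last_seen = {}  # session id -> timestamp of the previous event in it
    for event in events:
        missing = [f for f in REQUIRED_FIELDS if f not in event]
        if missing:
            # An audit record that cannot say who/what/when is itself a finding.
            findings.append(("incomplete_record", event.get("user"), missing))
            continue
        user, sid, ts = event["user"], event["session"], event["ts"]
        # Two events in one session further apart than the idle limit mean the
        # session survived inactivity instead of being terminated.
        if sid in last_seen and ts - last_seen[sid] > inactivity_limit:
            findings.append(("idle_session_not_terminated", user, sid))
        last_seen[sid] = ts
        if event["event"] == "login" and not event.get("mfa"):
            findings.append(("login_without_mfa", user, sid))
        elif event["event"] == "query":
            record = event.get("record")
            if user not in authorized:
                findings.append(("unknown_account", user, record))
            elif record not in authorized[user]:
                findings.append(("role_violation", user, record))
        elif event["event"] == "logout":
            last_seen.pop(sid, None)
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG), AUTHORIZED):
        print(*finding)
```

Run against the constructed log, the review flags four conditions: a session that stayed open across more than 30 minutes of inactivity, a login without MFA, a query for a record type outside the user's role, and a query by an account that is not on the roster at all. Note that the last one is reported even though the system denied the query, because an unknown account reaching the query path is exactly the kind of unauthorized activity a log review exists to surface.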
Compliance Requirements
To achieve and maintain CJIS compliance, organizations must:
- Understand and Implement Policy Areas:
- Adopt controls across all 13 areas, tailored to the organization’s role and CJI handling (e.g., encryption, MFA, access controls).
- Conduct Risk Assessments:
- Identify vulnerabilities in systems, networks, and processes handling CJI and address gaps.
- Train Personnel:
- Provide initial and ongoing training on CJIS security practices, with background checks for personnel accessing CJI.
- Implement Monitoring and Auditing:
- Set up audit trails, regularly review logs, and flag suspicious activity. Continuous monitoring is now a standard requirement in v6.0.
- Prepare for Audits:
- Conduct self-audits, maintain documentation, and schedule external audits to validate compliance.
- Stay Updated:
- Regularly check for policy updates (e.g., via the CJIS website) and adjust systems to align with changes, such as v6.0’s new controls.
- Partner with Compliant Vendors:
- Ensure third-party providers (e.g., cloud services) sign the CJIS Security Addendum and meet compliance standards.
CJIS in Practice
- Adoption: Mandatory for law enforcement agencies, courts, prosecutors, and any entity accessing CJI, including private contractors, IT providers, and cloud vendors.
- Key Updates in v6.0 (December 2024):
- Enhanced assessment and monitoring with independent assessors and real-time risk monitoring (CA-2(1), CA-7(4)).
- Strengthened personnel security with updated background checks and access agreements.
- Improved supply chain risk management to ensure secure procurement and vendor oversight.
- Mandatory MFA on all devices accessing CJI, with updated password management (e.g., banned password lists).
- Removal of redundant appendices (J and K) to streamline the policy.
- Integration with Other Standards:
- Aligns with NIST 800-53 moderate-level controls, facilitating compliance for organizations already adhering to NIST standards.
- Supports frameworks like ISO 27001 and FedRAMP through control mappings.
- Resources:
- FBI CJIS ISO Program: Provides guidance and mapping documents.
- State CJIS Authorities: Offer state-specific resources and training.
- Training Programs: Available through organizations like the IACP and IJIS Institute.
- Grants: Federal and state funding may offset compliance costs.
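The v6.0 password-management changes mentioned above (banned password lists alongside a minimum length) are only effective if candidates are normalized before they are compared with the list; otherwise "P@ssw0rd2024!" sails past a list that contains "password". The following Python check is an added example, not Continuum GRC code and not text from the CJIS Security Policy; the blocklist is a constructed stand-in for a breached-password corpus, the substitution table is an assumption, and the 15-character default is the figure quoted in the overview above rather than a value verified against the policy text.

```python
import re

# Constructed blocklist standing in for a breached/common-password corpus
# (an assumption for this example; a real deployment loads a large list).
BANNED = {"password", "letmein", "welcome", "qwerty", "admin", "changeme"}

# Common substitutions undone before comparison, so "P@ssw0rd" matches "password".
LEET = str.maketrans("01345@$", "oleasas")


def normalize(password):
    """Reduce a candidate to the core word an attacker would guess from."""
    core = password.lower()
    core = re.sub(r"[\W\d_]+$", "", core)   # drop trailing digits/symbols ("...2024!")
    core = re.sub(r"^[\W\d_]+", "", core)   # and leading ones
    core = core.translate(LEET)
    return re.sub(r"[^a-z]", "", core)      # drop separators between words


def check_password(password, username, min_length=15, banned=BANNED):
    """Return the list of policy problems; an empty list means acceptable.
    min_length defaults to the 15-character figure quoted in the overview."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if normalize(password) in banned:
        problems.append("banned")
    if username and username.lower() in password.lower():
        problems.append("contains_username")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!!!!!2025", "Welcome2024!", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate, "jdoe") or "ok")
```

The design point is that length and blocklist screening are separate checks: a 17-character "P@ssw0rd!!!!!2025" meets the length rule and still fails, while a long passphrase of unrelated words passes both. A real deployment would also reject candidates that contain the user's name or the agency name and would load the blocklist from a maintained corpus rather than an inline set.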
Challenges
- Resource Constraints: Smaller agencies may struggle with financial and human resources to implement controls.
- Technical Complexity: Integrating new controls into legacy systems can be challenging.
- Vendor Compliance: Ensuring third-party providers meet CJIS standards requires ongoing oversight.
- Training Demands: Regular training for all personnel, including non-IT staff, is resource-intensive.
How Organizations Can Use CJIS
- Agencies and Organizations:
- Implement controls starting with Priority 1 (P1) requirements, such as MFA and encryption, which are immediately auditable.
- Use tools like Continuum GRC for CJIS-compliant evidence management and archiving.
- Vendors and Contractors:
- Sign the CJIS Security Addendum and align systems (e.g., cloud platforms like AWS GovCloud) with CJIS requirements.
- Provide transparency on data handling and undergo regular audits.
- Auditors:
- Use CJIS control mappings to NIST 800-53 to conduct consistent audits.
- Verify compliance through triennial audits and review remediation plans.
Conclusion
The CJIS Security Policy v6.0 provides a robust, standardized framework to secure CJI, ensuring confidentiality, integrity, and availability across a wide range of organizations. Its 13 policy areas, updated controls (e.g., mandatory MFA, real-time monitoring), and alignment with NIST 800-53 make it a critical tool for protecting sensitive criminal justice data. Compliance requires ongoing effort, including risk assessments, training, audits, and vendor coordination. Non-compliance risks severe penalties, including loss of access to critical databases and legal consequences. Organizations can leverage FBI resources, state authorities, and compliant vendors to achieve and maintain compliance. For detailed guidance, refer to the CJIS Security Policy on the FBI’s website or contact state CJIS representatives.