CJIS Security Policy Compliance: Requirements, Controls List, and Best Practices

October 31, 2024

Author: Emily Bonnie, Senior Content Marketing Manager

Reviewer: Rob Gutierrez, Senior Compliance Manager

Malware attacks on state and local governments increased by 148% in 2023, and non-malware cyberattacks increased by 37%. Given this relentless and increasing string of attacks, law enforcement agencies and their partners face mounting pressure to secure the data they manage.

The CJIS Security Policy was developed by the FBI’s Criminal Justice Information Services division to protect sensitive law enforcement data, but the policy affects a wide range of organizations — including contractors, vendors, and service providers — that interact with criminal justice systems and their information. If your organization handles CJI or CHRI in any capacity, compliance with the CJIS Security Policy is not optional; it’s a legal requirement.

Whether you're just starting to learn about CJIS or are looking for ways to simplify your compliance efforts, this article will give you the foundational knowledge you need. We’ll break down what the CJIS Security Policy is, its purpose, and who needs to comply with it. We’ll also explore each policy area’s key requirements, the security addendum and audit process, and provide a spreadsheet that maps Security Policy requirements to NIST 800-53 controls to help you focus your efforts.

What is CJIS?

CJIS stands for Criminal Justice Information Services, a division of the Federal Bureau of Investigation (FBI). Established in 1992, CJIS manages the FBI's criminal justice information databases and services. These services are crucial for law enforcement agencies, providing access to tools that assist with criminal investigations, identity verification, and background checks.

The CJIS division protects a wide range of sensitive information related to criminal justice activities. This data, referred to as Criminal Justice Information (CJI) or Criminal History Record Information (CHRI), includes both personally identifiable information and law enforcement-specific records:

  • Biometric data: Fingerprint records, palm prints, iris scans, mugshots, and facial recognition data.
  • Criminal history information: Criminal records, including information about arrests, convictions, and incarceration records, as well as details of active warrants and court dispositions.
  • Personally Identifiable Information (PII): Full names of individuals involved in criminal justice matters; current and past residential addresses; social security numbers; and dates of birth.
  • Identity history data: Records of identity verification, including names, aliases, dates of birth, and associated criminal records that help confirm a person's identity.
  • Case and incident data: Documentation of criminal cases, including investigation details, reports, and evidence, as well as incident reports filed by law enforcement officers regarding specific criminal activities or incidents.
  • Warrants and protection orders: Details of active arrest warrants and legal orders, such as restraining orders.
  • Property data: Data about stolen vehicles, firearms, or other property entered into criminal justice databases.
  • Sex offender registry data: Information on individuals registered as sex offenders, including their personal information, past offenses, and current locations.
  • Licensing data: Criminal justice background information used to vet individuals applying for sensitive positions (such as firearm licenses or law enforcement jobs).
  • Cybersecurity threat data: Information related to cybersecurity threats or incidents targeting criminal justice information systems, ensuring that these threats are reported and addressed.
  • Gang and terrorist watchlists: Data on individuals involved in or suspected of gang activities or terrorist-related activities, helping agencies track and prevent organized crime or terror threats.
  • Interagency communication data: Communications between law enforcement agencies that may involve shared intelligence, cross-jurisdictional cooperation, and case coordination.
  • Transaction and log data: Details of access to CJI data systems, including who accessed what information, and when, helping ensure accountability and detect unauthorized access.

Each of these types of data is tightly controlled under CJIS guidelines, with strict requirements around access, encryption, monitoring, and reporting to protect its integrity and confidentiality.

What is the CJIS Security Policy and who needs to comply?

The FBI CJIS Security Policy establishes minimum security requirements for organizations that handle CJI, including law enforcement agencies, non-criminal justice agencies, government contractors, and IT service providers. Compliance with this policy ensures that CJI is protected against unauthorized access, security incidents, data breaches, and cyber threats.

The CJIS Security Policy integrates presidential and FBI directives, federal laws, and the criminal justice community's Advisory Policy Board decisions, along with guidance from the National Institute of Standards and Technology (NIST), to cover a comprehensive set of data security best practices.

CJIS compliance is required for any entity that interacts with criminal justice data, including law enforcement agencies, criminal justice agencies, government contractors and subcontractors, public safety organizations, and any non-criminal justice agencies or service providers with access to CJI. Non-compliance can lead to legal penalties, security breaches, the loss of contracts with government agencies, and even criminal charges.

Understanding the CJIS Security Policy Areas and requirements

The latest version of the CJIS Security Policy, version 5.9.5, is grouped into 13 areas — each with its own set of requirements. Each of these policy areas addresses a different aspect of security, from ensuring secure information exchanges to protecting physical environments.

Each CJIS Security Policy requirement is mapped to specific NIST 800-53 controls. As one of the most comprehensive standards for federal compliance, NIST 800-53 includes more than a thousand security and privacy controls designed to protect federal information systems and sensitive data.

The CJIS Security Policy maps its security requirements to a relevant subset of these NIST 800-53 controls. This not only allows CJIS to align with established best practices for information security, it also makes it easier for organizations that are already NIST compliant to also meet CJIS requirements.

The CJIS Information Security Officer (ISO) provides a document that maps CJIS requirements to a list of nearly 500 “best fit” NIST 800-53 rev. 5 controls. Organizations can reference this document as guidance when selecting which controls to implement to meet CJIS Security Policy requirements.

Let’s dive into each policy area to understand its focus and requirements.

1. Information Exchange Agreements

When criminal justice agencies share CJI with other organizations, it's crucial that both parties agree on how they will handle the data to ensure it’s protected at every stage. The Information Exchange Agreements policy area ensures that any time CJI is exchanged, formal agreements are in place to outline roles, responsibilities, and security expectations.

These agreements cover things like how data should be transmitted securely, who is responsible for protecting it, and how to handle situations where data may be shared with third-party contractors. 

There are 14 requirements and 27 possible controls for this policy area, including:

  • Formal agreements must be in place whenever CJI is exchanged between parties, defining the roles and security responsibilities of both sides.
  • Data handling controls ensure that information is transmitted, received, and stored securely, often requiring encryption and access controls.
  • Auditing mechanisms track who accesses and uses shared CJI.

2. Security Awareness Training

Security isn’t just about technology; it's also about people. This policy area focuses on educating personnel about the risks involved in handling CJI. This includes understanding how to recognize security threats like phishing attacks, the importance of strong passwords, and how to report potential incidents.

Training needs to happen regularly, and it should be tailored to the specific roles employees play within the organization. For example, IT staff might need to know more about system security, while administrative staff may focus on identifying social engineering attempts. This policy ensures that everyone who touches CJI knows how to protect it.

There are 8 requirements and 17 possible controls for this policy area, including:

  • Regular training sessions are required for all personnel who handle CJI. Training must cover topics such as password management, recognizing phishing attacks, and reporting security incidents.
  • Role-based training is required, ensuring that personnel understand their responsibilities based on their access level.
  • Organizations must document training sessions, track employee participation, conduct periodic refresher courses to stay compliant, and retain training records for the organization-defined period of time.

3. Incident Response

When a security breach or other incident occurs, organizations must be prepared to respond efficiently and effectively. The Incident Response policy area makes sure that organizations have a plan in place for dealing with potential security threats to CJI.

Organizations are required to create an incident response plan that details how to detect, respond to, and recover from incidents. It also requires a process for reporting incidents, both internally and to external authorities, so that security breaches are addressed quickly and thoroughly. Regular testing of this plan is critical to ensure that when something does go wrong, the organization is ready to act.

There are 9 requirements and 20 possible controls for the Incident Response policy area, including:

  • Incident response plans must be developed, detailing the steps to take during a security incident.
  • Organizations must establish reporting procedures for notifying relevant authorities when an incident occurs.
  • Testing and updates to incident response plans are required to ensure they remain effective over time.
  • Organizations need to regularly test their incident response capabilities and document both successful and unsuccessful responses to incidents.

4. Auditing and Accountability

Knowing who accessed CJI, when they accessed it, and what they did with it is key to protecting this sensitive information. The Auditing and Accountability policy area ensures that all access to CJI is logged and monitored.

Organizations must put systems in place that track every interaction with CJI, creating an audit trail that can be reviewed to spot unauthorized access or unusual activity. Regularly reviewing these logs helps organizations catch security issues before they become serious problems. 

There are 10 requirements and 26 possible controls for this area, including:

  • Systems must implement audit logs that capture critical information such as who accessed CJI, when, and what actions were performed.
  • Log retention policies dictate how long audit logs should be maintained, often requiring storage for a minimum of 12 months.
  • Automated tools are often needed to monitor logs and flag suspicious activity.
  • Organizations must ensure that audit trails are comprehensive and that personnel are assigned to review logs for potential security issues.
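An added example (not code from the article or from the CJIS Security Policy) of the kind of automated log review the Auditing and Accountability area calls for: it checks constructed JSON-lines CJI access records for the who/when/what fields, measures whether the retained history spans the 12-month minimum the article cites, and flags repeated denied accesses for a human reviewer. The record schema, field names and review thresholds are assumptions made for the example.

```python
"""Compliance checks over CJI access audit records (added example).

The record schema (JSON lines with user, timestamp, action, record_id,
outcome) and the sample log lines are constructed for illustration.
The 12-month retention figure is the one the article cites.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Fields the article says an audit record must capture: who, when, what (plus result).
REQUIRED_FIELDS = ("user", "timestamp", "action", "record_id", "outcome")
RETENTION = timedelta(days=365)     # article: logs kept for a minimum of 12 months
DENIED_THRESHOLD = 3                # constructed review threshold, not a CJIS value
DENIED_WINDOW = timedelta(minutes=10)

# Constructed sample log lines (not real CJI access data). Line 6 lacks a
# record_id; line 7 is not valid JSON.
SAMPLE_LOG = """\
{"user": "jdoe", "timestamp": "2024-09-01T14:02:11Z", "action": "QUERY", "record_id": "CHRI-0001", "outcome": "SUCCESS"}
{"user": "jdoe", "timestamp": "2024-09-01T14:05:40Z", "action": "VIEW", "record_id": "CHRI-0001", "outcome": "SUCCESS"}
{"user": "asmith", "timestamp": "2024-09-02T03:11:02Z", "action": "QUERY", "record_id": "CHRI-0042", "outcome": "DENIED"}
{"user": "asmith", "timestamp": "2024-09-02T03:12:15Z", "action": "QUERY", "record_id": "CHRI-0043", "outcome": "DENIED"}
{"user": "asmith", "timestamp": "2024-09-02T03:14:50Z", "action": "QUERY", "record_id": "CHRI-0044", "outcome": "DENIED"}
{"user": "svc_backup", "timestamp": "2024-09-03T01:00:00Z", "action": "EXPORT", "outcome": "SUCCESS"}
this line is corrupted and is not json
"""


def _ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-09-01T14:02:11Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text):
    """Return (records, malformed_line_numbers); each record keeps its line number."""
    records, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            malformed.append(lineno)
            continue
        rec["_line"] = lineno
        records.append(rec)
    return records, malformed


def incomplete_records(records):
    """Map line number -> missing required fields, for records that do not say who/when/what."""
    gaps = {}
    for rec in records:
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            gaps[rec["_line"]] = missing
    return gaps


def retention_coverage(records, now):
    """Days of history present in the log, and whether that span meets the 12-month minimum."""
    stamps = [_ts(r["timestamp"]) for r in records if "timestamp" in r]
    if not stamps:
        return 0, False
    span = now - min(stamps)
    return span.days, span >= RETENTION


def flag_repeated_denials(records):
    """Users with >= DENIED_THRESHOLD denied accesses inside DENIED_WINDOW -> max count seen."""
    by_user = defaultdict(list)
    for rec in records:
        if rec.get("outcome") == "DENIED" and "user" in rec and "timestamp" in rec:
            by_user[rec["user"]].append(_ts(rec["timestamp"]))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > DENIED_WINDOW:
                start += 1
            count = end - start + 1
            if count >= DENIED_THRESHOLD:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def review(text, now_iso):
    """Run all checks and return a summary a log reviewer can act on."""
    records, malformed = parse_log(text)
    days, ok = retention_coverage(records, _ts(now_iso))
    return {
        "malformed_lines": malformed,
        "incomplete": incomplete_records(records),
        "retention_days": days,
        "retention_ok": ok,
        "repeated_denials": flag_repeated_denials(records),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(review(SAMPLE_LOG, "2025-09-15T00:00:00Z"))
```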

5. Access Control

This policy area ensures that only the right people have access to CJI and that access is limited to the information they need to do their jobs.

Role-based access control is a common solution, where access permissions are assigned based on an employee's job role. High-risk users, such as system administrators, may need multi-factor authentication (MFA) to further protect their accounts. By using the principle of least privilege and implementing strong authentication, organizations can greatly reduce the risk of unauthorized access to CJI.

There are 13 requirements and 38 possible controls for the Access Control policy area, including:

  • Role-based access control (RBAC) ensures that personnel only have access to CJI necessary for their duties.
  • Least privilege principles mandate that access to systems is restricted to what is necessary for job performance.
  • Access control systems must support multi-factor authentication (MFA) to protect sensitive accounts.
  • Organizations must implement technology that enforces access controls and regularly review permissions to prevent unauthorized access.

6. Identification and Authentication

Verifying who is accessing CJI is a cornerstone of security. The Identification and Authentication policy area ensures that every person or system accessing CJI is who they say they are. This policy requires the use of unique identifiers (such as user IDs) and authentication methods like passwords, MFA, or even biometrics.

The focus is on creating a layered defense so that if one control (like a password) is compromised, other safeguards (such as an additional authentication step) are in place. 

The Identification and Authentication policy area includes 17 requirements and 39 possible controls, including:

  • Unique identification and authentication credentials must be assigned to all users accessing CJI.
  • Multi-factor authentication (MFA) is required to provide an additional layer of security for high-risk systems.
  • Password management policies must be implemented to enforce strong passwords and periodic changes.
  • Organizations need to ensure all personnel use strong authentication methods and implement MFA where necessary.

7. Configuration Management

The Configuration Management policy area focuses on ensuring that the systems used to store or process CJI are properly configured and maintained. Changes to system configurations need to be controlled and documented so that security vulnerabilities aren’t accidentally introduced.

Organizations must have a formal process for managing system changes, like applying updates or installing new software. By tracking and approving changes, they can ensure that systems remain secure over time. 

Configuration management includes 5 requirements and 39 possible controls, including:

  • Change control processes ensure that any changes to system configurations are documented and approved.
  • Systems must undergo regular configuration audits to detect unauthorized changes or vulnerabilities.
  • Version control must be used to ensure that system updates are tracked and managed.
  • Organizations need to develop and follow a configuration management plan to ensure systems are secure and up to date.

8. Media Protection

Whether it's a physical hard drive or a digital file, the Media Protection policy area ensures that any media containing CJI is handled securely. This policy covers the entire lifecycle of media — from creation to disposal.

For digital media, encryption is typically required to prevent unauthorized access, especially when the media is transported or stored outside of secure facilities. Physical media, such as backup tapes or printed documents, must be kept in secure locations and properly disposed of when no longer needed.

This policy area includes 7 requirements and 16 possible controls, including:

  • Encryption is required for digital media containing CJI, especially when it is transported or stored offsite.
  • Media disposal policies must ensure that CJI is securely wiped or destroyed when no longer needed.
  • Physical controls must prevent unauthorized access to media, such as hard drives or USB devices.
  • Organizations must track and securely handle all media containing CJI, from creation to destruction.

9. Physical Protection

This policy area focuses on securing the physical locations where CJI is accessed, stored, or processed. This means implementing physical barriers, like locked doors, surveillance cameras, and access badges, to prevent unauthorized individuals from gaining access.

Access to controlled areas, where CJI is stored or handled, must be restricted to authorized personnel. Visitors should be closely monitored, and access logs should be kept to track who enters these secure areas. Physical protection is as important as digital security when it comes to keeping CJI safe.

The physical protection policy area includes 11 requirements with 17 possible controls, including:

  • Physical access controls such as locked doors, security badges, and surveillance cameras must be implemented.
  • Visitor access to secure areas must be controlled, logged, and monitored.
  • Sensitive areas should be designated as controlled areas, where access is limited to authorized personnel only.
  • Organizations need to implement strong physical security measures to prevent unauthorized access to facilities housing CJI.

10. Systems and Communications Protection and Information Integrity

This is one of the most extensive policy areas in the CJIS Security Policy, covering a broad range of 150+ controls to ensure that CJI remains secure during transmission and storage.

This policy area requires encryption for CJI transmitted over public networks, the use of firewalls and intrusion detection systems, and regular monitoring to catch potential malware or system vulnerabilities. The goal is to ensure that sensitive data stays secure, even as it's accessed and shared across different systems.

The policy area includes 20 requirements with 163 possible controls, including:

  • Encryption is required for transmitting CJI over public networks and when stored.
  • Firewalls and intrusion detection systems (IDS) must be implemented to protect systems from external attacks.
  • Malware protection ensures that systems are regularly scanned for viruses and other malicious software.
  • Organizations must ensure that all communications and systems handling CJI are secure and regularly updated to defend against threats.

11. Formal Audits

Organizations handling CJI must undergo regular audits to ensure compliance with the CJIS Security Policy. This policy area requires these organizations to review their practices and security measures regularly to make sure they meet the standards set by the FBI.

Audits help organizations identify areas where they may be falling short and develop remediation plans to address any issues. By staying audit-ready, organizations can be proactive about catching potential problems before they become serious compliance issues.

There are 7 requirements and 9 possible controls for this policy area, including:

  • Audits must assess how well an organization is complying with CJIS standards, including data handling, access control, and physical security.
  • Remediation plans must be developed to address any gaps or deficiencies identified during an audit.
  • Organizations need to prepare for audits by regularly reviewing their security posture and addressing any issues in advance.

12. Personnel Security

This policy area ensures that individuals who have access to CJI are properly vetted and monitored. This starts with conducting background checks before granting access and extends to ensuring that personnel sign non-disclosure agreements acknowledging their responsibility to protect CJI.

Organizations must also have procedures in place to revoke access quickly when personnel no longer need it, such as when they leave the organization or change job roles. This ensures that only authorized and trustworthy individuals have access to sensitive data.

This policy area includes 5 requirements with 12 possible controls, including:

  • Background checks must be conducted on personnel before granting access to CJI.
  • Personnel must sign non-disclosure agreements to confirm their understanding of the security requirements related to CJI.
  • Access termination procedures ensure that access is immediately revoked when personnel no longer require it.
  • Organizations must maintain strict personnel security protocols to ensure that only trustworthy individuals have access to CJI.

13. Mobile Devices

As mobile devices become more common in law enforcement, the Mobile Devices policy area provides guidelines for securing smartphones, tablets, and laptops used to access or store CJI.

Encryption is a key requirement here, ensuring that if a device is lost or stolen, the CJI it contains is still protected. Remote wiping capabilities must also be in place to allow organizations to erase data from compromised devices. Mobile device management (MDM) solutions are typically used to enforce these security policies and manage device configurations.

This final policy area includes 21 requirements with 75 possible controls, including:

  • Encryption is required for any CJI stored on or accessed via mobile devices such as smartphones, laptops, or tablets.
  • Remote wiping must be enabled to allow organizations to erase CJI from lost or stolen devices.
  • Mobile device management (MDM) solutions should be used to control device configurations and enforce security policies.
  • Organizations need to manage mobile devices carefully, ensuring they are configured securely and that CJI is protected at all times.

CJIS Security Policy Controls List

Get a spreadsheet that lists all CJIS Security Policy requirements and maps them to NIST 800-53 controls to organize and track your compliance efforts.

Key roles and responsibilities for CJIS Security Policy compliance

Organizations seeking CJIS compliance must assign key roles to ensure proper management, access control, and integrity of the CJIS network at both local and agency levels. They must also appoint a CSO and an ISO to oversee the broader compliance efforts and technical administration of CJIS systems. These roles are designed to maintain the security, integrity, and confidentiality of CJI and ensure proper administration at every level.

Terminal Agency Coordinator (TAC)

The TAC serves as the primary point of contact at the local agency level for matters relating to CJIS information access. The TAC is responsible for administering CJIS systems programs within the agency, ensuring local compliance with CJIS policies, and facilitating communication between the agency and CJIS authorities.

Agency Coordinator (AC)

The AC is an individual appointed by the CGA (Contracting Government Agency) to manage the agreement between the government agency and a contractor. The AC oversees the security and integrity of the system, ensuring that all personnel are trained and certified in CJIS compliance and that the contractor adheres to the required security measures.

Local Agency Security Officer (LASO)

The LASO is assigned at the local level to oversee the use of approved hardware, software, and firmware. The LASO ensures that only authorized individuals have access to CJI systems and that security measures, including personnel screening, are enforced as per CJIS guidelines.

CJIS Systems Officer (CSO)

The CSO is appointed by the head of the CSA and is responsible for managing the CJIS network within the agency’s jurisdiction. The CSO ensures compliance with the CJIS Security Policy, overseeing security operations and delegating responsibilities as necessary to maintain network integrity.

CJIS Systems Agency Information Security Officer (CSA ISO)

The CSA ISO acts as the primary security point of contact between the CSA and the FBI CJIS Division. The CSA ISO is responsible for ensuring the technical compliance of the CSA with the CJIS Security Policy and for addressing security-related issues within the CSA’s jurisdiction.

What is the CJIS Security Addendum?

The CJIS Security Policy is an essential measure to protect CJI when it’s being used by criminal justice and other federal agencies. But what about non-agency vendors and partners that need access to CJI or the systems it’s stored in?

The CJIS Security Addendum is a legally binding document that extends the requirements of the CJIS Security Policy to private contractors, vendors, and third parties who have access to CJI but are not part of a criminal justice agency. Its purpose is to ensure that any external organizations handling CJI comply with the same rigorous security standards as criminal justice agencies, protecting sensitive information from unauthorized access, breaches, or misuse.

Any organization or individual outside of a criminal justice agency that handles, stores, processes, or transmits CJI must sign the CJIS Security Addendum. This typically includes vendors and contractors, Managed Service Providers, cloud service providers, and consultants or other external personnel.

The CJIS Security Addendum outlines several critical responsibilities and security requirements that third parties must adhere to. Here's what’s typically involved:

Security requirements

Vendors and contractors must adhere to the same security controls required of law enforcement agencies, including data encryption, access controls, audit logging, and incident response. These security controls ensure that CJI remains secure, even when handled by external organizations.

Personnel screening

Individuals who work for the third party and will have access to CJI must undergo background checks. The screening process helps verify that only trusted personnel are allowed to handle sensitive criminal justice data. 

Compliance monitoring

The criminal justice agency retains the right to audit and monitor the systems and processes of third-party vendors to ensure ongoing compliance with the CJIS Security Policy. This oversight allows criminal justice agencies to identify and address potential security vulnerabilities before they lead to data breaches or non-compliance issues.

Incident reporting

Contractors must promptly report any security incidents, such as data breaches, unauthorized access, or lost devices that contain CJI. This ensures that the criminal justice agency is aware of any security risks and can respond appropriately to mitigate threats.

Termination clauses

If a vendor or contractor fails to comply with the CJIS Security Policy as outlined in the security addendum, the contract can be terminated. This clause holds external parties accountable for their role in protecting CJI and provides criminal justice agencies with a legal remedy in case of non-compliance.

The CJIS Security Addendum is generally signed at the start of a contract or engagement, when a contract is renewed, or when there is a significant change in the scope of work. By signing the CJIS Security Addendum, third parties agree to comply with all the security standards laid out in the CJIS Security Policy. The CJIS Security Addendum is a legally binding document, making the vendor or contractor accountable for any security lapses that occur under their watch.

Proving compliance: The CJIS audit process

Compliance with the CJIS Security Policy is enforced through a combination of audits, compliance assessments, and ongoing monitoring. Law enforcement agencies, as well as any organizations or vendors that handle CJI, are required to adhere to the strict security standards outlined in the policy. The FBI, along with state and local authorities, also ensures compliance through regular audits and enforcement.

Let’s discuss how the CJIS Security Policy is enforced, the audit process, and the frequency of audits.

Continuous compliance monitoring

Compliance with the CJIS Security Policy is an ongoing requirement for any organization that handles CJI, including federal agencies and their contractors and subcontractors. Each agency or organization is responsible for self-enforcing compliance through internal controls, training, and policy implementation. Failure to comply can lead to significant penalties, including the loss of access to critical criminal justice information systems.

Formal CJIS audits

The FBI’s CJIS division or a state CJIS Systems Agency (CSA) can conduct formal audits to assess whether agencies and vendors are following the CJIS Security Policy's requirements and properly securing CJI.

Before an audit, the organization or agency being audited is typically notified by the FBI’s CJIS division or the state’s CJIS Systems Agency. The agency will usually be provided with information on the scope of the audit and what documentation and systems need to be prepared.

Organizations are expected to provide evidence of their security practices, which could include:

  • Policies and procedures: Documentation of internal policies that ensure CJIS compliance, such as access control policies and incident response procedures.
  • Audit logs and access records: Detailed logs that show who has accessed CJI, what actions they performed, and how access is being monitored.
  • Training records: Proof that personnel have undergone the required security awareness training for handling CJI.

During the audit, CJIS auditors will conduct both technical and operational reviews. This can include interviews with personnel, review of physical security measures, system assessments, incident response testing, and other evaluations to verify compliance.

After the audit, the auditors will compile a report that outlines their findings, including areas where the agency is meeting or exceeding requirements, any areas of non-compliance, and recommendations for remediation. This report is shared with the agency or organization, along with a timeframe for addressing any areas of non-compliance. Remediation can involve updating policies, improving security controls, conducting additional training, or implementing new technologies to better secure CJI. In some cases, a follow-up audit or review may be required to verify that the organization has properly remediated any issues and is now in full compliance.

The FBI CJIS division conducts audits every three years for law enforcement agencies and organizations that have access to CJI. State-level agencies may conduct additional audits, particularly if the criminal justice system or CJI access is managed at the state level. State CJIS Systems Agencies may also have their own audit schedules that supplement the FBI’s audits.

Vendors and third-party service providers that handle CJI are subject to audits as well. These audits are typically coordinated through the agency that contracts with the vendor. Vendors are expected to maintain continuous compliance, and audits may be conducted when contracts are renewed.

Audits may also be triggered by a data breach or other security incident involving CJI. In this case, a special audit may be conducted to assess the cause of the breach and determine whether CJIS requirements were being followed. Criminal justice agencies can also request audits if they suspect a security issue or want to verify that their vendors remain compliant.

Incident and breach notification

Any security incidents involving CJI, such as data breaches or unauthorized access, must be reported promptly to the appropriate authorities. This allows law enforcement agencies and CJIS auditors to investigate, enforce remediation measures, and potentially impose penalties for non-compliance.

Streamline CJIS Security Policy compliance with automation

Achieving and maintaining CJIS Security Policy compliance can be a significant challenge, given its comprehensive and complex nature. Keeping track of all the requirements can feel overwhelming, and maintaining compliance means continually updating policies, retraining staff, and reassessing security measures to ensure they’re still aligned with the current version of the Security Policy. Compliance automation tools can significantly reduce this burden. 

Secureframe can simplify the process of complying with the CJIS Security Policy, helping organizations save time, reduce costs, and enhance their security and compliance posture when handling CJI.

With Secureframe, you get:

  • CJIS compliance expertise: A dedicated support team with former federal auditors and compliance consultants who can guide you through CJIS readiness, audits, and updates.
  • Integrations with secure cloud environments: Automatic evidence collection from your existing tech stack, including secure cloud platforms like AWS GovCloud and Microsoft Azure Government.
  • Prebuilt and customizable policies and templates: Prebuilt policies and procedures aligned with CJIS requirements, customizable to your organization’s needs. Additional templates include Personnel Screening Checklists, Incident Response Plans, and readiness checklists tailored to CJIS compliance.
  • In-platform training: Proprietary employee security awareness and role-based training that meets CJIS requirements and is reviewed and updated annually by compliance experts to ensure your team is always prepared.
  • Role-based access controls: Implement strict data access controls based on roles and a need-to-know basis to meet CJIS standards for protecting CJI.
  • Custom controls and tests: Support for organization-defined implementations of CJIS controls, ensuring your system meets the unique requirements of your agency.
  • Trusted partner network: Relationships with certified assessors who specialize in CJIS compliance and can support your audits and compliance reviews.
  • Cross-mapping across frameworks: Automated mapping of your CJIS compliance efforts across many other frameworks, such as NIST 800-53 and NIST 800-171, to reduce duplicate work and maximize efficiency.
  • Continuous monitoring: 24/7 monitoring to alert you of potential non-compliance, along with vulnerability scanning and POA&M maintenance to ensure continuous compliance with CJIS requirements.

To learn more about how Secureframe can help you comply with the CJIS Security Policy, schedule a demo.

FAQs

What is the CJIS Security Policy?

The CJIS Security Policy, developed by the FBI’s Criminal Justice Information Services (CJIS) division, establishes a set of guidelines and security controls that organizations must follow to protect Criminal Justice Information (CJI). The policy applies to any entity—such as law enforcement agencies, contractors, or service providers—that accesses or handles CJI, outlining best practices for securing sensitive information.

What are the CJIS requirements for 2024?

The CJIS Security Policy for 2024 continues to emphasize the importance of maintaining robust security practices for protecting CJI. Key requirements include:

  • Access control measures to ensure that only authorized personnel can access CJI.
  • Encryption of CJI during transmission and at rest to prevent unauthorized disclosure.
  • Incident response protocols to detect, respond to, and mitigate security breaches.
  • Auditing and accountability procedures to track and log access to CJI.
  • Physical security controls to secure facilities where CJI is stored or accessed.

Additionally, personnel who handle CJI must undergo background checks, and criminal justice agencies must have any third-party contractor that will access CJI sign the CJIS Security Addendum. The policy is regularly updated, and compliance is mandatory for any organization dealing with criminal justice information.

Who is responsible for compliance with the FBI CJIS security policy?

Responsibility for compliance with the FBI CJIS Security Policy rests with both criminal justice agencies and any contractors, vendors, or service providers that handle Criminal Justice Information (CJI).

What is a CJIS Security Addendum?

The CJIS Security Addendum is a legally binding document that extends the security requirements of the CJIS Security Policy to any third-party contractors or service providers who are not part of the criminal justice system but still have access to Criminal Justice Information (CJI). It ensures that these external organizations comply with the same security standards that apply to law enforcement agencies.