Definition and purpose

The CJIS Security Policy provides a secure framework of laws, standards, and elements of published and vetted policies for the creation, viewing, and handling of CJI data, such as fingerprint records, criminal histories, and other related criminal justice data. It aims to provide appropriate controls to protect the full lifecycle of CJI, regardless of whether the data is at rest or in transit.

Governing Body

The governing body for the CJIS framework is the Federal Bureau of Investigation (FBI) through its Criminal Justice Information Services Division.

Last updated

The CJIS Security Policy undergoes periodic updates to address evolving threats, technological changes, and legal requirements. The most recent update was released in October 2022.

Applies to

The CJIS standards apply to any local, state, tribal, or federal law enforcement agency (or private entity) that accesses CJI or provides services for agencies that do. This includes police departments, sheriff's offices, private security firms, and even IT contractors and other entities that handle or manage systems containing CJI.

Controls and requirements

The CJIS Security Policy encompasses several areas of security. Some of the primary policy areas include:

• Information Exchange Agreements
• Security Awareness Training
• Incident Response
• Auditing and Accountability
• Access Control
• Identification and Authentication
• Configuration Management
• Media Protection
• Physical Protection
• System and Communications Protection and Information Integrity
• Formal Audits
• Personnel Security
• Mobile Devices

Each policy area contains specific controls, requirements, and guidelines to ensure CJI's safety and security.

Please refer to the official Criminal Justice Information Services Security Policy for a detailed list of controls and requirements.

Audit type, frequency, and duration

All agencies or entities with access to CJI are subject to triennial (every three years) audits to ensure compliance with the CJIS Security Policy. These audits can be both on-site and remote, examining both the technical and non-technical security aspects related to CJI.

The duration of the audit varies based on the size, complexity, and scope of the entity being audited, but can typically range from several days to a few weeks.

Note: For precise, detailed, and updated information on the CJIS Security Policy, always refer to the official documents and resources provided by the FBI.