13 things to know about CJIS compliance

June 13, 2019//Tony Howlett

Last Updated: July 01, 2019

Law Enforcement Agencies (LEAs), other government entities, and the companies that access or manage sensitive US Justice Department information need to ensure that their processes and systems comply with the FBI's Criminal Justice Information Services (CJIS) Security Policy, which covers wireless networking, data encryption, remote access, and the other areas listed below. CJIS compliance matters for law enforcement and other federal, state, local, and tribal government agencies because it protects national security while preserving the civil liberties of individuals and businesses. Because of this, CJIS is one of the most comprehensive and stringent cybersecurity standards. Failure to comply with it can result in denial of access to any FBI database or system, fines, and even criminal charges.

CJIS security policy areas

To protect criminal justice information, the FBI’s CJIS Security Policy document defines implementation requirements and standards for the following 13 security policy areas:

  1. Information Exchange Agreements. The policy specifies how CJI is handled and what the agreements between parties that exchange it must cover. Companies and agencies that use criminal justice information (CJI) must include specific processes and parameters in their information exchange agreements, including:
    • Audits 
    • Dissemination
    • Hit confirmation
    • Logging
    • Quality assurance
    • Pre-employment screening
    • Security
    • Timeliness
    • Training
    • Use of systems
    • Validation
  2. Security awareness training. Anyone with access to CJI must complete security awareness training within six months of being granted access, and repeat it at least every two years. The topics covered depend on the level of access and interaction the individual has with CJI.
  3. Incident response. All breaches and major incidents need to be reported to the FBI's CJIS Division. Companies and agencies must establish procedures for detection, analysis, containment, recovery, and user reporting for all breaches and incidents.
  4. Auditing and accountability. The following events must be audited:
    • Login attempts
    • Access, create, write, delete, and change permissions on user accounts, files, directories, and other system resources
    • Attempts to modify passwords
    • Actions by privileged accounts
    • Attempts to access, modify, or destroy history/log files
  5. Access control. The types of users, classifications, accountability, and associated account management must be defined. Access control criteria should be based on job function, location, network address, and/or time of day, and each account must be limited to the access its role needs.
  6. Identification and authentication. Everyone authorized to access CJI must have a unique identifier and authenticate with at least a standard authenticator (password, PIN, or token). Where CJI is accessed from outside a physically secure location, the policy requires advanced authentication: two or more distinct factors (something you know, have, or are), not merely a second password.
  7. Configuration management. Whether planned or unplanned, changes and updates to the information system platform, architecture, hardware, software, and procedures must be documented. That documentation must be protected from unauthorized access.
  8. Media protection. You must have policies and procedures documented for how digital and physical media will be securely stored, accessed, transported, and destroyed.
  9. Physical protection. CJI and the systems that process it must be kept in physically secure locations with controlled and monitored access (visitor control, locked areas, protection of equipment and displays). Physical media (documents or digital media storage devices) need the same controlled, monitored handling.
  10. Systems and communications protection and information integrity. Applications, services, and information systems must ensure data, system and network integrity. This includes defining and enforcing where and how information can travel within and between systems.
  11. Formal audits. The FBI CJIS Division and the state CJIS Systems Agencies conduct formal audits, at least every three years, to verify compliance with the CJIS Security Policy.
  12. Personnel security. Anyone that will have access to unencrypted CJI must go through detailed security screening during hiring, termination, transfer and other employee/vendor lifecycle events.
  13. Mobile devices. The CJIS Security Policy outlines considerations and requirements for managing systems and network access via smartphones, tablets, and other mobile devices. This includes current wireless security protocols (WPA2 or later with AES encryption; the obsolete WEP and original WPA are not acceptable), device certificates, device management, etc.
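The audit requirement in item 4 is easier to state than to verify: the question a practitioner actually faces is whether the logs being collected contain evidence of every required event class. The following Python check is an added example, not code from the article or from the CJIS Security Policy. It classifies Linux auth.log-, sudo- and passwd-style lines into the five required classes and reports any class for which a log sample contains nothing at all. The sample lines, host and user names, and the regular expressions are constructed for the example and are assumptions about log wording; tune them to the systems you collect from.

```python
from __future__ import annotations

import re
from collections import Counter

# The five event classes the article lists under "Auditing and accountability",
# each mapped to a pattern that recognises common Linux log wording for it.
# Patterns are this example's assumption, not part of the policy text.
REQUIRED_EVENTS = {
    "login_attempt": re.compile(
        r"(Accepted|Failed) (password|publickey) for|authentication failure|session opened for user"),
    "account_or_resource_change": re.compile(
        r"\b(useradd|usermod|userdel|groupadd|groupmod|chmod|chown|setfacl)\b|new user:|delete user"),
    "password_change": re.compile(r"password changed for|chauthtok"),
    "privileged_action": re.compile(r"\bsudo:.*COMMAND=|\bsu\[\d+\]: .*session opened"),
    "log_file_access": re.compile(r"/var/log/"),
}

# Constructed sample (fictional host "cji-app1", users "jdoe" and "tsmith").
SAMPLE_LOG = """\
May  2 13:04:55 cji-app1 sshd[4121]: Failed password for jdoe from 10.20.5.7 port 51022 ssh2
May  2 13:05:02 cji-app1 sshd[4121]: Accepted password for jdoe from 10.20.5.7 port 51022 ssh2
May  2 13:06:10 cji-app1 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/useradd tsmith
May  2 13:06:10 cji-app1 useradd[4150]: new user: name=tsmith, UID=1002, GID=1002, home=/home/tsmith, shell=/bin/bash
May  2 13:07:41 cji-app1 passwd[4161]: pam_unix(passwd:chauthtok): password changed for tsmith
May  2 13:09:03 cji-app1 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/rm /var/log/auth.log.1
""".splitlines()


def classify(line: str) -> set[str]:
    """Return the required event classes a single log line evidences.

    One line can evidence several: a sudo rm of a file under /var/log is both
    a privileged action and an attempt to destroy a log file.
    """
    return {name for name, pattern in REQUIRED_EVENTS.items() if pattern.search(line)}


def coverage(lines) -> Counter:
    """Count evidence per required class; classes with no evidence stay at 0."""
    counts = Counter({name: 0 for name in REQUIRED_EVENTS})
    for line in lines:
        counts.update(classify(line))
    return counts


def audit_gaps(lines) -> list[str]:
    """Required event classes for which the sample contains no evidence."""
    return sorted(name for name, n in coverage(lines).items() if n == 0)


if __name__ == "__main__":
    for name, n in coverage(SAMPLE_LOG).items():
        print(f"{name:28s} {n}")
    print("gaps (full sample):", audit_gaps(SAMPLE_LOG))
    # A feed that only carries SSH and sudo events is visibly short of evidence
    # for password changes and log-file access.
    print("gaps (first three lines):", audit_gaps(SAMPLE_LOG[:3]))
```

A zero count does not prove the event never happened, only that the collected feed would not show it; that distinction is what an auditor will probe, so run the check against a sample long enough to contain expected routine events (a password change, a log rotation) before concluding that coverage is complete.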
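Items 5 and 6 together describe one decision: may this user, in this role, from this network address, at this hour, with these credentials, perform this action on CJI? The policy evaluator below is an added example written for this page, not code from the article, the FBI, or any CJIS product. The network ranges, roles, permitted hours, and the mapping of credential types to factor classes are assumed values for a fictional agency; the one rule taken from the policy text is that access from outside a physically secure location needs two distinct authentication factors.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# Assumed network design: the dispatch-centre LAN counts as a physically secure
# location; the VPN pool is an approved remote-access path but is not secure.
PHYSICALLY_SECURE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
REMOTE_ACCESS_NETWORKS = [ipaddress.ip_network("10.99.0.0/24")]

# Assumed job-based permissions (least privilege: the vendor admin who
# maintains the platform gets no CJI access at all).
ROLE_PERMISSIONS = {
    "dispatcher": {"cji.query"},
    "records_clerk": {"cji.query", "cji.update"},
    "vendor_admin": set(),
}

# Assumed permitted hours per role as (start, end); a window may wrap midnight.
ROLE_HOURS = {
    "dispatcher": (time(0, 0), time(23, 59, 59)),
    "records_clerk": (time(7, 0), time(19, 0)),
    "vendor_admin": (time(22, 0), time(4, 0)),
}

# Which factor class (know / have / are) each presented credential type is.
FACTOR_CLASS = {
    "password": "know", "pin": "know",
    "hardware_token": "have", "otp": "have", "certificate": "have",
    "fingerprint": "are",
}


@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    role: str
    action: str
    source_ip: str
    when: datetime
    credentials: frozenset[str]   # credential types verified for this session


def in_any_network(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def within_hours(role: str, when: datetime) -> bool:
    start, end = ROLE_HOURS[role]
    t = when.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end      # window wraps past midnight


def distinct_factors(credentials) -> int:
    """A password plus a PIN is still one factor: count distinct classes."""
    return len({FACTOR_CLASS[c] for c in credentials if c in FACTOR_CLASS})


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Decide a request; returns (permitted, reason) so denials are auditable."""
    if req.role not in ROLE_PERMISSIONS:
        return False, f"unknown role {req.role!r}"
    if req.action not in ROLE_PERMISSIONS[req.role]:
        return False, f"role {req.role!r} is not permitted {req.action!r}"
    if not within_hours(req.role, req.when):
        return False, "outside permitted hours for role"
    secure = in_any_network(req.source_ip, PHYSICALLY_SECURE_NETWORKS)
    if not secure and not in_any_network(req.source_ip, REMOTE_ACCESS_NETWORKS):
        return False, f"source address {req.source_ip} is not in an approved network"
    factors = distinct_factors(req.credentials)
    if factors < 1:
        return False, "no recognised authentication factor presented"
    if not secure and factors < 2:
        return False, "advanced (multi-factor) authentication required outside a physically secure location"
    return True, "permit"


if __name__ == "__main__":
    noon = datetime(2019, 7, 1, 12, 0)
    for req in (
        AccessRequest("jdoe", "dispatcher", "cji.query", "10.20.5.7", noon, frozenset({"password"})),
        AccessRequest("tsmith", "records_clerk", "cji.update", "10.99.0.12", noon, frozenset({"password"})),
        AccessRequest("tsmith", "records_clerk", "cji.update", "10.99.0.12", noon, frozenset({"password", "hardware_token"})),
        AccessRequest("jdoe", "dispatcher", "cji.query", "203.0.113.5", noon, frozenset({"password", "otp"})),
    ):
        print(req.user_id, req.source_ip, sorted(req.credentials), "->", evaluate(req))
```

The evaluator returns the reason with every decision on purpose: item 4 requires that access attempts be audited, and a denial that only says "no" is much less useful to the reviewer than one that says which criterion failed.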

CJIS compliance checklist

Download our overview of CJIS and use the interactive SecureLink CJIS Compliance checklist to help you determine if your network access is CJIS compliant.
