CJIS compliance requirements and the 13 security policy areas

What is CJIS compliance? Explore the 13 security policy areas of the regulation

CJIS compliance defines how criminal justice information must be protected across government agencies and their partners. This guide breaks down the FBI’s 13 CJIS Security Policy areas and explains what they mean in practice.

If you have any involvement with government entities and operations, you’ve likely heard of CJIS compliance. The Criminal Justice Information Services (CJIS) Division is the largest division of the Federal Bureau of Investigation (FBI) and the primary source of information and services for law enforcement, national security, and intelligence community partners.

To help keep government agencies safe from malicious cyber activity and data breaches, CJIS released a security policy that outlines 13 policy areas that all government agencies must follow to stay compliant and protected from bad actors. Let’s take a deeper look at what CJIS compliance is, the role it plays in government cybersecurity, and the tools needed to address the 13 CJIS Security Policy areas to maintain compliance within government institutions.

What is CJIS compliance?

The Criminal Justice Information Services (CJIS) Security Policy is a federal framework that governs how law enforcement and public safety agencies must protect sensitive criminal justice data. It defines detailed requirements for authentication, access control, data encryption, auditing, incident response, and personnel security, to ensure that only authorized individuals can access systems containing criminal justice information.

CJIS compliance is mandatory for any organization that handles this kind of data — from local police departments to state agencies and their technology partners — and serves as the baseline for safeguarding information that, if exposed, could compromise investigations, public safety operations, and individual privacy.

CJIS provides a centralized source of criminal justice data to agencies and authorized third parties throughout the United States. It encompasses several key systems, including the National Crime Information Center (NCIC), the National Instant Criminal Background Check System (NICS), and the Integrated Automated Fingerprint Identification System (IAFIS).

Given the serious nature of criminal justice cyber threats, CJIS compliance is among the most comprehensive and stringent cybersecurity standards in the US. Failure to comply can result in denial of access to FBI databases or CJIS systems, fines, and even criminal charges.

What are the key requirements for CJIS compliance?

To protect criminal justice data and systems, the FBI created the CJIS Security Policy document, which defines requirements and standards for the following 13 security policy areas:

  1. Information exchange agreements

    Organizations must define procedures for handling CJIS data, including:

    • Audits
    • Logging
    • Quality assurance
    • Pre-employment screening
    • Security
    • Timeliness
    • Training
    • Use of systems

  2. Security awareness training

    Anyone with access to CJIS data must complete security awareness training within six months of assignment and at regular intervals thereafter.

  3. Incident response

    All cybersecurity incidents and data breaches must be reported, and organizations must maintain documented response procedures.

  4. Auditing and accountability

    The following events must be logged and auditable:

    • Login attempts
    • Changes to user permissions
    • Password modification attempts
    • Actions by privileged accounts
    • Attempts to alter or delete log files

  5. Access control

    Access to CJIS systems must follow least-privilege principles and be monitored at all times.

  6. Identification and authentication

    Each authorized user must have a unique identity and use approved authentication methods such as multifactor authentication.

  7. Configuration management

    Changes to systems and infrastructure must be documented and protected from unauthorized access.

  8. Media protection

    Policies must govern the secure storage, transport, and destruction of physical and digital media.

  9. Physical protection

    Physical access to CJIS data and media must be restricted and monitored.

  10. Systems and communications protection and information integrity

    Systems must protect data integrity and control how information moves between networks and applications.

  11. Formal audits

    Government agencies conduct regular audits to verify CJIS compliance.

  12. Personnel security

    Individuals with access to unencrypted CJIS data must undergo thorough background screening. Vendor identification is also required.

  13. Mobile devices

    CJIS policy includes requirements for accessing systems from smartphones, tablets, and other mobile devices, including remote access controls.

The CJIS compliance audit

The CJIS Audit Unit (CAU) conducts audits every three years to ensure CJIS compliance across government institutions.

Although audits can seem intimidating, the CAU provides documentation outlining discussion points and required reports so agencies can prepare in advance.

Resources such as the Imprivata CJIS compliance made practical guide can help organizations determine which cybersecurity solutions help achieve CJIS compliance.