A mission to simplify CJIS compliance for those who serve
CJIS compliance shouldn’t slow the mission. Imprivata’s Nick Stohlman shares why he joined a team dedicated to helping agencies strengthen security and speed operations with simple, secure access that works the way public safety does.
When it comes to law enforcement, every shift depends on having access to information and systems when they’re needed most. That’s been true for the entirety of my career, which spans over two decades. Even now, that part of the job hasn’t changed. What has changed is the complexity of the systems.
For more than 37 years, I’ve served in law enforcement and in leadership roles. Across every role, my focus has stayed the same: help those charged with administering justice better understand how to use technology that makes agencies faster, safer, and more compliant. That’s what brought me to Imprivata.
A shared mission
Imprivata is a mission-driven company. That’s important to me because public safety is also mission-driven. The people who serve in this space are dedicated to something larger than themselves, and they need technology that supports that commitment. My role as Vice President of CJIS Program Strategy is to help educate agencies on how to meet the Criminal Justice Information Services (CJIS) Security Policy requirements, while also improving the speed and safety of their operations.
CJIS compliance is about privacy, but it’s also about responder safety. If a dispatcher, officer, or investigator can’t quickly access information because of security barriers, that delay can put lives at risk. Compliance must protect both data and people. That balance is possible when systems are designed with real workflows in mind.
Why agencies should avoid a reactive approach to CJIS compliance
When we talk about cybersecurity and privacy in government, CJIS often gets less attention than other frameworks, such as NIST or HIPAA, which are better known. CJIS is every bit as important for law enforcement, but many agencies lack the resources or staff to keep up with it. Local and state agencies work with tight budgets. They protect critical data and infrastructure with fewer tools than most private organizations have.
When the federal government audits agencies, they’re asking a simple question: “What have you done to comply?” For agencies that haven’t started working on CJIS compliance, that can be a difficult conversation. The most common response is that there’s not enough resources – either money or people – to meet the requirements. In Tennessee and other states, we are already seeing agencies request grant funding to close those gaps. The problem is that compliance becomes a priority only after something goes wrong, and by then, the window to be proactive has closed. When people rush to fix a problem, mistakes follow.
At Imprivata, our goal is to help agencies avoid that cycle. We see ourselves as educators as much as partners. We go in, conduct an assessment, identify areas of noncompliance or solutions that are ill-designed or suboptimal, and help fix them. We can also look at areas that might be technically compliant but could be improved to deliver more value to the organization. We want to help agencies strengthen their security posture and maintain uninterrupted access to the systems that keep their communities safe.
The growing complexity of CJIS
The CJIS Security Policy has continued to evolve, most recently with version 6.0. It now requires multifactor authentication for all users accessing criminal justice data, stricter controls for third-party access, and more robust auditing. These are positive steps that protect both information and accountability, but they also add layers of complexity. Agencies must balance these expectations with the realities of shared workstations, mobile devices, and legacy systems that were never designed for modern access management.
Imprivata helps solve that challenge by integrating secure, seamless authentication across new and old systems. We focus on fast, secure user switching, strong MFA that does not rely on personal devices, and centralized auditing that meets CJIS requirements. Our goal is to simplify the work, not add to it.
A changing threat landscape
Public safety continues to evolve, as do the risks associated with it. Drones, body cameras, and other connected tools generate massive amounts of sensitive information that must be secured and logged. Cloud-based solutions are becoming more common, which introduces new risks related to access management and data integrity. Each new connection point increases the potential for a breach or compliance violation.
The threat environment is also being shaped by emerging technologies like artificial intelligence. I recently spoke at a public safety conference where the topic was AI. Agencies are excited about the potential, but that excitement needs to be matched with caution. We’ve already seen how technologies like facial recognition were adopted quickly, only to be challenged in court. AI will bring similar questions. As of now, CJIS has not provided specific guidance on AI use. That will change, and when it does, agencies will need clear access controls and accountability measures in place.
Technology advances rapidly, but compliance frameworks evolve slowly. That gap is where risk grows. Agencies can manage that risk by focusing on fundamentals: identity, access, and audit. If you can prove who accessed what, when, and from where, you have a strong foundation, no matter how the technology changes.
Why proactive security matters
Most agencies are doing everything they can to protect data with the resources they have. The issue is rarely a lack of intent. It’s bandwidth. IT and security teams are often small. They manage dozens of systems with limited staff. Adding new requirements without simplifying existing workflows creates fatigue and delays.
That’s why an educational, collaborative approach matters. Agencies shouldn’t have to face an audit alone or react to policy updates after they are already overdue. We can help agencies assess their readiness, document their gaps, and build a plan that fits their current infrastructure and budget. The earlier this process starts, the easier it is to close gaps before they lead to bigger problems.
Lessons from the field
Every officer, dispatcher, or analyst knows that small delays add up. A few seconds at login. Another few while switching users. Then the system times out, and the process restarts. An officer then needs to reset their password or contact IT support to help log in. Multiply that across an entire department, and you lose hours of productivity every day. Security controls should never create those kinds of barriers.
When I reflect on my years in the field, I recall moments when a simple system failure could’ve made a potentially hazardous situation even more perilous. That is why I believe technology must work for the people who depend on it, not against them – and compliance should strengthen the mission, not hinder it.
Looking ahead
As we move toward 2026, agencies face pressure to modernize while maintaining compliance. That can feel like a heavy lift, but it is achievable. It starts with a clear view of your current environment, an understanding of your biggest risks, and a partner who can guide you through the steps to address them.
Imprivata is committed to supporting agencies through that process. We bring experience from other mission-critical sectors. We also understand the realities of public safety work, and we know how to make CJIS compliance practical. We’re here to collaborate and deliver solutions that improve both security and performance.
If you lead or support an agency that is working toward CJIS compliance, I encourage you to reach out. Let’s start a conversation about how to simplify compliance, so we can truly serve those who serve.
Connect with me on LinkedIn or reach out through Imprivata to schedule a CJIS readiness conversation. Together, we can identify where you stand today and build a clear path to compliance that fits your mission and your budget.