What you need to know now about CJIS 6.0
The FBI has raised the bar for protecting criminal justice data. Discover what’s new in CJIS 6.0.
The FBI’s Criminal Justice Information Services (CJIS) Security Policy sets the standard for how law enforcement agencies and their partners protect some of the most sensitive data in government. This framework is essential for ensuring the integrity, confidentiality, and availability of criminal justice information — and the rules have changed in a big way.
The FBI has issued two major updates to the CJIS Security Policy: version 5.9.5 in July 2024 and version 6.0 in December 2024. These updates raise the bar for agencies, vendors, and third parties who handle criminal justice information, and CJIS compliance is not optional.
Who must comply with CJIS
CJIS requirements apply to every entity that creates, stores, accesses, or transmits criminal justice data. This includes a broad range of organizations and partners, each with unique access points that could present vulnerabilities if not properly secured.
- State and local law enforcement agencies, as well as court systems and prosecution offices, must comply with CJIS because they are on the front line of criminal justice operations. They often access and share sensitive data in real time during investigations, traffic stops, and public safety incidents.
- Regional task forces bring together personnel from multiple agencies to collaborate on joint operations, which increases the number of systems, networks, and endpoints that must meet the same security standards.
- Third-party vendors and contractors often provide critical tools, technology, and services, but they also introduce supply chain risks. Without rigorous access controls and oversight, these partners can become an entry point for cyberattacks.
- Any organization or individual interacting with criminal justice information systems, from IT support providers to software developers, must follow CJIS protocols to maintain the integrity of shared data environments.
By understanding that CJIS compliance is not limited to sworn officers, agencies can better assess where potential vulnerabilities may exist across their extended networks.
Key changes in CJIS 5.9.5 and 6.0
CJIS 5.9.5: Multifactor authentication becomes mandatory
CJIS version 5.9.5 marked a significant shift from recommended best practices to mandated security controls. Multifactor authentication (MFA) is now required for every user accessing criminal justice data, ensuring that stolen credentials alone cannot grant access.
MFA must include at least two distinct factors:
- Something you know, such as a password or PIN, which forms the first layer of defense but can be compromised if used alone.
- Something you have, such as a smart card, secure token, or mobile device, providing an additional barrier that is harder for attackers to replicate.
- Something you are, such as a fingerprint or facial recognition, leveraging biometric data to tie access to a unique physical trait.
By combining these factors, agencies significantly reduce the likelihood of unauthorized access even if one element is breached.
CJIS 6.0: Expanding the security perimeter
CJIS version 6.0 built upon the MFA requirement with additional measures that strengthen both day-to-day operations and long-term system security:
- Continuous monitoring requires agencies to detect and investigate suspicious activity in real time, ensuring that potential threats are addressed before they escalate into full breaches.
- Third-party and supply chain risk management puts vendors, contractors, and partners under the same security expectations as internal staff, with documented risk assessments and clearly defined access controls.
- Lifecycle security planning mandates that security considerations be integrated from the earliest stages of system design through deployment, maintenance, and eventual decommissioning.
These changes recognize the complexity of modern law enforcement operations, where data is accessed across multiple devices, networks, and jurisdictions, all of which must meet uniform security standards.
Why this matters now
The latest updates to CJIS are a direct response to an increasingly hostile cyber threat environment. According to Verizon’s 2025 Data Breach Investigations Report, 22% of public sector breaches stem from credential abuse, making it the most common attack vector. For agencies tasked with protecting public safety, the stakes are especially high.
Criminal justice agencies manage a vast ecosystem of devices, systems, and people. Many operate in the field, often accessing sensitive systems from mobile units or remote locations. Every one of these access points represents a potential weakness if not properly secured. CJIS 6.0 addresses these realities with targeted, enforceable standards that agencies must act on immediately.
The urgency for action
Meeting the new CJIS requirements isn’t optional, of course, and failure to comply can lead to the FBI denying access to its databases, fines, and potential criminal charges. But on top of that, complying with CJIS also helps protect the integrity of investigations, the safety of personnel, and the trust of the communities served. Agencies that take a proactive approach to compliance will be better positioned to defend against cyberattacks, recover quickly from incidents, and maintain operational continuity.
If your systems, vendor relationships, or security processes are not yet aligned with CJIS 6.0 requirements, now is the time to assess, plan, and act.