What is CJI?
Criminal justice information (CJI) must be protected from the ever-increasing security risks of the digital age. Therefore, organizations that handle CJI must comply with the security standards established by the CJIS. In this article, we cover what CJIS compliance is, who must comply with it, what its requirements are, and how you can tackle CJIS compliance if it applies to your organization.
Criminal Justice Information (CJI) includes a vast array of data collected, managed, and stored by law enforcement agencies. CJI can include data such as criminal histories, arrest records, investigative reports, biometric data, etc. All of this information must remain confidential and be kept secure from unauthorized access.
In our digital age, CJI faces multiple cybersecurity threats: hacking, data breaches (both accidental and intentional), ransomware attacks, unsecured Wi-Fi networks, loss of devices such as laptops, etc.
To ensure the protection of CJI, the Criminal Justice Information Services (CJIS) was established. This article will guide you through what CJIS compliance is, who is required to comply with it, what the CJIS security requirements are, and how to comply with them. Let’s begin.
What does CJIS stand for?
CJIS stands for Criminal Justice Information Services and is the largest division of the FBI. It was created in 1992 and includes several departments such as the National Crime Information Center (NCIC) and the Integrated Automated Fingerprint Identification System (IAFIS), to name a few. The CJIS works with law enforcement, national security, and intelligence agencies across the United States. The services it provides include access to databases, biometric services, analysis and reporting on crime, background checks, and more.
What are the CJIS requirements?
The CJIS established a set of security standards called the CJIS Security Policy, which outlines how organizations must ensure the security of criminal justice information. Individuals and organizations that handle CJI must comply with it to ensure that sensitive information remains secure. Failure to meet these security standards (which we’ll dive into in a bit) can result in access to CJI being revoked, fines, and even criminal charges.
The security requirements are divided into 13 policy areas:
- Information exchange agreements: An agreement between parties that share CJI with each other which specifies their roles, responsibilities, and security safeguards.
- Basic security awareness training: Personnel with access to CJI must undergo basic security awareness training.
- Incident response: A plan that details procedures for identifying, reporting, mitigating, and recovering from security incidents.
- Auditing and accountability: Organizations must monitor and log who accesses CJI, when, and why. By auditing these logs, they evaluate compliance and ensure accountability.
- Access control: There must be rules for granting, monitoring, and restricting access to CJI based on user roles and the principle of least privilege.
- Identification and authentication: Any person who is granted access to CJI must verify their identity using strong identification and authentication methods.
- Configuration management: Only qualified and authorized personnel can access the CJI information system to perform upgrades or modifications.
- Media protection: Access to physical and digital media must be restricted to authorized individuals and follow procedures that are documented and implemented.
- Physical protection: Organizations must have physically secure locations where CJI is stored. They must control and monitor access to those locations.
- Systems and communications protection and information integrity: Applications, services, and information systems must ensure system integrity by detecting and protecting against unauthorized changes to information and software.
- Formal audits: Organizations will undergo formal audits to ensure compliance with CJIS security standards.
- Personnel security: To protect CJI from insider threats, this policy specifies requirements for personnel termination, transfer, and sanctions for failing to comply with established security policies and procedures.
- Mobile devices: There must be measures in place to restrict usage of mobile devices as well as the accessing, monitoring, and control of wireless communications.
Admittedly, meeting the security requirements for all 13 of these areas to obtain CJIS certification can be an arduous undertaking.
As you establish policies and procedures to comply with CJIS, you will notice that a lot of the criminal justice information your organization handles includes personal data. What kind of data exactly? Let’s find out.
What types of data are included in CJI?
Criminal justice information includes multiple types of personal information, namely:
- Biometric Data: physical or biological data such as facial recognition data, fingerprints, etc.
- Identity History Data: Records of an individual's criminal history, e.g. arrest records, convictions, etc.
- Biographical Data: Descriptive information about an individual that helps identify them and complements biometric data and identity history data during criminal justice processes.
- Personally Identifiable Information (PII): Any data that can identify an individual, such as name, address, credit card number, passport number, etc.
The handling of this personal data is tightly regulated under the CJIS Security Policy, which mandates strict controls over the lifecycle of CJI, from creation and storage to transmission and destruction. In fact, sometimes you will have to deal with hundreds of documents that contain personal data, and that necessitates redacting it to keep it secure.
So, how do you achieve CJIS compliance? Read on to find out.
CJIS compliance checklist
Use this comprehensive checklist to assess your organization's current CJIS compliance status and identify areas that need attention. Each item corresponds to the 13 CJIS Security Policy areas and includes practical verification steps.
Information Exchange Agreements
- Executed formal agreements with all parties that share CJI
- Agreements specify roles, responsibilities, and security safeguards
- Regular review schedule established for agreement updates
- Contact information for all parties kept current
Security Awareness Training
- All personnel with CJI access completed initial security training
- Annual refresher training program implemented
- Training records maintained and up-to-date
- Training covers redaction best practices and data handling procedures
- Knowledge assessments completed and documented
Incident Response
- Written Incident Response Plan (IRP) developed and approved
- IRP includes procedures for identification, reporting, containment, and recovery
- Response team roles and contact information clearly defined
- Regular testing and simulation exercises conducted
- Incident reporting procedures established with appropriate authorities
Auditing and Accountability
- Comprehensive audit logging system implemented
- User access activities monitored and recorded
- Log reviews conducted regularly
- Audit trail integrity protection measures in place
- Retention schedules for audit logs established
Access Control
- Role-based access control system implemented
- Principle of least privilege enforced
- User access reviews conducted periodically
- Access termination procedures established
- Guest and temporary access protocols defined
Identification and Authentication
- Strong authentication methods implemented for all users
- Multi-factor authentication enabled where required
- Password policies meet CJIS standards
- Account lockout procedures established
- Regular authentication system reviews conducted
Configuration Management
- System baseline configurations documented
- Change control procedures implemented
- Only authorized personnel can modify systems
- Configuration changes tracked and approved
- Regular system integrity checks performed
Media Protection
- Physical media access controls implemented
- Digital media encryption standards met
- Secure media disposal procedures established
- Media transportation security protocols defined
- Media inventory and tracking system maintained
Physical Protection
- Secure facilities for CJI storage and access established
- Physical access controls and monitoring systems installed
- Visitor access procedures documented and followed
- Environmental controls (fire, flood, temperature) implemented
- Regular physical security assessments conducted
System and Communications Protection
- Data encryption implemented for data in transit and at rest
- Network security controls and monitoring established
- System integrity verification procedures implemented
- Secure communication protocols used
- Regular vulnerability assessments conducted
Information Integrity
- Data integrity verification measures implemented
- Unauthorized change detection systems in place
- Regular data backup and recovery testing performed
- Document redaction procedures ensure permanent removal of sensitive data
- Version control systems for sensitive documents maintained
Formal Audits
- Annual compliance audits scheduled and completed
- Audit findings documented and remediation plans developed
- Compliance gaps identified and addressed promptly
- Audit documentation maintained for required retention periods
- Continuous monitoring program established
Personnel Security
- Background check procedures implemented for all CJI-accessing personnel
- Personnel security policies documented and communicated
- Termination procedures include access revocation protocols
- Personnel sanctions policy established for security violations
- Regular personnel security reviews conducted
Mobile Devices
- Mobile device usage policies established and enforced
- Device encryption and security controls implemented
- Remote wipe capabilities enabled for organizational devices
- Wireless communication security protocols established
- Regular mobile device security assessments conducted
Additional Compliance Verification
- CJIS Security Officer (CSO) appointed and trained
- All third-party vendors and contractors CJIS compliant
- Emergency procedures and business continuity plans developed
- Regular policy reviews and updates conducted
- Staff knowledge of current CJIS Security Policy requirements verified
Documentation Requirements
- All policies and procedures documented and accessible
- Training records maintained for required retention periods
- Incident response documentation complete and current
- Audit trails and compliance evidence readily available
- Change management documentation up-to-date
This checklist should be reviewed quarterly and updated whenever CJIS Security Policy changes are released. Regular self-assessments using this checklist help maintain continuous compliance and prepare your organization for formal CJIS audits.
10 steps to comply with the CJIS requirements
To comply with the security requirements of the CJIS, we recommend that your organization takes the following 10 steps.
1. Review and understand the CJIS Security Policy
First, you need to make sure that all personnel with access to CJI fully understand the CJIS Security Policy.
Consider organizing training sessions to learn about and clarify the key security requirements. During these sessions, be sure to discuss best practices related to protecting sensitive data, e.g. encryption, access control, and redaction.
Upon completing this first step, your staff should be able to pass simple knowledge tests. Furthermore, you will have a clear idea of the areas of non-compliance within your organization and how they should be tackled.
2. Assign a CJIS Security Officer (CSO)
To centralize communication and accountability, you want to have a CJIS Security Officer who acts as a point of contact with the CJIS. The CSO has the authority to review data protection methods and enforce policies.
So you need to designate the most qualified individual for this role. The right person for this role should be well versed in CJIS, trained in data security, and skilled in redaction methods.
Upon appointing a CSO, be sure to document and communicate their responsibilities. The CSO will hold periodic compliance reviews and enforce policies when necessary.
3. Implement technical safeguards
Unauthorized access to CJI must be prevented at all times. To that end, you should:
- Encrypt all CJI in transit and at rest.
- Implement security measures: access control, identification, authentication, monitoring of sensitive files, etc.
- Use automated redaction tools to remove sensitive data points from documents permanently.
To measure the effectiveness of these technical safeguards, we recommend that you conduct periodic audits and test redacted documents.
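The access-control, authentication and monitoring safeguards listed above fit together in one enforcement point. The following is an added example, not code from the article: a small CJI access gateway that enforces role-based, least-privilege permissions, refuses requests from sessions that are expired or not MFA-verified, and writes an audit record for every request (who, what, when, why, and the outcome), since CJIS auditing asks for exactly those fields. A review function then flags a pattern a log reviewer would want surfaced: repeated denials for one user inside a short window. The roles, permission table, users and requests are constructed for the demo and are not CJIS-defined values.

```python
# Added example (not from the article): a minimal CJI access gateway that
# enforces role-based, least-privilege permissions, requires an MFA-verified,
# unexpired session, and writes an audit record for every request (who, what,
# when, why, outcome). A review function then flags what a log reviewer would
# want to see. Roles, users and requests are constructed for the demo.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical role -> record type -> allowed actions. Least privilege: a role
# gets only the actions its job needs, nothing more.
ROLE_PERMISSIONS = {
    "records_clerk": {"criminal_history": {"read"}},
    "detective": {"criminal_history": {"read"},
                  "investigative_report": {"read", "update"}},
    "tac": {"criminal_history": {"read"},
            "user_account": {"create", "update", "delete"}},
}


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool
    expires_at: datetime


@dataclass
class AuditRecord:
    timestamp: str      # ISO 8601, UTC
    user: str
    role: str
    action: str
    record_type: str
    record_id: str
    purpose: str        # the "why" CJIS auditing asks for
    outcome: str        # "granted" or a denial reason


class CjiGateway:
    def __init__(self, clock):
        self._clock = clock          # injectable clock keeps the demo deterministic
        self.audit_log = []          # every request is logged, granted or not

    def request(self, session, action, record_type, record_id, purpose):
        now = self._clock()
        perms = ROLE_PERMISSIONS.get(session.role, {}).get(record_type, set())
        if not purpose.strip():
            outcome = "denied: no purpose stated"
        elif now >= session.expires_at:
            outcome = "denied: session expired"
        elif not session.mfa_verified:
            outcome = "denied: MFA not verified"
        elif action not in perms:
            outcome = f"denied: role {session.role} may not {action} {record_type}"
        else:
            outcome = "granted"
        self.audit_log.append(AuditRecord(now.isoformat(), session.user, session.role,
                                          action, record_type, record_id, purpose, outcome))
        return outcome == "granted"


def review_audit_log(records, denial_threshold=3, window=timedelta(minutes=10)):
    """Flag any user with >= denial_threshold denials inside a sliding window:
    repeated out-of-role requests are a classic insider-misuse signal."""
    findings = []
    denials = {}
    for r in records:
        if r.outcome.startswith("denied"):
            denials.setdefault(r.user, []).append(datetime.fromisoformat(r.timestamp))
    for user, times in denials.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= denial_threshold:
                findings.append(f"{user}: {j - i} denied CJI requests within {window}")
                break
    return findings


def run_demo():
    """Constructed scenario: a clerk reads within role, then repeatedly requests
    outside it; a detective without MFA is refused. Returns (results, log, findings)."""
    base = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    tick = {"n": 0}

    def clock():
        t = base + timedelta(minutes=tick["n"])   # one minute per request
        tick["n"] += 1
        return t

    gw = CjiGateway(clock)
    clerk = Session("aclerk", "records_clerk", True, base + timedelta(hours=8))
    det = Session("bdet", "detective", False, base + timedelta(hours=8))
    results = [
        gw.request(clerk, "read", "criminal_history", "CH-1001", "case 24-0017"),
        gw.request(det, "read", "investigative_report", "IR-22", "case 24-0017"),
        gw.request(clerk, "update", "investigative_report", "IR-22", "case 24-0017"),
        gw.request(clerk, "delete", "user_account", "u-7", "cleanup"),
        gw.request(clerk, "read", "criminal_history", "CH-1002", ""),
    ]
    return results, gw.audit_log, review_audit_log(gw.audit_log)


if __name__ == "__main__":
    results, log, findings = run_demo()
    for rec in log:
        print(rec)
    print("review findings:", findings)
```

Two design points carry over to a real deployment: denied requests are logged with the same fields as granted ones, because the denials are what the periodic log review feeds on, and a request with no stated purpose is refused outright rather than logged with a blank, so the audit trail always answers "why".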
4. Ensure the security of physical locations where CJI is stored and/or accessed
In addition to cyber threats, physical access to CJI is a concern that needs to be addressed.
Essentially, you must restrict access to physical locations where CJI is stored and/or accessed, conduct regular inspections, and ensure that redacted physical documents are properly disposed of. By doing this, you will prevent potential incidents of unauthorized access to CJI.
5. Conduct background checks on personnel with access to CJI
Only vetted and trustworthy individuals should be allowed to handle CJI. So your organization needs to perform thorough background checks and establish criteria for disqualification (such as criminal history).
6. Provide adequate training to personnel
Your personnel need adequate training on how to handle CJI. Resources like CJIS Online can help organizations provide essential training programs and certification for staff who handle sensitive information.
Organize training sessions where staff learns how to identify and protect sensitive information. This training should include redaction practices for biographical, biometric, identity history data, and PII.
With proper CJIS training, staff should successfully pass assessments. If everything goes well, future audits will reveal a reduction in compliance failures and risks.
7. Create internal policies that adhere to the CJIS Security Policy
Your organization needs to have internal policies for CJIS compliance. Everyone who handles CJI should learn about these policies and adhere to them.
So take the time to draw up policies that define how CJI should be accessed, stored, transmitted, and redacted.
Eventually, internal audits will confirm whether all staff adhere to the internal policies, and CJIS audits will determine whether these policies must be revised or not.
8. Ensure that third-party vendors and contractors comply with the CJIS
Any third-party entities you work with should comply with the CJIS Security Policy as well. This means they need to implement measures for data encryption, access controls, audit logging, an Incident Response Plan, media protection, etc.
Practically, you need them to sign CJIS compliance agreements and provide documentation of their security protocols. Their systems and processes should also support permanent redaction of confidential information. Furthermore, they will have to undergo periodic compliance audits as well.
As a result, vendors and contractors will pass CJIS compliance reviews, ensuring that any CJI remains safe from threats and incidents.
9. Establish an Incident Response Plan
Like we mentioned earlier while discussing the security requirements, you need to have an IRP in place and follow it if an incident occurs.
This IRP should define how to prepare for and identify an incident. It should also detail how to report, contain, eliminate, and recover from incidents. Lastly, incidents must be reviewed to prevent them from happening again in the future.
But that’s not all: use simulated scenarios, such as a breach of redacted documents, to test your IRP. These drills will demonstrate readiness and adherence to your IRP. So when incidents do occur, your organization will be able to respond swiftly and minimize their impact.
10. Stay up-to-date with the latest changes in the CJIS Security Policy
Lastly, you want to keep up with the latest CJIS standards to protect all CJI from new threats.
So we recommend you monitor updates to the CJIS Security Policy. Revise your internal protocols, including redaction practices, to adhere to the latest changes. And always communicate these updates to all personnel who handle CJI.
By adhering to the latest security requirements, you avoid compliance issues arising during CJIS audits.
To protect personal data from cyber threats, you can implement protective measures like redaction. Redacting information actually plays an important role in safeguarding sensitive CJI and ensuring compliance with CJIS standards.

Roles and responsibilities in CJIS compliance
Successful CJIS compliance requires clearly defined roles and responsibilities across your organization. Understanding who does what ensures accountability, streamlines communication, and maintains the security of criminal justice information. Here are the key positions and their essential duties in maintaining CJIS compliance.
Local Agency Security Officer (LASO)
The Local Agency Security Officer serves as the primary information security contact between a local law enforcement agency and the CJIS Systems Agency (CSA). The LASO actively represents their agency in all matters pertaining to information security and ensures compliance with CJIS Security Policy requirements.
Key responsibilities include:
- Policy compliance oversight: Ensure all agency personnel follow established CJIS security policies and procedures
- Information security liaison: Act as the primary point of contact with the CSA for security-related matters
- Training coordination: Oversee security awareness training programs for all personnel with CJI access
- Incident management: Report security incidents and breaches to appropriate authorities according to established protocols
- Access control administration: Manage user access permissions and ensure only authorized personnel have CJI access
- Documentation maintenance: Keep security documentation current, including system configuration data and audit records
- Hardware and software oversight: Ensure only CSA-approved hardware, software, and firmware are used for CJI access
- Audit assistance: Support information security audits of hardware, procedures, and compliance measures
Qualifications and requirements:
- Knowledge of criminal history record information (CHRI) policies and regulations
- Understanding of IT security procedures and best practices
- Enhanced security awareness training completion
- Ability to communicate effectively with both technical and non-technical personnel
CJIS Security Officer (CSO) / Chief Security Officer
The CJIS Security Officer is appointed by the head of the CSA and is responsible for managing the CJIS network within the agency's jurisdiction. The CSO ensures compliance with the CJIS Security Policy, overseeing security operations and delegating responsibilities as necessary to maintain network integrity.
Primary responsibilities include:
- Strategic security leadership: Develop and implement comprehensive security strategies for CJI protection
- Policy development and enforcement: Create, maintain, and enforce security policies aligned with CJIS requirements
- Risk management: Conduct security risk assessments and implement appropriate mitigation measures
- Compliance oversight: Ensure organizational adherence to all CJIS Security Policy requirements
- Incident response coordination: Lead incident response efforts and coordinate with relevant authorities
- Staff management: Supervise security personnel and delegate responsibilities effectively
- Vendor management: Ensure third-party contractors and vendors meet CJIS compliance requirements
- Communication liaison: Serve as the primary contact point with CJIS Division and other security agencies
- Audit preparation: Prepare for and coordinate formal CJIS audits and compliance reviews
- Resource allocation: Determine security resource needs and budget requirements
Essential qualifications:
- Extensive knowledge of CJIS Security Policy and criminal justice systems
- Advanced training in data security and risk management
- Experience with redaction methods and document security protocols
- Leadership and project management capabilities
- Strong communication and interpersonal skills
Information Security Officer (ISO) / CSA ISO
The CSA Information Security Officer acts as the primary security point of contact between the CSA and the FBI CJIS Division. The CSA ISO is responsible for ensuring the technical compliance of the CSA with the CJIS Security Policy and for addressing security-related issues within the CSA's jurisdiction.
Core responsibilities encompass:
- Technical compliance management: Ensure technical systems meet CJIS Security Policy requirements
- Security policy development: Establish and maintain comprehensive information security policies
- Threat and vulnerability assessment: Regularly assess security threats and system vulnerabilities
- Risk and control assessments: Perform ongoing risk evaluations and implement appropriate controls
- Security operations governance: Oversee day-to-day security operations and procedures
- Training program development: Establish and deliver information security training and awareness programs
- FBI liaison coordination: Maintain communication with FBI CJIS Division on technical security matters
- Security architecture: Design and implement secure system architectures for CJI handling
- Compliance monitoring: Monitor ongoing compliance with technical security requirements
- Documentation management: Maintain accurate records of security measures and compliance activities
Required expertise:
- Deep technical knowledge of information security frameworks and standards
- Understanding of NIST 800-53 controls and their application to CJIS requirements
- Experience with security assessment methodologies and tools
- Knowledge of network security, encryption, and access control technologies
- Certification in information security (CISSP, CISM, or equivalent preferred)
Terminal Agency Coordinator (TAC)
The Terminal Agency Coordinator serves as the primary point of contact at the local agency level for matters relating to CJIS information access. The TAC is responsible for administering CJIS systems programs within the agency, ensuring local compliance with CJIS policies, and facilitating communication between the agency and CJIS authorities.
Key duties include:
- System administration: Manage day-to-day operations of CJIS terminal systems
- User account management: Create, modify, and terminate user access accounts
- Training coordination: Ensure all system users receive proper CJIS training
- Quality assurance: Monitor system usage and ensure proper procedures are followed
- Communication facilitation: Serve as liaison between local users and CJIS authorities
- Documentation maintenance: Keep user records and system documentation current
- Compliance monitoring: Ensure local adherence to CJIS policies and procedures
Agreement Coordinator (AC)
The Agreement Coordinator is an individual appointed by the Contracting Government Agency (CGA) to manage the agreement between the government agency and a contractor.
Primary functions include:
- Contract oversight: Manage CJIS-related contractual agreements with third parties
- Compliance verification: Ensure contractors meet all CJIS security requirements
- Agreement negotiation: Work with legal teams to develop appropriate security language in contracts
- Vendor communication: Coordinate security requirements with external partners
- Documentation management: Maintain records of all security agreements and amendments
Establishing clear accountability
Organizational structure considerations:
- Reporting relationships: Establish clear reporting lines between security roles
- Authority delegation: Define decision-making authority for each position
- Communication protocols: Create structured communication channels between roles
- Backup assignments: Designate alternate personnel for critical security functions
- Performance metrics: Develop measurable goals for security role effectiveness
Best practices for role implementation:
- Written job descriptions: Document specific responsibilities and requirements for each role
- Regular training updates: Ensure role holders stay current with CJIS policy changes
- Cross-training programs: Prepare backup personnel to assume critical security functions
- Performance evaluations: Regularly assess role effectiveness and compliance
- Resource allocation: Provide adequate time, tools, and budget for security responsibilities
Coordination between roles:
Effective CJIS compliance requires seamless coordination between all security roles. Regular meetings, shared documentation systems, and clear escalation procedures ensure that security responsibilities don't fall through organizational gaps. Each role must understand how their duties connect to overall compliance objectives and organizational security posture.
Role adaptation for organization size:
Smaller organizations may need to combine multiple roles into single positions, while larger agencies might require dedicated personnel for each function. The key is ensuring all responsibilities are assigned and properly executed, regardless of how roles are distributed across available personnel.
CJIS compliance vs. other data security frameworks
Understanding how CJIS compliance compares to other major data protection regulations helps organizations navigate overlapping requirements and develop comprehensive security strategies. Here's how CJIS stacks up against HIPAA and GDPR, two other significant frameworks that organizations commonly encounter.
Framework overview comparison
Key security requirements comparison
Compliance overlap scenarios
CJIS + HIPAA: Law enforcement agencies handling medical records during investigations must meet both standards. CJIS provides stricter access controls while HIPAA offers specific health data protection requirements. Both require comprehensive redaction of sensitive information when sharing documents.
CJIS + GDPR: Federal agencies with international operations or handling EU citizen data must comply with both. GDPR's consent requirements complement CJIS access controls, and both recommend strong data protection measures including permanent redaction capabilities.
Implementation comparison
Strategic recommendations for multi-framework compliance
Unified security approach: Implement comprehensive security programs that address the most stringent requirements across applicable frameworks. CJIS often provides the highest security baseline that can satisfy other framework requirements.
Technology integration: Choose security solutions that support multiple compliance frameworks simultaneously. Professional redaction tools, for example, can help meet CJIS permanent redaction requirements while also addressing HIPAA PHI protection and GDPR data subject rights.
Documentation strategy: Maintain centralized documentation that maps security controls to multiple framework requirements, reducing audit preparation time and ensuring consistent implementation across all applicable standards.
Training efficiency: Develop comprehensive training programs that address overlapping requirements, helping staff understand their responsibilities under multiple regulations while avoiding redundant training efforts.
CJIS compliance often provides the most comprehensive security foundation, as its stringent requirements typically meet or exceed those of other frameworks in most security areas. Organizations that achieve CJIS compliance are generally well-positioned to meet other regulatory requirements with minimal additional effort.
Why is complying with the CJIS security requirements important?
If criminal justice information is not protected from cybersecurity threats (like the ones we mentioned earlier), the consequences can be rather dire for the entire nation.
Successful cyberattacks can do a lot of damage, from compromising databases and communication networks to destroying digital evidence and delaying digital investigations. This disruption in data forensics processes can hinder law enforcement agencies from solving cases effectively and maintaining the integrity of justice systems.
That is why it is essential to comply with the CJIS requirements. Doing so helps maintain the security of sensitive information, the privacy of people, and the integrity of justice systems.
Who is required to be CJIS compliant?
Any individual or organization that accesses, uses, or manages CJI must comply with the CJIS security standards. This includes:
- Law enforcement agencies;
- Criminal justice organizations;
- Government agencies;
- Contractors and vendors working with these entities, e.g. cloud service providers;
- Legal teams;
- Other private entities with access to CJI.
What role does redaction play in CJIS compliance?
Redaction plays an essential role in protecting Personally Identifiable Information. When handling documents that contain CJI, you need to remove sensitive data like personal identifiers, victim details, or investigative information. That way, even if unauthorized access occurs, that information will remain safe from data breaches and cyberattacks.
Document redaction is particularly important when sharing information with parties who don’t have proper clearance, such as during legal proceedings or public records requests.
By adhering to the principle of least privilege, redaction helps restrict access to only the information necessary for an individual’s role or task. Redaction aligns with CJIS requirements for access control and protects organizations from risks associated with data breaches. Redaction also supports compliance with legal and privacy obligations, such as shielding juvenile records or withholding details about ongoing investigations.
Protect sensitive data in CJIS with permanent redaction
When working with criminal justice information, you will often have to handle large volumes of documents with countless data points, many of which contain sensitive information. So to achieve CJIS compliance, you need precision and efficiency. However, manual redaction methods, like simple PDF editors, often fall short: they are time-consuming and they leave sensitive data exposed. For instance, a black box drawn over text in a PDF editor only covers the text; the underlying text, along with the document metadata, remains in the file and can be extracted.
Because of this, you need to use an advanced and automated redaction solution, one that permanently removes all sensitive data — both visible and hidden. With automated redaction, you can process hundreds of documents and thousands of data points in moments, saving up to 98% of the time and effort required by manual methods.
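The difference between covering text and removing it is easy to verify, and step 3 above recommends testing redacted documents. The following is an added example, not code from the article and not Redactable's own code: a residue checker that searches every content stream of a PDF (inflating FlateDecode streams with zlib, so compression does not hide anything) and every byte outside streams (the /Info dictionary, XMP metadata) for the sensitive strings that were supposed to be gone. Two tiny PDFs are constructed inline with the helper `build_pdf`: one where a black rectangle was merely painted over the text, and one where the text object and the /Author metadata were actually removed. The helper names, the sample name and the sample SSN are all constructed for the demo.

```python
# Added example (not from the article, and not Redactable's code): verifying
# that a "redacted" PDF really no longer contains the sensitive text. Two tiny
# PDFs are constructed inline: one where a black box was merely painted over the
# text (the text object and /Author metadata survive underneath), and one where
# the text and metadata were actually removed. The checker inflates FlateDecode
# streams with zlib so compressed content does not hide the residue.
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def build_pdf(content, author, compress=True):
    """Construct a minimal one-page PDF (demo document, not a real CJI record)."""
    body = content.encode("latin-1")
    filt = b""
    if compress:
        body = zlib.compress(body)
        filt = b" /Filter /FlateDecode"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d%s >>\nstream\n" % (len(body), filt) + body + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
        b"<< /Author (" + author.encode("latin-1") + b") /Producer (demo) >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, obj in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R /Info 6 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref))
    return bytes(out)


def text_sources(pdf):
    """Everywhere text can hide: each stream (inflated when Flate-compressed) plus
    the bytes outside streams (the /Info dictionary, XMP metadata, uncompressed objects)."""
    sources = []
    for m in STREAM_RE.finditer(pdf):
        data = m.group(1)
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # not Flate-compressed; scan the raw stream bytes as-is
        sources.append(data)
    sources.append(STREAM_RE.sub(b"", pdf))
    return sources


def find_residual(pdf, sensitive):
    """Return the sensitive strings still present anywhere in the file, sorted.
    Assumption: literal (...) strings; a full checker would also decode hex strings
    and text split across Tj/TJ operators."""
    found = set()
    for src in text_sources(pdf):
        for s in sensitive:
            if s.encode("latin-1") in src:
                found.add(s)
    return sorted(found)


SENSITIVE = ["John Doe", "123-45-6789"]   # constructed sample identifiers


def overlay_only_pdf():
    """What 'draw a black box' produces: text object kept, rectangle painted over it."""
    content = ("BT /F1 12 Tf 72 700 Td (Subject: John Doe, SSN 123-45-6789) Tj ET\n"
               "0 g 72 690 300 14 re f\n")
    return build_pdf(content, author="John Doe")


def truly_redacted_pdf():
    """Text removed from the content stream and metadata scrubbed before the box is drawn."""
    content = ("BT /F1 12 Tf 72 700 Td (Subject: [REDACTED], SSN [REDACTED]) Tj ET\n"
               "0 g 72 690 300 14 re f\n")
    return build_pdf(content, author="")


if __name__ == "__main__":
    print("overlay only   ->", find_residual(overlay_only_pdf(), SENSITIVE))
    print("truly redacted ->", find_residual(truly_redacted_pdf(), SENSITIVE))
```

Run stand-alone, the overlay-only document still yields both the name and the SSN (from the inflated content stream and from /Author), while the properly redacted one yields nothing. The same check applied to a sample of documents after each redaction batch is a cheap way to satisfy the "test redacted documents" recommendation; for production use, extend `find_residual` to handle hex strings, text split across operators, and object streams.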
Redactable simplifies compliance, protects your CJI, and helps you comply with the CJIS Security Policy without draining resources. Try Redactable for free and remove all confidential information from your CJI-related documents quickly and effectively.