CJIS compliance: What it is and how to achieve it

What is CJI?

Criminal justice information (CJI) must be protected from the ever-increasing security risks of the digital age. Therefore, organizations that handle CJI must comply with security standards established by the CJIS. In this article, we cover what CJIS compliance is, who must comply with it, what its requirements are, how to do so, and how you can tackle CJIS compliance in case it applies to your organization.

Criminal Justice Information (CJI) includes a vast array of data collected, managed, and stored by law enforcement agencies. Examples of CJI include criminal histories, arrest records, investigative reports, biometric data, etc. All of this information must remain confidential and be kept secure from unauthorized access.

In our digital age, CJI faces multiple cybersecurity threats: hacking, data breaches (both accidental or intentional), ransomware attacks, non-secure Wi-Fi networks, loss of devices like laptops, etc.

To ensure the protection of CJI, the Criminal Justice Information Services (CJIS) was established. This article will guide you through what CJIS compliance is, who is required to comply with it, what the CJIS security requirements are, and how to comply with it. Let’s begin.

‍

What is CJIS compliance?

First, let’s talk a little bit about what the CJIS is.

CJIS stands for Criminal Justice Information Services and is the largest division of the FBI. It was created in 1992 and includes several departments such as the National Crime Information Center (NCIC) and the Integrated Automated Fingerprint Identification System (IAFIS) to mention a few. The CJIS works with law enforcement, national security, and intelligence agencies across the United States. The services it provides include access to databases, biometric services, analysis and reporting on crime, background checks, and more.

The CJIS established a set of security standards called the CJIS Security Policy. Individuals and organizations that handle CJI must comply with it to ensure that sensitive information remains secure. Failure to meet these security standards (which we’ll dive into in a bit) can result in access to CJI being revoked, having to pay fines, and even facing criminal charges.

‍

Why is complying with the CJIS Security Policy important?

If criminal justice information is not protected from cybersecurity threats (like the ones we mentioned earlier), the consequences can be rather dire for the entire nation.

Successful cyberattacks can do a lot of damage, from compromising databases and communication networks to destroying digital evidence and delaying digital investigations. This disruption in data forensics processes can hinder law enforcement agencies from solving cases effectively and maintaining the integrity of justice systems.

That is why it is essential to comply with the CJIS Security Policy. Doing so helps maintain the security of sensitive information, the privacy of people, and the integrity of justice systems.

Who is required to comply with CJIS?

Any individual or organization that accesses, uses, or manages CJI must comply with the CJIS security standards. This includes:

• Law enforcement agencies;
• Criminal justice organizations;
• Government agencies;
• Contractors, vendors, and legal teams working with these entities e.g. cloud service providers;
• Legal teams;
• Other private entities with access to CJI.

‍

What are the security requirements of the CJIS?

The CJIS Security Policy outlines how organizations must ensure the security of criminal justice information. The security requirements are divided into 13 policy areas:

1. Information exchange agreements: An agreement between parties that share CJI with each other which specifies their roles, responsibilities, and security safeguards.
2. Basic security awareness training: Personnel with access to CJI to undergo basic security awareness training.
3. Incident response: A plan that details procedures for identifying, reporting, mitigating, and recovering from security incidents.
4. Auditing and accountability: Organizations must monitor and log who accesses CJI, when, and why. By auditing these logs, they evaluate compliance and ensure accountability.
5. Access control: There must be rules for granting, monitoring, and restricting access to CJI based on user roles and the principle of least privilege.
6. Identification and authentication: Any person who is granted access to CJI must verify their identity using strong identification and authentication methods.
7. Configuration management: Only qualified and authorized personnel can access the CJI information system to perform upgrades or modifications.
8. Media protection: Access to physical and digital media must be restricted to authorized individuals and follow procedures that are documented and implemented.
9. Physical protection: Organizations must have physically secure locations where CJI is stored. They must control and monitor access to those locations.
10. Systems and communications protection and information integrity: Application, services, and information systems must ensure the system’s integrity by detecting and protecting against unauthorized changes to information and software.
11. Formal audits: Organizations will undergo formal audits to ensure compliance with CJIS security standards.
12. Personnel security: To protect CJI from insider threats, this policy specifies requirements for personnel termination, transfer, and sanctions for failing to comply with established security policies and procedures..
13. Mobile devices: There must be measures in place to restrict usage of mobile devices as well as the accessing, monitoring, and control of wireless communications.

Admittedly, meeting the security requirements for all of these 13 areas to obtain CJIS certification can be an arduous undertaking.

As you establish policies and procedures to comply with CJIS, you will notice that a lot of the criminal justice information your organization handles includes personal data. What kind of data exactly? Let’s find out.

‍

What kind of personal data is involved in CJI?

Criminal justice information includes multiple types of personal information, namely:

• Biometric Data: physical or biological data such as facial recognition data, fingerprints, etc.
• Identity History Data: Records of an individual's criminal history e.g. arrest records, convictions, etc.
• Biographical Data: Descriptive information about an individual that helps identify them and complements biometric data and identity history data during criminal justice processes.
• Personally Identifiable Information (PII): Any data that can identify an individual, such as name, address, credit card number, passport number, etc.

The handling of this personal data is tightly regulated under the CJIS Security Policy, which mandates strict controls over the lifecycle of CJI, from creation and storage to transmission and destruction. In fact, sometimes you will have to deal with hundreds of documents that contain personal data, and that necessitates redacting it to keep it secure.

So, how do you achieve CJIS compliance? Read on to find out.

‍

10 steps to comply with the CJIS Security Policy

To comply with the security requirements of the CJIS, we recommend that your organization  takes the following 10 steps.

1. Review and understand the CJIS Security Policy

First, you need to make sure all personnel with access to CJI fully understands the CJIS Security Policy.

Consider organizing training sessions to learn about and clarify the key security requirements. During these sessions, be sure to discuss best practices related to protecting sensitive data e.g. encryption, access, control, and redaction.

Upon completing this first step, your staff should be able to pass simple knowledge tests. Furthermore, you will have a clear idea of the areas of non-compliance within your organization and how they should be tackled.

2. Assign a CJIS Security Officer (CSO)

To centralize communication and accountability, you want to have a CJIS Security Officer who acts as a point of contact with the CJIS. The CSO has the authority to review data protection methods and enforce policies.

So you need to designate the most qualified individual for this role. The right person for this role should be well versed in CJIS, trained in data security, and skilled in redaction methods.

Upon appointing a CSO, be sure to document and communicate their responsibilities. The CSO will hold periodic compliance reviews and enforce policies when necessary.

3. Implement technical safeguards

Unauthorized access to CJI must be prevented at all times. To that end, you should:

• Encrypt all CJI in transit and at rest.
• Implement security measures: access control, identification, authentication, monitoring of sensitive files, etc.
• Use automated redaction tools to remove sensitive data points from documents permanently.

To measure the effectiveness of these technical safeguards, we recommend that you conduct periodic audits and test redacted documents.

4. Ensure the security of physical locations where CJI is stored and/or accessed

In addition to cyber threats, physical access to CJI is a concern that needs to be addressed.

Essentially, you must restrict access to physical locations where CJI is stored and/or accessed, conduct regular inspections, and ensure that redacted physical documents are properly disposed of. By doing this, you will prevent potential incidents of unauthorized access to CJI.

5. Conduct background checks on personnel with access to CJI

Only vetted and trustworthy individuals should be allowed to handle CJI. So your organization needs to perform thorough background checks and establish criteria for disqualification (such as criminal history).

6. Provide adequate training to personnel

Your personnel needs adequate training on how to handle CJI. Resources like CJIS Online can help organizations provide essential training programs and certification for staff who handle sensitive information.

Organize training sessions where staff learns how to identify and protect sensitive information. This training should include redaction practices for biographical, biometric, identity history data, and PII.

With proper CJIS training, staff should successfully pass assessments. If everything goes well, future audits will reveal a reduction in compliance failures and risks.

7. Create internal policies that adhere to the CJIS Security Policy

Your organization needs to have internal policies for CJIS compliance. Everyone who handles CJI should learn about these policies and adhere to them.

So take the time to draw policies that define how CJI should be accessed, stored, transmitted, and redacted.

Eventually, internal audits will confirm whether all staff adhere to the internal policies, and CJIS audits will determine whether these policies must be revised or not.

8. Ensure that third-party vendors and contractors comply with the CJIS

Any third-party entities you work with should comply with the CJIS Security Policy as well. This means they need to implement measures for data encryption, access controls, audit logging, an Incident Response Plan, media protection, etc.

Practically, you need them to sign CJIS compliance agreements and provide documentation of their security protocols. Their systems and processes should also support permanent redaction of confidential information. Furthermore, they will have to undergo periodic compliance audits as well.

As a result, vendors and contractors will pass CJIS compliance reviews, ensuring that any CJI remains safe from threats and incidents.

9. Establish an Incident Response Plan

Like we mentioned earlier while discussing the security requirements, you need to have an IRP in place and follow it if an incident occurs.

This IRP should define how to prepare for and identify an incident. It should also detail how to report, contain, eliminate, and recover from incidents. Lastly, incidents must be reviewed to prevent them from happening again in the future.

But that’s not all: use simulated scenarios to test your IRP such as a breach of redacted documents. These drills will demonstrated the readiness and adherence to your IRP. So when incidents do occur, your organization will be able to respond to them swiftly and minimize their impact.

10. Stay up-to-date with the latest changes in the CJIS Security Policy

Lastly, you want to keep up with the latest CJIS standards to protect all CJI from new threats.

So we recommend you monitor updates to the CJIS Security Policy. Revise your internal protocols, including redaction practices, to adhere to the latest changes. And always communicate these updates to all personnel who handles CJI.

By adhering to the latest security requirements, no compliance issues will arise during CJIS audits.

To protect personal data from cyber threats, you can implement protective measures like redaction. Redacting information actually plays an important role in safeguarding sensitive CJI and ensuring compliance with CJIS standards.

‍

What role does redaction play in CJIS compliance?

Redaction plays an essential role in protecting Personally Identifiable Information. When handling documents that contain CJI, you need to remove sensitive data like personal identifiers, victim details, or investigative information. That way, even if unauthorized access occurs, that information will remain safe from data breaches and cyberattacks.

Document redaction is particularly important when sharing information with parties who don’t have proper clearance, such as during legal proceedings or public records requests.

By adhering to the principle of least privilege, redaction helps restrict access to only the information necessary for an individual’s role or task. It aligns with CJIS requirements for access control and protects organizations from risks associated with data breaches. Redaction also supports compliance with legal and privacy obligations, such as shielding juvenile records or withholding details about ongoing investigations.

‍

Protect sensitive data in CJI with permanent redaction

When working with criminal justice information, you will often have to handle large volumes of documents with countless data points, many of which contain sensitive information. So to achieve CJIS compliance, you need precision and efficiency. However, manual redaction methods, like simple PDF editors, often fall short as they are too time-consuming and leave sensitive data exposed. For instance, cybercriminals can easily bypass black markers and access metadata.

Because of this, you need to use an advanced and automated redaction solution, one that permanently removes all sensitive data — both visible and hidden. With automated redaction, you can process hundreds of documents and thousands of data points in moments, saving up to 98% of the time and effort required by manual methods.

Redactable simplifies compliance, protects your CJI, and helps you comply with the CJIS  Security Policy without draining resources. Try Redactable for free and remove all confidential information from your CJI-related documents quickly and effectively.

‍