CJIS Compliance Checklist

Government agencies — including those that operate within the criminal justice system — handle large quantities of data every day. Due to the sensitive nature of this data, which includes criminal history information, law enforcement agencies and other government functions must comply with Criminal Justice Information Services (CJIS) security requirements.

If you’re operating in the criminal justice space, you’re likely already familiar with CJIS cybersecurity policies. However, with constantly evolving CJIS security requirements, it’s important to ensure your organization does more than the bare minimum. Consequences for noncompliance are higher in this industry than in many others, and careful attention to detail is critical for success.

Read on to learn what it means to be CJIS compliant and what your organization or agency can expect during an audit. You'll also find a comprehensive checklist outlining the steps you need to take to meet the division's standards so you can improve your cybersecurity posture.

What Is CJIS Compliance?

Criminal Justice Information Services (CJIS) is an FBI division that provides information services to law enforcement agencies at every level of government. The CJIS division comprises several departments:

  • Uniform Crime Reporting (UCR)
  • National Data Exchange (N-DEx)
  • Next Generation Identification (NGI)
  • National Crime Information Center (NCIC)
  • Law Enforcement Enterprise Portal (LEEP)
  • National Instant Criminal Background Check System (NICS)

Being CJIS compliant enables your organization to access and use criminal justice information (CJI), which includes all the sensitive data law enforcement agencies use in their investigations. Some examples of CJI include:

  • Biometrics
  • Biographics
  • Incident history
  • Identification history

Note that the CJIS does not consider administrative records of law enforcement agencies as a type of CJI.

The CJIS Security Policy (CSP) provides a set of guidelines all authorized organizations must follow to achieve compliance. These requirements are drawn from NIST Special Publication 800-53, which catalogs the cybersecurity controls federal agencies can use to make their information systems more resilient.

Why Is CJIS Compliance Important?


With increasing numbers of government agencies migrating their operations to the cloud, ensuring that the infrastructure they use for their everyday operations is highly secure is more important than ever. That’s why being CJIS-compliant is so essential for government agencies and third-party technology providers that handle CJI.

Adhering to CSP requirements enables organizations to protect national security without infringing on individuals’ privacy rights. Failing to adhere to the CJIS guidelines can result in more than a fine — a noncompliant agency could lose access to CJI entirely.

How CJIS Audits Work

The CJIS Audit Unit (CAU) and the CJIS Systems Agency (CSA) conduct CJIS audits. Agencies and their service providers need to undergo an audit once every three years to maintain basic compliance.

Typically, the auditor will notify your agency’s point of contact about six months in advance — which should be sufficient time to prepare.

During the audit, the inspector will:

  • Review your data quality
  • Tour your facility and inspect your physical security controls
  • Interview your organization’s point of contact about your typical data protection processes

Immediately after completion, the auditor will conduct an exit briefing, during which they’ll provide you with feedback you can implement right away. You’ll receive more in-depth recommendations in a final report several months later.

It’s important to note that the CAU will track your progress in implementing these final recommendations, so your agency will need to get started as soon as you receive them.

Checklist for CJIS Compliance Requirements

Organizations must achieve CJIS compliance in 13 key areas to legally handle CJI. Use this CJIS checklist to organize your compliance strategy.

  1. Information exchange agreements: Your agency must have documented rules for sharing CJI with other authorized entities. These agreements must specify every security control in place, with specific details around auditing, logging, timeliness, training and other requirements.
  2. Security awareness training: All employees and contractors who are authorized to access CJI must complete basic security awareness training within six months of their first assignment. An organization-wide training session must also occur annually to enable compliance.
  3. Incident response plan (IRP): An IRP helps you identify, contain and recover from cyberattacks with minimal downtime. Your organization must have a documented IRP and a plan for reporting incidents when they occur.
  4. Auditing and accountability: Your organization must record every instance of CJI access. This record forms an audit trail that attributes each access to a specific user and streamlines the formal audit process.
  5. Access control: Your organization must implement mechanisms that restrict CJI access to authorized users, including on Wi-Fi networks.
  6. Identification and authentication: You must follow the guidelines governing which credentials users may use to prove their identity and the multi-factor authentication protocols your organization uses to verify that identity.
  7. Configuration management: Compliance requirements stipulate that all infrastructure and process changes are documented; only authorized users may change hardware or software configurations.
  8. Media protection: You must have access controls in place for both digital and analog media.
  9. Physical protection: In addition to implementing digital protections, your organization should have physical security measures such as CCTV systems, alarms and advanced locks.
  10. Systems and communications protection: Your agency must ensure the integrity of all transmitted CJI across all applications and services. Additionally, you need to secure all the systems and applications that make up your organization’s virtual environment.
  11. Formal audits: All CJIS-compliant organizations must undergo a formal audit once every three years to confirm compliance.
  12. Personnel security: All employees and vendors with access to CJI data must submit to security screenings, including state and national fingerprint-based record checks. Your organization must have security controls in place to safeguard CJI throughout the employee life cycle, including during hiring, termination and transfer.
  13. Mobile devices: Agencies must restrict CJI access on mobile devices such as smartphones and tablets and ensure these devices are governed by a formal acceptable use policy. This rule is especially important now that more than half of all web traffic comes from mobile devices.

Ensuring compliance with the above can be challenging for small to mid-sized organizations. To relieve some of the burden of compliance management from your IT team, consider enlisting the services of a managed service provider (MSP) like Omega Systems.

Third-Party CJIS Cloud Compliance

Law enforcement agencies and government entities that work with third parties to manage IT and data security also need to ensure their managed service providers adhere to necessary CJIS compliance standards. Given the expertise and complexity required to maintain CJIS-compliant infrastructures on-premise, many agencies outsource these responsibilities to CJIS-certified cloud providers.

CJIS-compliant data centers must adhere to strict protocols for information security, limit access control to only authorized users and require anyone who handles criminal justice information to complete routine security awareness training.

Be sure to ask potential MSPs or IT providers about their physical, virtual and security training protocols to ensure they meet or exceed the necessary requirements for you to secure CJIS data in the cloud.

How Omega Systems Can Help Navigate CJIS Compliance

Is your organization searching for a way to simplify CJIS compliance? Omega Systems is an award-winning MSP with extensive experience in government-level cybersecurity and cloud compliance and has the necessary infrastructure and industry expertise to guide your agency through the complexities of the compliance process.

Omega’s CJIS-compliant cloud infrastructure is secured by the first regional private data center to successfully complete a CLEAN technical audit and complies with all data security standards set forth by CJIS. Additionally, we proactively undergo a SOC 2 compliance audit annually, which further certifies the integrity, availability and security of our hosted infrastructure.

We have more than two decades of experience working with government agencies at the local, state and federal levels and have the necessary expertise to support agencies in their quest for CJIS compliance.

Our highly qualified compliance consultants keep a constant pulse on the industry and can help your team avoid common compliance hurdles.

Contact us today to learn more about how Omega Systems can help your government organization navigate CJIS compliance.

If you are a local, state or federal government or law enforcement agency, leverage our handy CJIS Compliance Checklist, which outlines the 13 key information security requirements needed for compliance.