CJIS Compliance (CJIS-C)

Illumant's CJIS-C service provides straightforward gap analysis and readiness services to assess compliance with the CJIS Security Policy, remedy gaps, and prepare for scheduled and unannounced audits.

The Criminal Justice Information Services (CJIS) Division of the FBI shares invaluable Criminal Justice Information (CJI) with and between local law enforcement agencies to make them collectively more effective in fighting crime.

Given the value and sensitivity of this data, the FBI, through CJIS, imposes strict security and privacy standards on agencies that connect to CJIS systems. The key to CJIS is a Security Policy that defines required controls for agencies to protect CJI, at rest and in transit: "The CJIS Security Policy provides guidance for the proper creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. This policy applies to every individual – contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity – with access to, or who operate in support of, criminal justice services and information." Enforcement of these requirements includes audits by CJIS.

Why do you need Illumant's CJIS-C Service?

In its agency agreements, CJIS reserves the right to triennial security audits, as well as ad hoc unannounced audits. Non-compliance means loss of access to valuable databases and crime-fighting data. In cases of misuse, individuals may face suspension, loss of employment, and prosecution for state and federal crimes. Illumant’s CJIS-C service brings CJIS Security Policy knowledge, experience and expertise to your team to address compliance and prepare for audits.

Educate Officers/Stakeholders, Share Accountability, Drive Security Initiatives

Our CJIS-C service includes interviews with stakeholders to assess compliance as well as to educate and inform about compliance requirements, which increases cross-departmental responsibility and accountability, and helps drive security initiatives. You control who should be involved in the interview process.

Illumant Reduces the Burden and Minimizes the Confusion of Compliance

Illumant's CJIS-C service leverages our expertise and resources to shift much of the burden of compliance away from you, to distribute responsibility for compliance to appropriate personnel, and to add clarity and education to the process – what needs to be done to meet the standards, and what needs to be remediated to achieve compliance, avoid penalties, and of course, avoid breaches.

Overview of the CJIS Security Policy

The CJIS Security Policy defines the minimum standard of security controls required for sharing criminal justice information through CJIS. Individual states are left to interpret the policy. At the state level, an internal CJIS Systems Officer (CSO) is appointed to administer the policy within that state. The CSO is responsible for interpreting and enforcing the Policy for sub-agencies.

At the local level (city or county) a Terminal Agency Coordinator (TAC), usually a commissioned Officer, is designated as the point of contact for all CJIS matters. The TAC’s direct report is designated the Local Agency Security Officer (LASO). Often these and other roles are assumed by the same individual.

A triennial audit of each Criminal Justice Agency (CJA) is required to document compliance with the CJIS Security Policy. This audit is usually administered by the state’s ranking CJA under the purview of the CSO. This audit can be executed at the federal level by the FBI CJIS Audit Unit.

CJIS Security Policy Requirements

Area 1 - Information Exchange Agreements: Organizations must have executed, written agreements in place that cover the degree to which CJI sharing will occur and the relevant security policies and procedures of each to safeguard that information. Sample exchange agreements can be found in Appendix D of the CJIS Security Policy.

Area 2 - Security Awareness Training: For all personnel that have access to CJI, and for IT personnel with logical access, basic security training must be performed within 6 months of assignment of CJI responsibilities and every two years thereafter. The agency must maintain records showing that training was performed.

Area 3 - Incident Response: Agencies must have incident detection, response, and handling capabilities in place, including incident reporting and tracking, as well as containment and recovery mechanisms.

Area 4 - Auditing and Accountability: Agencies must generate and maintain adequate system event logging and review capabilities for incident detection, response and forensics purposes.

Area 5 - Access Control: Agencies must implement mechanisms to control access to sensitive information, including authentication, remote access, and virtual private networks. Access control should cover wireless access (WiFi and Bluetooth) for computers and mobile devices.

Area 6 - Identification and Authentication: Agencies must uniquely identify users and processes acting on behalf of users. This section details password and PIN policies as well as advanced authentication requirements.

Area 7 - Configuration Management: The goal is to allow only qualified and authorized individuals access to information system components for purposes of initiating changes, including upgrades and modifications. In addition, agencies are required to produce a complete topological drawing depicting the inter-connectivity of the agency network to criminal justice information, systems and services. This diagram must be maintained in a current status. Examples of network diagrams can be found in Appendix C of the Policy.

Area 8 - Media Protection: Agencies must secure CJI data in all its forms, both at rest and in motion as it traverses electronic networks and physical locations. Here you’ll also find guidelines for physical and electronic media sanitization and disposal.

Area 9 - Physical Protection: Physically secure locations are defined by the implementation of both policies and physical and personnel security controls sufficient to protect CJI. This Policy Area defines a secure location and dictates the controls that must be in place to make it so.

Area 10 - Systems and Communications Protection and Information Integrity: This section addresses all the components of modern cybersecurity. Pervasive IT systems and communications safeguards must be employed to ensure the security and integrity of data across the network both in motion and at rest. Components covered include traditional areas like encryption, antivirus and spam and also advanced technologies like virtualization, Voice over IP (VOIP) and cloud computing. The agency must provide for version control, i.e. patch management functionality, to ensure changes, updates or upgrades are not released into the network without proper approval.

Area 11 - Formal Audits: CJAs and NCJAs will be audited against the Policy triennially, at a minimum. These audits will be executed by either the FBI CJIS Audit Unit (CAU) or the state’s lead CJIS Systems Agency (CSA).

Area 12 - Personnel Security: Agencies must provide security screenings consisting of state of residence and national fingerprint-based record checks for all personnel with either physical or logical access to unencrypted CJI. This applies to agency personnel, vendors and contractors.

Area 13 - Mobile Devices: This section provides detailed guidance regarding employing mobile devices, e.g. cellular-enabled smartphones and tablets. Here you’ll find minimum functions required to manage mobile devices and an introduction to the concept of compensating controls in order to bridge the inherent technical limitations of some devices.


  • Interviews with stakeholders, education
  • Inspection and observation-based process
  • Assessment of current security measures
  • Assessment of compliance with CJIS Security Policy
  • Review of policies and procedures
  • Perimeter Security Assessment
  • Physical Security Assessment
  • Actionable remediation activities
  • Optional CJIS-compliant security program development
  • Documentation of results, evidence
  • Final reports – executive and technical


  • Criminal Justice Information (CJI)
  • CJIS Security Policy
  • Administrative, technical, physical controls
  • Policies and procedures
  • Information exchange agreements
  • Security Awareness Training
  • Incident Response
  • Auditing
  • Access Control, Identification, Authentication
  • Configuration Management, System and Communications Protection
  • Media Protection
  • Physical Protection
  • Personnel Protection
  • Mobile Devices and Wireless networks
