Guide · 9 min · For Municipal Owners

What CJIS is, in plain terms

The FBI Criminal Justice Information Services (CJIS) Division publishes the CJIS Security Policy — the set of controls that protects Criminal Justice Information (CJI) wherever it's stored, transmitted, or accessed. CJI includes NCIC query data, state criminal-history records, fingerprint-based background-check data, and anything the FBI defines as criminal justice information.

Any agency that touches CJI — through NCIC, through a state system that feeds NCIC, through a records management system that pulls CJI, through a CAD that connects to dispatch — has to meet the policy. That includes the smallest rural police department, the smallest sheriff's office, the municipality's records clerk who runs background checks.

The 13 policy areas

  1. Information exchange agreements. Written agreements with every entity exchanging CJI with the agency. The MSP contract needs the CJIS Security Addendum.
  2. Security awareness training. Annually for every person with CJI access — sworn officers, civilian dispatchers, records staff, IT support. Documented, with completion records.
  3. Incident response. Written plan, table-top exercise annually, breach-notification process to the state's CJIS Systems Officer (CSO).
  4. Audit and accountability. Audit logging on every CJI-accessing system, retained for the period §5.4 requires (often longer than agencies are configured for), and reviewed on a regular schedule.
  5. Access control. Least-privilege on every account, separation of duties where staffing allows, session timeouts, account-management procedures.
  6. Identification and authentication. Advanced authentication (CJIS-grade MFA) on every CJI-accessing account, with FIPS-validated authenticators. The detail here matters — some MFA products are not FIPS-validated.
  7. Configuration management. Documented baseline configurations, change control, vulnerability management.
  8. Media protection. Encryption of CJI on portable media; secure disposal of media that held CJI.
  9. Physical protection. CJI workstations in physically secured spaces, with documented access controls.
  10. System and communications protection. FIPS-validated encryption (AES) of CJI at rest and in transit. Network segmentation between CJI-accessing systems and the rest of the agency network.
  11. Formal audits. Triennial CJIS audit by the state CSO, plus internal annual audits.
  12. Personnel security. Fingerprint-based background check on everyone with CJI access — including IT support staff, including remote support technicians. Documented.
  13. Mobile devices. Specific controls on phones, tablets, and laptops that touch CJI — encryption, remote wipe, container separation.

What an MSP can own (and what stays with the agency)

An MSP serving a CJIS environment owns the technical work: the FIPS-validated MFA, the encryption configuration, the audit-log infrastructure, the patching cadence, the EDR, the SOC, the segmented network, the media-encryption tooling. The MSP also signs the CJIS Security Addendum, completes the CJIS security awareness training annually, and submits MSP staff with CJI access for the agency's fingerprint-based background check.

The agency owns the policy work: designating the Local Agency Security Officer (LASO), maintaining the written policies, conducting the annual training for sworn and civilian staff, the physical-security work on the building, the personnel decisions, and the relationship with the state CJIS Systems Officer.

The audit, in practice

Triennial CJIS audits from the state CSO are the formal review. They typically ask for:

  1. The current Information Exchange Agreement and CJIS Security Addendum.
  2. Training completion records for every person with CJI access, current year.
  3. Fingerprint-based background check documentation for every person with CJI access, current.
  4. The MFA configuration evidence — product, FIPS validation status, coverage report.
  5. The encryption configuration evidence — at-rest and in-transit, FIPS validation status.
  6. The audit-log retention configuration and a sample of recent logs.
  7. The written incident-response plan plus the last table-top exercise.
  8. The configuration baseline documents and the change-management records.
  9. The patching SLA evidence.
  10. The network diagram showing CJI segmentation.

If those ten documents are organized in one folder and current, the audit is a one-meeting conversation. If they're not, it's several meetings of getting them in order.

The three most common audit findings

  1. Missing or incomplete advanced authentication: MFA on every CJI-accessing account, with the FIPS-validated requirement that some MFA products don't meet.
  2. Incomplete audit-log retention: CJIS requires retention per Policy §5.4, often longer than agencies are configured for.
  3. Missing personnel-security documentation for the IT support staff who can remote into CJI workstations.

Mobile devices and CJI

The mobile-device policy area (CJIS §5.13) has specific controls when an officer's phone or in-car laptop touches CJI. Required: agency-configured encryption, remote wipe capability, container or workspace separation of CJI from personal data, screen-lock requirements, and access controls. Personal devices with CJI access are generally not acceptable; either the agency issues the device or the BYOD policy meets every §5.13 requirement (rare).

How a Micro-IT engagement works for CJIS-scoped agencies

Municipal clients with a CJI-accessing department (police, sheriff, dispatch) get the standard managed stack with CJIS-specific configuration: FIPS-validated Microsoft Authenticator MFA on every CJI account, FIPS-validated encryption at rest and in transit, a segmented network on the Ubiquiti UniFi stack with a documented VLAN structure, audit-log retention configured to CJIS requirements, and the SOC's incident-response runbook updated for the CJIS breach-notification flow. The CJIS Security Addendum is signed on contract day. MSP staff with CJI access complete the agency's security awareness training and are submitted for fingerprint-based background checks. See the municipal IT page for the full vertical posture.

Frequently asked questions

What is CJIS compliance?

CJIS compliance means adhering to the FBI Criminal Justice Information Services Security Policy — a published set of controls that protects Criminal Justice Information (CJI) wherever it's stored, transmitted, or accessed. Any agency that accesses NCIC, state criminal-history databases, or CJI through an integrated system has to meet the policy.

Does CJIS apply to small police departments?

Yes. CJIS applies to any law-enforcement agency that touches CJI, regardless of size. The same 13 policy areas apply to a three-officer rural department as to a city police force, though the scoping and audit cadence differ by state.

What does CJIS require for IT specifically?

The 13 policy areas cover: information exchange agreements, security awareness training, incident response, audit and accountability, access control, identification and authentication (FIPS-validated advanced authentication on every CJI-accessing account), configuration management, media protection, physical protection of CJI workstations, system and communications protection (FIPS-validated encryption), formal audits, personnel security (fingerprint-based background checks for everyone with CJI access, including IT staff), and mobile devices. Each has specific control requirements.

Does my MSP need to be CJIS-compliant for me to use them?

Any MSP staff who can access CJI — even unintentionally, through remote support sessions or admin access — must meet the personnel screening requirements (fingerprint-based background check) and complete the security awareness training. They must also be covered by the agency's CJIS Security Addendum to the MSP contract. The MSP itself doesn't have a separate certification; the requirement is on the people who touch the system.

What's the most common CJIS audit finding?

Three patterns: missing or incomplete advanced authentication (MFA on every CJI-accessing account, with the FIPS-validated requirement that some MFA products don't meet); incomplete audit-log retention (CJIS requires retention per Policy §5.4, often longer than agencies are configured for); and missing personnel-security documentation for the IT support staff who can remote into CJI workstations.