Guide · 9 min · For Municipal Owners

What CJIS is, in plain terms

The FBI Criminal Justice Information Services (CJIS) Division publishes the CJIS Security Policy — the set of controls that protects Criminal Justice Information (CJI) wherever it's stored, transmitted, or accessed. CJI includes NCIC query data, state criminal-history records, fingerprint-based background-check data, and anything the FBI defines as criminal justice information.

Any agency that touches CJI — through NCIC, through a state system that feeds NCIC, through a records management system that pulls CJI, through a CAD that connects to dispatch — has to meet the policy. That includes the smallest rural police department, the smallest sheriff's office, the municipality's records clerk who runs background checks.

The 13 policy areas

  1. Information exchange agreements. Written agreements with every entity exchanging CJI with the agency. The MSP contract needs the CJIS Security Addendum.
  2. Security awareness training. Annually for every person with CJI access — sworn officers, civilian dispatchers, records staff, IT support. Documented, with completion records.
  3. Incident response. Written plan, table-top exercise annually, breach-notification process to the state's CJIS Systems Officer (CSO).
  4. Audit and accountability. Audit logging on every CJI-accessing system, retained for the period §5.4 requires (often longer than agencies have configured), and reviewed.
  5. Access control. Least-privilege on every account, separation of duties where staffing allows, session timeouts, account-management procedures.
  6. Identification and authentication. Advanced authentication (CJIS-grade MFA) on every CJI-accessing account, with FIPS-validated authenticators. The detail here matters — some MFA products are not FIPS-validated.
  7. Configuration management. Documented baseline configurations, change control, vulnerability management.
  8. Media protection. Encryption of CJI on portable media; secure disposal of media that held CJI.
  9. Physical protection. CJI workstations in physically secured spaces, with documented access controls.
  10. System and communications protection. FIPS-validated encryption (AES) of CJI at rest and in transit. Network segmentation between CJI-accessing systems and the rest of the agency network.
  11. Formal audits. Triennial CJIS audit by the state CSO, plus internal annual audits.
  12. Personnel security. Fingerprint-based background check on everyone with CJI access — including IT support staff, including remote support technicians. Documented.
  13. Mobile devices. Specific controls on phones, tablets, and laptops that touch CJI — encryption, remote wipe, container separation.

One note on versions: the “13 policy areas” framing comes from CJIS Security Policy v5.9.x, which most agencies still know by heart. The FBI released v6.0 on December 27, 2024, which realigns the policy to NIST SP 800-53 Rev. 5 and reorganizes the content into 20 finer-grained policy areas. The underlying controls below are the same; v6.0 just splits them into more named areas (separating planning, acquisition, maintenance, and integrity monitoring). If your state has adopted v6.0, expect the audit to reference the 20-area structure, but the technical requirements an MSP handles — MFA, encryption, logging, segmentation, screening — carry straight over.

What an MSP can own (and what stays with the agency)

An MSP serving a CJIS environment owns the technical work: the FIPS-validated MFA, the encryption configuration, the audit-log infrastructure, the patching cadence, the EDR, the SOC, the segmented network, the media-encryption tooling. The MSP also signs the CJIS Security Addendum, completes the CJIS security awareness training annually, and submits MSP staff with CJI access for the agency's fingerprint-based background check.

The agency owns the policy work: designating the Local Agency Security Officer (LASO), maintaining the written policies, conducting the annual training for sworn and civilian staff, the physical-security work on the building, the personnel decisions, and the relationship with the state CJIS Systems Officer.

The audit, in practice

Triennial CJIS audits from the state CSO are the formal review. They typically ask for:

  1. The current Information Exchange Agreement and CJIS Security Addendum.
  2. Training completion records for every person with CJI access, current year.
  3. Fingerprint-based background check documentation for every person with CJI access, current.
  4. The MFA configuration evidence — product, FIPS validation status, coverage report.
  5. The encryption configuration evidence — at-rest and in-transit, FIPS validation status.
  6. The audit-log retention configuration and a sample of recent logs.
  7. The written incident-response plan plus the last table-top exercise.
  8. The configuration baseline documents and the change-management records.
  9. The patching SLA evidence.
  10. The network diagram showing CJI segmentation.

If those ten documents are organized in one folder and current, the audit is a one-meeting conversation. If they're not, it's several meetings of getting them in order.

The three most common audit findings

Mobile devices and CJI

The mobile-device policy area (CJIS §5.13) has specific controls when an officer's phone or in-car laptop touches CJI. Required: agency-configured encryption, remote wipe capability, container or workspace separation of CJI from personal data, screen-lock requirements, and access controls. Personal devices with CJI access are generally not acceptable; either the agency issues the device or the BYOD policy meets every §5.13 requirement (rare).

How a Micro-IT engagement works for CJIS-scoped agencies

Municipal clients with a CJI-accessing department (police, sheriff, dispatch) get the standard managed stack with CJIS-specific configuration: FIPS-validated Microsoft Authenticator MFA on every CJI account, FIPS-validated encryption at rest and in transit, a segmented network on the Ubiquiti / UniFi stack with a documented VLAN structure, audit-log retention configured to CJIS requirements, and the SOC's incident-response runbook updated for the CJIS breach-notification flow. The CJIS Security Addendum is signed on contract day. MSP staff with CJI access complete the agency's security awareness training and are submitted for fingerprint-based background checks. See the municipal and county government IT support page for the full vertical posture.

CJI and CHRI: what they are and who can touch them

Criminal Justice Information (CJI) is the broad category the CJIS Security Policy protects — biometric data, identity-history data, biographic data, property data, and case or incident-history data the FBI defines as criminal justice information. Criminal History Record Information (CHRI), sometimes called “rap-sheet” data, is a subset of CJI: the record of arrests, charges, and dispositions tied to an individual. Because CHRI is more sensitive, it carries tighter controls on access, use, and dissemination.

Access to and use of CJI and CHRI is for the administration of criminal justice and certain authorized non-criminal-justice purposes only — for example, running a query during an investigation, or a fingerprint-based background check for a position the law allows. It is restricted to authorized personnel who have completed security awareness training and passed a fingerprint-based background check. It is not for personal use, not for commercial use, and not for sharing outside the receiving agency or other authorized entities. Looking up a neighbor, a date, or a family member is misuse, and misuse is auditable and sanctionable.

The MFA requirement and its deadline

CJIS calls multi-factor authentication “advanced authentication.” Under the Identification and Authentication policy area, every account that can access CJI has to authenticate with two or more different factors — something you know (a PIN or password), something you have (a token, security key, or authenticator app), or something you are (a fingerprint or face scan). A password alone does not meet the requirement.

The hard date is October 1, 2024. As of that date, advanced authentication became a sanctionable, auditable requirement (CJIS Security Policy v5.9.x, §5.6.2.2). An agency without acceptable MFA on every CJI-accessing account can now be cited at audit and, in some states, face denial of access to FBI CJIS resources. The practical work for agencies now: confirm MFA is deployed on every account that touches CJI — including remote-support and admin accounts — and confirm the authenticators meet the FIPS-validation detail, because some common MFA products and generic SMS codes do not qualify.
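The check described above (MFA on every CJI-accessing account, including admin and remote-support accounts, with authenticators that carry FIPS validation and no reliance on SMS codes) is the kind of thing an MSP turns into the "coverage report" auditors ask for. The following is an added example, not code from this page or from Micro-IT: a small Python script that runs that check over a constructed account inventory. It assumes an export from the identity provider in the shape shown, and it takes each authenticator's FIPS-validation status as an input field from the agency's own vendor evidence rather than asserting it for any product.

```python
"""MFA coverage report for CJI-accessing accounts (added example, constructed data).

Each inventory entry records whether the account can reach CJI, which
authenticators are enrolled, and whether each authenticator is FIPS-validated.
The fips_validated flag is supplied as data from the agency's vendor
documentation; nothing here decides that for a real product.
"""
from dataclasses import dataclass, field

# Factor classes. "Something you know" vs "something you have / are".
KNOWLEDGE = {"password", "pin"}
POSSESSION_OR_INHERENCE = {"authenticator_app", "fido2_key", "hardware_token", "biometric"}
NOT_ACCEPTED = {"sms"}  # generic SMS codes do not qualify as the second factor
# Roles the audit looks at most closely: admin and remote-support accounts.
PRIVILEGED_ROLES = {"admin", "remote_support"}


@dataclass
class Authenticator:
    kind: str
    fips_validated: bool = False  # from vendor evidence, supplied as input


@dataclass
class Account:
    name: str
    role: str            # e.g. "officer", "dispatcher", "admin", "remote_support"
    cji_access: bool
    authenticators: list = field(default_factory=list)


def evaluate(account):
    """Return the findings for one CJI-accessing account; an empty list means it passes."""
    findings = []
    kinds = {a.kind for a in account.authenticators}
    if not kinds & KNOWLEDGE:
        findings.append("no knowledge factor (password/PIN) enrolled")
    second = [a for a in account.authenticators if a.kind in POSSESSION_OR_INHERENCE]
    if not second:
        if kinds & NOT_ACCEPTED:
            findings.append("second factor is SMS only, which does not qualify")
        else:
            findings.append("no second factor enrolled (single-factor login)")
    elif not any(a.fips_validated for a in second):
        findings.append("second factor present but not FIPS-validated")
    return findings


def coverage_report(accounts):
    """Summarise MFA coverage over the in-scope (CJI-accessing) accounts."""
    in_scope = [a for a in accounts if a.cji_access]
    findings = {a.name: evaluate(a) for a in in_scope}
    failing = {name: f for name, f in findings.items() if f}
    privileged_failing = sorted(
        a.name for a in in_scope if a.role in PRIVILEGED_ROLES and findings[a.name]
    )
    return {
        "in_scope": len(in_scope),
        "compliant": len(in_scope) - len(failing),
        "findings": failing,
        "privileged_failing": privileged_failing,
    }


# Constructed inventory: one compliant account and three typical gaps.
SAMPLE_INVENTORY = [
    Account("jsmith", "officer", True,
            [Authenticator("password"), Authenticator("authenticator_app", fips_validated=True)]),
    Account("dispatch1", "dispatcher", True,
            [Authenticator("password"), Authenticator("sms")]),
    Account("svc-admin", "admin", True,
            [Authenticator("password")]),
    Account("vendor-remote", "remote_support", True,
            [Authenticator("password"), Authenticator("authenticator_app", fips_validated=False)]),
    Account("clerk-finance", "clerk", False,
            [Authenticator("password")]),  # no CJI access: out of scope
]


def sample_report():
    return coverage_report(SAMPLE_INVENTORY)


if __name__ == "__main__":
    report = sample_report()
    print(f"{report['compliant']}/{report['in_scope']} CJI-accessing accounts compliant")
    for name, findings in report["findings"].items():
        print(f"  {name}: {'; '.join(findings)}")
    print("privileged accounts failing:", ", ".join(report["privileged_failing"]))
```

The out-of-scope account is deliberately included to show that the report is driven by CJI access, not by job title; the privileged list is separated out because admin and remote-support accounts are the ones auditors most often find uncovered.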

Does CJIS compliance apply in the cloud?

Yes. CJI in a cloud service is still CJI, and the policy follows the data. The common question — “is AWS CJIS compliant?” — has a precise answer: the FBI does not certify cloud providers. There is no FBI stamp that makes a platform “CJIS certified.” What providers like AWS GovCloud (US) and Microsoft Azure Government do is build environments capable of meeting the policy and sign the CJIS Security Addendum with the state, which puts their personnel through fingerprint-based screening and binds them to the controls.

That leaves a shared-responsibility model. The provider secures the infrastructure; the agency is still responsible for how CJI is configured, encrypted, access-controlled, and logged inside that environment — and for proving each control at audit. Choosing GovCloud or Azure Government does not transfer compliance; it makes compliance achievable. The agency, and its MSP, still own the configuration and the evidence.

Frequently asked questions

What is CJIS compliance?
CJIS compliance means adhering to the FBI Criminal Justice Information Services Security Policy — a published set of controls that protects Criminal Justice Information (CJI) wherever it's stored, transmitted, or accessed. Any agency that accesses NCIC, state criminal-history databases, or CJI through an integrated system has to meet the policy.

Does CJIS apply to small police departments?
Yes. CJIS applies to any law-enforcement agency that touches CJI, regardless of size. The same 13 policy areas apply to a three-officer rural department as to a city police force, though the scoping and audit cadence differ by state.

What does CJIS require for IT specifically?
The 13 policy areas cover: information exchange agreements, security awareness training, incident response, audit and accountability, access control, identification and authentication (FIPS-validated advanced authentication on every CJI-accessing account), configuration management, media protection, physical protection of CJI workstations, system and communications protection (FIPS-validated encryption), formal audits, personnel security (fingerprint-based background checks for everyone with CJI access, including IT staff), and mobile devices. Each has specific control requirements.

Does my MSP need to be CJIS-compliant for me to use them?
Any MSP staff who can access CJI — even unintentionally, through remote support sessions or admin access — must meet the personnel screening requirements (fingerprint-based background check) and complete the security awareness training. They must also be covered by the agency's CJIS Security Addendum to the MSP contract. The MSP itself doesn't have a separate certification; the requirement is on the people who touch the system.

What's the most common CJIS audit finding?
Three patterns: missing or incomplete advanced authentication (MFA on every CJI-accessing account, with the FIPS-validated requirement that some MFA products don't meet); incomplete audit-log retention (CJIS requires retention per Policy §5.4, often longer than agencies are configured for); and missing personnel-security documentation for the IT support staff who can remote into CJI workstations.

Who needs to be CJIS compliant?
Any agency or person that accesses, stores, or transmits Criminal Justice Information. That covers police departments, sheriff's offices, and dispatch centers of every size, plus the municipal staff who run background checks. It also reaches the vendors and IT support staff who can touch CJI — including an MSP's remote-support technicians. The requirement follows the data, not the job title, so anyone with logical or physical access to CJI is in scope.

What is the CJIS MFA deadline?
October 1, 2024. As of that date, advanced authentication (multi-factor authentication on every CJI-accessing account) became a sanctionable, auditable requirement under the CJIS Security Policy (v5.9.x, §5.6.2.2). MFA must use two or more factors — something you know, something you have, or something you are — and the authenticators must meet the policy's FIPS-validation detail. A password alone does not satisfy it.

Is AWS CJIS compliant?
The FBI does not certify cloud providers, so no platform is “CJIS certified” in itself. AWS GovCloud (US) and Microsoft Azure Government build environments capable of meeting the policy and sign the CJIS Security Addendum with the state, which screens their personnel and binds them to the controls. Under the shared-responsibility model, the agency still owns how CJI is configured, encrypted, access-controlled, and logged inside that environment — and still has to prove each control at audit.

What's the difference between CJI and CHRI?
Criminal Justice Information (CJI) is the broad category the policy protects — biometric, identity-history, biographic, property, and case or incident data. Criminal History Record Information (CHRI), or “rap-sheet” data, is a subset of CJI: the record of arrests, charges, and dispositions tied to a person. Because CHRI is more sensitive, it carries tighter controls on access, use, and dissemination. Both are for the administration of justice and authorized purposes only, by authorized personnel.
