CJIS
Getting Started Guide

Criminal Justice Information Services Security Policy

Strict requirements for any organization accessing or storing US criminal justice data.

Audit Effort6–9 months for compliance
Key FactRequires fingerprint-based background checks for all staff with logical access.

What Is CJIS?

The Criminal Justice Information Services (CJIS) Security Policy is published by the FBI. It outlines the minimum set of security requirements that must be met by any organization accessing, storing, or transmitting Criminal Justice Information (CJI).

CJI includes data like fingerprint records, criminal backgrounds, identity history summaries, and case/incident reports. If your software touches this data, you must comply with the CJIS Security Policy.

CJIS compliance is unique because it is managed at the state level by a CJIS Systems Agency (CSA), not federally. A vendor must sign a CJIS Security Addendum and go through compliance checks (often including state-level audits) in every single state they operate in.

Does CJIS Apply to Your Organisation?

Understanding typical procurement requirements and compliance thresholds.

GovTech SaaS Platforms

Software for courts, parole boards, or police departments (like evidence management, CAD/RMS systems) constantly processes CJI.

Mandatory

Cloud Infrastructure Providers

AWS and Azure have dedicated GovCloud regions that sign CJIS Addendums, allowing downstream vendors to host CJI.

Mandatory

Background Check/Identity Vendors

APIs that pull criminal history or run AFIS fingerprint checks must strictly adhere to CJIS requirements.

Mandatory
You probably don't need CJIS if:
  • Companies selling generic B2B software to local governments that does not interface with the police, courts, or criminal databases.
  • Federal contractors who only handle DoD CUI (they need CMMC/FedRAMP, not CJIS).

Why CJIS Matters in 2026

Understanding the current regulatory pressures and market adoption vectors.

State-Level Audits

State CSAs are heavily auditing municipal police departments. If the police department is using your non-compliant SaaS, they will be forced to rip it out immediately.

Cloud Migration

As local police departments move from on-premise servers to the cloud, vendors must prove they can secure CJI in a multi-tenant cloud environment.

Stricter Authentication Rules

Recent updates to the CJIS policy strictly mandate Advanced Authentication (MFA) for anyone with logical access to CJI, catching many legacy vendors off guard.

The Requirements

The core security controls and evidence parameters audited for CJIS.

How Long Does It Take?

A realistic phase-by-phase implementation roadmap for CJIS.

1
Weeks 1-8

Architecture & Encryption Build

Migrate the application to a CJIS-compliant cloud (like AWS GovCloud). Implement FIPS-validated encryption and strict logical access controls.

Key Deliverable:Compliant cloud architecture, FIPS encryption deployed
2
Weeks 9-16

Personnel Background Checks

This takes notoriously long. Identify all devs/admins who need production access. Submit their fingerprints to the state CSA for clearance.

Key Deliverable:Cleared personnel list, restricted access groups
3
Weeks 17-20

Policy & Addendum Execution

Finalize internal CJIS policies, conduct required security awareness training, and sign the CJIS Security Addendum with the client agency.

Key Deliverable:Signed Addendums, Training certificates
With Existing Certifications

3-4 months: If you are FedRAMP Moderate, your technical controls (like FIPS) are fine. You just have to endure the agonizing administrative process of state-by-state fingerprinting.

Starting from Scratch

6-9 months: Architecting for FIPS encryption and migrating to GovCloud takes significant time, even before you start the background check process.

The Mistakes That Delay Most CJIS Programs

Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.

Assuming one CJIS audit covers all states

Why it happens:

CJIS compliance is decentralized. Being approved by Texas does not mean California will approve you. You have to submit to the CSA process in every state where you have clients.

How to avoid it:

Build a standardized CJIS compliance packet (Architecture diagrams, FIPS certs, policies) that you can hand to every state CSA to speed up their review.

Offshore development accessing production

Why it happens:

Only individuals who have passed the US fingerprint background check can access CJI. You generally cannot use offshore support teams if they have logical access to the production database.

How to avoid it:

Strictly segment development from production. Anonymize/dummy data for developers. Only cleared US personnel get production DB access.

Using standard commercial cloud

Why it happens:

While not strictly forbidden, meeting CJIS physical security requirements in a standard commercial cloud is nearly impossible because the cloud provider won't sign the CJIS Addendum.

How to avoid it:

Use AWS GovCloud or Azure Government. They sign the CJIS Addendums and have cleared personnel manning the physical servers.

Loading Kickstart state...

Related Resources

Articles, guides, and tools to accelerate your compliance program.

Insights & Playbooks

CJIS Insights

Read practical security, engineering, and audit management playbooks from the GRC hub.

Visit the GRC Blog
Readiness Tools

CJIS Checklist

Assess your baseline control posture against CJIS criteria in 10 minutes.

Start Assessment
Decision Engine

Compare Frameworks

Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.

Start Framework Finder

Frequently Asked Questions

Common queries about CJIS compliance and certification processes.