Criminal Justice Information Services Security Policy
Strict requirements for any organization accessing or storing US criminal justice data.
What Is CJIS?
The Criminal Justice Information Services (CJIS) Security Policy is published by the FBI. It outlines the minimum set of security requirements that must be met by any organization accessing, storing, or transmitting Criminal Justice Information (CJI).
CJI includes data like fingerprint records, criminal backgrounds, identity history summaries, and case/incident reports. If your software touches this data, you must comply with the CJIS Security Policy.
CJIS compliance is unique because it is managed at the state level by a CJIS Systems Agency (CSA), not federally. A vendor must sign a CJIS Security Addendum and go through compliance checks (often including state-level audits) in every single state they operate in.
Does CJIS Apply to Your Organisation?
Understanding typical procurement requirements and compliance thresholds.
GovTech SaaS Platforms
Software for courts, parole boards, or police departments (like evidence management, CAD/RMS systems) constantly processes CJI.
Cloud Infrastructure Providers
AWS and Azure have dedicated GovCloud regions that sign CJIS Addendums, allowing downstream vendors to host CJI.
Background Check/Identity Vendors
APIs that pull criminal history or run AFIS fingerprint checks must strictly adhere to CJIS requirements.
- Companies selling generic B2B software to local governments that does not interface with the police, courts, or criminal databases.
- Federal contractors who only handle DoD CUI (they need CMMC/FedRAMP, not CJIS).
Why CJIS Matters in 2026
Understanding the current regulatory pressures and market adoption vectors.
State-Level Audits
State CSAs are heavily auditing municipal police departments. If the police department is using your non-compliant SaaS, they will be forced to rip it out immediately.
Cloud Migration
As local police departments move from on-premise servers to the cloud, vendors must prove they can secure CJI in a multi-tenant cloud environment.
Stricter Authentication Rules
Recent updates to the CJIS policy strictly mandate Advanced Authentication (MFA) for anyone with logical access to CJI, catching many legacy vendors off guard.
The Requirements
The core security controls and evidence parameters audited for CJIS.
How Long Does It Take?
A realistic phase-by-phase implementation roadmap for CJIS.
Architecture & Encryption Build
Migrate the application to a CJIS-compliant cloud (like AWS GovCloud). Implement FIPS-validated encryption and strict logical access controls.
Personnel Background Checks
This takes notoriously long. Identify all devs/admins who need production access. Submit their fingerprints to the state CSA for clearance.
Policy & Addendum Execution
Finalize internal CJIS policies, conduct required security awareness training, and sign the CJIS Security Addendum with the client agency.
With Existing Certifications
3-4 months: If you are FedRAMP Moderate, your technical controls (like FIPS) are fine. You just have to endure the agonizing administrative process of state-by-state fingerprinting.
Starting from Scratch
6-9 months: Architecting for FIPS encryption and migrating to GovCloud takes significant time, even before you start the background check process.
The Mistakes That Delay Most CJIS Programs
Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.
Assuming one CJIS audit covers all states
CJIS compliance is decentralized. Being approved by Texas does not mean California will approve you. You have to submit to the CSA process in every state where you have clients.
Build a standardized CJIS compliance packet (Architecture diagrams, FIPS certs, policies) that you can hand to every state CSA to speed up their review.
Offshore development accessing production
Only individuals who have passed the US fingerprint background check can access CJI. You generally cannot use offshore support teams if they have logical access to the production database.
Strictly segment development from production. Anonymize/dummy data for developers. Only cleared US personnel get production DB access.
Using standard commercial cloud
While not strictly forbidden, meeting CJIS physical security requirements in a standard commercial cloud is nearly impossible because the cloud provider won't sign the CJIS Addendum.
Use AWS GovCloud or Azure Government. They sign the CJIS Addendums and have cleared personnel manning the physical servers.
Rishabh's Take on CJIS
Practitioner Voice“CJIS is uniquely painful not because the technical controls are hard, but because of the personnel requirements. For a tech startup used to hiring developers globally and giving everyone production access to debug, CJIS breaks your entire operating model. You have to restrict production access to a handful of US citizens who have passed FBI fingerprint checks. If you are entering the GovTech space, build a highly segregated 'Gov' environment from day one, and automate your deployments so developers never need to SSH into production.”
Related Resources
Articles, guides, and tools to accelerate your compliance program.
CJIS Insights
Read practical security, engineering, and audit management playbooks from the GRC hub.
CJIS Checklist
Assess your baseline control posture against CJIS criteria in 10 minutes.
Compare Frameworks
Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.
Frequently Asked Questions
Common queries about CJIS compliance and certification processes.