Introduction: The FBI CJIS Security Policy
The Criminal Justice Information Services (CJIS) Security Policy is the definitive information-security framework governing the creation, viewing, modification, transmission, dissemination, storage and destruction of Criminal Justice Information (CJI) throughout the United States. Issued and maintained by the Federal Bureau of Investigation (FBI) CJIS Division, the Policy binds every entity that touches data drawn from national criminal-justice systems such as the National Crime Information Center (NCIC), the Interstate Identification Index (III), the National Instant Criminal Background Check System (NICS), the Next Generation Identification (NGI) biometric repository and the International Justice and Public Safety Network (Nlets).
Unlike a voluntary best-practice standard, the CJIS Security Policy is a mandatory condition of access: a state, county, municipal or tribal agency, and any private contractor or cloud provider acting on their behalf, may not receive or process CJI unless it can demonstrate conformance. The Policy is enforced through triennial audits performed by the FBI CJIS Audit Unit (CAU) and by the CJIS Systems Agency (CSA) in each state, and non-compliance can result in suspension of a terminal's connection to the national systems. This guide provides an auditor-grade, control-by-control deep-dive for CISOs, compliance leaders and assessors preparing for a CJIS audit.
Copyright and source note
This guide is an original CyberSigma interpretation written for educational and readiness purposes. It paraphrases obligations and does not reproduce the FBI's copyrighted text. The CJIS Security Policy (currently the 6.x series, with version 5.9.x being the long-standing predecessor) is published by the FBI CJIS Division and is available at no cost. Always work from the current authoritative version issued by the FBI and by your state's CJIS Systems Officer (CSO); requirement identifiers and effective dates cited here reflect the Policy's alignment with NIST SP 800-53 and are provided for planning only.
What is the CJIS Security Policy?
The CJIS Security Policy is a single, integrated document that establishes a minimum set of security requirements and controls to protect the full lifecycle of Criminal Justice Information. Its stated purpose is to provide appropriate controls to protect CJI, from creation through dissemination, whether at rest or in transit, and to ensure that only authorised, trained and vetted personnel access that data. The Policy applies uniformly regardless of the underlying information technology, and it explicitly presumes that CJI must be protected to the same standard whether processed on a mainframe, a mobile device, a virtualised environment or a public cloud.
A defining characteristic of the modern Policy is its adoption of the NIST SP 800-53 control catalogue as its backbone. Beginning with the 5.9.x releases and formalised in the 6.0 restructuring effective 1 October 2024, the Policy reorganised its requirements into the eighteen NIST 800-53 control families supplemented by CJIS-specific augmentations. This alignment means an agency that is maturing towards a NIST-based programme finds significant overlap, while the CJIS additions (such as the advanced authentication requirements, the Security Awareness Training cadence, and the Criminal Justice Agency versus Non-Criminal Justice Agency distinctions) remain unique. The Policy also defines the CJIS Advisory Policy Board (APB) process by which changes are proposed, debated and ratified.
- Scope of data: Criminal History Record Information (CHRI), NCIC data, biometric data (fingerprints, facial images, iris), identity history, case/incident records, and property and person data derived from FBI CJIS systems.
- Governing bodies: FBI CJIS Division, the CJIS Advisory Policy Board (APB), the five Working Groups, and the CJIS Systems Agency (CSA) and CJIS Systems Officer (CSO) in each state.
- Enforcement: triennial (every three years) compliance audits by the FBI CAU of each CSA, and CSA audits of local agencies and contractors.
- Legal underpinning: the Policy operationalises federal statutes and Title 28 CFR Part 20 governing the exchange of criminal history record information.
Who must comply: scope of applicability
The Policy reaches far beyond sworn law-enforcement officers. Any individual or organisation with access to, or that operates in support of, CJI must comply. This deliberately broad reach captures IT vendors, cloud service providers, dispatch centres, records-management vendors and even cleaning or maintenance staff who could physically access areas where CJI is processed. The table below summarises the principal categories of affected parties.
| Party / role | Applicability and obligation |
|---|---|
| Criminal Justice Agency (CJA) | Courts, police, prosecutors, corrections and probation agencies performing the administration of criminal justice; full Policy applies and the agency is directly accountable to its CSA. |
| Non-Criminal Justice Agency (NCJA) | Agencies performing background checks for licensing/employment (e.g., schools, banking regulators); access is more restricted and typically governed by a specific statutory authority and an Outsourcing/Management Control Agreement. |
| CJIS Systems Agency (CSA) / CSO | The state-level agency (often the State Police) and its appointed CJIS Systems Officer responsible for administering the Policy, approving connections and conducting local audits. |
| Local Agency Security Officer (LASO) | Designated at each agency to be the point of contact for security matters, maintain topology, and report incidents to the CSA/CSO. |
| Private contractors / vendors | Any third party (software vendor, integrator, managed service provider) that stores, processes or transmits CJI; must sign the CJIS Security Addendum and be subject to the same personnel vetting. |
| Cloud service providers (CSPs) | Providers hosting CJI must contractually accept CJIS obligations, support required encryption and personnel screening, and enable the agency's shared-responsibility controls. |
| Interstate / Nlets participants | Agencies exchanging data across state lines via Nlets and the III inherit the same protection duties for received CJI. |
- Geographic reach: all US states, territories, and tribal nations connected to CJIS systems, plus their contractors wherever located.
- Physical scope: any physically secure location where CJI is stored, processed or transmitted, and any 'controlled area' with temporary safeguards.
- Personnel scope: every person with unescorted access to CJI or to the physically secure location must undergo fingerprint-based state and national background checks.
Structure of the CJIS Security Policy
Since the 6.0 restructuring, the Policy is organised around the eighteen NIST SP 800-53 control families, each mapped to CJIS-specific requirements and augmentations. Earlier releases (5.x) used thirteen numbered 'Policy Areas', and many agencies still think in those terms during transition, so both structures are shown below. The control-family view is now authoritative for audit purposes.
| Control family (ID) | Focus area within CJIS |
|---|---|
| Access Control (AC) | Account management, least privilege, session control, remote access, wireless and mobile access to CJI. |
| Awareness and Training (AT) | Role-based security awareness training, biennial refresh, and specialised training for privileged users. |
| Audit and Accountability (AU) | Event logging, log content, retention, review and protection of audit records. |
| Assessment, Authorization and Monitoring (CA) | Security assessments, interconnection agreements, POA&M and continuous monitoring. |
| Configuration Management (CM) | Baseline configurations, change control, least functionality and software inventory. |
| Contingency Planning (CP) | Backups, recovery, and continuity of CJI availability. |
| Identification and Authentication (IA) | Unique identification, advanced (multi-factor) authentication, and authenticator management. |
| Incident Response (IR) | Detection, reporting to the CSA/FBI, handling and post-incident learning. |
| Maintenance (MA) | Controlled and remote maintenance, and sanitisation of maintenance tools. |
| Media Protection (MP) | Media marking, storage, transport, sanitisation and destruction of CJI media. |
| Physical and Environmental Protection (PE) | Physically secure locations, controlled areas, visitor control and monitoring. |
| Planning (PL) | System security plans, rules of behaviour and security architecture. |
| Personnel Security (PS) | Fingerprint-based screening, position risk designation, and access termination. |
| Risk Assessment (RA) | Risk assessments, vulnerability scanning and risk response. |
| System and Services Acquisition (SA) | Acquisition process, developer security, and the CJIS Security Addendum for outsourcing. |
| System and Communications Protection (SC) | Boundary protection, encryption in transit/at rest (FIPS 140 validated), and partitioning. |
| System and Information Integrity (SI) | Flaw remediation, malicious code protection, monitoring and error handling. |
| Personally Identifiable Information Processing and Transparency (PT) / Supply Chain (SR) | PII handling, and supply-chain risk management for CJI systems (newer families). |

| Legacy Policy Area (5.x) | Description |
|---|---|
| Policy Area 1 | Information Exchange Agreements |
| Policy Area 2 | Security Awareness Training |
| Policy Area 3 | Incident Response |
| Policy Area 4 | Auditing and Accountability |
| Policy Area 5 | Access Control |
| Policy Area 6 | Identification and Authentication |
| Policy Area 7 | Configuration Management |
| Policy Area 8 | Media Protection |
| Policy Area 9 | Physical Protection |
| Policy Area 10 | Systems and Communications Protection and Information Integrity |
| Policy Area 11 | Formal Audits |
| Policy Area 12 | Personnel Security |
| Policy Area 13 | Mobile Devices |
Master assessment checklist
This is the core of the guide. Each control family below is enumerated with concrete verification points and the typical evidence an auditor expects. Use these tables directly as your assessment workbook; every CJIS control area is covered so that nothing is skipped during a mock audit or readiness review.
AC — Access Control
| What to verify | Typical evidence |
|---|---|
| Accounts are uniquely identified, authorised and reviewed; shared/generic accounts prohibited | Account inventory, access-authorisation forms, quarterly access-review records |
| Least privilege and separation of duties enforced for CJI access | Role definitions, permission matrices, privileged-access approvals |
| Sessions lock after inactivity and terminate appropriately | Endpoint lock policy (typically session lock on inactivity), GPO/MDM screenshots |
| Remote access to CJI uses encrypted, authenticated channels with advanced authentication | VPN configuration, MFA logs, remote-access policy |
| Wireless and mobile access controls (WPA2/WPA3 enterprise, MDM) applied | Wireless config, MDM enrolment records, mobile-device policy |
| Unsuccessful logon attempts trigger lockout | Authentication policy, lockout threshold configuration |
AT — Awareness and Training
| What to verify | Typical evidence |
|---|---|
| Security awareness training completed before CJI access and refreshed at least biennially | Training completion certificates, LMS records with dates |
| Role-based training differentiates basic users, privileged users and physically-only access personnel | Training curriculum by role, attendance logs |
| Training covers incident reporting, media handling, social engineering and sanctions | Course content, acknowledgement forms |
| Records retained and available to CSA auditors | Training register mapped to personnel roster |
AU — Audit and Accountability
| What to verify | Typical evidence |
|---|---|
| Auditable events defined (successful/failed logons, CJI access, privilege use, config changes) | Logging policy, event-type list |
| Log records capture who, what, when, where and outcome | Sample log entries showing required content fields |
| Audit logs retained per Policy (commonly minimum one year, with events available for CSA review) | Retention configuration, SIEM retention policy |
| Logs reviewed regularly (e.g., weekly) and anomalies investigated | Review sign-off sheets, SIEM alert tickets |
| Audit records protected from unauthorised access, modification and deletion | Access controls on SIEM, log integrity/immutability settings |
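
The AC and AU rows above describe what an auditor samples; the following Python script, added here as an example and not part of the original guide, runs those checks over a few constructed SIEM-style log lines: records missing any of the who/what/when/where/outcome fields, generic account names that defeat unique identification, clusters of failed logons that an enforced lockout threshold should have prevented, and whether the retained history reaches the one-year floor. The field names, lockout threshold and window, shared-account list and review date are assumptions, not values from the Policy.

```python
"""Evidence check for the AC and AU rows of the CJIS master checklist.

Constructed sample records, not output from any real CJI system. Field names,
lockout threshold/window, shared-account names and the review date are
assumptions; take real values from your logging and authentication policies.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# AU: each record must answer who, what, when, where and with what outcome.
REQUIRED_FIELDS = ("user", "action", "timestamp", "source", "outcome")
# AU: the guide cites a commonly applied minimum retention of one year.
RETENTION_FLOOR_DAYS = 365
# AC: lockout threshold and window (assumed values, not from the Policy).
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=15)
# AC: generic names that defeat unique identification (assumed list).
SHARED_ACCOUNT_NAMES = {"admin", "dispatch", "records", "shared", "guest"}
# Assumed date on which the review is run.
REVIEW_TIME = datetime(2025, 2, 5, tzinfo=timezone.utc)

# Constructed sample: one JSON object per line, as a SIEM export might produce.
SAMPLE_LOG = """\
{"timestamp":"2024-01-03T08:00:00Z","user":"jdoe","action":"ncic_query","source":"10.1.2.3","outcome":"success"}
{"timestamp":"2024-03-11T09:15:00Z","user":"dispatch","action":"logon","source":"10.1.2.9","outcome":"success"}
{"timestamp":"2024-06-20T10:00:00Z","user":"asmith","action":"logon","source":"10.1.2.4"}
{"timestamp":"2025-02-01T12:00:00Z","user":"rlee","action":"logon","source":"198.51.100.7","outcome":"failure"}
{"timestamp":"2025-02-01T12:02:00Z","user":"rlee","action":"logon","source":"198.51.100.7","outcome":"failure"}
{"timestamp":"2025-02-01T12:04:00Z","user":"rlee","action":"logon","source":"198.51.100.7","outcome":"failure"}
{"timestamp":"2025-02-01T12:06:00Z","user":"rlee","action":"logon","source":"198.51.100.7","outcome":"failure"}
{"timestamp":"2025-02-01T12:08:00Z","user":"rlee","action":"logon","source":"198.51.100.7","outcome":"failure"}
{"timestamp":"2025-02-01T13:00:00Z","user":"jdoe","action":"logon","source":"10.1.2.3","outcome":"failure"}
{"timestamp":"2025-02-03T13:00:00Z","user":"jdoe","action":"logon","source":"10.1.2.3","outcome":"failure"}
"""


def parse_records(text):
    """Parse JSON lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_time(value):
    """Parse an ISO-8601 UTC timestamp written with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_required_fields(records):
    """(index, missing_fields) for every record failing the AU content rule."""
    findings = []
    for idx, rec in enumerate(records):
        missing = tuple(f for f in REQUIRED_FIELDS if f not in rec)
        if missing:
            findings.append((idx, missing))
    return findings


def check_shared_accounts(records):
    """Generic account names seen in the log (AC: unique identification)."""
    return sorted({r["user"] for r in records if r.get("user") in SHARED_ACCOUNT_NAMES})


def detect_lockout_candidates(records):
    """Users whose failed logons inside LOCKOUT_WINDOW reach LOCKOUT_THRESHOLD.

    With lockout enforced, that many failures should not fit in one window,
    so a hit is a lockout-configuration finding to investigate.
    """
    failures = defaultdict(list)
    for rec in records:
        if rec.get("action") == "logon" and rec.get("outcome") == "failure":
            failures[rec["user"]].append(parse_time(rec["timestamp"]))
    candidates = {}
    for user, times in failures.items():
        times.sort()
        peak, j = 0, 0
        for i in range(len(times)):  # sliding window over the sorted times
            while j < len(times) and times[j] - times[i] <= LOCKOUT_WINDOW:
                j += 1
            peak = max(peak, j - i)
        if peak >= LOCKOUT_THRESHOLD:
            candidates[user] = peak
    return candidates


def retention_span_days(records, now=REVIEW_TIME):
    """Whole days between the oldest retained record and the review time."""
    oldest = min(parse_time(r["timestamp"]) for r in records)
    return (now - oldest).days


def review_report(text, now=REVIEW_TIME):
    """Run every check and return the findings an auditor would sample."""
    records = parse_records(text)
    span = retention_span_days(records, now)
    return {
        "records": len(records),
        "missing_fields": check_required_fields(records),
        "shared_accounts": check_shared_accounts(records),
        "lockout_candidates": detect_lockout_candidates(records),
        "retention_days": span,
        "retention_ok": span >= RETENTION_FLOOR_DAYS,
    }


if __name__ == "__main__":
    for key, value in review_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Each non-empty finding maps to a row of the AC or AU table, so the report can be filed with the weekly review sign-off as operational evidence rather than documented intent alone.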
CA — Assessment, Authorization and Monitoring
| What to verify | Typical evidence |
|---|---|
| Periodic security control assessments conducted | Assessment reports, self-assessment records |
| Interconnection/information-exchange agreements in place for each CJI connection | Signed MOUs, interagency agreements, connection approvals |
| Plan of Action and Milestones (POA&M) tracks and remediates findings | POA&M register with owners and target dates |
| Continuous monitoring strategy implemented | Continuous monitoring plan, monitoring dashboards |
CM — Configuration Management
| What to verify | Typical evidence |
|---|---|
| Documented, approved baseline configurations for CJI systems | Hardening standards, baseline documents (CIS/DISA STIG references) |
| Change control process governs modifications | Change tickets, CAB minutes, change-approval records |
| Least functionality: unnecessary services, ports and protocols disabled | Port/service scans, configuration reports |
| Authorised software inventory maintained and unauthorised software prevented | Software inventory, application allow-listing config |
CP — Contingency Planning
| What to verify | Typical evidence |
|---|---|
| Contingency/continuity plan exists and is maintained | Contingency plan document, review dates |
| Backups of CJI performed, protected and encrypted | Backup schedules, backup encryption config, restore logs |
| Recovery capabilities tested periodically | Restore-test reports, tabletop exercise records |
| Alternate processing/storage considered for availability of CJI | DR site or cloud-region documentation |
IA — Identification and Authentication
| What to verify | Typical evidence |
|---|---|
| Each user uniquely identified before access to CJI | Identity provisioning records, unique-ID enforcement |
| Advanced Authentication (multi-factor) enforced for CJI access, including from non-secure locations | MFA policy, MFA enrolment and success logs |
| Password/authenticator standards meet the current Policy (length, complexity or approved alternatives) | Password policy config aligned to Policy requirements |
| Authenticators managed, protected and revoked on separation | Token issuance/revocation records, offboarding tickets |
| Device identification and authentication where required | Certificate/802.1X configuration |
IR — Incident Response
| What to verify | Typical evidence |
|---|---|
| Incident response plan defines roles, phases and reporting chain to LASO/CSO/FBI | IR plan, contact/escalation matrix |
| Security incidents involving CJI reported to the CSA/CSO and FBI CJIS ISO promptly | Incident reports, CSO notification records |
| Detection, containment, eradication and recovery procedures documented | IR runbooks, incident tickets |
| Post-incident reviews conducted and lessons applied | After-action reports, corrective-action tracking |
| IR capability tested (exercises) | Tabletop/exercise records |
MA — Maintenance
| What to verify | Typical evidence |
|---|---|
| Maintenance performed and logged by authorised personnel only | Maintenance logs, authorised-tech list |
| Remote maintenance uses secure, authenticated, monitored sessions | Remote-maintenance policy, session logs |
| Maintenance tools and media checked for malicious code and sanitised | Tool inspection records, sanitisation logs |
| Equipment leaving the premises for repair is sanitised of CJI | Sanitisation certificates, media-handling records |
MP — Media Protection
| What to verify | Typical evidence |
|---|---|
| Digital and physical media containing CJI marked and access-restricted | Media labelling standard, storage-access records |
| Media transported securely with encryption and documented custody | Transport procedures, courier/chain-of-custody logs |
| Media sanitised before reuse using approved methods | Sanitisation policy, wipe/overwrite logs |
| Media destruction (shredding, degaussing, incineration) documented | Destruction certificates, witnessed-destruction records |
PE — Physical and Environmental Protection
| What to verify | Typical evidence |
|---|---|
| Physically secure location(s) defined with perimeter and access controls | Facility diagrams, badge-access lists |
| Visitor access controlled, logged and escorted; unescorted access limited to vetted staff | Visitor logs, escort procedures |
| Controlled areas established where a full secure location is not feasible | Controlled-area procedures, temporary-safeguard documentation |
| Physical access monitored (CCTV, alarms) and reviewed | Monitoring records, access-log reviews |
PL — Planning
| What to verify | Typical evidence |
|---|---|
| System Security Plan (SSP) documents the CJI environment, boundary and controls | Current SSP with approval signatures |
| Rules of behaviour signed by all users | Signed rules-of-behaviour/acceptable-use forms |
| Security architecture and data-flow diagrams maintained | Network topology, CJI data-flow diagrams |
PS — Personnel Security
| What to verify | Typical evidence |
|---|---|
| Fingerprint-based state and national (NCIC/III) background checks completed before CJI access | Fingerprint submission records, adjudication decisions |
| Position risk designations and re-vetting cadence defined | Position-designation records, re-check schedule |
| Access terminated promptly on separation or role change | Offboarding checklists, access-revocation tickets |
| Contractor personnel screened to the same standard via the Security Addendum | Signed Security Addendum certifications, vendor screening records |
RA — Risk Assessment
| What to verify | Typical evidence |
|---|---|
| Risk assessment of the CJI environment conducted and updated | Risk assessment report, risk register |
| Vulnerability scanning performed and results tracked to closure | Scan reports, remediation tickets |
| Risk responses (accept/mitigate/transfer) documented and approved | Risk-treatment decisions, sign-offs |
SA — System and Services Acquisition
| What to verify | Typical evidence |
|---|---|
| Security requirements included in acquisitions of CJI systems/services | Procurement specs, security requirement clauses |
| CJIS Security Addendum executed for all outsourced CJI functions | Signed Security Addendum and certification pages |
| Developer/vendor security practices assessed | Vendor security questionnaires, SBOM/third-party assessments |
| Management control agreements govern NCJA/private outsourcing | Management Control Agreements on file |
SC — System and Communications Protection
| What to verify | Typical evidence |
|---|---|
| Boundary protection (firewalls, segmentation) isolates CJI systems | Firewall rulesets, network-segmentation diagrams |
| CJI encrypted in transit using FIPS 140-validated cryptography | TLS/IPsec configuration, FIPS validation certificate references |
| CJI encrypted at rest with FIPS 140-validated modules (or physically protected) | Disk/database encryption config, key-management records |
| Cryptographic key management protects and rotates keys | Key-management policy, rotation logs |
| Voice/data over public networks protected end-to-end | VPN/encryption configs for external links |
SI — System and Information Integrity
| What to verify | Typical evidence |
|---|---|
| Flaw remediation and patch management applied within defined timeframes | Patch policy, patch-compliance reports |
| Malicious-code protection deployed and updated | EDR/anti-malware coverage reports |
| System monitoring detects attacks and indicators of compromise | IDS/IPS alerts, monitoring dashboards |
| Security alerts and advisories acted upon | Advisory-tracking records, response tickets |
PT / SR — PII Processing, Transparency and Supply-Chain Risk
| What to verify | Typical evidence |
|---|---|
| PII within CJI handled per authority and minimised | Data-inventory, minimisation procedures |
| Supply-chain risks to CJI systems identified and managed | Supply-chain risk assessment, vendor risk register |
| Provenance and integrity of components tracked | SBOM, component-integrity checks |
Scoping and materiality / tiering
Correctly scoping the CJI environment is the single most consequential decision in a CJIS programme. Over-scoping wastes effort; under-scoping risks audit findings and loss of connection. Scope is defined by where CJI is created, viewed, modified, transmitted, stored or destroyed, and by the personnel and physical spaces involved.
- Data-driven scope: identify every system, application, database, backup and log store that holds CJI, including derivative data (e.g., a records-management system caching NCIC returns).
- Network scope: any segment carrying CJI in cleartext is in scope; encryption and segmentation can reduce but not eliminate scope.
- Physical scope: all physically secure locations and controlled areas, plus mobile devices that display or store CJI.
- Personnel scope: everyone with logical or unescorted physical access, including IT admins and third-party staff.
- Materiality distinction: CJA vs NCJA status changes which controls and agreements apply; NCJAs performing non-criminal-justice background checks operate under narrower statutory authority and management control agreements.
Scope-reduction lever
Strong FIPS 140-validated encryption of CJI in transit and at rest, combined with tight network segmentation, is the most effective way to shrink the population of systems and personnel that require full Policy controls and background screening — but encryption does not remove the requirement to protect the keys or to vet those who can decrypt CJI.
Implementation approach (phased)
A pragmatic CJIS implementation proceeds through five phases. Each phase lists key activities and the deliverables an auditor will later expect to see.
Phase 1 — Discovery and scoping
- Activities: inventory CJI data flows and systems; identify physically secure locations; confirm CJA/NCJA status; appoint the LASO and confirm the CSO relationship.
- Deliverables: CJI data-flow diagrams, asset and personnel inventory, scoping memorandum, LASO appointment letter.
Phase 2 — Gap assessment
- Activities: assess current state against every control family; map to the master checklist; rate gaps by risk and audit impact.
- Deliverables: gap-analysis report, risk-ranked findings, draft POA&M.
Phase 3 — Remediation and control build
- Activities: deploy advanced authentication; enable FIPS-validated encryption; harden baselines; complete personnel fingerprinting; execute Security Addenda with vendors; stand up logging.
- Deliverables: updated SSP, hardening standards, MFA rollout evidence, signed addenda, screening records.
Phase 4 — Documentation and training
- Activities: finalise policies and procedures for all thirteen policy areas / eighteen families; deliver role-based awareness training; sign rules of behaviour.
- Deliverables: complete policy set, training completion register, signed acceptable-use forms.
Phase 5 — Audit readiness and continuous monitoring
- Activities: run a mock CSA audit; close POA&M items; implement continuous monitoring; prepare evidence binder.
- Deliverables: mock-audit report, closed POA&M, monitoring dashboards, audit evidence package.
Maturity / capability model
CJIS is a pass/fail compliance regime rather than a graded maturity scheme, but organisations benefit from tracking capability maturity to sustain compliance between triennial audits. The model below helps benchmark programme maturity.
| Maturity level | Characteristics |
|---|---|
| Level 1 — Initial | Ad hoc controls, no LASO, undocumented CJI flows, likely audit findings and connection risk. |
| Level 2 — Developing | LASO appointed, key policies drafted, partial MFA/encryption, background checks incomplete. |
| Level 3 — Defined | All control families documented, MFA and FIPS encryption deployed, SSP current, addenda signed. |
| Level 4 — Managed | Continuous monitoring, regular log review, metrics reported, POA&M actively managed, passes CSA audit cleanly. |
| Level 5 — Optimising | Automated evidence collection, integrated with enterprise GRC, proactive threat detection, mature vendor governance. |
Assessment and audit approach
- Confirm scope and the CJA/NCJA determination with the CSO, and identify all connections requiring exchange agreements.
- Assemble the evidence binder mapped to each control family using the master checklist above.
- Perform a documentation review: SSP, policies, agreements, addenda, POA&M and training records.
- Conduct technical validation: MFA enforcement, FIPS-validated encryption in transit/at rest, logging content and retention, hardening baselines, patch status.
- Verify personnel security: fingerprint-based screening completion for all in-scope staff and contractors, and timely access termination.
- Inspect physical controls: physically secure locations, visitor logs, controlled-area safeguards and monitoring.
- Test incident response and contingency through tabletop exercises and restore tests.
- Sample audit logs and access reviews to confirm operational effectiveness, not just documented intent.
- Record findings, assign remediation owners and dates in the POA&M, and re-test closed items.
- Prepare for the triennial CSA/FBI CAU audit and retain evidence for the required period.
Evidence request list
- Governance: System Security Plan, all thirteen policy-area / eighteen control-family policies, LASO appointment, rules of behaviour.
- Agreements: information-exchange agreements/MOUs, CJIS Security Addenda, Management Control Agreements, cloud contracts with CJIS terms.
- Access and identity: account inventory, access-authorisation forms, access-review records, MFA enrolment and success logs, password/authenticator policy.
- Personnel security: fingerprint submission and adjudication records, position-risk designations, offboarding/access-revocation tickets.
- Cryptography: FIPS 140 validation references, TLS/IPsec/disk/database encryption configurations, key-management policy and rotation logs.
- Logging and monitoring: logging policy, sample log records, retention configuration, SIEM review sign-offs, IDS/EDR reports.
- Configuration: hardening baselines, change-control tickets, software inventory, vulnerability-scan and patch-compliance reports.
- Media and physical: media handling and destruction certificates, facility diagrams, badge-access lists, visitor logs, CCTV/monitoring records.
- Resilience: contingency plan, backup schedules and restore-test results, incident-response plan and incident reports.
- Training: role-based training curriculum, completion register with dates, signed acknowledgements.
- Continuous improvement: risk register, POA&M, assessment reports and after-action reviews.
Roles and responsibilities
| Role | Responsibility |
|---|---|
| FBI CJIS Division / CJIS ISO | Maintains the Policy, sets national requirements, receives major incident reports, and runs the triennial audit of CSAs. |
| CJIS Advisory Policy Board (APB) | Recommends changes to the Policy through the Working Group and Board process. |
| CJIS Systems Officer (CSO) | State-level authority who administers the Policy, approves connections and enforces compliance locally. |
| CJIS Systems Agency (CSA) | State agency (often State Police) that manages access and audits local agencies and contractors. |
| Local Agency Security Officer (LASO) | Agency point of contact for security; maintains topology, ensures approved personnel, and reports incidents to the CSO. |
| Agency head / executive | Accountable owner who authorises the system and ensures resourcing and adjudication of screening results. |
| System administrators / IT | Implement and operate technical controls: MFA, encryption, logging, hardening and patching. |
| Contractor / vendor / CSP | Signs the Security Addendum, screens its personnel, and operates its share of controls under the agreement. |
KPIs and metrics to track
- Percentage of in-scope personnel with completed fingerprint-based background checks.
- Percentage of CJI access enforced by advanced (multi-factor) authentication.
- Percentage of CJI encrypted in transit and at rest with FIPS 140-validated modules.
- Security-awareness training completion rate and time-to-completion for new staff.
- Mean time to detect and mean time to report CJI security incidents to the CSO.
- Patch-compliance rate and mean time to remediate critical vulnerabilities.
- Number of open POA&M items and average age to closure.
- Access-review completion rate and count of orphaned/stale accounts remediated.
- Audit-log review coverage and percentage of alerts triaged within SLA.
- Number of signed and current Security Addenda / exchange agreements versus required.
Readiness checklist
- CJI data flows, systems, secure locations and personnel fully inventoried and scoped.
- LASO appointed and CSO/CSA relationship confirmed.
- System Security Plan and all policy-area/control-family policies current and approved.
- Advanced authentication enforced for all CJI access.
- FIPS 140-validated encryption applied in transit and at rest, with managed keys.
- Fingerprint-based state and national background checks completed for all in-scope staff and contractors.
- CJIS Security Addenda and information-exchange agreements executed and on file.
- Audit logging configured with required content, retention and regular review.
- Configuration baselines hardened, patches current, vulnerability scanning active.
- Media handling, sanitisation and destruction procedures in place with evidence.
- Physical and controlled-area safeguards, visitor control and monitoring operating.
- Incident-response and contingency plans tested; backups verified by restore tests.
- Role-based awareness training delivered and refreshed on cadence.
- POA&M actively tracks and closes findings; mock CSA audit passed.
Common gaps and findings
- Advanced authentication not enforced for remote or mobile access to CJI.
- Encryption in place but not using FIPS 140-validated modules, or keys poorly managed.
- Incomplete or lapsed fingerprint-based background checks, especially for IT contractors and cloud staff.
- Missing or unsigned CJIS Security Addenda with vendors and cloud providers.
- Audit logs lacking required content, insufficient retention, or never reviewed.
- Shared/generic accounts used for CJI access, defeating unique identification.
- Security-awareness training expired beyond the biennial refresh window.
- Media destruction not documented, or equipment sent for repair without sanitisation.
- Physically secure locations undefined, or unescorted access granted to unvetted personnel.
- Stale POA&M with unremediated findings carried over from prior audits.
- Cloud shared-responsibility boundaries undocumented, leaving control gaps unassigned.
CJIS mapped to other frameworks
| CJIS control area | Related framework / control |
|---|---|
| Overall control catalogue | NIST SP 800-53 (direct alignment since 5.9.x / 6.0) |
| Access Control (AC) | ISO/IEC 27001 A.5.15-A.5.18; NIST 800-53 AC family; PCI DSS Req 7-8 |
| Identification and Authentication (IA) | NIST SP 800-63 (advanced authentication); PCI DSS Req 8; ISO A.5.17 |
| Audit and Accountability (AU) | ISO A.8.15-A.8.16; PCI DSS Req 10; SOC 2 CC7 |
| System and Communications Protection (SC) | FIPS 140-3; PCI DSS Req 4; ISO A.8.24; NIST 800-53 SC family |
| Incident Response (IR) | NIST SP 800-61; ISO A.5.24-A.5.28; PCI DSS Req 12.10 |
| Personnel Security (PS) | ISO A.6.1-A.6.6; NIST 800-53 PS family |
| Media Protection (MP) | NIST SP 800-88 sanitisation; ISO A.7.10, A.7.14; PCI DSS Req 9 |
| Configuration Management (CM) | CIS Benchmarks / DISA STIGs; ISO A.8.9; PCI DSS Req 2, 6 |
| Risk Assessment (RA) | NIST SP 800-30; ISO 27005; SOC 2 CC3 |
How CyberSigma helps
Partner with CyberSigma for CJIS readiness
CyberSigma guides US agencies, contractors and cloud providers through the entire CJIS lifecycle: scoping the CJI environment, running a control-family gap assessment against the current 6.x Policy, deploying advanced authentication and FIPS 140-validated encryption, standing up compliant logging and continuous monitoring, structuring vendor Security Addenda and cloud shared-responsibility, and assembling the evidence binder for your triennial CSA and FBI CAU audit. Our CERT-In empanelled and PCI QSA assessors translate CJIS obligations into an actionable, audit-ready programme that also aligns with your NIST 800-53, ISO 27001 and PCI DSS commitments — so you achieve and sustain CJIS compliance without duplicating effort. Contact CyberSigma to book a CJIS readiness assessment.