US FBI · United States

FBI CJIS Security Policy

Security policy protecting US criminal-justice information.

Introduction: The FBI CJIS Security Policy

The Criminal Justice Information Services (CJIS) Security Policy is the definitive information-security framework governing the creation, viewing, modification, transmission, dissemination, storage and destruction of Criminal Justice Information (CJI) throughout the United States. Issued and maintained by the Federal Bureau of Investigation (FBI) CJIS Division, the Policy binds every entity that touches data drawn from national criminal-justice systems such as the National Crime Information Center (NCIC), the Interstate Identification Index (III), the National Instant Criminal Background Check System (NICS), the Next Generation Identification (NGI) biometric repository and the International Justice and Public Safety Network (Nlets).

Unlike a voluntary best-practice standard, the CJIS Security Policy is a mandatory condition of access: a state, county, municipal or tribal agency, and any private contractor or cloud provider acting on their behalf, may not receive or process CJI unless it can demonstrate conformance. The Policy is enforced through triennial audits performed by the FBI CJIS Audit Unit (CAU) and by the CJIS Systems Agency (CSA) in each state, and non-compliance can result in suspension of a terminal's connection to the national systems. This guide provides an auditor-grade, control-by-control deep-dive for CISOs, compliance leaders and assessors preparing for a CJIS audit.

Copyright and source note
This guide is an original CyberSigma interpretation written for educational and readiness purposes. It paraphrases obligations and does not reproduce the FBI's copyrighted text. The CJIS Security Policy (currently the 6.x series, with version 5.9.x being the long-standing predecessor) is published by the FBI CJIS Division and is available at no cost. Always work from the current authoritative version issued by the FBI and by your state's CJIS Systems Officer (CSO); requirement identifiers and effective dates cited here reflect the Policy's alignment with NIST SP 800-53 and are provided for planning only.

What is the CJIS Security Policy?

The CJIS Security Policy is a single, integrated document that establishes a minimum set of security requirements and controls to protect the full lifecycle of Criminal Justice Information. Its stated purpose is to provide appropriate controls to protect CJI, from creation through dissemination, whether at rest or in transit, and to ensure that only authorised, trained and vetted personnel access that data. The Policy applies uniformly regardless of the underlying information technology, and it explicitly presumes that CJI must be protected to the same standard whether processed on a mainframe, a mobile device, a virtualised environment or a public cloud.

A defining characteristic of the modern Policy is its adoption of the NIST SP 800-53 control catalogue as its backbone. Beginning with the 5.9.x releases and formalised in the 6.0 restructuring effective 1 October 2024, the Policy reorganised its requirements into the eighteen NIST 800-53 control families supplemented by CJIS-specific augmentations. This alignment means an agency that is maturing towards a NIST-based programme finds significant overlap, while the CJIS additions (such as advanced authentication requirements, the Security Awareness Training cadence, and the Criminal Justice Agency versus Non-Criminal Justice Agency distinction) remain unique. The Policy also defines the CJIS Advisory Policy Board (APB) process by which changes are proposed, debated and ratified.

  • Scope of data: Criminal History Record Information (CHRI), NCIC data, biometric data (fingerprints, facial images, iris), identity history, case/incident records, and property and person data derived from FBI CJIS systems.
  • Governing bodies: FBI CJIS Division, the CJIS Advisory Policy Board (APB), the five Working Groups, and the CJIS Systems Agency (CSA) and CJIS Systems Officer (CSO) in each state.
  • Enforcement: triennial (every three years) compliance audits by the FBI CAU of each CSA, and CSA audits of local agencies and contractors.
  • Legal underpinning: the Policy operationalises federal statutes and Title 28 CFR Part 20 governing the exchange of criminal history record information.

Who must comply: scope of applicability

The Policy reaches far beyond sworn law-enforcement officers. Any individual or organisation with access to, or that operates in support of, CJI must comply. This deliberately broad reach captures IT vendors, cloud service providers, dispatch centres, records-management vendors and even cleaning or maintenance staff who could physically access areas where CJI is processed. The table below summarises the principal categories of affected parties.

Party / role | Applicability and obligation
Criminal Justice Agency (CJA) | Courts, police, prosecutors, corrections and probation agencies performing the administration of criminal justice; full Policy applies and the agency is directly accountable to its CSA.
Non-Criminal Justice Agency (NCJA) | Agencies performing background checks for licensing/employment (e.g., schools, banking regulators); access is more restricted and typically governed by a specific statutory authority and an Outsourcing/Management Control Agreement.
CJIS Systems Agency (CSA) / CSO | The state-level agency (often the State Police) and its appointed CJIS Systems Officer responsible for administering the Policy, approving connections and conducting local audits.
Local Agency Security Officer (LASO) | Designated at each agency to be the point of contact for security matters, maintain topology, and report incidents to the CSA/CSO.
Private contractors / vendors | Any third party (software vendor, integrator, managed service provider) that stores, processes or transmits CJI; must sign the CJIS Security Addendum and be subject to the same personnel vetting.
Cloud service providers (CSPs) | Providers hosting CJI must contractually accept CJIS obligations, support required encryption and personnel screening, and enable the agency's shared-responsibility controls.
Interstate / Nlets participants | Agencies exchanging data across state lines via Nlets and the III inherit the same protection duties for received CJI.

  • Geographic reach: all US states, territories, and tribal nations connected to CJIS systems, plus their contractors wherever located.
  • Physical scope: any physically secure location where CJI is stored, processed or transmitted, and any 'controlled area' with temporary safeguards.
  • Personnel scope: every person with unescorted access to CJI or to the physically secure location must undergo fingerprint-based state and national background checks.

Structure of the CJIS Security Policy

Since the 6.0 restructuring, the Policy is organised around the eighteen NIST SP 800-53 control families, each mapped to CJIS-specific requirements and augmentations. Earlier releases (5.x) used thirteen numbered 'Policy Areas', and many agencies still think in those terms during transition, so both structures are shown below. The control-family view is now authoritative for audit purposes.

Control family (ID) | Focus area within CJIS
Access Control (AC) | Account management, least privilege, session control, remote access, wireless and mobile access to CJI.
Awareness and Training (AT) | Role-based security awareness training, biennial refresh, and specialised training for privileged users.
Audit and Accountability (AU) | Event logging, log content, retention, review and protection of audit records.
Assessment, Authorization and Monitoring (CA) | Security assessments, interconnection agreements, POA&M and continuous monitoring.
Configuration Management (CM) | Baseline configurations, change control, least functionality and software inventory.
Contingency Planning (CP) | Backups, recovery, and continuity of CJI availability.
Identification and Authentication (IA) | Unique identification, advanced (multi-factor) authentication, and authenticator management.
Incident Response (IR) | Detection, reporting to the CSA/FBI, handling and post-incident learning.
Maintenance (MA) | Controlled and remote maintenance, and sanitisation of maintenance tools.
Media Protection (MP) | Media marking, storage, transport, sanitisation and destruction of CJI media.
Physical and Environmental Protection (PE) | Physically secure locations, controlled areas, visitor control and monitoring.
Planning (PL) | System security plans, rules of behaviour and security architecture.
Personnel Security (PS) | Fingerprint-based screening, position risk designation, and access termination.
Risk Assessment (RA) | Risk assessments, vulnerability scanning and risk response.
System and Services Acquisition (SA) | Acquisition process, developer security, and the CJIS Security Addendum for outsourcing.
System and Communications Protection (SC) | Boundary protection, encryption in transit/at rest (FIPS 140 validated), and partitioning.
System and Information Integrity (SI) | Flaw remediation, malicious code protection, monitoring and error handling.
Personally Identifiable Information Processing and Transparency (PT) / Supply Chain (SR) | PII handling, and supply-chain risk management for CJI systems (newer families).

Legacy Policy Area (5.x) | Description
Policy Area 1 | Information Exchange Agreements
Policy Area 2 | Security Awareness Training
Policy Area 3 | Incident Response
Policy Area 4 | Auditing and Accountability
Policy Area 5 | Access Control
Policy Area 6 | Identification and Authentication
Policy Area 7 | Configuration Management
Policy Area 8 | Media Protection
Policy Area 9 | Physical Protection
Policy Area 10 | Systems and Communications Protection and Information Integrity
Policy Area 11 | Formal Audits
Policy Area 12 | Personnel Security
Policy Area 13 | Mobile Devices

Master assessment checklist

This is the core of the guide. Each control family below is enumerated with concrete verification points and the typical evidence an auditor expects. Use these tables directly as your assessment workbook; every CJIS control area is covered so that nothing is skipped during a mock audit or readiness review.

AC — Access Control

What to verify | Typical evidence
Accounts are uniquely identified, authorised and reviewed; shared/generic accounts prohibited | Account inventory, access-authorisation forms, quarterly access-review records
Least privilege and separation of duties enforced for CJI access | Role definitions, permission matrices, privileged-access approvals
Sessions lock after inactivity and terminate appropriately | Endpoint lock policy (typically session lock on inactivity), GPO/MDM screenshots
Remote access to CJI uses encrypted, authenticated channels with advanced authentication | VPN configuration, MFA logs, remote-access policy
Wireless and mobile access controls (WPA2/WPA3 enterprise, MDM) applied | Wireless config, MDM enrolment records, mobile-device policy
Unsuccessful logon attempts trigger lockout | Authentication policy, lockout threshold configuration

AT — Awareness and Training

What to verify | Typical evidence
Security awareness training completed before CJI access and refreshed at least biennially | Training completion certificates, LMS records with dates
Role-based training differentiates basic users, privileged users and physical-access-only personnel | Training curriculum by role, attendance logs
Training covers incident reporting, media handling, social engineering and sanctions | Course content, acknowledgement forms
Records retained and available to CSA auditors | Training register mapped to personnel roster

AU — Audit and Accountability

What to verify | Typical evidence
Auditable events defined (successful/failed logons, CJI access, privilege use, config changes) | Logging policy, event-type list
Log records capture who, what, when, where and outcome | Sample log entries showing required content fields
Audit logs retained per Policy (commonly minimum one year, with events available for CSA review) | Retention configuration, SIEM retention policy
Logs reviewed regularly (e.g., weekly) and anomalies investigated | Review sign-off sheets, SIEM alert tickets
Audit records protected from unauthorised access, modification and deletion | Access controls on SIEM, log integrity/immutability settings
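When assembling the "sample log entries" evidence for the AU rows above, it helps to test the sample mechanically rather than by eye. The checker below is an added example written for this guide, not FBI or CyberSigma code; it scores constructed JSON-lines records against the five content elements (who, what, when, where, outcome) and reports which of the auditable-event categories named in the table the sample never exhibits. The JSON field names and event_type values are assumptions about an agency's log schema.

```python
"""Check sample audit records against the CJIS AU evidence points:
each record must show who, what, when, where and outcome, and the
sample should cover every auditable-event category the agency defined.
Field names and event_type values below are assumptions, not CJIS text."""
import json
from datetime import datetime

# Content element -> assumed JSON keys, any one of which satisfies it.
CONTENT_ELEMENTS = {
    "who": ("user_id",),
    "what": ("event_type",),
    "when": ("timestamp",),
    "where": ("source_ip", "host"),
    "outcome": ("outcome",),
}

# Auditable-event categories from the AU table -> assumed event_type values.
EVENT_CATEGORIES = {
    "successful_logon": {"logon_success"},
    "failed_logon": {"logon_failure"},
    "cji_access": {"cji_query", "cji_view"},
    "privilege_use": {"privilege_use"},
    "config_change": {"config_change"},
}

# Constructed sample (JSON lines); lines 3 to 5 are deliberately deficient.
SAMPLE_LOG = """\
{"timestamp": "2024-10-03T14:02:11Z", "user_id": "jdoe", "event_type": "logon_success", "source_ip": "10.0.5.21", "outcome": "success"}
{"timestamp": "2024-10-03T14:02:40Z", "user_id": "jdoe", "event_type": "cji_query", "host": "rms-app01", "outcome": "success"}
{"timestamp": "2024-10-03T14:05:02Z", "user_id": "", "event_type": "logon_failure", "source_ip": "10.0.5.40"}
{"timestamp": "10/03/2024 14:06", "user_id": "svc_backup", "event_type": "privilege_use", "host": "db01", "outcome": "success"}
{"user_id": "jdoe", "event_type": "cji_view", "host": "rms-app01", "outcome": "success"}
"""


def valid_timestamp(value):
    """'when' only counts if it is an unambiguous ISO 8601 UTC timestamp."""
    try:
        datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
        return True
    except (TypeError, ValueError):
        return False


def missing_elements(record):
    """Return the content elements a single record fails to supply."""
    missing = []
    for element, keys in CONTENT_ELEMENTS.items():
        present = any(record.get(key) not in (None, "") for key in keys)
        if element == "when" and present:
            present = valid_timestamp(record.get("timestamp"))
        if not present:
            missing.append(element)
    return missing


def assess(log_text):
    """Score a JSON-lines sample: per-record findings plus category coverage."""
    findings = []  # (line number, list of missing elements)
    seen = set()
    total = complete = 0
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        total += 1
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            findings.append((lineno, ["unparseable"]))
            continue
        missing = missing_elements(record)
        if missing:
            findings.append((lineno, missing))
        else:
            complete += 1
        for category, types in EVENT_CATEGORIES.items():
            if record.get("event_type") in types:
                seen.add(category)
    return {
        "total": total,
        "complete": complete,
        "findings": findings,
        "missing_categories": sorted(set(EVENT_CATEGORIES) - seen),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_LOG)
    print(f"{result['complete']}/{result['total']} records carry all five elements")
    for lineno, missing in result["findings"]:
        print(f"  line {lineno}: missing {', '.join(missing)}")
    if result["missing_categories"]:
        print("sample shows no events for:", ", ".join(result["missing_categories"]))
```

Run against a real export, a non-empty findings list or missing_categories entry is the gap the auditor will find; fix the log source, not the sample.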

CA — Assessment, Authorization and Monitoring

What to verify | Typical evidence
Periodic security control assessments conducted | Assessment reports, self-assessment records
Interconnection/information-exchange agreements in place for each CJI connection | Signed MOUs, interagency agreements, connection approvals
Plan of Action and Milestones (POA&M) tracks and remediates findings | POA&M register with owners and target dates
Continuous monitoring strategy implemented | Continuous monitoring plan, monitoring dashboards

CM — Configuration Management

What to verify | Typical evidence
Documented, approved baseline configurations for CJI systems | Hardening standards, baseline documents (CIS/DISA STIG references)
Change control process governs modifications | Change tickets, CAB minutes, change-approval records
Least functionality: unnecessary services, ports and protocols disabled | Port/service scans, configuration reports
Authorised software inventory maintained and unauthorised software prevented | Software inventory, application allow-listing config

CP — Contingency Planning

What to verify | Typical evidence
Contingency/continuity plan exists and is maintained | Contingency plan document, review dates
Backups of CJI performed, protected and encrypted | Backup schedules, backup encryption config, restore logs
Recovery capabilities tested periodically | Restore-test reports, tabletop exercise records
Alternate processing/storage considered for availability of CJI | DR site or cloud-region documentation

IA — Identification and Authentication

What to verify | Typical evidence
Each user uniquely identified before access to CJI | Identity provisioning records, unique-ID enforcement
Advanced Authentication (multi-factor) enforced for CJI access, including from non-secure locations | MFA policy, MFA enrolment and success logs
Password/authenticator standards meet the current Policy (length, complexity or approved alternatives) | Password policy config aligned to Policy requirements
Authenticators managed, protected and revoked on separation | Token issuance/revocation records, offboarding tickets
Device identification and authentication where required | Certificate/802.1X configuration

IR — Incident Response

What to verify | Typical evidence
Incident response plan defines roles, phases and reporting chain to LASO/CSO/FBI | IR plan, contact/escalation matrix
Security incidents involving CJI reported to the CSA/CSO and FBI CJIS ISO promptly | Incident reports, CSO notification records
Detection, containment, eradication and recovery procedures documented | IR runbooks, incident tickets
Post-incident reviews conducted and lessons applied | After-action reports, corrective-action tracking
IR capability tested (exercises) | Tabletop/exercise records

MA — Maintenance

What to verify | Typical evidence
Maintenance performed and logged by authorised personnel only | Maintenance logs, authorised-tech list
Remote maintenance uses secure, authenticated, monitored sessions | Remote-maintenance policy, session logs
Maintenance tools and media checked for malicious code and sanitised | Tool inspection records, sanitisation logs
Equipment leaving the premises for repair is sanitised of CJI | Sanitisation certificates, media-handling records

MP — Media Protection

What to verify | Typical evidence
Digital and physical media containing CJI marked and access-restricted | Media labelling standard, storage-access records
Media transported securely with encryption and documented custody | Transport procedures, courier/chain-of-custody logs
Media sanitised before reuse using approved methods | Sanitisation policy, wipe/overwrite logs
Media destruction (shredding, degaussing, incineration) documented | Destruction certificates, witnessed-destruction records

PE — Physical and Environmental Protection

What to verify | Typical evidence
Physically secure location(s) defined with perimeter and access controls | Facility diagrams, badge-access lists
Visitor access controlled, logged and escorted; unescorted access limited to vetted staff | Visitor logs, escort procedures
Controlled areas established where a full secure location is not feasible | Controlled-area procedures, temporary-safeguard documentation
Physical access monitored (CCTV, alarms) and reviewed | Monitoring records, access-log reviews

PL — Planning

What to verify | Typical evidence
System Security Plan (SSP) documents the CJI environment, boundary and controls | Current SSP with approval signatures
Rules of behaviour signed by all users | Signed rules-of-behaviour/acceptable-use forms
Security architecture and data-flow diagrams maintained | Network topology, CJI data-flow diagrams

PS — Personnel Security

What to verify | Typical evidence
Fingerprint-based state and national (NCIC/III) background checks completed before CJI access | Fingerprint submission records, adjudication decisions
Position risk designations and re-vetting cadence defined | Position-designation records, re-check schedule
Access terminated promptly on separation or role change | Offboarding checklists, access-revocation tickets
Contractor personnel screened to the same standard via the Security Addendum | Signed Security Addendum certifications, vendor screening records

RA — Risk Assessment

What to verify | Typical evidence
Risk assessment of the CJI environment conducted and updated | Risk assessment report, risk register
Vulnerability scanning performed and results tracked to closure | Scan reports, remediation tickets
Risk responses (accept/mitigate/transfer) documented and approved | Risk-treatment decisions, sign-offs

SA — System and Services Acquisition

What to verify | Typical evidence
Security requirements included in acquisitions of CJI systems/services | Procurement specs, security requirement clauses
CJIS Security Addendum executed for all outsourced CJI functions | Signed Security Addendum and certification pages
Developer/vendor security practices assessed | Vendor security questionnaires, SBOM/third-party assessments
Management control agreements govern NCJA/private outsourcing | Management Control Agreements on file

SC — System and Communications Protection

What to verify | Typical evidence
Boundary protection (firewalls, segmentation) isolates CJI systems | Firewall rulesets, network-segmentation diagrams
CJI encrypted in transit using FIPS 140-validated cryptography | TLS/IPsec configuration, FIPS validation certificate references
CJI encrypted at rest with FIPS 140-validated modules (or physically protected) | Disk/database encryption config, key-management records
Cryptographic key management protects and rotates keys | Key-management policy, rotation logs
Voice/data over public networks protected end-to-end | VPN/encryption configs for external links

SI — System and Information Integrity

What to verify | Typical evidence
Flaw remediation and patch management applied within defined timeframes | Patch policy, patch-compliance reports
Malicious-code protection deployed and updated | EDR/anti-malware coverage reports
System monitoring detects attacks and indicators of compromise | IDS/IPS alerts, monitoring dashboards
Security alerts and advisories acted upon | Advisory-tracking records, response tickets

PT / SR — PII Processing, Transparency and Supply-Chain Risk

What to verify | Typical evidence
PII within CJI handled per authority and minimised | Data inventory, minimisation procedures
Supply-chain risks to CJI systems identified and managed | Supply-chain risk assessment, vendor risk register
Provenance and integrity of components tracked | SBOM, component-integrity checks

Scoping and materiality / tiering

Correctly scoping the CJI environment is the single most consequential decision in a CJIS programme. Over-scoping wastes effort; under-scoping risks audit findings and loss of connection. Scope is defined by where CJI is created, viewed, modified, transmitted, stored or destroyed, and by the personnel and physical spaces involved.

  • Data-driven scope: identify every system, application, database, backup and log store that holds CJI, including derivative data (e.g., a records-management system caching NCIC returns).
  • Network scope: any segment carrying CJI in cleartext is in scope; encryption and segmentation can reduce but not eliminate scope.
  • Physical scope: all physically secure locations and controlled areas, plus mobile devices that display or store CJI.
  • Personnel scope: everyone with logical or unescorted physical access, including IT admins and third-party staff.
  • Materiality distinction: CJA vs NCJA status changes which controls and agreements apply; NCJAs performing noncriminal-justice background checks operate under narrower authority and management control agreements.
Scope-reduction lever
Strong FIPS 140-validated encryption of CJI in transit and at rest, combined with tight network segmentation, is the most effective way to shrink the population of systems and personnel that require full Policy controls and background screening — but encryption does not remove the requirement to protect the keys or to vet those who can decrypt CJI.

Implementation approach (phased)

A pragmatic CJIS implementation proceeds through five phases. Each phase lists key activities and the deliverables an auditor will later expect to see.

Phase 1 — Discovery and scoping

  • Activities: inventory CJI data flows and systems; identify physically secure locations; confirm CJA/NCJA status; appoint the LASO and confirm the CSO relationship.
  • Deliverables: CJI data-flow diagrams, asset and personnel inventory, scoping memorandum, LASO appointment letter.

Phase 2 — Gap assessment

  • Activities: assess current state against every control family; map to the master checklist; rate gaps by risk and audit impact.
  • Deliverables: gap-analysis report, risk-ranked findings, draft POA&M.

Phase 3 — Remediation and control build

  • Activities: deploy advanced authentication; enable FIPS-validated encryption; harden baselines; complete personnel fingerprinting; execute Security Addenda with vendors; stand up logging.
  • Deliverables: updated SSP, hardening standards, MFA rollout evidence, signed addenda, screening records.

Phase 4 — Documentation and training

  • Activities: finalise policies and procedures for all thirteen policy areas / eighteen families; deliver role-based awareness training; sign rules of behaviour.
  • Deliverables: complete policy set, training completion register, signed acceptable-use forms.

Phase 5 — Audit readiness and continuous monitoring

  • Activities: run a mock CSA audit; close POA&M items; implement continuous monitoring; prepare evidence binder.
  • Deliverables: mock-audit report, closed POA&M, monitoring dashboards, audit evidence package.

Maturity / capability model

CJIS is a pass/fail compliance regime rather than a graded maturity scheme, but organisations benefit from tracking capability maturity to sustain compliance between triennial audits. The model below helps benchmark programme maturity.

Maturity level | Characteristics
Level 1 — Initial | Ad hoc controls, no LASO, undocumented CJI flows, likely audit findings and connection risk.
Level 2 — Developing | LASO appointed, key policies drafted, partial MFA/encryption, background checks incomplete.
Level 3 — Defined | All control families documented, MFA and FIPS encryption deployed, SSP current, addenda signed.
Level 4 — Managed | Continuous monitoring, regular log review, metrics reported, POA&M actively managed, passes CSA audit cleanly.
Level 5 — Optimising | Automated evidence collection, integrated with enterprise GRC, proactive threat detection, mature vendor governance.

Assessment and audit approach

  1. Confirm scope and the CJA/NCJA determination with the CSO, and identify all connections requiring exchange agreements.
  2. Assemble the evidence binder mapped to each control family using the master checklist above.
  3. Perform a documentation review: SSP, policies, agreements, addenda, POA&M and training records.
  4. Conduct technical validation: MFA enforcement, FIPS-validated encryption in transit/at rest, logging content and retention, hardening baselines, patch status.
  5. Verify personnel security: fingerprint-based screening completion for all in-scope staff and contractors, and timely access termination.
  6. Inspect physical controls: physically secure locations, visitor logs, controlled-area safeguards and monitoring.
  7. Test incident response and contingency through tabletop exercises and restore tests.
  8. Sample audit logs and access reviews to confirm operational effectiveness, not just documented intent.
  9. Record findings, assign remediation owners and dates in the POA&M, and re-test closed items.
  10. Prepare for the triennial CSA/FBI CAU audit and retain evidence for the required period.

Evidence request list

  • Governance: System Security Plan, all thirteen policy-area / eighteen control-family policies, LASO appointment, rules of behaviour.
  • Agreements: information-exchange agreements/MOUs, CJIS Security Addenda, Management Control Agreements, cloud contracts with CJIS terms.
  • Access and identity: account inventory, access-authorisation forms, access-review records, MFA enrolment and success logs, password/authenticator policy.
  • Personnel security: fingerprint submission and adjudication records, position-risk designations, offboarding/access-revocation tickets.
  • Cryptography: FIPS 140 validation references, TLS/IPsec/disk/database encryption configurations, key-management policy and rotation logs.
  • Logging and monitoring: logging policy, sample log records, retention configuration, SIEM review sign-offs, IDS/EDR reports.
  • Configuration: hardening baselines, change-control tickets, software inventory, vulnerability-scan and patch-compliance reports.
  • Media and physical: media handling and destruction certificates, facility diagrams, badge-access lists, visitor logs, CCTV/monitoring records.
  • Resilience: contingency plan, backup schedules and restore-test results, incident-response plan and incident reports.
  • Training: role-based training curriculum, completion register with dates, signed acknowledgements.
  • Continuous improvement: risk register, POA&M, assessment reports and after-action reviews.

Roles and responsibilities

Role | Responsibility
FBI CJIS Division / CJIS ISO | Maintains the Policy, sets national requirements, receives major incident reports, and runs the triennial audit of CSAs.
CJIS Advisory Policy Board (APB) | Recommends changes to the Policy through the Working Group and Board process.
CJIS Systems Officer (CSO) | State-level authority who administers the Policy, approves connections and enforces compliance locally.
CJIS Systems Agency (CSA) | State agency (often State Police) that manages access and audits local agencies and contractors.
Local Agency Security Officer (LASO) | Agency point of contact for security; maintains topology, ensures approved personnel, and reports incidents to the CSO.
Agency head / executive | Accountable owner who authorises the system and ensures resourcing and adjudication of screening results.
System administrators / IT | Implement and operate technical controls: MFA, encryption, logging, hardening and patching.
Contractor / vendor / CSP | Signs the Security Addendum, screens its personnel, and operates its share of controls under the agreement.

KPIs and metrics to track

  • Percentage of in-scope personnel with completed fingerprint-based background checks.
  • Percentage of CJI access enforced by advanced (multi-factor) authentication.
  • Percentage of CJI encrypted in transit and at rest with FIPS 140-validated modules.
  • Security-awareness training completion rate and time-to-completion for new staff.
  • Mean time to detect and mean time to report CJI security incidents to the CSO.
  • Patch-compliance rate and mean time to remediate critical vulnerabilities.
  • Number of open POA&M items and average age to closure.
  • Access-review completion rate and count of orphaned/stale accounts remediated.
  • Audit-log review coverage and percentage of alerts triaged within SLA.
  • Number of signed and current Security Addenda / exchange agreements versus required.

Readiness checklist

  • CJI data flows, systems, secure locations and personnel fully inventoried and scoped.
  • LASO appointed and CSO/CSA relationship confirmed.
  • System Security Plan and all policy-area/control-family policies current and approved.
  • Advanced authentication enforced for all CJI access.
  • FIPS 140-validated encryption applied in transit and at rest, with managed keys.
  • Fingerprint-based state and national background checks completed for all in-scope staff and contractors.
  • CJIS Security Addenda and information-exchange agreements executed and on file.
  • Audit logging configured with required content, retention and regular review.
  • Configuration baselines hardened, patches current, vulnerability scanning active.
  • Media handling, sanitisation and destruction procedures in place with evidence.
  • Physical and controlled-area safeguards, visitor control and monitoring operating.
  • Incident-response and contingency plans tested; backups verified by restore tests.
  • Role-based awareness training delivered and refreshed on cadence.
  • POA&M actively tracks and closes findings; mock CSA audit passed.

Common gaps and findings

  • Advanced authentication not enforced for remote or mobile access to CJI.
  • Encryption in place but not using FIPS 140-validated modules, or keys poorly managed.
  • Incomplete or lapsed fingerprint-based background checks, especially for IT contractors and cloud staff.
  • Missing or unsigned CJIS Security Addenda with vendors and cloud providers.
  • Audit logs lacking required content, insufficient retention, or never reviewed.
  • Shared/generic accounts used for CJI access, defeating unique identification.
  • Security-awareness training expired beyond the biennial refresh window.
  • Media destruction not documented, or equipment sent for repair without sanitisation.
  • Physically secure locations undefined, or unescorted access granted to unvetted personnel.
  • Stale POA&M with unremediated findings carried over from prior audits.
  • Cloud shared-responsibility boundaries undocumented, leaving control gaps unassigned.

CJIS mapped to other frameworks

CJIS control area | Related framework / control
Overall control catalogue | NIST SP 800-53 (direct alignment since 5.9.x / 6.0)
Access Control (AC) | ISO/IEC 27001 A.5.15-A.5.18; NIST 800-53 AC family; PCI DSS Req 7-8
Identification and Authentication (IA) | NIST SP 800-63 (advanced authentication); PCI DSS Req 8; ISO A.5.17
Audit and Accountability (AU) | ISO A.8.15-A.8.16; PCI DSS Req 10; SOC 2 CC7
System and Communications Protection (SC) | FIPS 140-3; PCI DSS Req 4; ISO A.8.24; NIST 800-53 SC family
Incident Response (IR) | NIST SP 800-61; ISO A.5.24-A.5.28; PCI DSS Req 12.10
Personnel Security (PS) | ISO A.6.1-A.6.6; NIST 800-53 PS family
Media Protection (MP) | NIST SP 800-88 sanitisation; ISO A.7.10, A.7.14; PCI DSS Req 9
Configuration Management (CM) | CIS Benchmarks / DISA STIGs; ISO A.8.9; PCI DSS Req 2, 6
Risk Assessment (RA) | NIST SP 800-30; ISO 27005; SOC 2 CC3

How CyberSigma helps

Partner with CyberSigma for CJIS readiness
CyberSigma guides US agencies, contractors and cloud providers through the entire CJIS lifecycle: scoping the CJI environment, running a control-family gap assessment against the current 6.x Policy, deploying advanced authentication and FIPS 140-validated encryption, standing up compliant logging and continuous monitoring, structuring vendor Security Addenda and cloud shared-responsibility, and assembling the evidence binder for your triennial CSA and FBI CAU audit. Our CERT-In empanelled and PCI QSA assessors translate CJIS obligations into an actionable, audit-ready programme that also aligns with your NIST 800-53, ISO 27001 and PCI DSS commitments — so you achieve and sustain CJIS compliance without duplicating effort. Contact CyberSigma to book a CJIS readiness assessment.

Frequently asked questions

Does CJIS apply to cloud vendors?
Yes — any vendor or cloud provider handling CJI on behalf of a criminal-justice agency must meet the CJIS Security Policy.
Need help with CJIS?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.