Criminal Justice Information Services (CJIS)

Written by Shannon DeLange
Updated this week

What is CJIS?

The Criminal Justice Information Services (CJIS) division of the FBI sets standards for how organizations handle Criminal Justice Information (CJI). This includes sensitive data like arrest records, fingerprints, facial recognition, and other law enforcement-linked personal information.

CJIS compliance is based on the CJIS Security Policy—a standardized set of security requirements for any organization working with CJI. As of December 2024, Version 6.0 of the policy includes updates around cloud services, encryption, and remote access.

CJIS is not a federally certified framework—there’s no central certification body. Instead, enforcement is handled by state-level CJIS Systems Agencies (CSAs), which oversee compliance for public safety agencies in their jurisdiction. Each state may interpret or enforce the policy a little differently, so vendors must be ready to show compliance to each agency they work with.

Who should be CJIS compliant?

CJIS compliance is required for any entity that accesses, stores, processes, or transmits CJI, including:

  • Law enforcement agencies (federal, state, and local)

  • Public safety organizations

  • Government contractors and vendors

  • SaaS and cloud providers whose services touch CJI (e.g., storage, access control, analytics)

Private companies working with police departments or public safety agencies—especially those building cloud platforms, analytics tools, or mobile apps—may fall under CJIS scope even if they don’t consider themselves part of the criminal justice system. International vendors handling U.S. law enforcement data may also be required to comply.

What is the timeline for CJIS compliance?

While there’s no fixed federal deadline, compliance timelines are often dictated by contract terms with individual agencies. Here’s what the general lifecycle looks like:

  1. Initial Prework – Identify roles (e.g., controller, processor), affected systems, and state-specific CJIS requirements.

  2. Gap Assessment – Map your current security posture to CJIS Security Policy requirements and flag control gaps.

  3. Remediation & Policy Buildout – Implement missing safeguards (e.g., encryption, personnel vetting, logging).

  4. Ongoing Monitoring & Validation – Maintain continuous compliance via control testing, access tracking, and annual reassessments.

CJIS audits are typically conducted every 3 years by the respective state or agency CSA. Organizations are expected to be “audit-ready” at any time, which includes having up-to-date evidence, logs, and documentation.

Does this require a formal audit or certification?

CJIS does not have a centralized certification or audit authority like FedRAMP or ISO 27001. Instead:

  • Compliance is contractually enforced via state and agency agreements.

  • Audits are handled by state-level CSAs or their designated representatives.

  • Agencies may request documentation, test results, policies, and personnel vetting logs at any time.

  • Many organizations opt to perform internal audits annually or before bidding on major contracts to stay proactive.

What can Vanta automate?

Access Management & Authentication

  • Checks that MFA is enabled and in use for privileged and non-privileged accounts

  • Monitors and validates identity provider configurations

  • Detects inactive or unused accounts

  • Verifies device-based access controls and screen lock settings

  • Tracks privileged access and enforces least privilege

Infrastructure & Cloud Security

  • Scans AWS, GCP, Azure, DigitalOcean, and Heroku for misconfigurations

  • Detects public access on buckets, databases, and compute instances

  • Monitors for insecure network rules (e.g., unrestricted SSH, RDP)

  • Validates encryption at rest and in transit

  • Tracks flow logs, firewall rules, and VPC configurations

System & Software Configuration

  • Checks baseline configurations (CIS, NIST) across OS, cloud, and endpoints

  • Validates that system updates and patching are in place

  • Flags changes to critical configuration settings

Audit Logging & Monitoring

  • Confirms audit logging is enabled across services

  • Verifies log storage retention and alerting configurations

  • Detects changes to IAM roles, permissions, and configurations

  • Tracks monitoring coverage across services (e.g., CPU, IOPS, queue age)

Secure Development & Change Management

  • Enforces code review and approval workflows (GitHub, GitLab, Bitbucket)

  • Detects exceptions and ensures justifications are documented

  • Tracks vulnerability scan results and remediation status (Snyk, Inspector, etc.)

  • Flags configuration changes without review or approval

Incident Response & Risk Management

  • Monitors for unresolved vulnerabilities and tracks their remediation

  • Tracks incident response policy implementation and testing

  • Validates intrusion detection and alerting mechanisms are active

  • Supports audit evidence collection for incident reviews and root cause analysis

Physical & Endpoint Security

  • Validates antivirus and disk encryption on workstations

  • Verifies device MDM enrollment and enforcement

  • Flags unmonitored or non-compliant endpoints

Network & Boundary Protection

  • Verifies segmentation between production, dev, and other networks

  • Flags insecure firewall configurations

  • Confirms VPN and remote access policies (e.g., no split tunneling)

  • Monitors for secure telecommunications and external connections

Policy & Documentation Coverage

  • Tracks adoption and review of key policies (access, IR, encryption, etc.)

  • Supports uploading and validation of NDA, contractor, and vendor agreements

  • Surfaces gaps in training records, approvals, or policy acknowledgments