FBI CJIS Security Policy v6.0

CJIS-Compliant Hosting for Law Enforcement and Their Vendors

The FBI CJIS Security Policy applies to every entity that stores, processes, or transmits Criminal Justice Information — over 18,000 law enforcement agencies and the technology vendors serving them. Our infrastructure is built around CJIS pillars: fingerprinted US citizen support, Advanced Authentication, US-only data residency, FIPS 140-2 encryption, and full audit accountability.

At a glance: 13 CJIS policy areas · 18K+ law enforcement agencies · US-only data and personnel · current policy version v6.0
Why It Matters

What CJIS Means for Your Organization

The FBI Criminal Justice Information Services Division publishes the CJIS Security Policy — a unified, prescriptive standard for safeguarding Criminal Justice Information. Compliance is a contractual condition between the FBI and every state CJIS Systems Agency, flowing down to local agencies and any vendor handling CJI on their behalf. Audits are real, deficiencies have consequences, and the policy is moving fast.

Mandatory for LE Agencies

Every state, local, and federal agency that accesses NCIC, III, NICS, or other FBI CJIS systems is contractually bound to enforce the CJIS Security Policy across their infrastructure and personnel.

Flow-Down to Vendors

Vendors hosting, integrating, or supporting LE systems are obligated through agency contracts, Management Control Agreements, and CJIS Security Addenda to satisfy applicable policy areas — including personnel screening.

Mapped to NIST 800-53 Rev 5

CJIS Security Policy v6.0 explicitly mapped its requirements to NIST 800-53 Rev 5, aligning the LE community with broader federal cybersecurity practice and easing dual-compliance burdens for federal/SLED workloads.

Triennial FBI Audits

FBI CJIS auditors review state CSAs every three years, with state CSAs auditing local agencies on a similar cadence. Findings result in corrective action plans — and in serious cases, suspension of CJIS access.

CJIS Security Policy v6.0

13 Policy Areas Governing Criminal Justice Information

The FBI CJIS Security Policy organizes safeguards into 13 policy areas covering the full lifecycle of Criminal Justice Information. Version 6.0 is the most aggressive update in years — explicitly mapped to NIST 800-53 Rev 5 and aligning CJIS with broader federal cybersecurity practice.

Area 1 — Information Exchange Agreements: Formalize CJI sharing through written agreements with all parties.
Area 2 — Security Awareness Training: Annual training required for all personnel with CJI access.
Area 3 — Incident Response: Detect, respond to, and report CJI security incidents to FBI CJIS.
Area 4 — Auditing & Accountability: Log every CJI access event with sufficient detail to reconstruct activity.
Area 5 — Access Control: Restrict CJI access by role and least privilege; manage session timeouts.
Area 6 — Identification & Authentication: Advanced Authentication required: MFA for any access outside a secured location.
Area 7 — Configuration Management: Establish baselines, control changes, and document configuration state.
Area 8 — Media Protection: Protect CJI on physical and digital media; secure transport and disposal.
Area 9 — Physical Protection: Limit physical access to areas processing or storing CJI.
Area 10 — Systems & Communications Protection: FIPS 140-2 encryption for CJI in transit and at rest.
Area 11 — Formal Audits: Triennial audits by FBI CJIS or the state CSA confirm continued compliance.
Area 12 — Personnel Security: Fingerprint-based background check required for any CJI access.
Area 13 — Mobile Devices: Specific safeguards for smartphones, tablets, and field devices touching CJI.

Three Non-Negotiable Requirements

The Pillars That Decide CJIS Eligibility

Three requirements drive most CJIS hosting decisions: who can touch the data, how strongly identity is verified, and where the data physically resides. Get any of these wrong, and the rest doesn’t matter.

Built for CJIS Workloads

How GovDataHosting Inherits the CJIS Burden

Many CJIS policy areas have heavy infrastructure components that hosting providers can satisfy on a tenant’s behalf. The remaining policy areas — training, agreements, agency-specific procedures — are work only your agency or vendor can do. The split below shows where we lift the load and where you stay accountable.

| CJIS Policy Area | GovDataHosting Handles | You Handle |
|---|---|---|
| Area 4 — Auditing & Accountability | SIEM, log retention, FBI CJIS-aligned audit events | Application-level audit content |
| Area 5 — Access Control | Infrastructure RBAC, session controls, timeouts | Application user roles & access reviews |
| Area 6 — Advanced Authentication | MFA infrastructure, smartcard / token integration | Application identity provider configuration |
| Area 7 — Configuration Management | Hardened baselines, change control, drift detection | Application configuration baselines |
| Area 9 — Physical Protection | Fully inherited from US CJIS-aware datacenters | Nothing — physical layer is fully ours |
| Area 10 — Systems & Comms Protection | FIPS 140-2 crypto, network segmentation, TLS | Application TLS configuration |
| Area 12 — Personnel Security | Fingerprinted, background-checked US citizen staff | Your own personnel screening |
| Areas 1, 2, 11 — Agreements / Training / Audits | Vendor-side documentation; cooperation in audits | Agency-side agreements, training, audit response |

The GovDataHosting Process

Your Path to CJIS Compliance

Our proven methodology shortens timelines and reduces risk by combining inheritable controls, dedicated compliance staff, and direct experience with CJIS-aligned authorizations.

Step 1

Scope CJI Footprint

Identify every system, dataset, and integration that touches CJI. Define your CJIS authorization boundary as tightly as possible.

Step 2

Sign the Security Addendum

Execute the CJIS Security Addendum with your state CSA. Establish Management Control Agreements with hosting and SaaS vendors.

Step 3

Migrate & Inherit

Move workloads onto CJIS-aware infrastructure. Inherit Advanced Authentication, FIPS 140-2 crypto, and US persons-only support.

Step 4

Audit Readiness

Maintain audit logs, training records, and personnel screening documentation. Prepare for triennial CSA / FBI CJIS audits.

Frequently Asked Questions

CJIS FAQs

Does CJIS apply to a vendor that never sees CJI directly — for example, a hosting provider with full encryption?

Yes. The CJIS Security Policy explicitly addresses ‘incidental access’ — situations where a vendor’s personnel could potentially access CJI through privileged operations even if they don’t in normal practice. Hosting providers, MSPs, backup vendors, and any party with administrative reach into CJI-bearing systems must satisfy applicable policy areas, including personnel screening, regardless of whether they routinely view the data.

What is Advanced Authentication and what counts?

Advanced Authentication is CJIS shorthand for multi-factor authentication. Acceptable factors include hardware tokens, smartcards (including PIV), biometric verification, certificate-based authentication, and risk-based methods that meet the policy’s thresholds. SMS-based second factors are no longer considered compliant. AA is required for any CJI access from outside a physically secured location, including remote work, mobile devices, and field operations.

Is CJIS the same as StateRAMP / GovRAMP for state agencies?

No, but they often coexist. StateRAMP / GovRAMP is a state-level analog to FedRAMP, focused on cloud authorization for state and local government generally. CJIS is a specialized federal policy specifically for criminal justice information. A SaaS vendor serving a state police agency may need to satisfy both: GovRAMP for the underlying cloud authorization and CJIS for the law enforcement-specific data handling.

How does GovDataHosting’s personnel screening work for CJIS?

We employ US citizen support and engineering staff, all of whom undergo fingerprint-based background checks coordinated through the appropriate state CSA channel before being granted privileged access to CJIS-tagged tenant environments. We maintain documentation, logs, and re-vetting cadence per CJIS Section 5.12 requirements. During state CSA audits, we participate directly — providing personnel records, system documentation, and audit log evidence as required.

Ready to Host CJI on Compliant Infrastructure?

Schedule a free CJIS readiness review. We will walk through the 13 policy areas, identify what you can inherit, and coordinate with your state CSA on the documentation path.