Access to FBI criminal justice information (CJI) requires strict compliance with the CJIS Security Policy. Ohio law enforcement agencies and their IT vendors must meet all 14 CJIS policy areas — or lose access to NCIC, LEADS, and AFIS. Securafy is a CJIS-compliant MSP serving Ohio agencies.
The Criminal Justice Information Services (CJIS) Security Policy, maintained by the FBI, governs all access to Criminal Justice Information (CJI) — including data from NCIC, state repositories, biometric databases, identity history, and case/incident data. The current policy is version 5.9.5.
In Ohio, the Ohio Department of Public Safety / LEADS administers CJIS compliance for all agencies accessing the Ohio Law Enforcement Automated Data System and federal criminal justice databases. Every agency, from large municipal departments to small township departments, must maintain full CJIS compliance.
Critically: any IT vendor, MSP, or contractor who has unescorted physical or logical access to systems processing CJI must also comply with the CJIS Security Policy and sign a Management Control Agreement (MCA). This means your IT provider must be CJIS-compliant — not just your agency.
"Loss of CJIS access means loss of NCIC, LEADS, AFIS, and every federal criminal database — effectively disabling modern law enforcement operations."
The CJIS Security Policy v5.9.5 is organized into 14 policy areas. Every area must be addressed — partial compliance is not compliance.
All agencies and vendors accessing CJI must have executed Interagency Agreements, Management Control Agreements (MCAs), or User Agreements. Securafy signs MCAs with every law enforcement client.
All personnel with access to CJI must complete security awareness training within 6 months of hire and every 2 years thereafter. Training must be documented and available for audit.
Agencies must have documented incident response procedures, report security incidents to their CSO and the FBI CJIS Division, and maintain incident logs. Breach notification timelines are strict.
All CJI access must be logged, including who accessed what data, when, and from where. Logs must be reviewed, retained for minimum periods, and protected from tampering.
Least-privilege access, unique individual accounts, account management, and role-based access control. Shared accounts and generic logins are prohibited for CJI access.
Advanced Authentication (AA) — equivalent to multi-factor authentication — is required for all remote access to CJI and any local access outside the physically secure location. Complex password requirements apply.
Baseline configurations, change control, software inventory, and configuration monitoring. Unauthorized software and hardware changes to CJI systems are prohibited.
CJI on removable media must be encrypted. Sanitization procedures are required before disposal. Physical media controls apply to CJI printouts, portable drives, and backup media.
Physically secure locations for CJI processing, visitor control, workstation placement, screen privacy, and access controls for server rooms and communications facilities.
Encryption of CJI in transit (minimum 128-bit), network segmentation, boundary protections, and controls for wireless access. Unencrypted CJI may not traverse non-agency-controlled networks.
Malicious code protection, security alerting, software patching, spam and spyware protection, and input validation for CJI systems. Regular vulnerability scanning is required.
Cloud services storing or processing CJI must meet FBI CJIS Division cloud requirements. FedRAMP authorized cloud providers are the standard. AWS GovCloud, Microsoft Government Community Cloud, and similar solutions require specific configuration.
Mobile devices accessing CJI require device management (MDM), encryption, remote wipe capability, and advanced authentication. Personally owned devices (BYOD) face additional restrictions.
All private sector entities with unescorted access to CJI systems must execute MCAs acknowledging their responsibilities under the CJIS Security Policy. Violation is grounds for immediate access termination.
Securafy is a CJIS-compliant Managed Service Provider. Our staff complete CJIS security awareness training, we execute MCAs with all Ohio law enforcement clients, and every service we provide to law enforcement is designed to maintain your CJIS compliance posture.
We conduct a comprehensive review of your agency's posture against all 14 CJIS policy areas, identify gaps, and produce a prioritized remediation plan aligned to LEADS audit criteria.
We implement and manage multi-factor authentication for all remote CJI access and physically secure location access — meeting CJIS AA requirements across all platforms.
We architect and migrate agency systems to CJIS-compliant cloud environments using FBI-approved platforms — ensuring your cloud infrastructure meets all Policy Area 12 requirements.
We implement and manage MDM solutions meeting all CJIS Policy Area 13 requirements — encryption, remote wipe, compliance enforcement, and access controls for every device accessing CJI.
We provide CJIS-specific security awareness training meeting Policy Area 2 requirements — tracked, documented, and reportable for LEADS audits. Annual refreshers automated.
When a security incident involving CJI occurs, we provide immediate incident response support, help fulfill mandatory FBI CJIS Division reporting requirements, and document the response for audit purposes.
Securafy builds and maintains compliance programs for Columbus and Cleveland, Ohio businesses. Prevention-First. Compliance-Ready. Award-Winning.