CJIS Compliance
CJIS Security Policy v5.9.5 governs all access to FBI criminal justice information, requiring compliance across 14 policy areas including multi-factor authentication, encryption, audit logging, and personnel screening. Non-compliant agencies lose CJI system access. Securafy is a CJIS-compliant MSP serving Ohio law enforcement agencies, courts, and IT vendors with complete policy area implementation and annual compliance assessments.
Any agency accessing FBI CJIS data must meet strict security controls. Securafy is CJIS-aligned and has guided Ohio law enforcement through audits.
What Is the CJIS Security Policy?
The Criminal Justice Information Services (CJIS) Security Policy, maintained by the FBI, governs all access to Criminal Justice Information (CJI) — including data from NCIC, state repositories, biometric databases, identity history, and case/incident data. The current policy is version 5.9.5.
In Ohio, the Ohio Department of Public Safety / LEADS administers CJIS compliance for all agencies accessing the Ohio Law Enforcement Automated Data System and federal criminal justice databases. Every agency, from large municipal departments to small township departments, must maintain full CJIS compliance.
Critically: any IT vendor, MSP, or contractor who has unescorted physical or logical access to systems processing CJI must also comply with the CJIS Security Policy and sign a Management Control Agreement (MCA). This means your IT provider must be CJIS-compliant — not just your agency.
"Loss of CJIS access means loss of NCIC, LEADS, AFIS, and every federal criminal database — effectively disabling modern law enforcement operations."
CJIS Security Policy Requirements
The CJIS Security Policy v5.9.5 is organized into 14 policy areas. Every area must be addressed — partial compliance is not compliance.
Policy Area 1: Information Exchange Agreements
All agencies and vendors accessing CJI must have executed Interagency Agreements, Management Control Agreements (MCAs), or User Agreements. Securafy signs MCAs with every law enforcement client.
Policy Area 2: Security Awareness Training
All personnel with access to CJI must complete security awareness training within 6 months of hire and every 2 years thereafter. Training must be documented and available for audit.
Policy Area 3: Incident Response
Agencies must have documented incident response procedures, report security incidents to their CSO and the FBI CJIS Division, and maintain incident logs. Breach notification timelines are strict.
Policy Area 4: Auditing & Accountability
All CJI access must be logged, including who accessed what data, when, and from where. Logs must be reviewed, retained for minimum periods, and protected from tampering.
Policy Area 5: Access Control
Least-privilege access, unique individual accounts, account management, and role-based access control. Shared accounts and generic logins are prohibited for CJI access.
Policy Area 6: Identification & Authentication
Advanced Authentication (AA) — equivalent to multi-factor authentication — is required for all remote access to CJI and any local access outside the physically secure location. Complex password requirements apply.
Policy Area 7: Configuration Management
Baseline configurations, change control, software inventory, and configuration monitoring. Unauthorized software and hardware changes to CJI systems are prohibited.
Policy Area 8: Media Protection
CJI on removable media must be encrypted. Sanitization procedures are required before disposal. Physical media controls apply to CJI printouts, portable drives, and backup media.
Policy Area 9: Physical Protection
Physically secure locations for CJI processing, visitor control, workstation placement, screen privacy, and access controls for server rooms and communications facilities.
Policy Area 10: System & Communications Protection
Encryption of CJI in transit (minimum 128-bit), network segmentation, boundary protections, and controls for wireless access. Unencrypted CJI may not traverse non-agency-controlled networks.
Policy Area 11: System & Information Integrity
Malicious code protection, security alerting, software patching, spam and spyware protection, and input validation for CJI systems. Regular vulnerability scanning required.
Policy Area 12: Cloud Computing
Cloud services storing or processing CJI must meet FBI CJIS Division cloud requirements. FedRAMP authorized cloud providers are the standard. AWS GovCloud, Microsoft Government Community Cloud, and similar solutions require specific configuration.
Policy Area 13: Mobile Devices
Mobile devices accessing CJI require device management (MDM), encryption, remote wipe capability, and advanced authentication. Personally-owned devices (BYOD) face additional restrictions.
Policy Area 14: Management Control Agreements
All private sector entities with unescorted access to CJI systems must execute MCAs acknowledging their responsibilities under the CJIS Security Policy. Violation is grounds for immediate access termination.
CJIS-Compliant IT for Ohio Agencies
Securafy is a CJIS-compliant Managed Service Provider. Our staff complete CJIS security awareness training, we execute MCAs with all Ohio law enforcement clients, and every service we provide to law enforcement is designed to maintain your CJIS compliance posture.
CJIS Compliance Audit
We conduct a comprehensive review of your agency's posture against all 14 CJIS policy areas, identify gaps, and produce a prioritized remediation plan aligned to LEADS audit criteria.
Advanced Authentication (AA) Deployment
We implement and manage multi-factor authentication for all remote CJI access and physically secure location access — meeting CJIS AA requirements across all platforms.
CJIS-Compliant Cloud Migration
We architect and migrate agency systems to CJIS-compliant cloud environments using FBI-approved platforms — ensuring your cloud infrastructure meets all Policy Area 12 requirements.
Mobile Device Management
We implement and manage MDM solutions meeting all CJIS Policy Area 13 requirements — encryption, remote wipe, compliance enforcement, and access controls for every device accessing CJI.
Security Awareness Training
We provide CJIS-specific security awareness training meeting Policy Area 2 requirements — tracked, documented, and reportable for LEADS audits. Annual refreshers automated.
Incident Response & Reporting
When a security incident involving CJI occurs, we provide immediate incident response support, help fulfill mandatory FBI CJIS Division reporting requirements, and document the response for audit purposes.
Securafy builds and maintains compliance programs for businesses in Columbus and Cleveland and nationwide. Prevention-First. Compliance-Ready. Award-Winning.
