What is the CJIS Security Policy and who must comply?

The FBI's CJIS Security Policy governs access to Criminal Justice Information (CJI) including NCIC, NLETS, fingerprint databases, and state criminal history systems. All law enforcement agencies, courts, corrections, dispatch centers, and any IT vendor with logical or physical access to CJI systems must comply with all 14 policy areas and execute a Security Addendum.

What background checks are required for CJIS compliance?

All personnel with access to CJI — including IT support staff and contractors — must undergo a fingerprint-based background check at the state and national level, reviewed by the state CSA. Securafy's staff with access to law enforcement environments maintain current CJIS background screening as required by the Security Addendum.

What encryption is required for CJIS compliance?

CJIS requires encryption of CJI in transit using FIPS 140-2 validated cryptographic modules with 128-bit or greater AES encryption. Data at rest in mobile devices must also be encrypted. All remote access to CJIS systems requires both encryption and advanced authentication (MFA). Securafy implements and documents CJIS-compliant encryption for all covered systems.

How does CJIS compliance apply to cloud services?

Cloud services storing or processing CJI must comply with all CJIS requirements including encryption, access controls, audit logging, and the Security Addendum. The FBI has established specific CJIS cloud requirements. Securafy evaluates cloud services for CJIS compliance and implements compensating controls for services used in law enforcement environments.

What is the penalty for CJIS non-compliance?

Law enforcement agencies that fail CJIS compliance audits can have access to CJI systems suspended or revoked — meaning officers cannot run background checks, access criminal histories, or query NCIC. This directly impacts public safety operations. Corrective action plans are required, and repeat violations can result in permanent access termination.

How often must CJIS security awareness training be completed?

CJIS requires security awareness training for all personnel with access to CJI at least every two years. Training must cover CJI handling procedures, applicable laws and regulations, and basic security awareness. Securafy's LMS platform includes CJIS-specific training modules with completion tracking and certificate generation for compliance documentation.

Law Enforcement / CJIS

Law Enforcement /
CJIS Compliance

CJIS Security Policy v5.9.5 compliance for law enforcement agencies in Columbus and Cleveland, Ohio. Security Addendum execution, fingerprint-based screening, all 14 policy areas documented.

Free Assessment View All Services

Compliance Requirement

CJIS

CJIS Security Policy mandates specific controls for any agency accessing criminal justice data. Non-compliance risks loss of data access. Securafy is CJIS-aligned and audit-ready.

Free · No Obligation

See where your security gaps are — before attackers do.

🛡 Get a Free CJIS Assessment

★★★★★5.0 Google · Verified reviews

CJI Access Suspension

CJIS v5.9.5 Risk

⚠ The Cost of Inaction

The consequence of a failed CSA triennial audit — operational disruption affecting every officer using CJIS-connected systems

Get a Free CJIS Compliance Review →

Industry Alert CJIS v5.9.5 eliminated the local network MFA exemption. Agencies not yet compliant are operating out of policy and at risk at their next CSA audit Talk to an Expert →

CJIS Security Policy v5.9.5 · All 14 Policy Areas

Are All 14 CJIS Policy Areas Fully Compliant?

Non-compliance with CJIS Security Policy means loss of CJI system access — and that is not a recoverable situation. A Securafy engineer will assess your agency's environment against all 14 CJIS policy areas and deliver a plain-language report of your current posture.

✓All 14 CJIS Security Policy area assessment
✓MFA, encryption, and audit logging verification
✓Personnel screening and training compliance check
✓Security Addendum documentation review

★ Law enforcement agencies · CJI access protected · CJIS-compliant MSP

Free · No Obligation · $2,500–$5,000 Value

Book Your Free Assessment

A Securafy engineer contacts you within 10 minutes.

★ What Law Enforcement Clients Say

CJIS compliance used to be a constant source of anxiety during our audits. Now it's a non-event. Securafy maintains all 14 policy areas continuously — we don't scramble before an audit anymore.

IT Director County Sheriff's Office · Northeast Ohio

The stakes with CJI are absolute — non-compliance means losing system access. Securafy is the only IT partner I've worked with who treats CJIS with the same seriousness law enforcement does.

Chief of Police Municipal Law Enforcement Agency · Ohio

Our state audit team audits our CJIS controls annually. Last year, for the first time, they told us we were one of the best-documented agencies they review. Securafy built that program.

Deputy Chief Regional Law Enforcement Agency · Central Ohio

Law Enforcement / CJIS

The Threat
Landscape

⚠️

Advanced Authentication Gap

v5.9.5 eliminated the local network exemption. Any agency with users accessing CJI on the internal network must deploy AA — one of the most common CSA audit findings.

MANDATORY — v5.9.5

⚠️

Policy Area 13 — Mobile Device Risk

MDM requirements for CJI-capable mobile devices are among the most frequently cited v5.9.5 gaps. Device encryption, remote wipe, and AA screen lock are required.

CJIS MANDATORY

⚠️

Vendor Addendum Status

Your IT provider must execute the CJIS Security Addendum as a condition of access. Many agencies discover their current IT vendor is not addendum-executed — an immediate audit finding.

AUDIT FINDING RISK

⚠️

Policy Area 14 — Cloud Services

New Policy Area 14 requirements govern CJI in cloud environments. Most agencies haven't assessed their cloud services against this requirement.

v5.9.5 NEW REQUIREMENT

What We Deliver

Award-Winning
Protection

Securafy's service tiers are purpose-built for this sector's compliance obligations, operational pressures, and threat environment. Headquartered in Columbus and Cleveland, Ohio — serving clients nationwide.

CJIS v5.9.5NIST SP 800-53 Rev. 5FBI CJIS DivisionCSA Audit PrepNIST CSF 2.0

📄

Security Addendum Execution on Day One

We sign the CJIS Security Addendum before accessing any system — removing the most common vendor-related audit finding before your first ticket is opened.

🔐

MFA on Every CJI User Including Local Network

v5.9.5 eliminated the local network exemption. We deploy phishing-resistant Advanced Authentication across every CJI user.

📱

MDM on Every CJI-Capable Mobile Device

Device encryption, remote wipe, and AA screen lock on all CJI mobile devices — closing the Policy Area 13 gap.

👁️

24/7 Human SOC — 24/7 Human-Operated SOC

Human analysts watching your environment around the clock. When an incident occurs, your 1-hour CSA notification clock is being managed — not just starting.

📋

Full 14-Policy-Area Documentation Program

We maintain compliance documentation across all 14 CJIS policy areas — the evidence package a CSA auditor expects to see.

✅

CSA Audit Preparation Support

Pre-audit readiness reviews, evidence package assembly, and CSO preparation for the triennial CSA audit. Goal: auditors find nothing.

See Comply-CARE See Secure-CARE

Common Questions

Frequently
Asked

Yes — we execute the CJIS Security Addendum as a standard condition of every law enforcement engagement, before accessing any system. All Securafy personnel who access your environment complete fingerprint-based background checks as required under Policy Area 12.

v5.9.5 (effective October 2024) eliminated the local network exemption for Advanced Authentication. All CJI users — including those on internal networks — must now use phishing-resistant MFA. Policy Area 13 also expanded MDM requirements for CJI-capable mobile devices, and new Policy Area 14 governs cloud services handling CJI.

We conduct pre-audit readiness reviews mapped against all 14 policy areas, assemble your evidence package, and prepare your CSO for the audit. We track all prior findings and ensure corrective action plans are fully closed before the next audit cycle. Our goal is that auditors find nothing requiring attention.

Ohio Client Proof

Ohio Client Proof: Amer Cunningham Co. L.P.A. (Akron, Ohio)

A professional services organization with strict data obligations chose Securafy for complete IT ownership. 100% business-hours uptime, zero unresolved tickets, and security so reliable leadership stopped thinking about it entirely.

100%

Biz-Hours Uptime

<5min

Response

Open Tickets

Read Case Study →

Watch the Full Briefing — On Your Schedule

Securafy for Law Enforcement
CJIS Compliance & Agency Protection

The complete briefing on how Securafy protects law enforcement agencies and organizations with Criminal Justice Information System (CJIS) access — covering all 14 CJIS Security Policy areas, MFA requirements, audit logging, and how Securafy maintains your CJI system eligibility.

▶ Full briefing · Stop anytime · No obligation

★ Soteria Award — Most Trusted MSP in North America 2024

Book Your Free CJIS Assessment →

No obligation · Custom proposal within 4 business hours

Ready To
Get Started?

Headquartered in Columbus and Cleveland, Ohio. Serving clients nationwide. Contact Securafy for a no-obligation assessment of your environment.

Request Free Assessment

📧 info@securafy.com

📍 Columbus, Ohio

📍 Cleveland, Ohio

FREE · 30 MINUTES · NO SALES PITCH

See Exactly Where You're Exposed.
Before an Attacker Does.

Our free 47-point network and security assessment gives you a prioritised remediation report in plain language — no obligation, no upsell.

Book a Free Strategy Call → 📞 (330) 906-8888

★ Soteria Award — Most Trusted MSP in North America 2024 · 30-Day Risk-Free Trial · 10-Minute Response Guarantee

Law Enforcement /CJIS Compliance