What Is CJIS Compliance?

Criminal Justice Information Services (CJIS) protects private or sensitive information gathered by local, state, and federal law enforcement agencies. This could include fingerprints, criminal background information, copies of private documents, or anything else that could be classified as sensitive.

CJIS is the largest division of the FBI, incorporating key departments like National Crime Information Center (NCIC), Integrated Automated Fingerprint Identification System (IAFIS), and the National Instant Criminal Background Check System (NICS). Each of these departments are privy to sensitive information gathered by law enforcement agencies to perform background checks. As part of CJIS compliance, organizations must keep this information protected, whether its being stored or transferred to another party. While portions of CJIS policies focus on the hard copies of sensitive information, there are also protections for digital information, too. In the past, keeping applicable information secure was as simple as storing the files in a locked cabinet. In a digital world, however, protecting these files looks a lot different than keeping them under lock and key.

Organizations today are tasked with protecting data that is stored on the cloud or transferred via the internet. Hackers are a constant looming threat if you’re subject to CJIS compliance. This means to ensure this information is protected, you need a number of digital security measures in place, like encryption and multi-factor authentication, among other measures.

To comply with CJIS regulations, you need to understand the broad goals of these regulations, and which aspects of CJIS apply to your business operations. Learn more about CJIS compliance entails, and find out how this applies to your digital data storage and transfers.

CJIS Compliance: What Does it Entail?

First, it’s important to address who should be compliant with CJIS policies. Essentially, if you have access to data from CJIS databases, you need to align with their data security standards. This applies to law enforcement agencies, including local police forces. It also applies to prosecuting attorneys offices who have access to CJIS data, as well.

In the FBI’s outline of CJIS policies, the bureau points out that not all of the 13 policy areas will apply to every organization. But, it’s important to be familiar with all policies in case some do apply to you. Let’s look at the 13 policy areas and a brief summary of what they cover. When you have a working knowledge of CJIS security policies, you can identify which ones apply to your organization.

• Policy Area 1: Information Exchange Agreements - If you’re sharing CJIS-protect data with another organization, you must have a written agreement between the organizations that you will both comply with CJIS security standards.

• Policy Area 2: Security Awareness Training - Any employees handling CJIS data must have security training within the first six months of being assigned to their role and additional training every other year in the future.

• Policy Area 3: Incident Response - You must have safeguards in place to detect and contain any data breaches. You also need data recovery measures in place. Any data breach must be reported to the appropriate authorities.

• Policy Area 4: Auditing and Accountability - You should implement audit controls to monitor who is accessing data, when they are accessing it, and for what purpose they are accessing it. This information should be logged for any future audits.

• Policy Area 5: Access Control - Under CJIS policy area 5, you must have the ability to control who can access your data. This can include controlling who can access, upload, download, transfer, and delete secure data. It also impacts your login management systems, remote access controls, and more.

• Policy Area 6: Identification and Authentication - To access CJIS data, users must align with CJIS login credential standards, meet password requirements, and use advanced authentication methods like one-time passwords and multi-factor authentication.

• Policy Area 7: Configuration Management - Per area 7, only authorized users can make configuration adjustments, like upgrading systems or initiating modifications.

• Policy Area 8: Media Protection - CJIS-related data must be protected in all forms, digital and physical, both in transit and at rest. Equipment that is no longer being used by your organization must be sanitized and disposed of in alignment with CJIS policies.

• Policy Area 9: Physical Protection - The physical location for stored CJIS data must be secured at all times, preventing access from unauthorized persons.

• Policy Area 10: System and Communications Protection and Information Integrity - Not only should your data be protected, your organizations systems and communications should be protected, as well. This policy section outlines the steps you must take to protect your systems, like encryption, network security, data breach detection measures, and more.

• Policy Area 11: Formal Audits - If you use and manage CJIS data, you are subject to audits a minimum every three years by either the CJIS Audit Unit (CAU) or the CJIS Systems Agency (CSA) for your state.

• Policy Area 12: Personnel Security - Everyone associated with your organization – from employees to contractors and subcontractors – must submit to security screenings and national fingerprint-based record checks.

• Policy Area 13: Mobile Devices - Even your employees’ mobile devices (like smartphones and tablets) are subject to CJIS oversight. You must establish usage restrictions, and authorize, monitor, and control access to your systems via these devices.

How to Stay Compliant with CJIS Policies

While the above 13 policies are extensive, there are tools you can adopt to help lighten the burden of compliance. Once such tool is a secure file sharing solution. This can be particularly beneficial when it comes to policies that have to do with file sharing and keeping your data secure and your organization compliant.

Let’s look at policy areas 5, 6, and 12 specifically, and the secure file sharing features that can help you align with these standards.

• Access Controls - A file sharing solution allows administrators to control who can access, upload, download, and delete files. You can also control access based on IP address and based on the country the user is trying to access the solution from – a helpful feature when protecting against hackers.

• Identification and Authentication - Using a file sharing solution, you can require all users to align with secure password best practices. You can also use tools like multi-factor authentication (using a one-time password sent to a phone or email address) or multiple authentication methods (authenticating with login credentials and SSH authentication keys).

• Personnel Security - Though your data will be stored in the cloud with most top file sharing solutions, you can rest easy knowing that the remote servers are in secure locations. With Sharetru for example, it’s guaranteed that your data is stored at a secure, remote location in the United States managed 100% by U.S. persons.

With a secure file sharing solution, you can easily start to align with CJIS policies. Top solutions like Sharetru have the measures built into their solution, so the minute you adopt it and begin sharing files, you’re compliant with CJIS policies.

Using the right file sharing solution, your organization can stay CJIS compliant, and protect the data with which you’ve been entrusted.

Learn more about secure file sharing and how using the right solution can help you stay compliant. Explore these frequently asked questions now.

Trying to select a new file sharing solution, but you have a few questions first?

Explore these common questions about file sharing solutions and find out their answers.

See Answers to Common Questions