What is CJIS Compliance?
Complete guide to FBI Criminal Justice Information Services security requirements for legal technology. Understand the 13 security areas, compliance checklist, and how EqualLaw meets every requirement.
Quick Summary
CJIS (Criminal Justice Information Services) is the FBI's security policy requiring specific safeguards for criminal justice data. First established in the 1990s and regularly updated (current version 6.0, December 2024), it mandates 13 security areas including encryption standards, access controls, audit trails, personnel background checks, and physical security. Legal technology handling discovery evidence—including body camera footage, police reports, and case files—must meet these standards to protect sensitive information and maintain access to FBI criminal justice databases.
What is CJIS?
The Criminal Justice Information Services (CJIS) Security Policy is a comprehensive set of security requirements established by the Federal Bureau of Investigation (FBI) to protect Criminal Justice Information (CJI). The policy ensures that any organization or system with access to CJI maintains appropriate security controls to protect this sensitive data from unauthorized access, use, or disclosure.
CJIS was created in response to the digitization of criminal justice records and the need for secure information sharing between law enforcement agencies, courts, prosecutors, and defense attorneys. The policy is mandatory for any organization that accesses FBI criminal justice databases or handles CJI in any form.
Why CJIS Exists
- Protect Individual Privacy: Criminal justice records contain highly sensitive personal information that must be protected from unauthorized disclosure.
- Maintain System Integrity: Ensures criminal justice databases contain accurate, tamper-proof information that can be trusted by law enforcement and courts.
- Enable Secure Information Sharing: Allows authorized agencies to share critical information while maintaining security and accountability.
- Establish Consistent Standards: Creates uniform security requirements across all jurisdictions and organizations handling CJI.
What Data CJIS Protects (Criminal Justice Information)
- Criminal history records
- Arrest records and booking photos
- Police reports and incident documentation
- Body camera footage and surveillance video
- Discovery materials in criminal cases
- Witness statements and investigative files
- Fingerprints and biometric data
- Warrant information and court records
Who Needs CJIS Compliance?
CJIS compliance is required for any organization or individual that stores, processes, transmits, or accesses Criminal Justice Information in any form. This extends well beyond law enforcement to include the entire criminal justice ecosystem.
Organizations Handling CJI
- Law enforcement agencies at all levels
- Public defender offices handling discovery
- Prosecutor offices and district attorneys
- Court systems and judicial offices
- Probation and parole departments
- Criminal justice coordinating councils
- Legal technology vendors serving these organizations
When Legal Software Needs CJIS
If your software stores, processes, or transmits any of the following, CJIS compliance is required:
- Discovery evidence in criminal cases
- Police reports or investigative documents
- Body camera footage or surveillance video
- Arrest records or booking information
- Witness statements in criminal matters
- Criminal history or background check data
If you handle any criminal case data, assume CJIS applies until proven otherwise.
Important: Public Defenders Are NOT Exempt
There is sometimes confusion about whether public defenders need CJIS compliance since they represent defendants (not the state). This is incorrect. Public defender offices handle Criminal Justice Information (discovery, police reports, body cam footage, etc.) and therefore must comply with CJIS Security Policy requirements. The FBI and state CJIS Systems Agencies (CSAs) have confirmed this repeatedly. Software used by public defenders must be CJIS compliant.
The 13 CJIS Security Policy Areas
The CJIS Security Policy (Version 6.0, December 2024) organizes requirements into 13 security areas. Each area addresses specific aspects of information security. Organizations must implement controls for all applicable areas to achieve compliance.
Below, we explain each security area, what it requires, how it applies to legal software, and exactly how EqualLaw meets the requirements.
CJIS Compliance Checklist
Use this comprehensive checklist to evaluate software vendors or assess your own compliance status. This covers technical, operational, and administrative requirements.
How to Achieve CJIS Compliance
Achieving CJIS compliance requires systematic planning and implementation. Here's a step-by-step approach for organizations handling Criminal Justice Information.
Understand Your Obligations
Determine which CJIS requirements apply to your organization based on the type of CJI you handle and your role in the criminal justice system.
Key Actions:
- Review the complete CJIS Security Policy v6.0
- Contact your state CJIS Systems Agency (CSA) for guidance
- Document what types of CJI your organization handles
- Identify all systems and vendors that access CJI
Conduct Gap Analysis
Assess your current security posture against CJIS requirements to identify what needs to be implemented or improved.
Key Actions:
- Use the compliance checklist to evaluate current controls
- Document gaps between current state and requirements
- Prioritize gaps based on risk and implementation complexity
- Estimate costs and resources needed for compliance
Implement Technical Controls
Deploy the necessary security technologies and configurations to meet CJIS technical requirements.
Key Actions:
- Implement encryption for data at rest and in transit
- Deploy multi-factor authentication for all users
- Set up comprehensive audit logging with tamper protection
- Configure access controls and role-based permissions
- Establish firewalls, intrusion detection, and monitoring
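Of the controls listed above, "audit logging with tamper protection" is the easiest to claim and the hardest to verify, so here is an added example (not EqualLaw's code and not text from the CJIS Security Policy) of one way to make an audit trail tamper-evident: each entry carries an HMAC over its own fields and the MAC of the previous entry, forming a chain, and a verifier walks the chain to find the first entry that was altered or removed. The key, user names and object names are constructed for the example; in practice the key would come from a KMS or HSM and the verifier would run on a copy of the log held by a party who cannot write to it.

```python
"""Hash-chained, HMAC-protected audit log (added example, hypothetical)."""
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed key for the example only; load from a KMS/HSM-backed secret in practice.
KEY = b"example-audit-key-do-not-use"
GENESIS = "0" * 64  # MAC "of the entry before the first one"


def _mac(key: bytes, prev_mac: str, body: dict) -> str:
    # Canonical JSON so the same fields always produce the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + b"\n" + payload, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log; each entry's MAC covers its fields and the previous MAC."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []  # dicts: seq, ts, actor, action, object, mac

    def append(self, actor: str, action: str, obj: str, ts: Optional[float] = None) -> str:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": time.time() if ts is None else ts,
            "actor": actor,
            "action": action,
            "object": obj,
        }
        mac = _mac(self.key, prev, body)
        self.entries.append({**body, "mac": mac})
        return mac  # the current chain head; anchor it somewhere the log writer cannot reach


def verify(key: bytes, entries: list, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, index of first bad entry).

    Modified or deleted entries break the chain. Silent truncation of the tail does
    not, unless the caller supplies the externally anchored head MAC."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or not hmac.compare_digest(_mac(key, prev, body), entry.get("mac", "")):
            return False, i
        prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)  # chain is self-consistent but shorter than the anchor says
    return True, None


def demo() -> dict:
    """Build a small log with constructed events and show what the verifier catches."""
    log = AuditLog(KEY)
    log.append("jdoe", "VIEW", "case-123/bodycam_001.mp4", ts=1700000000.0)
    log.append("jdoe", "DOWNLOAD", "case-123/bodycam_001.mp4", ts=1700000060.0)
    head = log.append("asmith", "SHARE", "case-123/police_report.pdf", ts=1700000120.0)

    modified = [dict(e) for e in log.entries]
    modified[0]["actor"] = "mallory"          # rewrite who viewed the footage
    deleted = log.entries[:1] + log.entries[2:]  # drop the DOWNLOAD event
    truncated = log.entries[:-1]               # drop the most recent event

    return {
        "intact": verify(KEY, log.entries, expected_head=head),
        "modified": verify(KEY, modified),
        "deleted": verify(KEY, deleted),
        "truncated_unanchored": verify(KEY, truncated),
        "truncated_anchored": verify(KEY, truncated, expected_head=head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `truncated_unanchored` case is the caveat worth remembering when reviewing a vendor's "tamper-proof" claim: a chain proves nothing about entries that were cut off the end, so the head MAC (or a periodic digest) has to be written somewhere the log's own writers cannot modify, such as a separate account, a write-once bucket, or a third-party timestamping service.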
Document Everything
Create comprehensive documentation of your security program, policies, and procedures.
Key Actions:
- Write security policies and procedures
- Document technical configurations and architectures
- Create incident response plans and procedures
- Prepare information exchange agreements
- Maintain records of training and background checks
Train Personnel
Ensure all personnel with CJI access understand security requirements and their responsibilities.
Key Actions:
- Complete FBI fingerprint background checks for applicable staff
- Provide CJIS security awareness training annually
- Train staff on incident reporting procedures
- Document training completion with certificates
- Establish ongoing security awareness program
Undergo Audit (if required)
Some state CSAs require periodic audits. Even if not required, self-audits verify compliance.
Key Actions:
- Engage with your state CSA about audit requirements
- Conduct internal self-assessments quarterly
- Address any findings promptly
- Maintain audit records and remediation documentation
- Schedule regular compliance reviews
How EqualLaw Meets CJIS Requirements
EqualLaw is built on CJIS-compliant infrastructure from day one. Here's our comprehensive compliance documentation showing exactly how we meet each of the 13 security areas.
Our Compliance Approach
Unlike many software vendors who retrofit security, EqualLaw was designed with CJIS compliance as a foundational requirement. Every architectural decision, from our choice of infrastructure provider to our authentication system, was made with CJIS Security Policy requirements in mind.
Security-First Design
Built on CJIS-compliant AWS infrastructure with security controls from day one
Comprehensive Documentation
Complete security policies, procedures, and audit trails available for review
Trained Personnel
All staff with CJI access undergo FBI background checks and annual training
Compliance Summary: All 13 Areas Implemented
EqualLaw implements controls for all 13 CJIS security areas. See the detailed breakdown in the "13 Security Areas" section above, or review our comprehensive security documentation.
Available to Customers
- CJIS Security Addendum: Signed formal agreement documenting security responsibilities and compliance commitments
- Infrastructure Compliance Reports: AWS CJIS compliance documentation and attestations
- Audit Trail Documentation: Technical specifications of logging and monitoring capabilities
- Security Assessment Reports: Third-party security evaluations and penetration test summaries
- Incident Response Procedures: Documented procedures for security incident detection, containment, and notification
Common CJIS Compliance Misconceptions
There's a lot of confusion around CJIS requirements. Let's clear up the most common misconceptions we hear from legal technology buyers and vendors.
"We use AWS, so we're automatically CJIS compliant"
AWS provides infrastructure on which CJIS-compliant systems can be built, but YOU must implement the controls correctly. It's a shared responsibility model: AWS handles physical security, the hypervisor, and the underlying network, while you're responsible for encryption configuration and key management, IAM and access controls, audit logging, personnel screening, and proper use. A misconfigured bucket or an account without MFA is still non-compliant no matter which region it runs in.
"CJIS certification is required for vendors"
There's no official "CJIS certification" for software vendors. Compliance is about meeting the FBI CJIS Security Policy requirements, not obtaining a badge. Some states conduct audits, but there's no federal certification program.
"Only law enforcement needs CJIS compliance"
ANY organization accessing Criminal Justice Information needs compliance - including public defenders, prosecutor offices, courts, probation departments, and their software vendors. Discovery evidence is CJI.
"Cloud storage can't be CJIS compliant"
Cloud CAN be compliant. The FBI does not "authorize" cloud regions, but providers such as AWS (GovCloud) and Microsoft (Azure Government) offer environments designed to support the policy's controls and will sign the CJIS Security Addendum with agencies, and many agencies successfully use them. What makes the deployment compliant is implementing the required controls on top of that environment and having your state CSA accept the arrangement.
"CJIS is a one-time audit"
Compliance is continuous. Requirements include annual training, quarterly access reviews, ongoing monitoring, regular security assessments, and staying current with policy updates. It's not "set it and forget it."
"Consumer cloud services like Dropbox are fine for discovery"
Absolutely not. Consumer cloud services don't meet CJIS requirements for encryption, access control, audit trails, or physical security. Using non-compliant storage puts your office and clients at serious risk.
Red Flags When Evaluating Legal Tech Vendors
When evaluating software for your public defender office or law firm, watch for these warning signs that a vendor may not actually meet CJIS requirements:
What to Do Instead:
- Ask for specific documentation of how they meet each of the 13 areas
- Request a CJIS Security Addendum for review before signing
- Verify their infrastructure provider supports CJIS requirements and will sign the CJIS Security Addendum (there is no FBI authorization list for cloud providers)
- Ask about personnel background checks and security training
- Contact your state CJIS Systems Agency if you're unsure
Frequently Asked Questions
Is there an official CJIS certification?
No. CJIS is a policy published by the FBI, not a certification program. "CJIS compliance" means meeting the requirements outlined in the FBI CJIS Security Policy. Some state CJIS Systems Agencies (CSAs) conduct audits of organizations in their state, but there is no federal "CJIS certified" badge. Be wary of vendors claiming "CJIS certification" - ask them to specify exactly which requirements they meet and how.
How much does CJIS compliance cost?
Costs vary significantly based on organization size and existing infrastructure. Key expenses include: CJIS-compliant infrastructure ($500-$5,000+/month), FBI background checks for personnel ($50-$150 per person), security training programs ($100-$500 per person annually), compliance audits ($5,000-$50,000 depending on scope), and ongoing monitoring tools. Many organizations find that cloud-based solutions reduce total cost compared to building and maintaining compliant infrastructure in-house.
Do public defenders need CJIS compliance?
Yes. Public defender offices handle Criminal Justice Information (CJI) including arrest records, police reports, body camera footage, and discovery materials. They must comply with CJIS Security Policy requirements. The software and services they use must also be CJIS compliant. This is not optional - it's a requirement for accessing FBI criminal justice databases and handling sensitive case data.
Can I use consumer cloud services (Dropbox, Google Drive)?
No. Consumer cloud services do not meet CJIS requirements for encryption, access control, audit logging, or physical security. You need enterprise cloud services (like AWS GovCloud, Azure Government, or Google Cloud Assured Workloads) with proper CJIS-compliant configuration. Using non-compliant storage can result in loss of access to FBI databases, grant ineligibility, data breach liability, and ethical violations.
What happens if my office isn't compliant?
Non-compliance can result in: (1) Loss of access to FBI criminal justice databases (NCIC, III), (2) Ineligibility for federal grants requiring CJIS compliance, (3) State sanctions or loss of state funding, (4) Legal liability in case of data breach, (5) Ethical violations for attorneys, and (6) Reputational damage. If a breach occurs due to non-compliance, the consequences are even more severe including potential criminal charges and civil liability.
How often does the CJIS Security Policy change?
The FBI updates the CJIS Security Policy periodically, typically releasing new versions every 1-2 years. The current version is 6.0 (December 2024). Organizations must stay current with policy updates and implement any new requirements. Major changes are usually announced with implementation timelines. Subscribe to your state CJIS Systems Agency (CSA) notifications to stay informed.
Do I need CJIS compliance for a case management system?
If your case management system stores, processes, or transmits Criminal Justice Information (arrest records, charging documents, discovery evidence, etc.), then yes - it must be CJIS compliant. This applies whether the system is on-premises, cloud-based, or provided by a vendor. Don't assume your current system is compliant - verify that your vendor meets all 13 security areas and has proper documentation.
How do I know if a software vendor is truly CJIS compliant?
Ask these questions: (1) What specific CJIS-compliant infrastructure do you use? (2) Have your personnel undergone FBI background checks? (3) Can you provide a CJIS Security Addendum? (4) Do you have audit logs and incident response procedures? (5) Can you provide documentation or audit reports? (6) What encryption standards do you use? Request written documentation - don't accept vague claims. Review their security page and ask for evidence of each requirement they claim to meet.
Resources & Further Reading
Official CJIS documentation, technical standards, and resources for deeper research.
FBI CJIS Security Policy v6.0
Official CJIS Security Policy document (December 2024)
FBI CJIS Division
Official FBI CJIS program information and resources
CJIS Advisory Policy Board
Board that provides input on CJIS policies and procedures
NIST Special Publication 800-88 Rev. 1
Guidelines for Media Sanitization (referenced in CJIS policy)
AWS CJIS Compliance
AWS documentation on CJIS compliance capabilities
Stay Current with CJIS Requirements
CJIS policy requirements evolve over time. Subscribe to receive updates when the policy changes, along with practical guidance on implementing new requirements.
Important Disclaimer
This guide is provided for informational and educational purposes only and does not constitute legal, compliance, or professional advice. CJIS compliance requirements can vary by state and specific use case. Always consult with your state CJIS Systems Agency (CSA), legal counsel, and compliance advisors for guidance specific to your organization. EqualLaw makes reasonable efforts to keep this guide current, but the FBI CJIS Security Policy is the authoritative source for all requirements. Organizations are responsible for their own compliance determination and implementation.
Need Help with CJIS Compliance?
Whether you're evaluating software vendors, need to understand your own compliance obligations, or want to see how EqualLaw meets CJIS requirements, we're here to help.