• Information Security Program: Organizations accessing or storing CJI are required to establish and maintain a documented information security program. This program should include policies, procedures, and standards that address security controls, risk management, incident response, and employee awareness.
• Access Control: The CJIS Security Policy emphasizes strong access controls to protect CJI. This includes implementing unique user identification, strong authentication, and role-based access control (RBAC). Access should be granted based on the principle of least privilege, ensuring individuals have access only to the information necessary to perform their duties.
• Auditing and Accountability: Organizations must implement logging and auditing mechanisms to track access to CJI and detect any unauthorized or suspicious activities. Audit logs should be retained for a specified period, and regular reviews should be conducted to identify and investigate any anomalies.
• Personnel Security: Organizations must conduct appropriate background checks on personnel who have access to CJI. This includes criminal history record checks and employment history verification. The policy may specify the specific requirements and frequency for conducting these checks.
• Physical Security: Facilities where CJI is stored or processed should have physical security measures in place, including access controls, surveillance systems, and protection against environmental hazards. The policy may outline specific requirements for securing physical access to CJI systems and storage areas.
• Incident Response and Reporting: Organizations must have a documented incident response plan that outlines procedures for responding to security incidents, including breach notification to appropriate parties. Incident response exercises and drills may also be required periodically to test the effectiveness of the plan. We offer a wide range of industry leading incident response plans for AWS, Microsoft Azure, Google Cloud Platform, and other environments.
• Security Awareness and Training: Organizations are expected to provide security awareness and training programs to employees who access or handle CJI. This includes educating personnel about their responsibilities, security policies, and best practices for protecting CJI.
• Configuration Management: The CJIS Security Policy may require organizations to implement configuration management practices to ensure the secure configuration of systems and applications that process or store CJI. This includes maintaining an inventory of authorized hardware and software, applying patches and updates, and controlling changes to the environment.
• Encryption and Data Protection: The policy typically emphasizes the use of encryption to protect CJI both in transit and at rest. Organizations may be required to implement strong encryption mechanisms, secure cryptographic key management, and appropriate data backup and recovery procedures.

It's important to note that the CJIS Security Policy is subject to updates and revisions. Organizations accessing or handling CJI should regularly review the most current version of the policy and ensure compliance with all applicable requirements.

We Provide a Full Life Cycle of Solutions for FBI CJIS Policy Compliance

• Gap Assessments
• Policies and Procedures Writing
• Independent CJIS Security Assessments
• CJIS Specific Continuous Monitoring Programs