
CJIS Security Policy Checklist

Written by
Sarah Cottone
Sr. Content Marketing Manager


The Criminal Justice Information Services (CJIS) Security Policy is a set of guidelines and requirements that organizations must follow to protect criminal justice information (CJI) until it’s released to the public through authorized channels or destroyed according to retention rules. 

Just as organizations working with protected health information must comply with HIPAA, any organization that handles CJI, such as biometric data or case history, must comply with the CJIS Security Policy.

If you work—or plan to work—with law enforcement or related government agencies, this checklist is for you. It covers the basics of the policy and who it applies to, the steps to achieve compliance, and how to maintain your compliance status.

What is the CJIS Security Policy?

The CJIS Security Policy defines the minimum security requirements an organization must meet to work with CJI, so that the confidentiality, integrity, and availability of that information are preserved throughout its lifecycle.

CJI refers to information used by law enforcement and related agencies to perform their missions. CJI encompasses several types of data, including:

  • Biometric data: Information about a person’s unique physical or behavioral characteristics used to identify or authenticate them
  • Identity history data: Text-based data that corresponds with someone’s biometric data and provides a chronological record of their criminal and/or civil events
  • Biographic data: Information about a person associated with a criminal justice case or incident
  • Property data: Any information about vehicles and property associated with a crime that includes personally identifiable information
  • Case or incident history: Records and information related to criminal incidents, investigations, arrests, and warrants
  • Criminal history record information (CHRI): A compilation of a person’s interactions with the criminal justice system*

*Note: CHRI is a highly sensitive subset of CJI, sometimes referred to as “restricted data.” As a result, it often requires additional, stricter controls for its access, use, and dissemination than other types of CJI.

The CJIS Security Policy was formalized in 1998 by the CJIS, a division of the Federal Bureau of Investigation (FBI) responsible for managing criminal justice information and related initiatives.   

The CJIS Security Policy has been updated regularly over the years to accommodate evolving technologies, threats, and policies. For example, CJIS Policy Version 6.0 was released in December 2024 and consolidates updates around cloud services, encryption standards, and remote access.

Who needs to comply with the CJIS Security Policy?

Any organization or individual that accesses, stores, transmits, or processes CJI must comply with the CJIS Security Policy. This includes:

  • Law enforcement agencies: Including federal, state, county, and local police departments
  • Criminal justice agencies: Such as courts and district attorneys’ offices 
  • Other government organizations: Including public safety organizations like fire services or 911 dispatch centers
  • Government contractors, subcontractors, and vendors: Encompasses private companies, such as SaaS and cloud vendors, that handle CJI on behalf of government agencies

As a U.S. federal mandate, the CJIS Security Policy generally applies to U.S. organizations. However, international entities that do business in the U.S. and access CJI must also comply.

How is the CJIS Security Policy enforced?

The CJIS follows a shared-management philosophy when it comes to enforcing CJIS Security Policy compliance. For example, the CJIS Audit Unit (CAU) audits all CJIS Systems Agencies (CSAs) and repositories every three years. Each state has its own CSA that oversees the administration and usage of CJIS programs within that state. In other words, while the CJIS Security Policy is a federal framework, it’s largely enforced at the state and local level.

Non-compliance with the CJIS Security Policy can result in revoked access to CJIS systems and data, contractual penalties, or other disciplinary actions.

Why should non-government organizations pursue CJIS Security Policy compliance? 

Pursuing CJIS Security Policy compliance is a strategic move for non-government organizations aiming to serve the public safety and law enforcement sectors. It signals readiness to handle sensitive CJI, opening doors to state, local, and education (SLED) contracts that require or strongly prefer compliance. 

Aligning with CJIS standards de-risks the procurement process, making it easier to gain trust and accelerate sales cycles with law enforcement agencies. Beyond contracts, compliance also enhances an organization’s overall security posture, reinforcing data privacy practices and demonstrating a commitment to safeguarding critical information.

CJIS Security Policy compliance checklist:

