Criminal Justice Information Services (CJIS) Audit and Assessments; we are ready when you are! Call +1 (888) 896-7580 today.
The Federal Bureau of Investigation (FBI) established the Criminal Justice Information Services (CJIS) Security Policy to ensure the protection of sensitive criminal justice information (CJI) across law enforcement and related entities. Lazarus Alliance, an A2LA ISO/IEC 17020-accredited firm, collaborates directly with your organization to schedule and conduct CJIS compliance audits.
Our certified 3PAO Cybervisors™ assess your security controls against CJIS requirements, tailoring the evaluation to your organization’s specific operational needs. Upon successful demonstration of compliance, your organization will achieve CJIS Security Policy certification, ensuring robust protection of CJI.
Cybervisors™ are highly skilled cybersecurity professionals at Lazarus Alliance, certified to conduct audits and assessments, including CJIS compliance evaluations. They combine deep expertise in security frameworks like NIST SP 800-53 and CJIS Security Policy with practical experience to guide organizations through complex compliance processes. Using tools like the IT Audit Machine (ITAM), Cybervisors streamline evidence collection, risk management, and reporting, ensuring accurate, efficient results tailored to each client’s needs.
Criminal Justice Information Services (CJIS)
The FBI’s Criminal Justice Information Services (CJIS) Security Policy is a comprehensive set of standards designed to safeguard sensitive criminal justice information (CJI), including fingerprints, criminal histories, and background check data, accessed through FBI CJIS systems. Established under the FBI’s CJIS Division, the policy ensures the confidentiality, integrity, and availability of CJI for authorized users, such as law enforcement agencies, criminal justice organizations, and approved non-criminal justice entities (e.g., vendors conducting background checks).
The CJIS Security Policy outlines 13 policy areas derived from NIST SP 800-53, including:
- Access Control: Restricting system access to authorized users with proper authentication (e.g., multi-factor authentication).
- Awareness and Training: Mandating regular cybersecurity training for personnel handling CJI.
- Incident Response: Requiring plans to detect, report, and mitigate security incidents.
- Encryption: Ensuring data protection during transmission and storage using strong cryptographic standards.
- Physical Security: Safeguarding facilities and systems that store or process CJI.
- Personnel Security: Enforcing background checks and security clearances for individuals with access to CJI.
Compliance is mandatory for any organization accessing CJI, whether directly (e.g., police departments) or indirectly (e.g., third-party vendors). The policy requires triennial audits, typically conducted by accredited firms like Lazarus Alliance, to verify adherence to over 100 security controls. These audits assess technical, administrative, and physical safeguards, often using automated tools like the IT Audit Machine (ITAM) for efficient evidence collection and risk analysis.
Non-compliance can result in severe consequences, including loss of access to CJIS systems, fines, or legal repercussions, which could disrupt operations for agencies or vendors. The policy also evolves to address emerging threats, requiring organizations to stay updated on revisions. By enforcing rigorous standards, the CJIS Security Policy ensures the protection of sensitive data, fosters trust in the criminal justice ecosystem, and supports secure information sharing across federal, state, local, and tribal entities.
Frequently Asked Questions
What is the CJIS Security Policy?
The CJIS Security Policy is a comprehensive framework outlining security controls for handling CJI. It aligns with NIST SP 800-53 and covers 19 policy areas, including access control, encryption, and incident response.[
What are the CJIS certification requirements?
There is no official “CJIS certification.” Compliance is achieved by meeting the CJIS Security Policy requirements, including:
- Implementing NIST 800-53-based controls.
- Signing the CJIS Security Addendum.
- Conducting background checks and fingerprinting.
- Completing CJIS security awareness training.
- Undergoing triennial audits by the FBI or a CJIS Systems Agency (CSA).
- Coordinate with Lazarus Alliance to undergo a CJIS assessment.
How do I get CJIS compliant?
To become CJIS compliant:
- Conduct a gap analysis against the CJIS Security Policy.
- Implement controls (e.g., MFA, encryption, access controls).
- Document policies in a System Security Plan (SSP).
- Complete CJIS security awareness training via CJIS Online.
- Undergo background checks and fingerprinting.
- Engage a CJIS Systems Agency (CSA) or Local Agency Security Officer (LASO) for audit coordination.
- Coordinate with Lazarus Alliance to undergo a CJIS assessment.
What are the CJIS compliance requirements?
The CJIS Security Policy includes 19 policy areas, such as:
- Access Control: Restrict CJI access to authorized users (least privilege).
- Identification and Authentication: Use MFA at AAL2 (NIST 800-63B).
- Incident Response: Report breaches to the Justice Department.
- Encryption: Secure data in transit and at rest (FIPS 140 Level 1).
- Security Awareness Training: Mandatory training every two years.
- Audit and Accountability: Maintain logs for CJI access
How can organizations prepare for a CJIS compliance audit?
To prepare for a CJIS audit:
- Review the CJIS Security Policy.
- Ensure MFA, encryption, and access controls are implemented.
- Maintain audit logs and an SSP.
- Train staff via CJIS Online.
- Conduct internal gap assessments.
- Coordinate with the CSA or LASO.
Are agencies required to develop internal information security policies?
Yes, agencies must develop and publish internal information security policies aligned with the CJIS Security Policy. These cover access control, incident response, and data handling to ensure CJI protection.
Benefits of CJIS Compliance
CJIS compliance, mandated by the FBI’s Criminal Justice Information Services Security Policy, offers several key benefits for organizations handling criminal justice information (CJI):
- Enhanced Data Security: Compliance ensures robust safeguards for sensitive CJI, reducing the risk of data breaches, unauthorized access, or cyber threats.
- Access to Critical Systems: Compliant organizations gain authorized access to FBI CJIS systems, enabling seamless interaction with criminal justice databases essential for law enforcement and background check operations.
- Legal and Regulatory Adherence: Meeting CJIS requirements avoids penalties, legal liabilities, or loss of access to CJI, ensuring uninterrupted operations for agencies and vendors.
- Improved Trust and Reputation: Demonstrating compliance signals a commitment to security, building trust with partners, clients, and stakeholders in the criminal justice ecosystem.
- Risk Mitigation: Regular audits and controls mandated by CJIS identify vulnerabilities, enabling proactive risk management and stronger cybersecurity posture.
- Operational Efficiency: Streamlined processes, often supported by tools like Lazarus Alliance’s ITAM, reduce the complexity and time required to maintain compliance.
- Competitive Advantage: For vendors and non-criminal justice entities, CJIS compliance can differentiate your organization, opening opportunities to work with law enforcement and government agencies.
By achieving and maintaining CJIS compliance, organizations protect sensitive data, ensure operational continuity, and strengthen their credibility in handling CJI.
Talk with one of our experts
Our Lazarus Alliance Cybervisor™ teams have experience performing thousands of assessments for organizations providing services to clients around the world.
We're here to answer any questions you may have.
CJIS Certification Process
The CJIS certification process, governed by the FBI’s Criminal Justice Information Services (CJIS) Security Policy, ensures organizations handling criminal justice information (CJI) meet stringent security standards. While there is no formal "CJIS certification" issued as a standalone credential, compliance with the CJIS Security Policy is verified through a structured assessment and audit process. Below is a detailed overview of the steps involved:
- Understand CJIS Requirements:
- Organizations must familiarize themselves with the CJIS Security Policy (Version 5.9.2 as of the latest updates), which outlines 13 policy areas, including access control, encryption, incident response, personnel security, and physical security, mapped to NIST SP 800-53 controls.
- Determine the scope of CJI access, whether direct (e.g., law enforcement agencies) or indirect (e.g., vendors or non-criminal justice agencies like those processing background checks).
- Conduct a Gap Assessment:
- Perform an internal review to identify gaps between current security practices and CJIS requirements. This includes evaluating technical controls (e.g., firewalls, encryption), administrative policies (e.g., training, incident response plans), and physical safeguards (e.g., secure facilities).
- Many organizations engage accredited firms like Lazarus Alliance to conduct a preliminary assessment, leveraging tools like the IT Audit Machine (ITAM) for automated evidence collection and gap analysis.
- Implement Security Controls:
- Address identified gaps by implementing required controls, such as:
- Multi-factor authentication (MFA) for system access.
- Encryption for data in transit and at rest (e.g., FIPS 140-2 compliant algorithms).
- Background checks for personnel with CJI access.
- Security awareness training for all staff.
- Develop or update policies and procedures to align with CJIS standards, including incident response plans and access control protocols.
- Address identified gaps by implementing required controls, such as:
- Engage an Accredited Auditor:
- For organizations subject to triennial audits (typically state, local, or tribal agencies with direct CJIS access), hire an accredited firm, such as Lazarus Alliance, to conduct the official compliance audit.
- Non-criminal justice agencies (e.g., vendors) may require assessments as part of their authorization to access CJI, often coordinated through a state CJIS Systems Agency (CSA) or contracting authority.
- Audit and Evidence Collection:
- The audit involves a comprehensive review of the organization’s security posture, including documentation, system configurations, and physical security measures.
- Auditors collect evidence to verify compliance with CJIS controls, often using automated tools to streamline the process and ensure accuracy.
- For example, Lazarus Alliance’s Cybervisors™ use ITAM to gather and analyze evidence, reducing audit time and minimizing disruption.
- Address Findings and Remediation:
- If non-compliance issues are identified, the organization receives a report detailing deficiencies and recommended corrective actions.
- Develop a Plan of Action and Milestones (POA&M) to address findings within a specified timeframe, typically coordinated with the state CSA or FBI CJIS auditors.
- Re-assessments may be required to confirm remediation.
- Receive Compliance Verification:
- Upon successful audit and remediation, the organization is deemed compliant with the CJIS Security Policy. For agencies, this is documented through the state CSA or FBI CJIS Division. For vendors, compliance is often tied to specific contracts or agreements.
- Compliance status allows continued access to CJIS systems and data, subject to ongoing monitoring and triennial re-audits.
- Maintain Ongoing Compliance:
- Organizations must continuously monitor and maintain compliance through regular training, system updates, and incident reporting.
- Stay informed about CJIS Security Policy updates, as requirements evolve to address new cyber threats.
- Conduct internal reviews or engage third-party firms periodically to ensure readiness for triennial audits.
By working with experienced auditors like Lazarus Alliance, organizations can streamline the process, leveraging expertise and tools to achieve and maintain CJIS compliance efficiently.
Buyer Beware!
The Criminal Justice Information Services (CJIS) is based on the NIST SP 800-53 compliance framework which is complex and extensive in scope. Very few providers out there are actually qualified to properly conduct a Criminal Justice Information Services (CJIS) assessment.
We Have What It Takes!
Lazarus Alliance is an A2LA ISO/IEC 17020 accredited organization, certification number 3822.01.
Working Smarter, Not Harder
Lazarus Alliance creates sustainable Criminal Justice Information Services (CJIS) based compliance partnerships with our clients. We have a proven methodology and project plan that helps our clients achieve compliance on budget and on schedule. You will come to appreciate our Service, Integrity, and Reliability, which will be apparent to you from the very first call.
Leveraging the Continuum GRC IT Audit Machine, our Proactive Cyber Security® methodology, and the Policy Machine, Lazarus Alliance provides international standards that are recognized as “Best Practices” for developing organizational security standards and controls that support Criminal Justice Information Services (CJIS) based compliance audit certifications and assessments.