
What Is CJIS Compliance?

By Megan Leader


    Criminal Justice Information Services (CJIS) compliance is top of mind for anyone working in law enforcement, government agencies, legal services, and related fields — and naturally so: Effective law enforcement and justice initiatives must be handled with the utmost care, and that includes the responsible handling of sensitive data. 

    But what, exactly, does CJIS compliance entail, and what do organizations need to know about properly managing and securing information gleaned from CJIS databases? Here's what you need to know about the compliance regulation and the data that falls underneath the CJIS umbrella. 

    What Is CJIS?

    Criminal Justice Information Services (CJIS) is a compliance standard that regulates data security and privacy in local, state, and federal law enforcement. CJIS collects and analyzes criminal justice information (CJI) from law enforcement centers around the country and provides a centralized database to store and access CJI. But, in order to use CJIS databases, organizations must comply with several security regulations to ensure the proper handling of this sensitive data. 

    The FBI notes in its CJIS Security Policy, "The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. This Policy applies to every individual—contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity—with access to, or who operate in support of, criminal justice services and information." 

    So, these policies are designed to safeguard sensitive criminal justice intelligence across the entirety of its lifecycle, from the moment it's created, to everywhere it's shared, and eventually destroyed. However, it's also significant that the FBI's CJIS Security Policy opens with this: 

    "Law enforcement needs timely and secure access to services that provide data wherever and whenever for stopping and reducing crime."

    Not only does CJIS data need to be protected with the highest security, but it also needs the ability to move, so that law enforcement decisions can be made with all available data, in real time. To take advantage of this real-time information, organizations need to demonstrate that they will properly safeguard this data, anywhere it moves, in motion and at rest.

    What is CJIS Data? 

    The data subject to CJIS falls under three key categories: CJI (criminal justice information), CHRI (criminal history record information, a subset of CJI), and PII (personally identifiable information). These types of data are subject to CJIS until that information is made public via authorized dissemination (through the court system, public safety announcements, crime report data, etc.).

    CJI: Criminal Justice Information

    This includes information about individuals, housed by the FBI CJIS architecture, including: 

    • Biometric data: Data typically used to identify an individual, such as fingerprints, palm prints, iris scans, and facial recognition data
    • Identity history data: Textual data that corresponds with biometric data, giving a history of criminal and/or civil events for the identified individual
    • Biographic data: Data that does not provide a history of an individual, only information related to a unique case
    • Property data: Information about vehicles and property associated with crime when accompanied by any personally identifiable information (PII)
    • Case/incident history: Information about the history of criminal incidents

    CHRI: Criminal History Record Information

    A subset of CJI, this information can be referred to as "restricted data" and includes sensitive information directly related to an individual's history with law enforcement agencies. CHRI also includes National Crime Information Center (NCIC) Restricted Files, which include things like gang files, threat screening center files, identity theft files, sex offender registry files, violent person files, "person with information" files, etc. This type of information is subject to additional controls. 

    PII: Personally Identifiable Information

    This refers to any information that can be used to distinguish or trace an individual's identity, including name, social security number, or biometric records alone or combined with other identifying information that can lead to the individual's identity (e.g., date and place of birth, employment history, or mother's maiden name).  

    CJIS Encryption Requirements and Compliance

    To make use of CJIS databases, organizations need to meet several security standards. Some of these standards include best practices like using multi-factor authentication and physical security.

    CJIS compliance is not a simple journey solved by a single vendor: There are, intentionally, many layers of security that need to be put into place for an organization to meet this compliance standard. However, one of the critical elements of data security is encryption: When handling sensitive data, encryption (with strong access controls) helps add a layer of security that safeguards information across its lifecycle.

    There are two key sections of CJIS that call out encryption specifically as a requirement:

    • Section 5.10.1.2.1: When CJI is transmitted outside the boundary of the physically secure location, the data shall be immediately protected via encryption that is FIPS 140-2 certified and use a symmetric cipher key strength of at least 128 bit strength to protect CJI.
    • Section 5.10.1.2.2: When CJI is at rest (i.e. stored digitally) outside the boundary of the physically secure location, the data shall be protected via encryption with the same standard mentioned above or use a symmetric cipher that is FIPS 197 certified (AES) and at least 256-bit strength.
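
    One way to turn the two sections above into an audit check over an encryption inventory. This is an added example, not Virtru's or the FBI's code; the Row fields, the inventory entries and the function names are assumptions made for illustration, and the certification flags are taken on trust from the inventory.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Row:
    """One entry of a hypothetical encryption inventory (field names are assumptions)."""
    name: str
    state: str                      # "transit" or "rest"
    outside_boundary: bool          # outside the physically secure location?
    cipher: Optional[str] = None    # None means the data is not encrypted
    key_bits: int = 0
    fips_140_2: bool = False        # encryption is FIPS 140-2 certified
    fips_197: bool = False          # cipher is FIPS 197 certified (AES)


def check(row: Row) -> Tuple[bool, str]:
    """Apply the two sections as quoted on this page; return (ok, reason)."""
    if row.state not in ("transit", "rest"):
        raise ValueError(f"unknown state {row.state!r}")
    # Both sections are worded for CJI outside the physically secure location.
    if not row.outside_boundary:
        return True, "inside the physically secure location"
    if row.cipher is None:
        return False, f"CJI in {row.state} is not encrypted"
    # 5.10.1.2.1: FIPS 140-2 certified, symmetric key of at least 128 bits.
    if row.fips_140_2 and row.key_bits >= 128:
        return True, "FIPS 140-2 certified, >= 128-bit key"
    # 5.10.1.2.2 only: at rest, FIPS 197 (AES) with at least 256 bits also passes.
    if row.state == "rest" and row.fips_197 and row.key_bits >= 256:
        return True, "FIPS 197 (AES), >= 256-bit key"
    return False, f"{row.cipher}-{row.key_bits} does not meet the {row.state} rule"


def audit(rows: List[Row]) -> List[str]:
    """Names of inventory rows that fail the check."""
    return [r.name for r in rows if not check(r)[0]]


# Constructed sample inventory, not real systems.
INVENTORY = [
    Row("mail-relay-link", "transit", True, "AES", 128, fips_140_2=True),
    Row("recipient-mailbox", "rest", True),  # encrypted on the wire, stored in the clear
    Row("backup-bucket", "rest", True, "AES", 256, fips_197=True),
    Row("legacy-vpn", "transit", True, "AES", 256, fips_197=True),
    Row("records-room-nas", "rest", False),
]

if __name__ == "__main__":
    for r in INVENTORY:
        print(r.name, *check(r))
```

    The failing rows show the two asymmetries in the quoted text: the FIPS 197 alternative exists only for data at rest, and a protected link says nothing about the copy stored at the far end.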

    CJIS Compliance Examples

    Virtru has many CJIS customers who use our software for encrypted email and file sharing of CJI. Here are some examples of how they're using data-centric security to support compliance.

    The State of Maryland: CJIS Cloud Compliance

    When it began migrating files to the cloud, the State of Maryland wanted to ensure that a wide range of data — including CJI — was protected, private, and secure. Ken Cheney, Acting CIO, said this: "Our departments handle private data that is subject to strict regulatory compliance requirements like Criminal Justice Information Services (CJIS), and there were concerns that we would lose direct control and oversight of that data when moving to the cloud. Virtru’s end-to-end email encryption and security expertise allowed us to achieve both efficiency and peace of mind by keeping control of our data."

    Hidalgo County, Texas: Automating Secure CJIS Workflows in Custom Apps 

    Many state and local government agencies have home-grown systems for managing data. Hidalgo County, Texas, needed a method for protecting CJI in emails and files, as well as those flowing in and out of its custom apps. Jesus Rodriguez, IT Application Developer, said: “Leveraging the Data Security Platform — and Virtru’s user-friendly technology that we depend on for Gmail encryption — meant that we were able to easily deliver secure code for Hidalgo County’s in-house apps. Now, we can automate reporting and improve our services, all while staying compliant.” 

    Arkansas Game and Fish Commission: CJIS Compliance in Gmail, Google Drive, and Google Workspace

    The Arkansas Game and Fish Commission wanted to step up its data security in Google Cloud. Park rangers, field officials, and officers needed a way to securely share information with the state’s various law enforcement agencies while maintaining CJIS compliance. AGFC also recognized that security could not hinder collaboration: When a law enforcement investigation was underway, for example, the AGFC team needed a fast, secure, and reliable way to share emails and files with agencies conducting the investigation. They use Virtru for Gmail (end-to-end encryption for emails and attachments), the Virtru Gateway, which provides an automated safety net for emails and files leaving the perimeter, and Virtru Secure Share, encrypted CJIS file sharing for confident collaboration. 

    Virtru's FIPS 140-2 Compliant Encryption for CJIS Compliance

    Hundreds of federal, state, and local government organizations use Virtru's FIPS 140-2 compliant encryption and access control to support CJIS compliance. Not only is Virtru more cost-effective than many other FIPS-compliant encryption solutions, but Virtru is also far more seamless to use, and it can even be automated to support the fast-paced workflow of the public sector.

    Virtru's data-centric security and granular access controls travel with the data everywhere it moves, helping agencies ensure that CUI data is protected across its lifecycle, in transit and at rest. Virtru encryption enables data to be shared in common email and file-sharing workflows — even externally — without sacrificing control. Virtru also integrates with platforms like Microsoft Outlook and Google Workspace (including Gmail), and can be deployed as an automated server-side email gateway for automatic detection and encryption of sensitive CJI data before it leaves your organization. Virtru Secure Share can also be used for the intake and sharing of sensitive files, particularly if those files are too large to be shared via email (for example, files containing security footage).  

    Finally, the Virtru Private Keystore gives you an extra layer of confidence for your encrypted data: You have the option to store your private encryption keys in the location of your choosing, whether that's on-prem or in a private cloud — keeping your keys separate from the protected data and shielding encrypted information from cloud providers like Microsoft and Google.

    Take the guesswork out of CJIS compliance: Talk to Virtru's team of experts today about CJIS-compliant data encryption. 

    CJIS Compliance FAQs

    Is TLS encryption CJIS compliant? 

    Because CJIS stipulates that data must be protected in motion and at rest, TLS encryption alone is not sufficient for CJIS compliance. This is because TLS encryption (Transport Layer Security) protects data at a moment in time, while it is in motion between the sender and recipient. This does not protect the data when it is at rest, whether in your own systems or in a recipient's inbox.

    What is the CJIS Security Policy? 

    The CJIS Security Policy is maintained by the FBI and provides guidance for how CJI should be handled, including creation, viewing, modification, transmission, dissemination, storage, and destruction.

    Is there a CJIS compliance checklist? 

    This blog post lays out many of the things you need to know about CJIS compliance for email and file sharing. The CJIS Security Policy should be your north star for ensuring you handle CJIS data securely.

    What does CJI stand for? 

    CJI stands for Criminal Justice Information. This includes things like biometric data, identity history data, biographic data, property data, and case or incident history. CJI can also encompass personally identifiable information (PII) and criminal history record information (CHRI). 

    Are CJI and PII the same thing? 

    There is some overlap, but CJI and PII are different. PII (Personally Identifiable Information) is any information that could be used to identify a specific individual. In the context of criminal justice and law enforcement, PII is considered CJI (Criminal Justice Information) and therefore should be protected according to CJIS requirements. 

    Megan Leader

    Megan is the Director of Brand and Content at Virtru. With a background in journalism and editorial content, she loves telling good stories and making complex subjects approachable. Over the past 15 years, her career has followed her curiosity — from the travel industry, to payments technology, to cybersecurity.
