Imagine your organization has just won a contract to handle sensitive law-enforcement data – you might be a cloud provider, a software vendor, or an analytics firm. It won’t be long before CJIS is top of mind.
You know the FBI’s Criminal Justice Information Services Security Policy governs how criminal histories, fingerprints, and investigation files must be protected, but beyond that, it all feels a bit opaque.
Whether you’re a veteran security pro or new to the world of criminal-justice data, understanding CJIS compliance is critical. We’ll start by exploring the origin and purpose of CJIS: why it exists, and why it matters to every organization that comes anywhere near criminal-justice information.
Then we’ll pay special attention to the pillars of identity (passwords, multifactor authentication, and strict access controls) and how to embed those controls seamlessly into your environment.
What is CJIS?
CJIS traces its roots to the late 1990s, when the FBI consolidated various state and local criminal databases into a single, nationwide system. Today, it serves as the nerve center for sharing biometric data, criminal histories, and tactical intelligence across federal, state, local, and tribal agencies.
At its core, the CJIS Security Policy exists to ensure that every party touching this data (government or private contractor alike) adheres to a uniform standard of security. When you think “CJIS,” think “unbreakable chain of custody,” from the moment data leaves a patrol car’s mobile terminal until it’s archived in a forensic lab.
Who needs to comply?
You might assume CJIS concerns only police departments, since it's the FBI's policy. In reality, the net is much wider:
Law-enforcement agencies (SLTF): Every state, local, tribal, and federal agency that stores or queries criminal-justice information.