What is the Criminal Justin Information Services Division (CJIS)?
The Criminal Justice Information Services (CJIS) division of the FBI provides relevant data and tools to law enforcement and intelligence organizations. It is located at a high-security facility on 986 acres of land in West Virginia. Criminal justice agencies at local, state, and federal levels — as well as the general public — use CJIS databases and platforms to access and share information related to criminal operations and investigations.
WHAT IS CJIS COMPLIANCE?
Given the large volume and sensitive nature of the data CJIS collects, stores, and uses, security is critical to the integrity of CJIS information. As such, the CJIS Security Policy outlines the standards for handling crime-related data under the FBI’s jurisdiction. (Note: CJIS does not require agencies to use any specific technology product to comply with this policy, but does require documentation that the stipulations of the policy have been met.)
The CJIS Security Policy provides Criminal Justice Agencies (CJA) and Noncriminal Justice Agencies (NJCA) with a minimum set of security requirements for access to FBI CJIS systems and information for the protection and safeguarding of CJI. EasyITGuys manages the compliance with CJIS Security Policy requirements where applicable, such as providing states with fingerprint cards for EasyITGuys employees with access to CJI and signing CJIS security addendum agreements with our clients.
To access the FBI’s CJIS Security Policy itself, please visit the FBI’s CJIS Security Policy Resource Center. Quick link: CJIS Security Policy v5-9
The policy is broken down into 13 areas:
- Information Exchange Agreements: Requires a written agreement of security compliance between organizations exchanging CJIS information
- Security Awareness Training: Requires regular security training for users with authorized access to CJIS
- Incident Response: Requires agencies to establish an incident response plan
- Auditing and Accountability: Requires logging for login attempts, system changes, file modifications, and similar events related to accessing CJIS data
- Access Control: Requires the ability to control who can access CJIS data and the actions authorized users may perform
- Identification and Authentication: Requires regular password updates, multi-factor authentication, and similar credential standards
- Configuration Management: Requires a limit on who can perform configuration changes or upgrades to an organization’s information systems
- Media Protection: Requires protection measures for CJIS data of all kinds at all times
- Physical Protection: Requires specific protocols for how physical documents or devices are stored and managed
- Systems and Communications Protection and Information Integrity: Requires internal security measures like encryption, endpoint protection, and network firewalls
- Formal Audits: Requires organizations to allow the FBI and other agencies to conduct formal audits of systems and policies
- Personnel Security: Requires security screening for all authorized users
- Mobile Devices: Requires security controls and usage restrictions on authorized users’ mobile devices
Criminal Justice Information (CJI), Defined
CJI refers to all of the FBI’s CJIS-provided data necessary for law enforcement agencies to perform their mission and enforce the laws. CJI includes biometric, identity history, person, organization, property and case/incident history data. It also includes FBI’s CJIS-provided data necessary for civil agencies to perform their mission, including data used to make hiring decisions.
CJI must be protected until the information is either (a) released to the public through an authorized disclosure, such as in a crime report; or (b) purged or destroyed in accordance with applicable record retention rules. The CJIS Security Policy outlines a minimum set of security requirements that create security controls for managing and maintaining CJI data. There is no centralized body authorized to certify compliance with the CJIS Security Policy.
Many vendors incorrectly state that their solution is “CJIS certified.” There is no such thing as being “CJIS certified.”
The FBI has advised that CJAs and NCJAs are ultimately responsible for ensuring compliance, even when they engage with a third-party vendor to provide software or services relating to the agency’s CJI.
History of CJIS
The predecessor to CJIS was the Identification Division (also called “Ident”). This division was established in 1924 to create a national database for fingerprints that could be searched to match crime scene evidence. As technology advanced and crime became more sophisticated, the FBI needed to cover a broader spectrum of information related to identification and criminal justice. Thus, the CJIS division was established in 1992 as an evolution of the Identification Division. It is currently the largest division of the FBI and home to many programs and ongoing projects that involve biometric data and criminal records.
What Departments and Programs Make Up CJIS?
CJIS consists of numerous databases, departments, and programs, including but not limited to:
- National Crime Information Center (NCIC), an nationwide database of records relating to lost/stolen property, missing persons, fugitives, protection orders, identity theft, and similar crime-related incidents, documentation, and behaviors
- Identity History Summary Checks, a program that provides individuals with background information including criminal history, federal employment, naturalization, and military service
- Uniform Crime Reporting (UCR), a program that collects data and publishes statistical information on general crime incidents, hate crimes, active duty deaths, and use-of-force incidents
- Foreign Biometric Exchange (FBE), a program that collects and shares biometric data with law enforcement agencies internationally
- Next Generation Identification (NGI), a database of biometric data including finger and palm prints, iris and facial recognition, DNA, etc.
- National Instant Criminal Background Check System (NICS), a database used to verify a person’s eligibility to purchase firearms
Data security is constantly evolving, and the requirements around CJIS compliance are no exception. EasyITGuys takes its data security and CJIS compliance obligations seriously, and continuously works to enhance and refine its data security programs.
We are committed to partnering with our clients in this effort. The resources we have committed to that partnership are significant. We will continue leveraging internal resources to foster a culture of compliance across our company.