Transcriptionists do more than just type the words they hear. The industry is complex, and any work that touches government agencies requires security measures that go well beyond a typical firewall. The CJIS is the largest division within the FBI and has a high-tech operations hub in West Virginia’s hills. CJIS offers advanced tools and services, such as the crime information center, to law enforcement agencies, national security agencies, and intelligence community partners. It is also tasked with ensuring criminal justice information (CJI) is kept as safe as possible.
To that end, CJIS requires all third-party government contractors to meet specific compliance requirements and monitors them for adherence.
So, let’s talk about CJIS data security requirements – and what it means to have a CJIS-certified law enforcement transcription provider.
In this article, you’ll learn:
- Transcription companies working with law enforcement must follow strict CJIS security policies when handling sensitive materials like witness interviews, patrol reports, and jail calls. Non-compliance can result in serious data breaches, lawsuits, and loss of agency trust.
- There are 19 CJIS compliance policies covering everything from data encryption, access control, and incident response to audit logging and physical facility security. These standards help safeguard Criminal Justice Information (CJI) in transcription workflows.
- Ditto Transcripts maintains weekly audit reviews, uses cloud providers with secure infrastructure, and conducts ongoing staff training and risk assessments to protect law enforcement data and ensure full compliance.
Understanding CJIS Compliance: Why It Matters and How We Achieve It
CJIS stands for Criminal Justice Information Services. CJIS compliance ensures that companies working with sensitive information adhere to the data security and encryption standards set forth by the FBI and NIST.
Types of Criminal Justice Information (CJI)
These are the types of data that fall under criminal justice information (CJI):

| Type of CJI | Description |
|---|---|
| Biometric Data | Fingerprints, DNA, iris scans used for identification |
| Identity History Info | Records of arrests and criminal interactions |
| Criminal Case Info | Case files, interviews, reports from investigations |
| CHRI (Criminal History) | Compiled criminal records and background checks |
| Biographical Info | Personally identifiable data (e.g., name, SSN, DOB) |
| Property & Evidence Data | Info on stolen property or physical crime evidence |
| Warrants & Orders | Arrest warrants, restraining or protection orders |
| Correctional Data | Sentencing outcomes, incarceration, probation details |
| Civil Fingerprint Data | Fingerprint submissions for jobs, licenses, or background checks |
| Supporting Unclassified Data | Transcripts, audio/video files, surveillance, or wiretap content |
The FBI and the Criminal Justice Information Services Division provide:
- The National Instant Criminal Background Check System
- National Crime Information Center (NCIC)
- Sex offender registry
With the advancement of cloud computing, challenges have arisen regarding data security, compliance, and incident response. If data falls into the wrong hands, it could compromise the public’s trust in the government. Compliance and security will always be factors to consider before sharing sensitive information with anyone.
CJIS itself serves as the central repository of criminal justice information for government agencies across the United States. CJIS evaluates advanced authentication techniques, stays current with constant technological change, and has established a set of security standards for businesses that serve law enforcement.
Without CJIS, data and system breaches, unintentionally shared information, and crime would be far harder to control.
Who Must Follow CJIS Compliance and Why
Are you a law enforcement agency that needs patrol reports, witness or suspect interviews, jail calls, wiretaps, or any other audio or video file transcribed? Any time a file with sensitive data is handed to an outside company or vendor, that company must comply with CJIS requirements. Working with a company that does not follow CJIS policies can lead to disastrous data breaches and lawsuits for years to come.
At Ditto Transcripts, we want to help you understand exactly what CJIS is, the policies it entails, and the steps we take to comply with it.
The History Of How CJIS Got Started
In 1924, the FBI created an Identification Division to gather fingerprints from police agencies nationwide. This made it easier to search for fingerprint matches from crime evidence upon request from one central location in the US. In 1992, the CJIS Division was established as the focal point and central repository for all criminal justice information services within the FBI.
Who Needs to Be CJIS Compliant?
Every business with access to sensitive data or data from CJIS databases needs to align its data security standards with compliance guidelines.
This applies to law enforcement agencies such as police departments, as well as prosecuting attorneys’ offices, transcription and translation companies, and security agencies, among others.
The FBI’s outline of CJIS policies indicates that not all policies apply to every organization. That being said, any company handling sensitive information should be familiar with all relevant policies in case of changes that may affect them at some point.
Note: Anyone who gains access to CJIS information must undergo a criminal background check to ensure the information doesn’t end up in the hands of someone with a criminal history. On the same note, US background checks cannot be done on foreign nationals. Foreign nationals cannot access CJIS databases or systems because a criminal background check is impossible.
Below is a look at which CJIS compliance policies businesses must follow to be compliant.
The 19 CJIS Security Policy Areas Explained
The requirements have changed since the CJIS Division was founded in 1992. Indeed, there are more online threats today than ever before, and cybersecurity is especially challenging now that much of today’s information is stored in the cloud and reached over an internet connection. Using a company that follows the CJIS security policy is crucial for all law enforcement agencies.
The CJIS policies enforce safety in wireless networking, data encryption, remote access, and multi-factor authentication.
Here are some of the best practices:
- A limit on unsuccessful login attempts.
- Logging of login activity, including password changes.
- Weekly audit reviews.
- Session lock after 30 minutes (or less) of inactivity.
- Access restrictions based on job role, location, time of day, and network address.
Now, let’s go into more depth. Here is a summary of the 19 CJIS policies.
Policy #1: Information Exchange Agreements
Companies that share CJIS-protected data with other organizations must have a written agreement that both will comply with the CJIS security standards.
Policy #2: Security Awareness Training
All employees within a business handling CJIS data must undergo security training within the first six months of being assigned their roles. Refresher training must be provided every two years to cover CJIS updates.
Policy #3: Incident Response
Companies handling CJIS-protected data must have safeguards to detect and contain breaches. Data recovery measures are also crucial. Any data breaches must be reported to the authorities immediately.
Policy #4: Auditing and Accountability
Audit controls must be implemented to record who is accessing data, when it is accessed, and why. This information must be logged for future audits, which establish who is accountable for each action.
Policy #5: Access Control
Restrictions must be set to control who can access data. The restrictions include who can access, upload, download, transfer, and delete secure data. Login management systems, remote access controls, and other security measures should be highly restricted and closely monitored.
Policy #6: Identification and Authentication
CJIS specifies login credential requirements, including advanced authentication methods such as one-time passwords and multi-factor authentication, and password complexity rules (capital letters, numbers, special characters, etc.) that must be implemented for anyone accessing CJIS information.
Policy #7: Configuration Management
Only authorized users in a business can make configuration adjustments, such as upgrading systems or initiating modifications.
Policy #8: Media Protection
CJIS-related data is to be protected in all digital and physical forms while in transit or stored at a facility. Equipment (including computers and other devices) that the company is no longer using must be wiped clean of all data and disposed of in accordance with CJIS policies.
Policy #9: Physical Protection
The physical location where the CJIS data is stored must always be protected. This could be with guards, cameras, and advanced security systems.
Policy #10: System and Communications Protection and Information Integrity
Physical data files, organization systems, and communications must be protected. Steps to ensure protection include encryption, network security, data breach detection measures, and more.
Policy #11: Formal Audits
Any company that uses and manages CJIS data is subject to audits at least every three years by the CJIS Audit Unit (CAU) or the CJIS Systems Agency (CSA). The organization conducting the audit depends on the state in which the company is located. Audits can occur at any time, and companies must comply; otherwise, they may be closed down.
Policy #12: Personnel Security
Everyone who works within the company, including full-time, part-time, and contract employees, must undergo security screenings and national fingerprint-based record checks.
Policy #13: Mobile Devices
Every employee’s mobile device (phones, laptops, tablets) is subject to CJIS oversight. The company must establish secure user restrictions to authorize, monitor, and control system access via non-work devices. Even employees and devices that have never been on the premises are subject to oversight.
Policy #14: Systems and Services Acquisition
Agencies and third-party vendors must utilize secure systems and technologies, and replace system components when support is no longer available from manufacturers or vendors. Only using supported and updated systems ensures continuous security improvements. If the system cannot be replaced, an alternative source for support and updates should be found, or in-house support can be established.
Policy #15: System and Information Integrity
A clear system must be established to ensure system and information integrity. Its key elements include:
- Policy and Procedures (SI-1): Responsibility should be assigned to the development and dissemination of system and information integrity policies, which are regularly reviewed to ensure alignment with legal standards.
- Flaw Remediation (SI-2): Appropriately update configuration and management processes based on risk prioritization of the identified system flaws. Critical updates must be performed within 15 days.
- Malicious Code Protection (SI-3): Deploy and keep current mechanisms that detect and remove malicious code.
- System Monitoring (SI-4): Constant monitoring and evaluation of systems to detect anomalies, including attacks and unauthorized access attempts.
- Security Alerts (SI-5): A system for receiving and disseminating alerts to mitigate risks.
- Integrity Verification (SI-7): Alert, manage, and respond to unauthorized changes using verification tools.
- Spam Protection (SI-8): Keep spam-protection mechanisms updated to handle unwarranted and unsolicited messages.
- Error Handling (SI-11): Limit error message exposure to prevent exploitation.
- Information Retention (SI-12): Minimize personal data risks through the management of information according to legal and policy requirements.
- Memory Protection (SI-16): Incorporate measures, like data execution prevention, to strengthen the protection of system memory.
Policy #16: Maintenance
A comprehensive maintenance policy that encompasses security and privacy must be implemented across all systems that handle and store CJI. Maintenance activities must be recorded, scheduled, logged, and available for review upon request. This includes prohibiting unauthorized removal of any equipment containing critical organizational information or CJI.
Policy #17: Planning
Organizations must establish comprehensive standard operating procedures, including a defined context and control systems, to strengthen information security protection. This policy should serve as the overarching framework for all organizational security and privacy systems.
Policy #18: Contingency Planning
A case-specific framework must be established to ensure the operation of critical security systems during unforeseen events. The blueprint should include a manual of operations for addressing unwanted issues, with clearly defined roles and objectives to maintain essential functions such as telecommunications, power, processing sites, and backup systems.
Policy #19: Risk Assessment
Organizations must identify, evaluate, and provide guidelines to mitigate risks to CJIS systems. Risk assessment policies and procedures should be aligned with existing laws and regulations (and other policies, if applicable) and must be updated annually or after attacks or incidents. Vulnerability scanning and monitoring must be performed monthly so that no critical security vulnerabilities remain exposed.
What Happens When CJIS Compliance Breaks Down?
In June 2020, the Washington State Patrol experienced a data security incident involving the loss of a thumb drive containing unencrypted files from a child exploitation investigation, including personal identifying information (PII) and sensitive case data, during physical transit. Unfortunately, the drive was never recovered.
This is a clear violation of CJIS Policy Area 8 – Media Protection, which requires CJI to be protected in all digital and physical forms, whether in transit or stored at a facility.
Physical transport entails many risks, most of which are avoidable. Agencies, including the Washington State Patrol, must implement a strict and secure transfer protocol, encryption, and operational procedures to prevent cases like this.
Comparing CJIS, HIPAA, and FedRAMP Compliance Standards
| Framework | Primary Focus | Scope | Key Requirements |
|---|---|---|---|
| CJIS | Protection of Criminal Justice Information (CJI) | Law enforcement agencies and vendors | Personnel background checks, access control, encryption, auditing |
| HIPAA | Protection of Personal Health Information (PHI) | Healthcare providers, insurers, and business associates | Privacy rules, security safeguards, breach notification |
| FedRAMP | Security assessment for cloud services used by federal agencies | Cloud service providers working with the federal government | Standardized security controls (based on NIST SP 800-53), continuous monitoring, third-party assessments |
How to Choose the Right Data Encryption Cloud Provider
When choosing a cloud provider, there are many questions to consider. Do they have general liability insurance? Do they have cyber liability insurance? Are employee background checks kept confidential? How about authenticity? A good provider should meet all of the above and be able to sign a contract stating that they are 100% US-based and will not outsource or allow any foreign nationals to access your data. Ensure they are willing to sign a contract that guarantees all of the above and imposes financial penalties if they knowingly lied or failed to disclose anything that could make them non-CJIS compliant.
The Problem With Some CJI Data Cloud Providers in the US
When choosing a provider, it is important to know that there is no central CJIS authorization body. This means there are currently no CJIS certifications in the US. As a result, we recommend being suspicious of any company that claims to have a CJIS certification or any company that offers one. Unfortunately, law enforcement agencies are often left to find a provider that meets all the CJIS compliance requirements on their own.
What’s even more confusing is each law enforcement agency can have its own compliance standards. For example, compliance standards vary from state to state and may differ even within a single state. Because of this, providers must create a list of what they offer, along with detailed descriptions, so agencies can determine if they meet their CJIS compliance requirements.
CSA Assurance
The CJIS Systems Agency (CSA) can provide some assurance, through its audits of providers, that a provider meets the minimum requirements. However, this audit should not be confused with a certification, as those are not available in the US yet. CJIS has created an outline of what a provider must do to maintain baseline compliance across all US states:
- Providers must implement restrictions to prevent unauthorized users from accessing information they don’t need to do their jobs.
- Providers must use multi-factor authentication (one-time passwords, phone or email authentication).
- Providers must limit access to data based on job role, network, location, and time of day.
- A computer left unattended must automatically log out after 30 minutes of inactivity.
- The provider must maintain the division between virtual and physical servers that store data. Servers reachable from the public Internet must also be kept separate.
- Login attempts are limited to five tries. After the fifth unsuccessful attempt, the user is locked out and must contact an administrator.
- Providers must retain automatically generated logs, such as logins, password changes, and new user registrations, for at least one year.
- Every staff member with access to sensitive or confidential data must undergo a criminal background check.
- Providers must train employees with access to CJIS data frequently.
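The lockout, session-lock and access-restriction baselines above (and in the best-practices list earlier) are easiest to verify by reading them back out of the logs a provider is required to retain. The following is an added example, not code from this article or from Ditto Transcripts: a small Python reviewer that runs three of those checks over a constructed access log. The log format, event names, allowed network range and permitted hours are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MAX_FAILED_LOGINS = 5                       # lockout threshold stated in the article
SESSION_IDLE_LIMIT = timedelta(minutes=30)  # session-lock threshold stated in the article
ALLOWED_NETS = [ip_network("10.0.0.0/8")]   # assumed agency/vendor network range
WORK_HOURS = (7, 19)                        # assumed permitted window, 07:00-19:00

# Constructed sample log (not real data): "<ISO time> <event> <user> <source IP>"
SAMPLE_LOG = """\
2024-03-04T08:55:10 LOGIN_FAIL jdoe 10.0.0.12
2024-03-04T08:55:31 LOGIN_FAIL jdoe 10.0.0.12
2024-03-04T08:55:52 LOGIN_FAIL jdoe 10.0.0.12
2024-03-04T08:56:14 LOGIN_FAIL jdoe 10.0.0.12
2024-03-04T08:56:35 LOGIN_FAIL jdoe 10.0.0.12
2024-03-04T08:57:01 LOGIN_FAIL jdoe 10.0.0.12
2024-03-04T09:00:00 LOGIN_OK asmith 10.0.0.20
2024-03-04T09:10:00 FILE_READ asmith 10.0.0.20
2024-03-04T09:50:00 FILE_READ asmith 10.0.0.20
2024-03-04T09:55:00 LOGIN_OK bjones 198.51.100.7
2024-03-04T22:30:00 LOGIN_OK cwu 10.0.0.31
"""

def parse_log(text):
    """Parse lines into (time, event, user, ip) tuples, oldest first."""
    rows = [line.split() for line in text.strip().splitlines()]
    return sorted((datetime.fromisoformat(t), e, u, ip) for t, e, u, ip in rows)

def lockout_findings(events):
    """Users still able to attempt logins past the lockout threshold: {user: streak}."""
    streak, findings = defaultdict(int), {}
    for _, event, user, _ in events:
        if event == "LOGIN_FAIL":
            streak[user] += 1
            if streak[user] > MAX_FAILED_LOGINS:
                findings[user] = streak[user]   # lockout evidently not enforced
        elif event == "LOGIN_OK":
            streak[user] = 0                    # a success resets the streak
    return findings

def idle_session_findings(events):
    """Activity gaps above the idle limit with no LOGOUT in between: [(user, minutes)]."""
    last_seen, findings = {}, []
    for ts, event, user, _ in events:
        if event == "LOGOUT":
            last_seen.pop(user, None)
        elif event in ("LOGIN_OK", "FILE_READ"):
            prev = last_seen.get(user)
            if prev and ts - prev > SESSION_IDLE_LIMIT:
                findings.append((user, int((ts - prev).total_seconds() // 60)))
            last_seen[user] = ts
    return findings

def access_policy_findings(events):
    """Successful access from outside the allowed networks or hours: [(user, ip, reason)]."""
    findings = []
    for ts, event, user, ip in events:
        if event not in ("LOGIN_OK", "FILE_READ"):
            continue
        if not any(ip_address(ip) in net for net in ALLOWED_NETS):
            findings.append((user, ip, "outside allowed network"))
        if not WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]:
            findings.append((user, ip, "outside permitted hours"))
    return findings

def run_checks(text=SAMPLE_LOG):
    """Run all three checks over one log and return the findings by check name."""
    events = parse_log(text)
    return {"lockout": lockout_findings(events),
            "idle": idle_session_findings(events),
            "access": access_policy_findings(events)}
```

On the constructed log this reports jdoe reaching a sixth failed attempt, a 40-minute idle gap for asmith with no lock, and two out-of-policy logins (wrong network, wrong hours).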
If law enforcement and government agencies are encouraged to share CJIS data, why do they make it so difficult? Agencies seeking compliance must adopt the 19 policies and undergo an audit by the CJIS division to ensure they meet the minimum requirements. Indeed, this can be costly for agencies and sometimes takes a considerable amount of time to implement. And remember, compliance is no easy task since CJIS data is highly sensitive. Agencies operating within a compliant cloud-based system require security measures to prevent hackers and spies from gaining access using their advanced intrusion techniques.
How Ditto Transcripts Meets CJIS Requirements
Ditto Transcripts specializes in law enforcement transcription solutions. Our trained law enforcement transcriptionists offer the best online transcription services, utilizing high-quality equipment.
At Ditto Transcripts, we take the security of all law enforcement transcription data seriously and are 100% CJIS compliant, encompassing the 19 policies that ensure complete data security. Here is how we comply:
Limited Access
Not just anyone can see stored files. We determine who can access files based on job role, physical location, network address, and other factors.
Limited Login Attempts
Users can attempt to log in up to five times before we lock their accounts. Once locked out, only a manager can reset the account and restore access.
Session Lock
Keeping sessions open for long periods gives unauthorized users more time to access information. Our systems sign out automatically after 30 minutes of inactivity.
High Security on Business Facilities
Ditto Transcripts’ office has full surveillance with a security system, cameras, and motion sensors. We store physical files safely in a locked environment. Finally, we store files in the cloud at Amazon facilities protected by armed guards and a digital security system.
Weekly Audits
We keep audit records that contain information needed to understand events that occurred, their sources, and the outcome of events. The team reviews these records weekly. Through audits, we can track who logged in, all actions done, and detect any breaches in the system and where they came from. Furthermore, Ditto Transcripts has a SOC 2 Type II Certification, ensuring that the company upholds high standards of security for customer data protection.
Multi-Factor Authentication and Encryption
So that the information doesn’t get into the wrong hands, we follow advanced multi-factor authentication requirements. Staff accessing certain documents must use one-time passwords, codes, and facial recognition.
Staff Training
Our staff are all on the same page regarding complete compliance. We frequently train our staff on the latest protocols and procedures and make the relevant documentation available to them.
System and Services Acquisition
At Ditto Transcripts, we ensure all systems and technologies used in our operations are secure, supported, and regularly updated. We replace outdated or unsupported components, maintaining security updates throughout the system or product’s lifecycle.
Maintenance and Recording
We schedule, log, and review all maintenance activities to ensure system security and transparency. We carefully manage tools and media containing transcripts, recordings, or any operational information. Furthermore, we do not remove equipment containing sensitive information without proper authorization.
Extensive Planning
Our comprehensive planning covers all operating procedures, equipment, and personnel, and we have specific contingencies for cases like power disruptions, cybersecurity attacks, and more.
Risk Assessment
We conduct regular risk assessments to identify and mitigate risks to our CJIS systems. We perform vulnerability scanning and monitoring monthly to ensure no critical vulnerabilities remain unaddressed. If we find any, we immediately log, address, and report them as required.
Compliance Verification Methodology
Ditto Transcripts’ compliance claim is backed by security measures such as:
- Personnel Security: All transcriptionists are highly trained professionals who underwent extensive character checks to ensure they meet CJIS requirements.
- Access Control: Ditto Transcripts implements strict access control, including a unique username, password, and PIN for each individual, to limit who can access the data.
- Encryption: The data is protected using 256-bit SSL/TLS encryption.
- Audit Trails: Ditto Transcripts conducts detailed reporting and tracking to monitor data access and modification, ensuring it aligns with CJIS auditing standards.
Ditto Transcripts provides accurate transcription and complies with CJIS.
Additional Information
If you have any questions about our compliance with CJIS, please let us know by calling (720) 287-3710, emailing info@dittotranscripts.com, or clicking the Contact Us button above and filling out the form.