
What Is CJIS (Criminal Justice Information Services) Compliance?


CJIS is the Criminal Justice Information Services division within the FBI. The CJIS Division is the largest division within the FBI, with a high-tech operations hub located in the hills of West Virginia. CJIS offers advanced tools and services, such as the National Crime Information Center, to law enforcement agencies, national security agencies, and intelligence community partners.

CJIS compliance ensures that companies that work with sensitive information stay within the data security and encryption standards that the FBI and NIST have set forth. Sensitive information can include background checks, fingerprints, DNA evidence, copies of government-issued documents such as passports, witness or suspect interviews, and so on.

The FBI and the Criminal Justice Information Services provide:

  • The National Instant Criminal Background Check System (NICS)
  • National Crime Information Center (NCIC)
  • Sex offender registry

With the advancement of cloud computing, challenges have arisen regarding data security, compliance, and incident response. If data ends up in the wrong hands, it could severely damage public trust in government. Compliance and security will always be factors to consider before sharing sensitive information with anyone.

CJIS serves as an archive of criminal justice information for many different government agencies around the United States. CJIS keeps pace with constant technological change and has created a set of security standards for businesses that cater to law enforcement.

If CJIS didn’t exist, the number of system breaches, unintentionally shared information, and crime rates would be out of control. 

CJIS Compliance

Are you a law enforcement agency that needs patrol reports, witness or suspect interviews, jail calls, wiretaps, or any other audio or video file transcribed? Any time a file with sensitive data is handed to an outside company or vendor, that company must comply with CJIS requirements. Working with a company that does not follow CJIS policies can lead to disastrous data breaches and lawsuits for years.

Here at Ditto Transcripts, we want to help you understand exactly what CJIS is, the policies it entails, and the steps we take to comply with it. What follows pertains to companies like us that provide law enforcement transcription services and any other company in the US that wants to be CJIS compliant.

The History of How CJIS Got Started

In 1924, the FBI created an Identification Division to gather fingerprints from police agencies nationwide. This made it easier to search for fingerprint matches from crime evidence upon request from one central location in the US. In 1992, the CJIS Division was established as the focal point and central repository for all criminal justice information services within the FBI. 

Who Needs to Be CJIS Compliant?

Every business with access to sensitive data or data from CJIS databases needs to align its data security standards with the policies below. 

This applies to law enforcement agencies, including police departments, prosecuting attorneys’ offices, transcription and translation companies, security agencies, etc. 

The FBI’s outline of CJIS policies indicates that not all policies apply to every organization. That being said, any company handling sensitive information should be familiar with all of the policies in case of changes that could include them at some point. 

Note: Anyone who gains access to CJIS information must undergo a criminal background check to ensure the information doesn’t end up in the hands of someone with a criminal history. On the same note, US background checks cannot be done on foreign nationals. Foreign nationals cannot access CJIS databases or systems because a criminal background check is impossible. 

Below is a look at which CJIS compliance policies businesses must follow to be compliant. 

Requirements to Be CJIS Compliant

The requirements have changed since the division was founded in 1992. Indeed, there are more internet hacking threats today than ever before. Further, cyber security can be very challenging, with much of today's information stored in the cloud and reached over an internet connection. Using a company with a CJIS security policy is crucial for all law enforcement agencies.

The CJIS policies enforce safety in wireless networking, data encryption, remote access, and multi-factor authentication. Here are some of the best practices:

  • A limit on unsuccessful login attempts.
  • Keeping track of login activities, including password changes.
  • Weekly audit reviews.
  • Session lock after 30 minutes (or less) of inactivity.
  • Access restrictions based on job role, location, time of day, and network address.

Now, let’s go into more depth. Here is a summary of the 19 CJIS policies. 

Policy #1: Information Exchange Agreements

Companies that share CJIS-protected data with other organizations must have a written agreement that both will comply with the CJIS security standards.

Policy #2: Security Awareness Training

All employees within a business handling CJIS data must undergo security training within the first six months of being assigned their roles. Every other year, training needs to be provided to accommodate CJIS updates.

Policy #3: Incident Response

Companies handling CJIS-protected data must have safeguards to detect and contain breaches. Data recovery measures are also crucial. Any data breaches must be reported to the authorities immediately. 

Policy #4: Auditing and Accountability

Audit controls must be implemented to record who accesses data, when it is accessed, and why it is being accessed. This information must be logged for future audits, which can help determine whether the company is accountable.

Policy #5: Access Control

Restrictions must be set to control who can access data. The restrictions include who can access, upload, download, transfer, and delete secure data. Login management systems, remote access controls, and more should all be highly restricted and monitored. 

Policy #6: Identification and Authentication

CJIS sets requirements for login credentials, including advanced authentication methods such as one-time passwords and multi-factor authentication, and password complexity rules (capital letters, numbers, special characters, etc.). These must be implemented for anyone accessing CJIS information.

Policy #7: Configuration Management 

Only authorized users in a business can make configuration adjustments like upgrading systems or initiating modifications. 

Policy #8: Media Protection

CJIS-related data is to be protected in all digital and physical forms, whether in transit or stored at a facility. Equipment (computers and other devices) that the company no longer uses must be wiped of all data, and the device must be disposed of in alignment with CJIS policies.

Policy #9: Physical Protection

The physical location where the CJIS data is stored must always be protected. This could be with guards, cameras, and advanced security systems. 

Policy #10: System and Communications Protection and Information Integrity 

Physical data files, organization systems, and communications must be protected. Steps to ensure protection include encryption, network security, data breach detection measures, and more. 

Policy #11: Formal Audits

Any company that uses and manages CJIS data is subject to audits at least every three years by the CJIS Audit Unit (CAU) or the CJIS Systems Agency (CSA). The organization that does the audit depends on which state the company is in. Audits can happen anytime, and companies must comply, or they could be closed down. 

Policy #12: Personnel Security

Everyone who works within the company, including full-time, part-time, and contractors, must submit to security screenings and national fingerprint-based record checks.  

Policy #13: Mobile Devices

Every employee’s mobile device (phones, laptops, tablets) is subject to CJIS oversight. The company must establish secure user restrictions to authorize, monitor, and control system access via non-work devices. Even employees and devices that have never been on the premises are subject to oversight.

Policy #14: Systems and Services Acquisition

Agencies and third-party vendors must use secured systems and technologies and replace system components when support is no longer available from manufacturers or vendors. Only using supported and updated systems ensures continuous security improvements. If the system cannot be replaced, an alternative source for support and updates should be found, or in-house support can be established. 

Policy #15: System and Information Integrity

Organizations must establish a system to ensure security integrity, including key elements such as: 

  • Policy and Procedures (SI-1): Develop and disseminate comprehensive system and information integrity policies and procedures. Assign responsibility for their implementation, review annually or after security incidents, and ensure alignment with laws and standards.
  • Flaw Remediation (SI-2): Identify, report, test, and correct system flaws, integrating updates into configuration management processes. Install updates based on risk prioritization (e.g., critical updates within 15 days).
  • Malicious Code Protection (SI-3): Use mechanisms to detect and remove malicious code, conduct daily scans, block threats, and implement incident response protocols.
  • System Monitoring (SI-4): Continuously monitor systems to detect attacks, unauthorized access, and anomalies, employing tools like intrusion detection and network monitoring.
  • Security Alerts (SI-5): Receive and disseminate alerts and directives, implementing actions promptly to mitigate risks.
  • Integrity Verification (SI-7): Detect unauthorized changes to software, firmware, or data using verification tools and respond appropriately.
  • Spam Protection (SI-8): Implement and update mechanisms to manage unsolicited messages.
  • Error Handling (SI-11): Limit error message exposure to prevent exploitation.
  • Information Retention (SI-12): Manage information per legal and policy requirements, minimizing personal data risks.
  • Memory Protection (SI-16): Implement controls like data execution prevention to guard system memory.
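Integrity Verification (SI-7) calls for detecting unauthorized changes to software, firmware, or data. As an added illustration (not code from this page, from Ditto Transcripts, or from the CJIS Security Policy), the Python block below builds a SHA-256 baseline of a directory tree, seals the baseline with an HMAC so that a quietly edited baseline is itself detectable, and reports modified, added, and removed files on re-check. The directory contents, file names, and HMAC key are constructed sample values.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large media files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_baseline(baseline: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form; keep the key off the monitored host."""
    canonical = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, canonical, "sha256").hexdigest()


def baseline_is_authentic(baseline: dict, seal: str, key: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the seal."""
    return hmac.compare_digest(seal_baseline(baseline, key), seal)


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree against the baseline and classify every difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Run the check over a constructed directory: once clean, once after changes."""
    key = b"constructed-demo-key-keep-real-keys-in-a-vault"  # assumption, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "transcribe.sh").write_bytes(b"#!/bin/sh\necho ok\n")
        (root / "config.ini").write_text("retention_days=365\n")
        baseline = build_baseline(root)
        seal = seal_baseline(baseline, key)
        clean = verify(root, baseline)
        # Simulate an unauthorized edit, a deletion, and an unexpected new file.
        (root / "bin" / "transcribe.sh").write_bytes(b"#!/bin/sh\necho changed\n")
        (root / "config.ini").unlink()
        (root / "unexpected.bin").write_bytes(b"\x00\x01\x02")
        tampered = verify(root, baseline)
        # A baseline edited to hide the change no longer matches its seal.
        forged = {**baseline, "bin/transcribe.sh": hash_file(root / "bin" / "transcribe.sh")}
    return {
        "clean": clean,
        "tampered": tampered,
        "seal_valid": baseline_is_authentic(baseline, seal, key),
        "forged_seal_valid": baseline_is_authentic(forged, seal, key),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The seal matters in practice: a file-integrity check is only as trustworthy as its baseline, so the baseline (or its HMAC key) should live somewhere the monitored system cannot write to, and the check should run on a schedule that matches the monitoring cadence the policy requires.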

Policy #16: Maintenance

Organizations must establish a maintenance policy for all systems handling and storing CJI. The policy can be included as a general security or privacy policy, depending on the complexity of the business. All maintenance events must be scheduled, logged, and available for review upon request. 

System-wide maintenance activities must cover tools and media and ensure no unauthorized removal of any equipment containing critical organizational information or CJI.

Policy #17: Planning

Organizations must establish and enforce comprehensive policies, procedures, and practices to maintain and protect information security. Roles, threats, operational contexts, and control systems must be defined. This policy should be the overarching framework of all organization security and privacy systems. 

Policy #18: Contingency Planning

Organizations must establish case-specific frameworks for ensuring continued operations for critical security systems during disruptions or failures. Plans should include maintaining operations and security during said issues and defining roles, objectives, and procedures to restore essential functions and systems like telecommunications, power, processing sites, and backup systems. 

Policy #19: Risk Assessment

Organizations must identify, evaluate, and provide guidelines to mitigate risks to CJIS systems. Risk assessment policies and procedures should be aligned with existing laws and regulations (and other policies, if applicable) and must be updated annually or after attacks or incidents. Scanning and monitoring vulnerabilities must be performed monthly to ensure no critical security vulnerabilities are exposed to risks. 

How to Choose the Right Data Encryption Cloud Provider

When choosing a cloud provider, there are many questions to consider. Do they have general liability insurance? Do they have cyber liability insurance? Are employee background checks kept confidential? How about authenticity? A good provider should do all of the above and be able to sign a contract stating that they are 100% US-based and will not outsource or allow any foreign nationals to access your data. Ensure they are willing to sign a contract that guarantees all of the above and commits them to financial penalties if they knowingly lied or failed to disclose anything that could make them non-CJIS compliant.

The Problem with Some CJIS Data Cloud Providers in the US

When choosing a provider, it is important to know that there is no central CJIS authorization body. This means there are no CJIS certifications in the US right now. As a result, we recommend being suspicious of any company that claims to have a CJIS certification or any company that offers one. Unfortunately, law enforcement agencies are on their own to find a provider that ticks all the CJIS compliance boxes.

What’s even more confusing is that each law enforcement agency can have its own compliance standards. For example, the compliance standards vary from state to state and may not even be the same within a state. Because of this, providers must publish a list of what they offer, with detailed descriptions, so agencies can see whether they meet their CJIS compliance requirements.

CSA Assurance

The CJIS Systems Agency (CSA) can give some assurance by auditing providers against the minimum requirements. However, this audit should not be confused with a certification, as certifications are not available in the US yet. CJIS has outlined what a provider must do to meet a baseline of compliance across all US states:

  • Access restrictions prevent unauthorized users from reaching information they don’t need to do their jobs.
  • Multi-factor authentication is used (one-time passwords, phone or email authentication).
  • Access to data is limited based on job role, network, location, and time of day.
  • A computer left unattended automatically logs out after 30 minutes of inactivity.
  • Virtual and physical servers that store data are kept separate, and servers reachable from the public Internet are segregated as well.
  • Login attempts are limited to 5 tries; after too many unsuccessful attempts, the user is locked out and must contact an administrator.
  • Logs of automatically recorded events such as logins, password changes, and new user accounts are kept for at least one year.
  • Every staff member with access to sensitive or confidential data undergoes a criminal background check.
  • Employees with access to CJIS data receive frequent training.
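The access and session controls in the list above, and in the shorter best-practice list under "Requirements to be CJIS compliant", are easier to reason about as enforcement logic. The following Python model is an added example, not code from Ditto Transcripts or from the CJIS Security Policy. The five-attempt lockout with administrator reset, the 30-minute session lock, the audit trail, and the role, network, and time-of-day restrictions come from the lists on this page; the trusted network range, business hours, user roles, permission sets, and sample accounts are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MAX_FAILED_ATTEMPTS = 5                        # lockout threshold from the list above
SESSION_LOCK = timedelta(minutes=30)           # inactivity limit from the list above
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]  # assumed office address range
BUSINESS_HOURS = range(7, 19)                  # assumed 07:00-18:59 access window

# Assumed role -> permitted operations mapping (least privilege by job role).
ROLE_PERMISSIONS = {
    "transcriptionist": {"read", "upload"},
    "supervisor": {"read", "upload", "download", "transfer"},
    "admin": {"read", "upload", "download", "transfer", "delete"},
}


@dataclass
class User:
    name: str
    password: str            # constructed sample; a real system stores a salted hash
    role: str
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    user: User
    last_activity: datetime
    locked: bool = False


@dataclass
class AccessGateway:
    users: dict
    audit_log: list = field(default_factory=list)

    def _audit(self, when, event, who, detail=""):
        # Every decision is recorded so a weekly review can reconstruct who did what.
        self.audit_log.append(
            {"time": when.isoformat(), "event": event, "user": who, "detail": detail})

    def login(self, name, password, src_ip, now):
        """Return a Session on success, None on any refusal."""
        user = self.users.get(name)
        if user is None or user.locked:
            self._audit(now, "login_denied", name, "unknown or locked account")
            return None
        if password != user.password:
            user.failed_attempts += 1
            if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
                user.locked = True            # only an administrator reset clears this
                self._audit(now, "account_locked", name, f"{user.failed_attempts} failures")
            else:
                self._audit(now, "login_failed", name, f"attempt {user.failed_attempts}")
            return None
        if not any(ip_address(src_ip) in net for net in TRUSTED_NETWORKS):
            self._audit(now, "login_denied", name, f"untrusted network {src_ip}")
            return None
        user.failed_attempts = 0
        self._audit(now, "login_ok", name, src_ip)
        return Session(user, now)

    def admin_reset(self, admin_name, name, now):
        """Unlock an account; only an admin role may do so, and the reset is logged."""
        admin = self.users.get(admin_name)
        if admin is None or admin.role != "admin":
            self._audit(now, "reset_denied", admin_name, name)
            return False
        target = self.users[name]
        target.locked, target.failed_attempts = False, 0
        self._audit(now, "account_reset", admin_name, name)
        return True

    def access(self, session, operation, now):
        """Apply the session lock, time-of-day and role checks to one operation."""
        who = session.user.name
        if session.locked or now - session.last_activity > SESSION_LOCK:
            session.locked = True             # the user must authenticate again
            self._audit(now, "session_locked", who, "inactivity")
            return False
        session.last_activity = now
        if now.hour not in BUSINESS_HOURS:
            self._audit(now, "access_denied", who, f"{operation} outside business hours")
            return False
        if operation not in ROLE_PERMISSIONS.get(session.user.role, set()):
            self._audit(now, "access_denied", who, f"{operation} not allowed for role")
            return False
        self._audit(now, "access_ok", who, operation)
        return True


def demo():
    """Walk through the controls with constructed users; returns the outcomes."""
    gw = AccessGateway({
        "alice": User("alice", "correct horse", "transcriptionist"),
        "root": User("root", "staple battery", "admin"),
    })
    t0 = datetime(2024, 3, 4, 9, 0)           # constructed Monday-morning timestamp
    for i in range(MAX_FAILED_ATTEMPTS):      # five bad passwords lock the account
        gw.login("alice", "wrong", "10.1.2.3", t0 + timedelta(seconds=i))
    results = {"locked_out": gw.login("alice", "correct horse", "10.1.2.3", t0) is None}
    results["reset_ok"] = gw.admin_reset("root", "alice", t0 + timedelta(minutes=1))
    results["off_network_denied"] = gw.login("alice", "correct horse", "203.0.113.5", t0) is None
    s = gw.login("alice", "correct horse", "10.1.2.3", t0 + timedelta(minutes=2))
    results["read_ok"] = gw.access(s, "read", t0 + timedelta(minutes=3))
    results["delete_denied"] = not gw.access(s, "delete", t0 + timedelta(minutes=4))
    results["idle_locked"] = not gw.access(s, "read", t0 + timedelta(minutes=40))
    evening = gw.login("alice", "correct horse", "10.1.2.3", t0.replace(hour=19, minute=40))
    results["after_hours_denied"] = not gw.access(evening, "read", t0.replace(hour=19, minute=41))
    results["events"] = [e["event"] for e in gw.audit_log]
    return results
```

Two design points carry over to real systems: the lockout is cleared only by a logged administrator action, never by waiting, and the audit log records refusals as well as successes, because the denied attempts are what a weekly review needs in order to spot a brute-force attempt or a staff member probing files outside their role.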

If law enforcement and government agencies are encouraged to share CJIS data, why is it made so difficult? Agencies looking to be compliant must adopt the 19 policies and be audited by the CJIS division to confirm they have the minimum requirements in place. Indeed, this can be costly for agencies and often takes a long time to implement. And remember, compliance is no easy task, since CJIS data is highly sensitive. Agencies running within a compliant cloud-based system need security measures that keep hackers and spies from getting in.

How Ditto Transcripts Complies with CJIS

Ditto Transcripts specializes in law enforcement transcription solutions. Our trained law enforcement transcriptionists provide the best online transcription services using high-quality equipment. At Ditto Transcripts, we take the security of all law enforcement transcription seriously and are 100% CJIS compliant.

Here is how we comply:

Limited Access 

Not just anyone can see stored files. Ultimately, we decide who can access files based on job role, physical location, network address, etc. 

Limited Login Attempts

A user is allowed five login attempts before being locked out of the account. And, once the user is locked out, a manager is needed to reset and allow access again.

Session Lock

Keeping sessions open for long periods gives unauthorized users more time to access information. Our systems sign out automatically after 30 minutes of inactivity. 

High Security on Business Facilities

Ditto Transcripts’ office has full surveillance with a security system, cameras, and motion sensors. Tangible files are stored safely in a locked environment. Finally, files in the cloud are stored in Amazon facilities with armed guards and a digital security system.

Weekly Audits 

We keep audit records that contain information needed to understand events that occurred, their sources, and the outcome of events. These records are reviewed weekly. Through audits, we can track who logged in, all actions done, and detect any breaches in the system and where they came from.

Multi-Factor Authentication and Encryption

So that the information doesn’t get into the wrong hands, we follow advanced multi-factor authentication requirements. Staff accessing certain documents must use a one-time password, codes, and facial recognition. 

Staff Training

Our staff are all on the same page regarding complete compliance. We frequently train our staff on proper procedures and provide documents and knowledge.

System and Services Acquisition

At Ditto Transcripts, we ensure all systems and technologies used in our operations are secure, supported, and regularly updated. Outdated or unsupported components are promptly replaced, maintaining security updates throughout the system or product’s lifecycle. 

Maintenance and Recording

We schedule, log, and review all maintenance activities to ensure system security and transparency. Further, tools and media containing transcripts, recordings, or any information used for operations are carefully managed, and no sensitive information equipment is removed without proper authorization. 

Extensive Planning

Our comprehensive planning covers all operating procedures, equipment, and personnel, and we have specific contingencies for cases like power disruptions, cybersecurity attacks, and more. 

Risk Assessment

We conduct regular risk assessments to identify and mitigate risks to our CJIS systems. Vulnerability scanning and monitoring are performed monthly to ensure no critical vulnerabilities remain unaddressed. Any found are immediately logged, addressed, and reported as required. 

Additional Information

If you have any questions about our compliance with CJIS, please let us know by calling (720) 287-3710, emailing info@dittotranscripts.com, or clicking the Contact Us button above and filling out the form.

Looking For A Transcription Service?

Ditto Transcripts is a U.S.-based HIPAA and CJIS compliant company with experienced U.S. transcriptionists. Learn how we can help with your next project!