Criminal Justice Information Services (CJIS) compliance is top of mind for anyone working in law enforcement, U.S. government, legal services, and related fields — and naturally so: Effective law enforcement and justice initiatives must be handled with the utmost care, and that includes the responsible handling of sensitive data.
But what, exactly, does CJIS compliance entail, and what do organizations need to know about properly managing and securing information gleaned from CJIS databases? Here's what you need to know about the compliance regulation and the data that falls underneath the CJIS umbrella.
Criminal Justice Information Services (CJIS) is a compliance standard that regulates data security and privacy in local, state, and federal law enforcement. CJIS collects and analyzes criminal justice information (CJI) from law enforcement centers around the country and provides a centralized database to store and access CJI. But, in order to use CJIS databases, organizations must comply with several security regulations to ensure the proper handling of this sensitive data.
The FBI notes in its CJIS Security Policy, "The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. This Policy applies to every individual—contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity—with access to, or who operate in support of, criminal justice services and information."
So, these policies are designed to safeguard sensitive criminal justice intelligence across the entirety of its lifecycle, from the moment it's created, to everywhere it's shared, and eventually destroyed. However, it's also significant that the FBI's CJIS Security Policy opens with this:
"Law enforcement needs timely and secure access to services that provide data wherever and whenever for stopping and reducing crime."
Not only does CJIS data need to be protected with the highest security, but it also needs the ability to move, so that law enforcement decisions can be made with all available data, in real time. To take advantage of this real-time information, organizations need to demonstrate that they will properly safeguard this data, anywhere it moves, in motion and at rest.
The data subject to CJIS falls under three key categories, CJI (criminal justice information), CHRI (a subset of CJI, criminal history record information), and PII (personally identifiable information). These types of data are subject to CJIS until that information is made public via authorized dissemination (through the court system, public safety announcements, crime report data, etc.).
This includes information about individuals, housed by the FBI CJIS architecture, including:
A subset of CJI, this information can be referred to as "restricted data" and includes sensitive information directly related to an individual's history with law enforcement agencies. CHRI also includes National Crime Information Center (NCIC) Restricted Files, which include things like gang files, threat screening center files, identity theft files, sex offender registry files, violent person files, "person with information" files, etc. This type of information is subject to additional controls.
This refers to any information that can be used to distinguish or trace an individual's identity, including name, social security number, or biometric records alone or combined with other identifying information that can lead to the individual's identity (e.g., date and place of birth, employment history, or mother's maiden name).
To make use of CJIS databases, organizations need to meet several security standards. Some of these standards include best practices like using multi-factor authentication and physical security.
CJIS compliance is not a simple journey solved by a single vendor: There are, intentionally, many layers of security that need to be put into place for an organization to meet this compliance standard. However, one of the critical elements of data security is encryption: When handling sensitive data, encryption (with strong access controls) helps add a layer of security that safeguards information across its lifecycle.
There are two key sections of CJIS that call out encryption specifically as a requirement:
Hundreds of federal, state, and local government organizations use Virtru's FIPS 140-2 compliant encryption and access control to support CJIS compliance. Not only is Virtru more cost-effective than many other FIPS-compliant encryption solutions, but Virtru also far more seamless to use, and it can even be automated to support the fast-paced workflow of the public sector.
Virtru's data-centric security and granular access controls travel with the data everywhere it moves, helping agencies ensure that CUI data is protected across its lifecycle, in transit and at rest. Virtru encryption enables data to be shared in common email and file-sharing workflows — even externally — without sacrificing control. Virtru also integrates with platforms like Microsoft Outlook and Google Workspace (including Gmail), and can be deployed as an automated server-side email gateway for automatic detection and encryption of sensitive CJI data before it leaves your organization. Virtru Secure Share can also be used for the intake and sharing of sensitive files, particularly if those files are too large to be shared via email (for example, files containing security footage).
Finally, the Virtru Private Keystore gives you an extra layer of confidence for your encrypted data: You have the option to store your private encryption keys in the location of your choosing, whether that's on-prem or in a private cloud — keeping your keys separate from the protected data and shielding encrypted information from cloud providers like Microsoft and Google.
Take the guesswork out of CJIS compliance: Talk to Virtru's team of experts today about CJIS-compliant data encryption.