Welcome, Today is May 19, 2024


About CJIS

The Criminal Justice Information Services (CJIS) Division is a branch of the FBI that allows access to criminal justice information to local, state, federal, and international law enforcement. Established in 1992, CJIS serves as a focal point for the FBI's information services and allows government agencies and law enforcement to access accurate criminal data in a timely and secure manner.

CJIS as a standard for security policy is also applicable and flows down in the vendor, contractor, and supplier supply chain for the FBI and for local, state, other federal, and international law enforcement. Some vendors, contracting agencies, and suppliers are classified as Noncriminal Justice Agencies (NCJA) that are Processors or Non-Processors of Criminal Justice Information.

CJIS Security Policy

The CJIS Security Policy (CSP) provides the controls and security requirements that are necessary to protect criminal justice information (CJI) at all stages of its lifecycle, all the way from the sources of the data to its storage. The policy is created so that it may stand as the sole security policy for an agency or NCJA, though it may be implemented alongside additional policies that work alongside the CJIS Security Policy or increase their standards of protection. Ultimately, the CSP is meant to serve as the baseline requirements for CJI protection.

The CJIS Security Policy consists of several “policy areas,” which define the measures required to protect CJI. The policy areas are to be examined within each agency or NCJA to determine their applicability. These policy areas are:

  • Information Exchange Agreements
  • Security Awareness Training
  • Incident Response
  • Auditing and Accountability
  • Access Control
  • Identification and Authentication
  • Configuration Management
  • Media Protection
  • Physical Protection
  • Systems and Communications Protection and Information Integrity
  • Formal Audits
  • Mobile Devices

Compliance with the CSP is essential for all organizations and individuals with access to CJIS systems or Criminal Justice Information.

What is CJI?

Criminal justice information, otherwise known as CJI, is all data that law enforcement may use to perform their duties. The CJIS Security Policy describes various types of data that are housed by CJIS: biometric data, identity history data, biographic data, property data, and case/incident history. CJI may be used for criminal investigations, background checks, and various decision-making processes. Regardless of its use case, it is imperative that the data remains confidential and integrous to protect the privacy rights of individuals and to prevent any misuse of the data.

Criminal History Record Information

Criminal History Record Information (CHRI) is a subset of CJI that requires additional controls due to its sensitivity. For this reason, CHRI is also sometimes referred to as “restricted data.” CHRI refers to a more specific and detailed records of an individual’s criminal history. This could include arrests, protection orders, and other pertinent data that is collected and used by law enforcement agencies or courts.

Restricted vs. Non-Restricted Information

The National Crime Information Center (NCIC) hosts both restricted and non-restricted files, but what differentiates these files and how are they accessed? Restricted files contain more sensitive data that require more stringent access and use policies. Restricted files include:

  • Gang Files
  • Threat Screening Center Files
  • Supervised Release Files
  • National Sex Offender Registry Filesy
  • Historical Protection Order Files of the NCIC
  • Identity Theft Files
  • Protective Interest Files
  • Person With Information data in the Missing Person Files
  • Violent Person File
  • NICS Denied Transactions File

Any files not mentioned in the above list is non-restricted and can be authorized for access and use at the discretion of the of the agency that would be providing these files. For example, a community member may go to their local police department to inquire about an individual. The department may share non-restricted records about that individual, but they cannot share if that individual has any records that align with the restricted files list.

What is PII?

CJIS systems and criminal justice information may also include personally identifiable information, or PII, as a broader scope of the information that is stored. PII is a broader scope of information and is defined as information that can be used to distinguish a single individual’s identity. This can include names, social security numbers, email addresses, biometric records, or other identifying factors. Although the CSP does not delve into the protection of PII due to its expansiveness, it assumes that agencies have appropriate controls in place for the protection of PII that is extracted from CJI.

Maintaining CJIS Compliance with Egis

Egis IT Security serves organizations within the Indianapolis metropolitan area and across the United States to help agencies and NCJAs understand CJIS requirements and maintain good standing with the CJIS Security Policy. Egis is dedicated to helping others understand and implement the necessary security controls for their business. With our extensive expertise and years of experience, Egis can offer tailored solutions to help your organization align with industry standards, allowing you to focus on your business. If your business handles, processes, or manages criminal justice information, Egis can help you by:

  • Improve upon current IT policies and procedures
  • Meet with your auditors
  • Perform vulnerability assessments
  • Continuously monitor your websites, networks, and servers
  • Recommend, sell, and deploy a variety of products as needed
  • Perform security awareness training
  • Consultations