Criminal Justice Information Services (CJIS) compliance is top of mind for anyone working in law enforcement, U.S. government, legal services, and related fields — and naturally so: Effective law enforcement and justice initiatives must be handled with the utmost care, and that includes the responsible handling of sensitive data. But what, exactly, does CJIS compliance entail, and what do organizations need to know about properly managing and securing information gleaned from CJIS databases? Here's what you need to know about the compliance regulation and the data that falls underneath the CJIS umbrella. Criminal Justice Information Services (CJIS) is a compliance standard that regulates data security and privacy in local, state, and federal law enforcement. CJIS collects and analyzes criminal justice information (CJI) from law enforcement centers around the country and provides a centralized database to store and access CJI. But, in order to use CJIS databases, organizations must comply with several security regulations to ensure the proper handling of this sensitive data. The FBI notes in its CJIS Security Policy, "The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. This Policy applies to every individual—contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity—with access to, or who operate in support of, criminal justice services and information." So, these policies are designed to safeguard sensitive criminal justice intelligence across the entirety of its lifecycle, from the moment it's created, to everywhere it's shared, and eventually destroyed. However, it's also significant that the FBI's CJIS Security Policy opens with this:What Is CJIS?
"Law enforcement needs timely and secure access to services that provide data wherever and whenever for stopping and reducing crime."
Not only does CJIS data need to be protected with the highest security, but it also needs the ability to move, so that law enforcement decisions can be made with all available data, in real time. To take advantage of this real-time information, organizations need to demonstrate that they will properly safeguard this data, anywhere it moves, in motion and at rest.
What Data Falls Under CJIS?
The data subject to CJIS falls under three key categories, CJI (criminal justice information), CHRI (a subset of CJI, criminal history record information), and PII (personally identifiable information). These types of data are subject to CJIS until that information is made public via authorized dissemination (through the court system, public safety announcements, crime report data, etc.).
CJI: Criminal Justice Information
This includes information about individuals, housed by the FBI CJIS architecture, including:
- Biometric data: Data typically used to identify an individual, such as fingerprints, palm prints, iris scans, and facial recognition data
- Identity history data: Textual data that corresponds with biometric data,
giving a history of criminal and/or civil events for the identified individual - Biographic data: Data that does not provide a history of an
individual, only information related to a unique case - Property data: Information about vehicles and property associated with crime when
accompanied by any personally identifiable information (PII) - Case/incident history: information about the history of criminal incidents
CHRI: Criminal History Record Information
A subset of CJI, this information can be referred to as "restricted data" and includes sensitive information directly related to an individual's history with law enforcement agencies. CHRI also includes National Crime Information Center (NCIC) Restricted Files, which include things like gang files, threat screening center files, identity theft files, sex offender registry files, violent person files, "person with information" files, etc. This type of information is subject to additional controls.
PII: Personally Identifiable Information
This refers to any information that can be used to distinguish or trace an individual's identity, including name, social security number, or biometric records alone or combined with other identifying information that can lead to the individual's identity (e.g., date and place of birth, employment history, or mother's maiden name).
CJIS Encryption Requirements and Compliance
To make use of CJIS databases, organizations need to meet several security standards. Some of these standards include best practices like using multi-factor authentication and physical security.
CJIS compliance is not a simple journey solved by a single vendor: There are, intentionally, many layers of security that need to be put into place for an organization to meet this compliance standard. However, one of the critical elements of data security is encryption: When handling sensitive data, encryption (with strong access controls) helps add a layer of security that safeguards information across its lifecycle.
There are two key sections of CJIS that call out encryption specifically as a requirement:
- Section 5.10.1.2.1: When CJI is transmitted outside the boundary of the physically secure location, the data shall be immediately protected via encryption that is FIPS 140-2 certified and use a symmetric cipher key strength of at least 128 bit strength to protect CJI.
Section 5.10.1.2.2: When CJI is at rest (i.e. stored digitally) outside the boundary of the physically secure location, the data shall be protected via encryption with the same standard mentioned above or use a symmetric cipher that is FIPS 197 certified (AES) and at least 256-bit strength.
Virtru's FIPS 140-2 Compliant Encryption for CJIS Compliance Support
Hundreds of federal, state, and local government organizations use Virtru's FIPS 140-2 compliantencryption and access control to support CJIS compliance. Not only is Virtru more cost-effective than many other FIPS-compliant encryption solutions, but Virtru also far more seamless to use, and it can even be automated to support the fast-paced workflow of the public sector.
Virtru's data-centric security and granular access controls travel with the data everywhere it moves, helping agencies ensure that CUI data is protected across its lifecycle, in transit and at rest. Virtru encryption enables data to be shared in common email and file-sharing workflows — even externally — without sacrificing control. Virtru also integrates with platforms like Microsoft Outlook and Google Workspace (including Gmail), and can be deployed as an automated server-side email gateway for automatic detection and encryption of sensitive CJI data before it leaves your organization. Virtru Secure Share can also be used for the intake and sharing of sensitive files, particularly if those files are too large to be shared via email (for example, files containing security footage).
Finally, the Virtru Private Keystore gives you an extra layer of confidence for your encrypted data: You have the option to store your private encryption keys in the location of your choosing, whether that's on-prem or in a private cloud — keeping your keys separate from the protected data and shielding encrypted information from cloud providers like Microsoft and Google.
Take the guesswork out of CJIS compliance: Talk to Virtru's team of experts today about CJIS-compliant data encryption.
Megan Leader
Megan is the Director of Brand and Content at Virtru. With a background in journalism and editorial content, she loves telling good stories and making complex subjects approachable. Over the past 15 years, her career has followed her curiosity — from the travel industry, to payments technology, to cybersecurity.
View more posts by Megan Leader
See Virtru In Action
Sign Up for the Virtru Newsletter
