U.S. DOJ-FBI Criminal Justice Information Services (CJIS) Security Policy 2011 Draft

Criminal Justice Information Services Division

  • 127 pages
  • Draft
  • For Official Use Only
  • January 1, 2011



Law enforcement needs timely and secure access to services that provide data wherever and whenever for stopping and reducing crime. In response to these needs, the Advisory Policy Board (APB) recommended to the Federal Bureau of Investigation (FBI) that the Criminal Justice Information Services (CJIS) Division authorize the expansion of the existing security management structure in 1998. Administered through a shared management philosophy, the CJIS Security Policy contains information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI); and the Personally Identifiable Information derived from CJI. The Federal Information Security Management Act of 2002 provides further legal basis for the APB approved management, operational, and
technical security requirements mandated to protect CJI and by extension the hardware, software
and infrastructure required to enable the services provided by the criminal justice community.

The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the
full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for
the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI
data. This policy applies to every individual—contractor, private entity, noncriminal justice
agency representative, or member of a criminal justice entity—with access to, or who operate in
support of, criminal justice services and information.

The CJIS Security Policy integrates Presidential directives, Federal laws, FBI directives and the
criminal justice community’s APB decisions along with nationally recognized guidance from the
National Institute of Standards and Technology. The Policy is presented at both strategic and
tactical levels and is periodically updated to reflect the security requirements of evolving
business models. The policy features modular sections enabling more frequent updates to
address emerging threats and new security measures. The provided security criterion assists
agencies with designing and implementing systems to meet a uniform level of risk and security
protection while enabling agencies the latitude to institute more stringent security requirements
and controls based on their business model and local needs.

The CJIS Security Policy strengthens the partnership between the FBI and CJIS Systems
Agencies (CSA), including, in those states with separate authorities, the State Identification
Bureaus. Further, as use of criminal history record information for noncriminal justice purposes
continues to expand, the CJIS Security Policy becomes increasingly important in guiding the
National Crime Prevention and Privacy Compact Council and State Compact Officers in the
secure exchange of criminal justice records.

The policy describes the vision and captures the security concepts that set the policies,
protections, roles, and responsibilities with minimal impact from changes in technology. The
policy empowers CSAs with the insight and ability to tune their security programs according to
their needs, budgets, and resource constraints while remaining compliant with the baseline level
of security set forth in this policy. The CJIS Security Policy provides a secure framework of
laws, standards, and elements of published and vetted policies for accomplishing the mission
across the broad spectrum of the criminal justice and noncriminal justice communities.
