CJIS Security Policy

For personnel working with information systems containing Criminal Justice Information (CJI), the most significant portion of the CJIS Security Policy is chapter five. This chapter is divided into 13 policy areas, each of which defines the standards for that area. Below is a brief summary of the standards in each policy area:

Policy Area


1: Information Exchange Agreements

Proactively formalize the sharing of data, and incorporate the CJIS Security Addendum into contracts.

2: Security Awareness Training

Training must be adequate for the individual's level of use of Criminal Justice Information (CJI).

3: Incident Response

Plan, act, and communicate. A security incident may affect interconnected systems.

4: Auditing and Accountability

Systems storing CJI must record user and administrator activities and maintain those logs for at least one year.

5: Access Control

To ensure proper security, follow least privilege and review access authorizations regularly.

6: Identification and Authentication

Force complex passwords, and use advanced authentication and/or mobile device management when physical security is not available.

7: Configuration Management

Know what's in the agency's CJIS network.

8: Media Protection

Digital and physical media (disk and paper) must be kept secure until they are securely destroyed.

9: Physical Protection

Control and secure access to areas with CJIS Systems.

10: Systems and Communications Protection and Information Integrity

Encryption must be NIST-Certified FIPS 140-2 in transit, and FIPS 197 at rest when information is stored or held outside the physically secure location. Also, intrusion and malware protections are required.

11: Formal Audits

Any system containing CJI may be audited by the FBI or CBI.

12: Personnel Security

Fingerprint-based background checks are required for all personnel with access to CJI in any format.

13: Mobile Computing

Ensure the security of wireless communications and mobile devices.

The entire CJIS Security policy is found here: 

These standards apply to both criminal justice agencies and non-criminal justice agencies that have access to CJI, with some variation due to the different levels and standards for access. The Denver Police Department would be one example of a criminal justice agency, and the Colorado Department of Education an example of a non-criminal justice agency.

The standards also apply to private businesses providing services to criminal justice and non-criminal justice agencies. The CBI has programs for businesses working with both types of agencies. For criminal justice agency vendors, the CBI maintains the CJIS Vendor Program.

Operational Assistance with the CJIS Security Policy

The CJIS Security Policy is designed to contain standards which do not designate a specific technology, but can be applied in diverse environments. For that reason, the CBI fields many questions regarding the application of the policy in specific circumstances. To assist in the implementation of the policy, the CBI has created the Colorado CJI Hot Topics Blog to provide agencies accessing criminal justice information with consistent information regarding areas of frequent interest.

The blog may be accessed here: 

For specific CJIS Policy questions, please contact the CIMU CJIS Compliance Team at (303) 239-4299, or cdps.cbi.cjisvendors@state.co.us.