Criminal Justice Information Services Security Policy
Protecting criminal justice information across law enforcement and government agencies
What changed in CJIS Security Policy v6.0?
The FBI released CJIS Security Policy v6.0 on December 27, 2024. It is the most significant restructuring of the policy in years. The entire policy is now mapped to NIST SP 800-53 Rev 5 at the moderate baseline, replacing the previous custom control structure. v6.0 introduces Priority tiers P1 through P4 so agencies can phase implementation by risk. P1 controls, which include multi-factor authentication, became subject to FBI CJIS sanctions on October 1, 2024. Agencies that have not deployed MFA for CJI access outside physically secure locations are already out of compliance. Full compliance with P2 through P4 controls is required by September 30, 2027. Organizations already running NIST-based programs will find the new structure reduces duplicative work.
// What is CJIS?
The CJIS Security Policy establishes the minimum security requirements for access to FBI Criminal Justice Information Services systems and data. It applies to every entity (law enforcement, government agency, private contractor, or cloud provider) that accesses, transmits, stores, or processes Criminal Justice Information (CJI).
CJI includes biometric data, identity history records, property records, case and incident data from the National Crime Information Center (NCIC), and data from the National Instant Criminal Background Check System (NICS). Unauthorized disclosure of CJI can compromise investigations, endanger individuals, and violate federal and state law.
Version 6.0, released December 27, 2024, is a major restructuring of the policy. It maps the entire CJIS policy to NIST SP 800-53 Rev 5 (moderate baseline) and introduces a tiered Priority framework (P1 through P4) so agencies can sequence compliance work by criticality. P1 controls, including multi-factor authentication, became subject to sanctions as of October 1, 2024. Full compliance with P2 through P4 controls is required by September 30, 2027.
The policy defines security areas covering everything from personnel screening and physical security to encryption standards and incident response. Compliance is audited by the FBI CJIS Division and state-level CJIS Systems Agencies (CSAs).
// Inside the Regulation
CJIS Security Policy v6.0 restructures the policy around NIST SP 800-53 Rev 5 and introduces Priority tiers P1-P4 to guide phased implementation. P1 (including MFA) is sanctionable now; P2-P4 compliance is required by September 30, 2027.
Priority Tier Framework (v6.0)
Version 6.0 introduced a tiered Priority framework to help agencies sequence compliance. P1 controls carry immediate sanction risk; P2-P4 follow a phased schedule.
P1 Controls (Sanctionable Now)
The highest-priority controls, including multi-factor authentication, became subject to FBI CJIS sanctions as of October 1, 2024. Agencies not meeting P1 requirements face access termination.
P2-P4 Controls (Due September 30, 2027)
Lower-priority controls have a phased implementation window. Full compliance with all P2 through P4 controls is required by September 30, 2027.
NIST SP 800-53 Rev 5 Alignment
The entire CJIS policy is now mapped to NIST SP 800-53 Rev 5 at the moderate baseline. Organizations already operating a NIST-based security program will find the alignment reduces duplicative compliance work.
Foundational Controls
Baseline requirements covering information exchange agreements, security awareness training, incident response, and auditing and accountability.
Information Exchange Agreements
Formal agreements required between agencies sharing CJI, establishing security responsibilities and compliance obligations.
Security Awareness Training
All personnel with CJI access must complete security awareness training within six months of assignment and biennially thereafter.
Incident Response
Organizations must maintain incident response capabilities including reporting security events to the CJIS ISO within 24 hours.
Auditing and Accountability
Audit logging of CJI access events with minimum one-year retention and regular review of audit records.
Access Controls
Authentication, access control, and identification requirements ensuring only authorized personnel access CJI. MFA is a P1 control sanctionable since October 1, 2024.
Multi-Factor Authentication (P1)
MFA is required for access to CJI systems from outside physically secure locations. This is a P1 control: agencies that have not implemented MFA face sanctions from the FBI CJIS Division.
Access Control
Least privilege and role-based access controls limiting CJI access to authorized personnel with a valid need.
Personnel Screening
State and national fingerprint-based background checks required for all personnel with unescorted access to CJI.
Technical Controls
Configuration management, media protection, physical protection, and system communications protection requirements, all mapped to NIST SP 800-53 Rev 5 controls in v6.0.
Encryption Standards
FIPS 140-2 certified encryption required for CJI in transit. Encryption at rest required for CJI stored outside physically secure locations.
Media Protection
Controls for electronic and physical media containing CJI including sanitization, disposal, and transport procedures.
Physical Protection
Physically secure locations with visitor controls, access logs, and environmental protections for systems housing CJI.
Governance
Formal security policies, cloud computing requirements, and mobile device security.
Formal Security Policy
Written security policy addressing all CJIS policy areas, approved by agency head, and reviewed annually.
Cloud Computing
Cloud providers must meet all CJIS requirements and sign the CJIS Security Addendum. Data must remain within U.S. boundaries.
Mobile Devices
Mobile device management, remote wipe capability, and encryption requirements for mobile access to CJI.
Note: CJIS compliance is audited triennially by the FBI CJIS Division or delegated state-level CJIS Systems Agency. Non-compliance can result in termination of access to CJIS systems including NCIC, III, and NICS. Under v6.0, P1 controls (including MFA) are sanctionable immediately; full P2-P4 compliance is required by September 30, 2027.
// Who Must Comply
- 1 Law enforcement agencies at federal, state, and local levels
- 2 Criminal justice agencies (courts, prosecutors, corrections)
- 3 Government agencies accessing criminal history data
- 4 Private contractors providing services to criminal justice agencies
- 5 Cloud service providers hosting or processing CJI
- 6 Network providers transporting CJI
- 7 Background check providers accessing FBI databases
// Key Requirements
Personnel Security
Fingerprint-based background checks for all personnel with unescorted access to CJI
Multi-Factor Authentication
MFA for CJI access outside physically secure locations (P1 control, sanctionable since October 1, 2024)
Encryption
FIPS 140-2 certified encryption for CJI in transit and at rest outside secure facilities
Audit Logging
Complete audit trails of CJI access with minimum one-year retention
Incident Response
Security incident reporting to CJIS ISO within 24 hours of discovery
Configuration Management
Hardened system configurations, change control, and regular vulnerability assessments
// Enforcement & Penalties
Non-compliance with the CJIS Security Policy results in termination of access to FBI CJIS systems. Under v6.0, P1 controls (including MFA) are sanctionable immediately. Because law enforcement and criminal justice operations depend on these systems, losing access effectively impairs the organization's core mission.
Termination of access to CJIS systems (NCIC, III, NICS)
Examples:
- Loss of access to National Crime Information Center (NCIC)
- Termination of Interstate Identification Index (III) access
- Suspension of National Instant Criminal Background Check System (NICS) access
- Federal and state criminal penalties for unauthorized disclosure of CJI
- Liability under Privacy Act and state privacy laws
// Cyber Insurance Impact
Organizations handling CJI face elevated risk profiles due to the sensitivity of criminal justice data. Cyber insurers evaluate CJIS compliance as an indicator of security maturity. Breaches involving CJI can trigger federal reporting obligations and significant legal exposure beyond standard data breach scenarios.
// How Breach Craft Helps
We help organizations achieve CJIS compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of CJIS.
// Common Questions
What version of the CJIS Security Policy is current?
Is MFA required under CJIS today?
What is the deadline for full CJIS v6.0 compliance?
How does CJIS v6.0 relate to NIST SP 800-53?
// Industries That Need CJIS
These industries commonly require CJIS compliance as part of their regulatory obligations.
Guide last reviewed: June 15, 2026
Ready to Strengthen Your Defenses?
Schedule a free consultation with our security experts to discuss your organization's needs.
Or call us directly at (445) 273-2873