Skip to main content
> CJIS

Criminal Justice Information Services Security Policy

Protecting criminal justice information across law enforcement and government agencies

Established: 1998 (original policy) Last Updated: December 2024 (Version 6.0) Scope: United States
6.0
Current Version

What changed in CJIS Security Policy v6.0?

The FBI released CJIS Security Policy v6.0 on December 27, 2024. It is the most significant restructuring of the policy in years. The entire policy is now mapped to NIST SP 800-53 Rev 5 at the moderate baseline, replacing the previous custom control structure. v6.0 introduces Priority tiers P1 through P4 so agencies can phase implementation by risk. P1 controls, which include multi-factor authentication, became subject to FBI CJIS sanctions on October 1, 2024. Agencies that have not deployed MFA for CJI access outside physically secure locations are already out of compliance. Full compliance with P2 through P4 controls is required by September 30, 2027. Organizations already running NIST-based programs will find the new structure reduces duplicative work.

// What is CJIS?

The CJIS Security Policy establishes the minimum security requirements for access to FBI Criminal Justice Information Services systems and data. It applies to every entity (law enforcement, government agency, private contractor, or cloud provider) that accesses, transmits, stores, or processes Criminal Justice Information (CJI).

CJI includes biometric data, identity history records, property records, case and incident data from the National Crime Information Center (NCIC), and data from the National Instant Criminal Background Check System (NICS). Unauthorized disclosure of CJI can compromise investigations, endanger individuals, and violate federal and state law.

Version 6.0, released December 27, 2024, is a major restructuring of the policy. It maps the entire CJIS policy to NIST SP 800-53 Rev 5 (moderate baseline) and introduces a tiered Priority framework (P1 through P4) so agencies can sequence compliance work by criticality. P1 controls, including multi-factor authentication, became subject to sanctions as of October 1, 2024. Full compliance with P2 through P4 controls is required by September 30, 2027.

The policy defines security areas covering everything from personnel screening and physical security to encryption standards and incident response. Compliance is audited by the FBI CJIS Division and state-level CJIS Systems Agencies (CSAs).

// Inside the Regulation

CJIS Security Policy v6.0 restructures the policy around NIST SP 800-53 Rev 5 and introduces Priority tiers P1-P4 to guide phased implementation. P1 (including MFA) is sanctionable now; P2-P4 compliance is required by September 30, 2027.

1

Priority Tier Framework (v6.0)

Version 6.0 introduced a tiered Priority framework to help agencies sequence compliance. P1 controls carry immediate sanction risk; P2-P4 follow a phased schedule.

P1 Controls (Sanctionable Now)

The highest-priority controls, including multi-factor authentication, became subject to FBI CJIS sanctions as of October 1, 2024. Agencies not meeting P1 requirements face access termination.

P2-P4 Controls (Due September 30, 2027)

Lower-priority controls have a phased implementation window. Full compliance with all P2 through P4 controls is required by September 30, 2027.

NIST SP 800-53 Rev 5 Alignment

The entire CJIS policy is now mapped to NIST SP 800-53 Rev 5 at the moderate baseline. Organizations already operating a NIST-based security program will find the alignment reduces duplicative compliance work.

2

Foundational Controls

Baseline requirements covering information exchange agreements, security awareness training, incident response, and auditing and accountability.

Information Exchange Agreements

Formal agreements required between agencies sharing CJI, establishing security responsibilities and compliance obligations.

Security Awareness Training

All personnel with CJI access must complete security awareness training within six months of assignment and biennially thereafter.

Incident Response

Organizations must maintain incident response capabilities including reporting security events to the CJIS ISO within 24 hours.

Auditing and Accountability

Audit logging of CJI access events with minimum one-year retention and regular review of audit records.

3

Access Controls

Authentication, access control, and identification requirements ensuring only authorized personnel access CJI. MFA is a P1 control sanctionable since October 1, 2024.

Multi-Factor Authentication (P1)

MFA is required for access to CJI systems from outside physically secure locations. This is a P1 control: agencies that have not implemented MFA face sanctions from the FBI CJIS Division.

Access Control

Least privilege and role-based access controls limiting CJI access to authorized personnel with a valid need.

Personnel Screening

State and national fingerprint-based background checks required for all personnel with unescorted access to CJI.

4

Technical Controls

Configuration management, media protection, physical protection, and system communications protection requirements, all mapped to NIST SP 800-53 Rev 5 controls in v6.0.

Encryption Standards

FIPS 140-2 certified encryption required for CJI in transit. Encryption at rest required for CJI stored outside physically secure locations.

Media Protection

Controls for electronic and physical media containing CJI including sanitization, disposal, and transport procedures.

Physical Protection

Physically secure locations with visitor controls, access logs, and environmental protections for systems housing CJI.

5

Governance

Formal security policies, cloud computing requirements, and mobile device security.

Formal Security Policy

Written security policy addressing all CJIS policy areas, approved by agency head, and reviewed annually.

Cloud Computing

Cloud providers must meet all CJIS requirements and sign the CJIS Security Addendum. Data must remain within U.S. boundaries.

Mobile Devices

Mobile device management, remote wipe capability, and encryption requirements for mobile access to CJI.

Note: CJIS compliance is audited triennially by the FBI CJIS Division or delegated state-level CJIS Systems Agency. Non-compliance can result in termination of access to CJIS systems including NCIC, III, and NICS. Under v6.0, P1 controls (including MFA) are sanctionable immediately; full P2-P4 compliance is required by September 30, 2027.

// Who Must Comply

  • 1 Law enforcement agencies at federal, state, and local levels
  • 2 Criminal justice agencies (courts, prosecutors, corrections)
  • 3 Government agencies accessing criminal history data
  • 4 Private contractors providing services to criminal justice agencies
  • 5 Cloud service providers hosting or processing CJI
  • 6 Network providers transporting CJI
  • 7 Background check providers accessing FBI databases

// Key Requirements

Personnel Security

Fingerprint-based background checks for all personnel with unescorted access to CJI

Multi-Factor Authentication

MFA for CJI access outside physically secure locations (P1 control, sanctionable since October 1, 2024)

Encryption

FIPS 140-2 certified encryption for CJI in transit and at rest outside secure facilities

Audit Logging

Complete audit trails of CJI access with minimum one-year retention

Incident Response

Security incident reporting to CJIS ISO within 24 hours of discovery

Configuration Management

Hardened system configurations, change control, and regular vulnerability assessments

// Enforcement & Penalties

Non-compliance with the CJIS Security Policy results in termination of access to FBI CJIS systems. Under v6.0, P1 controls (including MFA) are sanctionable immediately. Because law enforcement and criminal justice operations depend on these systems, losing access effectively impairs the organization's core mission.

Maximum Penalty

Termination of access to CJIS systems (NCIC, III, NICS)

Examples:

  • Loss of access to National Crime Information Center (NCIC)
  • Termination of Interstate Identification Index (III) access
  • Suspension of National Instant Criminal Background Check System (NICS) access
  • Federal and state criminal penalties for unauthorized disclosure of CJI
  • Liability under Privacy Act and state privacy laws

// Cyber Insurance Impact

Organizations handling CJI face elevated risk profiles due to the sensitivity of criminal justice data. Cyber insurers evaluate CJIS compliance as an indicator of security maturity. Breaches involving CJI can trigger federal reporting obligations and significant legal exposure beyond standard data breach scenarios.

// How Breach Craft Helps

We help organizations achieve CJIS compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of CJIS.

// Common Questions

What version of the CJIS Security Policy is current?

Version 6.0, released December 27, 2024. It replaces v5.9.2 and represents a full restructuring of the policy around NIST SP 800-53 Rev 5 (moderate baseline). If your CJIS compliance program is based on an earlier version, it needs to be updated. The FBI CJIS Division publishes the policy at le.fbi.gov.

Is MFA required under CJIS today?

Yes, and non-compliance is now sanctionable. Multi-factor authentication for CJI access outside physically secure locations is a P1 Priority control under v6.0. P1 controls became subject to FBI CJIS sanctions on October 1, 2024. Law enforcement agencies, contractors, and cloud providers that have not yet deployed MFA for CJI-adjacent systems are at immediate risk of access termination.

What is the deadline for full CJIS v6.0 compliance?

It depends on the priority tier. P1 controls (including MFA) are sanctionable now. Full compliance with P2 through P4 controls is required by September 30, 2027. The phased timeline was designed to give agencies with complex environments time to implement the lower-priority controls without forcing everything at once. P1 received no such grace period.

How does CJIS v6.0 relate to NIST SP 800-53?

v6.0 maps every CJIS requirement to NIST SP 800-53 Rev 5 at the moderate baseline. This alignment is new as of December 2024. For organizations already operating a NIST-based security program, the mapping means you can assess CJIS compliance gaps within your existing control framework rather than treating CJIS as a separate silo. Cloud providers seeking to serve law enforcement should use the NIST mapping to identify which SP 800-53 controls address each CJIS requirement.

// Related Frameworks

// Industries That Need CJIS

These industries commonly require CJIS compliance as part of their regulatory obligations.

Guide last reviewed: June 15, 2026

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873