What Is CJIS?
CJIS (Criminal Justice Information Services) Security Policy is the FBI standard governing access to and management of Criminal Justice Information (CJI), including data from the NCIC, fingerprint databases, and criminal history records. Any technology vendor, cloud provider, or managed service provider that accesses, stores, or processes CJI on behalf of law enforcement or criminal justice agencies must comply with CJIS requirements and sign a Management Control Agreement with the relevant state CJIS Systems Agency.
Why Choose AdVran for CJIS?
CJIS Security Policy applies to every organization, public or private, that accesses FBI CJIS systems or data. The requirements aren’t negotiable: background checks, encryption, advanced authentication, and auditing. All of them. AdVran meets those requirements operationally, not just on paper.
1. Personnel Security
Every AdVran employee with access to CJIS environments completes state and national fingerprint-based background checks. We keep documentation of personnel security status and clearance renewals current. No exceptions.
2. Advanced Authentication
CJIS requires multi-factor authentication for all CJI access. We deploy and manage MFA across every access point: local, remote, and mobile, with centralized policy enforcement so nothing slips through.
3. Encryption Standards
We set up FIPS 140-2 validated encryption for CJI at rest and in transit. Key management follows CJIS requirements with documented procedures and access controls that hold up under a state CSA audit.
4. Audit and Accountability
Our monitoring gives agencies the detailed audit logging CJIS requires: who accessed what data, when, and from where. Logs are tamper-resistant and retained per CJIS policy. That trail matters when something goes wrong.
5. CJIS Audit Readiness
We keep documentation aligned to the CJIS Security Policy’s 13 policy areas. When a state CJIS Systems Agency audit comes up, the evidence package is already organized. Minimal disruption. No scramble.
Frequently Asked Questions About CJIS Compliance
What is CJIS and who must comply?
CJIS compliance is required for any organization, including law enforcement agencies, courts, prosecutors’ offices, and their technology vendors, that accesses Criminal Justice Information from FBI systems. Cloud providers, MSPs, and IT vendors who support criminal justice agencies are all in scope. In California, the California Department of Justice (Cal DOJ) administers CJIS requirements for all state and local agencies.
What are the key CJIS security requirements?
CJIS Security Policy v5.9 requires multi-factor authentication for all CJI access, AES-256 encryption for CJI in transit and at rest, background screening for all personnel with unescorted access to CJI systems, security awareness training every two years, audit logging with 90-day retention, and physical security controls for systems processing CJI. Vendors must also complete CJIS security training and sign a Management Control Agreement with the agency’s CJIS Systems Officer.
What is a Management Control Agreement for CJIS?
A Management Control Agreement (MCA) is a contractual commitment by a vendor to comply with CJIS Security Policy requirements. AdVran signs an MCA with each criminal justice agency client, formally acknowledging our responsibility to set up and maintain CJIS-required security controls. All AdVran personnel with access to CJI systems complete FBI-required background checks and CJIS security awareness training before touching any CJI environment.
How does CJIS compliance interact with cloud services?
CJIS requires that cloud services storing or processing CJI meet requirements equivalent to on-premises standards. Not all commercial cloud environments qualify. Providers must show encryption, access controls, background screening, and physical security compliance. Microsoft Azure Government and AWS GovCloud are commonly used for CJIS workloads because of their documented CJIS compliance postures. AdVran uses only CJIS-eligible cloud environments for criminal justice agency clients.
What criminal justice agencies in Southern California does AdVran support?
AdVran offers CJIS-compliant IT and security services for law enforcement agencies, prosecutors’ offices, courts, and public safety organizations throughout Southern California, including Los Angeles County, Orange County, San Bernardino County, Riverside County, and San Diego County. All AdVran staff working with these clients hold current CJIS security training certifications and have completed the required background screening.