CJIS Compliance: The Complete Guide to the FBI's Criminal Justice Information Services Security Policy

The Criminal Justice Information Services (CJIS) Security Policy is the FBI's mandatory security framework governing access to the nation's most sensitive law enforcement databases. Published and maintained by the FBI's CJIS Division, the policy establishes minimum security requirements for every agency, contractor, and cloud service provider that accesses Criminal Justice Information (CJI). CJI includes data from the National Crime Information Center (NCIC), the Interstate Identification Index (III), the National Instant Criminal Background Check System (NICS), and the Uniform Crime Reporting (UCR) program. As of the current CJIS Security Policy version 5.9.5 (October 2023), the framework contains 13 distinct policy areas that map directly to NIST SP 800-53 control families. Any organization that touches CJI, whether a local police department, a county court system, a corrections facility, or a private IT vendor providing services to those agencies, must comply with every applicable requirement in the CJIS Security Policy or face loss of access to FBI databases and potential criminal penalties.

Petronella Technology Group (PTG) has helped law enforcement agencies, courts, and public safety contractors across North Carolina achieve and maintain CJIS compliance since 2003. Led by Craig Petronella, a Licensed Digital Forensic Examiner (#604180) with 23+ years in cybersecurity, PTG combines AI-powered compliance automation with deep technical expertise to reduce the cost and complexity of meeting CJIS requirements. Call 919-348-4912 or view our compliance service packages to get started.

Who Must Comply with the CJIS Security Policy?

The CJIS Security Policy applies to a broader range of organizations than most people realize. Compliance is not optional; it is a condition of access to FBI criminal justice databases. The following entities must comply:

  • Law enforcement agencies at the federal, state, local, and tribal levels that access NCIC, III, NICS, or other CJIS systems
  • Courts and prosecutors' offices that query criminal history records for case proceedings
  • Corrections and probation departments that access offender records through CJIS systems
  • Public safety agencies including 911 dispatch centers and emergency management offices that receive CJI
  • Private contractors and IT vendors that provide technology services (networking, cloud hosting, managed IT, software development) to any of the above agencies
  • Cloud service providers hosting CJI data, including infrastructure (IaaS), platform (PaaS), and software (SaaS) providers
  • Non-criminal justice agencies authorized to receive CJI for civil purposes, such as background check services for employment screening

Every state designates a CJIS Systems Agency (CSA) responsible for administering CJIS policy within its jurisdiction. The CSA appoints a CJIS Systems Officer (CSO) who serves as the primary point of contact between the state and the FBI CJIS Division. In North Carolina, the State Bureau of Investigation (SBI) functions as the CSA. Organizations seeking CJIS access must work through their state CSA and agree to comply with all applicable policy areas.

The 13 CJIS Security Policy Areas

The CJIS Security Policy v5.9.5 organizes its requirements into 13 policy areas. Each policy area addresses a specific domain of information security and maps to corresponding NIST SP 800-53 Rev. 5 control families. Below is a detailed overview of each area.

Policy Area 1: Information Exchange Agreements

All entities accessing CJI must execute formal information exchange agreements before receiving data. These agreements specify security responsibilities, authorized use, dissemination restrictions, and sanctions for non-compliance. Agreements must be reviewed and renewed at least every two years. This maps to NIST 800-53 controls in the System and Services Acquisition (SA) and Planning (PL) families.

Policy Area 2: Security Awareness Training

All personnel with access to CJI must complete security awareness training within six months of initial assignment and biennially thereafter. Training must cover the CJIS Security Policy, social engineering threats, password management, and incident reporting procedures. This aligns with NIST 800-53 Awareness and Training (AT) controls. PTG offers customized security awareness training programs that satisfy CJIS requirements while addressing current threat vectors including AI-powered phishing attacks.

Policy Area 3: Incident Response

Organizations must maintain a documented incident response plan that covers detection, analysis, containment, eradication, and recovery. Security incidents involving CJI must be reported to the FBI CJIS Division's Information Security Officer (ISO) and the state CSA. This maps to NIST 800-53 Incident Response (IR) controls. Craig Petronella's credentials as a Licensed Digital Forensic Examiner (#604180) make PTG uniquely qualified to support incident response for agencies handling CJI, because forensic evidence preservation is critical when breaches involve criminal justice data.

Policy Area 4: Auditing and Accountability

CJIS requires comprehensive audit logging of all access to CJI, including successful and failed authentication attempts, data queries, modifications, and deletions. Audit logs must be retained for a minimum of one year and must be reviewed regularly. This corresponds to NIST 800-53 Audit and Accountability (AU) controls. PTG's AI-powered monitoring tools automate audit log analysis, flagging anomalous access patterns in real time rather than waiting for periodic manual review.

Policy Area 5: Access Control

Access to CJI must follow the principle of least privilege. Only authorized personnel with a validated need and completed background check may access CJI. Logical and physical access controls must be enforced. This maps to NIST 800-53 Access Control (AC) controls.

Policy Area 6: Identification and Authentication

This is one of the most technically demanding CJIS requirements. All users accessing CJI must authenticate using Advanced Authentication (AA), which the CJIS policy defines as authentication that goes beyond a simple username and password. In practice, this means multi-factor authentication (MFA). The policy requires AA for all users accessing CJI from any location, including within secure facilities. This maps to NIST 800-53 Identification and Authentication (IA) controls.

Policy Area 7: Configuration Management

Systems processing CJI must maintain secure configurations with documented baselines, change control processes, and vulnerability management. Software patches must be applied within a timeframe appropriate to the severity of the vulnerability. This corresponds to NIST 800-53 Configuration Management (CM) controls.

Policy Area 8: Media Protection

Physical and electronic media containing CJI must be protected throughout its lifecycle, including during transport, storage, and disposal. Media sanitization must follow NIST SP 800-88 guidelines. Digital media must be sanitized using approved methods before reuse or disposal. This maps to NIST 800-53 Media Protection (MP) controls.

Policy Area 9: Physical Protection

Facilities housing systems that process, store, or transmit CJI must implement physical security controls including access control to server rooms, visitor management, and environmental protections. This aligns with NIST 800-53 Physical and Environmental Protection (PE) controls.

Policy Area 10: Systems and Communications Protection

CJI transmitted across public networks must be encrypted using FIPS 140-2 validated cryptographic modules at a minimum of AES 128-bit encryption. CJI at rest must also be encrypted to the same standard. Boundary protections including firewalls, intrusion detection systems, and network segmentation are required. This maps to NIST 800-53 System and Communications Protection (SC) controls. PTG's patented technology stack provides FIPS-compliant encryption for both data in transit and data at rest, verified through our internal compliance automation platform.

Policy Area 11: Formal Audits

The CJIS Division, state CSAs, and their designated auditors conduct formal audits of agencies and contractors at least once every three years. Audits verify compliance across all 13 policy areas. Agencies must also conduct internal self-assessments between formal audits. This aligns with NIST 800-53 Assessment, Authorization, and Monitoring (CA) controls.

Policy Area 12: Personnel Security

All individuals with unescorted access to CJI or systems processing CJI must undergo state and national fingerprint-based background checks. Personnel screening must be completed before access is granted. This corresponds to NIST 800-53 Personnel Security (PS) controls. The fingerprinting requirement extends to contractors, including IT staff. PTG's team members who work with CJIS-regulated clients maintain current background checks and fingerprint records.

Policy Area 13: Mobile Devices

Mobile devices (laptops, tablets, smartphones) used to access or store CJI must implement the same security controls as fixed systems, plus additional protections for the mobile environment. Remote wipe capability, device encryption, and mobile device management (MDM) are required. This maps to multiple NIST 800-53 control families including AC, SC, and MP.

How CJIS Maps to NIST SP 800-53

The CJIS Security Policy is not a standalone framework created from scratch. Its requirements derive directly from NIST SP 800-53 Rev. 5, the federal government's master catalog of over 1,000 security and privacy controls organized into 20 families. The CJIS Division selected and tailored specific controls from 800-53 to address the unique requirements of criminal justice information protection.

The following table shows how each CJIS policy area maps to its primary NIST SP 800-53 control family:

| CJIS Policy Area | Primary NIST 800-53 Family | Key Controls |
|---|---|---|
| 1. Information Exchange Agreements | SA (System and Services Acquisition), PL (Planning) | SA-9, PL-4 |
| 2. Security Awareness Training | AT (Awareness and Training) | AT-2, AT-3 |
| 3. Incident Response | IR (Incident Response) | IR-1 through IR-8 |
| 4. Auditing and Accountability | AU (Audit and Accountability) | AU-2, AU-3, AU-6, AU-12 |
| 5. Access Control | AC (Access Control) | AC-1 through AC-6 |
| 6. Identification and Authentication | IA (Identification and Authentication) | IA-2, IA-5, IA-6 |
| 7. Configuration Management | CM (Configuration Management) | CM-2, CM-3, CM-6, CM-7 |
| 8. Media Protection | MP (Media Protection) | MP-2, MP-4, MP-6 |
| 9. Physical Protection | PE (Physical and Environmental Protection) | PE-2, PE-3, PE-6 |
| 10. Systems and Communications Protection | SC (System and Communications Protection) | SC-8, SC-13, SC-28 |
| 11. Formal Audits | CA (Assessment, Authorization, and Monitoring) | CA-2, CA-7 |
| 12. Personnel Security | PS (Personnel Security) | PS-3, PS-6, PS-7 |
| 13. Mobile Devices | AC, SC, MP (multiple families) | AC-19, SC-8, MP-6 |

Understanding this mapping is critical for organizations that must comply with multiple federal frameworks. If you already maintain NIST SP 800-171 compliance for Controlled Unclassified Information (CUI) or hold a CMMC certification, you have already implemented many of the controls required by CJIS. PTG's AI-powered compliance platform automatically identifies overlapping controls across frameworks, eliminating redundant work and reducing the time to achieve compliance by 40% or more.

CJIS Encryption Requirements

Encryption is one of the most frequently cited areas of non-compliance in CJIS audits. The policy is explicit and non-negotiable on this point:

  • Data in transit: CJI transmitted across any public network, wireless network, or virtual private network must be encrypted using a FIPS 140-2 validated cryptographic module with a minimum of AES 128-bit encryption (AES 256-bit is recommended)
  • Data at rest: CJI stored on any device or media must be encrypted to the same FIPS 140-2 standard when the data is at rest and the device could be accessed by unauthorized personnel
  • FIPS 140-2 validation: The cryptographic module itself must be listed on the NIST Cryptographic Module Validation Program (CMVP) list. Using AES encryption with a non-validated module does not satisfy the requirement

Common compliance failures include using consumer-grade VPNs that lack FIPS validation, storing CJI on unencrypted mobile devices, and transmitting CJI over email without end-to-end encryption. PTG's patented security technology stack provides FIPS-validated encryption across all transport and storage layers, configured and verified during our compliance assessment process.

Advanced Authentication (Multi-Factor Authentication) for CJIS

The CJIS Security Policy requires Advanced Authentication (AA) for all personnel accessing CJI. As defined in the policy, AA provides a higher level of confidence than simple username-and-password authentication. The policy supports several AA methods:

  • Something you know (PIN, password) combined with something you have (token, smart card, authenticated device)
  • Something you know combined with something you are (fingerprint, facial recognition)
  • Something you have combined with something you are

The AA requirement applies at every point of access, including local workstations within secure facilities, remote access connections, mobile devices, and cloud-based applications. There are no exceptions based on location. Even officers accessing NCIC from inside a physically secured police station must use AA.

PTG deploys and manages enterprise MFA solutions that satisfy CJIS AA requirements across all access points. Our solutions integrate with existing directory services (Active Directory, LDAP) and support hardware tokens, authenticator apps, and biometric authentication depending on the agency's operational needs.

Personnel Security: Background Checks and Fingerprinting

Every person with unescorted access to unencrypted CJI, or unescorted access to physically secure areas containing CJI systems, must pass a fingerprint-based background check through the state identification bureau and FBI. This requirement applies without exception to:

  • Sworn law enforcement officers
  • Civilian agency employees
  • IT administrators and help desk personnel
  • Contractors, vendors, and consultants
  • Janitorial and maintenance staff with unescorted physical access

Background checks must be completed before access is granted. There is no provisional or temporary access while a background check is pending. Personnel who fail the background check or who are subsequently convicted of a disqualifying offense must have all CJI access revoked immediately.

This requirement has significant implications for IT vendors. If your organization provides managed IT services, cloud hosting, or software support to a law enforcement agency, every member of your team who could access CJI must be fingerprinted and cleared. PTG maintains current background checks and fingerprint records for all team members who work with CJIS-regulated clients.

Cloud Computing and CJIS Compliance

The CJIS Security Policy addresses cloud computing in detail, recognizing that agencies increasingly rely on cloud services for data storage, application hosting, and disaster recovery. Cloud service providers (CSPs) hosting CJI must meet every applicable CJIS requirement, including:

  • Executing a CJIS Security Addendum with the contracting agency
  • Ensuring all personnel with potential access to CJI pass fingerprint-based background checks
  • Encrypting CJI at rest and in transit using FIPS 140-2 validated modules
  • Maintaining data within the United States (CJI must not be stored or processed outside U.S. borders)
  • Providing audit logs and supporting formal audits by the CSA or FBI
  • Implementing access controls that prevent unauthorized CSP employees from accessing CJI

Major cloud providers have established CJIS-compliant environments. AWS GovCloud, Microsoft Azure Government, and Google Cloud's Assured Workloads offer infrastructure configurations designed to meet CJIS requirements. However, deploying workloads in a CJIS-compliant cloud region does not automatically make your implementation compliant. You must properly configure encryption, access controls, audit logging, and network isolation within those environments.

PTG specializes in architecting CJIS-compliant cloud deployments. Our team evaluates your current infrastructure, designs a compliant architecture, migrates workloads, and provides ongoing monitoring. For agencies that require data sovereignty beyond what commercial cloud providers offer, PTG operates its own on-premise AI and compute infrastructure with GPU clusters and private cloud environments in Raleigh, NC, proving we practice what we recommend regarding data sovereignty and private infrastructure.

CJIS Audit Process and Frequency

CJIS compliance is verified through a layered audit structure:

  • FBI CJIS Division audits: The FBI audits each state CSA on a triennial (every three years) cycle. These audits evaluate the CSA's administration of the CJIS program statewide.
  • State CSA audits: State CSAs audit agencies and contractors within their jurisdiction, typically on a triennial cycle. In North Carolina, the SBI conducts these audits.
  • Self-assessments: Agencies are expected to conduct internal self-assessments between formal audits to identify and remediate gaps proactively.

Audit findings are categorized by severity. Critical findings, such as failure to implement encryption or Advanced Authentication, require immediate remediation. Failure to remediate findings can result in suspension or termination of CJIS access, which would prevent an agency from querying NCIC, running background checks, or accessing criminal history records.

PTG prepares organizations for CJIS audits by conducting pre-audit assessments that mirror the formal audit methodology. Craig Petronella, a CMMC Registered Practitioner and Amazon #1 Best-Selling Author of 14+ cybersecurity books, leads these assessments using PTG's proprietary compliance automation tools to identify gaps before auditors do. Our clients consistently pass formal audits on the first attempt.

CJIS vs. Other Government Security Frameworks

Organizations that work with multiple government agencies often face overlapping compliance requirements. The following comparison table illustrates how CJIS relates to other major frameworks. All four frameworks in this comparison derive their controls from NIST SP 800-53.

| Attribute | CJIS Security Policy | FedRAMP | NIST SP 800-171 | IRS Publication 1075 |
|---|---|---|---|---|
| Governing Body | FBI CJIS Division | GSA / FedRAMP PMO | NIST (DoD enforcement) | IRS Office of Safeguards |
| Data Type Protected | Criminal Justice Information (CJI) | Federal data in cloud systems | Controlled Unclassified Information (CUI) | Federal Tax Information (FTI) |
| Control Source | NIST 800-53 (tailored subset) | NIST 800-53 High + additional | NIST 800-53 Moderate (CUI subset) | NIST 800-53 Moderate + IRS overlays |
| Number of Requirements | 13 policy areas, ~200 requirements | 325+ controls (High baseline) | 110 security requirements | NIST 800-53 Moderate + 50+ IRS additions |
| Encryption Standard | FIPS 140-2, AES 128-bit minimum | FIPS 140-2 | FIPS-validated cryptography | FIPS 140-2 |
| MFA Required | Yes (Advanced Authentication) | Yes | Yes | Yes |
| Background Checks | Fingerprint-based, FBI and state | Per agency requirements | Per DFARS/contract requirements | IRS background investigation |
| Audit Frequency | Triennial (every 3 years) | Annual assessment + continuous monitoring | Triennial (CMMC assessment) | Triennial by IRS Safeguards |
| Cloud Requirements | CJIS Security Addendum, U.S. data residency | FedRAMP Authorization (JAB or Agency) | FedRAMP Moderate equivalent for cloud | IRS Publication 1075 compliance, U.S. data residency |
| Primary Audience | Law enforcement, courts, public safety, their vendors | Cloud service providers to federal agencies | Defense contractors handling CUI | State/local agencies receiving FTI from IRS |
| Penalty for Non-Compliance | Loss of CJIS access, potential criminal charges | Loss of federal contracts | Loss of DoD contracts | Loss of FTI access, sanctions |

If your organization must meet multiple frameworks simultaneously, PTG's AI-powered compliance platform maps controls across CJIS, FedRAMP, NIST 800-171, IRS 1075, and other frameworks to identify shared requirements. This cross-framework mapping, powered by our private on-premise AI fleet, eliminates duplicate effort and reduces overall compliance costs by 30-50%.

Common CJIS Compliance Challenges

After conducting hundreds of compliance assessments for government agencies and their vendors, PTG has identified the most frequent CJIS compliance gaps:

1. Incomplete Advanced Authentication Deployment

Many agencies deploy MFA for remote access but fail to implement it for local access within secure facilities. The CJIS policy requires AA at all access points without exception. PTG deploys MFA solutions that cover every access vector, from VPN connections to local workstation logins.
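The factor combinations listed in the Advanced Authentication section, and the local-access gap described here, can be checked against login records. The following is an added example, not PTG's tooling or anything defined by the CJIS policy; the record layout, method names, access-path names, and sample logins are assumptions constructed for illustration.

```python
from collections import defaultdict

# Factor categories as listed in the Advanced Authentication section.
# The method names are labels chosen for this example (assumption).
CATEGORY = {
    "password": "know", "pin": "know",
    "token": "have", "smart_card": "have", "authenticated_device": "have",
    "fingerprint": "are", "facial_recognition": "are",
}

# Constructed sample login records (not real data).
LOGINS = [
    {"user": "ofc.a", "path": "remote_vpn", "methods": ["password", "token"]},
    {"user": "ofc.a", "path": "local_workstation", "methods": ["password"]},
    {"user": "disp.b", "path": "local_workstation", "methods": ["password", "pin"]},
    {"user": "inv.c", "path": "mobile_device",
     "methods": ["fingerprint", "authenticated_device"]},
    {"user": "adm.d", "path": "cloud_application", "methods": ["password", "sms_code"]},
    {"user": "clk.e", "path": "local_workstation", "methods": ["smart_card", "pin"]},
]


def aa_result(methods):
    """Return (ok, reason) for the methods presented in one login."""
    categories = {CATEGORY[m] for m in methods if m in CATEGORY}
    if len(categories) >= 2:
        return True, "+".join(sorted(categories))
    unknown = sorted(set(methods) - set(CATEGORY))
    if unknown:
        # Fail closed: a method nobody has mapped to a category is not
        # counted toward AA until a reviewer classifies it.
        return False, "unrecognized method: " + ", ".join(unknown)
    if not categories:
        return False, "no factor presented"
    # Two methods from the same category (password + PIN) land here.
    return False, "single factor category: " + next(iter(categories))


def find_aa_gaps(logins):
    """List (user, access path, reason) for every login that lacks AA."""
    gaps = []
    for rec in logins:
        ok, reason = aa_result(rec["methods"])
        if not ok:
            gaps.append((rec["user"], rec["path"], reason))
    return gaps


def coverage_by_path(logins):
    """Per access path: (logins meeting AA, total logins)."""
    counts = defaultdict(lambda: [0, 0])
    for rec in logins:
        ok, _ = aa_result(rec["methods"])
        counts[rec["path"]][0] += int(ok)
        counts[rec["path"]][1] += 1
    return {path: tuple(c) for path, c in counts.items()}


if __name__ == "__main__":
    for user, path, reason in find_aa_gaps(LOGINS):
        print(f"GAP  {user:8} {path:18} {reason}")
    for path, (ok, total) in coverage_by_path(LOGINS).items():
        print(f"{path:18} {ok}/{total} logins with AA")
```

On the sample data the remote path is fully covered while two of three local workstation logins fail, which is the pattern this section describes.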

2. Non-FIPS Encryption

Using AES encryption is not sufficient; the cryptographic module must be FIPS 140-2 validated. Organizations frequently use commercial VPN products or disk encryption tools that implement AES but are not listed on the NIST CMVP validated modules list. PTG verifies every cryptographic implementation against the CMVP list during our assessments.

3. Vendor Personnel Not Fingerprinted

IT vendors often overlook the fingerprinting requirement for their staff. If a help desk technician can remotely access a workstation that contains CJI, that technician must have passed a fingerprint-based background check. PTG helps organizations inventory all personnel with potential CJI access and ensure every individual is properly screened.

4. Inadequate Audit Logging

Audit logs must capture all CJI access events and be retained for at least one year. Many organizations log authentication events but fail to log individual data queries, exports, or modifications. PTG configures comprehensive audit logging that satisfies CJIS requirements and uses AI-powered analytics to automatically flag anomalous access patterns.
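A self-assessment can test both points from Policy Area 4 and this section: whether each system logs every required event class rather than authentication alone, and whether the oldest retained record evidences one year of retention. This is an added example, not PTG's tooling; the log line format, event names, system names, and sample records are assumptions constructed for illustration, and the retention check assumes each system has been in service for more than a year.

```python
from datetime import datetime, timedelta

# Event classes named in the text: authentication successes and failures,
# queries, modifications, deletions, and exports.
REQUIRED_EVENTS = {"auth_success", "auth_failure", "query",
                   "modify", "delete", "export"}
RETENTION = timedelta(days=365)  # "at least one year"
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample audit log (not real data).
SAMPLE_LOG = """\
2024-01-10T08:02:11Z system=rms user=ofc.a event=auth_success
2024-01-10T08:03:40Z system=rms user=ofc.a event=query
2024-06-02T14:20:05Z system=rms user=clk.e event=modify
2024-06-02T14:21:17Z system=rms user=clk.e event=export
2024-09-18T23:45:00Z system=rms user=unknown event=auth_failure
2025-01-07T10:12:33Z system=rms user=adm.d event=delete
2024-11-05T09:00:00Z system=evidence user=inv.c event=auth_success
2024-11-05T09:00:09Z system=evidence user=inv.c event=auth_failure
corrupted line without fields
2025-02-20T16:30:00Z system=evidence user=inv.c event=auth_success
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], TS_FORMAT)
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if "system" not in fields or "event" not in fields:
        return None
    fields["ts"] = ts
    return fields


def assess(log_text, as_of):
    """Return (per-system report, count of unparseable lines)."""
    seen, oldest, skipped = {}, {}, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # unparseable records are themselves a finding
            continue
        name = rec["system"]
        seen.setdefault(name, set()).add(rec["event"])
        oldest[name] = min(oldest.get(name, rec["ts"]), rec["ts"])
    report = {}
    for name, events in seen.items():
        report[name] = {
            "missing_events": sorted(REQUIRED_EVENTS - events),
            "oldest_record": oldest[name].date().isoformat(),
            "one_year_evidenced": as_of - oldest[name] >= RETENTION,
        }
    return report, skipped


if __name__ == "__main__":
    report, skipped = assess(SAMPLE_LOG, as_of=datetime(2025, 3, 1))
    for name, result in report.items():
        print(name, result)
    print("unparseable lines:", skipped)
```

The sample's `evidence` system shows the failure mode named above: authentication is logged, but no query, modification, deletion, or export events appear, and its oldest record is under a year old.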

5. Mobile Device Gaps

Officers and investigators increasingly use mobile devices to access CJI in the field. Each device must be encrypted, managed through an MDM solution, and capable of remote wipe. PTG deploys and manages mobile device management solutions that enforce CJIS-compliant security policies across the entire mobile fleet.

PTG's CJIS Compliance Process

Petronella Technology Group follows a structured methodology to bring organizations into full CJIS compliance:

  1. Gap Assessment: PTG's team, led by Craig Petronella (Cisco CCNA, CWNE, MIT Artificial Intelligence Certificate), conducts a comprehensive assessment of your current security posture against all 13 CJIS policy areas. Our AI-powered assessment tools automate control evaluation and produce a detailed gap report within days, not weeks.
  2. Remediation Planning: We develop a prioritized remediation roadmap that addresses critical gaps first. PTG's patented compliance tools generate remediation task lists with specific technical configurations required for each control.
  3. Implementation: PTG's engineers implement the required security controls, including encryption deployment, MFA configuration, network segmentation, audit logging, and policy documentation. We handle both the technical implementation and the policy/procedure documentation required for audit.
  4. Continuous Monitoring: CJIS compliance is not a one-time event. PTG provides ongoing monitoring through our managed IT services to detect configuration drift, failed controls, and emerging vulnerabilities before they become audit findings.
  5. Audit Preparation: Before your formal CJIS audit, PTG conducts a mock audit using the same methodology the CSA auditors will use. We identify and remediate any remaining gaps so you pass the formal audit on the first attempt.

PTG is one of the only firms in the Research Triangle that combines AI development capabilities (custom AI agents, private LLMs, GPU hosting) with deep cybersecurity and compliance expertise. This combination allows us to automate compliance tasks that other firms handle manually, delivering faster results at lower cost, especially for small and mid-size agencies and contractors that lack dedicated compliance staff.

CJIS Compliance Checklist

PTG maintains a comprehensive, open-source CJIS compliance checklist on GitHub. The checklist covers all 13 policy areas with specific technical requirements and verification steps. Download it, fork it, and use it to track your organization's compliance status:

GitHub Repository: github.com/capetron/cjis-compliance-checklist

The checklist is maintained by Craig Petronella and the PTG compliance team and is updated with each new version of the CJIS Security Policy. It includes control mappings to NIST SP 800-53 Rev. 5, NIST SP 800-171, and CMMC Level 2 to support organizations that must comply with multiple frameworks.

Frequently Asked Questions About CJIS Compliance

What is Criminal Justice Information (CJI)?

CJI is the term used to describe all data provided by the FBI CJIS Division, including biometric data (fingerprints, palm prints, iris scans), identity history records, person and property records from NCIC, stolen vehicle information, active warrants, and any data derived from those sources. CJI also includes Criminal History Record Information (CHRI), which is the subset of CJI that contains an individual's arrest and conviction history. The CJIS Security Policy applies to CJI in all forms: electronic, printed, or verbal.

Does CJIS compliance require FIPS 140-3 or is FIPS 140-2 still accepted?

As of the CJIS Security Policy v5.9.5, the requirement specifies FIPS 140-2 validated cryptographic modules. FIPS 140-3 validated modules also satisfy the requirement, as FIPS 140-3 is the successor standard. NIST has transitioned the CMVP to accept only FIPS 140-3 submissions for new validations as of September 2021, but existing FIPS 140-2 certificates remain valid. Organizations deploying new solutions should prefer FIPS 140-3 validated modules for future-proofing.

How often are CJIS audits conducted?

Formal CJIS audits are conducted on a triennial (every three years) cycle. The FBI CJIS Division audits state CSAs, and state CSAs audit agencies and contractors within their jurisdictions. Between formal audits, agencies are expected to perform internal self-assessments. PTG recommends conducting annual internal assessments to identify and remediate drift before it becomes a formal finding.

Can CJI be stored in a commercial cloud environment?

Yes, but with strict conditions. The cloud service provider must execute a CJIS Security Addendum, all personnel with potential access to CJI must pass fingerprint-based background checks, data must be encrypted at rest and in transit with FIPS-validated modules, and CJI must remain within the United States. AWS GovCloud, Azure Government, and Google Assured Workloads provide infrastructure designed to meet these requirements. However, proper configuration of the cloud environment is the customer's responsibility, and many organizations fail CJIS audits despite using a compliant cloud platform due to misconfiguration.

What happens if an organization fails a CJIS audit?

Audit findings are categorized by severity. Critical findings require immediate remediation (typically within 30 days). If an organization fails to remediate critical findings, the state CSA can suspend or terminate that organization's access to CJIS systems. For a law enforcement agency, this means losing the ability to query NCIC, run background checks, or access criminal history records, which would severely impair operations. For contractors and vendors, loss of CJIS access means losing the contract.

Do IT vendors and managed service providers need to comply with CJIS?

Yes. Any contractor, vendor, or service provider whose personnel have access to CJI, or who could access CJI through their administrative access to systems processing CJI, must comply with all applicable CJIS requirements. This includes managed IT providers, cloud hosting companies, software vendors, and even janitorial companies with unescorted physical access to secure areas. Vendors must sign the CJIS Security Addendum and ensure all relevant personnel are fingerprinted and background-checked.

How does CJIS relate to FISMA?

The Federal Information Security Modernization Act (FISMA) requires federal agencies to implement security controls based on NIST SP 800-53 through the Risk Management Framework (RMF). CJIS and FISMA share the same foundational control catalog (NIST 800-53), but they serve different purposes. FISMA applies to federal information systems broadly, while CJIS specifically governs access to criminal justice databases. An organization subject to both frameworks can leverage significant control overlap, as both are rooted in the same NIST controls.

Is CJIS compliance required for body camera and evidence management systems?

If a body camera or digital evidence management system stores, processes, or transmits CJI (for example, by linking video evidence to NCIC records or criminal history information), then that system must comply with the CJIS Security Policy. Many modern evidence management platforms integrate with criminal justice databases, which triggers CJIS requirements for the entire system, including encryption, access controls, audit logging, and personnel security for anyone who administers the system.

What is the CJIS Security Addendum?

The CJIS Security Addendum is a contractual document that must be executed between any non-criminal justice agency or private contractor and the contracting government agency before the contractor can access CJI. The addendum incorporates the CJIS Security Policy requirements by reference, making them legally binding contractual obligations. It covers data handling, personnel screening, security controls, incident reporting, and the right of the CSA to audit the contractor's compliance. PTG executes CJIS Security Addenda with all clients who require CJIS-regulated services.

Start Your CJIS Compliance Journey

Whether you are a law enforcement agency preparing for a triennial audit, an IT vendor seeking to serve public safety clients, or a cloud provider looking to host CJI workloads, PTG has the expertise and technology to get you compliant efficiently. Craig Petronella's combined credentials as a CMMC Registered Practitioner, Licensed Digital Forensic Examiner (#604180), Cisco CCNA, CWNE, and MIT AI Certificate holder uniquely position PTG to handle both the technical and regulatory dimensions of CJIS compliance.

PTG makes enterprise-grade CJIS compliance accessible to small and mid-size agencies and contractors. Our AI-powered compliance platform, backed by on-premise GPU clusters and private LLMs, automates the assessment, remediation, and monitoring process, delivering results in weeks rather than months.

Call 919-348-4912 or schedule a free CJIS compliance assessment to identify your gaps and get a clear remediation roadmap.

Petronella Technology Group, Inc.
5540 Centerview Dr. Suite 200, Raleigh, NC 27606
919-348-4912

Last Reviewed: March 2026