CJIS Compliance

FBI CJIS Security Policy Readiness for NC Agencies

Any organization that touches Criminal Justice Information (police departments, courts, corrections, 911 centers, and their IT vendors) must meet FBI CJIS Security Policy requirements. Petronella Technology Group has supported government and public safety IT teams across North Carolina for more than 24 years, preparing agencies for CJIS audits and keeping them compliant between cycles.

CMMC Registered Practitioner Org | BBB A+ Since 2003 | Founded 2002, Raleigh NC

The Framework

What CJIS Compliance Actually Means

The Criminal Justice Information Services division of the FBI manages the nation's largest repository of criminal justice data: the National Crime Information Center (NCIC), the Interstate Identification Index (III), the National Instant Criminal Background Check System (NICS), and dozens of supporting databases. To access any of these systems, your organization must comply with the CJIS Security Policy, currently at version 5.9.x.

Compliance is not optional and it is not self-certified in isolation. The FBI's CJIS Audit Unit and your state's Criminal Justice Information Network (CJIN) or equivalent agency (in North Carolina, that is the State Bureau of Investigation, the SBI) conduct triennial audits of every agency and authorized third party. Findings are graded, and organizations that fall short risk losing access to federal databases entirely. For a law enforcement agency, that means losing the ability to run wants-and-warrants checks. For an IT vendor, it means losing the contract.

The Security Policy divides requirements into 13 policy areas, each mapping to control families in NIST SP 800-53 (Moderate baseline). If your organization already operates under CMMC Level 2 or NIST 800-171, you have covered a significant portion of the ground: the CJIS and CMMC control sets share roughly 70% overlap. Our team holds CMMC Registered Practitioner credentials, which means we read these control families in detail every day and understand exactly where they align and where CJIS goes further.

The practical compliance burden breaks into three categories: what you must configure technically, what you must document administratively, and what you must train your staff to do. All three are audited. Triennial audits examine everything from firewall rules and MFA enrollment logs to signed Information Exchange Agreements and training completion records. Gaps in any category can produce findings that require remediation under a time-bound corrective action plan.

Policy Areas

All 13 CJIS Security Policy Areas

Version 5.9.x of the CJIS Security Policy covers 13 distinct areas. Our assessments evaluate your current posture against every one of them, not just the high-visibility controls that tend to generate findings.

Area 1

Information Exchange Agreements

Every organization receiving CJI must have a current, signed Information Exchange Agreement with its Compact Council or CSA. Unsigned or lapsed agreements are a common audit finding and can immediately disqualify access.

Area 2

Security Awareness Training

All personnel with access to CJI must complete CJIS-specific awareness training within six months of hire and refresh it biennially. The training must cover the specific threats to criminal justice data, not generic cybersecurity awareness.

Area 3

Incident Response

You must maintain a documented incident response plan that addresses detection, containment, eradication, recovery, and post-incident review. CJIS adds a specific requirement to report CJI-related security incidents to your CSA within defined windows.

Area 4

Auditing and Accountability

Every query, access attempt, and administrative action touching CJI must be logged. Logs must be retained for a minimum of one year. Log review must be ongoing, not just event-driven. Audit log integrity must be protected against tampering.

Area 5

Access Control

Requirements include role-based access control, least privilege, account lockout policies (five failed attempts triggers a 10-minute lockout, released either by an administrator or by a 10-minute automatic reset), and session timeouts of 30 minutes or less for unattended systems accessing CJI.
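The lockout and idle-timeout rules above, as an added example (not code from the page or from Petronella Technology Group) that implements exactly the stated parameters: five failed attempts, a 10-minute lockout with both administrator release and automatic reset, and a 30-minute idle timeout. The clock is passed in as epoch seconds so the behaviour can be exercised offline; the user names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Optional

# Parameters as stated for CJIS Policy Area 5 (Access Control) on this page.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 10 * 60        # lockout lasts 10 minutes unless an administrator releases it
SESSION_IDLE_SECONDS = 30 * 60   # an unattended session must time out at 30 minutes or less


@dataclass
class Account:
    failed_attempts: int = 0
    locked_until: Optional[float] = None   # epoch seconds; None means not locked
    last_activity: Optional[float] = None  # epoch seconds of the last session activity


class AccessPolicy:
    """Enforces lockout and idle-timeout rules; 'now' is injected so tests do not depend on wall time."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def _acct(self, user: str) -> Account:
        return self.accounts.setdefault(user, Account())

    def is_locked(self, user: str, now: float) -> bool:
        acct = self._acct(user)
        if acct.locked_until is None:
            return False
        if now >= acct.locked_until:
            # 10-minute auto-reset: the lockout expires and the failure counter clears
            acct.locked_until = None
            acct.failed_attempts = 0
            return False
        return True

    def record_attempt(self, user: str, success: bool, now: float) -> str:
        """Returns 'locked', 'denied' or 'granted'."""
        acct = self._acct(user)
        if self.is_locked(user, now):
            return "locked"            # a correct password is still refused while locked
        if success:
            acct.failed_attempts = 0
            acct.last_activity = now   # a successful login starts the session idle timer
            return "granted"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def admin_release(self, user: str) -> None:
        """Administrator-release path: clears the lockout before the 10-minute timer expires."""
        acct = self._acct(user)
        acct.locked_until = None
        acct.failed_attempts = 0

    def session_activity(self, user: str, now: float) -> bool:
        """Call on each request. False once the session has been idle for 30 minutes, in which
        case the session is expired and the user must re-authenticate; True refreshes the timer."""
        acct = self._acct(user)
        if acct.last_activity is None:
            return False
        if now - acct.last_activity >= SESSION_IDLE_SECONDS:
            acct.last_activity = None
            return False
        acct.last_activity = now
        return True
```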

Area 6

Identification and Authentication

Advanced authentication (multi-factor) is required for any remote access to CJI and for any locally accessed terminal not in a physically secure location. FIDO2 tokens, smart cards, and authenticator apps all qualify. SMS-only OTP is under increasing scrutiny.

Area 7

Configuration Management

Baseline configurations must be documented and enforced for every system that stores, processes, or transmits CJI. Unauthorized software must be blocked. Patch management timelines must be tracked and documented.

Area 8

Media Protection

Physical and digital media containing CJI must be labeled, tracked, transported securely, and sanitized or destroyed when decommissioned. This includes laptops, USB drives, backup tapes, and cloud storage volumes. NIST 800-88 sanitization guidance applies.

Area 9

Physical Protection

Facilities that house CJI systems must enforce physical access controls: badge readers, visitor logs, security cameras, and controlled entry for authorized personnel. Unattended terminals in public areas require screen locks or physical enclosures.

Area 10

System and Communications Protection

CJI must be encrypted in transit using FIPS 140-2 validated cryptography: AES-256 or equivalent, with TLS 1.2 as the minimum (TLS 1.3 strongly preferred). Unencrypted transmission of CJI over any network is a critical finding.

Area 11

Formal Audits

This area addresses the triennial audit process itself: documentation requirements, cooperation with auditors, and corrective action plan timelines. Organizations with repeat findings face escalating consequences including access suspension.

Area 12

Personnel Security

All personnel with unescorted access to CJI or CJI systems must pass fingerprint-based background checks through the FBI. Contractors and IT vendors are included. Checks must be re-run periodically, and terminated personnel must be offboarded immediately.

Area 13

Mobile Devices

Any mobile device used to access, store, or display CJI must be enrolled in a mobile device management system with remote wipe capability, full-device encryption, and screen lock enforcement. Consumer-grade BYOD devices are generally prohibited without additional controls.

Control Categories

Technical and Administrative Requirements

Passing a CJIS audit requires both. Technical controls protect the data; administrative controls prove you have a repeatable program. Auditors look for both in tandem.

Technical Controls

  • FIPS 140-2 encryption for CJI at rest (AES-256) and in transit (TLS 1.2+). This is the most frequently cited audit failure and the highest-priority remediation for most organizations we work with.
  • Multi-factor authentication for all remote CJI access. On-premises terminals in physically secure locations may qualify for single-factor, but the definition of "physically secure location" is strict.
  • Centralized SIEM and audit logging covering every system that touches CJI. Logs must be tamper-evident, retained for one year, and reviewed regularly for anomalies.
  • Mobile device management with remote wipe, full-disk encryption, screen lock enforcement, and certificate-based authentication for any device accessing CJI remotely.
  • Patch management and configuration baselines documented per system, with patch deployment tracked against a defined SLA (critical patches typically within 30 days).
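The tamper-evident, one-year-retained audit log required under Area 4 and in the SIEM bullet above, as an added example (not the page's or the vendor's code): each entry's hash covers the previous hash, so any edit or deletion inside the chain breaks verification, and expired entries can only be purged from the head of the chain while the purge boundary is carried forward as an anchor. Entry contents and timestamps are constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

RETENTION = timedelta(days=365)   # one-year minimum retention stated on this page
GENESIS = "0" * 64                # anchor for a chain that has never been purged


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.anchor = GENESIS          # hash the first retained entry must chain from
        self.entries: List[dict] = []  # each: {"record": {...}, "prev": str, "hash": str}

    def append(self, ts: datetime, user: str, action: str, target: str) -> str:
        record = {"ts": ts.isoformat(), "user": user, "action": action, "target": target}
        prev = self.entries[-1]["hash"] if self.entries else self.anchor
        h = _entry_hash(prev, record)
        self.entries.append({"record": record, "prev": prev, "hash": h})
        return h

    def verify(self) -> Tuple[bool, int]:
        """Recompute the chain from the anchor; returns (ok, index of first bad entry or -1)."""
        prev = self.anchor
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _entry_hash(prev, e["record"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, -1

    def purge_expired(self, now: datetime) -> int:
        """Remove only leading entries older than the retention window; returns the count removed.
        The hash of the last purged entry becomes the new anchor so the remainder still verifies."""
        cutoff = now - RETENTION
        removed = 0
        while self.entries and datetime.fromisoformat(self.entries[0]["record"]["ts"]) < cutoff:
            self.anchor = self.entries.pop(0)["hash"]
            removed += 1
        return removed


def build_sample_log(now: datetime) -> AuditLog:
    """Constructed sample: one entry past retention, two inside it."""
    log = AuditLog()
    log.append(now - timedelta(days=400), "jdoe", "NCIC_QUERY", "plate:XYZ123")
    log.append(now - timedelta(days=10), "jdoe", "NCIC_QUERY", "name:DOE,JOHN")
    log.append(now, "admin", "ACCOUNT_DISABLE", "user:jdoe")
    return log
```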

Note: Cloud service providers must provide documentation of their own CJIS compliance before you can store CJI in their environment. CJIS-compliant cloud options are a growing category, but not every major cloud provider is covered by a current CJIS Cloud Policy agreement.

Administrative Controls

  • Information Exchange Agreements signed with every entity that receives CJI from your organization, including IT vendors and contractors who have any access to systems handling CJI.
  • Personnel screening records documenting fingerprint-based background checks for every employee and contractor with CJI access. Rescreening timelines vary by state policy but are typically every five years.
  • Security awareness training records with completion dates, training content, and biennial refresh documentation for every CJI user. CJIS-specific curriculum is required, not generic security awareness.
  • Incident response plan with documented CSA notification procedures, breach classification criteria, and evidence of at least one tabletop exercise within the past year.
  • System security plan documenting your environment boundary, all in-scope systems, data flows for CJI, and the controls in place. This document is the foundation auditors work from.

Note: Many organizations we assess for the first time have the technical controls partially in place but missing the administrative documentation. Auditors examine both. A well-configured firewall with no system security plan still generates findings.

Audit Findings

Common CJIS Audit Findings and How to Prevent Them

Most CJIS audit findings cluster around a handful of recurring failure modes. Understanding them before your audit gives you time to address them on your own schedule rather than under a corrective action plan deadline.

Encryption Gaps on Endpoints and in Transit

The most common technical finding is CJI traveling over an unencrypted or weakly encrypted connection. This includes VPN connections using deprecated ciphers, internal network segments where CJI moves without TLS, and workstations where full-disk encryption was deployed but not confirmed active on all units. Auditors will test connections directly. We check every hop CJI takes through your network before your auditor does.
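A check for exactly this failure mode, as an added example that is not code from the page or from Petronella Technology Group: it evaluates connection records against the page's TLS 1.2 minimum and flags plaintext, deprecated protocol versions, and cipher suites outside an AES-GCM allow-list. The key=value log format, the sample lines, the hosts and the allow-list itself are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

MIN_TLS = (1, 2)   # TLS 1.2 minimum stated on this page; TLS 1.3 preferred
# Assumed allow-list: TLS 1.3 AES-GCM suites and TLS 1.2 AES-GCM suites with forward-secret
# key exchange. RC4, 3DES, CBC/SHA1, NULL and EXPORT suites therefore all produce a finding.
APPROVED = re.compile(
    r"^(TLS_AES_(128|256)_GCM_SHA(256|384)"
    r"|(ECDHE|DHE)-(RSA|ECDSA)-AES(128|256)-GCM-SHA(256|384))$"
)


def _tls_version(proto: str) -> Optional[Tuple[int, int]]:
    m = re.match(r"^TLSv(\d)\.(\d)$", proto)
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(line: str) -> Dict[str, str]:
    """Classify one connection record: ok, not_tls, deprecated_protocol or weak_cipher."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    proto, cipher = fields.get("proto", "none"), fields.get("cipher", "")
    ver = _tls_version(proto)
    if ver is None:
        finding = "not_tls"               # plaintext or SSLv2/v3: CJI crosses the wire unprotected
    elif ver < MIN_TLS:
        finding = "deprecated_protocol"   # TLS 1.0 / 1.1
    elif not APPROVED.match(cipher):
        finding = "weak_cipher"           # TLS 1.2 negotiated, but with a non-approved suite
    else:
        finding = "ok"
    return {"dst": fields.get("dst", "?"), "proto": proto, "cipher": cipher, "finding": finding}


def findings(log: str) -> List[Dict[str, str]]:
    """Return only the records that would be cited on a CJIS audit."""
    return [r for r in (assess(l) for l in log.strip().splitlines()) if r["finding"] != "ok"]


# Constructed sample records in the shape a VPN concentrator or proxy might export.
SAMPLE_LOG = """
ts=2024-03-04T10:15:22Z src=10.0.5.21 dst=rms.example.local:443 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384
ts=2024-03-04T10:16:01Z src=10.0.5.22 dst=vpn.example.local:443 proto=TLSv1.0 cipher=ECDHE-RSA-AES256-SHA
ts=2024-03-04T10:16:40Z src=10.0.5.23 dst=cad.example.local:8443 proto=TLSv1.2 cipher=AES128-SHA
ts=2024-03-04T10:17:05Z src=10.0.5.24 dst=legacy.example.local:80 proto=none cipher=
"""
```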

Missing or Stale MFA Enrollment

Many agencies deployed MFA for remote access under a specific tool (a VPN client, a terminal emulator) but left gaps: local admin accounts, service accounts, management interfaces, or secondary entry points. Auditors look for MFA exceptions and require documented justification for each. We map every access path to CJI systems and verify MFA coverage end to end.

Unsigned Information Exchange Agreements

It is not uncommon to find an IT vendor or software company with access to an agency's network who was never put through the IEA process. The vendor has been providing support for years, the relationship has grown organically, and nobody formalized the agreement. Auditors pull access logs and will identify every entity that touched the network. Any unsigned IEA is an immediate finding.

Insufficient Audit Log Coverage or Retention

Logging CJI access is required, but logging every relevant action across every in-scope system is harder than it sounds. Agencies frequently have logs from their CAD or records management system but gaps on the workstations, network devices, and secondary applications that interact with those systems. One-year retention requirements are also a common failure point when log storage is not properly sized or managed.

Incomplete or Outdated Personnel Screening Records

Personnel change. Contractors rotate. IT vendors bring in new engineers. Each of these transitions requires tracking fingerprint background check status. Agencies without a formal offboarding checklist that includes CJI access revocation are particularly vulnerable here. We build and help you maintain a current access registry with screening dates, so you can produce it on demand.

Training Gaps and Outdated Records

CJIS requires CJIS-specific training, not just a generic security awareness course. If your training provider is not delivering curriculum that references the CJIS Security Policy directly and addresses criminal justice-specific threats, auditors can disqualify the training. We design and deliver CJIS-aligned training programs and maintain completion records in a format auditors can review quickly.

Our Services

How Petronella Technology Group Supports CJIS Readiness

We work with NC government agencies, law enforcement IT teams, and private vendors to public safety organizations. Our approach is structured: assess first, remediate with evidence, document thoroughly, then prepare you to face the auditor with confidence.

01

CJIS Gap Assessment

Full evaluation across all 13 policy areas, producing a risk-ranked finding list with specific remediation steps and timeline estimates for each gap.

02

Encryption Deployment

We verify and document FIPS 140-2 validated encryption at rest on every endpoint and in transit on every connection that carries CJI. Where gaps exist, we close them.

03

MFA Rollout and Coverage Verification

Enterprise MFA deployment covering every access path to CJI systems, including exceptions documentation where specific terminals qualify for local single-factor.

04

SIEM and Log Management

Centralized log collection, one-year retention configuration, tamper-evident storage, and regular review workflows so you have a continuous compliance posture between audits.

05

Policy and Procedure Writing

System security plan, incident response plan, media protection procedures, and all other required documentation written to CJIS policy language and ready for auditor review.

06

Mock Audit and Corrective Action

We run an internal assessment using the same structure as a triennial audit, identify remaining gaps, and close them before your official audit window opens.

Who Must Comply

Organizations in Scope for CJIS

Any entity that accesses, stores, processes, or transmits Criminal Justice Information is in scope, including private companies that provide technology or support services to agencies that handle CJI.

  • Municipal Police Departments
  • County Sheriff Offices
  • Courts and Prosecutors
  • Corrections Departments
  • 911 and Emergency Dispatch
  • Probation and Parole Agencies
  • IT Vendors to Public Safety
  • Cloud Providers Hosting CJI
  • Records Management Vendors
  • CAD Software Providers

"CJIS compliance and CMMC compliance share the same underlying logic: apply NIST controls, document everything, and be able to prove it to an auditor. We spend a lot of time helping agencies understand that passing your CJIS audit and passing your CMMC assessment are not two separate programs. They reinforce each other. Starting from one makes the other far less painful."

Petronella Technology Group was founded in Raleigh in 2002. Craig Petronella is a Certified CMMC Registered Practitioner (CMMC-RP), Certified Network Associate (CCNA), and Certified Wireless Network Expert (CWNE). The entire delivery team holds CMMC-RP credentials. While our formal certifications are in the CMMC framework, the control overlap between CMMC Level 2 and the CJIS Security Policy is substantial: access control, audit logging, configuration management, identification and authentication, incident response, media protection, personnel security, physical protection, risk assessment, system and communications protection, and system and information integrity are all shared control families.

We work with county government IT teams, sheriff departments, and private technology vendors across North Carolina who support public safety operations. Our assessments are structured as readiness advisory engagements: we identify gaps, help you close them with evidence, and prepare you for the actual audit rather than just handing you a spreadsheet. We do not claim FBI CJIS audit credentials we do not hold. What we provide is deep technical and procedural knowledge of the control requirements and practical experience helping organizations meet them.

We operate from 5540 Centerview Drive in Raleigh and have held a BBB A+ rating since 2003. Reach us at (919) 348-4912 or through the contact form below.

CMMC-RP Certified | CCNA | CWNE | DFE #604180 | BBB A+ Since 2003 | Founded 2002

FAQ

CJIS Compliance Questions We Hear Every Week

What is the CJIS Security Policy and who enforces it?

The CJIS Security Policy is the FBI's mandatory security framework governing access to criminal justice databases including NCIC, III, and NICS. It is currently at version 5.9.x. Enforcement is carried out by the FBI's CJIS Audit Unit and by each state's Compact Council or equivalent agency. In North Carolina, the SBI oversees CJIS compliance at the state level. Organizations that fail audits face loss of database access and must complete a corrective action plan on a defined timeline.

How often are CJIS audits conducted?

The formal audit cycle is triennial: every three years. However, your state CSA may conduct interim compliance checks, and incidents such as a reported breach or a significant policy change can trigger an out-of-cycle review. We recommend treating compliance as a continuous posture, not a three-year sprint-and-rest cycle. Continuous log monitoring, annual policy reviews, and regular training refreshes keep you ready at any time.

Does CJIS apply to private IT vendors that support law enforcement?

Yes. Any private company that has access to systems that store, process, or transmit Criminal Justice Information is in scope. This includes IT managed services providers, CAD software vendors, records management companies, cloud hosting providers, and even on-site support technicians. Vendors must sign Information Exchange Agreements and meet all applicable CJIS controls. Background screening requirements also extend to vendor personnel.

Does CJIS require multi-factor authentication for all users?

MFA is required for any remote access to CJI systems and for any locally accessed terminal that is not in a physically secure location as defined by the CJIS Security Policy. The policy does allow single-factor authentication for terminals inside a physically secure location, but the definition is strict: controlled entry, monitored access, no public access. In practice, most organizations find it easier and safer to deploy MFA everywhere rather than argue about which terminals qualify for an exception.

What encryption does CJIS require?

CJI must be encrypted using FIPS 140-2 validated cryptographic modules, both at rest and in transit. AES-256 is the standard for at-rest encryption. TLS 1.2 is the minimum for in-transit encryption, and TLS 1.3 is strongly preferred. Using deprecated protocols such as TLS 1.0 or 1.1, or non-FIPS-validated algorithms, is a critical finding. Encryption gaps on endpoints, backup systems, and mobile devices are the most frequently cited technical failures in CJIS audits.

Can we use cloud services to store CJI?

Yes, but only with a cloud service provider that has been assessed and approved under the CJIS Cloud Policy. The cloud provider must sign a CJIS Security Addendum and undergo its own compliance review. Major providers including Microsoft Azure Government, AWS GovCloud, and others have pursued CJIS compliance documentation, but you must verify their current status and ensure your specific configuration is in scope. Storing CJI in a non-compliant cloud environment, even temporarily, is a policy violation.

What is the reporting window for a CJIS security incident?

The CJIS Security Policy requires that incidents involving unauthorized access to CJI be reported to your CSA as soon as possible. Many state-level policies tighten this to a 72-hour window, consistent with other frameworks. Your incident response plan must document the specific notification chain and contact information for your CSA. We help organizations build and test this plan so that the notification process works under real incident conditions, not just on paper.

How much does a CJIS readiness assessment typically cost and how long does it take?

Scope drives both cost and timeline. A small municipal agency with a well-documented environment might complete an initial assessment in two to three weeks. A larger county with multiple departments, many vendors, and a complex network may take six to eight weeks for a full gap assessment and documentation review. We can discuss your specific environment and give you a realistic estimate during an initial conversation. Call us at (919) 348-4912 or submit the contact form to start.

How does CJIS relate to CMMC Level 2?

Both frameworks trace back to NIST SP 800-53 control families, and the overlap is substantial: access control, audit and accountability, configuration management, identification and authentication, incident response, media protection, personnel security, physical and environmental protection, risk assessment, system and communications protection, and system and information integrity all appear in both. Organizations that have completed CMMC Level 2 assessments often find that their CJIS gap list is shorter than expected. We build on existing compliance work rather than starting from scratch, which reduces both time and cost.

Get Started

Ready to Face Your Next CJIS Audit?

Contact Petronella Technology Group for a structured CJIS readiness assessment. We work with NC agencies and public safety vendors across all 13 policy areas, from encryption and MFA to documentation and mock audits.