CJIS Security Policy v5.9+ — law-enforcement content, controlled.
The FBI Criminal Justice Information Services (CJIS) Security Policy governs access, transmission, storage, and audit of Criminal Justice Information (CJI) including Criminal History Record Information (CHRI). The policy is mandatory for any cloud service touching CJI on behalf of a Criminal Justice Agency (CJA) or Non-Criminal Justice Agency (NCJA) authorised to access CJI.
Talk to a Law-Enforcement solutions engineer · Read the law-enforcement CIO page
What CJIS Security Policy v5.9+ requires.
13 policy areas (Sections 5.1-5.13) covering: information exchange agreements, security awareness training, incident response, auditing + accountability, access control, identification + authentication, configuration management, media protection, physical protection, system + communications protection, formal audits, personnel security, mobile devices.
Specific controls of note: advanced authentication (AA) for indirect access (typically MFA), session lock after 30 minutes inactivity, encryption FIPS 140-2/3 validated, audit-event retention 365 days minimum, personnel screening + fingerprint-based background investigation for personnel touching CJI.
How TeamSync addresses CJIS.
1. CJIS-aligned control implementation across 13 sections.
Section-by-section control implementation; CJIS-CSP mapping pack provided.
2. Advanced Authentication enforced.
MFA enforced for CJI access; supported MFA factors per CJIS specifications.
3. FIPS-validated encryption.
FIPS 140-2/3 validated cryptographic modules in transit + at rest.
4. Audit retention + integrity.
CJIS-required audit retention (365 days minimum) exceeded; Merkle audit ledger anchors integrity beyond the floor.
5. Personnel screening attestations.
US-person + fingerprint-based background-investigated personnel for support; attestations provided.
6. CJI / CHRI compartment.
CHRI compartmentalised with stricter access; "need to know + right to know" enforced.
7. Brady / Giglio + FOIA workflows compatible.
eDiscovery handles defence-discovery production and public-records release with CJI controls preserved.
What customers see.
| Aspect | TeamSync coverage |
|---|---|
| 13 policy areas | Implemented |
| Advanced Authentication | MFA |
| FIPS-validated encryption | ✅ |
| 365-day audit retention | Exceeded |
| Personnel screening | US-person + fingerprint |
| CHRI compartmentalisation | ✅ |
| Brady / Giglio + FOIA workflows | Supported |
| Cryptographic audit | Merkle |
Adjacent rules + frameworks served.
- 28 CFR Part 23 (criminal intelligence systems) — adjacent regime
- CJIS Security Awareness Training — provided to CJI-touching personnel
- State CJIS systems (CLETS / NCIC / Nlets) — interface considerations