What is CJIS Security Policy?

The FBI's Criminal Justice Information Services (CJIS) Security Policy establishes the minimum security requirements for agencies accessing CJIS data systems — including NCIC, NLETS, the Interstate Identification Index, and state criminal databases. Every Ohio law enforcement agency that queries these systems must comply.

Compliance is verified through periodic audits conducted by the Ohio State CSA (CJIS Systems Agency). Agencies that fail audits risk suspension of CJIS system access — which directly impacts the ability to run background checks, query warrants, and access national crime databases.

⚠️ CJIS v5.9.5 Critical Change: The MFA exemption has been removed. All personnel accessing CJIS data must now use multi-factor authentication regardless of access method or network location.

Key Changes in CJIS v5.9.5

CJIS v5.9.5 introduced several significant updates across multiple policy areas:

1. MFA Exemption Removed (Policy Area 6)

Previously, agencies could claim an exemption from MFA requirements in certain circumstances — particularly for on-premises access on agency networks. That exemption is gone. Every user who accesses CJIS data must authenticate with MFA, including:

  • Officers accessing MDTs (mobile data terminals) in patrol vehicles
  • Dispatch personnel accessing CAD systems connected to CJIS
  • Administrative staff running background checks
  • IT administrators with elevated access
  • Any remote access (VPN, RDP, web portals)

2. Advanced Authentication Standards Updated

The standards for what constitutes acceptable advanced authentication (AA) have been tightened. SMS-based one-time passwords are no longer considered sufficient for advanced authentication. Acceptable methods now include authenticator apps, hardware tokens, and biometric verification.

3. Mobile Device Requirements Strengthened

Agencies using mobile devices (including officer smartphones and tablets) to access CJIS data must enforce MDM with full-disk encryption, remote wipe, and screen lock requirements. BYOD configurations that cannot meet these requirements are no longer compliant.

4. Vendor and Contractor Screening Updated

The fingerprint-based background screening requirements for vendor personnel have been clarified and strengthened. Any MSP, IT vendor, or cloud service provider with access to your CJIS environment must have screened personnel and must have executed the Security Addendum.

The 14 CJIS Policy Areas: What Agencies Must Document

A complete CJIS compliance program requires documentation across all 14 policy areas:

  1. Information Exchange Agreements
  2. Security Awareness Training
  3. Incident Response
  4. Auditing and Accountability
  5. Access Control
  6. Identification and Authentication
  7. Configuration Management
  8. Media Protection
  9. Physical Protection
  10. Systems and Communications Protection and Encryption
  11. Formal Audits
  12. Personnel Security
  13. Mobile Devices
  14. Cloud Computing

FAQ: CJIS v5.9.5 for Ohio Agencies

The most significant change is the removal of the MFA exemption. All agencies must now implement multi-factor authentication for every user accessing CJIS data. Additionally, advanced authentication standards were tightened, mobile device requirements strengthened, and vendor screening requirements clarified.

Failing a CSA audit can result in suspension of access to CJIS systems including NCIC, NLETS, and state criminal databases — directly impacting your agency's operational capability. Securafy has helped Ohio agencies remediate prior findings and achieve zero-finding audit results.

Yes. Any IT vendor with access to your CJIS environment must execute the CJIS Security Addendum and provide evidence of background screening for all personnel with access. Securafy is a CJIS-compliant technology provider and maintains current Security Addendum agreements.