CJIS: Finding the right solution to a tricky compliance situation

As of January 2021, the FBI is moving towards the more sophisticated method of data exchange known as the National Incident Based Reporting System (NIBRS), which collects 58 data elements about an incident including victim and offender characteristics, location, relationships, weapons involved, and much more. This is a major change from the previous Summary Reporting System (SRS) that did not collect this kind of contextual information.¹

Predictably, Criminal Justice Information Services (CJIS) will become an even more critical security component for organizations in the public sector than it already is. CJIS compliance relies on federally mandated data storage, access, and use guidelines for state, local, and federal authorities. This streamlines the process towards a standardized methodology for identifying and controlling information that is brought through the federal database.

What’s in Criminal Justice Information anyway?

Identifying the more granular information that is relevant to CJI (Criminal Justice Information) enables law enforcement agencies to better plan and prepare their own approach towards developing a workflow that promotes compliance with CJIS Security Policy. Sensitive data that is protected by CJIS includes:

Biometric data

Biometric data is derived from one or more intrinsic physical or behavioral traits of humans, typically for the purpose of identifying individuals from within a population. This kind of data includes:

  • Fingerprints
  • Palm prints
  • Recognition data

Identity history data

Identity history data consists of textual data that corresponds with biometric data. This helps to provide a history of criminal and civil events for the individual in question.

Biographic data

Biographic data includes information about individuals associated with the unique case. Not to be confused with its namesake, biographic data doesn’t pertain to the history of the individual but rather the information related to the specific case.

Property data

Property data contains information about vehicles, homes, and other valuable property associated with crime when accompanied by any personally identifiable information (PII).

Case/incident history data

Case/incident history reveals information surrounding the individual’s history of criminal incidents.

Taking into account one or more aspects of these data components can allow security teams to narrow down potential security threats.

CJIS: Not a straightforward compliance situation

Setting strict compliance mandates

The CJIS Security Policy sets strict standards for storage, access, and use of the data described above. These policy standards are designed to make sure that CJIS information is released to the public via authorized dissemination within a public court system and presented in crime reports data. Information leakage that hasn’t been properly secured can result in potentially damaging information reaching the public eye and having major downstream impacts on subsequent jury trials as well as defendant safety. Additionally, all information must be purged or destroyed in accordance with applicable record retention rules.

Challenges towards compliance

CJIS Security Policy standardizes how all criminal justice agencies and law enforcement organizations must collect, store, and utilize sensitive information.

At the moment, however, the processes used to audit, access, and authenticate CJI are disparate and disorganized. For example, spreadsheets are one of the most commonly used tools, yet they are prone to data entry errors and are inefficient to manage. Additionally, there is no uniform way of identifying CJI data or protecting it. Some teams practice periodic audits but can’t keep up with the velocity and volume of data. Others may have found tools to reveal patterns, however each team within an agency might be using their own local solution. This can have negative consequences when teams using their own solutions obtain different results. The debate then goes to not the identity of the individual but rather why a certain tool is not adequate for the process.

Failure to comply with CJIS can lead to sanctions, financial penalties, and even jail time. An agency may also spend additional overhead in order to account for “make-good” services like identity theft protection for users who had their personal data exposed.

Simplify compliance initiatives

By replacing manual compliance processes with an integrated software solution, security teams can become much more efficient and accurate.

The Spirion CJIS software solution is scalable and can automate essential data privacy and protection tasks including:

  1. Data Discovery: Allows teams and organizations to identify sensitive data subject to CJIS Security Policy across endpoints, on-premise systems, and in any cloud environment.
  2. Data Classification: The classification process tags individual data files with the appropriate privacy/sensitivity level to dictate storage, usage, and sharing.
  3. Data Remediation: Remediation removes, masks, or otherwise manipulates data visibility to comply with standards and policies, but still leaves essential business information and intelligence intact.

CJIS Security Policy is among the most important government regulations, yet compliance is extremely difficult. Maintaining data integrity helps keep the criminal justice system safe, secure, and honest. Understanding where your sensitive CJI lives, how it is collected and used, and if or when it’s shared is vital to remaining compliant.

Watch this demo to learn more about how Spirion’s Sensitive Data Platform can help your agency discover, classify, and remediate sensitive data across your entire IT environment with 98% accuracy.


¹ “National Crime Statistics Exchange.” Bureau of Justice Statistics. March 3, 2021.