The Criminal Justice Information Services (CJIS) division of the FBI provides relevant data and tools to law enforcement and intelligence organizations. It is located at a high-security facility on 986 acres of land in West Virginia. Criminal justice agencies at local, state, and federal levels — as well as the general public — use CJIS databases and platforms to access and share information related to criminal operations and investigations.
History of CJIS
The predecessor to CJIS was the Identification Division (also called “Ident”). This division was established in 1924 to create a national database for fingerprints that could be searched to match crime scene evidence. As technology advanced and crime became more sophisticated, the FBI needed to cover a broader spectrum of information related to identification and criminal justice. Thus, the CJIS division was established in 1992 as an evolution of the Identification Division. It is currently the largest division of the FBI and home to many programs and ongoing projects that involve biometric data and criminal records.
CJIS programs and departments
CJIS consists of numerous databases, departments, and programs, including but not limited to:
- National Crime Information Center (NCIC), a nationwide database of records relating to lost/stolen property, missing persons, fugitives, protection orders, identity theft, and similar crime-related incidents, documentation, and behaviors
- Identity History Summary Checks, a program that provides individuals with background information including criminal history, federal employment, naturalization, and military service
- Uniform Crime Reporting (UCR), a program that collects data and publishes statistical information on general crime incidents, hate crimes, active duty deaths, and use-of-force incidents
- Foreign Biometric Exchange (FBE), a program that collects and shares biometric data with law enforcement agencies internationally
- Next Generation Identification (NGI), a database of biometric data including finger and palm prints, iris and facial recognition, DNA, etc.
- National Instant Criminal Background Check System (NICS), a database used to verify a person’s eligibility to purchase firearms
What is CJIS compliance?
Given the large volume and sensitive nature of the data CJIS collects, stores, and uses, security is critical to the integrity of CJIS information. As such, the CJIS Security Policy outlines the standards for handling crime-related data under the FBI’s jurisdiction. (Note: CJIS does not require agencies to use any specific technology product to comply with this policy, but does require documentation that the stipulations of the policy have been met.) The policy is broken down into 13 areas:
- Information Exchange Agreements: Requires a written agreement of security compliance between organizations exchanging CJIS information
- Security Awareness Training: Requires regular security training for users with authorized access to CJIS
- Incident Response: Requires agencies to establish an incident response plan
- Auditing and Accountability: Requires logging for login attempts, system changes, file modifications, and similar events related to accessing CJIS data
- Access Control: Requires the ability to control who can access CJIS data and the actions authorized users may perform
- Identification and Authentication: Requires regular password updates, multi-factor authentication, and similar credential standards
- Configuration Management: Requires a limit on who can perform configuration changes or upgrades to an organization’s information systems
- Media Protection: Requires protection measures for CJIS data of all kinds at all times
- Physical Protection: Requires specific protocols for how physical documents or devices are stored and managed
- Systems and Communications Protection and Information Integrity: Requires internal security measures like encryption, endpoint protection, and network firewalls
- Formal Audits: Requires organizations to allow the FBI and other agencies to conduct formal audits of systems and policies
- Personnel Security: Requires security screening for all authorized users
- Mobile Devices: Requires security controls and usage restrictions on authorized users’ mobile devices