Criminal Justice Information Services Security Policy

Data centers must establish and maintain detailed information exchange agreements with each law enforcement agency accessing CJI through their infrastructure, explicitly authorizing data types, transmission methods, access scope, and security responsibilities.

These agreements must document the specific criminal justice information categories being shared, define the purpose and legal authority for each data exchange, specify encryption standards and transmission protocols, and establish incident notification procedures with maximum response timeframes of 24 hours for security breaches.

The IEA serves as the legal and technical foundation governing all CJI handling within the data center environment.

All data center personnel with any access to CJI, including administrators, security personnel, and third-party contractors, must complete FBI-recognized CJIS security awareness training within 30 days of hire and annually thereafter, with documented certification maintained and auditable.

Training must cover the sensitivity of criminal justice information, unauthorized access penalties under federal law, proper handling procedures specific to law enforcement data, social engineering threats targeting criminal justice systems, and the data center's specific security policies for CJI protection.

Data center management must maintain training records for a minimum of three years and demonstrate 100% completion rates during compliance audits.

Data centers must implement role-based access control (RBAC) with principle of least privilege, ensuring each user account has access only to the minimum CJI necessary for their specific job function, with administrative access separated from operational access.

Multi-factor authentication must protect all remote access to systems containing CJI, utilizing methods such as hardware tokens, SMS verification, or biometric authentication; default credentials must be disabled; and system accounts must be individually identifiable rather than shared.

Access logs must capture user identity, access method, resources accessed, time, and action taken, with logs retained for minimum 90 days and protected against tampering.

Data centers must establish and maintain a formal incident response plan specifically addressing CJI security incidents, with defined escalation procedures, investigation protocols, and notification requirements to the FBI and affected law enforcement agencies within 24 hours of discovery of any unauthorized CJI access or suspected data breach.

The incident response team must include technical personnel, legal representatives, and security leadership; a documented chain of custody must be maintained for all forensic evidence; and root cause analysis must be completed within 30 days with corrective actions implemented before resuming full CJI operations.

All systems accessing, storing, or transmitting CJI must generate comprehensive audit logs capturing every access event with timestamps, user identification, resources accessed, and actions performed, with logs maintained for minimum 90 days and protected with write-once storage or cryptographic integrity verification.

Data centers must implement real-time monitoring systems that alert security personnel to suspicious access patterns, failed authentication attempts exceeding thresholds, after-hours access to CJI repositories, and bulk data extractions that may indicate unauthorized exfiltration.

Log analysis must occur at least weekly with documented reviews and escalation of anomalies.

All personnel accessing CJI must be individually authenticated through unique user credentials, with passwords meeting complexity requirements (minimum 12 characters, uppercase, lowercase, numbers, and special characters) and changed every 90 days with prohibition on password reuse for at least 12 previous passwords.

Administrative accounts accessing CJI must require multi-factor authentication for each access session; service accounts must be prohibited from accessing CJI; and privileged access must be logged separately and reviewed for appropriateness monthly.

Account lockout must activate after five failed authentication attempts within 15 minutes.

Data center facilities storing or processing CJI must implement badge access controls with time-based permissions, closed-circuit camera surveillance in server rooms and tape storage areas with 30-day video retention, environmental controls maintaining temperature between 65-75°F and humidity between 45-55%, and segregated network infrastructure physically isolated from non-CJI systems where technically feasible.

Visitor access to CJI areas must be prohibited; contractor access must be pre-approved and escorted; and removable media containing CJI must be stored in locked cabinets with separate access tracking.

All CJI in transit must be encrypted using FIPS 140-2 validated cryptographic algorithms (minimum AES-256 for data at rest, TLS 1.2 or higher for data in transit), with encryption keys managed through secure key management systems separate from encrypted data

Network segregation must isolate CJI systems from internet-facing and non-law-enforcement systems through firewalls, demilitarized zones (DMZ), and virtual private networks (VPN); unencrypted CJI must never traverse public or untrusted networks.

Data centers must implement intrusion detection and prevention systems monitoring for unauthorized access attempts or data exfiltration patterns specific to criminal justice information characteristics.