28 CFR 20FBIactive
Criminal Justice Information Services (CJIS) Security Policy
Plain English Summary
Sets security requirements for all entities accessing FBI criminal justice databases and information systems.
CFR Title
28
CFR Part
20
Effective Date
Oct 1, 1992
Jurisdiction
US
Full Text
All entities with access to FBI Criminal Justice Information Services data must comply with the CJIS Security Policy. Requirements include advanced authentication for personnel accessing criminal justice information, encryption of CJI data at rest and in transit, personnel security screening, and audit logging.
Agencies must maintain security awareness training programs, incident response plans, and access controls. Physical security of facilities housing CJI systems must meet specified standards. Compliance assessments are conducted every three years.
criminaltechnologycybersecurity