The Criminal Justice Information Services (CJIS) Security Policy is the FBI’s framework for protecting criminal justice information throughout its lifecycle, from creation and transmission to storage and destruction. It sets the minimum security standards that any agency or organization must meet to access CJIS systems and data.
The CJIS Division was established in 1992 and is the largest division of the FBI. It serves as the central hub for criminal justice data and services used by law enforcement, national security, and intelligence partners across the country. The Security Policy itself has been formalized and expanded over the years, with version 5.0 published in 2011 and a series of updates since. The policy draws on Presidential directives, federal law, FBI guidance, and recommendations from the CJIS Advisory Policy Board.
Two recent versions matter for compliance planning. Version 5.9.5, released in July 2024, remains the audit standard for many agencies during the current transition period. Version 6.0, released on December 27, 2024, is the most significant update in over a decade. It restructures the policy to align with NIST Special Publication 800-53 at the moderate baseline and introduces a phased compliance timeline, with full compliance required by October 1, 2027. Importantly, the MFA requirement is a Priority 1 control, which means it has been auditable and enforceable since October 1, 2024, regardless of which version an agency is assessed against.
The CJIS Security Policy applies to every person and organization that accesses, stores, transmits, or supports criminal justice information. The scope is broad and often surprises organizations that assume it only covers sworn officers. It includes:
A note for Canadian organizations: The CJIS Security Policy is a United States framework governing access to FBI criminal justice data. Canadian organizations generally fall under it only when they provide services or technology to US agencies that access CJI, or when they handle that data under an agreement with a US criminal justice agency. Canadian agencies have their own information-sharing frameworks, but any organization touching FBI CJI is expected to meet CJIS requirements.
The authentication requirements live in the Identification and Authentication policy area of the CJIS Security Policy. The current policy requires multi-factor authentication for all access to criminal justice information. The table below maps the key authentication-related requirements to their MFA relevance and how LoginTC supports them.
| CJIS Requirement Area | Requirement | MFA Relevance | LoginTC Relevance |
|---|---|---|---|
| Identification & Authentication | MFA required for all access to CJI, for both privileged and non-privileged accounts | Mandatory | MFA for Windows logon, VPN, RDP, and applications via RADIUS/LDAP/AD |
| Privileged Account Access | System administrators must authenticate with MFA at the system level | Mandatory | MFA enforcement for administrative and privileged accounts |
| Remote Access | Remote connections to CJI treated as higher risk, with stricter authentication controls | Mandatory | MFA for VPN and remote desktop gateway access |
| Authentication Strength | Authenticator selection guided by NIST SP 800-63 assurance levels | Method quality | Support for phishing-resistant factors including FIDO2 and hardware tokens |
| Audit & Accountability | Authentication and access events must be logged and available for audit | Audit evidence | Centralized authentication logs for CJIS audit support |
The CJIS Security Policy defines MFA the same way most modern standards do. A compliant solution requires at least two different types of authentication factor from the following three categories:
Using two passwords, or a password plus a security question, does not satisfy the requirement, because both fall into the same category. A compliant setup must draw from two distinct categories, for example a password plus a hardware token.
The current policy requires MFA for both privileged and non-privileged accounts. Privileged accounts, such as system administrators, must authenticate with MFA at the system level, and agencies are encouraged to apply additional MFA at the application level based on the account’s level of access and risk. Non-privileged accounts, meaning regular users, are also required to authenticate at the system level using MFA. This is a meaningful change from older versions of the policy, where advanced authentication was focused primarily on remote access.
The CJIS Security Policy does not mandate one specific MFA product or technology. Instead, it points agencies to NIST Special Publication 800-63, the federal digital identity guidelines, for help selecting appropriate authentication methods and assurance levels. For agencies that want to strengthen their posture, NIST’s Authenticator Assurance Level 2 (AAL2), which corresponds to phishing-resistant MFA, is the benchmark to aim for. This connection makes phishing-resistant methods such as FIDO2 security keys and certificate-based authentication especially relevant for CJIS compliance.
Criminal justice environments include access patterns that do not show up in a typical office setting. A few are worth planning for specifically:
Mapping these scenarios early helps avoid a common mistake: deploying MFA on obvious systems like VPNs while leaving shared terminals or field devices on password-only access, which leaves a compliance gap and a real security risk.
Yes. As of October 1, 2024, multi-factor authentication is a mandatory and auditable requirement for all access to criminal justice information. It is classified as a Priority 1 control, the highest priority tier, which means it became enforceable and subject to sanctions immediately rather than on the longer timeline that applies to other controls.
The requirement is comprehensive. It covers every account that accesses CJI, including regular users, administrators, and third parties. It applies whether the access happens remotely or from inside a physically secure facility. Earlier versions of the policy required advanced authentication mainly for remote connections, so agencies that built their authentication strategy around that older model need to extend MFA to all access points.
The policy is also clear that a username and password alone is no longer acceptable. The entire purpose of the requirement is to ensure that a stolen or guessed password cannot, by itself, grant access to criminal justice information. With compromised credentials behind most modern cyberattacks, this control is one of the most important defenses an agency can put in place.
For agencies planning ahead, version 6.0 of the policy reinforces and builds on the MFA requirement as part of its broader alignment with NIST 800-53. The bottom line is straightforward: if your agency accesses CJI and any account can reach that data with only a password, you are not compliant.
The consequences of failing to meet CJIS requirements are serious and specific to the criminal justice context. Compliance is verified through audits conducted by the FBI and by state-level CJIS Systems Agencies (CSAs), which oversee CJIS access within each state.
The most immediate consequence of a failed audit is the potential loss of access to FBI criminal justice databases. For a law enforcement agency, losing access to a system like the National Crime Information Center (NCIC) means officers cannot run criminal history or warrant checks in the field. This is not just an administrative problem; it is a direct public safety risk that affects the agency’s ability to do its job.
Beyond loss of access, non-compliance can lead to financial penalties and, in cases involving misuse of criminal justice information, potential criminal charges. Agencies may also face mandatory remediation requirements and increased audit scrutiny going forward. Because the CJIS Security Policy now expects continuous compliance rather than point-in-time checks, agencies are expected to demonstrate that their controls, including MFA, operate effectively over time.
There is also a reputational and operational dimension. A breach of criminal justice information can compromise active investigations, expose the personal data of individuals, and erode public trust in the agencies responsible for protecting that information. For vendors, failing to support an agency’s CJIS compliance can mean losing contracts and being passed over for future work, as agencies increasingly scrutinize their technology partners on CJIS readiness before signing.
Start by identifying every system, application, and device that stores or provides access to criminal justice information. Document how users currently authenticate to each one, and identify where only a password is in use. Pay attention to both remote access and access from inside secure facilities, since the current policy covers both. This inventory becomes the foundation of your compliance plan.
Map out who accesses CJI and through what kind of account. Separate privileged accounts, such as system administrators, from non-privileged user accounts, and include third-party contractors and vendors. Both privileged and non-privileged accounts require MFA, so every category needs to be covered. Vendor and contractor access is a common gap, so account for it explicitly.
Choose an MFA solution that works with the systems agencies actually run. Many law enforcement environments are built around Active Directory and use a mix of Windows workstations, VPNs, and field applications. Look for a solution that integrates through RADIUS, LDAP, and Active Directory so you can cover these systems without replacing them. Consider whether you need cloud-based, on-premises, or hybrid deployment, and confirm the solution supports the authentication factors that suit your workforce, including options for staff who do not carry personal mobile devices.
Because the policy points to NIST 800-63 and its AAL2 assurance level, phishing-resistant authentication is the stronger path. Where practical, prioritize methods such as FIDO2 security keys, smart cards, or certificate-based authentication, especially for privileged accounts and high-risk access. These methods defend against the phishing and credential theft attacks that the MFA requirement is designed to stop.
Roll out MFA to every system identified in your assessment. This includes Windows logon, VPN and remote access, remote desktop gateways, and the applications used to access criminal justice data. Make sure no access path is left where a password alone is enough. Pay particular attention to administrative and remote access, which carry the highest risk.
CJIS compliance is verified through audits, so your authentication system must produce clear records. Enable logging of authentication events, including successful logins, failed attempts, and account changes, and make sure those logs are retained and easy to retrieve. Good logging both satisfies the audit and accountability expectations of the policy and helps you detect suspicious activity.
When it comes to MFA, auditors generally want to see evidence of a few specific things: that MFA is enforced on every system and account that can reach CJI, that it uses at least two distinct factor types, that privileged accounts are covered, that vendor and contractor access is included, and that authentication logs are available to demonstrate the controls are working. Being able to produce a clear inventory of access points and their MFA coverage, along with supporting logs, is what separates a smooth audit from a difficult one.
Make sure everyone who accesses CJI understands how to use MFA and why it matters. Clear training reduces help desk load and improves adoption. Because the policy now expects continuous compliance, schedule regular reviews of your authentication controls, especially when you add systems, change vendors, or onboard new staff, and stay aware of upcoming policy updates such as version 6.0 and its 2027 deadline.
LoginTC is well suited to the systems that law enforcement agencies and their partners rely on, and offers MFA for government environments specifically. Many of these environments are built around Active Directory and include a mix of Windows workstations, VPNs, remote desktop, and field applications. LoginTC integrates with these systems through RADIUS, LDAP, and Active Directory, so agencies can add MFA across their access points without replacing existing infrastructure.
To meet the requirement for MFA on all access to criminal justice information, LoginTC enforces strong authentication for Windows logon, VPN and remote access, remote desktop gateways, and the applications staff use to reach CJI. It supports a range of authentication factors, including hardware tokens, smart cards, and FIDO2 security keys, which matters for officers and staff who cannot rely on a personal mobile device or who need phishing-resistant authentication aligned with the NIST AAL2 standard the policy references.
For agencies that need to keep authentication infrastructure within their own environment, LoginTC offers an on-premises deployment option. Detailed authentication logs and centralized administration give compliance teams the records they need to demonstrate MFA coverage during a CJIS audit. For a deeper breakdown of the requirements, LoginTC also maintains a detailed guide to CJIS MFA requirements.
Yes. As of October 1, 2024, multi-factor authentication is a mandatory and auditable requirement for all access to criminal justice information. It is a Priority 1 control, meaning it is immediately enforceable and subject to sanctions. The requirement covers privileged and non-privileged accounts and applies to both remote access and access from within secure facilities.
It applies to any person or organization that accesses, stores, transmits, or supports criminal justice information. This includes law enforcement agencies, courts, prosecution offices, dispatch centers, government IT staff, and any contractor or vendor with access to CJI or to the physical spaces where it is handled.
CJIS requires at least two different factor types from three categories: something you know (such as a password or PIN), something you have (such as a hardware token, smart card, or security key), and something you are (such as a fingerprint or facial scan). The policy points to NIST 800-63 for guidance on authentication strength, and phishing-resistant methods that meet the AAL2 standard, such as FIDO2 security keys, are strongly preferred for higher-risk access.
Yes. The current policy requires MFA whether access happens remotely or from inside a physically secure location. This is a change from older versions, which focused advanced authentication requirements mainly on remote access. Agencies that previously applied MFA only to remote connections need to extend it to all access to CJI.
The CJIS Security Policy is a United States framework governing access to FBI criminal justice data. Canadian organizations are generally subject to it when they provide technology or services to US agencies that access CJI, or when they handle FBI criminal justice data under an agreement. Any organization that touches this data is expected to meet CJIS requirements regardless of where it is located.
Version 5.9.5, released in July 2024, remains the audit standard for many agencies during the current transition period. Version 6.0, released in December 2024, is a major modernization that aligns the policy with NIST SP 800-53 and introduces a phased compliance timeline running to October 1, 2027. The MFA requirement applies under both versions, since it is a Priority 1 control that became enforceable on October 1, 2024.
The most serious consequence is the potential loss of access to FBI criminal justice databases such as NCIC, which directly affects an agency’s ability to run criminal history and warrant checks. Non-compliance can also bring financial penalties, mandatory remediation, increased audit scrutiny, and, in cases involving misuse of data, potential criminal charges.
Meeting the CJIS MFA requirement across Windows logins, VPNs, remote desktop, and field applications takes planning, especially in agencies that run a mix of older and newer systems and need to support staff who are not always at a desk. Getting the coverage right, and being able to prove it during an audit, is where many agencies want support.
Our team helps law enforcement agencies and their technology partners deploy MFA that meets CJIS requirements without disrupting day-to-day operations. If you are preparing for a CJIS audit or extending MFA across your systems, we are ready to help.