FBI CJIS v5.9.3
Criminal Justice Information Services Security Policy
Framework data extracted from the Secure Controls Framework (SCF) v2025.4 Set Theory Relationship Mapping (STRM) files, licensed under CC BY-ND 4.0. Attribution required per license terms.
232 requirements in total
4 — Criminal Justice Information (14 requirements)
4.1 Criminal Justice Information (CJI)
4.1.1 Criminal History Record Information (CHRI)
4.2 Access, Use and Dissemination of CJI
4.2.1 Proper Access to III Data
4.2.2 NCIC Restricted Files
4.2.3 NCIC Non-Restricted Files
4.2.3.1 Non-Restricted Files Access and Use
4.2.3.2 Non-Restricted Files Dissemination Limits
4.2.3.3 CSO Discretion for Non-Restricted Files
4.2.4 Storage of CHRI
4.2.5 Accountability for III Inquiries
4.2.5.1 Inquiry Reason Requirements
4.2.5.2 Sanctions for Improper Access
4.3 Personally Identifiable Information (PII)
5 — Policy and Implementation (94 requirements)
5.1 Information Exchange Agreements
5.1.1 Information Exchange Agreement Types
5.1.1.1 Information Handling and Protection
5.1.1.2 State and Federal Agency User Agreements
5.1.1.3 Criminal Justice Agency Agreements
5.1.1.4 Interagency and Management Control Agreements
5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum
5.1.1.6 Agency User Agreements
5.1.1.7 Channeler User Agreements
5.1.1.8 Contractor Agreements for Noncriminal Justice Functions
5.1.2 Monitoring, Review, and Delivery of Services
5.1.2.1 Managing Changes to Service Providers
5.1.3 Secondary Dissemination
5.1.4 Secondary Dissemination of Non-CHRI CJI
5.2 Security Awareness Training
5.3 Security Awareness Training Requirements
5.4 Auditing and Accountability
5.4.1 Auditable Events and Content
5.4.1.1 Events to be Logged
5.4.1.1.1 Content of Audit Records
5.4.2 Response to Audit Processing Failures
5.4.3 Audit Monitoring, Analysis, and Reporting
5.4.4 Time Stamps
5.4.5 Protection of Audit Information
5.4.6 Audit Record Retention
5.4.7 Logging NCIC and III Transactions
5.5 Access Control
5.6 Identification and Authentication
5.7 Configuration Management
5.7.1 Access Restrictions for Changes
5.7.1.1 Least Functionality
5.7.1.2 Network Diagram
5.7.2 Security of Configuration Documentation
5.8 Media Protection
5.9 Physical Protection
5.9.1 Physically Secure Location
5.9.1.1 Security Perimeter
5.9.1.2 Physical Access Authorizations
5.9.1.3 Physical Access Control
5.9.1.4 Access Control for Transmission Medium
5.9.1.5 Access Control for Output Devices
5.9.1.6 Monitoring Physical Access
5.9.1.7 Visitor Control
5.9.1.8 Access Records
5.9.2 Controlled Area
5.10 Systems and Communications Protection and Information Integrity
5.10.1 Information Flow Enforcement
5.10.1.1 Boundary Protection
5.10.1.2 Encryption
5.10.1.2.1 Encryption in Transit
5.10.1.2.2 Encryption at Rest
5.10.1.2.3 Public Key Infrastructure
5.10.1.3 Voice over IP
5.10.1.4 Cloud Computing
5.10.2 Facsimile Transmission of CJI
5.10.3 Partitioning and Virtualization
5.10.3.1 Application Partitioning
5.10.3.2 Virtual Environment Security
5.11 Formal Audits
5.11.1 FBI CJIS Division Audit Authority
5.11.1.1 Triennial Compliance Audits
5.11.1.2 Triennial Security Audits
5.11.2 CSA Audit Responsibilities
5.11.3 Special Security Inquiries and Audits
5.11.4 Compliance Evaluation
5.12 Personnel Security
5.12.1 Personnel Security Screening
5.12.2 Personnel Termination
5.12.3 Personnel Transfer
5.12.4 Personnel Sanctions
5.13 Mobile Devices
5.13.1 Mobile Device Management
5.13.1.1 Authorized Use
5.13.1.2 Personally Owned Mobile Devices
5.13.1.2.1 Official Use Mobile Devices
5.13.1.2.2 Personal Use Mobile Devices
5.13.1.3 Mobile Device Supplemental Guidance
5.13.1.4 Mobile Device Disposal
5.13.2 Wireless Device Risk Mitigations
5.13.3 Cellular Devices
5.13.4 Mobile Device Integrity
5.13.4.1 Patch and Vulnerability Management
5.13.4.2 Malware Protection
5.13.4.3 Personal Firewall
5.13.5 Mobile Device Incident Reporting
5.13.6 Mobile Device Audit and Accountability
5.13.7 Mobile Device Access Control
5.13.7.1 Mobile Device Session Lock
5.13.7.2 Mobile Device Authentication
5.13.7.2.1 Advanced Authentication on Mobile Devices
5.13.7.3 Mobile Device Remote Wipe
5.14 Security Incident Reporting
5.15 Criminal Justice Agency User Agreements
5.16 Cloud Computing
AC — Access Control (40 requirements)
AC-1 Policy and Procedures
AC-2 Account Management
AC-2(1) Account Management (1)
AC-2(2) Account Management (2)
AC-2(3) Account Management (3)
AC-2(4) Account Management (4)
AC-2(5) Account Management (5)
AC-2(13) Account Management (13)
AC-3 Access Enforcement
AC-3(14) Access Enforcement (14)
AC-4 Information Flow Enforcement
AC-5 Separation of Duties
AC-6 Least Privilege
AC-6(1) Least Privilege (1)
AC-6(2) Least Privilege (2)
AC-6(5) Least Privilege (5)
AC-6(7) Least Privilege (7)
AC-6(9) Least Privilege (9)
AC-6(10) Least Privilege (10)
AC-7 Unsuccessful Logon Attempts
AC-8 System Use Notification
AC-11 Device Lock
AC-11(1) Device Lock (1)
AC-12 Session Termination
AC-14 Permitted Actions Without Identification or Authentication
AC-17 Remote Access
AC-17(1) Remote Access (1)
AC-17(2) Remote Access (2)
AC-17(3) Remote Access (3)
AC-17(4) Remote Access (4)
AC-18 Wireless Access
AC-18(1) Wireless Access (1)
AC-18(3) Wireless Access (3)
AC-19 Access Control for Mobile Devices
AC-19(5) Access Control for Mobile Devices (5)
AC-20 Use of External Systems
AC-20(1) Use of External Systems (1)
AC-20(2) Use of External Systems (2)
AC-21 Information Sharing
AC-22 Publicly Accessible Content
AT — Awareness and Training (7 requirements)
IA — Identification and Authentication (25 requirements)
IA-0 ORI Use and Validation
IA-1 Policy and Procedures
IA-2 Identification and Authentication (Organizational Users)
IA-2(1) Identification and Authentication (Organizational Users) (1)
IA-2(2) Identification and Authentication (Organizational Users) (2)
IA-2(8) Identification and Authentication (Organizational Users) (8)
IA-2(12) Identification and Authentication (Organizational Users) (12)
IA-3 Device Identification and Authentication
IA-4 Identifier Management
IA-4(4) Identifier Management (4)
IA-5 Authenticator Management
IA-5(1) Authenticator Management (1)
IA-5(2) Authenticator Management (2)
IA-5(6) Authenticator Management (6)
IA-6 Authentication Feedback
IA-7 Cryptographic Module Authentication
IA-8 Identification and Authentication (Non-Organizational Users)
IA-8(1) Identification and Authentication (Non-Organizational Users) (1)
IA-8(2) Identification and Authentication (Non-Organizational Users) (2)
IA-8(4) Identification and Authentication (Non-Organizational Users) (4)
IA-11 Re-Authentication
IA-12 Identity Proofing
IA-12(2) Identity Proofing (2)
IA-12(3) Identity Proofing (3)
IA-12(5) Identity Proofing (5)
IR — Incident Response (15 requirements)
IR-1 Policy and Procedures
IR-2 Incident Response Training
IR-2(3) Incident Response Training (3)
IR-3 Incident Response Testing
IR-3(2) Incident Response Testing (2)
IR-4 Incident Handling
IR-4(1) Incident Handling (1)
IR-5 Incident Monitoring
IR-6 Incident Reporting
IR-6(1) Incident Reporting (1)
IR-6(3) Incident Reporting (3)
IR-7 Incident Response Assistance
IR-7(1) Incident Response Assistance (1)
IR-8 Incident Response Plan
IR-8(1) Incident Response Plan (1)
MA — Maintenance (9 requirements)
MP — Media Protection (6 requirements)
SA — System and Services Acquisition (1 requirement)
SI — System and Information Integrity (21 requirements)
SI-1 Policy and Procedures
SI-2 Flaw Remediation
SI-2(2) Flaw Remediation (2)
SI-3 Malicious Code Protection
SI-4 System Monitoring
SI-4(2) System Monitoring (2)
SI-4(4) System Monitoring (4)
SI-4(5) System Monitoring (5)
SI-5 Security Alerts, Advisories, and Directives
SI-7 Software, Firmware, and Information Integrity
SI-7(1) Software, Firmware, and Information Integrity (1)
SI-7(7) Software, Firmware, and Information Integrity (7)
SI-8 Spam Protection
SI-8(2) Spam Protection (2)
SI-10 Information Input Validation
SI-11 Error Handling
SI-12 Information Management and Retention
SI-12(1) Information Management and Retention (1)
SI-12(2) Information Management and Retention (2)
SI-12(3) Information Management and Retention (3)
SI-16 Memory Protection