Criminal Justice Information (CJI) Governance and Regulation
The Colorado Bureau of Investigation (CBI) is the state CJIS Systems Agency (CSA) providing all Colorado criminal justice agencies with connectivity to the Federal Bureau of Investigation Criminal Justice Information Services (FBI-CJIS) information systems. Additionally, some non-criminal justice agencies also have limited access to CJI pursuant to state and federal laws.
Under the agreement between the FBI and CBI, the CBI is tasked with ensuring proper use, storage and security of CJI within the state of Colorado. Criminal justice agencies accessing CCIC and the National Crime Information Center (NCIC) do so under agreements between CBI and their respective agencies. Under this shared management model, the FBI, CBI, and each local agency does their part to ensure record quality and security.
Rules governing the use of CCIC and NCIC information are based on the following federal laws:
- Title 28 of the Code of Federal Regulations (CFR), Part 20
- Title 18 of United States Code (USC), Section 2721
- Public Law 92-544
- National Crime Prevention and Privacy Compact
These standards specifically apply to CJI derived from the Colorado Crime Information Center (CCIC), the National Crime Information Center (NCIC), and the International Justice and Public Safety Network (Nlets).
Each agency in Colorado with access to CCIC and its interconnected systems must comply with the aforementioned standards as a condition of access. These standards are reflected in detailed policies including the CJIS Security Policy.
The CJIS Security Policy was developed by the Federal Bureau of Investigation Criminal Justice Information Services Division, also known as FBI-CJIS, at the request of the CJIS Advisory Policy Board, who manages the policy. The policy sets wide-ranging requirements for everything from facility security to encryption. The CBI validates that Colorado agencies are ensuring the quality and security of CJI by performing audits of all agencies using these systems. Failure to comply with the CJIS security policy may place a agency's access to CCIC in jeopardy.
For more information on the CJIS Security Policy, please visit the FBI CJIS Security Policy website.
What Areas or Topics Are Covered in the CJIS Security Policy?
For personnel working with information systems containing criminal justice information (CJI), the portion of the CJIS Security Policy with the greatest significance is chapter five. This chapter of the policy is laid out in 13 policy areas which each define the standards for that policy area. Below is a brief summary of the contents of the policy areas' standards:
| Policy Area | Summary |
| 1: Information Exchange Agreements | Proactively formalize the sharing of data, and incorporate the CJIS Security Addendum into contracts. |
| 2: Security Awareness Training | Training must be adequate for the individual's level of use of Criminal Justice Information (CJI). |
| 3: Incident Response | Plan, act, and communicate. A security incident may affect interconnected systems, and the CBI may need to know about it. |
| 4: Auditing and Accountability | Systems storing CJI must record user and administrator activities and maintain those logs for at least one year. |
| 5: Access Control | To ensure proper security, follow least privilege and review access authorizations regularly. |
| 6: Identification and Authentication | Force complex passwords, and use advanced authentication and/or mobile device management when physical security is not available. |
| 7: Configuration Management | Know what's in the agency's CJIS network and how data is protected. |
| 8: Media Protection | Digital and physical media (disk and paper) must be kept secure until they are securely destroyed. |
| 9: Physical Protection | Control and secure access to areas with CJIS Systems. |
| 10: Systems and Communications Protection and Information Integrity | Encryption must be NIST-Certified FIPS 140-2 in transit, and FIPS 197 at rest when information is stored or held outside the physically secure location. Also, intrusion and malware protections are required. |
| 11: Formal Audits | Any system containing CJI may be audited by the FBI or CBI. |
| 12: Personnel Security | Fingerprint-based background checks are required for all personnel with unescorted access (physical or logical) to unencrypted CJI, or areas where it is processed or stored. |
| 13: Mobile Computing | Ensure the security of wireless communications and mobile devices. |
These standards apply to both criminal justice agencies as well as non-criminal justice agencies who have access to CJI, with some variation due to the different levels and standards for access. The Denver Police Department would be one example of a criminal justice agency, and the Colorado Department of Education an example of a non-criminal justice agency.
The standards also apply to private businesses providing services to criminal justice and non-criminal justice agencies. These private businesses may be interested to know more about our CJIS Vendor Management Program, which consolidates the fingerprinting requirement for these contractors.
How Do I Know If My System Contains or Uses CJI?
Please view this page to learn more about what specific data types may constitute CJI.
Operational Assistance with the CJIS Security Policy
The CJIS Security Policy is designed to contain standards which do not designate a specific technology, but can be applied in diverse environments. For that reason, the CBI fields many questions regarding the application of the policy in specific circumstances.
In order to assist in the implementation of the policy, the CBI welcomes inquiries about the CJIS Security Policy. Please email your inquiries to CJIS Compliance Manager Matt Fisher at matthew.fisher@state.co.us.