CJIS Security Policy Compliance for Law Enforcement Vendors

Feb 23, 2027 through Feb 24  |  Virtual 2-Day Intensive  |  10:00 AM ET

Two-day intensive for vendors and integrators serving state, local, and tribal law enforcement. Covers FBI CJIS Security Policy v5.9 areas including personnel screening, advanced authentication, encryption standards, audit logging, and incident response. Critical for SaaS providers with criminal justice information system access.

Topics: CJIS Security Policy, CJI, NCIC, Law Enforcement
Instructor: Carl B. Johnson  |  Location: Virtual (Zoom)
Tuition: $1,495

What This Session Covers

Law enforcement vendors and integrators face one of the most demanding compliance environments in the public sector. The FBI Criminal Justice Information Services (CJIS) Security Policy governs how any organization that touches Criminal Justice Information (CJI) must protect, transmit, store, and audit that data — and the consequences of non-compliance include contract termination and loss of system access. This two-day intensive builds the working knowledge your team needs to operate confidently inside that framework.

FBI CJIS Security Policy v5.9 Core Areas

The curriculum follows the structure of CJIS Security Policy v5.9 and covers the policy areas most likely to generate audit findings for vendors and SaaS providers:

  • Personnel Security and Screening: CJIS-compliant background check requirements, fingerprint-based screening obligations for vendor employees with unescorted access to CJI, and managing ongoing personnel adjudication workflows.
  • Advanced Authentication: Requirements for multi-factor authentication when accessing CJI from outside a physically secure location, acceptable authenticator types, and implementation considerations for cloud-hosted and SaaS platforms.
  • Encryption Standards: FIPS 140-2 and FIPS 140-3 validated encryption requirements for CJI in transit and at rest, key management obligations, and how these requirements apply to modern SaaS architectures.
  • Audit Logging and Accountability: What events must be logged, required log retention periods, log integrity controls, and how to demonstrate audit trail sufficiency to a CJIS Systems Agency (CSA) auditor.
  • Incident Response: CJIS-specific incident reporting timelines, notification obligations to the CSA and the FBI CJIS Division, and how to integrate CJIS requirements into an existing incident response plan.

CJI Handling and NCIC Access Considerations

Beyond the policy framework itself, the course addresses practical CJI handling obligations — including data minimization, permissible use boundaries, and the responsibilities vendors inherit when their platforms connect to or query National Crime Information Center (NCIC) systems. Participants work through realistic vendor scenarios covering system interconnection agreements, management control agreements, and the audit artifacts CSAs expect to review.

Compliance Program Design for Vendors

The second day shifts from policy interpretation to program execution. Participants learn how to structure a CJIS compliance program that holds up across multiple agency customers, how to prepare for and respond to CSA security audits, and how SaaS providers should address CJIS requirements in their shared-responsibility models. Organizations that also hold federal contracts will recognize the alignment between CJIS controls and broader Federal and SLED risk assessment obligations.

What You Will Leave With

This is a practitioner-level course. Participants leave with immediately usable outputs, not just slide decks:

  1. A working understanding of every major CJIS Security Policy v5.9 control area relevant to vendors and SaaS providers
  2. A gap-assessment checklist mapped to the personnel screening, authentication, encryption, logging, and incident response requirements covered in class
  3. Draft language and structural guidance for a management control agreement
  4. An audit-readiness checklist aligned to the artifacts a CSA auditor will request
  5. An incident response addendum template addressing CJIS-specific notification requirements
  6. Direct access to ask Carl B. Johnson — President, CISO, and your instructor — questions grounded in real vendor audit scenarios

Who Should Attend

This course is designed for the people inside a vendor or integrator organization who are accountable for making CJIS compliance real. Managers approving training budgets should look for these roles on their teams:

  • Compliance managers and analysts responsible for maintaining agency certifications and preparing for CSA audits
  • Information security officers and engineers implementing authentication, encryption, and logging controls on platforms that handle CJI
  • SaaS product and platform teams building or managing systems with criminal justice information system access
  • Contracts and program managers negotiating or administering agreements with state, local, or tribal law enforcement agencies
  • IT directors and CISOs at small-to-mid-size vendors who own both the technical and compliance functions

Organizations building or maturing a broader security and compliance practice will find this course pairs naturally with compliance program development support for sustained results after the training ends.

Cleared Systems designs this intensive for vendors who need more than a policy overview — you need the control-level detail and practical artifacts to satisfy agency customers and pass audits. If your organization supports law enforcement and handles or could handle CJI, this course belongs in your team's training plan. Explore our full compliance services to see how Cleared Systems supports vendors at every stage of the CJIS compliance lifecycle.

Questions About This Session?

Ask about group rates, private delivery of this curriculum for your team, or whether this session fits your compliance roadmap.
