Overview
What it is, in plain English.
The FBI CJIS Security Policy governs every system, network, and human that touches Criminal Justice Information (CJI) — from local police departments to the contractors and vendors that support them. CJIS is uniquely strict: cleared personnel, fingerprinting, advanced authentication, and audit requirements that go beyond most commercial frameworks. Lyra brings CJIS Level 4 cleared technicians and runs the program end-to-end for law enforcement agencies and their vendors.
CJIS Security Policy compliance for law enforcement and adjacent public-sector environments — backed by CJIS Level 4 cleared technicians.
Who needs it
Built for organizations that have to get this right.
Local, county, and state law enforcement agencies
9-1-1 PSAPs and emergency communications centers
Courts, corrections, prosecutors, and probation offices
Vendors and MSPs serving any of the above with CJI in scope
Our approach
How we get you audit-ready and keep you there.
We don't drop policy templates and disappear. We design controls, implement them in your environment, prepare every artifact, and walk with you through the audit — then operate the program after certification so you stay compliant year over year.
- 01 Scope CJI Environment: We map every system, network segment, and user that touches CJI, and identify the CJIS Information Security Officer (ISO) chain.
- 02 Personnel & Background: Fingerprint-based background checks, security awareness training, and access agreements for every person with CJI access.
- 03 Technical Implementation: Advanced authentication (MFA), FIPS 140-2 encryption, audit logging, mobile device management, and physical security per CJIS policy areas 5.1–5.13.
- 04 Audit Readiness: We prepare you for the FBI / state CSO triennial audit — with the documentation, screen-shares, and walkthroughs they will ask for.
Key controls
What's actually in scope.
13 CJIS Policy Areas: Information Exchange, Security Awareness Training, Incident Response, Auditing, Access Control, Identification & Authentication, Configuration Management, Media Protection, Physical Protection, Systems & Comms Protection, Formal Audits, Personnel Security, Mobile Devices
Advanced Authentication (MFA) for any access from outside a physically secure location
FIPS 140-2 validated encryption for CJI in transit and at rest
Fingerprint-based background checks for every person with CJI access (including IT support)
Detailed audit logging with 365-day retention
Deliverables
What you walk away with.
CJIS gap assessment and remediation plan
Security policy and procedures aligned to all 13 policy areas
Personnel security program and access agreements
MDM and mobile device security configuration
Audit readiness package for state CSA / FBI audits
Timeline
Initial readiness: 4–8 months depending on environment maturity. Triennial CSA audits: 3–6 month prep cycles.
Questions we hear
Straight answers to the real questions.
- Why do your technicians need clearance?
- Anyone with the technical ability to access CJI — even an MSP engineer — is subject to CJIS personnel security requirements: fingerprinting, background checks, signed agreements. We've already done all of that for our team.
- What about cloud and SaaS?
- Cloud is allowed under CJIS — but the provider must meet specific requirements (FedRAMP Moderate is the common path) and you must have a signed CJIS Security Addendum with them. We help select compliant vendors.
- What happens if we fail an audit?
- Findings result in a corrective action plan with deadlines. Persistent or serious findings can result in CJI access being suspended — which for most agencies is operationally catastrophic. Audit prep is not optional.
Other frameworks we support
SOC 2 (Type 1 and Type 2)
AICPA SOC 2
ISO 27001
ISO/IEC 27001 ISMS
CMMC
Cybersecurity Maturity Model Certification
NIST 800-171
Protecting CUI in non-federal systems
NIST CSF (including 2.0)
NIST Cybersecurity Framework
HIPAA / HITRUST
Healthcare privacy and security