
Why CJIS Still Matters When Your Records Move to the Cloud

Published on June 23, 2025

Police departments have enthusiastically embraced records-management systems delivered “as a service,” but the FBI’s Criminal Justice Information Services (CJIS) Security Policy applies no matter where the data lives. Version 5.9.5, issued July 9 2024, reiterates that the policy is architecture-independent: agencies can absolutely use hyperscale clouds, provided every control in the policy is still met.

CJIS Security Policy Snapshot (v5.9.5)

The 451-page policy groups hundreds of requirements into 19 “Policy Areas,” covering everything from information-exchange agreements to contingency planning. Cloud providers, and the SaaS vendors that build on them, must especially watch five high-risk areas:

  1. Information-Exchange Agreements (PA-1). A signed CJIS Security Addendum plus any state-specific cloud agreements. (le.fbi.gov)

  2. Access Control & Remote Access (PA-5/PA-6). Role-based access plus strict limits on who can reach administrative consoles.

  3. Identification & Advanced Authentication (AA). Multifactor authentication is mandatory for all direct access to CJI by October 1 2024. (silverfort.com)

  4. Encryption (PA-10). All CJI must be encrypted in transit and at rest using FIPS-validated modules (140-2 or 140-3). (aws.amazon.com)

  5. Incident Response (PA-3). Agencies must be notified of any suspected breach within eight hours and receive full forensic data.

The CJIS Cloud Compliance Checklist

Below is a pragmatic, audit-ready list you can hand to any prospective Police-Records SaaS vendor. Require written evidence (policies, test results, or third-party attestations) for each item:

Each item names the control to verify, followed by what to look for:

  1. Signed CJIS Agreements. Security Addendum plus a state CSA cloud agreement covering all data centers.

  2. Background Checks. Fingerprint-based screening for every cloud-provider employee with logical or physical access to unencrypted CJI.

  3. Advanced Authentication (AA). MFA for all users and admins; compensating controls are temporary and require CSA approval.

  4. FIPS-Validated Encryption. AES-256 for data at rest; TLS 1.2+ FIPS endpoints for data in transit.

  5. Key Management Ownership. Agency-controlled KMS or HSM; no provider personnel can decrypt CJI.

  6. One-Hour Incident Response. Written IR plan mapping to CJIS PA-3 with 24×7 contacts and a one-hour containment target.

  7. Log Retention & Review. Immutable logs kept ≥1 year, with automated 90-day audit review.

  8. Patch & Vulnerability Management. Critical patches within 72 hours; monthly vulnerability scans shared with the agency.

  9. FedRAMP-Moderate (or Higher) Hosting. SSAE 18 SOC 2 Type II plus a FedRAMP ATO demonstrating parity with CJIS controls.

  10. Disaster Recovery in U.S. Regions. Replication to a second CJIS-covered U.S. region; full restoration target ≤24 hours.

Shared Responsibility: What Stays on the Agency

Even with a perfect vendor, some duties cannot be outsourced: vetting local users, training officers, securing mobile endpoints, and enforcing data-sharing policies with prosecutors and courts remain the agency’s job. The policy spells this out as a shared-management philosophy between the CSA, the vendor, and each using agency.

Vendor Evaluation Questions

Ask each SaaS contender:

  1. Which state CJIS Information Agreements have you executed? (47 states + DC have Microsoft agreements; far fewer exist for smaller vendors.) (learn.microsoft.com)

  2. Can we review your most recent CJIS-aligned audit or penetration-test report?

  3. Describe your key-escrow model. Who can decrypt data if subpoenaed?

  4. Do all subcontractors sign the CJIS Addendum?

  5. What is your process for privilege revocation within 24 hours when an officer leaves?

Common Pitfalls to Avoid

  • Endpoint Blind Spots. CJIS compliance fails if patrol-car laptops lack whole-disk encryption or MFA, regardless of how secure the cloud is.

  • Shadow Integrations. Middleware or BI tools pulling raw CJI can break the encryption-at-rest chain.

  • “Compliant-By-Default” Marketing Claims. There is no federal CJIS certification program; only your state CSA can bless a solution. (aws.amazon.com)

Key Takeaways

  • Cloud is allowed. CJIS v5.9.5 explicitly supports modern architectures.

  • Compliance is holistic. Every control in all 19 policy areas must still be met.

  • Check the checklist. Use the ten items above as deal-breakers when selecting any police-records SaaS platform.

By grounding your procurement in the CJIS Security Policy, and demanding hard evidence that vendors meet or exceed each requirement, you can modernize records management without compromising the integrity or confidentiality of Criminal Justice Information.

