Skip to main content


Criminal Justice Information Services (CJIS) is a division of the Federal Bureau of Investigations (FBI). The CJIS Division publishes the CJIS Security Policy as a minimum set of security requirements for protecting and safeguarding Criminal Justice Information (CJI).

CJIS Security Policy

The CJIS Security Policy is published in the CJIS Resource Center. The CJIS Security Policy reflects the shared responsibility between FBI CJIS, CJIS Systems Agency (CSA), and the State Identification Bureaus (SIB) of the lawful use and appropriate protection of CJI. The policy is typically updated on an annual basis. Version 5.9 was updated on 6/1/2020.

The CJIS Security Policy applies to all entities with access to, or who operate in support of, FBI CJIS Division's services and information. This has broad impact on state and local law enforcements, state and local government offices, and private contractors supporting government organizations as CJI data may be processed or shared across organizations.

Criminal Justice Information (CJI)

CJI refers to the data necessary for law enforcement agencies to perform their mission and enforce the laws, such as biometric, identity history, person, organization, property, and case/incident history data. CJI also refers to data necessary for civil agencies to perform their mission, including data used to make hiring decisions.

Is Virtru CJIS certified?

There is no central CJIS authorization body, nor a standardized assessment approach to determining whether a service or solution is CJIS compliant. Each law enforcement organization is responsible for granting CJIS authorizations according to their own standard of what is considered compliant within the CJIS requirements. Authorizations from one state do not find reciprocity within another state (or even necessarily within the same state).

Virtru can not claim to be something that does not exist; however, many agencies have determined Virtru to be an effective solution for implementing CJIS requirements. Virtru's information security program is based upon FedRAMP and NIST SP 800-53 controls which are tightly aligned with the CJIS policy. Although a particular state or agency may have determined that Virtru (or a single Virtru product such as Browser Plugin or Gateway) is CJIS compliant for their purposes, there is no single CJIS certification that applies across all law enforcement departments.

Virtru CJIS Policy Workbook

As there is no formal CJIS certification, unique needs of each organization requiring CJIS compliance, and the shared responsibility model between Virtru and customer organizations to meet the requirements in the CJIS Security Policy, we have created a CJIS Policy Workbook. Customers or prospects interested in leveraging Virtru to maintain CJIS compliance should use the Virtru CJIS Policy Workbook to understand our controls and their responsibilities for supporting their CJIS program.

Please reach out to your account manager or submit a request via the Virtru Support Center to review the CJIS Policy Workbook.

Use Cases

Many Virtru customers leverage the Virtru Data Protection Platform to enable sharing of CJI outside of their controlled CJIS boundary (e.g., when sending emails) while meeting CJIS requirements Encryption of CJI in Transit and Encryption of CJI at Rest. These require that CJI is protected with FIPS 140-2 encryption when transmitted and stored outside of a physically secured location. Virtru's encryption clients encrypt CJI client-side before transmission to ensure that CJI is encrypted both in transit & at rest and also protects the data from being access by third-parties (such as cloud service providers). Refer to the FIPS 140-2 page for more information on how Virtru clients implement FIPS 140-2 encryption.