Documentation
CJIS Security Policy Overview
CJIS Security Policy v6.0 · FBI CJIS Division · December 27, 2024
This page summarizes CJIS Security Policy v6.0 as it applies to EasyWarrant and the agencies that use it. It is not a substitute for the full policy document, which is available from the FBI CJIS Division.
What is CJIS?
The Criminal Justice Information Services (CJIS) Security Policy is a set of security standards established by the FBI CJIS Division that governs the access, use, and protection of Criminal Justice Information (CJI). Any system that creates, receives, transmits, or stores CJI — including warrant documents — must comply with the policy.
EasyWarrant handles CJI by design: warrant documents, officer and judge identities, case information spoken during video sessions, and judicial signatures all constitute CJI under the policy.
Brigade Management as Private Contractor
Because Brigade Management owns the infrastructure and handles CJI on behalf of law enforcement agencies, it is classified as a Private Contractor under CJIS Security Policy v6.0 (Section 3.2.9). This classification requires:
- Execution of a CJIS Security Addendum with every agency before go-live
- Submission to CJIS audits at any time after addenda are signed
- All staff with unescorted access to unencrypted CJI must pass a fingerprint-based background check
- A designated CJIS Compliance Officer must be in place before go-live
Key Controls Applied to EasyWarrant
| Control | Title | Application |
|---|---|---|
SC-8 | Transmission Confidentiality | All video and document transmission |
SC-8(1) | Cryptographic Protection | TLS 1.2+ and AES for all CJI in transit |
SC-13 | Cryptographic Protection | FIPS 140-3 + AES-128 minimum; FIPS 140-2 sunset Sep 2026 |
SC-17 | PKI Certificates | E-signature and judicial approval PKI |
SC-23 | Session Authenticity | MitM protection, session hijacking prevention |
SC-28 | Protection at Rest | Encrypted document storage, US jurisdiction only |
SC-10 | Network Disconnect | 1-hour inactivity session termination |
SC-12 | Key Establishment | Agency-controlled key lifecycle via Azure Key Vault |
IA-2(1) | Multi-Factor Authentication | AAL2 for all officers and judges |
AU | Audit and Accountability | Full access audit trail, tamper-evident export |
The Physical Location Rule
CJIS Security Policy v6.0 Appendix G.6 specifies that encryption is not required for CJI transmitted within a physically secure location. However, the moment either endpoint is outside that boundary, full encryption is mandatory.
EasyWarrant Policy
For officer-to-judge transmission, EasyWarrant assumes encryption is always required — regardless of the physical location of either endpoint. This exceeds the minimum policy requirement and simplifies compliance.
FIPS 140-2 Sunset
CJIS Security Policy v6.0 mandates FIPS 140-3 validated cryptographic modules. FIPS 140-2 is not acceptable after September 21, 2026. EasyWarrant uses only FIPS 140-3 validated modules via Azure Government infrastructure. Agencies operating any FIPS 140-2 systems must upgrade before this date to remain compliant.
Agency Obligations
Agencies that use EasyWarrant retain the following CJIS obligations independent of Brigade Management:
- Obtain state CSA approval before connecting to the EasyWarrant platform
- Ensure all officers and judges using the system have passed background checks
- Maintain their own CJIS Security Addendum with Brigade Management
- Configure and enforce retention policies per agency requirements
- Export and retain audit logs per agency and state retention requirements
Compliance Documentation Package
EasyWarrant provides a full compliance documentation package to every agency partner, including the Security Addendum template, control mapping documentation, and infrastructure compliance attestations. Contact us to request the package.