# The Phone Call That Changes Your Business
Picture this. You run a 15-person IT services firm out of Newburgh. You have been supporting small businesses, medical offices, and a handful of municipal clients across Orange and Ulster counties for years. Then the Dutchess County Sheriff's Office calls. They need a managed services provider to handle endpoint management, network monitoring, and help-desk support. The contract is solid. The recurring revenue would stabilize your Q2. You shake hands, sign the statement of work, and start onboarding.
Two weeks in, someone from the sheriff's IT department mentions — almost casually — that your technicians will have access to systems connected to the New York State Police Information Network (NYSPIN) and, through it, the FBI's Criminal Justice Information Services (CJIS) databases. That means your firm, your staff, and your infrastructure are now subject to the CJIS Security Policy. Every single requirement in it.
This scenario plays out across the Hudson Valley more often than you would think. Sullivan County contracts out IT support for its 911 dispatch center. A Rockland County village PD hires a local firm to manage its Records Management System. An Ulster County correctional facility brings in outside help for network upgrades. In each case, the IT vendor suddenly finds itself under one of the most prescriptive federal security frameworks in existence — and most vendors have never heard of it.
## What the CJIS Security Policy Actually Is
The CJIS Security Policy is published by the FBI's Criminal Justice Information Services Division, the same group that operates the National Crime Information Center (NCIC), the Interstate Identification Index (III), and the National Instant Criminal Background Check System (NICS). The policy governs how Criminal Justice Information (CJI) must be handled by anyone who accesses, stores, transmits, or processes it. That includes law enforcement officers, dispatchers, court clerks, and — critically — any private-sector contractor whose systems touch CJI.
CJI is a broad category. It includes biometric data (fingerprints, mugshots), criminal history records, active warrant information, case and incident data, driver's license records pulled through law enforcement channels, and any data derived from FBI CJIS systems. If your helpdesk technician can remote into a workstation that has access to an NCIC terminal, that technician is handling CJI. If your backup system captures images of a server that stores arrest records, those backups contain CJI. The policy's reach is wide on purpose.
The current version of the CJIS Security Policy (version 5.9.5, with updates continuing on a rolling basis) is organized into 13 policy areas. Not all of them apply equally to IT vendors, but several of them will require significant changes to how most managed services providers operate.
## The Policy Areas That Trip Up IT Vendors
### Advanced Authentication
CJIS Policy Area 6 requires advanced authentication (AA) for anyone accessing CJI remotely or on systems that are part of a network handling CJI. In practical terms, this means multi-factor authentication. Not optional MFA that your technicians can bypass when it is inconvenient. Mandatory, enforced MFA on every session.
For most Hudson Valley IT shops, this is the first friction point. You may already use MFA for your own internal systems, but CJIS requires that every authentication event touching CJI-connected systems goes through AA. That includes your RMM tool sessions, your remote desktop connections, your VPN tunnels into the client's network, and your access to any cloud platform that stores or processes CJI. The authentication factors must come from at least two of the three categories: something you know, something you have, and something you are. SMS-based one-time codes have been a gray area; hardware tokens or authenticator apps tied to individual user accounts are the safer path.
### Encryption Requirements
Policy Area 6 also mandates encryption for CJI in transit and at rest. The in-transit requirement means a minimum of TLS 1.2 (TLS 1.3 preferred) or IPSec VPN tunnels for any data moving across networks. This includes your remote support sessions, file transfers, email communications that might contain CJI, and replication traffic to backup systems.
The at-rest requirement catches more vendors off guard. If your backup solution captures data from a server that holds CJI, those backup files must be encrypted with FIPS 140-validated cryptographic modules. Not just AES-256 in general — FIPS 140-validated implementations specifically. This distinction matters because many commercial backup products use strong encryption algorithms but have not gone through the FIPS validation process. You need to verify that your tools carry FIPS 140-2 or FIPS 140-3 validation certificates. Check the NIST Cryptographic Module Validation Program (CMVP) listings if there is any doubt.
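The two checks above (a TLS floor on every data path, and a FIPS 140 validation certificate on file for every encrypted store, not just a strong cipher name) are the kind of thing worth scripting against your tool inventory before an auditor asks. The following is an added example, not code from the original article or from any vendor: it builds a client TLS context that refuses anything below TLS 1.2, and audits a constructed inventory of transit paths and storage locations. The inventory entries, the `fips_cert` field and the `CMVP-PLACEHOLDER` value are assumptions for illustration; a real entry would carry the certificate number from the CMVP listing.

```python
import ssl

# Transport floor the article states for CJI in transit: TLS 1.2 minimum, TLS 1.3 preferred.
TLS_FLOOR = ssl.TLSVersion.TLSv1_2


def cji_client_context() -> ssl.SSLContext:
    """Client-side TLS context that refuses anything below TLS 1.2 and keeps
    certificate and hostname verification switched on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = TLS_FLOOR
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed inventory of data paths and stores for illustration only; names,
# versions and the certificate field are placeholders, not any real environment.
SAMPLE_INVENTORY = [
    {"name": "rmm-session", "kind": "transit", "protocol": "TLS", "version": "1.3"},
    {"name": "site-to-site-vpn", "kind": "transit", "protocol": "IPsec", "version": "IKEv2"},
    {"name": "legacy-file-transfer", "kind": "transit", "protocol": "TLS", "version": "1.0"},
    {"name": "support-email-relay", "kind": "transit", "protocol": "SMTP-plain", "version": ""},
    {"name": "backup-repository", "kind": "at_rest", "cipher": "AES-256", "fips_cert": None},
    {"name": "file-server-disks", "kind": "at_rest", "cipher": "AES-256", "fips_cert": "CMVP-PLACEHOLDER"},
]


def _tls_version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def audit_inventory(inventory) -> list:
    """Return one finding string per item that misses the stated requirement:
    transit must be TLS >= 1.2 or IPsec; at rest must cite a FIPS 140 certificate."""
    findings = []
    for item in inventory:
        name = item["name"]
        if item["kind"] == "transit":
            proto = item["protocol"]
            if proto == "TLS":
                if _tls_version_tuple(item["version"]) < (1, 2):
                    findings.append(f"{name}: TLS {item['version']} is below the TLS 1.2 floor")
            elif proto != "IPsec":
                findings.append(f"{name}: protocol {proto} is neither TLS nor IPsec")
        elif item["kind"] == "at_rest":
            # A cipher name alone is not evidence; the validated module's certificate is.
            if not item.get("fips_cert"):
                findings.append(
                    f"{name}: {item['cipher']} at rest has no FIPS 140 validation certificate on file"
                )
    return findings


if __name__ == "__main__":
    print("minimum TLS version:", cji_client_context().minimum_version)
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print("FINDING:", finding)
```

Run as-is it reports three findings: the TLS 1.0 transfer path, the plaintext mail relay, and the backup repository whose AES-256 has no certificate recorded. The disk store with a certificate number on file passes, which is exactly the distinction the paragraph draws.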
### Personnel Security and Background Checks
This is the requirement that generates the most pushback from IT vendors, and it is non-negotiable. Every person in your organization who will have unescorted access to unencrypted CJI must undergo a fingerprint-based background check processed through the state identification bureau and the FBI. In New York, this is coordinated through the Division of Criminal Justice Services (DCJS).
The process is not trivial. Your technicians will need to be fingerprinted at a designated site, and the prints will be submitted for a state and federal criminal history check. Depending on the results, individuals may be disqualified from accessing CJI. This is not a standard commercial background check from a third-party screening company — it must go through official law enforcement channels. Plan for the process to take several weeks, and build that lead time into your project timelines.
There is also a security awareness training requirement. All personnel with CJI access must complete CJIS security awareness training within six months of initial access and every two years thereafter. The training must cover the security policy's requirements, acceptable use, incident reporting procedures, and the consequences of non-compliance. Many agencies have their own training programs that contractors can use, but you are responsible for ensuring your staff completes it and for maintaining the records.
### Audit Logging and Monitoring
Policy Area 6 requires that systems handling CJI generate audit logs capturing, at minimum, successful and failed login attempts, changes to user accounts and permissions, access to CJI records, and system events relevant to security. These logs must be retained for a minimum of one year. For IT vendors, this means your RMM platform, ticketing system, and any administrative tools you use on the client's CJI-connected systems must be configured to produce and retain detailed audit trails.
The policy also requires regular review of audit logs. Someone — either on the agency side or on your side, depending on the contractual arrangement — must be actively looking at these logs for anomalies. If you are providing managed security services, log review is likely your responsibility. If you are providing basic managed IT services, make sure the contract specifies who owns log review, because the sheriff's office will expect it to be handled.
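What "actively looking at these logs for anomalies" can mean in practice is illustrated by the following added example, which is not code from the original article or from any RMM or SIEM product. It parses a constructed sample of audit lines in an assumed `key=value` shape (no real product emits exactly this format), confirms that each of the four minimum event categories the paragraph lists is present, checks that the retained history reaches back at least one year, and flags a burst of failed logins from one user and source address, the kind of finding a log reviewer should be writing up. Hosts, users, addresses and the threshold values are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Event categories the article lists as the minimum an audit trail must capture.
REQUIRED_EVENTS = {"LOGIN_SUCCESS", "LOGIN_FAILED", "ACCOUNT_CHANGE", "CJI_ACCESS"}
RETENTION = timedelta(days=365)          # one-year minimum retention
BURST_THRESHOLD = 5                      # failed logins ...
BURST_WINDOW = timedelta(minutes=10)     # ... within this window from one user/source pair

# Line shape is an assumption for this example, not any particular product's format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log; none of these hosts, users or addresses are real.
SAMPLE_LOG = """\
2023-02-01T07:55:10Z host=ws-03 user=jdoe event=LOGIN_SUCCESS src=10.0.5.21
2024-03-04T08:12:01Z host=ws-07 user=jdoe event=CJI_ACCESS src=10.0.5.21
2024-03-04T08:30:44Z host=dc-01 user=admin-mk event=ACCOUNT_CHANGE src=10.0.1.9
2024-03-04T22:01:05Z host=rmm-gw user=svc-backup event=LOGIN_FAILED src=10.0.9.4
2024-03-04T22:01:37Z host=rmm-gw user=svc-backup event=LOGIN_FAILED src=10.0.9.4
2024-03-04T22:02:10Z host=rmm-gw user=svc-backup event=LOGIN_FAILED src=10.0.9.4
2024-03-04T22:02:58Z host=rmm-gw user=svc-backup event=LOGIN_FAILED src=10.0.9.4
2024-03-04T22:03:21Z host=rmm-gw user=svc-backup event=LOGIN_FAILED src=10.0.9.4
2024-03-04T22:04:02Z host=rmm-gw user=svc-backup event=LOGIN_SUCCESS src=10.0.9.4
2024-03-04T23:15:00Z host=ws-07 user=jdoe event=LOGIN_FAILED src=10.0.5.21
"""
SAMPLE_NOW = datetime(2024, 3, 5, tzinfo=timezone.utc)  # constructed review time


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable lines would themselves be worth reporting in production
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def find_failed_login_bursts(records: list) -> list:
    """Sliding window over failed logins per (user, src); returns one entry per pair that
    reaches the threshold, with the time of the first failure in the offending window."""
    failures = defaultdict(list)
    for rec in records:
        if rec["event"] == "LOGIN_FAILED":
            failures[(rec["user"], rec["src"])].append(rec["ts"])
    bursts = []
    for (user, src), stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                bursts.append({"user": user, "src": src, "first_failure": stamps[start]})
                break
    return bursts


def review(records: list, now: datetime) -> dict:
    counts = Counter(rec["event"] for rec in records)
    oldest = min(rec["ts"] for rec in records)
    return {
        "event_counts": dict(counts),
        "missing_event_types": REQUIRED_EVENTS - set(counts),
        "retention_ok": now - oldest >= RETENTION,
        "failed_login_bursts": find_failed_login_bursts(records),
    }


def review_sample() -> dict:
    return review(parse_log(SAMPLE_LOG), SAMPLE_NOW)


if __name__ == "__main__":
    for key, value in review_sample().items():
        print(f"{key}: {value}")
```

On the sample the report shows all four required categories present, retention reaching back more than a year, and one burst: five failures for `svc-backup` from one address inside three minutes, followed by a success. That success after a burst is precisely the sequence a reviewer should escalate rather than file, and it is the reason the contract needs to say whose job the review is.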
## Cloud Considerations for IT Vendors
If you are hosting any workloads in the cloud on behalf of a law enforcement client — backup targets, email systems, file storage, or SaaS platforms that will contain CJI — the cloud provider must meet CJIS requirements as well. This does not mean every cloud provider is automatically disqualified, but it does mean you need to verify compliance carefully.
The major hyperscalers (Microsoft Azure, AWS, Google Cloud) all maintain CJIS-compliant regions and have published CJIS compliance documentation. Microsoft, for example, offers Azure Government and has executed CJIS Security Addenda with numerous states. AWS has GovCloud regions and similar addendum arrangements. But simply deploying workloads on Azure or AWS does not make you compliant. You must configure the services correctly: enable encryption with FIPS-validated modules, restrict data residency to approved regions, enforce access controls that meet CJIS AA requirements, and ensure audit logging is enabled and retained.
If you use smaller or regional cloud providers, SaaS platforms, or any third-party tools that will touch CJI, each one of those providers must either execute a CJIS Security Addendum or be contractually bound through your agreement to meet the policy's requirements. This is a substantial due-diligence burden and is one of the reasons that CJIS-aware IT vendors tend to standardize on a narrow set of vetted tools.
## New York State CJIS Requirements
New York adds a layer on top of the federal CJIS Security Policy. The Division of Criminal Justice Services (DCJS) serves as the CJIS Systems Agency (CSA) for the state and is responsible for enforcing CJIS compliance among all New York agencies and their contractors. DCJS administers access to NYSPIN, which is the state's conduit to FBI CJIS systems.
For IT vendors in the Hudson Valley, the practical implications include coordinating fingerprint-based background checks through DCJS rather than directly with the FBI, complying with any additional DCJS policies or procedures that supplement the federal policy, and being subject to DCJS audits. New York has historically been active in conducting compliance reviews of agencies and their contractors, so the expectation of an audit is realistic, not theoretical.
DCJS also maintains the state's Noncriminal Justice Information (NJCI) requirements for entities that access criminal history record information for non-law-enforcement purposes (such as employment background checks). If your firm handles both law enforcement IT contracts and commercial clients who run background checks, be aware that the compliance requirements are related but distinct. Do not assume that meeting one set of requirements satisfies the other.
## Building Your Implementation Plan
If you have just landed a contract with a Hudson Valley law enforcement agency and need to get CJIS-compliant, here is a realistic sequence. First, execute the CJIS Security Addendum with the agency. Do this before your technicians touch any systems. The addendum is the legal foundation that everything else sits on, and without it, any access to CJI is unauthorized.
Second, identify every person in your organization who will have unescorted logical or physical access to CJI or CJI-connected systems, and begin the fingerprint-based background check process through DCJS immediately. This has the longest lead time of any compliance step, and you cannot allow personnel to access CJI until their background checks clear.
Third, audit your technology stack. Map every tool, platform, and service that will interact with the client's CJI environment. For each one, verify FIPS 140-validated encryption, MFA capability that meets CJIS AA requirements, audit logging to the policy's specifications, and either a CJIS Security Addendum with the vendor or contractual language that binds them to equivalent requirements.
Fourth, implement and document your security controls. This includes configuring encryption on all data paths and storage locations, enabling and testing MFA on every access point, turning on audit logging and validating that logs capture the required events, and establishing a log review schedule. Document everything as you go. CJIS audits are documentation-heavy, and the auditor will want to see written policies, configuration records, and training records — not just a verbal assurance that you are doing the right things.
Fifth, train your personnel. CJIS security awareness training must be completed within six months of initial access and refreshed every two years. Keep dated certificates or sign-off sheets for every employee who completes training. The agency may offer training, or you may need to develop your own curriculum based on the CJIS Security Policy's requirements.
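Steps two and five of this plan reduce to a per-person gate: nobody touches CJI until their fingerprint-based check has cleared, initial training is due within six months of first access, and a refresher is due every two years after the last completion. The following is an added example, not code from the original article or from DCJS, that evaluates a constructed roster against those dates so the overdue cases surface before an auditor finds them. The roster names and dates are placeholders, and the decision to treat overdue training as a block on access is this example's design choice rather than something the article states.

```python
import calendar
from datetime import date

INITIAL_TRAINING_MONTHS = 6    # training due within six months of initial access
REFRESH_MONTHS = 24            # and every two years thereafter


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clips to the last day of a short month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


# Constructed roster; names and dates are placeholders for illustration.
SAMPLE_ROSTER = [
    {"name": "alice", "background_cleared": date(2024, 1, 10),
     "initial_access": date(2024, 1, 15), "trainings": [date(2024, 2, 1)]},
    {"name": "bob", "background_cleared": None,
     "initial_access": date(2024, 5, 20), "trainings": []},
    {"name": "carol", "background_cleared": date(2023, 6, 1),
     "initial_access": date(2023, 6, 5), "trainings": []},
    {"name": "dave", "background_cleared": date(2021, 1, 4),
     "initial_access": date(2021, 1, 5), "trainings": [date(2021, 2, 1), date(2023, 1, 15)]},
]
SAMPLE_AS_OF = date(2024, 6, 1)  # constructed evaluation date


def training_due(person: dict) -> date:
    """Next training deadline: six months after initial access if never trained,
    otherwise 24 months after the most recent completion."""
    if person["trainings"]:
        return add_months(max(person["trainings"]), REFRESH_MONTHS)
    return add_months(person["initial_access"], INITIAL_TRAINING_MONTHS)


def access_status(person: dict, as_of: date) -> dict:
    """Decide whether this person may currently access CJI, and why."""
    if person["background_cleared"] is None:
        return {"allowed": False, "reason": "background check not cleared", "training_due": None}
    due = training_due(person)
    if as_of > due:
        # Design choice for this example: lapsed training suspends access until refreshed.
        return {"allowed": False, "reason": f"training overdue since {due}", "training_due": due}
    return {"allowed": True, "reason": "cleared and training current", "training_due": due}


def evaluate_roster(roster: list, as_of: date) -> dict:
    return {person["name"]: access_status(person, as_of) for person in roster}


def evaluate_sample() -> dict:
    return evaluate_roster(SAMPLE_ROSTER, SAMPLE_AS_OF)


if __name__ == "__main__":
    for name, status in evaluate_sample().items():
        flag = "OK " if status["allowed"] else "BLOCK"
        print(f"{flag} {name:<6} {status['reason']} (next training due {status['training_due']})")
```

Against the sample roster, `bob` is blocked because no clearance is on file, `carol` is blocked because she was given access a year ago and never completed initial training, and `alice` and `dave` pass with their next due dates computed. Keeping this evaluation in a script, run on a schedule, produces the dated record the training-records row of the evidence pack asks for.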
## The Evidence Pack: What to Have Ready for an Audit
When DCJS or the FBI conducts a compliance review, they will ask for documentation. Having a well-organized evidence pack saves time and demonstrates that your firm takes the requirements seriously. Below is a practical checklist of what to assemble and maintain.
| Evidence Item | Description | Typical Format | Retention Period |
|---|---|---|---|
| Signed CJIS Security Addendum | Executed addendum between your firm and the law enforcement agency (or state CSO), incorporating the CJIS Security Policy by reference | Signed PDF or wet-ink original | Duration of contract plus 3 years |
| Personnel screening records | Fingerprint-based background check confirmations for all personnel with CJI access, processed through DCJS and FBI | DCJS confirmation letters, internal tracking log | Duration of employment or contract engagement |
| Security awareness training records | Dated completion certificates or sign-off sheets for each employee, showing initial and refresher training | Certificates, signed attendance sheets, LMS export | Current cycle plus one prior cycle |
| Encryption configuration records | Documentation of FIPS 140-validated encryption for data in transit (TLS/IPSec configs) and at rest (disk encryption, backup encryption), including FIPS certificate numbers | Configuration exports, vendor FIPS certificates, architecture diagrams | Current configuration plus historical versions |
| MFA configuration evidence | Proof that advanced authentication is enforced on all CJI access points, including RMM tools, VPN, cloud platforms, and administrative consoles | Policy screenshots, conditional access rules, IdP configuration exports | Current configuration |
| Audit log retention proof | Evidence that audit logs are generated for required events and retained for a minimum of one year, with log review schedules and sample review reports | SIEM configuration, log storage policies, sample log review reports | Logs: minimum 1 year; review reports: 3 years |
| Facility security checklist | Physical security documentation for any location where CJI is accessed or stored, including visitor logs, access control mechanisms, and secure area designations | Completed facility checklist, photos of physical controls, visitor log samples | Current assessment plus one prior year |
| Incident response plan | Documented plan for responding to security incidents involving CJI, including notification procedures to the agency and DCJS | Written IR plan, contact list, tabletop exercise records | Current version plus revision history |
| Vendor/subcontractor compliance documentation | CJIS Security Addenda or equivalent contractual language for all cloud providers, SaaS tools, and subcontractors that handle CJI | Signed addenda, vendor compliance attestations, due diligence records | Duration of vendor relationship plus 3 years |
| Network topology and access control documentation | Diagrams showing how CJI systems are segmented, firewall rules, access control lists, and data flow maps | Network diagrams, firewall rule exports, data flow documentation | Current version plus prior version |
## Common Mistakes Hudson Valley IT Vendors Make
Having worked with firms across the region, I see the same mistakes repeat. The first is treating CJIS like a checkbox exercise that can be handled after the contract starts. By the time your technicians are remoting into a deputy's workstation, you need to already have the addendum signed, background checks cleared, and controls in place. Doing it in reverse order — starting work and then figuring out compliance — puts both your firm and the agency at risk.
The second common mistake is assuming that your existing SOC 2 report or HIPAA compliance program covers CJIS. It does not. There is overlap in concepts (access controls, encryption, audit logging), but CJIS has specific requirements — particularly around fingerprint-based background checks and FIPS-validated encryption — that are not part of SOC 2 or HIPAA. You cannot hand an auditor your SOC 2 Type II report and call it done.
The third mistake is forgetting about physical security. If your technicians ever visit the agency's facility, or if CJI is accessed from your own office, the physical security requirements in CJIS Policy Area 5 apply. That means controlling physical access to areas where CJI is visible on screens or accessible on systems, maintaining visitor logs, and ensuring that unauthorized individuals cannot shoulder-surf or access unattended workstations. For a small IT firm operating out of a shared office space, this can require rethinking your workspace layout.
The fourth is neglecting the subcontractor chain. If you outsource any part of your service delivery — a co-managed SOC, a third-party backup provider, a freelance technician you bring in during busy periods — every one of those entities must meet CJIS requirements to the extent they access CJI. The compliance obligation flows downstream, and you are responsible for ensuring it is met.
## The Business Case for Getting This Right
CJIS compliance is demanding, but for Hudson Valley IT firms willing to invest in it, the payoff is real. Law enforcement agencies, 911 centers, county jails, and court systems across Dutchess, Orange, Ulster, Sullivan, Putnam, and Rockland counties all need IT support, and the pool of local vendors who can actually meet CJIS requirements is small. Once you are compliant, you become a preferred provider for an entire category of public-sector work that most of your competitors cannot touch. The contracts tend to be long-term, the revenue is predictable, and the switching costs for the agency are high enough that you are unlikely to be displaced on price alone.
The cost of non-compliance, on the other hand, is severe. A CJIS audit failure can result in the agency losing its access to FBI CJIS systems — which effectively shuts down their ability to run warrant checks, process arrests, and perform basic law enforcement functions. If that happens because of your firm's negligence, the contractual and reputational consequences will follow you across the region for years.