CJIS compliance can feel like a wall of jargon, but underneath it is a fairly concrete set of controls your technology and your team need to meet. This checklist breaks the FBI CJIS Security Policy down into plain language for Oklahoma police departments, sheriff's offices and the vendors who serve them, grouped by access, data, people, and oversight. Use it to gauge where you stand before OSBI does. If you can't confidently check a box, that's your roadmap.
First, what CJIS actually covers
CJIS compliance applies to anyone who accesses, stores or transmits criminal justice information (CJI), including not just sworn personnel but IT staff, dispatchers and outside vendors with access to your systems. In Oklahoma, the standard is enforced by OSBI as the state's CJIS Systems Agency.
The policy spans the full lifecycle of that data. The checklists below organize the most important, audit-relevant controls into four buckets so a non-technical administrator can work through them with their IT provider.
Access and authentication
Controlling who can reach CJI, and proving it, is the foundation of CJIS. Shared logins and weak authentication are the fastest ways to fail.
- Every user has a unique ID; no shared or generic accounts
- Multi-factor (advanced) authentication on all access to CJI
- Least-privilege access: people can reach only what their role requires
- Prompt removal of access when staff leave or change roles
- Automatic session lock on unattended workstations and devices
Data protection
CJI has to be protected wherever it lives and however it moves, and the devices that handle it need to be controlled and, eventually, sanitized.
- Encryption of CJI in transit (email, transfers, remote access)
- Encryption of CJI at rest on servers, workstations and mobile devices
- Managed, encrypted mobile devices for any field access to CJI
- Secure handling and documented sanitization of media before disposal
- Network segmentation that isolates CJI systems from general traffic
People and process
Technology alone doesn't make you compliant. CJIS puts heavy weight on vetting, training and clear ownership of security.
- Fingerprint-based background checks for everyone with CJI access
- Security awareness training on hire and on a recurring basis, with records
- A designated, active Local Agency Security Officer (LASO)
- A written, tested incident-response plan
- Signed CJIS Security Addenda with every vendor that touches CJI
Monitoring, audit and documentation
Finally, you have to be able to see what's happening and prove your program exists. Auditors treat undocumented controls as missing.
- Audit logging enabled, retained, and actually reviewed
- Current written security policies mapped to the CJIS policy areas
- Physical security for areas and devices where CJI is handled
- An up-to-date inventory of systems and vendors that touch CJI
- Evidence kept on file: training, background checks, addenda, diagrams
Key Takeaways
- CJIS applies to anyone touching CJI, including IT staff and outside vendors.
- Access: unique logins, multi-factor authentication and least privilege are non-negotiable.
- Data: encrypt CJI in transit and at rest, and control the devices that handle it.
- People: background checks, recurring training, an active LASO and vendor addenda.
- If you can't evidence a control, an auditor counts it as not done.



