What is Criminal Justice Information (CJI)?
From the desk of Larry Coffee, Senior Security Analyst
I’m going to answer the question “What is Criminal Justice Information (CJI)?” Are you ready? Are you sure? Here we go!
CJI is any data obtained from a state or national CJIS data system.
There you go. Have a great day and we’ll see you again next month!
That’s what you wanted, right, the easy answer? Well, that’s it, in a nutshell.
I guarantee that you’ll pass* any FBI or state CJIS technical audit if you protect state and national CJIS data by appropriately applying the requirements of the CJIS Security Policy (CSP).
The Detailed Explanation
Alright, so, that’s the generalized oversimplification (the definition, not the guarantee). I reckon some of you want a little more explanation.
If you’re reading this newsletter I’m pretty sure you need to know what CJI is. Knowing the answer is more than half the battle for compliance.
All of that being said, here’s the official CSP definition of CJI:
“All of the FBI CJIS provided data necessary for law enforcement and civil agencies to perform their missions including, but not limited to biometric, identity history, biographic, property, and case/incident history data.”
In the CSP, there is also a little caveat that goes with the definition:
“The following type of data are exempt from the protection levels required for CJI: transaction control type numbers (e.g., ORI, NIC, FNU, etc.) when not accompanied by information that reveals CJI or PII.”
Well that was sorta helpful, right? In my conversations with the FBI audit staff, they provided a “quick and dirty” definition: if it came from NCIC, III, or NDEx it’s CJI.
Like I said earlier, that is an oversimplification, but it’s a good working definition.
To match my earlier definition, I’m going to add something to that, and it’s not in the CSP: most CJIS Systems Agencies (CSAs) will tell criminal justice agencies within their jurisdiction to treat state CJIS data with the same CSP protections. Heads-up: they get to make that call.
The CSP, and their agreement with the FBI, holds the CSA responsible for compliance within their respective states/agencies.
Although the CSP specifically states “FBI CJIS” data, at issue is the fact that FBI CJIS data gets mixed into other data, both state and local.
Let me quote my former boss Charlie Schaeffer, the CSO for Florida:
“When determining if information should be considered and protected as CJI, agencies should consider the source of the information and not the data elements that make up the information.”
He also went on to say:
“Essentially, it is like putting salt in soup… once it is in there, it is not easily removed.”
Is Your System “Infected”?
The terminology I used when I was an ISO was “infected.” Once you introduce CJI in a system, you have essentially infected it with the requirement to comply with the CSP.
I will go on to say that the official “infection diagnosis,” as it were, will come from the CSA for the state or agency. It is their determination whether an application or system is infected with CJI.
In the end they are the authority. You could appeal to the FBI, but historically they are going to tell you that it is the CSA’s call. The only time the FBI will get involved is if a CSA doesn’t designate something CJI that should be.
Again, determine where the information came from. If part of its “history” includes something out of a national or state CJIS system, you’re dealing with CJI, and the CSP applies.
Bottom line, you need to know what CJI is, because you need to know where it is within your agency, so that you can apply the CJIS Security Policy.
Hope this helped a little. If you have questions, feel free to call me or send me an email.
*By the way, “pass” really isn’t the appropriate term; technically you don’t pass an audit. Your goal is that there will be no findings of noncompliance, but that didn’t sound as good as “pass.”