CJIS Security Policy Compliance

Axon has signed the CJIS Security Addendum in all states

Axon is committed to meeting the Criminal Justice Information Services (CJIS) Security Policy requirements of all of its customers. As a reflection of this commitment, Axon has contractually committed to the CJIS Security Policy within all states.

Law enforcement agencies across the United States can confidently utilize Axon cloud services knowing that Axon is a partner in meeting CJIS Security Policy requirements.

What is the CJIS Security Policy?

The Federal Bureau of Investigation’s CJIS Security Policy sets the minimum security requirements to provide an acceptable level of assurance to protect the full lifecycle of Criminal Justice Information. Agencies using cloud based services are required to make informed decisions on whether or not the cloud provider can offer services that maintain compliance with the requirements of the CJIS Security Policy.

Axon cloud based services are designed and operated to ensure that they are compliant with the FBI CJIS Security Policy. The Axon CJIS Compliance Whitepaper outlines the the specific security policies and practices for Evidence.com and how they are compliant with the CJIS Security Policy. Customers can be assured that their digital data is protected by a robust information security program that is designed to exceed the CJIS security requirements as well as provide protection against current and emerging threats.

CJIS and Cloud Services

While the CJIS Security Policy sufficiently outlines security and privacy considerations for cloud computing, it lacks in providing agencies an effective mechanism or scalable guidance to ensure compliance with the CJIS Security Policy Personnel Security requirements when utilizing large scale cloud providers such as Axon. Without recommendations for personnel security reciprocity or community-wide personnel adjudication mechanisms, each individual agency becomes burden with the execution of often times redundant personnel screening, training and adjudication activities.

As there are over 18,000 law enforcement agencies in the United States, Axon has advocated the coordination of CJIS-related vendor requirements processes at the state, CJIS System Agency (CSA) level. Axon encourages all CSAs to provide a statewide or community-wide process or guidance for managing CJIS-related vendor requirements for law enforcement agencies in their community. Axon believes CSA-organized processes promote the availability of CJI data processing options for law enforcement.

In support of this belief, Axon has partnered with CJIS ACE to assist state level CSOs, ISOs and others to develop, identify and implement processes in their states to streamline and centralize the CJIS requirements to take advantage of the resulting increases in efficiency, quality assurance and overall security compliance. Through our partnership, we’ve worked with many states and can help bring those best practices and our subject matter expertise to your state for consideration. Learn more about this free service here or contact infosec@axon.com.

Axon has performed statewide CJIS-related vendor requirements with many states including Colorado, Michigan, North Carolina, Washington, Texas, and Minnesota. Contact your Axon Sales Representative to confirm the status of centralized CJIS-related vendor requirements in your state or community.

Axon's CJIS Commitment

Axon is committed to the following CJIS compliance elements with all of our US based customers:

CJIS Security Addendum

The CJIS Security Addendum is a uniform addendum to an agreement between a government agency and a private contractor, approved by the Attorney General of the United States, which specifically authorizes access to criminal justice information, limits the use of the information to the purposes for which it is provided, ensures the security and confidentiality of the information is consistent with existing regulations and the CJIS Security Policy, provides for sanctions, and contains such other provisions as the Attorney General may require.

Axon has incorporated the CJIS Security Addendum by reference into Evidence.com service contracts. This contractual language can be reviewed in the Axon Master Services Purchasing Agreement.

Personnel Adjudication

As mandated by the CJIS Security Policy, all law enforcement agency contractors who perform criminal justice functions shall meet the same training and certification criteria required by governmental agencies performing a similar function, and shall be subject to the same extent of audit review as are local user agencies. All private contractors who perform criminal justice functions shall acknowledge, via signing of the CJIS Security Addendum Certification page, and abide by all aspects of the CJIS Security Addendum.

Fingerprint-based Record Checks

Authorized Axon personnel are available for state of residency and national fingerprint-based record checks at either the state or local level.

Personnel Security Addendum Certifications

Axon maintains signed CJIS Security Addendum certification pages for Axon personnel that can be provided to customer agencies.

CJIS Security Awareness Training

Axon maintains a comprehensive security awareness program which includes annual computer-based training, simulated security attacks and social engineering testing. Additionally, Axon has engaged with Peak Performance Solutions and partnered with NLETS to enroll authorized Axon personnel in Peak Performance's CJIS Online training solution. This training provides CJIS-specific training for personnel working on the Evidence.com services. Authorized Axon personnel are required to complete Level 4 CJIS Security Training upon assignment and biennially thereafter.

Law enforcement agencies can access the CJIS Online portal to validate Axon personnel training status. Alternatively, a completion report can be provided by Axon to customer agencies.

Data sovereignty within the United States

Axon contractually commits with United States customers that agency evidence data stored in Evidence.com remains within the United States including any backup data, replication sites, and disaster recovery sites. This contractual language can be reviewed in the Axon Master Services Purchasing Agreement.

Providing detailed security, privacy and compliance information or CJIS assistance

Axon has created the Axon CJIS Compliance Whitepaper to outline the the specific security policies and practices for Evidence.com and how they are compliant with the CJIS Security Policy. Also, responses to questions posed in the CJIS Security Policy Appendix G.3 Cloud Computing are provided within the whitepaper. This whitepaper can be used by law enforcement agencies as detailed information to assist in CJIS assessment or audit activities.

Axon can provide additional security, privacy and compliance information beyond what is communicated on the Axon.com website and the Axon CJIS Compliance Whitepaper.

Evidence.com's CJIS compliance status has been validated independently by CJIS ACE and has been reviewed by numerous US law enforcement agencies. Axon is confident that Evidence.com will not cause a customer to fail a CJIS audit. To support customers in any CJIS audit that includes Evidence.com, Axon employs dedicated Information Security and Compliance professionals that are available to directly assist customers.

Please reach out to your Axon Sales Representative with questions or requests for CJIS related documentation, Axon personnel documentation, or CJIS audit or compliance assistance.