Criminal Justice Information Services (CJIS) Security Policy

The Federal Bureau of Investigation’s Criminal Justice Information Services (CJIS) Security Policy sets the minimum security requirements to provide an acceptable level of assurance to protect the full lifecycle of Criminal Justice Information. Agencies using cloud based services are required to make informed decisions on whether or not the cloud provider can offer services that maintain compliance with the requirements of the CJIS Security Policy.

Evidence.com was designed and is operated to ensure that it is compliant with the FBI CJIS Security Policy. The Axon CJIS Compliance Whitepaper outlines the the specific security policies and practices for Evidence.com and how they are compliant with the CJIS Security Policy. Customers can be assured that their digital data is protected by a robust information security program that is designed to exceed the CJIS security requirements as well as provide protection against current and emerging threats.

As there are over 18,000 law enforcement agencies in the United States, Axon has advocated the coordination of CJIS-related vendor requirements processes at the state, CJIS System Agency (CSA) level. Axon encourages all CSAs to provide a statewide or community-wide process or guidance for managing CJIS-related vendor requirements for law enforcement agencies in their community. Axon believes CSA-organized processes promote the availability of CJI data processing options for law enforcement.

In support of this belief, Axon has partnered with CJIS ACE to assist state level CSOs, ISOs and others to develop, identify and implement processes in their states to streamline and centralize the CJIS requirements to take advantage of the resulting increases in efficiency, quality assurance and overall security compliance. Through our partnership, we’ve worked with many states and can help bring those best practices and our subject matter expertise to your state for consideration. Learn more about this free service here or contact infosec@axon.com.

Axon has performed statewide CJIS-related vendor requirements with many states including Colorado, Michigan, North Carolina, Washington, Texas, and Minnesota. Contact your Axon Sales Representative to confirm the status of centralized CJIS-related vendor requirements in your state or community.

We are committed to working with all CSAs to make these requirements as effective and efficient as possible for our customers. In lieu of the existence of a statewide or community-wide process, Axon is committed to meet the CJIS Security Policy needs of all of its customers.

Axon is committed to the following CJIS compliance elements with all of our US based customers:

CJIS Security Addendum

The CJIS Security Addendum is a uniform addendum to an agreement between a government agency and a private contractor, approved by the Attorney General of the United States, which specifically authorizes access to criminal justice information, limits the use of the information to the purposes for which it is provided, ensures the security and confidentiality of the information is consistent with existing regulations and the CJIS Security Policy, provides for sanctions, and contains such other provisions as the Attorney General may require.

Axon has incorporated the CJIS Security Addendum by reference into Evidence.com service contracts. This contractual language can be reviewed in the Axon Master Services Purchasing Agreement.

Personnel Adjudication

As mandated by the CJIS Security Policy, all law enforcement agency contractors who perform criminal justice functions shall
meet the same training and certification criteria required by governmental agencies performing a similar function, and shall be
subject to the same extent of audit review as are local user agencies. All private contractors who perform criminal justice
functions shall acknowledge, via signing of the CJIS Security Addendum Certification page, and abide by all aspects of the CJIS
Security Addendum.

Fingerprint-based Record Checks

Authorized Axon personnel are available for state of residency and national fingerprint-based record checks at either the state or local level.

Personnel Security Addendum Certifications

Axon maintains signed CJIS Security Addendum certification pages for Axon personnel that can be provided to customer agencies.

CJIS Security Awareness Training

Axon maintains a comprehensive security awareness program which includes annual computer-based training, simulated security attacks and social engineering testing. Additionally, Axon has engaged with Peak Performance Solutions and partnered with NLETS to enroll authorized Axon personnel in Peak Performance's CJIS Online training solution. This training provides CJIS-specific training for personnel working on the Evidence.com services. Authorized Axon personnel are required to complete Level 4 CJIS Security Training within six months of assignment and biennially thereafter.

Law enforcement agencies can access the CJIS Online portal to validate Axon personnel training status. Alternatively, a completion report can be provided by Axon to customer agencies.

Data sovereignty within the United States

Axon contractually commits with United States customers that agency evidence data stored in Evidence.com remains within the United States including any backup data, replication sites, and disaster recovery sites. This contractual language can be reviewed in the Axon Master Services Purchasing Agreement.

Providing detailed security, privacy and compliance information

Axon has created the Axon CJIS Compliance Whitepaper to outline the the specific security policies and practices for Evidence.com and how they are compliant with the CJIS Security Policy. Also, within the whitepaper responses are provided to questions posed in the CJIS Security Policy Appendix G.3 Cloud Computing. This whitepaper can be used by law enforcement agencies as detailed information to assist in CJIS assessment or audit activities.

Axon can provide additional security, privacy and compliance information beyond what is communicated on the Axon.com website and the Axon CJIS Compliance Whitepaper.

Please contact your Axon Sales Representative with questions or requests for CJIS related documentation or Axon personnel documentation.

FAQ

Is Evidence.com compliant with the FBI CJIS Security Policy?

Yes, Evidence.com was designed and is operated to ensure that it is compliant with the FBI CJIS Security Policy. You can be assured that your digital data is protected by a robust information security program that is designed to exceed the CJIS security requirements as well as provide protection against current and emerging threats, even if digital data isn't required to be protected by the FBI CJIS Security Policy in your state. Evidence.com's CJIS compliance status has been validated independently by CJIS ACE and has been reviewed by numerous US law enforcement agencies.

Does Axon agree to the CJIS Security Addendum?

Yes, Axon acknowledges and abides by all aspects of the CJIS Security Addendum. CJIS Security Addendum Certification pages are maintained for each authorized Axon personnel and are available to customers. Authorized Axon personnel are available for state of residence and national fingerprint-based record checks at either the state or local level and are available to complete state specific security awareness training. Additionally, Axon adheres to the audit requirements of the FBI CJIS Security Policy.

Other providers say that they build on a CJIS-capable platform, so there's no risk of failing a CJIS audit. Can Evidence.com say the same thing, or how is your security different?

Evidence.com is CJIS-compliant and Axon is confident that Evidence.com will not cause a customer to fail a CJIS audit. To support customers in any CJIS audit that includes Evidence.com, Axon employs dedicated Information Security and Compliance professionals that are available to directly assist customers. Please reach out to your Axon Sales Representative for CJIS audit or compliance assistance.