Proton
CJIS Compliance and how Proton secures your data

If you’re starting or operating a business that works with criminal justice information (CJI) as a contractor with government or law enforcement agencies, you’re likely aware of CJIS compliance.

If not, this article will help you understand what CJIS compliance is, who needs to comply, and how you can access privacy-first tools and services so your business meets these standards.

What is CJIS?

The CJIS Security Policy is a set of security standards assembled by the FBI’s Criminal Justice Information Services (CJIS) division. They were designed to protect CJI at every stage of its lifecycle — from collection to storage to sharing to disposal.

CJIS compliance is essential not only for US-based organizations but also for international businesses that work with U.S. law enforcement or government agencies. It has become an industry standard for companies that handle, store, or process CJI to adhere to the CJIS Security Policy.

What data does CJIS include?

There are many types of information that fall under the CJIS policy:

  • Biometric data: Data extracted from physical or behavioral traits (e.g., fingerprints, facial recognition) that identifies individuals.
  • Identity history data: Text data that is linked with biometric data. This data is often used to assemble a history of criminal activity.
  • Biographical data: Information tied to a specific case but not necessarily linked to a person’s identity.
  • Property data: Information about vehicles and property associated with an incident.
  • Case/incident history: A person’s criminal history.
  • Personally identifiable information (PII): Any information that can be used to identify a person, including names, Social Security numbers, and biometric records.

If state, local, or federal law enforcement agencies access criminal justice information through the FBI, appropriate controls must be applied throughout its entire lifecycle.

Who needs to be compliant with CJIS?

Any organization that handles CJI, including law enforcement agencies, private contractors, and cloud service providers, must comply with CJIS standards.

While it is primarily an FBI requirement, CJIS compliance has effectively become an industry standard because of the sensitive nature of all data involved. Even if an organization does not work directly with the FBI but handles CJI, it must comply with CJIS standards to continue operations without repercussions.

This extends to data systems, backups, networks, and devices — such as printers — that interact with CJI, which must all be protected under CJIS guidelines.

A company can face federal and state civil and criminal penalties for improperly accessing or disseminating CJIS data. Those penalties could include fines, as well as suspension, revocation, or monitoring of access to CJIS.

It’s important to note that information collected by a government entity that gathers, processes, or uses CJI is not subject to CJIS controls unless it has been submitted to the National Data Exchange (N-DEx) system.

Once submitted, however, the information must adhere to CJIS standards. N-DEx is a key system for sharing criminal justice information across agencies, allowing that data to be managed securely and consistently​.

The Criminal Justice Information Services (CJIS) Audit Unit (CAU) protects the integrity of criminal justice information by auditing agencies that use CJIS systems and programs. Those agencies include:

  • State CSA and repository
  • State UCR Program office
  • Federal CSA
  • Federally regulated agency
  • Agency within a U.S. territory with a Wide Area Network connection
  • FBI-approved channeler (a contractor picked by the FBI that facilitates the electronic submission of fingerprints for noncriminal justice background checks on behalf of an authorized recipient)
  • Authorized recipient of criminal history record information
  • Sex offender registry
  • Law Enforcement Enterprise Portal identity provider
  • Any FBI component

For CJIS compliance, encryption is key

To access CJIS databases, organizations must comply with a range of security standards, including implementing multi-factor authentication (MFA) to verify user identities, maintaining strict access controls to limit who can view or alter sensitive data, and enforcing physical security measures to protect systems and devices that handle CJI.

Encryption, however, is key to CJIS compliance.

What is encryption?

Encryption is a way to obscure information so nobody except the people it’s meant for can access it. This is done with computer programs that use mathematical algorithms that lock and unlock the information.

There are two sections of the CJIS Security Policy that explicitly mention encryption:

  • Section 5.10.1.2.1: When CJI is transmitted outside the boundary of the physically secure location, the data shall be immediately protected via encryption. When encryption is employed, the cryptographic module used shall be FIPS 140-2 certified and use a symmetric cipher key strength of at least 128 bit strength to protect CJI.
  • Section 5.10.1.2.2: When CJI is at rest (i.e. stored digitally) outside the boundary of the physically secure location, the data shall be protected via encryption. When encryption is employed, agencies shall either encrypt CJI in accordance with the standard in Section 5.10.1.2.1 above, or use a symmetric cipher that is FIPS 197 certified (AES) and at least 256 bit strength.

Encryption helps make sure CJI is protected both at rest and in transit. Unfortunately, many online services, such as cloud storage and email providers, do not use end-to-end encryption by default, leaving data vulnerable during transmission.

We created Proton in 2014 to fill this need. Developed by scientists who met at CERN (the European Organization for Nuclear Research) in Switzerland, Proton secures sensitive emails, files, passwords, and other data with robust end-to-end encryption in a way that’s also easy for anyone to use. Today over 100 million users, including governments, military units, and Fortune 500 companies, trust Proton to secure their information and comply with data protection standards.

Protect your data with Proton

Whether you’re sending information through Proton Mail, storing files in Proton Drive, or managing credentials with Proton Pass, Proton keeps your data secure and protected from unauthorized access.

Private by default

When you use Proton Mail, emails sent within your organization are end-to-end encrypted by default, meaning the messages and attachments are locked on your device before being transmitted to our servers and can only be unlocked and read by the recipient. For emails to non-Proton Mail accounts, you can send password-protected emails, and zero-access encryption is in place to secure incoming emails automatically.

In every case, messages are always encrypted on our servers. This means that even in the event of a server breach, your company’s emails remain secure and unreadable to anyone but you, protecting your confidential information from cyberattacks.

It’s mathematically impossible for Proton to decrypt your messages, files, and many kinds of metadata. (See what is encrypted.) And since Proton is based in Switzerland, the little data about you that is collected is protected by Swiss privacy laws and is not subject to foreign law enforcement requests.

Defend against hackers

Proton also has several layers of defense against potential cyberattacks:

  • PhishGuard: Proton’s PhishGuard filter is designed to identify and flag phishing attempts. When a phishing attack is detected, you will see a warning.
  • Two-factor authentication (2FA): Proton Mail offers security beyond just a password with two-factor authentication (2FA). Proton supports several 2FA methods, including authenticator apps and physical security keys, meaning you can choose the most convenient and secure option. With a Proton for Business plan, administrators can also enforce 2FA as mandatory for their organizations to strengthen security among employees.
  • Proton Sentinel: This is Proton’s advanced account protection program, which is available with a Proton Mail Professional or Proton Business Suite plan. It is designed to provide maximum security for those who need it by combining AI with human analysis. This is particularly useful if you’re an executive — or someone who deals with sensitive data and communications. Proton Sentinel offers 24/7 support to escalate suspicious login attempts to security analysts.

Stay compliant with Proton

Our goal is to reshape the internet to put people and organizations in control of their data.

Switching to Proton Mail is simple with our Easy Switch feature, allowing you to seamlessly transition all your organization’s emails, contacts, and calendars from other services without any training required for your team.

Our Support team is also on hand 24/7 to provide live support if you need additional help. Proton Mail, our end-to-end encrypted email, and Proton Drive, our end-to-end encrypted cloud storage service, make it simple to meet data protection and privacy requirements.

Using Proton for Business offers additional benefits, including:

  • Proton Mail: Protect your business communications with end-to-end encrypted email, ensuring only you and your intended recipients can read your messages.
  • Proton VPN: Secure your internet connection and protect your online activity with high-speed VPN access.
  • Proton Calendar: Manage your schedule with an encrypted calendar that keeps your business events private.
  • Proton Pass: Store and manage your passwords securely with our encrypted password manager.
  • Proton Drive: Securely store and share files with end-to-end encryption, ensuring that your data remains private and protected.

Discover how Proton can make compliance simple for your organization by signing up for Proton for Business or get in touch with our Sales team for more tailored solutions.

When you move your business into the Proton ecosystem, you’re simultaneously protecting yourself and the data entrusted to you, staying compliant, and helping build a future where privacy is the default.
