The Public Defender's Guide to
CJIS Compliance.

Agreements must be executed "before exchanging CJI" and must specify security controls, data ownership, and roles.

EqualLaw executes the official FBI CJIS Security Addendum (Appendix H) with every agency. This legally binds us to FBI security mandates and establishes your ownership of the data.

Designate an "Agency Coordinator" to maintain visibility into our security posture and manage the agreement.

Systems must enforce "Least Privilege" (AC-6), limit failed logins to 5 attempts (AC-7), automatically lock sessions (AC-11), and strictly regulate External Systems/Bring Your Own Device (BYOD) usage (AC-20).

EqualLaw enforces RBAC (Role-Based Access Control) to ensure attorneys only access assigned cases. We implement automated 90-day inactivity disabling (AC-2), AES-256 encrypted remote access (AC-17), and restrict data downloads on unmanaged devices.

Letting us know promptly when someone leaves your office helps us revoke their access quickly, though this can also be self-service. If your staff accesses case files from personal phones, we recommend establishing a BYOD policy, though EqualLaw restricts data downloads on unmanaged devices by default.

Systems shall enforce MFA at Authenticator Assurance Level 2 (AAL2) for all users (IA-2). Passwords must be checked against "banned password lists" (IA-5), and users must re-authenticate every 12 hours or after 30 minutes of inactivity (IA-11). Remote users must undergo "Identity Proofing" (IA-12) with address confirmation (IA-12(5)).

EqualLaw enforces AAL2 phishing-resistant MFA using Federal Information Processing Standards (FIPS) 140-validated cryptographic modules. We implement automated 30-minute session re-authentication and block weak or compromised passwords using a real-time banned-password API. Our onboarding includes IAL2-compliant identity verification to ensure every user is a uniquely resolved individual.

MFA is enforced automatically by the platform. If a staff member loses an MFA device, letting us know allows us to reset their credentials quickly. During onboarding, we handle identity verification to bind each user to their account.

All personnel with unescorted access to CJI must undergo national fingerprint-based record checks (PS-3). Upon termination or transfer, system access must be disabled within 24 hours (PS-4, PS-5). Agencies must maintain a formal list of all authorized users (PS-3).

Every EqualLaw engineer with logical access to our production environment has passed a state and national fingerprint-based background check. We maintain a rigorous internal "Insider Threat" program and execute annual security re-attestations. Our SaaS architecture ensures that while we manage the application, your data remains encrypted such that the underlying cloud provider (AWS) never has access (PS-7).

When someone leaves your office, an admin can revoke their access directly from the platform. You can also contact us and we will handle it for you.

Per AT-2 and AT-3, all personnel must complete security training "prior to accessing CJI" and "annually thereafter." Training must specifically cover social engineering, insider threats, and Personally Identifiable Information (PII) handling. Training records must be retained for a minimum of 3 years (AT-4).

EqualLaw mandates rigorous role-based training for all internal engineering staff (Privileged Users). To assist your compliance, our platform includes a "General User" training tracking module to help you log completion status.

If your office handles CJI directly, annual security awareness training may be required by your state CSA. Our platform includes a training tracking module to make this easy if you need it.