CJIS Security Policy Network Requirements Checklist
Dispatch centers and records units pass CJIS audits on paperwork more often than on the network itself — here's where the technical controls actually live.
By Uniqcli Team · · 6 min read

Compliance checklist
The CJIS Security Policy network requirements checklist most agencies build piecemeal
CJIS Security Policy is not a single form to sign — it's a set of technical controls layered across the network path between a records-management system, a dispatch console, and the FBI's criminal justice information services. Most agencies meet parts of it well: they lock down the RMS server, train staff on handling procedures, and pass the personnel-vetting requirements without issue. Where audits stall is the network itself — the switches, wireless access points, VPN concentrators, and boundary devices that carry CJI between buildings, vehicles, and partner agencies. Those requirements are specific (advanced authentication, FIPS 140-2/140-3 validated encryption, session lock timing, boundary logging) and they get missed because they sit between departments: IT owns the network, records owns the data, and nobody owns the checklist end to end.
Where the network-layer requirements actually sit in CJIS Security Policy
CJIS Security Policy organizes its technical controls into policy areas — access control, identification and authentication, configuration management, media protection, system and communications protection, and audit and accountability. The network requirements are distributed across several of these rather than collected in one place, which is the first reason they get missed: a checklist built from Policy Area 5 (access control) alone will pass over the encryption-in-transit language sitting in Policy Area 13 (mobile devices) or the boundary protection language in Policy Area 10 (system and communications protection).
Practically, this means the network requirements touch four layers: the perimeter (firewalls and boundary protection between the agency network and any external connection), the transport (encryption for CJI in transit, including over wireless), the endpoint (advanced authentication for any device accessing CJI outside a physically secure location), and the audit trail (logging that can reconstruct who touched what, from where, and when). A checklist that only covers one layer looks complete but isn't.
What advanced authentication actually requires on the network
CJIS Security Policy requires advanced authentication — a second factor beyond a username and password — for any access to CJI from outside a physically secure location. In practice that means patrol laptops, take-home devices, and any remote RMS or dispatch access. A single sign-on portal with just a password does not satisfy this even if the underlying application is compliant; the control lives at the network access point, not the application.
The infrastructure most agencies underestimate here is the VPN concentrator and the wireless authentication server. A patrol vehicle's mobile data terminal connecting over cellular needs the same advanced-authentication enforcement as a desktop inside the building connecting over a compliant wireless network — the location changes, the requirement doesn't. Agencies that treat in-building wireless as 'internal' and skip advanced authentication on it are applying an exemption CJIS Security Policy does not actually grant.
Encryption in transit: what FIPS 140-2/140-3 validation means for switches and access points
CJI in transit over any network the agency does not fully control — cellular, public internet, a shared county WAN — must be encrypted using FIPS-validated cryptographic modules. This is a specific bar: consumer-grade Wi-Fi encryption (standard WPA2/WPA3 without a validated module) does not meet it, and neither does a VPN client whose cryptographic implementation hasn't gone through validation. The module itself needs the certificate, not just the encryption algorithm's name on a spec sheet.
This is also where the sunset of FIPS 140-2 validations matters for procurement timing: modules validated only under 140-2 are being phased toward 140-3, and agencies refreshing wireless access points, VPN appliances, or mobile data terminals now should confirm the replacement hardware carries a current or transitioning validation rather than one nearing expiration. Buying hardware with an aging FIPS certificate creates a compliance gap on a multi-year refresh cycle, not an immediate one — which is exactly the kind of gap that surfaces at the next audit.
Boundary protection, session controls, and the audit trail
Boundary protection requires that any connection between the agency's network and an external network — a state fusion center, a neighboring jurisdiction, an RMS vendor's hosted environment — passes through a managed access control point, typically a firewall with documented rules and logging, not an open trust relationship. Flat networks where dispatch, records, and guest or public-facing systems share the same broadcast domain fail this requirement even when every individual device is otherwise compliant.
Session lock and audit logging round out the network-facing controls: workstations and mobile terminals need automatic session lock after a defined period of inactivity, and every access point in the chain — switch, wireless controller, VPN, firewall — needs to generate logs sufficient to reconstruct an access event. Agencies often log at the application layer (who logged into the RMS) but not at the network layer (which device, on which access point, at what time), and CJIS Security Policy expects both to be reconstructable together.
CJIS network requirements checklist
Items most audits flag when they're missing, organized by the layer they sit in.
- Advanced authentication enforced at every access point outside a physically secure location, including patrol MDTs and take-home devices
- Wireless access points using FIPS-validated encryption modules, not default consumer WPA2/WPA3
- VPN concentrators and firewalls carrying current (or actively transitioning) FIPS 140-2/140-3 module validation
- Dispatch, records, and guest/public network segments physically or logically separated — no flat network carrying CJI
- Managed access control point (firewall with documented rule set) at every boundary to an external network or partner agency
- Automatic session lock configured on all workstations and mobile terminals after a defined inactivity period
- Network-layer logging (switch, wireless controller, VPN, firewall) retained and correlatable with application-layer access logs
- Configuration management baseline documented for network devices, with change control separate from day-to-day admin access
Frequently asked
Does CJIS Security Policy require FIPS 140-2 or FIPS 140-3 validated encryption?
CJIS Security Policy requires FIPS-validated cryptographic modules for CJI in transit over uncontrolled networks. NIST is transitioning validations from 140-2 to 140-3, so new procurement should favor modules with current or actively transitioning certificates rather than modules nearing the end of their 140-2 validation window.
Is in-building Wi-Fi exempt from CJIS advanced authentication requirements?
No. Advanced authentication requirements attach to access from outside a physically secure location, not to the network medium. Wireless access inside a facility that is not itself designated a physically secure location for CJI still requires advanced authentication, the same as remote or mobile access.
Can dispatch and records share the same network segment under CJIS Security Policy?
A shared, unsegmented network where CJI-handling systems sit on the same broadcast domain as guest, public-facing, or unrelated administrative systems does not meet CJIS Security Policy's boundary protection expectations. Logical or physical segmentation with a managed access control point between segments is the standard approach.
What network logging does a CJIS audit typically check?
Auditors look for logs that can reconstruct an access event end to end — device, access point, timestamp, and outcome — at the network layer (switch, wireless controller, VPN, firewall), not just application login logs. Retention length and the ability to correlate network and application logs together are common findings.
Related resources
Go deeper
Public safety infrastructure
Network, radio, and dispatch infrastructure sourcing for police, fire, and 911 centers.
Learn moreCybersecurity capability
Screening, staging, and integration support for compliance-driven security infrastructure.
Learn moreState, local, and education solutions
Procurement support built around SLED budget cycles and compliance requirements.
Learn moreSourcing CJIS-aligned network hardware
Uniqcli sources, screens, and stages switches, wireless access points, VPN appliances, and firewalls to help public safety agencies meet CJIS Security Policy's network-layer requirements — get a quote scoped to your dispatch center or records unit.