Executive Summary
The CJIS Security Policy outlines the minimum security requirements that Criminal Justice Agencies (CJAs) and Noncriminal Justice Agencies (NJCAs) must follow to access FBI CJIS systems and safeguard criminal justice information (CJI). Casebook’s clients include both CJAs and NJCAs that license Casebook products to manage CJI, which places Casebook and those clients within a shared responsibility framework for compliance. Casebook fulfills its CJIS obligations where applicable — for example, by conducting background investigations for Casebook employees who require access to CJI and by executing CJIS Security Addendum agreements with relevant clients. This whitepaper presents an overview of Casebook’s CJIS compliance program, including the shared responsibility model it operates under in collaboration with affected clients.
It is also important to note that Casebook undergoes periodic audits for SOC 2 Type 2 recertification and for compliance with the HIPAA security and privacy frameworks. This program includes regular penetration testing, in addition to Casebook’s execution of policies and procedures designed to adhere meaningfully to NIST 800-53 and, more specifically, to CJIS security controls. Casebook also hosts its customer environments in Amazon Web Services (AWS), which itself takes a number of steps to align its services with the CJIS framework.
To access the FBI’s CJIS Security Policy itself, please visit the FBI’s CJIS Security Policy Resource Center.
What is Criminal Justice Information (CJI)?
Criminal Justice Information (CJI) encompasses all data provided by the FBI’s CJIS division that is essential for law enforcement agencies to carry out their duties and enforce the law. This includes biometric data, identity history, personal and organizational records, property information, and case or incident histories. CJI also includes data made available by the FBI’s CJIS systems to support the missions of civil agencies, such as information used in background checks and hiring decisions. Casebook solutions may interact with or support the handling of such data in accordance with applicable security standards.
Criminal Justice Information (CJI) must be protected until it is either (a) lawfully disclosed to the public, such as through an authorized crime report, or (b) purged or destroyed in accordance with applicable record retention policies. The CJIS Security Policy establishes a baseline set of security requirements defining the controls necessary for managing and safeguarding CJI.
Although no centralized authority formally certifies vendor compliance with the CJIS Security Policy, many vendors claim their solution is “CJIS certified.” In reality, no such certification exists.
The FBI has made clear that both Criminal Justice Agencies (CJAs) and Noncriminal Justice Agencies (NJCAs) remain ultimately responsible for ensuring CJIS compliance, even when they engage third-party vendors to provide software or services involving CJI. Each agency determines how a given solution meets CJIS requirements based on its own internal risk assessment and standards for compliance.
Casebook serves clients across the United States, each with unique security and compliance needs. In cases where a client’s specific CJIS compliance expectations exceed the minimum standards set by the FBI and differ from those of other Casebook clients, Casebook works collaboratively with the agency to define a mutually acceptable approach—one that aligns with the CJIS Security Policy and industry best practices. If Casebook agrees to implement additional measures to meet a unique client requirement, the company reserves the right to assess a fee for those enhancements and to schedule their delivery based on a commercially reasonable timeline.
To formally affirm its responsibilities under the CJIS Security Policy, Casebook has executed the CJIS Security Addendum. A copy of the signed CJIS Security Addendum is available for reference. In addition, every Casebook employee with access to CJI is required to sign the CJIS Security Addendum as part of their onboarding and compliance training process.
The Shared Responsibility Model
Casebook relies on the FBI’s shared responsibility matrix, which outlines the respective obligations of Casebook and its impacted clients in relation to the security controls defined by the FBI’s CJIS Security Policy.
Under the shared responsibility model, Casebook clients retain responsibility for managing their own environments and data, even when Casebook provides a hosted solution. For example, clients are expected to maintain responsibility for:
- Managing user identities and access within the Casebook system;
- Enforcing access control policies over their Casebook environment;
- Securing the devices and endpoints that connect to Casebook’s cloud services, including control over hardware, software, applications, and user permissions;
- Ensuring data protection, including secure transmission, data integrity, backup and recovery processes, and appropriate rights and permissions management.
By the end of 2025, Casebook will have an adaptation of the shared responsibility matrix that more discretely identifies what Casebook will claim responsibility for vs. what the client will have ownership over within the scope of a given control. We also aim to have our existing information security documentation further refined to demonstrate adherence to lower-level details of certain controls.
CJIS Policy Areas
The FBI’s CJIS Security Policy is organized into 19 thematic areas, each outlining controls required to safeguard CJI. Casebook adheres to these standards as part of a shared responsibility model with our clients. While the FBI shared responsibility matrix defines specific roles for Casebook and our agency partners, the following provides a high-level look at the policy areas and how Casebook aligns with them.
Policy Area 1 — Information Exchange Agreements
Any customer who uses Casebook to manage CJI should engage with Casebook to establish a formal agreement outlining data handling expectations, procedural safeguards, and security responsibilities. These terms will be considered addenda to Casebook’s standard business agreements. Casebook has also signed the CJIS Security Addendum to further reinforce this commitment.
Policy Area 2 — Security Awareness Training
All Casebook staff who have access to CJI go through annual security awareness training to ensure awareness of security protocols and responsibilities. Casebook will work with clients’ Security Officers to enroll relevant Casebook personnel in additional training as required. We maintain comprehensive training logs to ensure compliance is consistently upheld.
Policy Area 3 — Incident Response
Casebook has a structured response protocol that follows industry best practices across all stages: preparation, detection and analysis, containment/eradication/recovery, and post-incident activity. Our response processes are assessed as part of our SOC 2 Type 2 and HIPAA audits. Clients are responsible for managing incidents in their own environments, as Casebook does not oversee client-side security events.
Policy Area 4 — Auditing and Accountability
To support transparency and accountability, client systems must be able to log key security events. When clients undergo audits, Casebook assists by supplying relevant documentation and answering questions related to the usage of our hosted environments.
Policy Area 5 — Access Control
Access to CJI through Casebook systems is governed by robust controls, including secure authentication, VPN access, and encryption mechanisms compliant with FIPS 140-2 standards. We also apply policies to manage wireless and mobile device connections securely for Casebook employees. The Casebook platform is built on the principle of least privilege and will provide even more granular permission functionality in 2025. Finally, Casebook customers are responsible for authorizing access to their Casebook tenant and for provisioning and decommissioning user accounts.
Policy Area 6 — Identification and Authentication
Every Casebook team member with CJI access receives a unique login and must follow stringent password protocols. Credentials on customer tenants are rotated periodically and 2FA is enabled on all client environments for Casebook user accounts to mitigate risk and enforce accountability.
Policy Areas 7 & 16 — Configuration Management & Maintenance
To protect sensitive data, Casebook maintains logically segregated tenants for CJI and limits administrative access. Configuration and architectural documentation, including systems diagrams and process descriptions, are secured internally. A summarized network topology can be requested by emailing security@casebook.net.
Policy Area 8 — Media Protection
CJI handled by Casebook is safeguarded in all formats—whether stored electronically or in hard copy. Our solutions support strong encryption during transmission and storage. We apply classification and risk-based controls to manage and secure sensitive data effectively.
Policy Area 9 — Physical and Environmental Protection
Casebook is a 100% virtual company where all employees work remotely. Employees are required to work from secure locations over secure internet connections when accessing CJI. Casebook also hosts its customer environments in Amazon Web Services (AWS), which itself takes a number of steps to align its services with the CJIS framework.
Policy Areas 10 & 15 — Systems and Communications Protection and Information Integrity
Casebook uses a layered defense strategy to secure its infrastructure. This includes encryption, continuous patching, anti-malware solutions, and other system integrity measures designed to keep data safe and communications secure. As mentioned previously, Casebook also hosts its customer environments in Amazon Web Services (AWS), which itself takes a number of steps to align its services with the CJIS framework. Finally, as an approved AWS public sector marketplace vendor, Casebook has gone through multiple review cycles with Amazon to ensure our system architecture adheres to internet security best practices and standards.
Policy Area 11 — Formal Audits
While the FBI directly audits law enforcement agencies, not vendors, Casebook collaborates fully with client agencies to support their audit readiness. We provide the appropriate technical and procedural information relevant to our role in the shared security model.
Policy Area 12 — Personnel Security
All Casebook personnel with potential access to CJI undergo background screening. Casebook retains verification records for audit and compliance purposes.
Policy Area 13 — Mobile Devices
Clients bear responsibility for managing the use of mobile devices by their users who access CJI. Agencies must establish usage guidelines and monitoring protocols for smartphones, tablets, and other portable endpoints, in line with CJIS requirements. Casebook can support agencies with guidance, but enforcement lies with the agency itself.
Policy Area 14 — System and Services Acquisition
Casebook ensures that all system components are actively supported by their original developers, vendors, or manufacturers, and establishes timelines to replace any components that reach end-of-support status.
Policy Area 17 — Planning
Casebook reviews its policies and procedures for revision on an ongoing basis, culminating in yearly SOC 2 Type 2 and HIPAA recertification. Customers are responsible for planning activities pertaining to their own security and privacy policies and procedures within their own tenants.
Policy Area 18 — Contingency Planning
Casebook maintains robust business continuity and disaster recovery plans in addition to the aforementioned incident response policies and procedures. Plans are periodically tested to ensure continued adherence to CJIS controls and operational viability.
Policy Area 19 — Risk Assessment
Casebook takes a layered approach to risk assessment, evaluating risk to system security at the organizational, business process, and system levels. Casebook software periodically undergoes vulnerability scanning, culminating in a penetration test at least yearly. In addition, policies and procedures are periodically reviewed and audited as part of the SOC 2 Type 2 and HIPAA recertification processes.
Conclusion
As cybersecurity threats evolve, so too do the standards for safeguarding sensitive data—especially with regard to CJIS compliance. At Casebook, we remain vigilant and forward-thinking in our approach to data protection. Our commitment to CJIS compliance is not static; it’s a continuous process of refinement and improvement. This whitepaper reflects our current practices, but because those practices evolve, we recommend revisiting the compliance section of our website regularly for the most recent updates.
Casebook understands that maintaining compliance is a shared responsibility. We invest heavily in building strong foundations for our agency partners by appointing a security officer, ensuring executive-level sponsorship of compliance efforts, and engaging third-party CJIS consultants. Internally, we champion a compliance-first culture by aligning technical and operational teams around our security mission. These combined efforts reflect our deep commitment to supporting our clients in meeting and exceeding CJIS expectations.
This document is provided for informational purposes only, and it is provided “as is,” without warranties of any kind, whether express or implied. In addition, this document does not create any representations, contractual commitments, conditions or assurances from Casebook or any of its related entities. Casebook’s responsibilities to its clients are set forth in the contract(s) it has signed with those clients, and this document is not a part of, and does not modify, any such contract. The document reflects Casebook’s current CJIS compliance practices, which may be updated from time to time at Casebook’s discretion and without advance notice. Casebook’s clients and prospects are responsible for making their own assessment of the information contained herein, and/or of Casebook’s products and services, each as they may be updated from time to time.