
For law enforcement agencies evaluating a move from installed portal software to a browser-based platform, CJIS compliance is often the first concern. And it should be. Any system that accesses, transmits, or stores Criminal Justice Information (CJI) must meet the security requirements outlined in the FBI CJIS Security Policy.
The good news is that moving to a browser-based portal doesn’t change the CJIS compliance requirements your agency must meet. The same policy areas apply whether the software is installed locally or accessed through a browser. What changes is how those requirements are implemented, and in many cases, a browser-based architecture makes compliance easier to maintain, not harder.
This article walks through the specific CJIS policy areas that IT teams should verify when moving to a browser-based portal, what to look for in a vendor, and where the compliance advantages of this architecture actually show up in practice.
What the CJIS Security Policy Requires for Hosted Platforms
The CJIS Security Policy (currently version 5.9.5, released July 2024) covers 19 policy areas that apply to any system handling CJI. When an agency uses a vendor-hosted, browser-based portal instead of on-premises installed software, both the agency and the vendor share responsibility for meeting these requirements.
The policy does not prohibit hosted or browser-based access to CJI. Appendix G.3 specifically addresses cloud computing environments and outlines the conditions under which CJI can be processed, stored, and transmitted through third-party infrastructure.
The core principle is straightforward: the agency retains control over how CJI is protected, even when the infrastructure is managed by a vendor. This means the vendor must sign the CJIS Security Addendum, and the agency must verify that the security controls are in place before any CJI flows through the new system.
Encryption Requirements for CJI in Browser-Based Portals
Encryption is one of the most scrutinized areas during any CJIS audit. The policy requires that CJI be encrypted at every stage:
- In transit: All data exchanged between the agency and the portal must be encrypted using TLS 1.2 or higher. This applies to every query, response, and message that moves between the browser and the server.
- At rest: CJI stored on the server must be encrypted in a way that prevents unauthorized access, even if the storage infrastructure is compromised. Agencies focused on law enforcement data protection should confirm that their vendor uses FIPS 140-2 or FIPS 140-3 validated encryption modules for data at rest.
- In processing: When CJI is decrypted for active processing, the environment must be secured so that vendor personnel cannot access unencrypted data. This is typically achieved through hardware security modules (HSMs) or confidential computing environments.
The encryption key control point is critical. Under the CJIS Security Policy, the agency must retain control over the cryptographic keys used to protect CJI. The vendor should not have the ability to decrypt CJI independently. This is a non-negotiable requirement, and it should be verified before any data migration begins.
Authentication and Access Controls
The CJIS Security Policy requires multi-factor authentication (MFA) at Authenticator Assurance Level 2 (AAL2) for any user accessing CJI. In a browser-based portal, CJIS-compliant authentication is handled centrally on the server rather than configured on each individual device.
This centralized approach has practical advantages for law enforcement IT teams:
- MFA policies are enforced uniformly across all users and devices. There’s no risk of one workstation being configured differently from another.
- Session management rules, including automatic lockout after inactivity, apply consistently regardless of whether an officer logs in from a desktop, MDT, or shared terminal.
- Role-based access controls (RBAC) are defined once at the server level. Officers, dispatchers, investigators, and administrators each see only the data and functions relevant to their role.
- Failed login lockout policies protect against brute-force attempts uniformly, without needing per-device configuration.
For agencies currently managing authentication across dozens of installed endpoints, a browser-based portal consolidates these controls into a single management layer. That’s less configuration work for IT and a more consistent security posture for the agency.
Audit Logging and Compliance Documentation
One of the most significant compliance advantages of a browser-based portal is centralized audit logging. Every query, login, data access, and user action is recorded in one system. When a CJIS compliance audit requires documentation of who accessed what CJI and when, the logs are already consolidated.
With installed software, audit trails are often scattered across individual workstations and endpoints. Assembling a complete picture of user activity during an audit requires pulling data from multiple sources, which is time-consuming and prone to gaps.
A browser-based architecture resolves this by design. All user activity passes through the server, so the audit trail is inherently complete. This makes it significantly easier for IT teams to demonstrate compliance and for CJIS coordinators to produce the documentation auditors expect.
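Because the audit trail is centralized, it can also be used to check that the server-side controls described above (MFA on every session, inactivity lockout, failed-login lockout) are actually being enforced. The following is an added example, not code from PsPortals or from the CJIS Security Policy; the JSON-lines export format, event names, field names, and threshold values are all assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta

# Assumed thresholds for illustration; set them from your agency's policy.
IDLE_LIMIT = timedelta(minutes=30)
MAX_FAILED = 3

# Constructed sample records in a hypothetical JSON-lines audit export.
SAMPLE_LOG = """
{"ts":"2024-08-01T08:00:00","user":"ofc101","event":"login","mfa":true}
{"ts":"2024-08-01T08:05:00","user":"ofc101","event":"query","target":"NCIC"}
{"ts":"2024-08-01T09:10:00","user":"ofc101","event":"query","target":"NLETS"}
{"ts":"2024-08-01T08:01:00","user":"dsp202","event":"login","mfa":false}
{"ts":"2024-08-01T08:02:00","user":"dsp202","event":"query","target":"NCIC"}
{"ts":"2024-08-01T08:10:00","user":"inv303","event":"login_failed"}
{"ts":"2024-08-01T08:10:05","user":"inv303","event":"login_failed"}
{"ts":"2024-08-01T08:10:10","user":"inv303","event":"login_failed"}
{"ts":"2024-08-01T08:10:15","user":"inv303","event":"login_failed"}
"""

def audit_findings(log_text, idle_limit=IDLE_LIMIT, max_failed=MAX_FAILED):
    """Return (timestamp, user, finding) tuples for apparent control gaps."""
    records = sorted((json.loads(line) for line in log_text.splitlines()
                      if line.strip()), key=lambda r: r["ts"])
    state = {}  # per user: last activity, MFA flag, consecutive failures
    findings = []
    for r in records:
        ts = datetime.fromisoformat(r["ts"])
        s = state.setdefault(r["user"], {"last": None, "mfa": False, "failed": 0})
        event = r["event"]
        if event == "login":
            s.update(last=ts, mfa=bool(r.get("mfa")), failed=0)
        elif event == "logout":
            s.update(last=None, mfa=False)
        elif event == "lockout":
            s["failed"] = 0
        elif event == "login_failed":
            s["failed"] += 1
            if s["failed"] == max_failed + 1:  # lockout should have fired
                findings.append((r["ts"], r["user"], "no_lockout_after_failures"))
        elif event == "query":
            if s["last"] is None or not s["mfa"]:
                findings.append((r["ts"], r["user"], "query_without_mfa_session"))
            elif ts - s["last"] > idle_limit:
                findings.append((r["ts"], r["user"], "query_after_idle_limit"))
            if s["last"] is not None:
                s["last"] = ts  # any query counts as session activity
    return findings
```

An empty result on a real export is evidence the controls are holding; each finding is a record to pull for the CJIS coordinator before an auditor asks for it.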
What to Verify Before Selecting a Vendor
Not every browser-based portal vendor meets the CJIS Security Policy requirements. Before committing to a platform, IT teams and CJIS coordinators should confirm the following:
The vendor has signed the CJIS Security Addendum.
This is the foundational agreement between the agency and the vendor. It defines the security obligations the vendor must meet when handling CJI. If a vendor hasn’t signed the Security Addendum, the conversation should stop there.
The vendor’s infrastructure is hosted exclusively in the United States.
CJI must not be stored or processed in data centers outside U.S. jurisdiction. Confirm that the vendor’s primary and backup infrastructure are both U.S.-based.
The vendor can demonstrate FIPS-validated encryption.
Encryption modules must be validated under FIPS 140-2 or FIPS 140-3. The vendor should be able to provide certification documentation, not just claims of compliance.
The vendor provides audit-ready documentation.
The vendor should be able to produce audit logs, security architecture documentation, and compliance reports on demand. For agencies following law enforcement IT audit best practices, this documentation should be available before go-live, not assembled after the fact.
Personnel with access to CJI infrastructure have undergone background checks.
Under the CJIS Security Policy, the requirement for fingerprint-based background checks on vendor personnel depends on the service model and whether vendor staff have access to unencrypted CJI. If the vendor uses customer-managed encryption keys and the infrastructure prevents vendor access to unencrypted data, the fingerprint-based check requirement may be adjusted. This should be reviewed against the current version of Appendix G.3.
The vendor provides 24/7 support with law enforcement experience.
Technical support for a CJIS-compliant system isn’t general IT support. The vendor’s team should understand law enforcement operations, NCIC/NLETS query workflows, and the compliance documentation chain.
The Zero-Footprint Advantage for CJIS Compliance
One of the most practical compliance advantages of a browser-based portal is zero-footprint architecture. In a zero-footprint deployment, no software is installed on local devices and no CJI is stored on endpoints.
This matters for CJIS compliance in several ways:
- If a patrol laptop or shared workstation is lost, stolen, or compromised, no CJI is exposed because none was ever stored on the device.
- When an agency migrates away from an installed system, the CJIS endpoint sanitization requirements are significantly reduced. There’s no local database to wipe, no cached queries to clear, and no data destruction certificates to obtain for individual devices.
- Patch management and version control happen on the server. Every user accesses the same current version through the browser, so there’s no risk of version inconsistency creating compliance gaps across the device fleet.
For agencies managing compliance across multiple locations, shifts, and user roles, zero-footprint deployment reduces the attack surface and the documentation burden simultaneously. The portal security architecture handles what would otherwise require per-device configuration and monitoring.
How PsPortals Meets CJIS Requirements
PsPortals provides browser-based, CJIS-compliant database access software built specifically for law enforcement agencies. Portal XL connects officers, dispatchers, and investigators to NCIC, NLETS, state criminal history repositories, and local databases through a single browser interface.
From a CJIS compliance standpoint, Portal XL is designed around the policy requirements rather than retrofitting security controls onto a general-purpose platform:
- Zero-footprint architecture: no CJI stored on any local device. The browser acts as a secure viewing window into a centralized, protected environment.
- FIPS-validated encryption for data in transit and at rest, with agency-controlled encryption keys.
- Multi-factor authentication enforced for every user session, meeting the AAL2 requirement.
- Role-based access controls configured centrally, so officers, dispatchers, and administrators see only the data relevant to their function.
- Comprehensive audit logging that records every query, login, access event, and user action in a single, exportable system.
- Signed FBI Security Addendum with PsPortals, establishing the contractual compliance framework.
- 24/7 technical support from a team with over 30 years of experience serving law enforcement agencies.
For agencies currently running installed portal software and managing CJIS compliance across individual endpoints, Portal XL consolidates those controls into a single, server-managed architecture. The compliance posture improves while the IT maintenance burden goes down.
Frequently Asked Questions
Q1: Does the CJIS Security Policy allow law enforcement agencies to use browser-based portals for CJI access?
Yes. The CJIS Security Policy (v5.9.5) does not prohibit browser-based or vendor-hosted access to CJI. Appendix G.3 specifically addresses cloud and hosted computing environments and outlines the conditions under which CJI can be processed, stored, and transmitted through third-party infrastructure, provided all security controls are in place.
Q2: What encryption standards does the CJIS Security Policy require?
The policy requires FIPS 140-2 or FIPS 140-3 validated encryption modules for protecting CJI. Data must be encrypted in transit (TLS 1.2 or higher), at rest, and during processing. The agency must retain control over the cryptographic keys used to protect CJI.
Q3: Who is responsible for CJIS compliance when using a vendor-hosted portal?
Compliance is a shared responsibility. The agency is ultimately accountable for ensuring CJI is protected. The vendor must sign the CJIS Security Addendum and meet the technical security requirements. Both parties should document their respective responsibilities clearly before deployment.
Q4: How does zero-footprint architecture help with CJIS compliance?
Zero-footprint means no software is installed on local devices and no CJI is stored on endpoints. This reduces the attack surface, removes the need for per-device CJIS endpoint sanitization, and simplifies audit documentation because all user activity is logged centrally on the server.
Q5: Do vendor personnel need fingerprint-based background checks under the CJIS Security Policy?
It depends on the service model. If the vendor uses customer-managed encryption keys and the infrastructure prevents vendor personnel from accessing unencrypted CJI, the fingerprint-based check requirement may be adjusted per Appendix G.3. The specific applicability should be reviewed against the current version of the CJIS Security Policy.
Q6: What should agencies verify before selecting a CJIS-compliant portal vendor?
Confirm that the vendor has signed the CJIS Security Addendum, uses FIPS-validated encryption with agency-controlled keys, hosts infrastructure exclusively in the United States, provides audit-ready documentation on demand, and offers 24/7 support with law enforcement experience.