For many public safety and justice agencies, Criminal Justice Information Services (CJIS) compliance has become a daily balancing act.
The policy now demands stronger safeguards — like multifactor authentication (MFA), continuous oversight and vendor accountability — across every system that touches criminal justice data. Yet the realities of the job haven’t changed: officers still share devices, move quickly between systems and need reliable access to do their work.
In 2024, the FBI introduced two major updates to the CJIS Security Policy. Version 5.9.5 required MFA for anyone accessing criminal justice data, and Version 6.0 expanded the scope even further — adding continuous monitoring, supply chain and third-party risk management, and lifecycle-based access controls.
The challenge is that many legacy systems weren’t built for modern authentication. Replacing them isn’t realistic. Yet leaving them unsecured isn’t an option.
What agencies need is a modern access framework that layers identity and authentication controls across both old and new systems, without creating friction for users.
In this Q&A, Nick Stohlman, VP of CJIS Program Strategy at Imprivata, reflects on what it takes to keep pace with CJIS today — drawing on his unique experience as a former drug enforcement agent, chief deputy sheriff, and founder of a criminal justice technology company.
His insider perspective will help guide agencies on how they can bridge policy and operations while preparing for what’s next.
Q: From your perspective, how has the role of CJIS compliance changed within public safety agencies over time?
A: When I started in law enforcement, compliance was something we checked off once a year, not something that drove operational change. Today, CJIS has become a catalyst for modernization.
The policy now pushes agencies to adopt stronger identity controls, authentication, and monitoring that make their systems safer and more efficient.
Q: As those requirements expand — with MFA, continuous oversight and vendor accountability — what makes it hardest for agencies to keep up?
A: Many legacy systems in law enforcement and justice were not designed for MFA or identity federation. Agencies are trying to bolt modern security onto 20-year-old infrastructure while keeping officers operational. It is not a lack of will; it is a lack of integration.
The good news is that agencies do not have to replace what they already have. Instead, they can connect the old with the new, overlaying identity and access management across both legacy and cloud systems.
In this way, they can comply with CJIS 6.0 requirements like MFA, continuous monitoring and vendor accountability, without interrupting daily workflows.
Q: From your time leading a department, what kinds of workflow challenges did you see when security tools didn’t fit smoothly into daily operations?
A: Password fatigue. Officers would often get locked out of systems or juggle multiple credentials during a shift.
Another challenge is shared logins, which are common in dispatch and jail environments because they’re convenient, until an incident occurs and no one can trace who did what. That lack of accountability is dangerous in today’s environment.
The truth is that security only works if it fits with how officers actually operate. Their top concern is protecting the public's safety. If you make it harder for them to do that job, they’ll find workarounds or shortcuts, and that’s when security risk creeps in.
What I love about what we’re doing at Imprivata is that we’ve taken those pain points and built solutions around them. For example, single sign-on and badge-tap authentication let an officer securely log in and out of systems with a simple tap, not a dozen passwords. And every login and system access is tied to a verified individual, even with shared workstations.
That means compliance, auditability and convenience can finally all coexist.
Q: Audits are another major stress point. From your experience, what do agencies most often overlook when it comes to audit readiness?
A: Documentation and visibility are often the Achilles’ heel. Agencies may be compliant in practice but lack the records to prove it. Vendor access, account changes, and privileged logins need to be continuously monitored and documented.
A good way to stay audit-ready is by automating those processes, capturing who accessed what, when and from where. That way, when an auditor shows up, agencies can provide a full access report in minutes instead of weeks. That automation eliminates one of the biggest sources of stress in compliance management.
Q: CJIS keeps moving forward. What does it take for agencies to stay ready and keep pace?
A: CJIS will continue to expand into every corner of the justice system — not just police, but courts, corrections and probation. As agencies adopt more cloud-based tools, the focus will shift from securing systems to securing identities.
It’s critical to have a platform in place that keeps you ready for the future. That means supporting both hybrid and cloud environments and providing continuous identity assurance no matter where the data lives.
The next generation of CJIS compliance will be about shared accountability: agencies, vendors and cloud providers working together — and Imprivata is helping define that model.
Q: Bringing that to life, what does readiness look like in practice? What steps can agency leaders take now to modernize?
A: Start small. You don’t need to tackle CJIS modernization in one massive project. Identify your top risk areas (shared logins, MFA gaps or unmonitored vendor accounts) and fix those first.
Also, partner smart. Working with a partner like Imprivata gives agencies access to proven CJIS-aligned solutions that can scale as they grow. You’re not reinventing the wheel — you’re adopting a framework that’s already built to meet those CJIS requirements, saving time and reducing risk.
At Imprivata, our technology helps agencies turn compliance into an opportunity, not a burden. We do this by providing identity and access solutions that automate the hard parts of CJIS, like user verification, audit trails, and access logging. It is about transforming compliance from a checklist into an operational advantage.