ThreatLocker and CJIS Security Policy Compliance

8 min. read | Last update: 01.26.2026

The Criminal Justice Information Services (CJIS) division of the Federal Bureau of Investigation (FBI) publishes the CJIS Security Policy, which outlines the minimum security requirements that agencies accessing the FBI CJIS Division's systems must implement. These requirements seek to ensure that appropriate controls are in place to protect Criminal Justice Information (CJI). For more information, please see the official Law Enforcement CJIS Security Policy Resource Center (CJIS Security Policy Resource Center — LE).

Disclosure: ThreatLocker does not provide legal or compliance advice and is not a certifying authority for CJIS compliance. The information provided represents ThreatLocker’s best-effort assessment of how its product capabilities may support certain CJIS version 5.9.4 requirements when properly configured. An organization’s compliance status is dependent on multiple factors beyond the ThreatLocker platform. Any CJIS controls or requirements not explicitly referenced below are not currently supported by ThreatLocker.

5.4 Audit and Accountability (AU)

AU-2 Event Logging

"Identify the types of events that the system is capable of logging in support of the audit function: authentication, file use, user/group management, events sufficient to establish what occurred, the sources of events, outcomes of events, and operational transactions (e.g., NCIC, III)..."

  • The ThreatLocker Unified Audit will display activities performed on protected devices, including file access in protected locations and executable actions using elevated permissions.

AU-3 Content of Audit Records

"Ensure that audit records contain information that establishes the following: 
a. What type of event occurred; 
b. When the event occurred; 
c. Where the event occurred; 
d. Source of the event; 
e. Outcome of the event; and 
f. Identity of any individuals, subjects, or objects/entities associated with the event"

  • ThreatLocker Unified Audit records include the logged-in user, the date/time, and the hostname where the action occurred or was attempted. For network activity, the records also include the source and destination IP addresses.

AU-7 Audit Record Reduction and Report Generation

"Provide and implement an audit record reduction and report generation capability that:
b. Does not alter the original content or time ordering of audit records."

  • Existing ThreatLocker Unified Audit records cannot be altered or deleted by any user, so the original content and time ordering of the audit records are preserved.

AU-9 Protection of Audit Information

"Protect audit information and audit logging tools from unauthorized access, modification, and deletion;..."

  • The ThreatLocker Unified Audit logs can only be accessed by ThreatLocker Administrators. No one can modify or remove Unified Audit logs (data retention ranges from 30 days and up depending on purchased options).

5.5 Access Control (AC)

AC-6 Least Privilege

"Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."

  • ThreatLocker Elevation Control can be leveraged to remove unnecessary local administrator accounts. Applications themselves can be set to elevate when required, helping to negate the need to provide users with admin credentials. All elevated actions are recorded as such in the Unified Audit.

AC-7 Unsuccessful Logon Attempts

"a. Enforce a limit of five (5) consecutive invalid logon attempts by a user during a 15-minute time period..."

  • ThreatLocker Configuration Manager provides the ability to configure the number of failed login attempts before lockout, and how long the lockout will be on Windows devices.

AC-8 System Use Notification

"Display a system use notification message to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines..."

  • ThreatLocker Configuration Manager provides the ability to set a logon message that will be displayed before users can log onto Windows devices.
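Whatever pushes the settings, an assessor will want to confirm that the lockout threshold and the logon banner actually landed on the endpoint. The following PowerShell script is an added verification example, not ThreatLocker code or a ThreatLocker-documented procedure: it reads the effective local security policy with secedit and the logon banner registry values (both standard Windows locations) and compares them with the AC-7 values quoted above. The 15-minute minimum lockout duration is an assumption for the purposes of the check; the page does not state a required duration.

```powershell
# Added verification script (not ThreatLocker code): reads the effective local
# Windows policy on an endpoint and checks it against the AC-7 and AC-8 values
# quoted above. Run in an elevated PowerShell session on the managed device.

$RequiredThreshold = 5    # AC-7: at most 5 consecutive invalid attempts ...
$RequiredWindow    = 15   # AC-7: ... within a 15-minute observation window
$MinLockoutMinutes = 15   # Assumed minimum lockout duration; not stated on this page

function Get-LocalSecurityPolicy {
    # secedit exports the effective local policy as an INI-style file; the
    # [System Access] section carries the account lockout values.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    secedit /export /cfg $inf /quiet | Out-Null
    try {
        $values = @{}
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $values[$matches[1]] = $matches[2] }
        }
        return $values
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-AccountLockout([hashtable]$Policy) {
    $threshold = [int]$Policy['LockoutBadCount']     # 0 means lockout is disabled
    $window    = [int]$Policy['ResetLockoutCount']   # minutes before the bad-attempt counter resets
    $duration  = [int]$Policy['LockoutDuration']     # minutes; -1 means locked until an admin unlocks
    [pscustomobject]@{
        Control   = 'AC-7'
        Threshold = $threshold
        Window    = $window
        Duration  = $duration
        # Lockout must be enabled, trigger at 5 or fewer attempts, count attempts over
        # at least the 15-minute window, and hold for at least the assumed minimum.
        Pass = ($threshold -ge 1 -and $threshold -le $RequiredThreshold) -and
               ($window -ge $RequiredWindow) -and
               ($duration -eq -1 -or $duration -ge $MinLockoutMinutes)
    }
}

function Test-LogonBanner {
    # The interactive logon banner Windows shows before the credential prompt is
    # read from these two registry values (Group Policy writes the same ones).
    $key     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $caption = [string]$props.legalnoticecaption
    $text    = [string]$props.legalnoticetext
    [pscustomobject]@{
        Control    = 'AC-8'
        Caption    = $caption
        TextLength = $text.Length
        # Both the title and the body must be non-empty for a banner to be displayed.
        Pass = (-not [string]::IsNullOrWhiteSpace($caption)) -and (-not [string]::IsNullOrWhiteSpace($text))
    }
}

$policy  = Get-LocalSecurityPolicy
$results = @((Test-AccountLockout $policy), (Test-LogonBanner))
$results | Format-Table -AutoSize
# Non-zero exit code lets a scheduler or RMM flag the device as non-compliant.
if ($results.Pass -contains $false) { exit 1 } else { exit 0 }
```

The script checks the reset window with "at least 15 minutes" rather than "exactly 15" because a longer reset window still locks out five failures that occur within 15 minutes; a duration of -1 (unlock by administrator only) is stricter than a timed lockout and is treated as passing.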

AC-17 Remote Access

"Employ automated mechanisms to monitor and control remote access methods."

  • ThreatLocker Network Control can be used to block RDP completely, or permit it only for specified users and devices.

5.6 Identification and Authentication (IA)

IA-3 Device Identification and Authentication

"Uniquely identify and authenticate agency-managed devices before establishing network connections. In the instance of local connection, the device must be approved by the agency and the device must be identified and authenticated prior to connection to an agency asset."

  • ThreatLocker Network Control can be configured to only permit access to resources from devices with ThreatLocker installed. All devices with ThreatLocker installed are uniquely identified and cataloged in the ThreatLocker portal along with the last logged-in user on that device, and the last IP address that device connected to the ThreatLocker portal from. All actions are captured in the Unified Audit and can be traced back to the device of origin.

5.7 Policy Area 7: Configuration Management

5.7.1.1 Least Functionality

"The agency shall configure the application, service, or information system to provide only essential capabilities and shall specifically prohibit and/or restrict the use of specified functions, ports, protocols, and/or services."

  • ThreatLocker Application Control can be used to limit who can access permitted applications and block all non-permitted applications by default. ThreatLocker Network Control can be used to block ports and protocols to and from protected devices.

5.8 Media Protection (MP)

MP-2 Media Access

"Restrict access to digital and non-digital media to authorized individuals."

  • ThreatLocker Storage Control can be leveraged to block unauthorized removable media and allow trusted media to be accessed by specified individuals who require access.

MP-7 Media Use

"Restrict the use of digital and non-digital media on agency owned systems that have been approved for use in the storage, processing, or transmission of criminal justice information by using technical, physical, or administrative controls (examples below); and
b. Prohibit the use of personally owned digital media devices on all agency owned or controlled systems that store, process, or transmit criminal justice information; and
c. Prohibit the use of digital media devices on all agency owned or controlled systems that store, process, or transmit criminal justice information when such devices have no identifiable owner."

  • ThreatLocker Storage Control can be leveraged to block unauthorized removable media and allow trusted media to be accessed by specified individuals who require access. Trusted removable media is allowed by serial number, so unknown or unauthorized devices are not permitted.

5.10 Systems and Communications Protections (SC)

SC-7 (5) Boundary Protection | Deny by Default - Allow by Exception

"Deny network communications traffic by default and allow network communications traffic by exception at boundary devices for information systems used to process, store, or transmit CJI."

  • ThreatLocker Network Control is a centrally managed firewall for endpoints and servers. Place a deny-all policy at the bottom of the policy order for managed devices and build policies above it that permit only the required connections to and from those devices.

5.15 System and Information Integrity (SI)

SI-3 Malicious Code Protection

"Configure malicious code protection mechanisms to:
1. Perform periodic scans of the system at least daily and real-time scans of files from external sources at network entry and exit points and on all servers and endpoint devices as the files are downloaded, opened, or executed in accordance with organizational policy; and
2. Block or quarantine malicious code, take mitigating action(s), and when necessary, implement incident response procedures; and send alert to system/network administrators and/or organizational personnel with information security responsibilities in response to malicious code detection;..."

  • ThreatLocker Application Allowlisting can restrict what executables can run in your environment, including scripts and libraries. 
  • Ringfencing allows you the ability to specify what an application can interact with (i.e., other applications, your files, the internet, the registry, etc). 
  • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.
  • Network Control allows inbound traffic to protected devices to be controlled based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection.
  • Configuration Manager provides the ability to disable downloaded Office macros.
  • ThreatLocker Detect can alert you of potentially malicious activity.

SI-4 System Monitoring

"Monitor the system to detect:
1. Attacks and indicators of potential attacks..."

  • ThreatLocker Detect uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a detection condition is defined, administrators can configure the response to take when it is met (e.g., automated notifications or blocking access).

SI-7 Software, Firmware, and Information Integrity

"Employ integrity verification tools to detect unauthorized changes to software, firmware, and information systems that contain or process CJI;..."

  • Application Control can restrict what applications can run in your environment, who can use them, and when. It provides the ability to control and monitor all software installed in your environment. No user can install or make changes to software unless you have permitted it.

5.16 Maintenance (MA)

MA-3 Maintenance Tools

"Approve, control, and monitor the use of system maintenance tools;..."

  • Application Allowlisting can restrict what applications, including IT tools, can run in your environment, who can use them, and when.
  • Ringfencing allows you the ability to specify what an application can interact with (i.e., other applications, your files, the internet, the registry, etc).
  • The Unified Audit captures the use of those tools on protected devices, including any elevated actions.

5.19 Risk Assessment (RA)

RA-5 Vulnerability Monitoring and Scanning

"Monitor and scan for vulnerabilities in the system and hosted applications at least monthly and when new vulnerabilities potentially affecting the system are identified and reported;

Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;..."

  • ThreatLocker Patch Management will automatically report out-of-date software, with the ability to build policies that will automatically update any out-of-date applications.
  • ThreatLocker Defense Against Configurations (DAC) scans protected endpoints daily and reports any misconfigurations to help identify potential vulnerabilities.
