Criminal Justice Information Services (CJIS) provides one of the most stringent compliance frameworks in state and local government. The challenges facing state, local, tribal, and territorial (SLTT) agencies are often complex and not easily overcome. Flat or minimally segmented networks, aging infrastructure and legacy applications, and an expanding attack surface (due to cloud migration, remote access, and third-party vendors) present significant headwinds to meet compliance objectives.
An effective way to address these challenges is microsegmentation. Microsegmentation solutions enable agencies to enforce CJIS requirements continuously rather than merely documenting them for audits.
The CJIS Security Policy
The CJIS Security Policy is designed to ensure the confidentiality, integrity, and availability of criminal justice information (CJI), but in practice, auditors are less focused on specific technologies and more concerned with outcomes. The auditors want to see that access to CJI is tightly controlled, limited to authorized users and systems, and continuously enforced — not just documented on paper.
Core principles such as least privilege, boundary protection, accountability, and auditability consistently surface during assessments, especially in environments where CJIS systems coexist with broader state or local IT infrastructure.
Agencies that can clearly demonstrate how access is restricted, monitored, and logged are far better positioned to pass audits than those that rely on implicit trust within flat networks.
The problem with traditional network segmentation
Many organizations subject to CJIS compliance use traditional segmentation strategies. This methodology includes using VLANs, firewalls, and IP-based access control lists. Although these methods are certainly better than a totally flat network (in which all nodes can communicate with all other nodes), they often fall short in compliance use cases.
Traditional segmentation methods use coarse-grained controls, are difficult to maintain and audit, and can break easily during infrastructure changes. In practice, law enforcement systems end up sharing infrastructure with non-CJIS workloads, and agencies have limited ability to re-architect their networks.
The result? Overtrusted internal networks and excessive access to critical systems that host CJI.
The solution: Microsegmentation
Contrast this with microsegmentation, in which the security perimeter is moved to the device level — meaning that each network host has its own security border. Zero Trust principles assume that a breach will occur, and microsegmentation can contain the blast radius to just the compromised device, preventing lateral movement.
Because microsegmentation is software-defined, enforcement is policy-driven and can use role-based and workload-aware access controls. Microsegmentation enforces explicit trust among systems, operates independently of the underlying network infrastructure, and applies consistently across data center, cloud, and hybrid environments.
Microsegmentation is the cornerstone of Zero Trust architecture.
Mapping microsegmentation to CJIS requirements
The CJIS Security Policy is intentionally architecture independent and risk based, focusing on protecting CJI throughout its entire lifecycle — whether at rest, in transit, or in use. Although the policy does not prescribe specific technologies, it places strong emphasis on access enforcement, least privilege, information flow control, and boundary protection.
Microsegmentation directly supports these objectives by ensuring that the systems that process or store CJI can communicate only with explicitly authorized services, users, and workloads. Rather than relying on flat internal networks or broad trust zones, microsegmentation enforces an internal deny-by-default posture, limiting connectivity to what is operationally required and nothing more.
Strengthen security and simplify compliance validation
For CJIS-regulated agencies, this approach is especially valuable in environments that include legacy systems, third-party integrations, and hybrid or cloud infrastructure. Microsegmentation reduces the risk of unauthorized access and lateral movement if a device, account, or application is compromised — an increasingly important consideration as attackers shift from perimeter-based attacks to credential abuse and internal pivoting.
Microsegmentation makes internal system connections explicit, monitored, and enforceable, not only strengthening security but also simplifying compliance validation during CJIS audits. The result is a more defensible architecture that aligns with CJIS intent: protecting CJI through layered controls, minimizing risk exposure, and ensuring access is limited to authorized users and systems — no matter where they reside in the network.
The table below illustrates how microsegmentation maps to CJIS Priority 1 controls.
| CJIS control | Control name | CJIS control intent | Microsegmentation implementation |
|---|---|---|---|
| AC-3 | Access enforcement | Enforce approved authorizations for logical access to information systems | Microsegmentation enforces explicit allow rules between authorized systems and services that process CJI. All other communications are denied by default, ensuring access is technically enforced. |
| AC-4 | Information flow enforcement | Control information flows within and between systems | Microsegmentation defines and enforces approved data paths for CJI, preventing information from traversing unauthorized systems or networks. |
| AC-6 | Least privilege | Limit access to only what is necessary for authorized users and systems | Network and application-level access is restricted to required communications only, preventing overprivileged system interactions even after authentication. |
| AC-17 | Remote access | Control and monitor remote access to CJIS systems | Remote users and devices are limited to specific CJIS resources through segmentation policies, preventing broad internal network access or lateral movement. |
| AC-20 | Use of external systems | Restrict access from external or nonorganizational systems | CJIS environments are isolated from external and non-CJIS systems; third-party access is limited to explicitly approved interfaces and services. |
| SC-7 | Boundary protection | Monitor and control communications at system boundaries | Microsegmentation extends boundary protection internally by establishing security boundaries between CJIS and non-CJIS workloads using a deny-by-default posture. |
| SC-39 | Process isolation | Prevent unauthorized interactions among processes | Segmentation restricts inter-process and inter-service communications, reducing the risk that compromised processes will impact CJIS systems. |
| RA-5 | Vulnerability monitoring and scanning | Identify vulnerabilities and assess risk exposure | While vulnerabilities are identified through scanning, microsegmentation limits exploit paths, reducing risk until remediation is completed. |
| SI-2 | Flaw remediation | Identify and correct system flaws | When immediate patching is not feasible, microsegmentation serves as a compensating control by reducing exposure during remediation windows. |
| SI-3 | Malicious code protection | Detect and prevent the spread of malicious code | Lateral movement restrictions limit the ability of malware to propagate between CJIS systems, reducing the blast radius. |
| SI-4 | System monitoring | Monitor systems for attacks and anomalies | Segmentation telemetry provides visibility into allowed and denied communications, supporting continuous monitoring and incident detection. |
| SI-7 | Software, firmware, and information integrity | Protect against unauthorized modification | Restricting unauthorized communications reduces opportunities for integrity compromise through lateral access or unauthorized system interactions. |
How microsegmentation maps to CJIS Priority 1 controls
Protecting legacy, hybrid, cloud and inter-agency architectures
State and local agencies often rely on legacy law enforcement applications and infrastructure. In many cases, resource constraints result in out-of-date hardware, unpatched operating systems, or applications that are vulnerable to modern attack vectors. Microsegmentation provides a practical way to protect these systems without touching the application itself by enforcing access policies externally at the workload or network layer.
Agencies can strictly limit which users, systems, and services are allowed to communicate with legacy CJIS systems, which effectively compensates for technical limitations while still meeting CJIS requirements. This approach allows agencies to improve security and compliance without disrupting mission-critical operations.
Consistent enforcement across diverse environments
Many agencies have adopted cloud services, resulting in CJIS data that is no longer confined to an on-premises data center. Some agencies operate hybrid environments that span on-prem infrastructure, cloud platforms, and shared or regional services.
Microsegmentation enables consistent enforcement of CJIS access controls across these diverse environments by applying identity and policy-based rules regardless of location. This consistency is especially valuable for inter-agency collaboration, when CJIS data must be shared securely without expanding trust boundaries or increasing compliance risk.
Tangible benefits with limited security staff and budgets
Beyond compliance, microsegmentation delivers tangible operational benefits for state and local governments with limited security staff and budgets. Centralized visibility into application dependencies and access paths simplifies day-to-day management and reduces reliance on complex, error-prone firewall rules.
Policy changes, such as onboarding a new system, responding to an incident, or preparing for an audit, can be implemented more quickly and with greater confidence. Over time, this reduces operational overhead while strengthening CJIS compliance.
A cohesive Zero Trust strategy
Microsegmentation aligns closely with CISA’s Zero Trust model and serves as a foundational control within a broader Zero Trust architecture. By eliminating implicit trust and enforcing explicit, least-privilege access between workloads, agencies move away from perimeter-based security.
When combined with identity controls, multi-factor authentication (MFA), Zero Trust Network Access (ZTNA), and endpoint controls, microsegmentation helps state and local governments build a cohesive Zero Trust strategy that naturally supports CJIS compliance requirements rather than treating them as a separate compliance exercise.
Getting started: Practical first steps for CJIS-aligned segmentation
Adopting microsegmentation does not require a disruptive “rip and replace” approach. Agencies can start by:
- Identifying CJIS-in-scope systems
- Gaining visibility into existing communication flows
- Validating policy in monitoring or alert-only modes
Then, enforcement can be applied incrementally, beginning with the most sensitive systems or highest-risk pathways.
This phased approach allows agencies to improve security posture and CJIS alignment while minimizing operational risk.
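The phased approach above (label in-scope systems, observe flows, validate in monitor-only mode, then enforce) together with the deny-by-default posture described earlier, as an added example that is not part of the original article or of any vendor's product: a label-based policy evaluated against a flow log, first in monitor mode and then in enforce mode. All workload names, labels, ports and flow records are constructed for illustration.

```python
from collections import namedtuple

# One observed connection attempt: source workload, destination workload, port.
Flow = namedtuple("Flow", "src dst port")

# Constructed inventory: workload -> labels. Only in-scope workloads carry the
# "cjis" label; producing this map is step 1 (identify CJIS-in-scope systems).
LABELS = {
    "rms-app":     {"cjis", "app"},
    "rms-db":      {"cjis", "db"},
    "mdt-gateway": {"cjis", "remote-access"},
    "hr-portal":   {"corp", "app"},
    "file-share":  {"corp"},
}

# Explicit allow rules: (required src labels, required dst labels, dst port).
# Any flow matching no rule is denied, which is the deny-by-default posture.
ALLOW = [
    ({"cjis", "app"}, {"cjis", "db"}, 5432),            # RMS app -> RMS database
    ({"cjis", "remote-access"}, {"cjis", "app"}, 443),  # MDT gateway -> RMS app
]

def is_allowed(flow, labels=LABELS, rules=ALLOW):
    """True only if some rule's label sets are subsets of both endpoints'
    labels and the port matches. Unknown workloads have no labels."""
    src, dst = labels.get(flow.src, set()), labels.get(flow.dst, set())
    return any(s <= src and d <= dst and p == flow.port for s, d, p in rules)

def evaluate(flows, mode, labels=LABELS, rules=ALLOW):
    """Map each flow to a verdict. In 'monitor' mode nothing is blocked, but
    flows the policy would reject are marked 'would-deny' so the rule set can
    be validated against real traffic (step 3) before 'enforce' is turned on."""
    out = {}
    for f in flows:
        if is_allowed(f, labels, rules):
            out[f] = "allow"
        else:
            out[f] = "would-deny" if mode == "monitor" else "deny"
    return out

# Constructed flow log: two approved paths, a lateral attempt from a non-CJIS
# workload, an in-scope flow on an unapproved port, and unrelated corp traffic.
OBSERVED = [
    Flow("rms-app", "rms-db", 5432),
    Flow("mdt-gateway", "rms-app", 443),
    Flow("hr-portal", "rms-db", 5432),
    Flow("rms-app", "rms-db", 22),
    Flow("file-share", "hr-portal", 445),
]
```

Running `evaluate(OBSERVED, "monitor")` first lets an agency review every `would-deny` entry (a missing legitimate rule versus an unwanted path) before switching the same rule set to `"enforce"`.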
Compliance is a byproduct of good security
Ultimately, CJIS compliance is strongest when it is the natural outcome of sound security practices rather than a checklist-driven effort. Microsegmentation helps state and local governments enforce the principle of least privilege, protect sensitive law enforcement systems, and limit the impact of breaches in real time.
By making access explicit, visible, and continuously enforced, agencies not only simplify audits but also build a more resilient security foundation for protecting CJI in an increasingly complex threat landscape.
When access is explicitly defined and continuously enforced, compliance follows naturally.