FirmAdapt is an AI-powered business diagnostics platform that audits companies to expose operational inefficiencies and broken processes. We then deploy custom AI agents, robotic process automation, and engineered solutions to fix the problems we find. Our diagnostic tools include company audits, website audits, competitive intelligence, and faith-based compliance screening.

Does FirmAdapt have a free API?

Yes, FirmAdapt offers free open API endpoints that require no authentication. AI agents and developers can make up to 10 requests per week without signing up. The API supports company profile lookups, faith-based compliance screening, and stock searches across 12 global markets.

What is faith-based stock screening?

Faith-based stock screening analyzes a company's financial ratios and business activities to determine compliance with religious investment guidelines. FirmAdapt supports 9 frameworks including Shariah (AAOIFI, S&P), Christian (BRI), Catholic (USCCB), Jewish (Halakhic), LDS/Mormon, ESG Religious, and Evangelical standards.

Can AI agents use FirmAdapt?

Yes, FirmAdapt is designed for native AI agent integration. It provides an MCP (Model Context Protocol) server for Claude Desktop, Cursor, and other AI tools. AI agents can access company profiles, run faith-based compliance screens, and search stocks across 12 global markets using free open endpoints with no API key required.

What markets does FirmAdapt support?

FirmAdapt supports 12 global markets: US (NYSE/NASDAQ), UK (London Stock Exchange), Germany (XETRA), France (Euronext Paris), Japan (Tokyo Stock Exchange), India (NSE/BSE), Saudi Arabia (Tadawul), UAE (Dubai/Abu Dhabi), Malaysia (Bursa), Indonesia (IDX), Canada (TSX), and Australia (ASX).

Back to Blog

AI complianceregulatorydefenseITARCMMCCJIS

CJIS Security Policy, Law Enforcement Data, and AI Tools

By Basel IsmailMay 12, 2026

CJIS Security Policy, Law Enforcement Data, and AI Tools

The FBI's Criminal Justice Information Services Division quietly updated its Security Policy to version 5.9.2 in late 2023, and if you are a vendor selling AI tools to law enforcement or adjacent agencies, the compliance surface just got more interesting. CJIS governs access to some of the most sensitive data in the federal ecosystem: National Crime Information Center (NCIC) records, the Interstate Identification Index (III), the National Instant Criminal Background Check System (NICS), and a range of other criminal justice information (CJI) repositories. If your AI product touches any of this data, even indirectly, you are in CJIS territory whether you planned to be or not.

What CJIS Actually Requires

The CJIS Security Policy is a 250-plus page document that reads like someone merged NIST 800-53 with a very specific paranoia about data leakage. It covers 13 policy areas, but for AI vendors, the ones that matter most are:

Policy Area 4: Auditing and Accountability. Every access to CJI must be logged. Every query, every retrieval, every modification. If your AI model is ingesting CJI for training or inference, those interactions need audit trails that are tamper-resistant and retained for a minimum of one year.
Policy Area 5: Access Control. Role-based access, least privilege, and the requirement that only authorized personnel (who have passed fingerprint-based background checks) can access CJI. This is where most AI vendors stumble. If your cloud infrastructure means an engineer in another country could theoretically access the data, you have a problem.
Policy Area 6: Identification and Authentication. Advanced authentication (multi-factor) is required for all personnel accessing CJI. This extends to service accounts and API connections, which means your AI pipeline's authentication model matters.
Policy Area 10: System and Communications Protection. FIPS 140-2 encryption (or 140-3, increasingly) for data in transit and at rest. No exceptions. Your model weights trained on CJI? Encrypted. Your inference outputs containing CJI? Encrypted.
Policy Area 12: Personnel Security. Everyone with access to unencrypted CJI must undergo a state and national fingerprint-based background check. This includes contractors, subcontractors, and, yes, the DevOps team managing your AI infrastructure.

The enforcement mechanism is straightforward. The FBI CJIS Division conducts triennial audits of state agencies, and those agencies in turn audit their local agencies and vendors. Fail an audit and you risk losing access to NCIC and related systems entirely. For a law enforcement agency, that is roughly equivalent to having your electricity shut off.

Where AI Vendors Keep Getting It Wrong

The fundamental tension is this: modern AI development practices assume broad data access, elastic cloud infrastructure, and iterative model training. CJIS assumes tight perimeter control, personnel vetting, and rigid data handling. These two paradigms do not naturally coexist.

Training Data Contamination

If you train a model on CJI, the model itself may constitute CJI under the policy. The CJIS Security Policy defines CJI broadly to include "the terms, conditions, or provisions for handling or safeguarding CJI." Model weights derived from criminal history records arguably fall within that definition. Several state CJIS Systems Agencies (CSAs) have taken exactly this position, including California's and Texas's, which means your trained model needs the same protections as the raw data.

Cloud Infrastructure

AWS GovCloud and Azure Government both have CJIS-compliant regions, and both have executed CJIS Security Addendums with multiple states. But running your AI workload in GovCloud is necessary, not sufficient. You still need to ensure that your specific architecture, including model serving endpoints, logging infrastructure, and data pipelines, meets every policy area. Microsoft published a CJIS implementation guide for Azure Government in 2022 that runs over 100 pages on its own, which gives you a sense of the complexity.

Google Cloud Platform has been slower to the CJIS table. As of mid-2024, GCP has CJIS agreements with a limited number of states compared to AWS and Azure. If your AI stack is built on GCP, check your specific state's CSA agreements carefully before assuming compliance.

Third-Party Models and APIs

This is where it gets genuinely tricky. If you are using OpenAI's API, Anthropic's API, or any third-party LLM service, and you are sending CJI to that API for processing, you need that third party to meet CJIS requirements. As of this writing, none of the major commercial LLM API providers have published CJIS Security Addendums. OpenAI's enterprise terms reference SOC 2 Type II compliance, which is a good start but not the same thing. Anthropic's security documentation similarly does not address CJIS specifically.

This means that if your "AI-powered law enforcement tool" is making API calls to a commercial LLM with CJI in the prompt, you are almost certainly out of compliance. The workaround is self-hosted models running in CJIS-compliant infrastructure, but that requires significant investment in GPU compute within a controlled environment.

The Personnel Problem

Policy Area 12 creates a staffing constraint that most tech companies are not prepared for. Every person with unencrypted access to CJI needs a fingerprint-based background check adjudicated by a government agency. Typical turnaround is 4 to 8 weeks. If your AI startup has 30 engineers and you need 10 of them to have CJI access for development and debugging, you are looking at a multi-month onboarding process before they can touch production data. Some states, notably Florida and Virginia, have additional state-level requirements layered on top of the federal CJIS policy.

This also affects incident response. If your on-call engineer at 2 AM has not been fingerprinted and adjudicated, they cannot access the systems containing CJI to diagnose a production issue. You need to plan your rotation accordingly.

Recent Enforcement and Audit Trends

The FBI CJIS Division audited 52 CSAs in fiscal year 2023, and the most common findings involved encryption gaps and inadequate audit logging. These are exactly the areas where AI tools introduce new risk. An agency that was previously CJIS-compliant can fall out of compliance simply by deploying an AI tool that creates new, unencrypted data flows or bypasses existing audit mechanisms.

In 2022, the Texas Department of Public Safety flagged several vendor contracts for renegotiation after discovering that AI analytics tools were transmitting CJI to processing endpoints outside of CJIS-compliant boundaries. No public enforcement action resulted, but the contracts were suspended pending remediation. This is the pattern to expect: quiet contract suspensions rather than headline-grabbing fines, but with real operational consequences for the vendors involved.

Practical Recommendations

Map every data flow where CJI could enter your AI pipeline, including training, fine-tuning, inference, logging, and error reporting.
Self-host models whenever CJI is involved in prompts or outputs. Do not rely on third-party LLM APIs until those providers execute CJIS Security Addendums.
Deploy in AWS GovCloud or Azure Government with CJIS Security Addendums in place for every state you serve.
Build your personnel pipeline early. Fingerprint-based background checks take time, and you cannot shortcut them.
Implement FIPS 140-2 (or 140-3) validated encryption modules, not just FIPS-compatible ones. The distinction matters during audits.

How FirmAdapt Addresses CJIS Compliance for AI

FirmAdapt's architecture was designed for exactly this kind of regulatory constraint. The platform processes data within defined compliance boundaries, supports FIPS-validated encryption for data at rest and in transit, and maintains granular audit logs that satisfy CJIS Policy Area 4 requirements. Because FirmAdapt does not route sensitive data through third-party model APIs, agencies and vendors avoid the compliance gap that comes with commercial LLM services.

FirmAdapt also supports the personnel and access control requirements of Policy Areas 5 and 12 through role-based access controls that can be mapped directly to CJIS authorization levels. For organizations navigating the overlap between AI adoption and CJIS compliance, this removes a significant amount of architectural guesswork.

Ready to uncover operational inefficiencies and learn how to fix them with AI?

Try FirmAdapt free with 10 analysis credits. No credit card required.

Get Started Free