TL;DR: 79% of public safety professionals rate CJIS compliance as a top or high priority, yet only 32% say their agencies are fully compliant, according to Imprivata and Lexipol's survey of 336 public safety professionals. Compliance programmes fail when identity controls slow operations instead of reducing friction, with 95% reporting access or security friction and 47% citing competing priorities and aging infrastructure as barriers.
At a glance
What this is: This survey shows that public safety agencies see CJIS compliance as critical, but identity and access friction, legacy systems, and staff constraints are keeping many from getting fully compliant.
Why it matters: For IAM teams, it shows that security controls for human identity and privileged access must support operational speed, or compliance programmes will stall in the environments that need them most.
By the numbers:
- 79% of respondents rate CJIS compliance as a top or high priority within their cybersecurity strategy
- Only 32% report being fully compliant today
- 95% of respondents report experiencing some form of access or security friction when accessing critical systems
- 40% cite limited IT or security staff as a key obstacle
Context
CJIS compliance is a human identity and access governance problem as much as a policy requirement. Public safety agencies must verify who can reach sensitive systems, from where, and under what conditions, while still preserving fast access in time-sensitive work.
The survey shows that the gap is not a lack of awareness. It is the tension between secure access, legacy infrastructure, limited staff, and operational friction across shared devices, mobile users, and multiple systems. That combination makes compliance hard to sustain, not just hard to start.
Key questions
Q: How should public safety agencies balance CJIS compliance with fast operational access?
A: They should design identity controls around critical workflows, not around idealised user journeys. That means reducing repeated logins, using stronger but lower-friction authentication where appropriate, and reserving elevated access for tightly governed privileged paths. The goal is to preserve accountability without slowing emergency response or investigative work.
Q: Why do legacy systems make CJIS compliance harder to sustain?
A: Legacy systems often cannot consistently enforce modern authentication, attribution, or logging requirements across shared devices and mixed workflows. That creates gaps between policy and evidence, which is exactly where compliance programmes fail. Agencies then rely on manual compensating controls that are brittle and difficult to audit at scale.
Q: What should agencies measure to know if identity controls are supporting compliance?
A: They should measure more than login success. Useful signals include how often users hit repeated-authentication friction, whether privileged actions are fully attributable, how quickly access can be provisioned and revoked, and whether audit logs can reconstruct who accessed sensitive systems under time pressure.
Q: Who is accountable when identity friction blocks compliance progress?
A: Accountability sits with the organisation that owns the identity programme, the operational teams using the systems, and the compliance function that must evidence control effectiveness. For regulated environments like public safety, governance has to align these groups around one access model, or compliance will remain partial and inconsistent.
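The signals named in the measurement answer above (repeated-authentication friction, attributable privileged actions, revocation speed) can be computed directly from audit events. The following is an added example, not code from Imprivata or NHI Mgmt Group; the event schema, account names, and 15-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not from the survey or any real agency).
# Field names and the shared-account naming are assumptions for illustration.
EVENTS = [
    {"ts": "2025-03-01T08:00:00", "type": "login", "user": "ofc.reyes", "device": "mdt-14"},
    {"ts": "2025-03-01T08:04:00", "type": "login", "user": "ofc.reyes", "device": "desk-02"},
    {"ts": "2025-03-01T08:09:00", "type": "login", "user": "ofc.reyes", "device": "desk-02"},
    {"ts": "2025-03-01T08:30:00", "type": "login", "user": "disp.cho", "device": "cad-01"},
    {"ts": "2025-03-01T09:00:00", "type": "priv_action", "user": "adm.lee", "device": "desk-07"},
    {"ts": "2025-03-01T09:05:00", "type": "priv_action", "user": "shared-kiosk", "device": "kiosk-3"},
    {"ts": "2025-03-01T09:10:00", "type": "priv_action", "user": None, "device": "legacy-rms"},
    {"ts": "2025-03-01T10:00:00", "type": "revoke_requested", "user": "ofc.old"},
    {"ts": "2025-03-01T13:30:00", "type": "revoke_completed", "user": "ofc.old"},
]
SHARED_ACCOUNTS = {"shared-kiosk"}  # assumed list of generic logins

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def reauth_count(events, window=timedelta(minutes=15)):
    """Logins that repeat for the same user within `window` of their previous login."""
    last, repeats = {}, 0
    for e in sorted(events, key=_ts):
        if e["type"] != "login":
            continue
        prev = last.get(e["user"])
        if prev is not None and _ts(e) - prev <= window:
            repeats += 1
        last[e["user"]] = _ts(e)
    return repeats

def unattributed_privileged(events):
    """Privileged actions with no user or a shared account: cannot be tied to a person."""
    return [e for e in events if e["type"] == "priv_action"
            and (not e["user"] or e["user"] in SHARED_ACCOUNTS)]

def revocation_latency(events):
    """Per-user delay between a revocation request and its completion."""
    asked, out = {}, {}
    for e in sorted(events, key=_ts):
        if e["type"] == "revoke_requested":
            asked[e["user"]] = _ts(e)
        elif e["type"] == "revoke_completed" and e["user"] in asked:
            out[e["user"]] = _ts(e) - asked.pop(e["user"])
    return out

if __name__ == "__main__":
    print(reauth_count(EVENTS), len(unattributed_privileged(EVENTS)), revocation_latency(EVENTS))
```

Tracking these three values over time shows whether friction is falling while attribution and revocation evidence stay intact.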
Technical breakdown
CJIS compliance depends on identity assurance, not just policy intent
CJIS Security Policy compliance requires agencies to prove that access to criminal justice information is controlled, auditable, and tied to the right identity at the right time. In practice, that means authentication, access logging, least privilege, and session governance have to work together across users, systems, and locations. Where agencies still rely on fragmented sign-ins, shared devices, or inconsistent access controls, compliance becomes a paper exercise rather than an enforceable state. The technical issue is not simply access management; it is whether the identity layer can produce reliable evidence under operational pressure.
Practical implication: map CJIS control expectations to identity proof, authentication strength, and audit evidence across every access path.
Legacy systems and shared devices create control gaps across access workflows
Older infrastructure often cannot support modern identity controls cleanly, especially when users move between workstations, mobile environments, and mission-critical applications. Shared devices and legacy workflows tend to break assumptions about session continuity, user attribution, and step-up authentication. That matters because compliance relies on being able to show who accessed what and under which conditions, not just that access was possible. If the identity stack is bolted onto systems that cannot consistently enforce or record those controls, agencies end up compensating with manual processes that do not scale.
Practical implication: identify where legacy access paths prevent consistent authentication, attribution, or logging, then isolate them for remediation.
Privileged access management is central when speed and accountability must coexist
Public safety environments need fast access during incidents, but elevated access also carries the highest audit and misuse risk. Privileged access management gives agencies a way to narrow standing privilege, control escalation, and preserve traceability when operational staff need temporary elevated rights. In this context, PAM is not a separate control family, but the mechanism that keeps emergency access from becoming permanently overexposed access. The challenge is to make privileged access available without turning every urgent workflow into an exception.
Practical implication: move high-risk roles into tightly governed privileged access paths with clear approval, logging, and review.
NHI Mgmt Group analysis
CJIS compliance exposes an access-friction problem, not just a policy gap. Public safety agencies know the requirement, but the survey shows that authentication delays, repeated logins, and legacy workflows are still undermining execution. That means identity governance is failing at the point where operational speed and evidence quality have to coexist. Practitioners should treat access friction as a control failure, not a user-experience nuisance.
Shared devices and aging infrastructure make attribution harder than the compliance language suggests. When multiple users, endpoints, and systems share the same operational environment, it becomes harder to prove who accessed what and under which conditions. This is especially relevant to CJIS because the programme depends on auditable identity assurance, not just network reachability. The practitioner takeaway is that identity proof has to survive messy real-world workflows, or the control set will not hold.
Privileged access governance is the most direct way to reduce the compliance-versus-speed tradeoff. The article shows agencies are already investing in PAM and passwordless authentication because they need secure access that does not slow critical work. That aligns with NIST CSF and NIST 800-63 thinking: strong identity controls only matter if they remain usable in operational settings. The conclusion for the field is that compliance programmes will keep stalling until access governance is designed for incident-paced work.
Identity security is becoming the operating layer for public safety compliance. The survey makes clear that security and compliance objectives are converging around access control, auditability, and workforce enablement. That is a broader pattern across government and regulated environments: identity is no longer a supporting function, but the mechanism that determines whether policy can be executed. Practitioners should expect CJIS-style expectations to influence wider IAM roadmaps, not just one compliance project.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
- For adjacent identity governance context, see NHI Lifecycle Management Guide for how lifecycle controls change when access must be provisioned, reviewed, and retired consistently.
What this signals
Access friction is now a governance signal, not a usability complaint: when 95% of respondents report friction and only 32% are fully compliant, the control problem is no longer theoretical. Agencies should expect identity programmes to be judged on whether they can prove access and still support field operations, which is exactly where legacy estates tend to fail.
Privileged access will keep moving from exception handling to core compliance architecture. The survey shows 24% already plan PAM investment, which is a strong indicator that emergency access and auditability are becoming the same design problem. Public safety teams that cannot separate routine access from high-risk elevation will keep paying for it in manual review effort and delayed response.
Identity governance in public safety is converging with broader regulated-sector expectations. For teams building roadmaps, that means stronger authentication, better attribution, and faster revocation are no longer isolated controls. They are the baseline for any programme that has to satisfy compliance and operational readiness at the same time.
For practitioners
- Tie CJIS obligations to identity control evidence: Map each CJIS requirement to a specific identity control, such as strong authentication, privileged access review, or session logging, so compliance can be demonstrated instead of inferred.
- Reduce login friction without weakening assurance: Consolidate repeated sign-ins and slow authentication paths by using identity flows that preserve strong assurance while supporting rapid access in time-sensitive work.
- Separate emergency access from routine access: Move high-risk administrative and investigative tasks into privileged access paths so elevated rights are granted only when needed and remain fully traceable.
- Target legacy systems that break attribution: Prioritise systems and shared-device workflows that cannot consistently record user identity, source location, and access conditions, then remediate or isolate those paths.
Key takeaways
- CJIS compliance is failing less from lack of intent than from identity friction, legacy systems, and limited staff capacity.
- The survey data shows a large gap between priority and execution, with 79% calling CJIS a top concern and only 32% fully compliant.
- Agencies that want to close the gap need access controls that are both auditable and fast enough for mission-critical work.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | CJIS access control depends on verifying identities before granting system access. |
| NIST SP 800-63 | | Public safety access needs assurance levels that fit regulated identity proofing and authentication. |
| NIST CSF 2.0 | PR.AC-4 | Privileged access and access restrictions are central to the article's compliance gap. |
Strengthen identity proofing and authentication so access is granted only to verified users.
Key terms
- CJIS compliance: The process of meeting the FBI Criminal Justice Information Services Security Policy requirements for protecting criminal justice information. In practice, it means proving that access is controlled, attributable, and auditable across systems, users, and operational workflows, not just documented in policy.
- Identity friction: Any authentication or access step that slows legitimate users enough to affect security operations or compliance execution. In regulated environments, friction becomes a governance issue when it drives workarounds, repeated logins, or inconsistent enforcement that weakens auditability.
- Privileged access management: A set of controls for governing high-risk access, especially administrative or elevated rights. It limits standing privilege, controls escalation, and preserves traceability so urgent work can be performed without leaving permanent overexposure behind.
This post draws on content published by Imprivata: CJIS Compliance in Focus, the identity security challenges facing public safety agencies. Read the original.
Published by the NHIMG editorial team on 2026-06-30.