TL;DR: 79% of public safety professionals rate CJIS compliance as a top or high priority, yet only 32% say their agencies are fully compliant, according to Imprivata and Lexipol's survey of 336 public safety professionals. Compliance programmes fail when identity controls slow operations instead of reducing friction, with 95% reporting access or security friction and 47% citing competing priorities and aging infrastructure as barriers.
NHIMG editorial — based on content published by Imprivata: CJIS Compliance in Focus, the identity security challenges facing public safety agencies
By the numbers:
- 79% of respondents rate CJIS compliance as a top or high priority within their cybersecurity strategy
- Only 32% report being fully compliant today
- 95% of respondents report experiencing some form of access or security friction when accessing critical systems
Questions worth separating out
Q: How should public safety agencies balance CJIS compliance with fast operational access?
A: They should design identity controls around critical workflows, not around idealised user journeys.
Q: Why do legacy systems make CJIS compliance harder to sustain?
A: Legacy systems often cannot consistently enforce modern authentication, attribution, or logging requirements across shared devices and mixed workflows.
Q: What should agencies measure to know if identity controls are supporting compliance?
A: They should measure more than login success.
Practitioner guidance
- Tie CJIS obligations to identity control evidence Map each CJIS requirement to a specific identity control, such as strong authentication, privileged access review, or session logging, so compliance can be demonstrated instead of inferred.
- Reduce login friction without weakening assurance Consolidate repeated sign-ins and slow authentication paths by using identity flows that preserve strong assurance while supporting rapid access in time-sensitive work.
- Separate emergency access from routine access Move high-risk administrative and investigative tasks into privileged access paths so elevated rights are granted only when needed and remain fully traceable.
What's in the full report
Imprivata's full report covers the operational detail this post intentionally leaves for the source:
- Survey methodology and respondent breakdown across local, county, state, and federal public safety organisations.
- The full priority ranking of investment areas, including how agencies are weighing PAM and passwordless authentication.
- Additional context on the October 1, 2027 CJIS Security Policy deadline and how agencies are planning toward it.
- The complete set of access-friction findings, including multiple logins and slow authentication patterns.
👉 Read Imprivata's CJIS compliance research on public safety identity friction →
CJIS compliance and access friction: what public safety teams need?
Explore further
CJIS compliance exposes an access-friction problem, not just a policy gap. Public safety agencies know the requirement, but the survey shows that authentication delays, repeated logins, and legacy workflows are still undermining execution. That means identity governance is failing at the point where operational speed and evidence quality have to coexist. Practitioners should treat access friction as a control failure, not a user-experience nuisance.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: Who is accountable when identity friction blocks compliance progress?
A: Accountability sits with the organisation that owns the identity programme, the operational teams using the systems, and the compliance function that must evidence control effectiveness. For regulated environments like public safety, governance has to align these groups around one access model, or compliance will remain partial and inconsistent.
👉 Read our full editorial: CJIS compliance gaps show identity security friction in public safety