CJIS Compliance for Fire and EMS: The Shared CAD Problem
I spent a decade running calls. For most of that time, the fire department and the EMS crew saw a different version of the CAD screen than law enforcement did, similar to the access segregation problem I wrote about in my article on crew phones and social media at the scene. There was a wall between the data sets. It was not elegant, but it meant nobody had to think about CJIS.
That wall is gone in most modern shared CAD deployments because the regional dispatch center upgraded to a unified platform. Everyone runs on the same screen now. The fire chief can see the NCIC caution flag on a domestic call. The EMS captain can pull up the criminal history attached to an address they are rolling to. The system is faster, and it gives responders better situational awareness. But it also means your agency just walked into a federal compliance framework you probably did not plan for.
This is not about whether your agency deserves to be regulated. It is about whether your state CJIS Information Security Officer is going to flag your next audit. The answer depends on three linked areas: personnel screening, authentication controls and data access limits by role. Most fire and EMS agencies are missing at least one of those.
The Scope Trigger Nobody Warned You About
The CJIS Security Policy does not care whether your agency has a badge. It cares whether a user in your system can see Criminal Justice Information. If your shared CAD environment displays NCIC data, state CHRI records, or partner law enforcement incident notes to any fire or EMS user, your agency is a CJIS agency under the policy.
The phrase the auditors use is "touching CJI." It does not matter if you only see a single caution flag. It does not matter if your access is read-only. It does not matter if you never asked for the access. Once the data is visible to your people, the full set of CJIS requirements applies to your agency. That means personnel screening, advanced authentication, FIPS 140-2 validated encryption, and audit logging for every access.
I have watched agencies learn this the hard way during a state audit. The fire chief sits down with the CJIS ISO expecting a conversation about law enforcement systems. The first question is about fingerprint-based background checks for his IT contractor. That is the moment the wall comes down.
Common CJIS Audit Failures for Fire and EMS Departments
The CJIS audit failures that hit fire and EMS agencies cluster in three areas. They are predictable and well-documented, and they keep happening because nobody warned the agency before the audit.
Personnel Screening Requirements for CJIS Users in Fire Departments
The most common miss is the background check, because standard employment background screens do not meet the CJIS requirement. The policy demands fingerprint-based checks run through the state repository and the FBI for any individual with access to CJI. That includes your full-time staff and your volunteers. It also includes your IT administrator and any vendor who holds administrative credentials to the system.
I know a department that failed its audit because the county IT contractor who configured their CAD workstations had never been fingerprinted. The contractor had domain admin access to every workstation in the dispatch center and could have opened any record in the system. That finding ended the audit immediately and the fingerprint checks started the next week.
This is the single most common finding for non-law enforcement agencies because the assumption is always the same: "We hired through the county, so the county must have done the check." The county did a standard background check, but the policy requires a fingerprint-based CJIS check and those are different things.
MFA Requirements for CJIS Data Access in CAD Systems
The second common failure is authentication. The CJIS Security Policy requires multi-factor authentication for any remote access to CJI. Some agencies interpret this as a VPN requirement and stop there, but the policy expects the system that holds the data to enforce two factors, not just a network-level tunnel.
The operational tension is real because a firefighter rolling up to a structure fire does not have time to enter a six-digit TOTP code on a mobile data terminal. So dispatchers disable MFA on the CAD terminals in the apparatus with good intent, without documenting the exception. The auditor finds it and the agency fails.
The solution is not to fight the operational requirement but to build authentication that works within the operational constraint. That can be SAML-based single sign-on with a hardware token that stays in the apparatus and authenticates to a session that times out when the ignition cuts, or push notification approval on a department-issued phone. The zero-option approach of just turning MFA off is what fails audits.
Data Segregation and the Shared CAD Problem
The third failure is role-based access control that is too broad. When a shared CAD system gives every firefighter the same view the police dispatcher has, the data is being shared beyond the "need to know" standard that CJIS requires. The policy expects granular RBAC that limits CJI access to users who have a specific operational reason for it.
This is a design issue more than a configuration issue, because if your CAD vendor wrote the system so that the NCIC query result displays on the same screen layout for every user type, you are fighting the architecture. You can mask fields conditionally and set viewing scopes by role, but it takes an audit to discover that the vendor's default configuration shares criminal history data with every EMS crew member who opens a call.
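The masking approach described above, sketched as an added example (not code from any CAD vendor or from this article's author). The field names, role names, scope table and incident record are all constructed assumptions; the point is that a role with no entry sees no CJI, and every CJI field that is shown leaves an audit entry.

```python
import copy

# Fields treated as CJI in this sketch (assumption: your own CJI inventory
# defines the real list for your CAD deployment).
CJI_FIELDS = {"ncic_caution", "criminal_history", "le_incident_notes"}

# Role -> CJI fields that role has a documented operational need to see.
# Hypothetical roles; a role missing from this table gets no CJI at all.
ROLE_CJI_SCOPE = {
    "police_dispatcher": {"ncic_caution", "criminal_history", "le_incident_notes"},
    "fire_officer": {"ncic_caution"},
    "ems_crew": {"ncic_caution"},
}

MASK = "[RESTRICTED]"

# Constructed sample record, not real data.
SAMPLE_INCIDENT = {
    "id": "INC-0001",
    "address": "100 Example St",
    "nature": "Domestic disturbance, medical assist",
    "ncic_caution": "Caution flag on file",
    "criminal_history": "constructed CHRI text",
    "le_incident_notes": "constructed law enforcement notes",
}

def render_incident(incident, user, role, audit_log):
    """Return a copy of the incident with out-of-scope CJI masked.

    Appends one audit entry for each CJI field actually shown to the user.
    """
    allowed = ROLE_CJI_SCOPE.get(role, set())  # unknown role -> empty scope
    view = copy.deepcopy(incident)             # never mutate the stored record
    for field in sorted(CJI_FIELDS & view.keys()):
        if field in allowed:
            audit_log.append({"user": user, "role": role,
                              "incident": incident["id"], "field": field})
        else:
            view[field] = MASK
    return view

if __name__ == "__main__":
    log = []
    print(render_incident(SAMPLE_INCIDENT, "medic12", "ems_crew", log))
    print(log)
```

Compare this with the vendor default the paragraph describes: there the scope table is effectively "every field for every role", and nothing is logged per field.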
> Any individual who has access to CJI must be subject to a fingerprint-based state and national criminal history record check. This requirement applies regardless of the individual's employment status or agency type. -- CJIS Security Policy, Personnel Security section
Do EMS Agencies Need CJIS Compliance for a Shared CAD Deployment?
If your EMS agency operates on a CAD system shared with law enforcement where CJI is visible, the policy applies to you. There is no carve-out for medical agencies or exemption for third-service EMS departments. The policy defines a CJI user as any individual with access to CJI, and that includes the paramedic who glances at a caution flag on the way to a call.
The practical question is whether your state CJIS ISO will audit you. That depends on the state and how your CAD deployment is structured. Some states run the audit against the primary dispatch agency and expect the dispatch agency to enforce compliance downstream. Others audit every agency that has a CJIS agreement. The safest assumption is that if your people can see the data, you are accountable for the security of that data.
The Vendor Promise Versus the Implementation Reality
Every CAD vendor will tell you their system is CJIS compliant. That statement is meaningless because software cannot be compliant on its own. An implementation can be compliant, but the vendor provides the tools and your agency provides the configuration. The vendor passes no audit.
I have read RFPs where the vendor's Checklist of Compliance Features ran three pages and the agency scored them highly. Six months later, the same agency failed its audit because nobody had configured the session timeout policy or fingerprinted the backup vendor who comes in on weekends.
Treat vendor compliance claims as a starting point. The real work is in the implementation review. Verify that the controls actually turn on, that default settings do not over-share data, and that internal processes match what the auditor will ask for.
CJIS Compliance as a Risk Management Exercise
The consequence of a CJIS audit failure is not just a report finding. The state can revoke or suspend your agency's access to NCIC and state criminal history databases. That means your dispatchers cannot check warrants on a traffic stop. Your medics cannot see the protection order attached to a patient's address. Your responders lose access to the data they rely on for scene safety.
Treat CJIS compliance as a risk management exercise. Map every point where a fire or EMS user can see CJI. Verify the personnel screening for every individual with access, including vendors. Lock down the authentication for remote and mobile access. Review the RBAC model against the principle of least privilege. Establish a monthly review cycle for CJI access logs.
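One way to run the monthly log review from the list above, as an added example rather than anything from a real CAD product. The roster, the log layout (`timestamp,user,source,mfa,record_type`), the user names and the choice to treat an apparatus MDT as mobile access are constructed assumptions.

```python
import csv
import io

# Constructed screening roster: user -> fingerprint-based check on file?
ROSTER = {
    "jdoe_medic": True,
    "asmith_fire": True,
    "county_it_contractor": False,
}

# Constructed CJI access log export: timestamp,user,source,mfa,record_type
ACCESS_LOG = """\
2024-05-02T03:14:00,jdoe_medic,mdt,yes,ncic_caution
2024-05-02T09:40:00,county_it_contractor,workstation,yes,criminal_history
2024-05-03T22:05:00,asmith_fire,mdt,no,ncic_caution
2024-05-04T11:30:00,weekend_backup_vendor,remote,yes,criminal_history
"""

# Assumption: sessions from these sources count as remote or mobile access.
REMOTE_SOURCES = {"mdt", "remote"}

def review(log_text, roster):
    """Return (timestamp, user, record_type, reason) for each audit finding."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, user, source, mfa, record = row
        if user not in roster:
            # Someone saw CJI who was never put through screening at all.
            findings.append((ts, user, record, "not on screening roster"))
        elif not roster[user]:
            findings.append((ts, user, record, "no fingerprint-based check on file"))
        if source in REMOTE_SOURCES and mfa != "yes":
            findings.append((ts, user, record, "remote/mobile access without MFA"))
    return findings

if __name__ == "__main__":
    for finding in review(ACCESS_LOG, ROSTER):
        print(*finding, sep=" | ")
```

The "not on screening roster" case is the one that catches vendors and contractors whose accounts were created outside the agency's own onboarding.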
Frequently Asked Questions
Does my fire department need to be CJIS compliant if we are not a law enforcement agency?
Yes, if your agency has access to Criminal Justice Information through a shared CAD or other system. The CJIS Security Policy applies based on data access, not agency type. If your people can see NCIC records, state CHRI data, or law enforcement incident notes, the policy applies to your agency.
What is the most common reason fire and EMS agencies fail a CJIS audit?
Inadequate personnel screening and missing multi-factor authentication. Fingerprint-based background checks through state and FBI repositories are required for anyone who can access CJI, including IT staff and vendors. MFA is required for any remote or mobile access to CJI systems.
Can our CAD vendor guarantee CJIS compliance?
A vendor can deliver a product designed to support compliance, but the agency still has to handle the implementation. Vendors pass no audits.
Does a volunteer fire department need fingerprint-based background checks?
Yes. The CJIS policy does not distinguish between paid and volunteer personnel. Anyone with access to CJI must undergo the same fingerprint-based check through the state repository and the FBI, regardless of employment status.
What happens if we fail a CJIS audit?
The state can revoke or suspend your agency's access to NCIC and state criminal history databases. This directly impacts responder safety by removing access to warrant checks, protection orders, and the caution flags that crews rely on.
The shared CAD system that lets your crew see the caution flag before they hit the scene is a good tool. The compliance obligations that come with it are not optional, and they are not the vendor's problem. They are yours. The agencies that prepare for this before the audit are the ones that keep their access. The ones that learn about CJIS requirements during the audit are the ones that get their access suspended. It is worth knowing which side you are on.
-- Steven