Records & Digital Evidence Management for Law Enforcement: CJIS & Retention
Law-enforcement records and digital evidence are governed by the FBI CJIS Security Policy, which sets the rules for physical access controls, audit logging, FIPS 140-2 encryption, and secure media handling for Criminal Justice Information — and it applies to vendors and contractors too. In Pennsylvania, 46 Pa. Code § 15.59 sets retention periods from 3 years for incident reports to 75 years for homicide files. Reynolds digitizes case files with Laserfiche under CJIS controls and builds the secure evidence storage the same policy demands, so chain of custody and the PA retention schedule are enforced together.
For a police records manager or evidence custodian, records and evidence are not two separate problems — they are one connected system. The physical secure area, the audit trail, and the retention clock all answer to the same rules. The FBI CJIS Security Policy decides how Criminal Justice Information is stored, logged, encrypted, and destroyed; Pennsylvania's police-records retention schedule decides how long each record must be kept. This guide walks through both, then explains how Reynolds approaches law-enforcement records the way an agency actually lives them — digitizing case files under CJIS controls while building the locked, climate-controlled evidence storage the same policy demands.
The CJIS Security Policy: the framework that governs CJI
The FBI CJIS Security Policy is the framework governing the creation, viewing, modification, transmission, dissemination, storage, and destruction of Criminal Justice Information (CJI). The current version is v6.0, issued December 27, 2024. Critically for any agency that uses an outside partner, the policy applies to every individual — including contractors and private vendors — with access to or operating in support of criminal justice services and information. That means a records-digitization or evidence-storage vendor is not exempt: it has to meet the same standard the agency does.
For records and digital evidence, the policy translates into a handful of concrete controls an agency has to be able to demonstrate at audit:
CJIS is not a one-time certification. The Requirements Companion Document specifies that an agency's information system must generate audit records for defined events, and that audit review and analysis must be conducted at a minimum once a week. Compliance is an ongoing operating discipline, not a box checked at install.
Media protection: storing and destroying CJI
The CJIS Media Protection Policy is the part most relevant to a physical evidence and records room. It requires that electronic and physical media containing CJI be securely stored within a physically secure or controlled area — a locked drawer, cabinet, or room — with access restricted to authorized individuals, and that CJI be physically protected until media end of life. When CJI is stored or transmitted outside the boundary of a physically secure location, the data must be protected using encryption, and the cryptographic module used must be certified to meet FIPS 140-2 standards.
Destruction is held to an equally specific standard. Media sanitization rules require agencies to overwrite electronic media at least three times or degauss it prior to disposal or reuse, destroy inoperable media, and maintain written documentation of the sanitization or destruction steps taken. The throughline is that secure storage and provable disposal are both part of the same policy — the locked room and the destruction log are two ends of one requirement.
| Record type | Retention period |
|---|---|
| Criminal investigation files — homicides, suspicious deaths, missing persons | 75 years |
| Criminal investigation files — other cases | 20 years after close of investigation |
| Property/evidence records (not part of a criminal history case file) | 10 years after property leaves custody |
| Summary-case files, traffic/nontraffic citations, accident reports | 5 years |
| Complaints, incident reports, or initial activity reports (not part of a case file) | 3 years |
These periods are set under the Municipal Records Act and administered through the PA Historical & Museum Commission (PHMC), whose Local Government Records Committee develops the retention and disposition schedules for municipal offices and holds approval authority over how those records are retained. The practical risk runs in both directions: destroy a record early and you have a disposition violation; keep everything forever and you carry liability and storage cost you do not have to. Automated retention scheduling tied to the § 15.59 clock is what keeps an agency on the right side of both.
Chain of custody for digital evidence
Chain of custody is the chronological documentation showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence, and it is critical in establishing the authenticity of evidence. For digital evidence — body-worn camera footage especially — that authenticity is what makes the recording admissible. The chain has to be unbroken across both the digital file and the physical media it may sit on.
When agencies contract third-party cloud storage of digital evidence, IACP guidance specifies that the vendor's system should be compliant with the FBI CJIS Security Policy and that the law enforcement agency should retain ownership of the data. That is the right test for any evidence-storage partner: CJIS-compliant handling, and the agency — not the vendor — owns the evidence.
The physical secure area, the audit trail, and the retention clock are one connected system. Chain of custody and the retention schedule have to be enforced end-to-end — not bolted on after an audit finding.
How Reynolds manages law-enforcement records and evidence
Reynolds approaches law-enforcement records as an implementer, not a software vendor — the way a records manager and evidence custodian actually live it. Reynolds states its law-enforcement records and evidence solutions are CJIS Security Policy compliant, designed to meet requirements including physical access controls, audit logging, and secure evidence-handling protocols. The work spans both the digital and physical sides of the same policy.
On the digital records side, Reynolds provides:
On the physical evidence side, Reynolds builds the secure storage CJIS demands:
Pairing the two is the point. CJIS-controlled Laserfiche digitization gives an agency court-admissible records with an automated retention clock; the physical evidence lockers and high-density shelving give it the locked, access-logged secure area the same policy requires — so chain of custody and the Pennsylvania retention schedule are enforced on both sides at once.
Where to go next
If your agency is planning a records or evidence project under CJIS and the Pennsylvania retention schedule, see Reynolds' law enforcement records and evidence solutions for CJIS-compliant case-file digitization, Laserfiche document management, and secure evidence storage.
To digitize legacy case files specifically, review case file digitization and scanning, or request a facility assessment to map your evidence room to the right secure storage and retention plan.
Sources Cited
9 REFS- FBI Criminal Justice Information Services Division
- FBI Criminal Justice Information Services Division
- FBI Criminal Justice Information Services Division
- FBI Criminal Justice Information Services Division
- Pennsylvania Code and Bulletin
- Pennsylvania Historical & Museum Commission
- U.S. DOJ Bureau of Justice Assistance
- U.S. DOJ Bureau of Justice Assistance
- Reynolds Business Systems
