Call Us: (737) 392-1211. Trusted by Agencies Nationwide

Contact Team

What Is 28 CFR Part 23? Requirements, Compliance Rules, and Why It Matters for Criminal Intelligence Units

28 CFR Part 23

Introduction

28 CFR Part 23 is a federal regulation that governs how law enforcement agencies collect, store, and manage criminal intelligence information when using federal funding.

If an agency operates a criminal intelligence unit, gang database, or any system tracking individuals based on suspected criminal activity, this regulation almost certainly applies.

Most agencies are aware of it. Far fewer actually enforce it through their systems.

The Core Requirement: Reasonable Suspicion

The foundation of 28 CFR Part 23 is the reasonable suspicion standard.

Before any individual can be entered into a criminal intelligence system as a subject:

  • There must be reasonable suspicion of criminal involvement
  • The suspicion must be documented
  • The documentation must be linked directly to the record

On paper, this sounds simple.

In real-world systems, it is often not enforced structurally.

Many systems allow officers or analysts to add individuals without requiring proper documentation at the time of entry. This creates compliance gaps that are difficult to fix later.

Why This Becomes a Legal Risk

When a record is challenged—especially in court—the key question becomes:

Was there documented reasonable suspicion at the time the record was created?

If documentation is missing or incomplete:

  • The agency may not be able to justify the record
  • After-the-fact reconstruction is often not accepted
  • The credibility of the entire database can be questioned

This creates serious legal and operational exposure for agencies.

Retention and Purge Requirements

28 CFR Part 23 also requires agencies to actively manage how long intelligence records are kept.

Key rules include:

  • Records must be reviewed periodically (often within 1 year)
  • Information without ongoing relevance must be purged
  • Retention must follow defined schedules
  • Permanent records must be explicitly justified and maintained

The problem in practice:

Most agencies rely on manual processes or administrator memory.

When staff changes occur or reviews are missed, records often remain in systems far longer than allowed, creating compliance violations without anyone realizing it.

Structural Compliance vs Policy Compliance

This is the most important distinction in 28 CFR Part 23 compliance.

Policy Compliance

  • Written rules exist
  • Procedures are documented
  • Staff are trained
  • Compliance depends on humans following steps

Structural Compliance

  • The system enforces rules automatically
  • Reasonable suspicion is required before entry
  • Retention schedules trigger alerts or automated actions
  • Every action is logged in an immutable audit trail

Why it matters:

Policy compliance can fail silently.

Structural compliance prevents failure at the system level.

Agencies that have faced audits, lawsuits, or DOJ scrutiny typically learn this distinction the hard way.

What to Look for in a Compliant Criminal Intelligence System

If you are evaluating criminal intelligence software, the system should support:

1. Mandatory Reasonable Suspicion Entry

The system should not allow indexing of a subject without documented predicate.

2. Automated Retention Controls

Records should be flagged, reviewed, or purged based on defined timelines.

3. Full Audit Trail

Every access, edit, print, and deletion must be logged.

4. Separation of Data Types

Criminal intelligence data should be separated from case management and RMS data.

5. Access Controls

Only authorized personnel should be able to view or modify intelligence records.

If any of these are missing, the system is not structurally compliant.

Conclusion

28 CFR Part 23 is not just a policy requirement—it is a system design requirement.

Agencies that rely on manual enforcement of compliance are exposed to legal, operational, and reputational risks.

True compliance happens when the system itself enforces:

  • Reasonable suspicion rules
  • Retention schedules
  • Auditability
  • Access control

Without structural enforcement, compliance exists only on paper.

FAQ Section

What is 28 CFR Part 23?

It is a federal regulation that governs how law enforcement agencies collect, store, and manage criminal intelligence data using federal funding.

What is reasonable suspicion under 28 CFR Part 23?

It is the documented belief, based on facts, that a person is involved in criminal activity before they can be added to an intelligence system.

Who must comply with 28 CFR Part 23?

Any law enforcement agency operating a federally funded criminal intelligence system, gang database, or similar data system.

What happens if an agency does not comply?

Non-compliance can lead to legal challenges, loss of credibility, audit findings, or funding-related issues.

Stay Updated

Read More Similar Blogs

Explore the latest news, tips, and expert insights designed for investigators and law enforcement professionals.

See All Posts

Get Started

Book a Demo

Discover how Case Closed Software™ streamlines investigations with secure, modern, and CJIS-compliant technology. Schedule a personalized demo today and see why agencies nationwide trust our platform.

Thanks! We’ll get in touch soon.