The most prominent example of security compliance rules is the FBI's CJIS (Criminal Justice Information Services) Security Policy. The policy applies to any agency that requires access to the FBI's criminal justice information database, whether at the international, Federal, State, or local level. It provides the minimum level of information technology (IT) security requirements determined acceptable for the transmission, processing, and storage of criminal justice data. This article describes the security mechanisms agencies must put into place in order to be compliant with these security requirements. One security requirement is VPN software, preferably a mobile VPN that secures any communication to and from a nonsecure location. In addition, all data must be sent over the air encrypted. Further, user authentication is required to validate mobile users attempting to log onto the network. There must also be an additional two-factor security methodology for validating user identity. In addition to the aforementioned general security requirements, agencies must ensure that CJIS-related data are sent on a separate VLAN from the one sent for other agencies. Similarly, administrators without the credentials to access CJIS information should not be able to manage these areas. The article also outlines the security requirements when multiple groups share the common system and are potentially subject to other rules. The article concludes with descriptions of policy management capabilities within mobile VPN, which are the key for agencies to better control and manage their mobile data environment. These capabilities include high-level routing policies, group policy management, and user-specific rules.