Modernizing CJIS Compliance: Key Takeaways for Public Safety Agencies and IT Leaders  

I had the recent privilege of moderating a panel discussion on one of the most pressing topics in law enforcement technology today: modernizing compliance with the FBI’s Criminal Justice Information Services (CJIS) Security Policy. 

Our panel featured key leaders in public safety and cybersecurity—including Chris Weatherly (FBI), Catherine Watson (FirstNet), and Gerard Gallant (AWS). Together, we explored the true meaning of modernization, how agencies are approaching the challenge, and actionable steps IT and agency leaders can take today to prepare for tomorrow. Here are the key takeaways: 

The Drivers Behind Policy Modernization 

In December 2024, the FBI released Version 6.0 of the Criminal Justice Information Services (CJIS) Security Policy, marking a significant update aimed at enhancing cybersecurity measures across agencies handling Criminal Justice Information (CJI). Agencies are now expected to update their policies, technologies, and audit preparation processes accordingly. 

This update is more than just routine maintenance—it reflects a broader evolution in cybersecurity. The CJIS Security Policy now draws heavily from NIST SP 800-53 Rev. 5, integrating a control-based, standards-driven framework that mirrors other federal requirements like IRS 1075 and HIPAA. As one panelist shared, “This was a necessary update to align with other policies from the IRS to HIPAA. It’s both vendor and tech agnostic, future-proofing workloads as we increasingly move to the cloud”.  

Emerging risks like phishing, deepfakes, and the potential of quantum computing are not theoretical anymore—they’re active concerns. The policy is evolving to meet these head-on, which means your compliance strategy must, too. 

Common Challenges and Misconceptions 

Documentation, particularly around information agreements, remains one of the largest audit findings to date. Many agencies also feel overwhelmed by the volume and complexity of the changes. One panelist put it best: “How do you eat the elephant?” The answer is: “One bite at a time”. 

One of the most significant shifts is the adoption of multi-factor authentication (MFA) as a baseline requirement. Agencies should already have this in place, but if not, it’s priority number one.  

Don’t start by diving into the full policy. Instead, look at the control families and align them with your current operations. There’s likely more overlap than you think. For example, many systems already use single sign-on or encryption at rest—you just need to document it. 

Agencies should also pay attention to how controls are prioritized: 

  • Priority 1 controls (e.g., MFA, access control, encryption) must be implemented now. 
  • Priorities 2 to 4 have a longer runway, with a phased implementation window extending to September 30, 2027. 

Critically, there is no such thing as a “CJIS-certified” vendor. Agencies should be wary of such claims. Also, being hosted in a government cloud—such as AWS GovCloud or Azure Government—does not automatically mean CJIS compliance. 

Instead, ask your vendors about: 

  • identity and access management 
  • data encryption in transit and at rest 
  • remote access policies 
  • incident response 
  • patching procedures 

If a breach occurs, your agency will be held accountable. 

Remember, agencies are the ones audited—not vendors. Make sure your vendors are meeting compliance standards and that you’re holding them accountable. 

Looking Ahead: 6.1 and Building Resilient Compliance 

Version 6.1 of the CJIS policy is slated for release in the spring of 2026, with an expected cadence of updates every 6 to 12 months. This update rhythm will allow agencies to plan iteratively rather than be caught off guard by sweeping changes. 

Building an internal roadmap and involving your Information Security Officer (ISO) early is essential. Think of your compliance posture as an evolving process—not a one-time checklist. 

Panelists also stressed the importance of automation to stay ahead. Automating system monitoring, access control, and audit documentation can make compliance not only easier but also more cost-effective. 

Lastly, the rollout of the CJIS companion document—which translates NIST 800-53 controls into actionable guidance for law enforcement and IT teams—will be a game-changer. This document cuts through the complexity and highlights what needs to be done and in what order. 

Action Starts with Community and Embracing Collaboration 

CJIS modernization doesn’t happen in a vacuum. Whether it’s participating in working groups, leveraging IACP Learn podcasts, or just asking your neighboring agency how they’re handling a challenge, the community is one of your greatest resources. 

As one panelist shared, “It’s a huge amount of change, but we will get there. Failures will happen, and we will go slow, but we will get there.” The key is to ask questions, stay informed, and take incremental action. 

You don’t need to wait until you have all the answers. Start with what you already have, lean on your peers, and make a plan for what is next. Compliance is no longer just about checking a box—it’s about ensuring your systems are secure, resilient, and ready for the future. 

Need Help? 

The Mark43 Security Team is here to support your compliance journey—from documentation to vendor reviews to technical implementation. Our goal is to help agencies not only meet the CJIS standard but lead the way in secure, modern public safety technology. Connect with us today at www.mark43.com/platform/security-compliance/