CJIS Security Policy v6.0
Control Audit Matrix
An auditor-ready technical reference covering every security control in CJIS Security Policy v6.0, with FBI mandates, required audit evidence, and implementation details.
For the educational narrative guide, see The Public Defender's Guide to CJIS Compliance.
Compliance Progress (updated February 2026): 296 controls tracked; 0 implemented (0%), 0 in progress (0%), 296 evaluating (100%), 0 N/A (0%).
By Implementation Priority
Per CJISSECPOL v6.0 § 1.4: controls marked [Existing] and P1 modernized controls have been sanctionable since Oct 1, 2024 ("Required Now" in the tables below). Non-existing P2–P4 controls are in a zero-cycle (assessed but not sanctioned) period and become sanctionable Oct 1, 2027 ("Due Oct 2027" below). Priority (P1–P4) indicates recommended implementation order, not a deadline.
P1: 91 controls, 0/91 done (0%)
P2: 139 controls, 0/139 done (0%)
P3: 50 controls, 0/50 done (0%)
P4: 16 controls, 0/16 done (0%)
By Pillar
5.1 Information Exchange Agreements
Pillar 1 · 8 controls

| Control | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| Formal Agreements | Before exchanging CJI, agencies shall put formal agreements in place that specify the security controls to be applied. | P1 | Required Now | Evaluating |
| Compliance Specification | Agreements must specify the security controls and conditions described in the CJIS Security Policy. | P1 | Required Now | Evaluating |
| Documented Commitment | Agreements shall be supported by documentation committing both parties to the terms of the exchange. | P1 | Required Now | Evaluating |
| Service Monitoring | Services, reports, and records provided by the service provider shall be regularly monitored and reviewed by the agency. | P1 | Required Now | Evaluating |
| Visibility (Vulnerabilities & Incidents) | The agency shall maintain sufficient overall control and visibility into all security aspects of the service, specifically the identification of vulnerabilities and incident reporting. | P1 | Required Now | Evaluating |
| Incident Response Conformity | The incident reporting and response process used by the service provider shall conform to the specifications in this Policy. | P1 | Required Now | Evaluating |
| Change Management | Any changes to services (provisioning, new services) shall be managed by the agency (CJA). | P1 | Required Now | Evaluating |
| Risk Evaluation | Risks to the agency shall be evaluated based on the criticality of the data and the impact of the change. | P1 | Required Now | Evaluating |
AC Access Control
Pillar 1 · 40 controls

| Control | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| Policy and Procedures | The agency must develop, document, and disseminate an Access Control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination, and compliance. | P2 | Due Oct 2027 | Evaluating |
| Account Management | The system must govern the creation, modification, disabling, and removal of accounts and must support the defined account types (individual, group, system, etc.). | P1 | Required Now | Evaluating |
| Automated System Account Management | The system must support account management (creation, modification, enabling, disabling, removal) using automated mechanisms. | P1 | Required Now | Evaluating |
| Temporary/Emergency Accounts | The system must automatically remove or disable temporary and emergency accounts after a defined period (e.g., 72 hours). | P1 | Required Now | Evaluating |
| Disable Inactive Accounts | The system must disable accounts after a defined period of inactivity (e.g., 90 days). | P1 | Required Now | Evaluating |
| Automated Audit Actions | The system must automatically audit account actions (create, enable, modify, disable, remove). | P1 | Required Now | Evaluating |
| Inactivity Logout | The system must automatically log users out after a defined period of inactivity (an application-level control, distinct from the session-timeout control below). | P1 | Required Now | Evaluating |
| High-Risk Disablement | The system must be able to immediately disable the accounts of individuals who pose a significant risk (e.g., hostile terminated employees). | P1 | Required Now | Evaluating |
| Access Enforcement | The system must enforce approved authorizations for logical access to information and system resources (e.g., via ACLs). | P1 | Required Now | Evaluating |
| Individual Access | The system must limit access to CJI to authorized individuals. | P1 | Required Now | Evaluating |
| Information Flow Enforcement | The system must enforce approved authorizations for controlling the flow of information within the system and between interconnected systems. | P1 | Required Now | Evaluating |
| Separation of Duties | The system must separate the duties of individuals so that malicious activity requires collusion (e.g., administrator vs. auditor). | P1 | Required Now | Evaluating |
| Least Privilege | The system must apply the principle of least privilege, allowing users (and processes) only the accesses necessary to accomplish assigned tasks. | P1 | Required Now | Evaluating |
| Authorize Access to Security Functions | Access to security functions (auditing, account management) must be explicitly authorized for a limited group of personnel. | P1 | Required Now | Evaluating |
| Non-Privileged Access for Non-Security Functions | Users (or roles) with access to security functions must use non-privileged accounts or roles when accessing non-security functions. | P1 | Required Now | Evaluating |
| Privileged Accounts | Use of privileged accounts must be restricted to specifically authorized personnel and tasks. | P1 | Required Now | Evaluating |
| Review of User Privileges | User privileges must be reviewed annually to confirm they are still necessary and consistent with least privilege. | P1 | Required Now | Evaluating |
| Log Use of Privileged Functions | The system must audit the execution of privileged functions. | P1 | Required Now | Evaluating |
| Prohibit Non-Privileged Execution | The system must prevent non-privileged users from executing privileged functions. | P1 | Required Now | Evaluating |
| Unsuccessful Logon Attempts | The system must enforce a limit of 5 consecutive invalid logon attempts within 15 minutes and, when the limit is reached, automatically lock the account or delay the next logon prompt. | P3 | Required Now | Evaluating |
| System Use Notification | The system must display a system use notification (warning banner) on the login screen before granting access. | P2 | Required Now | Evaluating |
| Device Lock | The system (or OS) must lock the device or session after a defined period of inactivity. | P4 | Due Oct 2027 | Evaluating |
| Pattern-Hiding Displays | While locked, the system must conceal information previously visible on the display (e.g., no CJI on the lock screen or screensaver). | P4 | Required Now | Evaluating |
| Session Termination | The system must automatically terminate a user session when a defined condition occurs (e.g., inactivity). | P3 | Due Oct 2027 | Evaluating |
| Permitted Actions without ID | The agency must identify and document the specific user actions that may be performed without identification or authentication (e.g., reading the warning banner). | P4 | Due Oct 2027 | Evaluating |
| Remote Access | The system must authorize, monitor, and control all remote access connections. | P1 | Required Now | Evaluating |
| Automated Monitoring / Control | The system must monitor and control remote access methods using automated mechanisms. | P1 | Required Now | Evaluating |
| Encryption (Confidentiality/Integrity) | The system must use FIPS 140-validated encryption to protect the confidentiality and integrity of remote access sessions. | P1 | Required Now | Evaluating |
| Managed Access Control Points | The system must route all remote access through managed access control points (e.g., jump host, VPN gateway, load balancer). | P1 | Required Now | Evaluating |
| Privileged Commands via Remote Access | Execution of privileged commands via remote access must be authorized only for compelling operational needs, with the rationale documented. | P1 | Required Now | Evaluating |
| Wireless Access | The system must protect wireless access to the information system (where applicable). | P2 | Required Now | Evaluating |
| Wireless Authentication & Encryption | The system must enforce strong authentication and encryption for wireless access. | P2 | Required Now | Evaluating |
| Disable Wireless Networking | Wireless networking capabilities must be disabled when not intended for use (e.g., on servers). | P2 | Required Now | Evaluating |
| Access Control for Mobile Devices | The agency must establish usage restrictions and implementation guidance for mobile devices. | P2 | Required Now | Evaluating |
| Full Device / Container Encryption | Mobile devices must use full-device or container-based encryption. | P2 | Required Now | Evaluating |
| Use of External Systems | Use of external information systems (e.g., public cloud, personal devices) to process or store CJI must be restricted. | P1 | Required Now | Evaluating |
| Limits on Authorized Use | Authorized use of external systems must be limited to approved individuals and devices. | P1 | Required Now | Evaluating |
| Portable Storage Devices | Use of portable storage devices (e.g., USB) for CJI must be restricted and controlled. | P1 | Required Now | Evaluating |
| Information Sharing | The system must facilitate information sharing while protecting CJI (e.g., sharing redacted records). | P3 | Required Now | Evaluating |
| Publicly Accessible Content | CJI must not be included in publicly accessible content. | P4 | Due Oct 2027 | Evaluating |
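The lockout, inactivity and temporary-account rows above are the ones an auditor will ask to see enforced rather than merely documented. The script below is an added example (not the page's or the FBI's tooling) of the evidence-generating check an agency can run against its own authentication log and account export: it applies the thresholds quoted in the table (5 consecutive failed logons inside 15 minutes, 90 days without a logon, a 72-hour lifetime for temporary accounts). The log line format, the account-record fields and all sample data are constructed assumptions for this example.

```python
"""Account-hygiene checks for the AC rows above (added example; constructed data).

Thresholds are the ones quoted in the table. The auth-log line format and the
account-inventory fields are assumptions made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=15)
INACTIVITY_LIMIT = timedelta(days=90)
TEMP_ACCOUNT_LIFETIME = timedelta(hours=72)

# Constructed auth log: "<ISO-8601 UTC timestamp> <user> <LOGON_OK|LOGON_FAIL>"
# alice: 5 failures in 14 minutes -> lock. bob: a 20-minute gap and then a
# successful logon break the run, so bob never reaches the threshold.
SAMPLE_AUTH_LOG = """\
2026-02-10T08:00:00Z alice LOGON_FAIL
2026-02-10T08:02:00Z alice LOGON_FAIL
2026-02-10T08:05:00Z alice LOGON_FAIL
2026-02-10T08:09:00Z alice LOGON_FAIL
2026-02-10T08:14:00Z alice LOGON_FAIL
2026-02-10T08:20:00Z bob LOGON_FAIL
2026-02-10T08:40:00Z bob LOGON_FAIL
2026-02-10T08:41:00Z bob LOGON_FAIL
2026-02-10T08:42:00Z bob LOGON_FAIL
2026-02-10T08:43:00Z bob LOGON_OK
2026-02-10T08:44:00Z bob LOGON_FAIL
2026-02-10T09:00:00Z carol LOGON_OK
"""

# Constructed account inventory, as an IdP or HR export might provide it.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "type": "individual", "created": "2025-01-01T00:00:00Z",
     "last_logon": "2026-02-10T08:14:00Z"},
    {"user": "dave", "type": "individual", "created": "2025-01-01T00:00:00Z",
     "last_logon": "2025-10-01T12:00:00Z"},
    {"user": "tmp-vendor", "type": "temporary", "created": "2026-02-05T00:00:00Z",
     "last_logon": None},
    {"user": "svc-backup", "type": "system", "created": "2025-01-01T00:00:00Z",
     "last_logon": "2026-02-09T23:00:00Z"},
]


def parse_ts(text):
    """ISO-8601 UTC ('...Z') string to a timezone-aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_auth_log(text):
    """Return [(timestamp, user, outcome), ...] in chronological order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, outcome = line.split()
            events.append((parse_ts(ts), user, outcome))
    return sorted(events)


def lockout_decisions(events):
    """{user: lock_time} for users reaching LOCKOUT_THRESHOLD consecutive
    failures inside LOCKOUT_WINDOW; a successful logon resets the run."""
    failures = defaultdict(deque)
    locked = {}
    for ts, user, outcome in events:
        if user in locked:
            continue  # stays locked until an administrator releases it
        window = failures[user]
        if outcome == "LOGON_OK":
            window.clear()  # the consecutive run is broken
            continue
        window.append(ts)
        while ts - window[0] > LOCKOUT_WINDOW:
            window.popleft()  # failures older than 15 minutes no longer count
        if len(window) >= LOCKOUT_THRESHOLD:
            locked[user] = ts
    return locked


def stale_accounts(accounts, now):
    """{user: reason} for accounts that must be disabled or removed."""
    findings = {}
    for acct in accounts:
        created = parse_ts(acct["created"])
        # An account that has never logged on is measured from its creation.
        last = parse_ts(acct["last_logon"]) if acct["last_logon"] else created
        if acct["type"] == "temporary" and now - created > TEMP_ACCOUNT_LIFETIME:
            findings[acct["user"]] = "temporary account past 72h lifetime"
        elif now - last > INACTIVITY_LIMIT:
            findings[acct["user"]] = "no logon in 90 days"
    return findings


if __name__ == "__main__":
    now = parse_ts("2026-02-10T12:00:00Z")
    for user, when in lockout_decisions(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"LOCK    {user} at {when.isoformat()}")
    for user, reason in stale_accounts(SAMPLE_ACCOUNTS, now).items():
        print(f"DISABLE {user}: {reason}")
```

Two details matter for the audit: the lockout counter is reset by a successful logon (the policy text says "consecutive"), and a locked account is not re-evaluated until an administrator releases it, so the log of the release action is part of the evidence.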
IA Identification & Authentication
Pillar 1 · 20 controls

| Control | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| Use of Originating Agency Identifiers in Transactions and Information Exchanges | The system must use originating agency identifiers (ORIs) in transactions and information exchanges. | P1 | Required Now | Evaluating |
| Policy and Procedures | The agency must develop, document, and disseminate an IA policy that addresses purpose, scope, roles, and compliance. | P2 | Due Oct 2027 | Evaluating |
| Identification and Authentication (Org Users) | The system must uniquely identify and authenticate organizational users (or processes acting on behalf of users). | P1 | Required Now | Evaluating |
| MFA for Privileged Accounts | The system must require multi-factor authentication (MFA) for all privileged (administrator) accounts, for both local and remote access. | P1 | Required Now | Evaluating |
| MFA for Non-Privileged Accounts | The system must require MFA for non-privileged accounts that access CJI. | P1 | Required Now | Evaluating |
| Access to Accounts - Replay Resistant | The system must use replay-resistant authentication mechanisms (e.g., OTP, Kerberos, nonce-based challenge-response). | P1 | Required Now | Evaluating |
| Acceptance of PIV Credentials | The system must accept Personal Identity Verification (PIV) credentials (smart cards) where feasible or mandated. | P1 | Required Now | Evaluating |
| Device Identification and Authentication | The system must uniquely identify and authenticate devices before establishing a connection (for specified high-security flows). | P2 | Due Oct 2027 | Evaluating |
| Identifier Management | The organization must manage system identifiers (user IDs): ensure uniqueness, prevent reuse for a defined period, and disable identifiers after a period of inactivity. | P2 | Required Now | Evaluating |
| Authenticator Management | The organization must manage authenticators (passwords, tokens, biometrics), including initial distribution, revocation, and protection. | P1 | Required Now | Evaluating |
| Authenticator Types (Passwords) | The system must enforce minimum password strength requirements (per NIST SP 800-63B). | P1 | Required Now | Evaluating |
| Memorized Secret Authenticators | Passwords must be stored salted and hashed using a suitably strong algorithm. | P1 | Required Now | Evaluating |
| Cryptographic Authenticators | For high assurance, use cryptographic authenticators (keys or hardware tokens). | P1 | Required Now | Evaluating |
| PKI-Based Authentication | For privileged access or non-organizational users, support PKI-based authentication where required. | P1 | Required Now | Evaluating |
| Protection of Authenticators | Authenticators must be protected from unauthorized disclosure and modification. | P1 | Required Now | Evaluating |
| Authentication Feedback | The system must obscure authentication feedback (e.g., mask typed characters). | P3 | Required Now | Evaluating |
| Cryptographic Module Authentication | Mechanisms for authentication to cryptographic modules must meet FIPS 140 requirements. | P2 | Due Oct 2027 | Evaluating |
| Identification and Authentication (Non-Org Users) | The system must uniquely identify and authenticate non-organizational users (e.g., the public, external counsel). | P2 | Due Oct 2027 | Evaluating |
| Re-Authentication | The system must require re-authentication when roles or authenticators change and after a defined period. | P2 | Due Oct 2027 | Evaluating |
| Identity Proofing | The organization must identity-proof applicants (verify the claimed identity) before issuing credentials. | P2 | Due Oct 2027 | Evaluating |
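The "Authenticator Types (Passwords)" and "Memorized Secret Authenticators" rows are the two an assessor can test directly against the application. The following is an added example (not code from the page or from any CJIS system) of what those two rows look like in practice: a policy check in the NIST SP 800-63B style (length floor for user-chosen secrets, blocklist screening, no composition rules) and salted, memory-hard hashing with constant-time verification, shown next to the unsalted-digest pattern the "salted and hashed" row rules out. The blocklist contents, the storage-string format and the scrypt work factors are assumptions for this example; CJIS-specific length minimums are not stated on this page and are not asserted here.

```python
"""Memorized-secret handling for the IA rows above (added example, not the page's
own code). Blocklist, storage format and work factors are assumptions.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 8    # SP 800-63B floor for user-chosen memorized secrets
MAX_LENGTH = 64   # allow passphrases; SP 800-63B says at least 64 must be accepted
# Constructed stand-in for a breached/common-password blocklist.
BLOCKLIST = {"password", "password1", "12345678", "qwertyuiop", "letmein1"}
# scrypt work factors; memory use is roughly 128 * N * r bytes (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def check_policy(username, secret):
    """Return the list of policy violations; an empty list means acceptable.
    No composition rules (upper/lower/digit/symbol), per SP 800-63B."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if secret.lower() in BLOCKLIST:
        problems.append("appears on the compromised/common-password blocklist")
    if username and username.lower() in secret.lower():
        problems.append("contains the username")
    return problems


def legacy_unsalted_sha256(secret):
    """The pattern the 'salted and hashed' row rules out: identical secrets give
    identical digests, so one precomputed table cracks every user at once."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def hash_secret(secret, salt=None):
    """Salted scrypt hash in a self-describing 'scrypt$N$r$p$salt$digest' form,
    so work factors can be raised later without breaking old records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_secret(secret, stored):
    """Recompute with the parameters stored beside the digest; compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        alg, n, r, p, salt_hex, digest_hex = stored.split("$")
        if alg != "scrypt":
            return False
        digest = hashlib.scrypt(secret.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    except ValueError:  # malformed record, bad hex, or invalid work factors
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(check_policy("alice", "Password"))            # blocklisted
    record = hash_secret("correct horse battery staple")
    print(record)
    print(verify_secret("correct horse battery staple", record))
```

For audit evidence, the interesting assertions are that two enrolments of the same password produce different stored records (the salt is doing its job) and that a malformed record verifies as false rather than raising, so a corrupted credential store fails closed.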
PS Personnel Security
Pillar 1 · 9 controls

| Control | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| Policy and Procedures | The agency must develop, document, and disseminate a Personnel Security policy. | P2 | Due Oct 2027 | Evaluating |
| Position Risk Designation | Assign a risk designation (low, moderate, high) to every position based on the potential for harm from misuse of the position. | P2 | Due Oct 2027 | Evaluating |
| Personnel Screening | All personnel with physical or logical access to CJI must undergo a state and national fingerprint-based background check within 30 days of assignment. | P2 | Required Now | Evaluating |
| Personnel Termination | Disable access immediately (or within a defined timeframe) upon termination of employment. | P2 | Due Oct 2027 | Evaluating |
| Personnel Transfer | Review and adjust access rights when personnel transfer to a different position within the organization. | P3 | Due Oct 2027 | Evaluating |
| Access Agreements | Personnel must sign access agreements (e.g., NDA, rules of behavior) before being granted access. | P4 | Due Oct 2027 | Evaluating |
| External Personnel Security | Contractors must be subject to the same (or more stringent) screening and security requirements as agency employees. | P2 | Required Now | Evaluating |
| Personnel Sanctions | The organization must establish a formal sanctions process for personnel who fail to comply with security policies. | P4 | Due Oct 2027 | Evaluating |
| Position Descriptions | Security and privacy responsibilities must be documented in position descriptions. | P4 | Due Oct 2027 | Evaluating |
AT Awareness & Training
Pillar 1 · 7 controls

| Control | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| Policy and Procedures | The agency must develop, document, and disseminate an Awareness and Training policy that addresses purpose, scope, roles, responsibilities, and compliance. | P2 | Due Oct 2027 | Evaluating |
| Literacy Training & Awareness | All personnel with access to CJI must receive basic security awareness training within 6 months of assignment and at least once every two years thereafter. | P2 | Required Now | Evaluating |
| Insider Threat | Training must include modules on recognizing and reporting potential indicators of insider threat. | P2 | Required Now | Evaluating |
| Social Engineering & Mining | Training must include recognizing and reporting social engineering (e.g., phishing) and mining attempts. | P2 | Required Now | Evaluating |
| Role-Based Training | Personnel with specific security roles (administrators, developers) require specialized training tailored to their duties. | P2 | Due Oct 2027 | Evaluating |
| Processing PII | Personnel handling PII must be trained on the rules for collection, use, and retention, including the penalties for misuse. | P2 | Due Oct 2027 | Evaluating |
| Training Records | The agency (and its vendors) must document and monitor individual training activities and retain the records for audit (typically 3+ years). | P4 | Required Now | Evaluating |
SC System & Communications Protection
Pillar 2 · 23 controls

| Control | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| Policy and Procedures | The agency shall develop, document, and disseminate an SC policy. | P2 | Due Oct 2027 | Evaluating |
| Separation of System and User Functionality | The system must separate user functionality from system management functionality. | P2 | Required Now | Evaluating |
| Information in Shared System Resources | The system must prevent unauthorized and unintended information transfer via shared system resources. | P2 | Required Now | Evaluating |
| Denial-of-Service Protection | The system must protect against, or limit the effects of, denial-of-service (DoS) attacks. | P2 | Due Oct 2027 | Evaluating |
| Boundary Protection | The system must monitor and control communications at the external boundary and at key internal boundaries. | P1 | Required Now | Evaluating |
| Access Points | The organization must limit the number of external network connections to the system. | P1 | Required Now | Evaluating |
| External Telecom Services | The system must protect the confidentiality and integrity of communications carried over external telecommunications services. | P1 | Required Now | Evaluating |
| Deny by Default - Allow by Exception | The system must deny network traffic by default at managed interfaces and allow only authorized traffic by exception. | P1 | Required Now | Evaluating |
| Split Tunneling | The system must prevent split tunneling on remote devices. | P1 | Required Now | Evaluating |
| Route Traffic to Proxy Servers | The system must route traffic bound for external networks through authenticated proxy servers at managed interfaces. | P1 | Required Now | Evaluating |
| Personally Identifiable Information | The system must protect PII at the boundary. | P1 | Required Now | Evaluating |
| Transmission Confidentiality and Integrity | The system must protect the confidentiality and integrity of transmitted information. | P2 | Required Now | Evaluating |
| Cryptographic Protection (In Transit) | The system must use cryptographic mechanisms to prevent unauthorized disclosure of information during transmission. | P2 | Required Now | Evaluating |
| Network Disconnect | The system must terminate the network connection at the end of a session or after a defined period of inactivity. | P3 | Due Oct 2027 | Evaluating |
| Cryptographic Key Establishment and Management | The organization must establish and manage cryptographic keys using automated mechanisms. | P2 | Required Now | Evaluating |
| Cryptographic Protection | The system must use FIPS-validated cryptography to protect information. | P2 | Due Oct 2027 | Evaluating |
| Collaborative Computing | The system must prohibit remote activation of collaborative computing devices (e.g., cameras, microphones) except for authorized sessions. | P2 | Due Oct 2027 | Evaluating |
| Public Key Infrastructure Certificates | The organization must issue and manage PKI certificates. | P2 | Required Now | Evaluating |
| Mobile Code | The organization must establish usage restrictions for mobile code (e.g., JavaScript, ActiveX). | P3 | Due Oct 2027 | Evaluating |
| Session Authenticity | The system must protect the authenticity of communications sessions (e.g., prevent session hijacking). | P2 | Due Oct 2027 | Evaluating |
| Protection of Information at Rest | The system must protect the confidentiality and integrity of information at rest. | P2 | Required Now | Evaluating |
| Cryptographic Protection (At Rest) | The system must use cryptographic mechanisms to protect information at rest. | P2 | Required Now | Evaluating |
| Process Isolation | The system must maintain a separate execution domain for each executing process. | P2 | Required Now | Evaluating |
MP Media Protection
Pillar 2 · 6 controls

| Control | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| Policy and Procedures | The agency shall develop, document, and disseminate a media protection policy that addresses purpose, scope, roles, responsibilities, and compliance. | P2 | Required Now | Evaluating |
| Media Access | The agency shall restrict access to media containing CJI to authorized personnel. | P2 | Required Now | Evaluating |
| Media Storage | The agency shall physically control and securely store media within controlled areas. | P2 | Required Now | Evaluating |
| Media Transport | The agency shall protect and control information system media during transport outside of controlled areas. | P2 | Required Now | Evaluating |
| Media Sanitization | The agency shall sanitize information system media prior to disposal, release out of organizational control, or release for reuse. | P2 | Required Now | Evaluating |
| Media Use | The agency shall restrict the use of removable media on information systems. | P2 | Required Now | Evaluating |
PE Physical & Environmental Protection
Pillar 2 · 19 controls

| Control | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| Policy and Procedures | The agency must develop, document, and disseminate a PE policy that addresses purpose, scope, roles, and compliance. | P2 | Due Oct 2027 | Evaluating |
| Physical Access Authorizations | The organization must develop and maintain a list of personnel with authorized access to the facility where the system resides. | P2 | Required Now | Evaluating |
| Physical Access Control | The organization must enforce physical access control at entry and exit points and verify individual identity before granting access. | P2 | Required Now | Evaluating |
| Access Control for Transmission | The organization must control physical access to information system distribution and transmission lines. | P2 | Required Now | Evaluating |
| Access Control for Output Devices | The organization must control physical access to information system output devices (printers, monitors) to prevent unauthorized viewing. | P3 | Required Now | Evaluating |
| Monitoring Physical Access | The organization must monitor physical access to the facility to detect and respond to physical security incidents. | P2 | Required Now | Evaluating |
| Alarms and Surveillance | The organization must use physical intrusion alarms and surveillance equipment to monitor physical access. | P2 | Required Now | Evaluating |
| Visitor Access Records | The organization must maintain visitor access records for the facility for at least one (1) year. | P4 | Due Oct 2027 | Evaluating |
| Limit PII Elements | The organization must limit the PII collected in visitor logs to what is necessary. | P4 | Due Oct 2027 | Evaluating |
| Power Equipment and Cabling | The organization must protect power equipment and cabling from damage and destruction. | P2 | Due Oct 2027 | Evaluating |
| Emergency Shutoff | The organization must provide the capability to shut off power to the system in an emergency. | P2 | Due Oct 2027 | Evaluating |
| Emergency Power | The organization must provide a short-term emergency power source (UPS) to allow an orderly shutdown. | P2 | Due Oct 2027 | Evaluating |
| Emergency Lighting | The organization must provide emergency lighting that activates on power failure. | P2 | Due Oct 2027 | Evaluating |
| Fire Protection | The organization must employ fire suppression and detection systems. | P2 | Due Oct 2027 | Evaluating |
| Detection Systems | Fire detection systems must provide automatic notification to personnel and responders. | P2 | Due Oct 2027 | Evaluating |
| Environmental Controls | The organization must maintain temperature and humidity within acceptable ranges for the system. | P2 | Due Oct 2027 | Evaluating |
| Water Damage Protection | The organization must protect the system from water damage. | P2 | Due Oct 2027 | Evaluating |
| Delivery and Removal | The organization must authorize, monitor, and control information system components entering and exiting the facility. | P3 | Required Now | Evaluating |
| Alternate Work Site | The organization must establish security controls for alternate work sites (e.g., remote offices, telework). | P3 | Required Now | Evaluating |
MA Maintenance
Pillar 2 · 8 controls

| Control | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| Policy and Procedures | The agency must develop, document, and disseminate a Maintenance policy that addresses purpose, scope, roles, and compliance. | P2 | Due Oct 2027 | Evaluating |
| Controlled Maintenance | The organization must schedule, perform, document, and review records of maintenance and repairs on information system components. | P3 | Due Oct 2027 | Evaluating |
| Maintenance Tools | The organization must approve, control, and monitor maintenance tools (hardware and software) brought into the facility. | P4 | Due Oct 2027 | Evaluating |
| Inspect Tools | The organization must inspect maintenance tools for malicious code and unauthorized software before use. | P4 | Due Oct 2027 | Evaluating |
| Inspect Media | The organization must check media containing diagnostic or test programs for malicious code before the media is used. | P4 | Due Oct 2027 | Evaluating |
| Non-local Maintenance | The organization must approve and monitor non-local (remote) maintenance and diagnostic activities. | P3 | Due Oct 2027 | Evaluating |
| Maintenance Personnel | The organization must establish a process for the authorization and supervision of maintenance personnel. | P3 | Due Oct 2027 | Evaluating |
| Timely Maintenance | The organization must obtain maintenance support and/or spare parts within a defined timeframe (SLA). | P3 | Due Oct 2027 | Evaluating |
5.20 Mobile Devices
Pillar 2 · 9 controls

| Control | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| Wireless Protocols | Pre-802.11i protocols (WEP, WPA) are prohibited because they do not meet FIPS 140-2. Managed access points must use strong passwords, non-identifiable SSIDs, and FIPS-compliant management protocols. | P1 | Required Now | Evaluating |
| Service Abroad | Cellular devices authorized for use outside the U.S. must be inspected before and after travel to confirm that security controls are functioning. | P1 | Required Now | Evaluating |
| Mobile Hotspots | Hotspots on devices approved for CJI must use encryption and non-identifiable SSIDs, and must accept connections only from agency-controlled devices. | P1 | Required Now | Evaluating |
| MDM Enforcement | Devices running a limited-feature OS (iOS, Android) must be managed by an MDM that enforces remote locking, remote wiping, and disk-level encryption. | P1 | Required Now | Evaluating |
| Risk Mitigations | Mobile devices must apply critical patches immediately, use local device authentication, and encrypt all resident CJI. | P1 | Required Now | Evaluating |
| Personal Firewall | Devices with a full-featured OS (laptops, Windows tablets) must run a personal firewall that filters incoming traffic and maintains logs. | P1 | Required Now | Evaluating |
| Incident Reporting | Agencies must have enhanced procedures for mobile device loss or compromise, including reporting within 1 hour. | P1 | Required Now | Evaluating |
| Local Device Auth | Mobile devices must be locked and require authentication (meeting the IA standards) to unlock for use. | P1 | Required Now | Evaluating |
| Device Certificates | Certificates used for authentication must be protected from extraction and configured for remote wipe on demand. | P1 | Required Now | Evaluating |
AU Audit & Accountability
Pillar 3 · 17 controls

| Control | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| Policy and Procedures | The agency must develop, document, and disseminate an Audit and Accountability policy that addresses purpose, scope, roles, and compliance. | P2 | Required Now | Evaluating |
| Event Logging | The system must generate audit records for: (1) successful and unsuccessful logons; (2) access to CJI (query/view); (3) permission changes; (4) administrative actions. | P2 | Due Oct 2027 | Evaluating |
| Content of Audit Records | Audit records must contain: (1) date and time; (2) type of event; (3) data subject (if applicable); (4) user identity; (5) outcome (success/failure). | P2 | Required Now | Evaluating |
| Additional Audit Information | The system must generate audit records with enough detail to reconstruct events when needed. | P2 | Required Now | Evaluating |
| Limit PII Elements | The system must limit the PII elements in audit records to those necessary (e.g., do not log the full criminal history record in the log itself). | P2 | Due Oct 2027 | Evaluating |
| Audit Log Storage Capacity | The agency must allocate audit record storage capacity sufficient to retain records for the required period. | P2 | Due Oct 2027 | Evaluating |
| Response to Audit Failures | The system must alert authorized personnel when the audit logging process fails. | P2 | Required Now | Evaluating |
| Audit Record Review | The agency must review and analyze audit records at least weekly for indications of inappropriate or unusual activity. | P2 | Required Now | Evaluating |
| Automated Process Integration | The system must integrate audit review with automated mechanisms (e.g., a SIEM) that alert on suspicious activity. | P2 | Due Oct 2027 | Evaluating |
| Correlate Audit Repositories | The system must correlate audit records across repositories (e.g., application, database, and OS logs). | P2 | Due Oct 2027 | Evaluating |
| Audit Record Reduction/Reporting | The system must provide an audit reduction and report generation capability. | P3 | Due Oct 2027 | Evaluating |
| Automatic Processing | The system must be able to automatically process audit records for events of interest. | P3 | Due Oct 2027 | Evaluating |
| Time Stamps | Information system clocks must be synchronized to an authoritative time source (e.g., USNO, NIST). | P2 | Required Now | Evaluating |
| Protection of Audit Information | The system must protect audit information and audit tools from unauthorized access, modification, and deletion. | P2 | Required Now | Evaluating |
| Access by Subset of Privileged Users | Management of audit functionality must be limited to a subset of privileged users (e.g., auditors). | P2 | Due Oct 2027 | Evaluating |
| Audit Record Retention | Audit records must be retained for at least one (1) year and destroyed once the retention period expires. | P4 | Required Now | Evaluating |
| Audit Record Generation | The system must provide audit record generation capability for the events defined under Event Logging. | P2 | Due Oct 2027 | Evaluating |
SI
System & Information Integrity
Pillar 3 · 21 controls
| Control ID | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| | Policy and Procedures: The agency shall develop, document, and disseminate an SI policy. | P2 | Due Oct 2027 | Evaluating |
| | Flaw Remediation: The organization must identify, report, and correct system flaws. It must install security-relevant software and firmware updates within a defined period. | P1 | Required Now | Evaluating |
| | Automated Flaw Remediation Status: The organization must employ automated mechanisms to determine the status of system components with regard to flaw remediation. | P1 | Required Now | Evaluating |
| | Malicious Code Protection: The organization must employ malicious code protection (Antivirus/EDR) at system entry/exit points and on workstations/servers. | P1 | Required Now | Evaluating |
| | System Monitoring: The organization must monitor the system to detect attacks and indicators of potential attacks. | P1 | Required Now | Evaluating |
| | Automated Analysis: The organization must employ automated tools for real-time analysis of events to detect attacks. | P1 | Required Now | Evaluating |
| | Inbound and Outbound Communications: The organization must monitor inbound and outbound communications traffic for unusual or unauthorized activities. | P1 | Required Now | Evaluating |
| | System-Generated Alerts: The system must generate alerts when specific security-relevant events occur. | P1 | Required Now | Evaluating |
| | Security Alerts, Advisories, and Directives: The organization must receive security alerts/advisories from external sources and take appropriate action. | P2 | Required Now | Evaluating |
| | Software, Firmware, and Information Integrity: The organization must employ integrity verification tools to detect unauthorized changes to software and information. | P1 | Required Now | Evaluating |
| | Integrity Checks: The system must perform integrity checks of software, firmware, and information at a defined frequency. | P1 | Required Now | Evaluating |
| | Integration of Detection and Response: The organization must integrate the detection of unauthorized changes with the incident response process. | P1 | Required Now | Evaluating |
| | Spam Protection: The system must employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages. | P3 | Required Now | Evaluating |
| | Automatic Updates: The system must update spam protection mechanisms automatically at least daily. | P3 | Due Oct 2027 | Evaluating |
| | Information Input Validation: The system must validate the integrity of information inputs (e.g., checking for malicious code or format errors). | P1 | Required Now | Evaluating |
| | Error Handling: The system must generate error messages that provide information necessary for corrective actions without revealing sensitive information. | P3 | Due Oct 2027 | Evaluating |
| | Information Management/Retention: The organization must manage and retain information in accordance with laws and regulations. | P3 | Required Now | Evaluating |
| | Limit PII Elements: The organization must limit the PII elements contained in system outputs to those necessary. | P3 | Required Now | Evaluating |
| | Minimize PII in Testing, Training, and Research: The organization must obfuscate and anonymize PII in testing environments to prevent accidental exposure. | P3 | Due Oct 2027 | Evaluating |
| | Information Disposal: The organization must dispose of information in accordance with laws and regulations. | P3 | Required Now | Evaluating |
| | Memory Protection: The system must employ memory protection to prevent unauthorized code execution. | P2 | Due Oct 2027 | Evaluating |
IR
Incident Response
Pillar 3 · 15 controls
| Control ID | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| | Policy and Procedures: The agency must develop, document, and disseminate an Incident Response policy that addresses purpose, scope, roles, and compliance. | P2 | Due Oct 2027 | Evaluating |
| | Incident Response Training: The agency must provide incident response training to users with specific IR roles (e.g., handling evidence, reporting). | P3 | Required Now | Evaluating |
| | Training - Breach: Training must specifically cover "Breach" scenarios (loss of control/compromise of data), not just "Incidents" (service interruption). | P3 | Due Oct 2027 | Evaluating |
| | Incident Response Testing: The agency must test the IR capability for the information system annually (e.g., simulations). | P3 | Due Oct 2027 | Evaluating |
| | Coordination with Related Plans: IR testing must be coordinated with related plans (Contingency Planning, Crisis Management). | P3 | Due Oct 2027 | Evaluating |
| | Incident Handling: The agency must implement an incident handling capability that includes preparation, detection, analysis, containment, eradication, and recovery. | P2 | Required Now | Evaluating |
| | Automated Incident Handling: The system must employ automated mechanisms to support the incident handling process. | P2 | Required Now | Evaluating |
| | Incident Monitoring: The agency must track and document information system security incidents (even those that don't result in a breach). | P2 | Required Now | Evaluating |
| | Incident Reporting: The agency must report security incidents to the appropriate authorities (CSA ISO / FBI) within a specified timeframe. | P2 | Due Oct 2027 | Evaluating |
| | Automated Reporting: The system must employ automated mechanisms to assist in the reporting of security incidents. | P2 | Required Now | Evaluating |
| | Supply Chain Coordination: The agency must coordinate incident reporting with supply chain entities (e.g., Cloud Provider, Software Vendors). | P2 | Due Oct 2027 | Evaluating |
| | Incident Response Assistance: The agency must provide an incident response support resource (help desk) that offers advice and assistance to users. | P3 | Required Now | Evaluating |
| | Automation Support for Availability: The organization must employ automated mechanisms to increase the availability of incident response information and support (e.g., chatbots, knowledge base). | P3 | Due Oct 2027 | Evaluating |
| | Incident Response Plan: The agency must develop an IRP that provides a roadmap for implementing the incident response capability. | P2 | Required Now | Evaluating |
| | Breaches: The IRP must explicitly address "Breaches" (involving PII/CJI) distinct from general incidents, including specific legal reporting requirements. | P2 | Due Oct 2027 | Evaluating |
CP
Contingency Planning
Pillar 3 · 23 controls
| Control ID | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| | Policy and Procedures: The agency must develop, document, and disseminate a Contingency Planning policy that addresses purpose, scope, roles, and compliance. | P2 | Due Oct 2027 | Evaluating |
| | Contingency Plan: The agency must develop a contingency plan that identifies essential missions, recovery strategies, and roles. | P2 | Due Oct 2027 | Evaluating |
| | Coordinate with Related Plans: The contingency plan must be coordinated with related plans (e.g., Incident Response, Crisis Management). | P2 | Due Oct 2027 | Evaluating |
| | Resume Mission Functions: The plan must provide for the resumption of essential mission functions within a specified time period (RTO). | P2 | Due Oct 2027 | Evaluating |
| | Identify Critical Assets: The plan must identify critical assets (hardware, software, data) supporting essential functions. | P2 | Due Oct 2027 | Evaluating |
| | Contingency Training: The organization must provide contingency training to personnel with DR roles. | P3 | Due Oct 2027 | Evaluating |
| | Contingency Plan Testing: The organization must test the contingency plan to determine the effectiveness of the plan and the readiness to execute it. | P3 | Due Oct 2027 | Evaluating |
| | Coordinate with Related Plans (Testing): Testing must be coordinated with related plans (e.g., checking if IRP works during a disaster). | P3 | Due Oct 2027 | Evaluating |
| | Alternate Storage Site: The organization must identify an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats. | P2 | Due Oct 2027 | Evaluating |
| | Separation from Primary Site: The alternate storage site must be separated from the primary site to reduce susceptibility to the same threats (e.g., different flood zone). | P2 | Due Oct 2027 | Evaluating |
| | Accessibility: The alternate storage site must be accessible for recovery operations within the RTO. | P2 | Due Oct 2027 | Evaluating |
| | Alternate Processing Site: The organization must identify an alternate processing site that provides for recovery of operations. | P2 | Due Oct 2027 | Evaluating |
| | Separation from Primary Site (Processing): The alternate processing site must be separated from the primary site (same logic as CP-6). | P2 | Due Oct 2027 | Evaluating |
| | Accessibility (Processing): The alternate processing site must be accessible to necessary personnel. | P2 | Due Oct 2027 | Evaluating |
| | Priority of Service: The organization must ensure that the alternate processing site provides priority of service provisions in accordance with availability requirements (SLAs). | P2 | Due Oct 2027 | Evaluating |
| | Telecommunications Services: The organization must identify primary and alternate telecommunications services to support the system. | P2 | Due Oct 2027 | Evaluating |
| | Priority of Service (Telecom): Primary and alternate telecom services must have priority of service provisions (e.g., GETS/WPS for gov). | P2 | Due Oct 2027 | Evaluating |
| | Single Points of Failure: The organization must identify and eliminate single points of failure for telecom. | P2 | Due Oct 2027 | Evaluating |
| | System Backup: The organization must conduct backups of user-level and system-level information. | P2 | Due Oct 2027 | Evaluating |
| | Testing for Reliability/Integrity: The organization must test backup information to verify media reliability and information integrity. | P2 | Due Oct 2027 | Evaluating |
| | Cryptographic Protection: The organization must implement cryptographic mechanisms to prevent unauthorized disclosure/modification of backup information. | P2 | Due Oct 2027 | Evaluating |
| | System Recovery and Reconstitution: The organization must provide for the recovery and reconstitution of the information system to a known state after a disruption. | P2 | Due Oct 2027 | Evaluating |
| | Transaction Recovery: The system must implement transaction recovery for systems that are transaction-based (e.g., Databases). | P2 | Due Oct 2027 | Evaluating |
CM
Configuration Management
Pillar 4 · 20 controls
| Control ID | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| | Policy and Procedures: The agency must develop, document, and disseminate a Configuration Management policy that addresses purpose, scope, roles, and compliance. | P2 | Due Oct 2027 | Evaluating |
| | Baseline Configuration: The agency must develop, document, and maintain, under configuration control, a current baseline configuration of the information system. | P1 | Required Now | Evaluating |
| | Automation Support: The organization must employ automated mechanisms to maintain the integrity of the baseline configuration. | P1 | Required Now | Evaluating |
| | Retention: The organization must retain previous versions of baseline configurations to support rollback. | P1 | Required Now | Evaluating |
| | High-Risk Areas: The organization must configure systems to provide only essential capabilities and prohibit use of functions not necessary for operation. | P1 | Required Now | Evaluating |
| | Configuration Change Control: The organization must enforce strict change control (approve, document, test, validate) for all changes to the system. | P2 | Due Oct 2027 | Evaluating |
| | Test/Validate/Document: The organization must test, validate, and document changes before implementing them in production. | P2 | Due Oct 2027 | Evaluating |
| | Security Representative: A security representative must be a member of the Change Control Board (CCB). | P2 | Due Oct 2027 | Evaluating |
| | Impact Analyses: The organization must analyze changes to the system to determine potential security impacts before implementation. | P3 | Due Oct 2027 | Evaluating |
| | Access Restrictions for Change: The organization must define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. | P1 | Required Now | Evaluating |
| | Configuration Settings: The organization must establish and document mandatory configuration settings (e.g., security hardening) using standard checklists (NIST/CIS). | P1 | Required Now | Evaluating |
| | Least Functionality: The organization must configure the system to provide only essential capabilities (ports, protocols, services). | P1 | Required Now | Evaluating |
| | Periodic Review: The organization must review the system's functionality annually to ensure it is providing only essential capabilities. | P1 | Required Now | Evaluating |
| | System Component Inventory: The organization must develop and document an inventory of information system components that accurately reflects the current system. | P1 | Required Now | Evaluating |
| | Updates: The inventory must be updated as part of the component installation/removal process. | P1 | Required Now | Evaluating |
| | Unauthorized Component Detection: The organization must employ automated mechanisms to detect the presence of unauthorized hardware/software/firmware. | P1 | Required Now | Evaluating |
| | Configuration Management Plan: The organization must develop, document, and implement a CM plan that addresses roles, responsibilities, and processes. | P2 | Due Oct 2027 | Evaluating |
| | Software Usage Restrictions: The organization must use software/tools only in accordance with copyright laws and contract agreements. | P3 | Due Oct 2027 | Evaluating |
| | User-Installed Software: The organization must enforce policies governing the installation of software by users. | P2 | Due Oct 2027 | Evaluating |
| | Information Location: The organization must identify and document the location of information system components and the specific info processed. | P2 | Due Oct 2027 | Evaluating |
RA
Risk Assessment
Pillar 4 · 9 controls
| Control ID | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| | Policy and Procedures: The agency shall develop, document, and disseminate a Risk Assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, and coordination. | P2 | Due Oct 2027 | Evaluating |
| | Security Categorization: Categorize the information and system in accordance with applicable federal laws, executive orders, and directives. | P2 | Due Oct 2027 | Evaluating |
| | Risk Assessment: Conduct an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, or destruction of the system and info. | P2 | Due Oct 2027 | Evaluating |
| | Vulnerability Monitoring and Scanning: Monitor and scan for vulnerabilities in the system and hosted applications at a defined frequency (e.g., weekly). | P1 | Required Now | Evaluating |
| | Update Vulnerabilities to Be Scanned: Update the vulnerabilities to be scanned when new vulnerabilities are identified and reported. | P1 | Required Now | Evaluating |
| | Privileged Access: The system shall require privileged access for vulnerability scanning. | P1 | Required Now | Evaluating |
| | Public Disclosure Program: Establish a public disclosure program to receive vulnerability information from the security community. | P1 | Required Now | Evaluating |
| | Risk Response: Respond to risk in accordance with the organization's risk tolerance. | P2 | Due Oct 2027 | Evaluating |
| | Criticality Analysis: Identify critical system components and functions that are essential to the mission. | P2 | Due Oct 2027 | Evaluating |
SA
System & Services Acquisition
Pillar 4 · 17 controls
| Control ID | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| | Policy and Procedures: The agency must develop, document, and disseminate an SA policy that addresses purpose, scope, roles, responsibilities, and compliance. | P2 | Due Oct 2027 | Evaluating |
| | Allocation of Resources: The organization must determine and document the information security and privacy resources required to support the system. | P2 | Due Oct 2027 | Evaluating |
| | System Development Life Cycle (SDLC): The organization must manage the system using a documented SDLC that incorporates information security and privacy. | P2 | Due Oct 2027 | Evaluating |
| | Acquisition Process: The organization must include security and privacy requirements in the acquisition contract for the system/service. | P2 | Due Oct 2027 | Evaluating |
| | Functional Properties: The organization must require the developer to provide a description of the functional properties of the security controls. | P2 | Due Oct 2027 | Evaluating |
| | Design/Implementation Info: The organization must require the developer to provide design and implementation information for security controls. | P2 | Due Oct 2027 | Evaluating |
| | Functions, Ports, Protocols, and Services: The organization must require the developer to provide a list of all functions, ports, protocols, and services intended for use. | P2 | Due Oct 2027 | Evaluating |
| | System Documentation: The organization must obtain and maintain administrator and user documentation for the system. | P3 | Due Oct 2027 | Evaluating |
| | Security Engineering Principles: The organization must apply security and privacy engineering principles in the specification, design, development, and implementation of the system. | P2 | Due Oct 2027 | Evaluating |
| | Minimization: The organization must apply minimization principles to the design of the system (e.g., collecting only the PII required). | P2 | Due Oct 2027 | Evaluating |
| | External System Services: The organization must require that providers of external system services comply with organizational security requirements. | P2 | Due Oct 2027 | Evaluating |
| | Identify Functions, Ports, Protocols, Services: The organization must identify the functions, ports, protocols, and services provided by external system services. | P2 | Due Oct 2027 | Evaluating |
| | Developer Configuration Management: The organization must require the developer to perform configuration management during system development, implementation, and operation. | P2 | Due Oct 2027 | Evaluating |
| | Developer Testing and Evaluation: The organization must require the developer to perform security testing and evaluation. | P2 | Due Oct 2027 | Evaluating |
| | Development Process, Standards, and Tools: The organization must require the developer to use a documented process, standard, and tools for development. | P3 | Due Oct 2027 | Evaluating |
| | Criticality Analysis: The organization must perform a criticality analysis to identify components that are critical to system security. | P3 | Due Oct 2027 | Evaluating |
| | Unsupported System Components: The organization must replace system components when support for the components is no longer available. | P2 | Due Oct 2027 | Evaluating |
SR
Supply Chain Risk Management
Pillar 4 · 7 controls
| Control ID | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| | Policy and Procedures: The agency must develop, document, and disseminate an SR policy that addresses purpose, scope, roles, and compliance. | P2 | Due Oct 2027 | Evaluating |
| | SCRM Plan: The organization must develop a plan for managing supply chain risks associated with the design, acquisition, and operations of systems used to process CJI. | P3 | Due Oct 2027 | Evaluating |
| | Establish SCRM Team: Establish a coordinated, team-based approach (including IT, Legal, and Security) to identify and manage supply chain risks. | P3 | Due Oct 2027 | Evaluating |
| | Acquisition Strategies: Employ procurement methods to protect against supply chain risks, such as using preferred suppliers who provide attestation of compliance. | P2 | Due Oct 2027 | Evaluating |
| | Notification Agreements: Establish agreements with supply chain entities for the notification of compromises to systems used to process CJI. | P3 | Due Oct 2027 | Evaluating |
| | Inspection of Systems or Components: Inspect systems/components upon procurement and periodically to detect tampering. | P3 | Due Oct 2027 | Evaluating |
| | Component Disposal: Dispose of CJI-containing components using techniques described in the Media Protection (MP) section. | P3 | Due Oct 2027 | Evaluating |
PL
Planning
Pillar 4 · 8 controls
| Control ID | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| | Policy and Procedures: The agency must develop, document, and disseminate a Planning policy that addresses purpose, scope, roles, and compliance. | P2 | Due Oct 2027 | Evaluating |
| | System Security and Privacy Plans (SSP): The organization must develop, document, and maintain an SSP that describes security requirements and controls in place. | P2 | Due Oct 2027 | Evaluating |
| | Rules of Behavior (RoB): The organization must establish and make readily available a set of rules that describe individual responsibilities and expected behavior for users. | P3 | Due Oct 2027 | Evaluating |
| | Social Media and External Sites: Rules of Behavior must include restrictions on using social media and external sites while accessing the information system. | P3 | Due Oct 2027 | Evaluating |
| | Security and Privacy Architectures: The organization must develop a security/privacy architecture that describes the system boundary and high-level design. | P2 | Due Oct 2027 | Evaluating |
| | Central Management: The organization must centrally manage the security and privacy requirements/controls for the system. | P4 | Due Oct 2027 | Evaluating |
| | Baseline Selection: The organization must select a security control baseline based on the system's categorization. | P3 | Due Oct 2027 | Evaluating |
| | Baseline Tailoring: The organization must document any decisions to "tailor" the baseline (e.g., opting out of a control due to a specific technical constraint). | P3 | Due Oct 2027 | Evaluating |
CA
Assessment, Authorization & Monitoring
Pillar 4 · 10 controls
| Control ID | Requirement | Priority | Sanctionable | Status |
|---|---|---|---|---|
| | Policy and Procedures: The agency must develop, document, and disseminate an Assessment, Authorization, and Monitoring policy that addresses purpose, scope, roles, and compliance. | P2 | Due Oct 2027 | Evaluating |
| | Control Assessments: The organization must assess the security controls periodically to determine if they are implemented correctly and operating as intended. | P3 | Due Oct 2027 | Evaluating |
| | Independent Assessors: The organization must employ independent assessors or assessment teams (impartial to the system development/operation) to conduct control assessments. | P3 | Due Oct 2027 | Evaluating |
| | Information Exchange: The organization must authorize all connections to external systems and document the interface characteristics (ports, protocols, security). | P2 | Required Now | Evaluating |
| | Plan of Action and Milestones (POAM): The agency must document strictly how remedial actions (fixing bugs/vulns) are tracked and when they will be completed. | P4 | Due Oct 2027 | Evaluating |
| | Authorization (ATO): A senior official (Authorizing Official) must explicitly authorize the system to operate before operations begin. This authorization must be updated if significant changes occur. | P3 | Due Oct 2027 | Evaluating |
| | Continuous Monitoring: The organization must develop a continuous monitoring strategy that includes ongoing metrics, control effectiveness, and automated monitoring of configuration. | P1 | Required Now | Evaluating |
| | Independent Assessment (Monitoring): The organization must employ independent assessors or assessment teams to monitor the security controls on an ongoing basis. | P1 | Required Now | Evaluating |
| | Risk Monitoring: The organization must monitor risk to the system on an ongoing basis (e.g., new threat intelligence). | P1 | Required Now | Evaluating |
| | Internal System Connections: Authorize and document connections between the information system and other internal systems (e.g., Database to Analytics engine). | P3 | Due Oct 2027 | Evaluating |