You think you’ve got everything set for your CJIS audit. Your IT employee or vendor assures you you’re set. The audit happens and…you fail.
What happened?
We see many common mistakes that trip up municipalities that are attempting to pass their CJIS audit. Even well-intentioned police departments and IT specialists can overlook some of the many items needed to pass a CJIS audit.
Use this article to see if any of these 10 red flags indicate potential CJIS compliance issues at your municipality.
PEOPLE
1. Lack of up-to-date CJIS training records for all staff
CJIS compliance requires that all personnel with access to sensitive data complete regular training on how to protect Criminal Justice Information (CJI) and spot common social engineering tactics (such as phishing emails). If your records aren’t current or comprehensive, you’re at risk of lacking evidence to prove you’ve met this requirement.
It’s important to implement and use a centralized system to track training completion and renewal dates. Your IT resource should be able to help you with both conducting training and tracking your progress while you focus on other important tasks.
2. Physical security gaps, such as propped-open doors or unlogged visitors
Remember that CJIS compliance isn’t just digital. Physical vulnerabilities—such as propped-open doors or unlogged visitors—can lead to a serious incident. CJI is valuable, and people are good at socially engineering their way into a building to steal information. It’s important to conduct regular walkthroughs of your facilities and enforce strict visitor protocols.
3. Unrestricted or shared user accounts for CJIS systems
In many police departments, we often see situations where multiple people use the same computer or share their username and password when someone wants to quickly access information. Unrestricted accounts are also sometimes set up to make things “easy” by giving people unfettered access to any and all information.
While seemingly convenient, these actions open you up to massive risk. What if a disgruntled police officer accesses sensitive or confidential data that they don’t need as part of their job? What if an unlocked computer displays confidential information to a guest visiting your department?
Every user needs unique login credentials with access restrictions based on their role. And get rid of any shared accounts—there is no accountability associated with them and they increase the risk of unauthorized access. Audit your user accounts and eliminate any that don’t meet CJIS requirements.
4. Weak password policies or infrequent password changes
We’re human, and we want to make things easy. For some, that means easy-to-remember passwords, such as the name of your favorite football team. For others, it means using the same password for years and across all your applications.
According to NordPass, the most common password used at work is “123456,” and the other 199 in the Top 200 are no better. Attackers can crack these in milliseconds. But you might think, “My password is better than that!” However, did you know that:
- Any password with five characters is instantly cracked?
- Any password with seven characters takes seconds to minutes to crack?
Conversely:
- A password with 12 characters and at least a mix of upper and lowercase letters will take years to decades to crack.
- A password with 15 characters or more and at least a mix of upper and lowercase letters will take millions of years to crack.
Remember, passwords are your first line of defense. If your police department allows simple passwords or infrequent password changes, it’s time to strengthen your policy. Enforce password complexity requirements and force people to periodically update their password.
5. Staff unfamiliar with CJIS policies and their responsibilities
Even the best policies are useless if your team doesn’t understand, enforce, or follow them. Make CJIS awareness part of your employee onboarding and ongoing training. Enforce policies if they are neglected or ignored. Overall, you want to encourage a culture of compliance so that no one becomes a weak link on your staff.
TECHNOLOGY
6. Missing or incomplete access logs and user activity reports
Access control systems generate audit logs and maintain records of people’s access attempts and actions, which helps with security monitoring and investigations. Without detailed logs, it’s impossible to audit who accessed what systems and applications, and when.
Lacking this information violates CJIS standards because it leaves your police department vulnerable to undetected breaches. Your IT resource needs to configure, manage, and enforce access controls while maintaining, reviewing, and retaining audit logs. Ensure that you regularly review log reports to look for anomalies.
7. Outdated firewalls and unpatched software vulnerabilities
Many municipalities and police departments are unfortunately reactive with their software patching. You often have limited IT resources fighting fires all the time. They get to patching when they get to it.
Firewalls are also often a victim of neglect. Despite their essential role in protecting your systems, it’s easy to just assume they work—whether they are end of life or unpatched. But neglected firewalls may lack modern encryption standards, fail to detect modern cyberattacks, and increase your chance of a cyber incident by giving hackers one more way to get into your systems.
Cyberattackers now weaponize vulnerabilities at lightning speed. As soon as a vulnerability is known, hackers are probing systems for entry points. If your systems aren’t proactively patched and your firewalls aren’t current, you’re an easy target. Apply emergency patches immediately and review your firewalls to stay ahead of advanced threats.
PROCESS
8. Unvetted third-party vendors with access to sensitive systems
Third-party vendors are easy to overlook as a possible security vulnerability. You assume they are doing the right things, but you cannot know for sure. If they gain access to CJIS systems without proper vetting, your department is the one exposed to security risks and noncompliance.
It’s important to conduct background checks and ensure that every vendor that handles CJI meets CJIS security requirements—either by proving CJIS compliance or by signing a CJIS Security Addendum. Have your IT resource validate that vendors are compliant and that their tools are integrated securely with your systems. (This includes cloud vendors.)
9. Failure to document and test incident response plans
When a cybersecurity incident occurs, time is critical. Without a documented and tested incident response plan, your team may flail instead of act. Flailing deepens the damage of a hack, ransomware, or data breach when you cannot respond fast enough—leading to massive operational disruption, public safety risks, and noncompliance.
Develop, document, maintain, and regularly test your incident response procedures. You should be able to run your incident response plan like a drill. IT can support you by detecting, logging, and remediating incidents following documented response processes.
10. Lack of regular review or updates to compliance documentation
We empathize with this one the most. CJIS audits require thorough documentation. You’re likely focused on public safety, policing, and day-to-day operational work. Spending hours on CJIS documentation is not a priority…until an audit looms and you start to scramble. In those moments, documentation neglect can really hurt you.
If your documentation is outdated or incomplete, you could fail your CJIS audit. Set a schedule to review and update your compliance records regularly. If you’re too overwhelmed to do it properly, get help!
---
By recognizing and addressing these red flags, your police department can strengthen its security posture and reduce significant risk. Don’t wait for an audit or incident to uncover these issues. Proactivity is the best policy.