What Police Chiefs and Other Municipal Leaders May Not Realize About CJIS Compliance

As a municipal leader, you may have passed a Criminal Justice Information Services (CJIS) audit or delegated the responsibility to someone on your staff. But in today’s cybersecurity environment, that surface-level awareness may not be enough.

CJIS compliance isn’t just an IT issue. It’s everyone’s responsibility. For leaders like police chiefs and city managers, understanding the broader scope of CJIS is critical to protecting your agency’s most sensitive information—and passing the next audit.

If you're relying solely on an overworked junior IT employee or a stretched-thin local IT vendor to manage CJIS, it's worth asking: Are you unintentionally overlooking major gaps in compliance?

This blog is your CJIS briefing. In plain language, it highlights areas where municipal leaders may be underinformed and offers a practical cheat sheet to help you strengthen your agency's security posture.

Understanding the Scope of CJIS

At its core, CJIS compliance is about securing Criminal Justice Information (CJI) such as fingerprints, criminal records, and personally identifiable information related to investigations. You likely already know this.

But here’s what you might not know: CJIS compliance doesn’t only apply to sworn officers or IT personnel. It extends to anyone who touches CJI—including administrative staff, contractors, and third-party vendors. If an employee answers the phone and takes a message about a case, they're handling CJI. If a vendor supports your records management system, they must also meet CJIS standards.

Even more importantly, the CJIS Security Policy isn’t static. It changes, and your department must adapt.

Bottom line: CJIS compliance spans your entire organization. If you're only looking at your IT infrastructure, you're only seeing part of the picture.

It’s a Shared Responsibility

A common misconception we hear from municipal leaders is this: "CJIS is IT’s job."

But here’s the truth: When the audit comes, it doesn’t fall on your IT vendor. It lands squarely on your department. Your name is on the line. Even if you’ve delegated CJIS, you're still the one the state auditor will expect to comply.

CJIS compliance requires participation from municipal leadership, particularly in these areas:

  • Policy Oversight: You must approve and maintain updated written policies on how your agency handles and protects CJI.
  • Vendor Vetting: You are responsible for ensuring any third-party vendor accessing CJI has a signed CJIS Security Addendum. This is not optional.
  • Budgeting for Compliance: Do your IT investments support secure storage, access control, logging, and modern authentication methods?
  • Audit Support: When the state comes knocking, are you prepared to demonstrate not just technical controls but also your leadership's involvement?

Many municipalities lose key personnel with CJIS knowledge and struggle to onboard new staff quickly. Without documentation and leadership-level visibility, that knowledge leaves with the employee.

Delegation is necessary. But abdication is risky.

CJIS Requirements Change—Often

The CJIS Security Policy is a living document that changes regularly. Staying compliant means keeping up.

In October 2024, a significant update made multifactor authentication (MFA) a requirement for all systems that access CJI. This is one of the most impactful changes in recent years—and it’s already in effect. If your department isn’t using MFA on every device that accesses CJI—from laptops to mobile phones—you’re out of compliance.

Additional recent CJIS changes include:

  • End-of-life software and hardware: CJIS requires that you are able to patch your systems. Using unsupported hardware or software (such as Server 2012 or an unpatched Windows 10 after October 14, 2025) risks noncompliance.
  • Cloud storage rules: Moving to the cloud? You need to ensure your provider follows CJIS standards and signs the proper agreements.
  • Mobile device and BYOD policies: Mobile devices, including BYOD phones used to access CJI, must be secured in accordance with CJIS standards.

What passed an audit five years ago won’t cut it today. In fact, holding onto legacy systems may be one of the fastest ways to fall out of compliance.

Ask yourself: Are you confident your department’s technology and policies reflect CJIS's latest updates?

A Quick CJIS Self-Check

Here are a few quick questions to assess your current readiness. If you can confidently answer all of these, you’re on the right track:

  • Who is our Local Agency Security Officer (LASO), and when was their last CJIS training?
  • Are MFA protocols in place for every device and user accessing CJI?
  • Have we signed CJIS Security Addendums with every vendor who handles our CJI?
  • When was our last internal CJIS compliance review? (Not the state audit.)
  • Are our written policies updated to reflect the latest CJIS Security Policy version?

If your answer to any of these is "I’m not sure," it’s time to take a closer look.

Steps You Can Take to Improve CJIS Compliance

You don’t need to become a CJIS expert overnight. But by taking a few proactive steps, you can shore up your department's compliance and reduce your risk.

1. Review Your Written Policies

Make sure your CJIS-related policies are not only documented but reflect current standards. Policies must be reviewed annually and updated when changes to CJIS occur.

2. Invest in Training

Regular, role-based training ensures everyone in your agency understands how CJIS affects their job. Don’t just rely on one-off onboarding sessions.

3. Conduct Internal Reviews

CJIS audits aren’t annual. But internal reviews should be. Set up a recurring schedule to self-audit against the latest CJIS Security Policy.

4. Consider CJIS Compliance-as-a-Service

Smaller municipalities often lack the time and bandwidth to manage CJIS compliance in-house, and so many are turning to partners who offer CJIS Compliance-as-a-Service. These experts can:

  • Conduct gap assessments
  • Manage documentation
  • Provide ongoing training
  • Help prepare for audits

They can also keep you informed about policy changes and ensure continuity when staff turns over.

CJIS Compliance Starts with Leadership

CJIS isn’t just a technical standard—it’s a leadership responsibility. Your IT team handles the technical execution. But the direction, priorities, and investment must come from the top.

By staying engaged, asking the right questions, and supporting your team with the right tools and resources, you position your agency for compliance success. You’re already doing the work. Let’s make sure it counts.

 
