
From Hopefully to Definitely CJIS-Compliant: A Guide for Police Chiefs and Municipal Leaders
When you look at everything on your plate today, ensuring CJIS compliance is part of the heap. Through the help of an IT resource and your staff scrambling (often last minute) to pull everything together, you always manage to get through your audits mostly unscathed. As a result, you feel like you’re on top of CJIS compliance.
Quick question: Are you aware of the October 2024 MFA mandate, a major change to CJIS requirements, that directly impacts your department?
If you know the answer, great! If not, it’s possibly an indicator that you may not be on top of compliance as much as you think. While it’s only one question, it should lead you to wonder, “What else am I missing?”
True, maybe you won’t get fined today. Maybe your CJI access won’t get yanked tomorrow. But CJIS noncompliance is a slow reputational risk, one audit report or public council meeting away from damaging your career. More importantly, noncompliance threatens the ability of your police department to access and handle sensitive data in safe, secure ways.
When we talk to police chiefs at small and medium-sized municipalities about their CJIS compliance worries, we often hear the following:
- “I’m worried about the consequences of noncompliance.” You know there are consequences beyond the rare fines and revoked data access. Public reports of audits circulate. You may need to explain to your city council why you failed an audit. And bad press can exacerbate your threatened leadership reputation.
- “Compliance activities have become extremely burdensome.” Dealing with CJIS compliance on top of everything else forces you and your employees to scramble—such as pulling policies, logs, and access records the week before the audit.
- “Truly, I’m not sure if I’m CJIS compliant.” A consequence of heavily delegating compliance activities to (usually) a single IT employee or small vendor/contractor is that you’re not 100% sure that they’re taking care of all your CJIS compliance requirements.
So, you may hope you pass an audit, and hope you’re compliant. But isn’t it better to ensure that you are definitely compliant—without worry?
CJIS: A Quick Recap
With compliance requirements and audits nagging you, it’s easy to lose sight of why you must be CJIS-compliant in the first place. It’s not just to check a box and avoid fines. According to the FBI, it’s to protect “the sources, transmission, storage, and generation of Criminal Justice Information (CJI)” including “the full lifecycle of CJI.” CJIS “applies to every individual—contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity—with access to, or who operate in support of, criminal justice services and information.”
At its heart, CJIS compliance ensures that sensitive and confidential information related to criminal justice data is secure—whether handled by the FBI, a state agency, or your own small or medium-sized police department. In other words, you are a link in the chain that helps protect CJI data—and it is an important link.
CJIS Compliance Control Families
CJIS has 13 control families—groups of related security requirements that work together to address a specific risk. At a high level, these include:
| CONTROL FAMILY | WHAT’S REQUIRED |
|---|---|
| Information security policy | You must have a written policy explaining how you protect CJI. |
| Security awareness training | Officers and staff in your department (and at your municipality if they handle CJI) must receive regular training on how to recognize common cybersecurity threats and protect sensitive information. |
| Incident response | If you are hacked or your data is exposed, you need a documented plan that explains how you will respond. |
| Auditing and accountability | At core, this simply means you need to track who accesses CJI, and when. |
| Access control | Only authorized people should be able to access CJI, and they should only access what’s necessary to do their job. |
| Identification and authentication | All users must be verified before getting access to systems that contain CJI. |
| Configuration management | Configuration is technical, but this basically means that any IT systems must be set up securely and only changed through a controlled process (to prevent people from accidentally introducing weaknesses or purposely bypassing security measures). |
| Media protection | It’s easy to overlook USB drives, DVDs, and other storage media. Not only do they contain large amounts of sensitive data, but they are easy to lose or steal. They, too, must be protected (and disposed of) properly. |
| Physical protection | Whether through locks, surveillance, or other physical access safeguards, you need to protect CJI stored on and/or accessed on devices in your buildings and facilities. |
| Systems and communications protection | Because cybercriminals often attempt to intercept or manipulate data in transit, you must technically make sure that IT systems are configured properly and data is protected as it moves through your IT network. |
| Mobile device and remote access | Just like you would secure desktop computers, you need to make sure laptops, phones, tablets, mobile devices, and any remote devices accessing CJI are secured. |
| Personnel security | Background checks and other vetting for anyone handling CJI are essential. |
| Systems and services acquisition | Any vendors or cloud services that handle CJI must be CJIS-compliant or sign a CJIS Security Addendum. |
Having a non-technical understanding of CJIS compliance requirements is helpful as a reference for our discussion going forward—especially when we consider the audit process.
The CJIS control families might be easily explained at a high level, but each control family contains highly detailed requirements. Because most of these control families involve a lot of technical IT and cybersecurity, it’s tempting to heavily delegate to your IT resource.
Even with delegation, you probably find a lot of CJIS work still coming to your desk—especially when it’s not your area of expertise. When we talk to police chiefs and municipal leaders about what parts of a CJIS audit bother them the most, a few common pains include:
1. The surprise notification: While you’ll be notified in advance that you’ve been selected for an audit, CJIS audits are irregular and something you can’t plan around. It often turns into a scramble between notification and audit.
2. The pre-audit prep slog: A variety of to-dos can bog you and your team down.
- The pre-audit questionnaire/checklist.
- Requests for documentation (such as policies, procedures, equipment lists, etc.).
- Getting your IT staff or vendor thoroughly involved.
3. Onsite audit surprises: Despite your experience with CJIS audits, some items might disrupt your work or catch you off guard. Auditors may:
- Need to interview your staff in the middle of a workday.
- Inspect IT systems, user logs, physical security, and how you handle CJI.
- Ask how you ensure your staff follows CJIS rules or how you’ve trained your officers.

4. Expectations to fix gaps: Most issues the auditors find are not immediately penalized, but they must be fixed within a specific timeframe. It’s when you have repeated or unaddressed violations that you can risk losing your CJI access. Common gaps include:
- No MFA on all systems accessing CJI—common after the October 2024 MFA CJIS mandate that took many people by surprise.
- Missing background checks.
- Weak password policies.
- Lack of audit logs.
- Noncompliant mobile device usage.
- Lack of user training on data handling.
5. Unexpected, unbudgeted funds: To fix gaps in compliance by the deadline after an audit, you may need to request unbudgeted funds. This can be difficult and potentially damage your reputation within your municipality.
As a police chief or municipal leader, it’s part of your role to make sure you have the right resources available to fix any issues, hold your staff accountable, and assist in any non-technical aspects of CJIS compliance.
Why It's Essential to Get Help
Managed IT services or a skilled IT resource can confidently get you about 20-30% of the way toward CJIS compliance. That means a lot of work remains on your plate. You, and not IT, are usually responsible for:
- Policy creation and enforcement
- Compliance documentation and reporting
- Regular CJIS education (for you and your staff) to stay up-to-date and knowledgeable about compliance requirements
- Incident response planning and oversight
- Physical security oversight
- Background checks and personnel oversight
- Signoffs/approvals on important decisions
That’s a lot, especially as CJIS requirements evolve. This pressure also increases each year as mandates grow stricter, not looser, over time. And getting CJIS compliance wrong is just too risky in today’s environment.
If CJIS compliance is a critical pain point or ongoing problem for you, you may want to consider adding CJIS Compliance as a Service (CaaS) to augment your IT staff or MSP.

What Is CJIS CaaS?
If you’ve never heard of CJIS CaaS, you’re not alone. It’s only in the last few years that CJIS CaaS has become more common—and essential—as a service for municipalities.
Compliance as a Service (CaaS) has developed over the past 10 years to help many other industries—from healthcare (HIPAA) to companies wanting to work with the Department of Defense (CMMC). These industries have been forced to mature their compliance processes due to external pressures—not only from laws and regulations but also because of competitive forces. For-profit hospitals or Department of Defense supply chain manufacturers can lose business or go out of business if they are not compliant.
By contrast, fewer external pressures mean that compliance support for police departments and municipalities has been handled in a piecemeal, scattershot approach. IT consultants, internal IT teams, and managed service providers might help with some technical requirements, but you and others on your staff (or sometimes IT resources taking on duties beyond their skillsets) tackle the non-technical tasks.
During the last five years or so, it’s become clearer that police departments and municipalities struggle more to keep up with CJIS audits, documentation, and changing requirements as compliance becomes more complex. This situation has intertwined with the onslaught of ransomware attacks on municipalities and the rise of cloud-based CJIS solutions—leading to much more scrutiny on CJI data security.
So, if meeting CJIS requirements each year seems harder than five or 10 years ago, it is. That’s why CJIS CaaS is starting to gain traction as a solution to help police departments and municipalities with a comprehensive, ongoing approach to meeting and maintaining CJIS requirements.
The solution typically involves the following:
- Comprehensive Gap Assessment: CJIS CaaS will include a full review of your current policies, technologies, and operational practices against the CJIS Security Policy. This includes evaluating both IT systems and agency procedures to identify compliance gaps before they become audit findings.
- Targeted Remediation Through Technology and Policy Updates: You’ll not only find out what’s missing but also get it fixed—including implementing the right security tools and creating or updating CJIS-compliant policies.
- Audit Preparation and Representation: A CJIS CaaS partner will prepare your agency for CJIS audits by assembling required documentation, performing mock audits, and ensuring your team understands their roles and responsibilities.
- Ongoing Compliance Monitoring: Compliance is not a one-time event. A CJIS CaaS partner will provide continuous oversight through regular reviews, policy refreshes, and technology checks so your agency stays compliant year-round—not just at audit time.
- Documentation and Evidence Management: A CJIS CaaS partner will maintain a complete, organized record of policies, audit logs, system configurations, and compliance activities so you can quickly produce proof for an auditor or internal review.

Below, we summarize the duties that you’re solely responsible for and show which ones can be helped by CJIS CaaS—taking even more off your plate than with an MSP alone.
| CJIS REQUIREMENT | YOUR DUTIES | HOW CJIS CaaS LIGHTENS YOUR LOAD |
|---|---|---|
| Information Security Policy | Create policies, ensure agreements are signed, and conduct periodic reviews. | Review, draft, and manage policy templates. Advise on what agreements contain. |
| Security Awareness and Training | Ensure all personnel complete training. Maintain training records. | Track training modules, manage schedules, and maintain documentation. |
| Incident Response | Develop plan, report incidents/breaches, and ensure team follows plan. | Offer plan templates, train staff on procedures, and assist with documentation/reporting during an incident. |
| Auditing and Accountability | Ensure staff follows access and usage rules. | Run mock audits, explain reports, and advise you about upcoming audits. |
| Access Control | Approve access, enforce role-based access, and ensure staff follows policies. | Advise on access approval workflows and document decisions. |
| Identification and Authentication | Enforce policies and MFA compliance. | Document MFA compliance and advise on enforcement procedures. |
| Configuration Management | [No role for you.] | Ensure configurations meet compliance requirements. |
| Media Protection | Ensure removable media is protected and not misused. | Advise on media handling policies, track compliance, and train staff. |
| Physical Protection | Oversee physical security and surveillance of facilities and systems. | Review physical access controls/policies to identify risks. |
| Systems and Communications Protection | Ensure proper use of systems by staff. | Document secure system use and flag risky behavior. |
| Mobile Device and Remote Access | Enforce mobile device and remote access policies. | Create/maintain policies, train staff, and track device compliance. |
| Personnel Security | Conduct background checks, provide regular training, and terminate access upon role change/departure. | Help track background checks and provide policy templates. |
| Systems and Services Acquisition | Authorize purchases, approve IT systems, oversee procurement policies, and ensure vendors are CJIS-compliant. | Help vet vendors, secure CJIS Security Addenda, and document compliance. |
In other words, an MSP plus CJIS CaaS will provide you nearly all the help you need so that you don’t need to devote hours and hours of valuable time digging deep into documentation, reports, and paperwork. Goodness knows you’ve got enough of that already!
Conclusion
It would be great if complying with CJIS simply meant ticking off an easy checklist. It’s not. More than a hundred scattered, cross-functional tasks distributed across your systems, staff, and vendors touch HR, police operations, IT, mobile devices, departmental policies, and so much more.
You can have a great IT employee, multiple IT employees, an IT contractor, or even an MSP—and it’s likely that they will not be able to ensure 100% CJIS compliance without you rolling up your sleeves. And even if you pass your audits, you’re still doing a lot of work with policies, documentation, reports, and decisions in an unstructured way around your day job—likely involving scrambling and panic.
To help, this guide has given you:
- A quick overview of CJIS requirements.
- A sense of your overall non-technical CJIS compliance responsibilities.
- Ways that a CJIS CaaS solution can augment your MSP or IT resource, taking most of your tedious CJIS responsibilities off your plate.
Reach out to us if you want to talk more about how an MSP can help you with CJIS compliance.