CJIS Security Policy v6.0 – Key Updates You Need to Know

February 10, 2025 at 2:15 PM

The Criminal Justice Information Services (CJIS) Security Policy v6.0, released on December 27, 2024, introduces significant modernization efforts aimed at enhancing security, compliance, and risk management in handling Criminal Justice Information (CJI). As technology and cyber threats evolve, the Federal Bureau of Investigation (FBI) has revised the CJIS Security Policy to address critical areas such as assessment, authorization, monitoring, personnel security, supply chain risk management, and system acquisitions. The following information outlines the key updates and their implications for criminal justice agencies and stakeholders.

Key Updates in CJIS Security Policy v6.0

1. Assessment, Authorization, and Monitoring (CA)

Security assessment and monitoring have been significantly revised in v6.0 to improve compliance and real-time threat detection. The updates include:

  • Updated policies and procedures for security assessments, ensuring agencies align with modern cybersecurity standards.
  • Control Assessments to enhance transparency and accountability in security implementations.
  • Information Exchange protocols refined to protect data transfers between agencies, reducing exposure to cyber threats.
  • Plan of Action and Milestones (POA&M) strategies implemented to guide security improvements and remediation efforts.
  • Continuous Monitoring established as a standard requirement, leveraging automation and AI-based security tools for enhanced oversight.
  • Internal System Connections updated with new encryption standards and security measures for interconnected government networks.
  • Independent Assessors: CA-2(1) mandates the use of independent assessors to evaluate security controls. Independent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations.

2. System and Services Acquisition (SA)

System acquisition and service procurement have been modernized to prioritize security throughout the technology lifecycle. Enhancements include:

  • Comprehensive acquisition policies mandating security considerations at every stage of system procurement and deployment.
  • System Development Lifecycle (SDLC) revisions, integrating security checkpoints throughout development and maintenance.
  • External System Services oversight reinforced to ensure compliance among third-party vendors and cloud providers.
  • Developer Configuration Management requires rigorous testing and version control to mitigate vulnerabilities.
  • Security and Privacy Engineering Principles embedded into software and infrastructure procurement to align with federal security guidelines.
  • Mandated system documentation for all acquired technologies, ensuring transparency and traceability of security measures.

3. Personnel Security (PS)

With an increasing reliance on digital access, personnel security measures have been strengthened to minimize insider threats. Changes include:

  • Position Risk Designation defining security access levels based on role sensitivity and clearance requirements.
  • Enhanced Personnel Screening introducing updated background check procedures and biometric verification.
  • Personnel Termination and Transfer controls implemented to promptly revoke access upon departure or reassignment.
  • Access Agreements standardized across agencies to ensure adherence to CJIS security protocols.
  • External Personnel Security oversight expanded to include contractors, ensuring non-agency personnel adhere to security guidelines.
  • Personnel Sanctions guidelines refined to enforce accountability for security violations and misuse of CJI.

4. Supply Chain and Risk Management (SR)

Recognizing vulnerabilities in supply chains, CJIS v6.0 strengthens risk management in technology and service acquisitions. Updates include:

  • Supply Chain Risk Management Plans mandated for all agencies handling CJI, ensuring secure procurement and vendor management.
  • Acquisition Strategies, Tools, and Methods enhanced to prevent compromised or insecure products from entering agency systems.
  • Notification Agreements requiring vendors to report security incidents or breaches affecting government systems.
  • Inspection of Systems and Components instituted to detect vulnerabilities before deployment.
  • Secure Component Disposal guidelines updated to ensure proper data sanitization and asset decommissioning.

5. Enhanced Authentication and Security Measures

Authentication and security management enhancements include:

  • Password Management Enhancements: Agencies must now implement an annually updated "banned password" list and require periodic authenticator changes to prevent compromised credentials.
  • Multi-Factor Authentication (MFA): Expanded adoption of MFA for all personnel accessing sensitive systems.
  • Elimination of Redundant Appendices: Appendices J and K have been removed to streamline the policy and reduce redundant security provisions.
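The banned password list item above is the one control in this summary that maps directly onto code, so here is an added illustration of how a screening check against such a list can be built. This is example code written for this page, not text from the CJIS Security Policy and not a Compass IT Compliance tool; the sample list contents, the minimum length, the leet-substitution table and the helper names are all assumptions, and a real deployment would load the agency's annually updated list from a file. The example goes a little beyond the bullet's wording by also catching trivially disguised variants (case changes, leet substitutions, digit or symbol padding), which is how banned-password screening is usually implemented in practice.

```python
"""Banned-password screening (added example; assumptions are noted inline)."""
import re
import unicodedata

# Constructed sample list; a real agency list is loaded from a file and
# refreshed on the annual cycle the policy calls for.
BANNED_PASSWORDS = frozenset({
    "password", "welcome", "letmein", "qwerty", "123456", "admin", "cjis",
})

# Assumed substitution table: characters commonly used to disguise a banned word.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Leading or trailing run of digits, punctuation or underscores ("Password2024!").
_PADDING = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def variants(candidate: str) -> set[str]:
    """Forms of the candidate that are compared against the banned list.

    Returns the case-folded string, its de-leeted form, and both with
    leading/trailing padding stripped, so "P@ssw0rd" and "Password2024!"
    both yield "password".
    """
    base = unicodedata.normalize("NFKC", candidate).casefold()
    deleet = base.translate(LEET_MAP)
    forms = {base, deleet}
    for s in (base, deleet):
        stripped = _PADDING.sub("", s)
        if stripped:
            forms.add(stripped)
    return forms


def is_banned(candidate: str, banned: frozenset[str] = BANNED_PASSWORDS) -> bool:
    """True if any normalized form of the candidate matches a banned entry.

    Short entries must match exactly; entries of six or more characters are
    also rejected when they appear inside the candidate ("MyWelcome1"), which
    keeps short entries like "cjis" from rejecting unrelated passphrases.
    """
    long_words = [w for w in banned if len(w) >= 6]
    for form in variants(candidate):
        if form in banned:
            return True
        if any(w in form for w in long_words):
            return True
    return False


def check_new_password(candidate: str, min_length: int = 12) -> list[str]:
    """Return the list of policy failures for a proposed password (empty = OK).

    min_length is an assumed local setting, not a figure from the policy text.
    """
    failures = []
    if len(candidate) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if is_banned(candidate):
        failures.append("matches the banned password list")
    return failures


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Password2024!", "MyWelcome1", "correct-horse-battery-staple"):
        print(f"{pw!r}: {check_new_password(pw) or 'acceptable'}")
```

The screening runs at password-set time; the periodic authenticator change the same bullet requires is a separate lifecycle control and is not modelled here.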

Implications and Benefits

The updates introduced in CJIS Security Policy v6.0 ensure that law enforcement, government agencies, and third-party contractors operate within a more secure and controlled environment.

Key benefits include:

  • Strengthened cybersecurity measures to mitigate evolving threats and cyberattacks.
  • Enhanced oversight and accountability in system security and personnel management.
  • Improved compliance with federal cybersecurity mandates and best practices.
  • Greater operational efficiency through clear security protocols and streamlined processes.
  • More secure supply chain partnerships reducing exposure to vulnerabilities in third-party services and products.

Conclusion

The CJIS Security Policy v6.0 represents a crucial modernization effort aimed at strengthening security, risk management, and compliance across criminal justice agencies. By adopting enhanced authentication methods, continuous monitoring, robust acquisition standards, and personnel security improvements, agencies can better protect sensitive criminal justice information while minimizing cyber threats. To ensure full compliance, agencies must evaluate and update their security policies, personnel screening processes, and system acquisition procedures in accordance with these latest guidelines. Through proactive adaptation, stakeholders can maintain a high level of security integrity and operational resilience in an evolving digital landscape.

Compass IT Compliance specializes in helping organizations navigate the complexities of CJIS compliance. Our team of cybersecurity and compliance experts provides tailored assessments, policy development, security training, and continuous monitoring solutions to ensure your organization meets the stringent requirements of CJIS Security Policy v6.0. Contact us today to learn how we can support your CJIS compliance efforts and enhance your overall security posture.
