866.656.3338 sales@diversecomputing.com

So You’re About to Have a CJIS Audit… What to Expect.

Date Posted - 18th Mar 2014 |  Category - CJIS Security Policy, Newsletter

CJIS ACE Logo Full Color Blue Font Low-Res

Imagine for a moment……


You get into the office, everything about your day is looking great. That is, until you receive notice that your agency will be audited!


You immediately think that it’s time to take that long overdue vacation. Or maybe consider early retirement?


Nah, it doesn’t have to be that bad and here’s why.


Looking at an audit as a “good thing” is certainly better than viewing it as something terrible. It’s that old, “not looking at it as a problem but as an opportunity” adage.


The underlying purpose of any audit is based in “good” — ensuring compliance with standards and policies.


How is this good? It’s good because it’s very important to comply with standards and policies, especially in our line of work.


Compliance with standards and policies assist you in your job by helping to make sure you get accurate and secure information when you need it.  


In the practice of information security, we call this ensuring the confidentiality, integrity and availability of mission critical information.


Now that we have established that the audit concept is a good thing (really – it is!), let’s talk about what you can expect


CJIS policy requires that every agency that uses CJIS systems or data get audited minimally on a triennial basis by the CJIS Systems Agency (CSA), sometimes referred to as a “State Audit.”


In addition to the CSA audit, an agency could get selected to be audited by the FBI’s CJIS Audit Unit. Technically, this selection can be anytime, but usually matches up with when CSA gets audited by the FBI, which is also minimally on a triennial basis.  


For simplicity, I will be focusing on a typical FBI CJIS audit process, but any audit (e.g. State Audit) will follow a logical progression like this.


The FBI CJIS audit process will be similar for any CJIS program area (e.g. Information Technology Security, NCIC, NDex, etc.) and consist of the following sequential steps:



1) Initial Contact and Notification of Audit

    • This is where an FBI audit staffer will reach out to you, usually by phone, to discuss point-of-contact information and logistics.


2) Pre-Audit Questionnaire

    • You will receive a pre-audit questionnaire specific to the type of audit you are going to go through. You may even receive multiple questionnaires if you are “lucky” enough to be audited on multiple programs.


    • This questionnaire needs to be completed and returned to the audit staff by a set deadline.


    • The pre-audit questionnaire serves several purposes by giving:
      • The FBI Auditor background about your agency and a sense of your agency’s policies and procedures
      • You an idea of what topics the audit is going to cover
      • You an idea on what type of documentation will be needed
      • You an idea as to what staff to have available to provide insight and additional documentation during the audit


3) On-Site Audit (A-DAY!!)


    • An administrative interview will be conducted with appropriate agency personnel. It is important to be prepared for this! Topics covered are, but not limited to:


      • NCIC
        • Data Quality (Entry, Packing, etc.)
        • Record Integrity
          • Second Party Checks
          • Extradition Limitations
          • Categories for Entry
          • Caution Indicators
        • Validation Procedures
        • Timely Entry and Hit Confirmations
        • Proper Use of III


      • IT Security
        • Network Diagram Review
        • Firewall Ruleset Review
        • Policy Review
        • Awareness Training Content/Records Review
        • Log Review
    • A physical security inspection will be conducted of the facility and anywhere the criminal justice information is processed, stored or accessed. Examples include, but are not limited to:


      • Terminal Areas
      • Communications / Dispatch Centers
      • Patrol / Squad Rooms
      • Records Area
      • Data Center / Network Equipment Areas
      • Patrol Vehicles



4) Audit Follow Up and Compliance Planning

    • At the conclusion of the On-Site Audit you will receive a policy assessment packet containing the agency’s compliance status with those areas assessed.


    • This policy assessment packet will be an input to the overall compliance report issued to the CJIS Systems Officer (CSO) responsible for your agency’s compliance.


    • The CSO will be following up on any deficiencies requiring that you submit a plan toward compliance. These follow ups are regularly reported to the FBI Audit Unit and further to the FBI’s Advisory Policy Board (APB) for further action as they deem appropriate. 

Whew!  That’s a whole lot of coordination, information gathering and time commitment, especially when resources are spread so thin. There goes the “good thing” of an audit!


Even if I have successfully convinced you that an audit, in concept, isn’t a bad thing – – who has the time needed to do it, right?


This is where I and the rest of the CJIS ACE team can help!


We’ve been in your shoes and understand the pressure and stress that an audit can cause.


But we’ve also been on the other side being the auditor, so we know exactly what things an auditor will be looking for.



The CJIS Security Policy can be confusing with respect to what agreements are needed when.  We know this is true because the lack of properly executed Management Control Agreements and CJIS Security Addenda are always top compliance issues found during FBI and State audits.  


The CJIS ACE team can help you and your agency navigate this and any CJIS-related policy or compliance issue.  To further discuss how we can help, drop me a line at:  wtatun@diversecomputing.com or give me a call at 850-778-3207.


Until next time, be safe.


Bill - Signature - New.png




e:  wtatun@diversecomputing.com


o:  850-778-3207


w:  www.diversecomputing.com/CJISACE



Were you forwarded this newsletter and find the content useful? Then please take a few seconds and subscribe to our newsletter.

CJIS ACE Newsletter Subscribe Link


CJIS ACE is a division at DCI that helps law enforcement agencies comply with the FBI CJIS Security Policy and NCIC requirements. CJIS ACE services are designed to help you be pro-active in strengthening your agency’s information security profile and comply with any other security policies that may be required (e.g. a State or County IT Security Policy). CJIS ACE brings real-world experience at the ready to assist your agency’s personnel in navigating the daunting and complicated path through audits and information security policy compliance.

More info about CJIS ACE


Let us deal with your audit and compliance hassles…

You already have enough to worry about.