
Edith Kowalik

May 15, 2025

Is your organization at risk?

Hi all,


One of the newer control families in the CJIS Security Policy (CJISSECPOL) is Risk Assessment (RA).


Although it is a Priority 2 control, RA-3 requires that you conduct a risk assessment that includes:

  • Identifying threats to and vulnerabilities in the system;

  • Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and

  • Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information.


Once that risk assessment is completed, you’ll also have to:

  • Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;

  • Document risk assessment results in a risk assessment report;

  • Review risk assessment results at least quarterly;

  • Disseminate risk assessment results to organizational personnel with risk assessment responsibilities and organizational personnel with security and privacy responsibilities; and

  • Update the risk assessment at least quarterly or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.


While this requirement won’t be sanctionable until October 2027, that doesn’t mean you should wait until then to take action. To start you on the compliance path, our CJIS ACE team has put together a mini risk assessment quiz that takes only a few minutes to complete. It helps you determine your current risk level based on some heavy hitters from the CJISSECPOL.


Our CJIS ACE Assessment can help lower your risk level further: we identify which CJISSECPOL requirements you are not meeting and provide mitigation strategies for you. You can reach us at info@cjisace.com for further information.


Talk soon,

Edith Kowalik
