top of page

Larry Coffee

Jan 28, 2025

It's Done!

It’s Done….well it is, sorta kinda. The FBI CJIS ISO has released Version 6.0 of the CJIS Security Policy (CJISSECPOL), and in doing so made me a complete liar. From my previous experience with administration changes, i.e., new presidents, I wasn’t expecting to see this until late spring. They went ahead and sent it out.


When I say “it’s done”, I’m talking about the modernization of the CJISSECPOL. We should not see major changes for the foreseeable future, but I could be made a liar once again. My expectations are that we will see “clean-up”. Those should be little tweaks here and there, but nothing like we’ve been going through for the past few years.  


With this release, we have some new control families Systems and Services Acquisition (SA) and Supply Chain Risk Management (SR), and updates to a couple of old ones, Personnel Security (PS) and the old Formal Audits (Section 5.11) is now Assessment, Authorization, and Monitoring (CA).


Also, most of the old Section 5.1 Information Exchange Agreements has been moved to other parts of the policy. So, it is somewhat smaller.


Then finally, they’ve reorganized the layout. Only section 5.1 and the old 5.13 Mobile Devices are identified by a section number. Section 5.1 is the same, but 5.13 is now 5.20.  All of the other control families (sections) are now in alphabetical order by the control family acronym. So there is no 5.2, 5.3, 5.4, etc. Its Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), etc. It might be a little confusing to start with, but y’all will get the hang of it.


If you’ve been following these newsletters you’ve seen us mention CJIS Insight. That’s CJIS ACE’s interactive compliance tracking software for the CJISSECPOL and it is perfect for your system security and privacy plan (SSPP.) Part of an SSPP is to document how you comply with the controls. CJIS Insight has all of the controls in a single application, purpose-built for the CJISSECPOL unlike other applications that can be adapted for that purpose.


Whether you have us go through the policy with you through a CJIS ACE Assessment or you want to try it yourself, CJIS Insight can help you document how you comply with all of the CJISSECPOL controls.  


You can always learn more about what we at CJIS ACE can do for you on our website and I’d enjoy a chance to talk with you, gimme a call or send us an email at info@cjisace.com.


Y'all take care,

Larry Coffee

bottom of page