Hey Y’all,

So, now that they’ve finished the modernization, what’s next? We’ve been on this journey for about the past five years, and it's pretty much completed. The APB has started making “tweaks” and cleaning up “stuff” that was left over from the modernization.

In the meantime, we gotta get to work on doing the compliance thing. The “good” thing is that the APB gave us a bit of a map of what to focus on first. They’ve marked all the “new” stuff with Priority and/or Existing annotations.

It’s pretty easy to figure out where to concentrate. Back in version 5.9.5, the CJISSECPOL said that as of October 1, 2024, all of the Priority 1 controls are sanctionable. So they are literally “Priority 1”. 

The Priority 2, 3, & 4 controls have been identified as “Zero-Cycle.” This means that the FBI auditors are not going to submit findings of non-compliance to the Compliance Evaluation Subcommittee.

I want to stress that this is not to say that your CSA won’t enforce those controls; they always have the last “say-so.” However, we do have some guidance on where we should be concentrating our resources.

Additionally, there’s the “Existing” annotation. These are ones that were already in place and have just had the “modernization” applied to them. Not new, just an update in language or location. These fall into the “need to focus on these now” category because you should have already been doing these.

Just a reminder, our application, CJIS Insight, was designed specifically to help your agency track compliance with the CJISSECPOL. It can also be an integral part of your agency’s System Security and Privacy Plan (SSPP), which is now required by PL-2 in the very same Security Policy, as it identifies all of the applicable controls that your agency must follow.

We believe that CJIS Insight can be a very helpful tool in your toolbox, especially around audit time. Let us show you how it and our team can help you? Give me a call or drop me an email at info@cjisace.com.

Y'all take care,

Larry Coffee