← Back to blog
August 1, 2026

CJIS Audit Self-Assessment Checklist for Small Agencies

An assessor's job is to find gaps. Running your own self-assessment first means you find them - with time to fix them - instead of an auditor finding them for you. This isn't a substitute for walking all 20 CJIS v6.0 policy areas in full (see our CJIS v6.0 readiness checklist for that). It's a shorter list of the questions assessors tend to ask first, organized so a small agency can run through it in an afternoon.

How to use this

For each question, answer yes, no, or partial - and be strict about "partial." A policy that exists but isn't followed, or a technical control that's configured but unverified, is partial, not yes. Every "no" or "partial" is a finding. Write it down with a target date to close it, not just a mental note.

Access control and authentication

  • Is multi-factor authentication enforced - not just available - on every system that touches CJI?
  • Are user accounts reviewed on a schedule, with stale or unused accounts disabled?
  • Is access to CJI systems restricted to what each role actually needs, not granted by default?
  • Do you have a documented process for revoking access when someone leaves or changes roles?

Audit logging and accountability

  • Are logs being generated for access to CJI systems - not just available, but actually retained?
  • Do you know how long your logs are retained, and does it meet your state's requirement?
  • Has anyone reviewed those logs in the last 90 days, or do they only get pulled after an incident?

Incident response

  • Do you have a written incident response plan specific to CJI, not a generic IT policy?
  • Does everyone who'd need to act on an incident know the plan exists and where to find it?
  • Has the plan been tested or walked through in the last year, even informally?

Personnel security

  • Are background checks current for everyone with access to CJI - not just completed once at hire?
  • Is CJIS security awareness training completed on the required cadence, with records to prove it?
  • Do contractors and vendors with CJI access have the same background check and training requirements as staff?

Media and physical protection

  • Is physical access to systems and media containing CJI restricted and logged?
  • Is media containing CJI - drives, backups, printed reports - disposed of in a way that meets CJIS sanitization requirements?
  • Are mobile data terminals and other field devices covered by the same protections as fixed systems?

Documentation and agreements

  • Do you have current, signed CJIS Security Addenda or user agreements with every agency and contractor you exchange CJI with?
  • Can you produce a policy document for each of the 20 CJIS v6.0 policy areas on request, not just the ones you remember writing?
  • If your state has its own overlay requirements on top of the federal baseline, do you have a current copy of that state document?

What to do with your results

Count your findings. A handful of "partial" answers concentrated in one or two categories tells you where to spend the next month. A long list spread across every category means it's worth stepping back and running the fuller policy-area-by-policy-area review before your actual audit date, not just patching individual items.

Either way, the value of this checklist is entirely in whether you write down what you find. A self-assessment that stays in your head isn't a self-assessment an auditor will believe you did.

If you're tracking findings in a spreadsheet today, ComplianceLattice turns each of these into a tracked control with a status, an owner, and evidence attached - so the next self-assessment is a five-minute review of what's already there instead of starting over.