CJIS Audit Self-Assessment Checklist for Small Agencies
An assessor's job is to find gaps. Running your own self-assessment first means you find them - with time to fix them - instead of an auditor finding them for you. This isn't a substitute for walking all 20 CJIS v6.0 policy areas in full (see our CJIS v6.0 readiness checklist for that). It's a shorter list of the questions assessors tend to ask first, organized so a small agency can run through it in an afternoon.
How to use this
For each question, answer yes, no, or partial - and be strict about "partial." A policy that exists but isn't followed, or a technical control that's configured but unverified, is partial, not yes. Every "no" or "partial" is a finding. Write it down with a target date to close it, not just a mental note.
Access control and authentication
- Is multi-factor authentication enforced - not just available - on every system that touches CJI?
- Are user accounts reviewed on a schedule, with stale or unused accounts disabled?
- Is access to CJI systems restricted to what each role actually needs, not granted by default?
- Do you have a documented process for revoking access when someone leaves or changes roles?
Audit logging and accountability
- Are logs being generated for access to CJI systems - not just available, but actually retained?
- Do you know how long your logs are retained, and does it meet your state's requirement?
- Has anyone reviewed those logs in the last 90 days, or do they only get pulled after an incident?
Incident response
- Do you have a written incident response plan specific to CJI, not a generic IT policy?
- Does everyone who'd need to act on an incident know the plan exists and where to find it?
- Has the plan been tested or walked through in the last year, even informally?
Personnel security
- Are background checks current for everyone with access to CJI - not just completed once at hire?
- Is CJIS security awareness training completed on the required cadence, with records to prove it?
- Do contractors and vendors with CJI access have the same background check and training requirements as staff?
Media and physical protection
- Is physical access to systems and media containing CJI restricted and logged?
- Is media containing CJI - drives, backups, printed reports - disposed of in a way that meets CJIS sanitization requirements?
- Are mobile data terminals and other field devices covered by the same protections as fixed systems?
Documentation and agreements
- Do you have current, signed CJIS Security Addenda or user agreements with every agency and contractor you exchange CJI with?
- Can you produce a policy document for each of the 20 CJIS v6.0 policy areas on request, not just the ones you remember writing?
- If your state has its own overlay requirements on top of the federal baseline, do you have a current copy of that state document?
What to do with your results
Count your findings. A handful of "partial" answers concentrated in one or two categories tells you where to spend the next month. A long list spread across every category means it's worth stepping back and running the fuller policy-area-by-policy-area review before your actual audit date, not just patching individual items.
Either way, the value of this checklist is entirely in whether you write down what you find. A self-assessment that stays in your head isn't a self-assessment an auditor will believe you did.
If you're tracking findings in a spreadsheet today, ComplianceLattice turns each of these into a tracked control with a status, an owner, and evidence attached - so the next self-assessment is a five-minute review of what's already there instead of starting over.