CJIS v6.0 Priority Controls (P1-P4): What's Already Enforceable Right Now
Most of what agencies hear about CJIS v6.0 centers on one date: October 1, 2027. That's the full-enforcement deadline, and it's real. But treating it as the only date that matters is a mistake - because a slice of CJIS v6.0 has already been enforceable for well over a year.
The policy isn't one deadline - it's four tiers
CJIS v6.0 sorts every control into one of four priority levels, P1 through P4, based on how critical it is and how quickly agencies are expected to implement it. That's a real shift from the old CJIS Security Policy, which treated its control set as a single flat checklist with one compliance date.
Here's what the tiers mean in practice:
- P1 - the highest-priority controls. Immediately auditable and sanctionable. These became subject to FBI CJIS sanctions on October 1, 2024 - not a typo, not a future date.
- P2, P3, P4 - phased in on a rolling basis, with full auditability for all four tiers required by October 1, 2027.
If your agency has been planning around "we have until 2027," that's true for P2 through P4. It has not been true for P1 since the fall of 2024.
What's actually in P1 today
Multi-factor authentication is the control most consistently called out as P1. If your agency's CJIS-connected systems - RMS, CAD, mobile data terminals, cloud services touching CJI - aren't enforcing MFA, that's not a 2027 gap. It's a gap that's been auditable and sanctionable for over a year already.
This matters for how you sequence the rest of your compliance work. Agencies triaging CJIS v6.0's 20 policy areas by effort (see our CJIS v6.0 readiness checklist) should treat P1 controls as the actual first priority, not just "the easy stuff to knock out first." They're the same category of control in most small agencies' cases - access control and authentication fundamentals - but the reason to start there isn't convenience. It's that the exposure is current, not future.
Why the tiered structure exists
CJIS v6.0's priority system reflects a broader shift in the policy itself: away from point-in-time checklist compliance and toward continuous governance and risk management, with the entire framework now mapped to NIST SP 800-53 at the moderate baseline. A flat, one-deadline checklist doesn't fit that model. Tiering lets the FBI treat the controls with the most immediate risk - authentication, access control - as non-negotiable now, while giving agencies a longer runway on lower-priority, higher-effort controls like formal audit programs and supply chain risk management.
What to do about it
If your agency hasn't specifically confirmed which of your implemented controls are P1 versus lower-priority, that's worth doing before anything else in your CJIS v6.0 work plan. A reasonable next step:
- Confirm MFA is enforced - not just available, but required - across every system that touches CJI
- Ask your assessor or state CSA which other controls in your agency's environment carry a P1 designation
- Document evidence for P1 controls now, since those are the ones an auditor can act on today, not in 2027
- Sequence everything else (P2-P4) against the 2027 deadline, but don't let it distract from what's already live
The October 2027 date is still the one that determines whether your agency keeps NCIC access. But for P1 controls, the clock already ran out once. If your agency hasn't checked, this is worth checking today - not adding to next year's to-do list.
If you're tracking this in a spreadsheet, ComplianceLattice structures all 20 CJIS v6.0 policy areas as an actionable checklist with evidence and status tracking, so a gap like unenforced MFA shows up clearly instead of getting buried in a 1,300-item list. Priority-tier tagging for individual controls is on our roadmap - if that would help your agency plan around P1 first, let us know.