CJIS v6.0 Readiness Checklist for Small Agencies
Most small agencies preparing for CJIS Security Policy v6.0 start the same way: they open the FBI's 250-page PDF, get through the first two policy areas, and set it aside. That's not a knock on anyone's diligence - it's a reasonable reaction to a document written for compliance teams, not for the records clerk or IT contractor who also happens to own compliance at a 20-officer department.
Here's a more workable starting point.
Start with an inventory, not the policy document
Before touching a single control, write down every system that touches Criminal Justice Information (CJI): your RMS, CAD, any state repository terminal, mobile data terminals in patrol vehicles, and anything in the cloud - email, file storage, backup services. CJIS v6.0's 20 policy areas all assume you know what you're protecting. Agencies that skip this step end up re-doing control work twice because they scoped it wrong the first time.
Triage the 20 policy areas by effort, not by document order
The policy document lists policy areas in a fixed order, but that's not the order you should tackle them in. A rough triage that works for most small agencies:
- Fast wins first: Identification & Authentication and Access Control - if you already require unique logins and are close to enforcing MFA, these areas are mostly documentation.
- Process work next: Incident Response, Awareness & Training, and Personnel Security - these need written procedures more than technical changes.
- Technical lift last: Audit & Accountability, Systems & Communications Protection, and Configuration Management - these usually require actual changes to how systems are configured and logged.
Don't wait on vendor confirmations to start documenting
A common stall point: waiting for your RMS vendor or IT provider to confirm a technical control before writing anything down. Start the policy and procedure work in parallel. Auditors want to see that your agency has ownership of its compliance posture, not just a vendor's compliance letter.
Evidence expires - plan for that from day one
Background check attestations, training completions, and technical configuration screenshots all have a shelf life. Building a habit of re-collecting evidence on a schedule - not just once before an audit - is the difference between a two-week audit scramble and a non-event.
The deadline is real, but it's not tomorrow
Full CJIS v6.0 enforcement begins October 1, 2027. That's enough time to do this right if you start now, and not nearly enough time if you wait until 2027 to open the PDF for the first time.
If your agency is still tracking this in a spreadsheet, ComplianceLattice structures all 20 policy areas as an actionable checklist built specifically for agencies without a dedicated compliance team.