Now that we’re unofficially done with Summer, temperatures have begun to drop, right? Not here in Florida, and on top of all that there’s a whole lot of new stuff that can be sanctionable starting next month that’ll definitely keep temperatures up.

Last month I reminded everyone that the new version 5.9.5 had been released for everyone’s reading (and compliance) pleasure. Don’t worry, nothing has come out since then, but there are some things that y’all really need to pay attention to.

If you go and look in the CJIS Security Policy (CJISSECPOL), all of the modernized controls have a caveat that says “Priority 1, 2, 3, 4, or Existing”. This is the prioritization that I mentioned last month and is extremely important information relating to audits.

The important thing to know is that if a control/control enhancement says “[Priority 1] or “[Existing]”, then that control/control enhancement is sanctionable starting October 1, 2024. That’s right, less than a month away. CJISSECPOL Section 1.4 explains this in a little more detail. 

What this means is that y’all are supposed to be doing all of those controls marked Priority 1 or Existing in less than a month. Your agency is still responsible for the Priority 2, 3, and 4 controls (you’re supposed to be doing those), however, those controls won’t be sanctionable for the first audit (from an FBI/APB point of view.) That is called a “zero-cycle”.

Likewise, your state audit programs are probably going to follow that same process, but they could enforce the Priority 2-4 controls just like the Priority 1. My experience has been that the states typically follow how the FBI does audits.

Y’all need to take a look. I don’t have enough room to identify all of these Priority 1 or Existing controls. If you’re being audited any time soon, you might already know. Just be prepared for a whole lot of new questions.

As always, if you have questions about these updates CJIS ACE is here to help you understand them in order to be compliant. For CJIS ACE Insight customers, we can go through this together as Insight gets updated. If you are interested, please reach out to us at info@cjisace.com.