CJIS Audit Ready?

When public safety leaders hear "CJIS compliance," many still think first about passwords, background checks, encryption, and access control.

Those things matter.

But one of the most important implications of the current CJIS Security Policy is often missed.

If your PSAP handles systems that process, store, or transmit Criminal Justice Information, CJIS is not just asking whether you locked the doors. It is also asking whether you can see trouble coming while it is happening.

I still talk with leaders who are surprised to learn this: by the end of 2024, around-the-clock monitoring was no longer just a cybersecurity best practice to admire. It had become something an auditor could reasonably expect your organization to prove in practice, and something that is very difficult to defend without a 24/7 security operations center or a comparable managed monitoring service.

The policy never uses the exact phrase "24/7 SOC", but it says enough to create that expectation for most real-world PSAP environments.

Version 6.0 of the FBI CJIS Security Policy, dated December 27, 2024, makes system monitoring a Priority 1 control. It requires agencies to monitor for intrusion detection and prevention, malicious code protection, vulnerability scanning, audit record monitoring, network monitoring, and firewall monitoring. It also requires automated tools that support near real-time analysis of events. Separately, it requires continuous monitoring as part of the system's ongoing security strategy. And it still requires weekly audit record review.

That distinction matters.

Weekly audit review is not the same thing as active monitoring.

If a PSAP is only looking at logs after the fact, once a week, that is not the same as being able to detect suspicious activity when it begins at 2:00 a.m. on a Sunday.

For public safety leaders, that is the practical takeaway. CJIS compliance has moved well beyond static controls. It now clearly expects operational visibility, and in most PSAP environments that is hard to make auditable without 24/7 human-backed monitoring coverage.

What the policy is really saying

The easiest way to understand the policy is this: CJIS expects agencies to protect criminal justice data in a way that matches the real risk of modern networks.

That means several things for PSAPs.

First, monitoring is not limited to one tool or one dashboard. The policy calls out multiple monitoring objectives, including intrusion detection, malicious code protection, audit monitoring, network monitoring, and firewall monitoring. In other words, this is not just "make sure your antivirus is on." It is a layered visibility requirement.

Second, the policy ties monitoring to speed. The near real-time analysis language is important because it shows the FBI is not thinking only in terms of historical review. The point is to detect, analyze, and respond early enough to matter.

Third, the policy treats monitoring as part of continuous risk management, not just compliance paperwork. CJIS 6.0 requires a continuous monitoring strategy and says agencies need ongoing awareness of their security posture at a frequency sufficient to support risk-based decisions.

That is a very different standard from annual checkbox compliance.

Why this matters so much for PSAPs

PSAPs are not ordinary business environments.

They operate in mission-critical conditions. They rely on high-availability systems. They often depend on remote access, vendor support, interconnected public-safety technologies, and networks that cannot simply be taken offline every time something looks suspicious.

That changes the consequences of cyber risk.

In a typical office environment, a security event may create inconvenience, lost time, or financial disruption.

In a PSAP environment, a cyber event can create delayed response, degraded visibility, interrupted dispatch operations, confusion during an active incident, or loss of confidence in critical systems during moments when clarity matters most.

That is why this policy shift deserves leadership attention.

The issue is not only whether an agency can pass an audit. The issue is whether the agency can identify abnormal behavior before it becomes an operational crisis.

If a malicious login appears after hours, if a remote access session behaves strangely, if firewall activity changes unexpectedly, or if network traffic suggests an attempted intrusion, public safety leaders should not want that discovered three or four days later in a routine review.

They should want it surfaced while someone still has time to contain it.

What "24/7 monitoring" means in practice

For most PSAPs, the policy implication is straightforward.

If the threat can arrive at any hour, and if the policy expects near real-time analysis and continuous monitoring, then business-hours-only visibility is hard to defend.

That is the point many agencies still underestimate. The policy may not literally say "you must buy a 24/7 SOC," but the auditable standard it creates is extremely difficult to satisfy without one or without a functionally similar service watching, triaging, and escalating events around the clock.

That does not necessarily mean every PSAP needs to build a full internal security operations center overnight.

It does mean the agency needs a credible, auditable answer to questions like these:

• Who is watching for suspicious network, firewall, endpoint, and remote-access activity after hours?

• How quickly are alerts triaged?

• Who gets notified when something needs human action?

• Is there documented escalation if the event threatens CJIS-connected systems or the PSAP's ability to operate?

• Can the agency show evidence that monitoring is active, consistent, and tied to response?

For some agencies, the answer will be internal staff operating a true 24/7 security function.

For many, it will be a managed security provider or a shared monitoring arrangement that delivers the same practical outcome.

Either can be acceptable, but the common thread is the same: someone has to be watching, someone has to be able to interpret what they are seeing, and someone has to be ready to escalate when the risk is real.

That is why "we review logs weekly" is no longer a strong answer on its own, and why many PSAPs will struggle to show an auditor they truly meet the monitoring expectation without a 24/7 SOC or equivalent service model.

The compliance mistake leaders should avoid

One of the biggest mistakes PSAP leaders can make is treating audit review and continuous monitoring as interchangeable.

They are not.

Weekly audit log review is still in the policy, and it remains important. Leaders should expect documented review, analysis, and reporting.

But weekly review is backward-looking.

Continuous monitoring and near real-time analysis are forward-looking. They exist to help agencies see signs of attack, unauthorized access, and risky changes while they are still unfolding.

In practice, that is exactly why a 24/7 SOC, or an equivalent around-the-clock monitoring service, becomes so important. Without that kind of coverage, many agencies are left trying to explain how they can claim near real-time awareness during nights, weekends, holidays, and staffing gaps.

Put simply, one helps you investigate what happened. The other helps you catch what is happening.

PSAPs need both.
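To make the gap between weekly review and near real-time monitoring concrete, here is an added Python illustration (not from the original post or from any CJIS document). It takes a few constructed audit records, including the after-hours login and the 2:00 a.m. Sunday case described above, flags which ones fall outside staffed hours, and computes how long each would sit unexamined under a weekly Monday 09:00 review versus an assumed 15-minute SOC triage target; the staffed window, review slot, triage target, accounts and timestamps are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (not from the original post). The last one
# is the "2:00 a.m. on a Sunday" case the article describes.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T09:15:00", "user": "dispatcher01", "kind": "login"},
    {"ts": "2025-03-06T23:40:00", "user": "vendor-svc", "kind": "remote_access"},
    {"ts": "2025-03-09T02:00:00", "user": "admin", "kind": "login"},
]

# Assumed staffed window (07:00-18:00 local) and weekly review slot
# (Monday 09:00). Adjust these to the agency's actual schedule.
BUSINESS_START, BUSINESS_END = 7, 18
REVIEW_WEEKDAY, REVIEW_HOUR = 0, 9  # Monday == 0
SOC_TRIAGE = timedelta(minutes=15)  # assumed near-real-time triage target


def is_after_hours(ts: datetime) -> bool:
    """True on weekends or outside the staffed window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def next_weekly_review(ts: datetime) -> datetime:
    """First scheduled weekly review slot strictly after ts."""
    days_ahead = (REVIEW_WEEKDAY - ts.weekday()) % 7
    slot = ts.replace(hour=REVIEW_HOUR, minute=0, second=0, microsecond=0)
    slot += timedelta(days=days_ahead)
    if slot <= ts:  # event landed after this week's slot: wait a full week
        slot += timedelta(days=7)
    return slot


def detection_gap(event: dict) -> dict:
    """Hours an event waits unexamined: weekly review vs. SOC triage."""
    ts = datetime.fromisoformat(event["ts"])
    weekly_gap = next_weekly_review(ts) - ts
    return {
        "user": event["user"],
        "kind": event["kind"],
        "after_hours": is_after_hours(ts),
        "weekly_review_gap_h": round(weekly_gap.total_seconds() / 3600, 2),
        "soc_gap_h": round(SOC_TRIAGE.total_seconds() / 3600, 2),
    }


def report(events=SAMPLE_EVENTS) -> list:
    """Evaluate every record; after-hours rows are the ones a SOC would triage."""
    return [detection_gap(e) for e in events]


if __name__ == "__main__":
    for row in report():
        print(row)
```

The Sunday 02:00 login waits 31 hours for the Monday review under these assumptions; the Thursday-night remote-access session waits more than three days.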

 

Questions every PSAP director should be asking now

If your center touches CJIS-covered systems, this is a good time to ask:

1. Do we have documented continuous monitoring for the systems that matter most?

2. Are network, firewall, remote access, and audit events being monitored in a way that supports near real-time awareness?

3. Who owns after-hours alert triage and escalation?

4. Can we show an auditor evidence of monitoring, review, and response?

5. If we rely on a vendor or MSSP, is that responsibility clearly defined and tested?

6. If something suspicious starts tonight, would we know before the next business day?

Those are not only audit questions.

They are operational leadership questions.

The bigger message for public safety leaders

CJIS 6.0 is a reminder that cybersecurity in public safety is no longer just an IT support function.

It is part of operational readiness.

PSAP leaders do not need to become security engineers to lead well here. But they do need to understand the standard has moved. The expectation is no longer just to secure systems at rest. It is to maintain visibility into what those systems are doing, detect trouble early, and respond in a way that protects mission continuity.

For many agencies, that means the real leadership decision is no longer whether 24/7 security monitoring would be nice to have. It is whether the organization has any other credible way to satisfy an auditable monitoring expectation that does not stop at 5:00 p.m.

That is especially important in environments where people may depend on your systems on the worst day of their lives.

For PSAPs, the practical lesson is simple:

If you cannot see your network after hours, you may be more exposed than you think, less compliant than you assume, and increasingly unable to defend your monitoring posture without a 24/7 SOC or similar service.

Sources

FBI CJIS Security Policy v6.0, dated 12/27/2024

About the Author

Devin served in the US Army as an officer in multiple roles over 14 years. He was responsible for the training and well-being of elements of varying size, scope, and mission over the years as an Infantryman, Field Artillery Officer, and Cyber-Electronic Warfare Officer. Between 2014 and 2021, he deployed to multiple combat and operational theaters and was awarded the Air Medal with Combat Device, Bronze Star, and Purple Heart medals for actions in Afghanistan. Since leaving the military, Devin has served as a leader of OTM Cyber, bringing his experience to bear in securing 9-1-1 critical networks across the nation. Under his leadership, OTM Cyber has grown to secure networks serving over 30 million Americans.