Understanding CJIS Compliance Formal Audits


Part 11

In the previous blog, we explored system and communications protection and information integrity. In this post, we will discuss the next policy area: CJIS Compliance Formal Audits. Formal audits are conducted periodically to ensure agencies’ compliance with applicable policies, statutes, and regulations.

Audits by the FBI CJIS Division

The FBI CJIS Division conducts compliance audits as well as security audits to ensure compliance with the applicable regulations and other parameters.

a) Triennial Compliance Audits by the FBI CJIS Division

The FBI CJIS Division is authorized to carry out audits triennially to check whether an agency is compliant with the policies, statutes, and regulations. Each CJIS Systems Agency (CSA) will be subject to a triennial audit by the CJIS Audit Unit (CAU) to verify compliance. This audit shall include CJAs, in cooperation with the Noncriminal Justice Agency (NCJA) and the State Identification Bureau (SIB). The frequency of the audit may be increased as required if the audit reveals that the agency hasn’t complied with the regulations. The FBI CJIS Division also has the authority to carry out unannounced audits and security inspections.

b) Triennial Security Audits by the FBI CJIS Division

Just as with the compliance audits, the FBI CJIS Division is also authorized to conduct security audits of the SIB and CSA systems and networks once every three years to check for compliance. The audits may be conducted more frequently if the agency fails to comply with the regulations and the CJIS Security Policy.

Audits by Each CJIS Systems Agency (CSA)

Each CSA should:

a) Audit, at least triennially, all NCJAs and CJAs that have direct access to the state system, in order to ensure their compliance with regulations, statutes, and policies.

b) Coordinate with the SIB and establish a specific process to periodically audit all NCJAs that have access to Criminal Justice Information (CJI) to ensure compliance.

c) Have the authority to conduct scheduled audits of Contractor facilities and unannounced inspections to check the level of security maintained.

Special Security Inquiries and Audits

Additionally, all agencies that have access to Criminal Justice Information need to permit inspection teams to conduct an appropriate audit and inquiry into any alleged violations of security norms. The team would be appointed by the CJIS Advisory Policy Board (APB) and should include at least one representative from the CJIS Division. Furthermore, all the results of the audit and inquiry should be reported to the APB along with all the recommendations.

This brings us to the close of CJIS Compliance Formal Audits. In the next blog, we will discuss the final policy area: CJIS Compliance Personnel Security.

DoubleHorn is one of the leading Cloud Solutions Providers founded in January 2005 and based in Austin, Texas. DoubleHorn is capable of offering CJIS Compliant Cloud Solutions; contact us at solutions@doublehorn.com to learn more.