CJIS Security Policy v6.0: what changed, and what to ask your cloud vendors
CJIS Security Policy v6.0, released December 27, 2024, is the largest update in over a decade: 180+ primary controls, an explicit cloud shared-responsibility model, U.S. data residency, CJIS-screened personnel for anyone with CJI access, and a tiered rollout in which Priority 1 controls are auditable now and the rest become fully auditable by October 1, 2027.
On December 27, 2024, the FBI released version 6.0 of the CJIS Security Policy, the largest single revision in more than a decade. If your agency is evaluating cloud or SaaS vendors in 2026, you are working under a meaningfully different rulebook than the one most procurement templates were written for. Here is what changed, what it means for vendor selection, and the timeline you are actually working against.
What changed in CJIS Security Policy v6.0
Version 6.0 is not a tweak. The policy was rebuilt around a modern control framework and now spans more than 180 primary controls and over 1,300 subcontrols. Four changes matter most for agencies buying cloud services:
- An explicit cloud shared-responsibility model. The policy now formally describes how obligations divide between an agency and its cloud providers, including responsibility matrices for IaaS, PaaS, and SaaS arrangements. What used to be an argument between your auditor and your vendor is now written down.
- U.S. data residency. Criminal Justice Information must reside within the United States. Where a vendor physically stores and processes data is now a direct policy question, not a preference.
- Personnel screening follows access. Anyone with access to CJI, including a vendor's engineers and support staff, must be CJIS-screened. If a SaaS company's on-call engineer can open a database holding your incident records, that person is in scope.
- A priority-tiered rollout. Every control carries a priority level. Priority 1 controls are auditable and sanctionable immediately; Priority 2 through 4 controls become fully auditable by October 1, 2027.
What does “shared responsibility” actually mean?
This is the part agencies most often get wrong, so it is worth being blunt: hiring a compliant vendor does not make your agency compliant. The shared-responsibility model splits the control set: the vendor implements and documents the controls that live in its infrastructure, and the agency keeps everything that lives on its side: who gets accounts, how access is granted and revoked, local device security, personnel screening, policies, training, and incident response.
Formally, the split is usually documented through the CJIS Security Addendum in the contract and a responsibility matrix that says, control by control, who does what. Under v6.0 you should expect an auditor to ask for that document. If a vendor cannot produce one, or waves the question off with “we're CJIS compliant,” that is itself the answer.
What is the v6.0 compliance timeline?
| Milestone | Date | What it means |
|---|---|---|
| v6.0 released | Dec 27, 2024 | Priority 1 controls auditable and sanctionable immediately |
| v6.1 expected | ~Spring 2026 | Start of a continuous 6–12 month update cadence |
| Full auditability | Oct 1, 2027 | Priority 2–4 controls fully auditable in CJIS audits |
Two practical consequences. First, October 2027 is not a start date. Priority 1 findings can already appear in an audit today, so triage against the P1 list now. Second, the FBI has signaled that updates will now arrive every 6 to 12 months rather than once a decade. Build a compliance program that absorbs change, not a binder built around a single policy version.
Questions to ask any cloud or SaaS vendor
Procurement is where you have the most pull. Once the contract is signed, the questions stop getting answered. Get them in writing first:
- Data residency. Where, physically, is our data stored and processed? Is every environment, including backups and support tooling, inside the United States?
- Personnel screening. Which of your staff can access our CJI, and are they CJIS-screened under our state's process? Will you sign the CJIS Security Addendum?
- Shared-responsibility documentation. Provide the responsibility matrix for your service model. Which controls are yours, which are ours, and which are split?
- Encryption. How is data encrypted in transit and at rest, and with what validated modules?
- Audit support. When our CSA audits us, what evidence will you produce, how fast, and at what cost?
- Data minimization. What CJI do you actually hold, and for how long? The less a vendor retains, the smaller the surface both of you have to defend.
How BabbarOps approaches CJIS under v6.0
BabbarOps does not claim a CJIS certification, because no such certification exists, for any vendor. What we do instead follows the model v6.0 formalizes: Incident Command is built to CJIS standards and hosted on AWS GovCloud (US), and compliance is implemented in coordination with each agency's IT and policy authorities, since the specific obligations depend on the deployment and the state CSA.
The architecture also leans on that last procurement question: data minimization. BabbarOps live video is live-only and never stored, so the video side of the platform generates no retained CJI at all. Nothing retained means less to protect, less to audit, and less to disclose. The incident data that Incident Command does hold gets the full treatment; the video deliberately never becomes data at rest in the first place.
The bottom line
Version 6.0 turned CJIS from a once-a-decade document into a living control framework with a real audit clock. For agencies, the work is twofold: triage your own posture against the Priority 1 controls now, and tighten vendor selection so every cloud contract comes with residency answers, screened personnel, and a written responsibility matrix. The agencies that treat 2026 and 2027 as a runway, rather than a deadline that arrives all at once, will be the ones that clear their audits without drama.
CJIS Security Policy v6.0 is the FBI's December 27, 2024 revision of the security rules governing Criminal Justice Information, the largest update in over a decade. It expands the framework to more than 180 primary controls and 1,300+ subcontrols, adds an explicit cloud shared-responsibility model, requires U.S. data residency, and requires CJIS screening for anyone with access to CJI, including vendor personnel.
Now, in part. Priority 1 controls became auditable and sanctionable immediately on release, while Priority 2 through 4 controls become fully auditable by October 1, 2027. Agencies should triage against the Priority 1 list first and use the remaining time as a runway for the rest, because audit findings are already possible today.
No. Under the shared-responsibility model formalized in v6.0, a vendor can implement and document the controls that live in its infrastructure, but the agency keeps its own obligations: access management, personnel screening, local device security, policies, and incident response. Accountability in a CJIS audit stays with the agency, which is why you should require a written responsibility matrix from every vendor.
No. The FBI does not certify or accredit products or vendors as CJIS compliant, so any flat claim of certification should be treated with caution. Compliance is established per deployment, between the agency, its state CJIS Systems Agency, and the vendor, typically formalized through the CJIS Security Addendum and a shared-responsibility matrix.
See how a live-only video layer and a CJIS-built incident workspace fit your agency's v6.0 posture.
This article is general information, not legal or compliance advice. CJIS Security Policy versions, control priorities, and audit expectations change over time and apply differently by state and deployment. Confirm your specific obligations with your CJIS Systems Agency, CJIS Systems Officer, legal counsel, and the FBI CJIS Division. BabbarOps is an independent commercial product and is not affiliated with or endorsed by the FBI, the CJIS Division, or any law enforcement agency.