CJIS Compliance Updates (v6.0 and Upcoming v6.1): What California Agencies Must Do Now to Stay Audit-Ready
Author: Eaton & Associates (AIXTEK)
Estimated reading time: 9–12 minutes
Key Takeaways
- CJIS Security Policy v6.0 is now in effect with 1,578 controls aligned to NIST SP 800-53 Rev. 5, creating a more detailed, evidence focused compliance model for California public agencies.
- Audits for agencies begin October 2025, with full implementation required by October 1, 2027, so cities and counties must start assessments and remediation planning now.
- Key focus areas include MFA everywhere, encryption at rest and in transit, supply chain risk management, continuous monitoring, and identity lifecycle management.
- CJIS v6.0 shifts from checklist compliance to continuous governance, significantly increasing documentation and proof requirements across IT, public safety, and vendors.
- Eaton & Associates (AIXTEK) helps California agencies build CJIS v6.0 roadmaps, modernize infrastructure, and stay audit ready without disrupting police and fire operations.
Table of Contents
- Introduction: CJIS v6.0 is no longer future work
- What CJIS v6.0 Looks Like in Real Bay Area Municipal Environments
- CJIS v6.0 and Upcoming v6.1: What Changed and Why It Matters
- Timeline: When CJIS v6.0 Audits and Full Compliance Hit
- 2026 Compliance Landscape: What’s Changed Since v6.0 Dropped
- Who Is Affected and What Counts as CJI
- What Happens If Agencies Fall Behind
- From Checklist Compliance to Continuous Governance
- Practical Impacts on 2026–2027 Municipal IT Budgets
- How CJIS v6.0 Aligns With NIST and What That Means
- CJIS, Public Records, and California Local Government Realities
- Action Plan for Municipal IT and City Leadership
- How Eaton & Associates (AIXTEK) Helps California Agencies
- Next Steps: Schedule a CJIS v6.0 Municipal IT Assessment
- CJIS-Qualified Partner vs. General MSP: What to Look For
- How to Evaluate a CJIS IT Partner: Questions Every Agency Should Ask
- Municipal Ransomware Readiness Under CJIS v6.0
- FAQ: CJIS v6.0, v6.1, and California Local Governments
Introduction: CJIS v6.0 is no longer “future work” for California agencies
CJIS Compliance Updates (v6.0 and Upcoming v6.1) are no longer “future work” for California cities, counties, police departments, fire departments, and the municipal IT teams that support them.
With the FBI’s CJIS Security Policy v6.0 released on December 27, 2024, local governments are facing the most significant CJIS change in more than a decade, moving from familiar checklist style requirements to a far more detailed, evidence driven model aligned to NIST SP 800-53 Rev. 5.
For public agencies that handle Criminal Justice Information (CJI) such as criminal histories, biometrics, dispatch and incident data, and certain video or surveillance workflows, this is a leadership issue as much as a technical one. The shift affects identity and access management, encryption, mobile devices, physical security, vendor management, and continuous monitoring, and it will impact day to day police and fire operations if not managed carefully.
At Eaton & Associates (AIXTEK), our team has spent 35+ years supporting municipal and public safety IT across California, helping city leadership, IT directors, and public safety command staff modernize infrastructure while meeting CJIS compliance, public records obligations, and California’s evolving cybersecurity expectations. We have worked with 15+ California cities and public agencies, and one lesson is consistent: the agencies that plan early protect uptime, reduce audit stress, and avoid last minute, costly remediation.
Below is what is changing in CJIS v6.0, how audits are shifting, what we know (and do not yet know) about v6.1, and the practical steps municipal leaders can take now to stay on track.
What CJIS v6.0 Looks Like in Real Bay Area Municipal Environments
For California municipalities — particularly in the Bay Area — CJIS v6.0 compliance doesn’t happen in a vacuum. It intersects with the realities of municipal IT operations that most compliance guides never address.
Over 35 years of supporting public agencies across California, we’ve seen consistent patterns in how CJIS requirements collide with day-to-day municipal operations:
Shared infrastructure, segmented obligations
Many mid-sized California cities run police, fire, public works, and administrative departments on shared network infrastructure. A single Active Directory domain may serve both the city clerk’s office and the investigations unit. CJIS v6.0’s segmentation and access control requirements mean these agencies can’t treat network architecture as a one-size-fits-all problem anymore. The CJI “hot zone” needs to be clearly defined, segmented, and independently auditable — even when it shares physical infrastructure with non-CJI city systems.
We’ve helped agencies work through this exact challenge: identifying where CJI flows cross general city networks, implementing logical segmentation that satisfies auditors without requiring a complete infrastructure rebuild, and documenting the architecture in a way that’s defensible during an audit.
24/7 public safety operations vs. maintenance windows
Dispatch centers don’t close. Officers in the field need CAD and RMS access at 3 AM. Implementing MFA rollouts, encryption upgrades, or endpoint hardening in a 24/7 public safety environment requires a fundamentally different approach than a standard corporate deployment. We’ve learned — through decades of municipal engagements — that phased rollouts coordinated with shift schedules, fallback procedures for authentication failures, and tested emergency access paths are non-negotiable. Agencies that skip this planning end up with officers locked out of critical systems during active incidents.
Lean IT teams carrying heavy loads
Many California municipalities operate with IT teams of 2-5 people serving the entire city — police, fire, public works, parks, finance, and city administration. Asking those teams to map 1,578 CJIS controls to their environment while also keeping the lights on is unrealistic without outside support. This is one of the most common patterns we see: capable, dedicated municipal IT staff who simply don’t have the bandwidth for a compliance program of this scale alongside their operational responsibilities.
For agencies in this position, our municipal IT services are designed to augment — not replace — internal teams, handling the compliance heavy lifting while city staff focus on operations.
CJIS v6.0 and Upcoming v6.1: What Changed and Why It Matters
CJIS v6.0: The biggest update in over a decade
The FBI released CJIS Security Policy v6.0 on December 27, 2024, describing a comprehensive new structure that includes 1,578 detailed controls aligned with NIST SP 800-53 Rev. 5 across 20 policy areas, expanded from 13 in prior versions.
This alignment is a major shift for agencies that already leverage NIST based cybersecurity programs, but it also raises the bar on documentation, enforcement evidence, and ongoing governance.
You can review public summaries and analysis from organizations such as the National Association of Counties, NuHarbor Security, and Compliance Manager GRC, and the official policy in the FBI published PDF hosted by the Louisiana State Police at CJIS Security Policy v6.0.
Key enhancements you should expect to implement and prove
Across public research and v6.0 summaries, several themes appear repeatedly as priorities for enforcement:
- Expanded multi factor authentication (MFA) expectations, moving toward MFA for almost all CJI access paths, not only for remote access.
- Password bans and banned password lists with stronger authentication controls to reduce weak or reused credentials.
- Encryption for data at rest and in transit, with an end to end mindset where applicable.
- Supply chain risk management for vendors, integrators, hosted platforms, and devices that touch CJI.
- Continuous monitoring and real time threat detection expectations, including logging, alerting, and incident handling.
- Identity proofing and tighter lifecycle controls for accounts and access, from onboarding to termination.
- Lifecycle security from design to decommissioning, including media sanitization and asset handling.
More detail on these themes is available from sources such as Imprivata’s CJIS v6.0 overview, Apptega’s CJIS v6.0 summary, and Vanta’s CJIS policy guide.
For municipal environments, these are not abstract controls. They directly touch CAD and RMS access, mobile data terminals, body worn camera ecosystems, evidence management, dispatch workflows, and the broader city network segments those systems rely on.
Timeline: When CJIS v6.0 Audits and Full Compliance Hit
Audit pressure starts in October 2025
Multiple sources highlight that audits for agencies begin in October 2025, and critically, that agencies, not vendors, are primarily responsible for audit outcomes. Even if a vendor hosts or processes CJI, the city, county, or department must still demonstrate governance, oversight, and contract controls.
This is emphasized by organizations including the National Association of Counties, NuHarbor Security, and Imprivata.
Full implementation date: October 1, 2027
While some summaries circulate “September 30, 2027,” the referenced research clarifies that full implementation is required by October 1, 2027. The National Association of Counties CJIS v6.0 update explicitly calls out this timing.
What about “CJIS v6.1 in spring 2026”
It is reasonable to expect updates. Some sources note that CJIS policy updates may occur every 6 to 12 months. However, the research also notes no confirmed details for v6.1 in currently available sources, and the specific “spring 2026” date lacks supporting evidence.
Practical takeaway: agencies should plan around v6.0 now, and monitor official FBI and state level channels for future revisions rather than waiting for v6.1.
2026 Compliance Landscape: What’s Changed Since v6.0 Dropped
As of early 2026, the CJIS v6.0 compliance landscape has matured significantly since the policy’s December 2024 release. Here’s what California agencies should know about where things stand right now:
Audit cycles are actively underway
The October 2025 audit start date wasn’t theoretical — agencies are now receiving audit notifications and scheduling assessments. Early reports from the field indicate that auditors are paying particular attention to MFA coverage gaps, encryption implementation evidence, and vendor management documentation. Agencies that treated these as “future work” are now scrambling.
California-specific considerations
California agencies face a unique compliance environment. State-level cybersecurity requirements from Cal-CSIC (California Cybersecurity Integration Center), CCPA/CPRA data protection obligations, and the state’s public records laws all layer on top of federal CJIS requirements. Agencies that approach CJIS in isolation often duplicate work — or worse, create conflicting policies. The most effective approach we’ve seen is building a unified compliance framework that addresses CJIS, state requirements, and NIST simultaneously.
The ransomware threat hasn’t slowed down
Municipal ransomware attacks continue to escalate nationally, and California agencies remain high-value targets. We’ve seen firsthand what happens when security controls aren’t in place — we once rebuilt an entire Active Directory infrastructure across multiple offices in 72 hours after ransomware traveled wide and fast through an environment that lacked proper segmentation and controls. That experience reinforced what CJIS v6.0 now codifies: continuous monitoring, network segmentation, and encryption aren’t optional. They’re the difference between a contained incident and a catastrophic one.
For agencies evaluating their current posture, our comprehensive municipal IT services include CJIS-aligned security assessments that account for California’s unique regulatory landscape.
Who Is Affected and What Counts as CJI in Municipal Operations
CJIS v6.0 applies broadly to federal, state, and local agencies, as well as to third party vendors that process or store CJI. It explicitly impacts police and fire departments, courts, municipalities, and any entity handling CJI such as criminal history data, biometrics, and certain surveillance related records.
Summaries from Compliance Manager GRC, Apptega, and Vanta highlight the breadth of coverage.
In the real world, this often includes municipal IT systems beyond just “the PD network,” such as:
- Identity systems (AD, Azure AD, IdP) used citywide but granting PD access.
- Email and collaboration platforms used for investigations where policy allows.
- File shares, records systems, and retention solutions that store or reference CJI.
- Network core, firewall logging, endpoint protection, and SIEM tooling that monitor CJI environments.
- Mobile device management (MDM) across phones and tablets used by public safety personnel.
This is why CJIS compliance is rarely solved by a single tool purchase. It is a comprehensive program that combines technology, policy, and proof of enforcement.
What Happens If You Fall Behind
CJIS non compliance carries direct operational and financial consequences. Research highlights risks including:
- Loss of access to FBI databases and related information sharing systems.
- Potential fines, contract losses, and funding cuts.
- In some circumstances, potential criminal penalties.
- Increased scrutiny on vendors through supply chain requirements and audits.
These concerns are documented by sources such as Imprivata and Apptega.
City leadership impact: the most tangible risk is operational disruption. If CJIS access is restricted, investigations, dispatch coordination, and interagency collaboration can be delayed. That, in turn, affects public safety outcomes and community trust.
The Biggest Operational Shift: From Checklist Compliance to Continuous Governance
CJIS v6.0 represents a move away from point in time assessments toward ongoing risk management and governance. Audits are expected to emphasize:
- Continuous risk tracking and prioritization.
- Documented remediation progress.
- Real time threat detection and response capabilities.
This direction is highlighted in materials from the National Association of Counties, NuHarbor Security, and Imprivata.
Documentation burden will increase because v6.0 expands to 20 policy areas, including media sanitization, intrusion detection, and more detailed physical and logical controls. That documentation burden often falls on already lean municipal teams.
Sources such as Apptega, Vanta, and NuHarbor Security all stress the importance of maintaining living documentation rather than static binders.
Practical Impacts Municipal IT Leaders Should Plan for in 2026–2027 Budgets
Based on the research, several CJIS v6.0 driven changes are likely to affect municipal operations and budget planning in the next two fiscal cycles.
1) “MFA everywhere” and stronger authentication enforcement
Expect broader MFA requirements across CJI access paths, including privileged administration, remote access, and potentially internal access patterns depending on architecture and policy interpretation.
This may require:
- Modern identity provider (IdP) integrations for police, fire, and administrative staff.
- MFA rollout for sworn and non sworn personnel, dispatch operators, and shared workstations, with careful design for usability in 24/7 environments.
- Process redesign for shift work, emergency access, and account recovery.
These expectations are reflected in resources like the NACo CJIS v6.0 brief and Compliance Manager GRC guidance.
2) Encryption at rest and in transit becomes non negotiable
CJIS v6.0 makes encryption baseline expectations much more explicit. In practice, agencies should plan for:
- Full disk encryption for endpoints, laptops, and mobile data terminals.
- Database and storage encryption for CJIS related systems.
- TLS enforcement, certificate management, and secure protocols for all CJI flows.
- Backup encryption and robust key management processes.
These requirements are consistently highlighted in resources from Compliance Manager GRC and Apptega.
3) Mobile device hardening and improved device lifecycle controls
CJIS environments frequently include mobile workflows for officers, investigators, and field staff. Expect deeper scrutiny of:
- MDM baselines, device compliance reporting, and enforcement of security settings.
- Patch cadence, OS support, and version standards for smartphones, tablets, and MDTs.
- Application control, data leakage protections, and containerization where appropriate.
- Clear offboarding and remote wipe processes for lost, stolen, or reassigned devices.
These areas are described in detail by Imprivata and the National Association of Counties.
4) Physical security and facility controls will be tested
CJIS v6.0 reinforces physical security controls such as visitor logs, facility access restrictions, and recurring security verification activities.
In practice, agencies should expect to document and, where required, test physical protections quarterly for:
- Server rooms and network closets with CJI systems or connectivity.
- Dispatch centers and public safety answering points.
- Evidence rooms and secure workspaces handling CJI related media.
This emphasis is called out in the NACo CJIS update.
5) Supply chain risk management: vendors become part of your audit story
Municipalities rely on integrators, managed services providers, CAD and RMS vendors, cloud platforms, and body worn camera ecosystems. CJIS v6.0’s emphasis on supply chain risk management makes vendor controls a central part of agency audit readiness.
Agencies should expect auditors to ask for:
- Contract language that embeds CJIS requirements and security expectations.
- Vendor attestations and independent assurance where available.
- Tight vendor access controls, monitoring, and logging.
These expectations are reflected in resources such as Compliance Manager GRC and Imprivata’s CJIS v6.0 guidance.
How CJIS v6.0 Aligns With NIST and What That Means for Your Program
CJIS v6.0’s mapping to NIST SP 800-53 and overlap with frameworks such as NIST SP 800-171 can help agencies that already use NIST style controls and risk management. However, the research is clear: it is not enough to have a written policy. Agencies must show evidence of enforcement.
This includes updated and living System Security Plans (SSPs) and clearly documented role based responsibilities.
CJIS v6.0 also clarifies responsibilities for roles such as CSO, TAC, LASO, and CSA ISO, which often require explicit assignment and documentation in municipal governance structures. Guidance from NuHarbor Security, Compliance Manager GRC, and Vanta all reinforce the importance of role clarity.
For city leadership, this is a key governance point: CJIS compliance is not “owned by the vendor” or “owned by the PD.” It requires coordinated accountability across IT, police and fire administration, HR for background checks and identity proofing where applicable, and procurement or contracts for vendor control.
For agencies that want to unify CJIS with their broader security efforts, partnering with a provider focused on NIST aligned cybersecurity and CJIS compliance services can reduce duplicate work and streamline evidence collection.
Where CJIS Intersects With Public Records and California Local Government Realities
California cities and special districts operate at the intersection of cybersecurity, transparency, and operational continuity.
- Public records requirements demand disciplined data handling, retention, and retrieval, while CJIS requirements demand tightly controlled access and security for CJI.
- Technology decisions must support continuity of operations during incidents such as ransomware, outages, and regional emergencies.
- State and regional expectations for cyber readiness continue to rise, making NIST aligned governance and CJIS v6.0 controls increasingly relevant to funding and interagency cooperation.
CJIS v6.0’s focus on encryption, auditability, monitoring, and lifecycle security can actually strengthen public trust by reducing breach risk in sensitive public safety systems. The research notes positive impacts including stronger defenses against cyberattacks targeting CJI, preservation of operational continuity, community trust, and funding eligibility amid rising threats. These benefits are highlighted in resources from Imprivata and Apptega.
For many California agencies, aligning CJIS work with broader municipal IT modernization provides an opportunity to upgrade aging infrastructure, clarify records practices, and improve resilience at the same time.
Action Plan: What Municipal IT Teams and City Leadership Should Do Now
The most successful agencies treat v6.0 as a structured program with milestones, not a last minute scramble. Based on the research, below are concrete next steps.
1) Assess immediately: map your current state to v6.0 controls
Start with a CJIS v6.0 readiness assessment that:
- Maps existing controls to the 1,578 requirements using NIST SP 800-53 mappings.
- Updates your System Security Plan (SSP) and supporting policies.
- Verifies role definitions and ownership, explicitly assigning LASO, CSO, and related responsibilities.
Templates and mapping guidance can be informed by public resources from NuHarbor Security, Compliance Manager GRC, and Vanta.
Leadership takeaway: this is an ideal time to sponsor a cross department CJIS steering group (IT, PD or FD, administration, procurement) so decisions do not stall and ownership is clear.
2) Prioritize high impact controls that reduce risk quickly
The research consistently calls out several “must do” priorities:
- MFA implementation and expansion across CJI access points.
- Encryption at rest and in transit for CJI systems and data flows.
- Banned password lists and stronger authentication controls.
- Supply chain risk assessments for vendors and devices handling CJI.
- Physical protection testing where required, including quarterly testing of key controls.
These priorities are echoed in guidance from the National Association of Counties, Compliance Manager GRC, and Apptega.
Practical approach: if resources are limited, implement these controls first in the CJI “hot zone” (CAD or RMS, dispatch, evidence systems, CJIS network segment), then expand outward into supporting city systems.
3) Build continuous processes because audits will not reward “one time” work
CJIS v6.0 emphasizes ongoing risk management. Agencies should deploy processes and tools that support:
- Risk tracking and remediation workflows with owners and deadlines.
- Centralized evidence collection such as configuration baselines, screenshots, logs, and access reports.
- Automated reporting and dashboards where feasible, especially for monitoring and MFA coverage.
This continuous approach is reinforced in resources from the National Association of Counties, NuHarbor Security, and Imprivata.
Leadership takeaway: budgeting for continuous monitoring and governance is not overhead. It is what prevents failed audits and emergency, unplanned remediation projects.
4) Prepare for audits with mock audits and staff training starting now
With agency audits beginning in October 2025, waiting until 2025 to start preparation is risky.
Recommended steps include:
- Conduct internal or partner led mock audits in advance.
- Train staff on lifecycle security, incident response expectations, and new authentication practices.
- Document enforcement evidence, not just written intent, across systems and departments.
These steps are backed by recommendations from NuHarbor Security, Imprivata, and Apptega.
5) Put vendor management into contracts and access design
CJIS v6.0’s supply chain emphasis means procurement and IT must work closely together. Research recommends that agencies:
- Require third parties to attest CJIS compliance where applicable.
- Integrate CJIS requirements into contracts and service level agreements.
- Tighten vendor access controls, monitoring, and offboarding processes.
These practices are endorsed by sources such as Compliance Manager GRC and Imprivata.
Practical tip: maintain a vendor inventory specifically for CJI touchpoints (hosting, support access, integrations, endpoint devices) and map each to contractual obligations and technical controls.
6) Set milestones: mid 2026 checkpoints, full compliance by October 2027
A realistic timeline approach highlighted in the research looks like:
- Establish interim milestones and major remediation projects by mid 2026.
- Drive full compliance by October 1, 2027.
- Monitor the FBI and state level communications for future policy updates, including potential v6.1, through official channels.
This timing is supported by the National Association of Counties and the official CJIS Security Policy v6.0.
How Eaton & Associates (AIXTEK) Helps California Agencies Operationalize CJIS v6.0
CJIS v6.0 is achievable, but it requires coordinated execution across people, process, and technology. Eaton & Associates (AIXTEK) brings 35+ years of municipal IT experience in California, supporting city operations and public safety environments where uptime and audit readiness must coexist.
Across our work with 15+ California cities and public agencies, we commonly help clients:
- Perform CJIS v6.0 readiness assessments and remediation roadmaps that map directly to the 1,578 controls.
- Align CJIS controls with broader NIST based cybersecurity programs for efficiency and reduced overlap.
- Modernize identity and access management, including MFA rollouts, privileged access controls, and account lifecycle management.
- Implement encryption standards and key management practices for endpoints, servers, and backups.
- Strengthen network segmentation, logging, and continuous monitoring to meet CJIS expectations.
- Improve vendor management processes and contract language for CJIS obligations across hosted platforms and managed services.
- Prepare for audits with evidence collection, mock audits, and tailored documentation packages.
What 35 years of municipal IT teaches you about compliance
Compliance frameworks are written in offices. They’re implemented in server rooms at midnight, on shared workstations in dispatch centers, and on mobile data terminals during shift changes. The gap between policy and operations is where most agencies struggle — and where our experience matters most.
We’ve configured emergency network equipment from off-the-shelf hardware at midnight when vendor SLAs couldn’t keep pace with operational needs. We’ve designed MFA rollouts that account for the fact that three officers share a workstation across rotating shifts. We’ve built documentation packages that satisfy auditors while actually being useful to the IT teams who maintain them daily. These aren’t hypothetical capabilities — they’re patterns we’ve refined across hundreds of municipal engagements over three decades.
That operational depth is why we approach CJIS v6.0 differently than firms that specialize only in compliance paperwork. We understand that a technically perfect security architecture that disrupts dispatch operations isn’t compliant — it’s a liability.
Most importantly, we translate controls into operational reality. Dispatch can still dispatch, officers can access systems in the field, and city leadership can demonstrate due diligence and governance to auditors, councils, and the community.
For agencies seeking long term operational support, our managed IT services can incorporate CJIS aligned processes into daily operations, monitoring, and incident response.
Next Steps: Schedule a CJIS v6.0 Municipal IT Assessment
CJIS Compliance Updates (v6.0 and Upcoming v6.1) are reshaping how California agencies secure CJI, manage vendors, and prove continuous compliance. With audits starting in October 2025 and full implementation required by October 1, 2027, the best time to build your roadmap is now, while you can still prioritize smartly and avoid disruptive, last minute changes.
If your city, police department, fire department, or joint powers agency needs a clear CJIS v6.0 readiness plan, Eaton & Associates (AIXTEK) can help. We offer municipal IT assessments focused on CJIS v6.0 gaps, remediation sequencing, vendor risk, and audit ready evidence that reflect the realities of public safety operations and California local government governance.
Call Eaton & Associates (AIXTEK) or contact us to schedule a CJIS v6.0 assessment and compliance roadmap tailored to your environment.
CJIS-Qualified Partner vs. General MSP: What to Look For
Not every managed service provider can support a CJIS environment, and the difference is not just certifications on a website. The gaps show up in contracts, audit responses, and incident calls at 2 AM. Here is what separates a CJIS-qualified IT partner from a general MSP in plain terms.
| Capability | General MSP | CJIS-Qualified Partner |
|---|---|---|
| Background checks | Standard employment screening or none | FBI-fingerprint-based background checks for all personnel with CJI access, renewed on required schedule |
| Audit support | May provide some documentation on request | Has participated in CJIS audits, can produce evidence packages, understands what auditors actually ask for |
| Incident response | General IR runbook, may call in third parties | IR plan aligned to CJIS v6.0 reporting timelines, public safety continuity built in, tested playbooks for law enforcement environments |
| California-specific knowledge | Follows federal CJIS baseline | Understands Cal-CSIC guidance, CCPA/CPRA intersections, California Public Records Act tension with CJI controls, and local agency procurement patterns |
| Policy documentation | Generic security policies, often templated | Agency-specific System Security Plans, CJIS-mapped control documentation, living evidence binders maintained between audits |
The table above is a buyer’s checklist, not a sales pitch. Any IT partner you evaluate for a CJIS environment should be able to answer concretely on each of these points. Vague answers on background checks or audit experience are a red flag worth taking seriously.
How to Evaluate a CJIS IT Partner: Questions Every Agency Should Ask
Choosing a CJIS IT partner is a procurement decision with real consequences: a wrong choice shows up in an audit, in an incident response, or in a contract that does not hold the vendor to the standards your agency needs. Here are the questions that separate qualified partners from ones who will learn on your dime.
What certifications should a CJIS IT vendor have?
The most important requirement is not a certification on paper: it is confirmed, current FBI-fingerprint-based background checks for every employee who will have access to CJI or the systems that touch it. Beyond that, look for documented experience with CJIS Security Policy v6.0, familiarity with NIST SP 800-53 Rev. 5 control families, and verifiable experience supporting law enforcement or public safety IT environments. SOC 2 Type II attestation from the vendor is a useful indicator of operational security maturity, though it does not substitute for CJIS-specific compliance work.
How do you verify a vendor’s CJIS compliance?
Ask for documentation, not claims. Specifically: request proof of background check procedures for all staff with CJI access; ask for sample contract language they use with law enforcement clients that addresses CJIS obligations; ask whether they have completed a CJIS audit alongside a client and what the outcome was; and ask for a reference from an existing public safety or law enforcement client you can call. Vendors who struggle to produce any of these should not be handling CJI environments.
What does a CJIS audit look like with an MSP involved?
The agency is audited, not the MSP. Your IT partner’s role is to produce the evidence: network diagrams showing CJI segmentation, access logs, encryption certificates, background check records for vendor personnel, incident response documentation, and policy binders mapped to current CJIS requirements. A CJIS-experienced MSP will have assembled these evidence packages before and will know exactly what auditors expect. An inexperienced one will scramble and leave you holding the gaps.
What should a California law enforcement agency require in an IT contract?
At minimum, your contract should require: explicit acknowledgment that the vendor’s personnel will undergo FBI-fingerprint-based background checks before accessing CJI; a clause requiring compliance with the current CJIS Security Policy version; incident notification timelines aligned to CJIS v6.0 requirements; audit cooperation obligations (producing documentation, participating in assessments); data handling, encryption, and destruction standards; and a clear process for revoking access when vendor personnel change. California agencies should also include language addressing CCPA/CPRA and Public Records Act obligations as they intersect with CJI handling.
How often should CJIS compliance be reviewed?
CJIS v6.0 moves away from annual point-in-time reviews toward continuous compliance monitoring. In practical terms, that means quarterly at minimum: reviewing access logs, verifying MFA coverage, checking that background checks are current for all personnel with CJI access, and confirming that patches and encryption standards are still in place. Annual formal assessments against the full control set are still valuable, especially as the policy evolves. And any significant infrastructure change (new system, major vendor change, network redesign) should trigger an immediate compliance review, not wait for the next scheduled cycle.
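The quarterly checks described above are mechanical enough to script against an account inventory, which also produces the per-cycle evidence an auditor will ask for. The following is an added example, not code from the original post or from Eaton & Associates: the field names, the sample accounts and the thresholds are constructed, and the background-check age limit is a placeholder that an agency sets from its own policy and its CJIS Systems Agency guidance. It flags missing MFA, aged or missing background checks, accounts with no recent sign-in, and vendor personnel whose access should already have been revoked, and it reports MFA coverage across the CJI-scoped population.

```python
"""Quarterly CJI access review check.

Added example, not code from the original post or from Eaton & Associates.
Field names, thresholds and the sample inventory are constructed; the
background-check age limit is a PLACEHOLDER that an agency sets from its own
policy and its CJIS Systems Agency guidance.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PLACEHOLDER_MAX_CHECK_AGE_DAYS = 5 * 365  # placeholder, not a value from the post
STALE_LOGIN_DAYS = 90                     # no sign-in within the quarter -> review the entitlement


@dataclass
class Account:
    user: str
    cji_access: bool                    # in scope only if the account reaches CJI systems
    mfa_enrolled: bool
    background_check: Optional[date]    # date the fingerprint-based check cleared
    last_login: Optional[date]          # taken from the access logs under review
    vendor: Optional[str] = None        # None for agency staff
    vendor_active: bool = True          # False once the vendor reports the person left


# Constructed sample inventory for one review cycle
AS_OF = date(2026, 4, 1)
SAMPLE_INVENTORY = [
    Account("dispatch01", True, True, date(2023, 2, 10), date(2026, 3, 30)),
    Account("records02", True, False, date(2024, 6, 1), date(2026, 3, 29)),      # no MFA
    Account("ret_officer", True, True, date(2019, 1, 15), date(2025, 11, 2)),    # old check, no recent login
    Account("msp_tech7", True, True, date(2025, 9, 9), date(2026, 3, 31),
            vendor="Example MSP", vendor_active=False),                          # left the vendor
    Account("parks_admin", False, False, None, date(2026, 3, 31)),               # outside CJI scope
]

Finding = Tuple[str, str]


def review(accounts: List[Account], as_of: date,
           max_check_age_days: int = PLACEHOLDER_MAX_CHECK_AGE_DAYS,
           stale_login_days: int = STALE_LOGIN_DAYS) -> List[Finding]:
    """Return (user, check) pairs for every failed check on a CJI-scoped account."""
    findings: List[Finding] = []
    for a in accounts:
        if not a.cji_access:
            continue  # the review covers the CJI hot zone only
        if not a.mfa_enrolled:
            findings.append((a.user, "MFA_MISSING"))
        if a.background_check is None:
            findings.append((a.user, "BACKGROUND_CHECK_MISSING"))
        elif (as_of - a.background_check).days > max_check_age_days:
            findings.append((a.user, "BACKGROUND_CHECK_EXPIRED"))
        if a.last_login is None or (as_of - a.last_login).days > stale_login_days:
            findings.append((a.user, "NO_RECENT_LOGIN"))
        if a.vendor and not a.vendor_active:
            findings.append((a.user, "VENDOR_ACCESS_NOT_REVOKED"))
    return findings


def mfa_coverage(accounts: List[Account]) -> float:
    """Share of CJI-scoped accounts with MFA enrolled (1.0 means full coverage)."""
    scoped = [a for a in accounts if a.cji_access]
    return sum(a.mfa_enrolled for a in scoped) / len(scoped) if scoped else 1.0


def evidence_record(accounts: List[Account], as_of: date) -> dict:
    """Summary suitable for the quarterly entry in the evidence binder."""
    findings = review(accounts, as_of)
    return {
        "review_date": as_of.isoformat(),
        "cji_accounts": sum(a.cji_access for a in accounts),
        "mfa_coverage": mfa_coverage(accounts),
        "findings": findings,
        "pass": not findings,
    }


if __name__ == "__main__":
    rec = evidence_record(SAMPLE_INVENTORY, AS_OF)
    for user, check in rec["findings"]:
        print(f"{check:28} {user}")
    print(f"MFA coverage: {rec['mfa_coverage']:.0%}  pass={rec['pass']}")
```

In practice the inventory would be exported from the directory, the MFA provider and the HR or vendor roster, and the record written to the binder each quarter; the point is that a review with a recorded date, a scope count and an explicit findings list is evidence, while a verbal "we checked" is not.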
Does a CJIS-qualified MSP need to be local to California?
Not technically, but local experience matters more than proximity in this case. California agencies face layered compliance requirements that go beyond federal CJIS: Cal-CSIC cybersecurity guidance, CCPA data protection obligations, and California Public Records Act tensions with CJI access controls. An IT partner who has only worked in federal or out-of-state law enforcement environments will miss these intersections. Bay Area and California-based IT firms with direct municipal and public safety experience bring context that a remote-first national MSP typically cannot.
What is the difference between CJIS compliance and SOC 2 compliance for an IT vendor?
SOC 2 and CJIS serve different purposes. SOC 2 is a third-party audit of an IT vendor’s internal security controls, covering things like data availability, confidentiality, and processing integrity. It is a useful signal of operational maturity. CJIS compliance is a set of specific requirements governing how Criminal Justice Information is protected, and it applies to the agency as well as any vendor touching CJI systems. A vendor can hold a clean SOC 2 report without being CJIS-ready. For agencies evaluating vendors, look for both: SOC 2 for general security assurance and explicit CJIS experience for public safety environments. You can read more about how Eaton approaches this on our SOC 2 compliance page.
Municipal Ransomware Readiness Under CJIS v6.0: What California Agencies Must Do Before the Next Incident
California municipalities are not hypothetical ransomware targets. They are active ones. Foster City declared a state of emergency in March 2024 after a ransomware attack disrupted city operations. Oakland and Hayward have both navigated serious cyber incidents in recent years. The pattern is consistent: under-resourced municipal IT, aging infrastructure, and insufficient segmentation create environments where ransomware travels fast and far. CJIS v6.0 has specific requirements for incident response and data recovery that directly address this pattern, and agencies that have not aligned their ransomware readiness to those requirements are carrying more risk than they realize.
What CJIS v6.0 Requires for Incident Response
CJIS v6.0 does not treat incident response as an afterthought. The policy requires agencies to maintain documented incident response plans that are tested, not just written. That means defined detection and containment procedures, clear escalation paths, notification timelines for the appropriate state CJIS Systems Agency, and documented recovery steps that account for CJI data integrity throughout.
The policy also requires that agencies maintain continuity of operations for systems handling CJI during and after an incident. In plain terms: you cannot have a ransomware event take down your CAD system and call it an unfortunate disruption. You need tested backup systems, recovery procedures, and the ability to demonstrate that CJI was protected, not exposed, during the incident. CISA’s guidance on critical infrastructure incident response, reinforced in NIST SP 800-61, frames this the same way: contain, eradicate, recover, and document each phase with evidence.
The FBI’s IC3 2024 report documented a 9% increase in ransomware complaints against government agencies, with local governments among the most frequently targeted. The agencies that weather these incidents without catastrophic data loss or extended outages are the ones that had tested recovery plans, not just documented ones.
What Municipal Ransomware Response Looks Like in Practice
We rebuilt an entire Active Directory infrastructure across seven offices in 72 hours after a ransomware attack moved through an environment that lacked adequate segmentation. No data loss. Full operational recovery within three days. That result did not happen because of luck. It happened because the backup architecture was clean, the recovery sequence had been thought through in advance, and the team executing the rebuild knew exactly what to do in what order.
What we learned from that incident, and from every municipal engagement since, is that the difference between a 72-hour recovery and a three-week recovery is not the size of the team or the sophistication of the tools. It is preparation: tested backups that are actually isolated from the production environment, network segmentation that limits blast radius, and a documented recovery sequence that does not require anyone to make critical decisions while under pressure at 3 AM.
California municipalities often find out their backup architecture is inadequate during an incident, not before one. And in a CJIS environment, that discovery comes with a compliance dimension. If CJI systems are compromised and you cannot demonstrate that CJI data was protected throughout, you have a CJIS problem on top of an operational one.
The 30/60/90-Day Path to CJIS-Compliant Ransomware Readiness
For a municipality starting from a typical posture (partial documentation, unverified backups, some segmentation gaps), a realistic 90-day readiness path looks like this:
Days 1-30: Assess and Harden
- Complete a CJIS v6.0 gap assessment focused specifically on incident response and recovery controls.
- Audit your backup architecture: verify backups are isolated (offline or air-gapped for at least one copy), test restoration from backup in a lab environment, and confirm backup coverage for all CJI systems.
- Map your network segmentation and identify where CJI systems have unnecessary connectivity to general city networks.
- Document your current incident detection tooling: are you running endpoint detection, centralized logging, and alerting? What is the escalation path when an alert fires at 11 PM?
- Assign and document CJIS incident response roles (who calls the state CJIS Systems Agency, who manages containment, who owns recovery).
Days 31-60: Build the Playbook and Patch the Gaps
- Close the highest-priority segmentation gaps. At minimum, ensure your CJI network segment cannot be fully traversed from a compromised general city endpoint.
- Write or update your incident response plan to align with CJIS v6.0 requirements: detection, containment, notification, recovery, and post-incident documentation.
- Implement or verify MFA for remote access and privileged accounts touching CJI systems. This is one of the most common attack entry points and one of the clearest CJIS v6.0 requirements.
- Run a tabletop exercise with your IT team and public safety leadership. Walk through a ransomware scenario. The goal is to find the gaps in your plan before an attacker finds them for you.
- Verify vendor contracts include incident notification timelines and CJIS compliance obligations.
Days 61-90: Test, Document, and Certify Readiness
- Run a full backup restoration test for at least one CJI system to verify recovery time meets operational requirements.
- Complete documentation for the evidence binder: incident response plan, network diagrams showing segmentation, backup verification records, tabletop exercise summary.
- Review the completed posture against CJIS v6.0 incident response and continuity requirements.
- Brief city leadership and public safety command on the current posture, gaps that remain, and the timeline for closing them.
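Two of the steps above, the lab restoration in the first 30 days and the timed restoration test in the last 30, come down to the same exercise: restore from the backup copy, prove the restored data matches what was backed up, and record how long it took against the system's RTO. The following is an added example of that drill, not code from the original post or from Eaton & Associates. The manifest layout, the RTO value and the sample files are constructed; a real drill points the backup path at the agency's isolated backup copy rather than at files this script writes. It also shows why the hash is taken on the restored copy: the second run silently corrupts one backup file and the verification catches it.

```python
"""Backup restoration drill with integrity check and RTO measurement.

Added example, not code from the original post or from Eaton & Associates.
The manifest layout, the RTO value and the sample files are constructed; a
real drill would point backup_root at the agency's isolated backup copy,
not at files written by this script.
"""
import hashlib
import json
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Tuple

# Constructed stand-ins for a CJI system's backup contents
SAMPLE_FILES = {
    "db/rms.sqlite": b"RMS sample record\n" * 200,
    "config/cad.ini": b"[dispatch]\nnode=1\n",
    "logs/access.log": b"2026-01-04T02:11:09Z login user=dispatch01 mfa=yes\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_backup_set(root: Path, files: Dict[str, bytes]) -> Dict[str, str]:
    """Write the sample files plus a manifest of relative path -> SHA-256,
    standing in for what the backup tool recorded at backup time."""
    manifest = {}
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        manifest[rel] = sha256_file(p)
    (root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(backup_root: Path, restore_root: Path) -> Dict[str, str]:
    """Restore every manifested file, then re-hash the restored copy.
    Hashing the restored file (not the source) catches media and copy errors."""
    manifest = json.loads((backup_root / "manifest.json").read_text())
    results = {}
    for rel, expected in manifest.items():
        src, dst = backup_root / rel, restore_root / rel
        if not src.exists():
            results[rel] = "missing"
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        dst.write_bytes(src.read_bytes())
        results[rel] = "ok" if sha256_file(dst) == expected else "hash_mismatch"
    return results


def run_drill(backup_root: Path, restore_root: Path, system: str, rto_seconds: float) -> dict:
    """Time the restore, verify integrity and return a binder-ready record."""
    start = time.monotonic()
    results = restore_and_verify(backup_root, restore_root)
    elapsed = time.monotonic() - start
    failures = sorted(rel for rel, r in results.items() if r != "ok")
    return {
        "system": system,
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files_verified": len(results),
        "failures": failures,
        "restore_seconds": round(elapsed, 3),
        "rto_seconds": rto_seconds,
        "rto_met": elapsed <= rto_seconds,
        "passed": not failures and elapsed <= rto_seconds,
    }


def demo(rto_seconds: float = 5.0) -> Tuple[dict, dict]:
    """Clean drill, then the same backup with one silently corrupted file."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        backup = base / "backup"
        backup.mkdir()
        build_backup_set(backup, SAMPLE_FILES)
        clean = run_drill(backup, base / "restore1", "RMS (constructed)", rto_seconds)
        # Simulate bit rot or tampering on the backup copy: the hash check must flag it
        (backup / "db/rms.sqlite").write_bytes(b"not the database")
        corrupted = run_drill(backup, base / "restore2", "RMS (constructed)", rto_seconds)
    return clean, corrupted


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record, indent=2))
```

The record from each run (system, timestamp, files verified, failures, measured restore time against RTO) is the "backup verification record" the evidence binder calls for; a drill that restores files but never compares them to a manifest taken at backup time proves only that something came back, not that it is the data that was protected.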
What to Require From Your IT Partner Before an Incident Happens
If your IT partner cannot answer the following questions clearly, you need a different conversation before the next ransomware event:
- What is the documented recovery time objective (RTO) for your CAD and RMS systems, and when was it last tested against an actual restoration?
- Where are your backups stored, and can you demonstrate that at least one copy is isolated from the production network?
- What is the notification timeline if a ransomware event is detected at midnight? Who calls whom, and in what order?
- Have you participated in a CJIS incident response scenario with a law enforcement client? What did you learn?
- What is your role in producing CJIS incident documentation for the state CJIS Systems Agency after an event?
A qualified IT partner for a California municipal agency should be able to answer all of these from experience, not from theory. The Foster City incident and the broader pattern of California municipal ransomware events make this a practical question, not an academic one.
FAQ: CJIS v6.0, v6.1, and California Local Governments
What is the biggest difference between CJIS v5.x and CJIS v6.0 for local agencies?
The biggest difference is the move from a relatively high-level, checklist-oriented policy to a detailed, NIST-mapped control framework with 1,578 specific requirements. This increases the level of detail required in policies, technical configurations, and evidence. It also introduces a stronger expectation for continuous risk management and monitoring rather than periodic compliance checkups.
When do California cities and counties actually need to be compliant with CJIS v6.0?
Public sources indicate that agency audits begin in October 2025, and full implementation is required by October 1, 2027. Agencies should aim to complete major control implementations by mid-2026 so there is time to refine processes, gather evidence, and address gaps before audits and the final deadline.
Does using a CJIS-compliant cloud or application vendor make my agency automatically compliant?
No. While using a CJIS-aware or CJIS-compliant vendor can help, agencies remain ultimately responsible for CJIS compliance. You must still prove governance, oversight, contract language, access control, and monitoring. Vendors are part of your supply chain story, but they do not replace your own policies, technical controls, and documentation.
What should be the first three projects we start if we are behind on CJIS v6.0?
While every environment is different, many California municipalities benefit from focusing first on:
- A CJIS v6.0 readiness assessment and updated SSP to understand current gaps.
- MFA and authentication hardening for CAD or RMS, dispatch, and remote or privileged access.
- Encryption rollout for key CJI systems, including endpoints and databases, plus initial supply chain or vendor reviews.
These projects address some of the highest risk areas and create a foundation for the remaining controls.
How can smaller cities with limited IT staff realistically meet CJIS v6.0 requirements?
Smaller agencies often combine targeted internal efforts with specialized external support. This can include partnering with a provider of managed IT, cybersecurity, and CJIS advisory services to handle assessments, roadmap development, monitoring, and documentation. Prioritizing the CJI “hot zone” and using shared platforms or regional collaborations can also reduce the burden on individual agencies.
What unique CJIS v6.0 challenges do Bay Area and California municipal agencies face compared to other regions?
California municipalities face several compounding factors. Higher cost of living makes recruiting and retaining skilled IT security staff exceptionally difficult, leaving many agencies understaffed for compliance work. State-level regulations including CCPA/CPRA and Cal-CSIC cybersecurity guidance layer additional requirements on top of federal CJIS policy. Public records obligations under the California Public Records Act create tension between transparency requirements and CJI security controls. And Bay Area agencies in particular often operate complex multi-department shared infrastructure that makes CJI segmentation more challenging than in agencies with dedicated public safety networks. Working with a provider experienced in California municipal IT environments can help navigate these overlapping requirements efficiently.