
Compared with just a few years ago, CJIS audits now arrive at a different pace, with sharper scrutiny and higher expectations for documented, repeatable controls.
Agencies preparing for their next review quickly find that common FBI CJIS audit findings now center on identity, logging, mobile controls, and documented proof of enforcement across every system that touches criminal justice information.
In the era of modernized security, passing a CJIS audit depends on demonstrating consistent control outcomes across users, devices, vendors, and data flows.
In This Article: We break down the most common CJIS audit findings under CJIS Security Policy v6.0, including MFA gaps, mobile device vulnerabilities, logging deficiencies, vendor agreement issues, and identity management weaknesses, along with practical steps law enforcement IT leaders can take to strengthen compliance before their next audit.
Maneuvering the Modern CJIS Audit Environment
The transition to CJIS Security Policy v6.0 reshaped how compliance is evaluated at the state level. Earlier audits often focused on whether a control existed, but modern audits ask for evidence that controls operate consistently and align with defined technical standards.
CJIS Security Policy v6.0 reflects a structure closely aligned with NIST control families, such as Access Control, Identification and Authentication, Audit and Accountability, and Media Protection. That alignment matters.
Auditors now assess agencies based on specific security measures for CJIS 6.1 and related policy updates, using a system that requires clear documentation, written rules, and consistent outcomes.
State CJIS audit teams increasingly use structured tools that resemble a CJIS Security Policy v6.0 audit checklist. Agencies that rely on informal explanations or tribal knowledge often struggle when auditors request proof tied directly to control language.
High-Risk Technical Findings in CJIS Compliance
Technical findings tend to arise where security controls are partially deployed or inconsistently enforced across systems that process CJI.
Failures in Multi-Factor Authentication (MFA) Deployment
When reviewing a CJIS audit failure list for 2026, MFA-related gaps almost always appear near the top. Many agencies can demonstrate MFA for VPN or remote desktop access; problems surface when auditors trace identity from the initial login all the way to the CJI query.
Common gaps include:
- MFA enforced at the perimeter but not at internal workstations
- Legacy applications that bypass the identity provider
- Administrative jump boxes without consistent MFA
- Temporary exception accounts lacking documented approval
- Shared operational accounts without second-factor enforcement
The MFA requirements for CJIS compliance under v6.0 go beyond simply enabling a second factor by incorporating Authenticator Assurance Level concepts, including AAL2 criteria.
That means replay resistance for at least one authenticator and approved cryptography for cryptographic authenticators.
Agencies that rely on weaker SMS-based solutions or inconsistent factor types often receive findings when auditors evaluate alignment with modernized crypto-standards.
In practical terms, auditors want to see that every path to CJI, local or remote, meets the same authentication standard and that exceptions are documented with defined expiration dates and compensating controls.
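One way to test that expectation before audit week is to run the agency's inventory of CJI access paths through a check like the one below. This is an added example, not code from the article or from CPI OpenFox; the inventory layout, path names, and field names are hypothetical and the records are constructed.

```python
from datetime import date

# Constructed inventory of access paths to CJI (hypothetical names and fields).
PATHS = [
    {"path": "vpn", "mfa": True, "factor": "totp", "exception": None},
    {"path": "internal-workstation", "mfa": False, "factor": None, "exception": None},
    {"path": "legacy-rms-app", "mfa": False, "factor": None,
     "exception": {"approved_by": "CSO", "expires": date(2026, 3, 31),
                   "compensating_control": "network isolation"}},
    {"path": "admin-jump-box", "mfa": False, "factor": None,
     "exception": {"approved_by": None, "expires": None,
                   "compensating_control": None}},
    {"path": "remote-desktop", "mfa": True, "factor": "sms", "exception": None},
]

def mfa_findings(paths, today):
    """Return (path, finding) pairs for paths an auditor would question."""
    findings = []
    for p in paths:
        if p["mfa"]:
            # The article notes SMS-based factors often draw findings under AAL2 review.
            if p["factor"] == "sms":
                findings.append((p["path"], "sms factor: review against AAL2"))
            continue
        exc = p["exception"]
        if exc is None:
            findings.append((p["path"], "no MFA and no documented exception"))
            continue
        # An exception only counts if it is approved, time-boxed, and compensated.
        if not exc["approved_by"]:
            findings.append((p["path"], "exception lacks documented approval"))
        if exc["expires"] is None:
            findings.append((p["path"], "exception has no expiration date"))
        elif exc["expires"] < today:
            findings.append((p["path"], "exception expired"))
        if not exc["compensating_control"]:
            findings.append((p["path"], "exception lacks compensating control"))
    return findings

if __name__ == "__main__":
    for path, finding in mfa_findings(PATHS, date(2026, 1, 15)):
        print(f"{path}: {finding}")
```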
Vulnerabilities in Mobile Device Management (MDM)
Mobile environments remain a predictable area for findings, particularly for agencies operating MDTs, handheld devices, and hybrid workstations. CJIS-compliant mobile device management requires enforceable technical controls across every device capable of storing or accessing CJI.
Frequent deficiencies include:
- Lack of centralized MDM enforcement
- Inconsistent patching across field devices
- No documented validation of local device authentication
- Unverified encryption at rest on all storage partitions
CJIS v6.0 requires encryption of CJI at rest on systems and media outside physically secure locations. Auditors will ask agencies to demonstrate that encryption is enabled and technically enforced on representative devices.
Remote-wipe capability is another measurable requirement. Devices must support rapid response if lost or compromised; cryptographic keys used for device authentication must be protected against extraction and capable of remote deletion.
During audits, reviewers often request live demonstrations or policy documentation showing that remote-wipe commands function as designed.
Administrative and Procedural Audit Deficiencies

Administrative gaps often surface when documentation fails to match actual system access and operational practices. Modern CJIS audits examine agreements, training records, and personnel vetting with the same scrutiny applied to technical controls.
Incomplete Information Exchange Agreements (IEA)
Information Exchange Agreements are often overlooked until audit week. Agencies may have contracts in place; issues arise when agreements are outdated, unsigned, or incomplete.
Common findings involve:
- Missing agreements with subcontractors or managed service providers
- Absent CJIS Security Addendum documentation
- Undefined data-sharing boundaries: what CJI is accessed, transmitted, or stored
- No documentation of monitoring responsibilities for service providers
CJIS v6.0 requires formal agreements before exchanging CJI, with clear documentation of roles, responsibilities, and security controls. Auditors increasingly review vendor oversight processes and ask agencies to demonstrate ongoing monitoring of service provider compliance.
Lapses in Security Awareness Training and Personnel Screening
Rather than treating training and screening as annual paperwork, agencies should manage them through a framework that plans, tracks, and enforces both. Expired certifications and inconsistent background-check documentation are frequently found during law enforcement IT audit preparation reviews.
Auditors look for:
- Proof of initial and annual role-based training
- Training tied directly to personnel with unescorted access to unencrypted CJI
- Documented fingerprint-based background checks where required
- Rescreening procedures aligned with risk designations
During an audit, agencies often find discrepancies between HR files and active system accounts. Automated tracking of personnel vetting and role-based security training can prevent mismatches between documented eligibility and access privileges.
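The reconciliation described above can be sketched as follows. This is an added example, not code from the article or from CPI OpenFox; the record layout and account names are hypothetical, the data is constructed, and it assumes "annual" means 365 days and that every listed account requires a fingerprint-based check.

```python
from datetime import date, timedelta

TRAINING_INTERVAL = timedelta(days=365)  # assumption: "annual" read as 365 days

# Constructed records; field names are hypothetical.
ACTIVE_ACCOUNTS = ["jdoe", "asmith", "bjones", "contractor7"]
PERSONNEL = {
    "jdoe":   {"employed": True,  "last_training": date(2025, 9, 1),
               "fingerprint_check": date(2019, 4, 2)},
    "asmith": {"employed": True,  "last_training": date(2024, 6, 10),
               "fingerprint_check": date(2021, 1, 15)},
    "bjones": {"employed": False, "last_training": date(2025, 8, 20),
               "fingerprint_check": date(2018, 11, 5)},
    "mlee":   {"employed": True,  "last_training": None,
               "fingerprint_check": None},
}

def reconcile(accounts, personnel, today):
    """Map each problem account to the reasons its access is not supported."""
    report = {}
    for user in accounts:
        rec = personnel.get(user)
        reasons = []
        if rec is None:
            # Active account with nothing in the HR file to justify it.
            reasons.append("no personnel record")
        else:
            if not rec["employed"]:
                reasons.append("separated but account still active")
            if rec["last_training"] is None:
                reasons.append("no training on file")
            elif today - rec["last_training"] > TRAINING_INTERVAL:
                reasons.append("training expired")
            # Assumption: a fingerprint-based check is required for this role.
            if rec["fingerprint_check"] is None:
                reasons.append("no fingerprint-based check on file")
        if reasons:
            report[user] = reasons
    return report

if __name__ == "__main__":
    for user, reasons in reconcile(ACTIVE_ACCOUNTS, PERSONNEL, date(2026, 1, 15)).items():
        print(user, "->", "; ".join(reasons))
```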
Data Integrity and Audit Logging Requirements
Auditors want clear proof that every CJI transaction can be tracked to an individual user, preserved in tamper-resistant logs, and retained according to policy requirements.
Insufficient Traceability in Transaction Logs
Modern CJIS audits emphasize traceability. Event logging must capture successful and unsuccessful logons, privilege use, password changes, and attempts to access or modify audit logs.
Shared accounts create accountability gaps, as dispatch consoles, MDT shift accounts, or generic application credentials obscure individual activity. CJIS identification and authentication controls require the identification of users and the association of activities with those identities.
Centralized logging expectations have also changed over time, and now agencies must correlate audit records across systems to achieve organization-wide visibility. Logs should be protected against unauthorized modification and retained for at least one year, or longer if operational or legal needs require.
A simplified comparison illustrates common gaps:
| Area | Common Finding | Modernized Expectation |
| --- | --- | --- |
| User Accounts | Shared dispatch logins | Distinctive user identification tied to activity |
| Log Storage | Decentralized logs | Centralized, tamper-resistant logging |
| Retention | Short SIEM retention | Minimum one-year retention with documented policy |
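The three rows above can be checked mechanically against a centralized log export. The sketch below is an added example, not code from the article or from CPI OpenFox; the event labels, source names, and shared-account list are hypothetical, the records are constructed, and the retention check assumes the system has been in service for more than a year.

```python
from datetime import datetime, timedelta

# Event categories the article lists as required; the labels are hypothetical.
REQUIRED = {"logon_success", "logon_failure", "privilege_use",
            "password_change", "audit_log_access"}
RETENTION = timedelta(days=365)  # "at least one year" per the article

# Constructed, already-centralized records: (timestamp, source, user, event).
EVENTS = [
    ("2025-01-10T08:00:00", "cad", "jdoe", "logon_success"),
    ("2025-06-02T14:12:09", "mdt-14", "shift2", "logon_success"),
    ("2025-11-20T03:44:51", "switch", "asmith", "logon_failure"),
    ("2026-01-05T09:30:00", "switch", "asmith", "privilege_use"),
    ("2026-01-12T17:05:33", "cad", "", "password_change"),
]
SHARED = {"shift2", "dispatch"}  # known generic accounts (constructed)

def log_findings(events, shared, now):
    """Return audit findings for coverage, traceability, and retention."""
    if not events:
        return ["no audit records available"]
    findings = []
    # Coverage: every required event category must appear somewhere.
    seen = {e[3] for e in events}
    for missing in sorted(REQUIRED - seen):
        findings.append(f"no '{missing}' events captured")
    # Traceability: each record must resolve to one individual.
    for ts, source, user, event in events:
        if not user:
            findings.append(f"{source} {ts}: event has no user identity")
        elif user in shared:
            findings.append(f"{source} {ts}: shared account '{user}'")
    # Retention: the oldest surviving record should be at least a year old.
    oldest = min(datetime.fromisoformat(e[0]) for e in events)
    if now - oldest < RETENTION:
        findings.append("oldest retained record is under one year old")
    return findings

if __name__ == "__main__":
    print("\n".join(log_findings(EVENTS, SHARED, datetime(2026, 1, 15))))
```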
Improper Disposal of Physical and Electronic Media
Media sanitization findings often stem from weak documentation. Agencies may have disposal policies; auditors request evidence of execution.
Under CJIS v6.0, organizations must sanitize or physically destroy both electronic and physical media before it leaves control for disposal, so sensitive information cannot be recovered.
Approved methods include overwriting digital media multiple times, degaussing, or physical destruction such as crosscut shredding. Copiers with internal drives, retired MDTs, and external storage devices frequently appear in audit reports when disposal logs are incomplete or missing.
Tracking which assets held CJI and retaining proof of their destruction reduces repeat findings in this area.
Strengthening Your CJIS Audit Posture

Common FBI CJIS audit findings often share a theme: fragmented identity, decentralized logging, and unclear data pathways.
Centralized message switching reduces unknown CJI access points and standardizes transaction logging across agencies. At CPI OpenFox, we work with agencies that want a practical, evidence-driven approach to compliance.
If your goal is to enter your next audit cycle with fewer surprises and clearer documentation, our specialists are ready to help. Reach out to our sales team today to learn more about how our state-of-the-art CJIS solutions can benefit your agency or firm.
