The Great CJIS Divide: How IT and Public Safety Can Build a Real Partnership
CyberEye Solutions is proud to present The Great CJIS Divide: How IT and Public Safety Can Build a Real Partnership — a webinar produced in partnership with APCO International on April 8, 2026. Whether you sit on the Public Safety side, the IT side, or somewhere in between, this session is built for you. Attendees earn 1 CDE credit through APCO’s Continuing Dispatch Education program.
Same mission. Different rooms.
In most agencies, Public Safety and IT are operating in parallel — not in partnership. Public Safety owns the mission and the data access. IT owns the infrastructure and implements the security controls. CJIS compliance lives somewhere in between, and that gap is exactly where audit findings are born.
Public Safety is asking: “State audit in three months — do we even pass?” IT is asking: “We moved to a cloud-based RMS — are we more or less compliant?” Neither team has the full picture, and in most agencies, they’re barely in the same room when it matters most.
That’s the divide. And with CJIS Security Policy version 6.0 now in effect — expanding coverage from 13 to 20 policy areas and mandating continuous compliance aligned to NIST SP 800-53 — agencies can no longer afford to manage it informally. Full compliance is expected by October 2027. The clock is running.
What CJIS 6.0 actually changed
Version 6.0 wasn’t a revision. It was a fundamental shift in how compliance is defined and demonstrated.
Before 6.0, the model was point-in-time: annual self-reported reviews, check-the-box assessments, and a compliance posture that only had to look good on audit day. After 6.0, that model is gone. Agencies are now expected to demonstrate continuous compliance, prove controls are functioning — not just documented — and maintain ongoing risk assessment and monitoring across the environment.
And while agencies are still absorbing 6.0, version 6.1 is already on the horizon. The policy isn’t slowing down, and neither is the threat landscape it’s designed to address.
Where the divide hurts most
The organizational gap between Public Safety and IT shows up in predictable places — and auditors know exactly where to look.
Vendor decisions are signed by Public Safety and secured by IT, often without the two sides having a complete conversation before the contract is executed. Audit blame lands on IT, which has to produce the evidence, while Public Safety owns the outcome, and neither team owns the process end-to-end. Cross-department gaps persist because Public Safety assumes IT handles compliance, and IT assumes Public Safety owns it. And policy-versus-practice mismatches, where documentation says one thing and the actual environment says another, are among the most common findings in CJIS audits.
There’s also a staffing reality that rarely gets named directly: if your CJIS compliance function is being carried by the same person managing your enterprise-wide IT environment, that’s not a staffing plan. That’s a gap — and it’s one your agency has likely been living with for longer than it should.
AI is already in your environment — is your compliance framework keeping up?
Drones. Body cameras. License plate readers. AI-assisted dispatch tools. These technologies are now commonplace in public safety operations, and most of them touch Criminal Justice Information in ways that haven’t been formally scoped, documented, or assessed against CJIS requirements.
The questions agencies need to be asking right now: Who is vetting AI tools for CJIS compliance before procurement? Where does the data go — and is that path documented? How is AI access to CJI being captured in your audit logs and access control policies? These aren’t hypothetical questions. They’re audit questions, and they’re coming.
What actually works: bridging the divide
Our webinar isn’t just a diagnostic. It’s going to walk through what agencies that have gotten this right are actually doing differently:
- Establishing a Joint CJIS Steering Committee that puts Public Safety and IT at the same table with shared accountability
- Building a Shared Responsibility Matrix that documents who owns what across the 20 policy areas
- Implementing Unified Vendor Vetting that evaluates both security requirements and operational needs before a contract is signed
- Aligning both departments to a Single Compliance Roadmap with agreed milestones and evidence requirements
These aren’t abstract best practices. They’re operational structures that work — and they’re the foundation of the 90-day readiness roadmap we’ll walk through in the session.
CJIS 6.0 quick-look: where do you stand?
Before the webinar, run through this checklist honestly. These are areas auditors are focusing on under the new policy framework.
- Policies and procedures cover all 20 policy areas (expanded from 13 under 6.0)
- MFA is enforced for all CJI access — no exceptions
- Continuous monitoring is in place, not just annual reviews
- Supply chain risk management plan is documented for all suppliers
- Personnel security: background checks are current, access is revoked on exit
- Incident response plan is documented and has been tested
- Audit logging is centralized with 365-day retention
If you can’t honestly check all seven, you’re not alone — and you’re not out of time. But the October 2027 deadline is closer than it looks when you factor in the work required to get there.
About the presenters
Kim Maurer, Founder and CEO of CyberEye Solutions, brings 20+ years of federal, state, and commercial cybersecurity consulting experience, including CJIS compliance work for agencies and vendors nationwide. Her background spans the State of Maryland, Prince William County, and Booz Allen Hamilton.
Kevin Winters, Senior Cybersecurity Analyst, has 25 years of military, federal, and commercial cybersecurity experience with deep expertise in CJIS compliance and Risk Management Framework strategy. A U.S. Marine Corps veteran, Kevin has worked at the U.S. Senate and Booz Allen Hamilton.
Jessica Rasmussen, Senior Cybersecurity Analyst, brings 13 years of federal cybersecurity consulting focused on security program implementation and compliance. A U.S. Navy veteran, Jessica has worked at the U.S. Senate and Oak Ridge National Laboratory.
Together, this team has worked CJIS compliance from every angle — agency, vendor, federal, and state. They speak both languages, and this session is designed to help IT and Public Safety professionals speak the same one.
Register for the webinar
The Great CJIS Divide: How IT and Public Safety Can Build a Real Partnership
April 8, 2026 | 1:00–2:00 PM ET | Web Seminar | 1 CDE Credit
Presented in partnership with APCO International
Register at APCO International.
Questions about CyberEye’s CJIS services? Visit cybereyesolutions.com or contact Kim Maurer at kim.maurer@cybereyesolutions.com.
APCO International webinar listing: apcointl.org
CJIS Security Policy v6.0: FBI CJIS Division
Compliance deadline: October 2027 per FBI CJIS transition guidance