How State and County Law Enforcement Use AccessPatrol to Meet CJIS and NIST 800-53 Requirements
The Data-Security Gap That No One Wants to Talk About
I spent nearly a decade in the U.S. Federal Government, including roles at the White House, the U.S. Department of Commerce, and the U.S. Senate. I later advised public sector clients on technology and strategic growth problems at Accenture. The same pattern showed up everywhere I went. Agencies invest in sophisticated network defenses. They architect robust identity programs and establish security operations centers, yet they often quietly overlook a glaring vulnerability: the unmonitored USB port on a standard workstation. It is the riskiest fragment of the environment, left entirely to chance.
For state police and county sheriffs, that gap matters more than almost anywhere else. The data moving across those endpoints is Criminal Justice Information (CJI): fingerprint records, NCIC queries, criminal histories, and investigative files. The rules governing that data just got a lot tougher.
What Changed with CJIS v6.0
The FBI released CJIS Security Policy v6.0 on December 27, 2024. It is the biggest update in over a decade. Industry analyses estimate the new version contains more than 180 primary controls and 1,300 subcontrols, all aligned to NIST 800-53 Rev. 5. Priority 1 controls are high priority and likely to draw closer audit attention. Full compliance is due October 1, 2027.
That sounds far away. It is not. The pressure points are clear: stronger Multi-Factor Authentication (MFA) for any environment touching CJI, removable media controls with real logging and encryption, endpoint configuration management, continuous monitoring with logs somebody actually reviews, and supply chain risk assessments for every technology acquisition.
The common thread is governance. CJIS v6.0 expects agencies to show that controls work over time, not just that they exist on paper.
What NIST 800-53 Expects at the Endpoint
Four NIST control families do most of the work on endpoint and removable media compliance:
- Media Protection (MP) covers the full lifecycle of any media holding or moving CJI. MP-7 specifically restricts how portable storage devices can be used.
- System and Communications Protection (SC) governs how data moves and how it stays segmented, including boundaries and data at rest.
- Access Control (AC) is the role-based and least-privilege layer. It includes which roles can read from or write to external devices.
- Audit and Accountability (AU) requires every relevant endpoint event to be logged, protected from tampering, and kept long enough to be useful.
CurrentWare designed AccessPatrol to solve these types of architectural and governance challenges: it can block unauthorized peripherals, control who can read or write to external storage, log every transfer, and give assessors the artifacts they need.
Where AccessPatrol Fits
Three capabilities tend to close the gaps assessors flag most often.
1. Device-level Enforcement
AccessPatrol uses allow and block lists across various storage and peripheral interfaces. Agencies can approve specific encrypted devices by serial number or unique Plug and Play IDs and block everything else by default. That is the posture both CJIS v6.0 and NIST MP-7 point toward.
2. File Transfer Logs Tied to Identity
Logs capture the user, the device, the file, the action, and the timestamp. They map directly to NIST AU-2 and AU-3, and they give you the evidence base for continuous monitoring under CA-7. Policy enforcement runs through Active Directory at the user and group level, which handles AC-3 and AC-6 at the endpoint.
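The allow-list posture and the identity-tied log fields described above can be spot-checked before an assessment. The following is an added example, not CurrentWare's code or AccessPatrol's export format: it reviews a transfer log for incomplete records, unparseable timestamps, and devices outside the approved serial list. The CSV column names, serial numbers, and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Column names are hypothetical, not a vendor schema.
SAMPLE_LOG = """timestamp,user,device_serial,file,action
2025-03-04T09:12:44Z,jdoe,SN-APPROVED-0001,case_1042_report.pdf,write
2025-03-04T09:15:02Z,asmith,SN-UNKNOWN-7777,ncic_export.csv,write
2025-03-04T09:20:31Z,,SN-APPROVED-0002,booking_photo.jpg,read
03/04/2025 09:25,jdoe,SN-APPROVED-0001,notes.docx,write
"""

# Constructed allow list: the approved encrypted devices, keyed by serial number.
APPROVED_SERIALS = {"SN-APPROVED-0001", "SN-APPROVED-0002"}

# The five elements the logs are said to capture: user, device, file, action, timestamp.
REQUIRED_FIELDS = ("timestamp", "user", "device_serial", "file", "action")


def review_transfers(log_text, approved):
    """Return (csv_line, finding, detail) tuples for records an assessor would question."""
    findings = []
    reader = csv.DictReader(io.StringIO(log_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        # A record missing any element cannot tie a transfer to an identity.
        missing = [f for f in REQUIRED_FIELDS if not (row.get(f) or "").strip()]
        if missing:
            findings.append((line_no, "incomplete_record", ",".join(missing)))

        # Timestamps must parse consistently (UTC, ISO 8601) to support a timeline.
        ts = (row.get("timestamp") or "").strip()
        if ts:
            try:
                datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            except ValueError:
                findings.append((line_no, "bad_timestamp", ts))

        # Default-deny: any serial not explicitly approved is a finding.
        serial = (row.get("device_serial") or "").strip()
        if serial and serial not in approved:
            findings.append((line_no, "unapproved_device", serial))
    return findings


if __name__ == "__main__":
    for finding in review_transfers(SAMPLE_LOG, APPROVED_SERIALS):
        print(finding)
```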
3. Deployment That Fits the Environment
Architecture matters in law enforcement IT. Many state and county agencies run network enclaves that limit how endpoint telemetry can leave the environment, whether because of CJIS network segmentation, CSA guidance, or networks that were never built for cloud-first tools.
AccessPatrol supports a fully on-premise deployment, with the management console and database inside the agency’s environment. Cloud-based deployment is also possible for agencies whose architecture and policy allow it. Either way, the controls and the evidence trail look the same to an assessor.
Where to Start
Removable media is one of the rare CJIS gaps you can close quickly. A single deployment generates evidence across multiple control families at once. For a state police IT director or a county CIO deciding where to spend compliance budget, that is a strong place to begin.
CurrentWare specializes in helping state and local government agencies meet their security and compliance obligations, and we work with other agencies across the country on CJIS and NIST 800-53 readiness. That experience translates into faster deployments, cleaner audit evidence, and fewer surprises in the assessment cycle. If you are scoping an endpoint control project or preparing for an upcoming audit, I would welcome the conversation.
Frequently Asked Questions:
Full CJIS Security Policy v6.0 readiness is expected by October 1, 2027. However, while prior rules and controls under Priority 1 have been subject to sanctions for non-compliance, the greater modernization process allows for a "zero cycle" implementation of Priority 2, 3, and 4.
These include Access Control, Audit and Accountability, Configuration Management, Media Protection, Identification and Authentication, System and Communications Protection, and System and Information Integrity. In relation to the topic of USB/Peripheral Control, the importance of MP-7 cannot be overstated; yet AC-3, AC-6, AU-2, AU-3, CM-7, and SI-4 cannot be ignored either.
The upgrade from CJIS v5.0 to CJIS v6.0 is not just a routine policy upgrade but is actually a move towards formalization and control-driven security for CJIS in line with NIST 800-53 Rev. 5. However, the biggest change in the new version pertains to evidence, where evidence must be provided regarding the effectiveness of controls on seven domains.
Controls for Priority 1 must be implemented as a top priority by organizations. Priority 1 covers important areas such as account management, access control, least privilege, remote access control, configuration management, system inventories, vulnerability assessment, perimeter protection, malware detection, and monitoring. These are the most relevant controls due to their relevance to imminent threats against CJI.
CJIS v6.0 includes over 180 main control items and over 1,300 sub-controls or specific requirements, based on how an agency or auditor measures control mappings. The lesson for IT executives is clear: a scope this broad needs to be addressed by means other than piecemeal spreadsheet data and outdated policies.
The CJIS version 6.0 framework uses the same terminology and structure as NIST Special Publication 800-53 Revision 5. In turn, this means that agencies will be able to find well-known control families such as AC, AU, CM, IA, MP, RA, SC, and SI. However, for the law enforcement information technology team, this means that CJIS becomes unsuitable for an audit.
MP-7 focuses on media use. In practical terms, agencies must restrict how digital and non-digital media are used on systems that store, process, or transmit CJI. For portable storage, that means controlling flash drives, external hard drives, writable media, and personally owned devices, especially when there is no clear owner or approved business need.
AU-2 is about logging the right events. AU-3 is about making those records useful. At the endpoint, agencies should be able to show who accessed what, when it happened, where it happened, whether the action succeeded or failed, what device or file was involved, and which user or system was tied to the event.
Because USB risk often looks small until someone asks for proof. Agencies may have a policy saying removable media is restricted, but no clean record of which devices were allowed, who used them, what files moved, and whether personally owned drives were blocked. That gap becomes painful during an audit or incident investigation.
AccessPatrol helps organizations control USB devices, external drives, peripherals, Bluetooth, Wi-Fi connections, printers, and other endpoint devices connected through different methods. The product facilitates CJIS compliance by helping IT professionals implement policies for the proper use of devices, prevent unauthorized transfer of data, apply least-privilege access policy, and log endpoint actions.
AC-3 is about enforcing approved access. AC-6 is about least privilege. Applied to USB and peripheral use, that means users should not be able to connect, read from, write to, or transfer files through devices unless their role genuinely requires it. “Everyone gets USB access by default” is exactly the kind of gap auditors question.
Start with the endpoints. Enumerate all workstations, laptops, shared terminals, and media pathways through which any of the identified entities could interface with CJIS. Next, map what controls you have for each of those entities to CJIS version 6.0 areas: access, auditing/logging, least privilege, devices, file transfer, and forensics/evidence preservation.
Yes, AccessPatrol can also be used as an on-site tool by organizations that require more control over their environment in terms of infrastructure and internal networks. This is more applicable to law enforcement organizations that do not have wide access to the cloud and need to control devices themselves.
AccessPatrol gives information security teams detailed documentation on device use, policy implementation, prohibited activities, authorized devices, users’ actions, and file transfers made using removable media. This can be used to document controls within several control categories, such as Media Protection, Access Control, Audit & Accountability, Configuration Management, and System & Information Integrity.