For Oklahoma police departments, sheriff's offices and any agency that touches criminal justice information, the CJIS audit is a fact of life. In Oklahoma, the Oklahoma State Bureau of Investigation (OSBI) serves as the CJIS Systems Agency, which means OSBI is who audits your compliance with the FBI's CJIS Security Policy. Agencies that treat the audit as a once-every-three-years scramble tend to struggle; agencies that build the controls into daily operations tend to pass routinely. This guide explains how the OSBI audit works, what gets checked, the findings that trip agencies up most, and a realistic plan to get ready.
How the OSBI CJIS audit works in Oklahoma
OSBI is Oklahoma's CJIS Systems Agency (CSA), responsible for enforcing the FBI CJIS Security Policy across agencies in the state. On a recurring cycle, typically every three years, OSBI audits agencies that access criminal justice information (CJI) to confirm the required safeguards are in place. The FBI, in turn, audits OSBI, so the standard rolls downhill to every department.
The audit reviews both your technology and your paperwork: how CJI is accessed, stored and transmitted, who has access, how staff are vetted and trained, and whether you can produce the policies and records that prove it. Auditors don't just want to see that a control exists; they want evidence it has been operating consistently.
What auditors actually check
The CJIS Security Policy is organized into policy areas covering the full lifecycle of criminal justice information. An OSBI audit samples across them, with particular attention to access, encryption, personnel vetting and audit logging, because those are where exposure tends to be highest.
- Access control: unique user IDs, least-privilege permissions, no shared logins
- Advanced authentication: multi-factor authentication for access to CJI, now required
- Encryption of CJI in transit and at rest using validated, standards-based cryptography
- Personnel security: fingerprint-based background checks for anyone with CJI access
- Security awareness training, completed on hire and on a recurring basis
- Audit logging and the ability to review who accessed what, and when
- Physical security of areas and devices where CJI is handled
The most common findings (and why agencies fail)
Most flagged audits don't come from exotic gaps. They come from a short list of recurring, fixable issues, usually because no one owned them between audits.
- Shared or generic logins that make it impossible to attribute access
- Missing or unenforced multi-factor authentication on systems that touch CJI
- CJI emailed or transferred without proper encryption
- Lapsed or undocumented security awareness training
- Background checks that weren't completed, renewed or recorded
- No signed CJIS Security Addendum with IT vendors and contractors
- Audit logs that aren't enabled, retained or actually reviewed
Your LASO and the documentation that makes or breaks an audit
Every agency must designate a Local Agency Security Officer (LASO), the person responsible for CJIS security at your agency. Auditors will want to know who that is and that they're actually functioning in the role, not just named on paper.
Documentation is half the battle. If a control isn't written down and evidenced, auditors treat it as not done. That means current security policies, training records, background-check records, a vendor list with signed CJIS Security Addenda, network diagrams, and an incident-response plan. Agencies that keep these current sail through the paperwork portion; those that don't spend the audit reconstructing history under pressure.
A practical 90-day audit-prep plan
You don't need to boil the ocean before an audit. Work the highest-risk gaps first, in order, and document as you go.
Days 1 to 30, assess and lock down access: confirm unique logins everywhere, enforce multi-factor authentication on every system that touches CJI, and eliminate shared accounts. Days 31 to 60, close the data and people gaps: verify encryption in transit and at rest, confirm background checks and training are current and recorded, and get signed CJIS Security Addenda from every vendor. Days 61 to 90, prove it: enable and review audit logging, refresh your written policies and incident-response plan, confirm your LASO is active, and assemble the evidence the auditor will ask for.
- Enforce unique logins and multi-factor authentication on all CJI systems
- Verify encryption of CJI in transit and at rest
- Confirm and document fingerprint background checks and recurring training
- Get signed CJIS Security Addenda from every IT vendor and contractor
- Enable, retain and review audit logs
- Refresh policies, the incident-response plan, and your evidence documentation
Key Takeaways
- OSBI is Oklahoma's CJIS Systems Agency and audits agencies on a roughly three-year cycle.
- Auditors check access, authentication, encryption, vetting, training and audit logging.
- Most findings are basic and fixable: shared logins, missing MFA, lapsed training, no vendor addenda.
- Name an active LASO and keep evidence current; undocumented controls count as missing.
- Build the controls into daily operations and the triennial audit becomes routine.



