Acronis DRaaS for CJIS Audits: Why a Central Valley Dispatch Fails Over Before It Passes

An Acronis DRaaS rehearsal turns a CJIS-mandated contingency test into a normal Tuesday - you spin up CAD and RMS in the Acronis Cloud, run the auditor’s “are we really recoverable?” drill against live compute, and you only pay for the compute minutes the drill actually runs. The agency keeps uptime; the evidence file keeps its chain.

What goes sideways at 02:14 on a Stanislaus shift?

Picture the back room of a Stanislaus County PSAP. Two dispatchers, a supervisor, three mobile-data-computer tablets recharging on the bench, and an alarming silence where the CAD console should be pinging new calls. Central Square, the system the Stanislaus Regional 9-1-1 board is rolling out through 2025 and 2026, is not yet fully cut over¹. In an earlier incident, a neighboring agency’s mobile data network suffered a “Ransomware Attack” that overlapped a “Mobile MDC Outage (Ransomware)” for roughly two weeks in February 2023, and the patterns that scrambled that agency - encrypted servers, lost CAD history, mutual-aid traffic redirected through a paper log - are the same patterns that any Modesto-area or Merced-area dispatch could face tomorrow¹². The dispatcher who is supposed to type a unit onto a call is instead typing a hand-written card. The sheriff’s evidence custodian cannot reconcile property receipts against an encrypted RMS database. The county CIO is on the phone at 02:20, and the triennial CJIS cycle is six weeks out.

That is the operating situation we keep rehearsing for - the one where a backup file on a dusty NAS is not the same thing as a recovery.

What does CJIS actually require from your backup?

The FBI’s Criminal Justice Information Services Security Policy, version 5.9.5 (published 07/09/2024), is in force for every agency that touches Criminal Justice Information - which in practice means every Stanislaus, Merced, Fresno, and San Joaquin County dispatch³. The policy’s Contingency Planning section is unambiguous about backup testing: organizations must “Test backup information as required by the contingency plans to verify media reliability and information integrity,” and “organizations need assurance that backup information can be reliably retrieved”³. A valid test method the policy names explicitly is to “decrypt and transport (or transmit) a random sample of backup files from the alternate storage or backup site and compar[ing] the information to the same information at the primary processing site”³.

NIST’s Cybersecurity Framework 2.0 puts the same idea in plain English under the Recover function: RC.RP-03 requires that “the integrity of backups and other restoration assets is verified before using them for restoration,” with an example implementation of “check[ing] restoration assets for indicators of compromise, file corruption, and other integrity issues before use”⁴. CMS-aligned healthcare clinics in the Datapath footprint see the same shape in the HIPAA Security Rule’s data-backup and contingency-plan administrative safeguards. The point the regulator is making is the same either way: a backup file you have not actually restored from is a backup file you cannot actually trust.

How is Acronis DRaaS different from the backup you already have?

Most dispatch centers we work with already have an Acronis (or comparable) backup agent taking nightly images of the CAD server, the RMS database, and the body-cam evidence store. The piece they often do not have is the failover target. Acronis Disaster Recovery - the DRaaS module inside the same Cyber Protect console - turns the backup into a runnable environment in the Acronis Cloud⁵. Three things change on the day you turn it on:

• One console, one agent. Backup, anti-ransomware, and failover all run from the same Acronis Cyber Protect console the operations team already uses⁵. There is no second vendor to learn on a Sunday morning.
• Pay-as-you-go compute. Cloud DR in Acronis Cloud is billed “pay-as-you-go: pay for used DR cloud storage and for compute only during recovery or tests”⁵. The Azure Cold DR tier goes further and charges “only for compute if disaster occurs”⁵. A quarterly rehearsal therefore costs in compute minutes, not in capital outlay for a warm secondary site.
• Compliance-ready hosting. The Acronis Cloud data centers are documented to meet ISO 27001, SOC 2, HIPAA, and more⁵. For a CJIS-regulated agency that already has to defend its hosting data path to an auditor, that compliance posture is part of why we picked this platform - not an afterthought.

Add in incremental failback (only changed blocks move back while source systems keep running⁵), native networking that keeps the failover inside the city’s VNET and firewall policy⁵, and the ability to fail over from a clean, encrypted archival recovery point so a ransomware actor does not simply hop back in⁵, and the line between “backup” and “recovery” stops being a paragraph in a runbook and starts being a button you can press.

What does the drill have to actually cover?

Not every workload earns the same urgency. A CAD server is the highest tier because seconds on the clock translate into seconds of unsafe road for the citizen, the deputy, and the EMT. Body-cam evidence retention has different rules - hours of RPO are usually acceptable, but integrity verification is non-negotiable because the chain of custody must hold up in court.

Workload	RPO target	RTO target	Acronis DR tier	Rehearsal cadence
CAD (Computer-Aided Dispatch) server	< 5 minutes	< 30 minutes	Acronis Cloud, warm	Quarterly failover test
RMS / records management system	< 15 minutes	< 1 hour	Acronis Cloud, warm	Quarterly failover test
Mobile Data Computer (MDC) laptop fleet	1 hour	4 hours (rebuild image)	Local + cloud, hybrid	Quarterly restore sample
Body-cam and in-car video evidence vault	24 hours	Same-day integrity verification	Acronis Cloud, cold	Monthly restore + integrity check
9-1-1 telephony and logging recorder	< 1 minute (active session)	Failover to carrier B	Out of DRaaS scope - carrier redundancy	Annual table-top with vendor

Two notes on this table. First, we treat RPO and RTO as written commitments in the Datapath contract - not aspirational figures from a vendor brochure. Second, the rehearsal cadence is the part of the contingency plan an auditor is actually going to ask about; CJIS demands evidence that backup information is “reliably retrieved,” which implies it is “reliably retrieved on a schedule”³.

How long does a real test actually take, minute by minute?

A full CAD/RMS failover test on Acronis DRaaS, run by a Datapath engineer, looks like this in practice. The vendor’s own datasheet says DRaaS lets you “securely spin up full production environments in minutes with no extra hardware”⁵; the real-world hour-by-hour is shaped by the runbook and the agency, not the platform.

• T-60 min - Datapath and the dispatch supervisor confirm the test window, freeze non-critical writes, and pre-stage the auditor’s evidence template.
• T-30 min - Acronis management console is opened; the latest clean recovery point is selected and the runbook is reviewed for the third time.
• T-0 - “Failover” is invoked. The CAD and RMS servers boot in the Acronis Cloud inside the agency’s chosen region.
• T+5-15 min - Console connectivity, CAD-to-RMS sync, and user authentication are validated against the same Active Directory (or, for CJIS, the same FBI-styled identity control) the primary site uses.
• T+30 min - Dispatchers log in through the failover console and run two scripted calls: a routine unit-to-call dispatch and a multi-unit mutual-aid incident.
• T+45 min - Integrity check: a random sample of restored CAD records is decoded and compared against primary-site logs, satisfying the CJIS “compare the information” clause³.
• T+60 min - Failback is initiated. Because failback is incremental (only changed blocks move back⁵), the agency’s primary site is current within minutes, not hours.
• T+90 min - The audit packet - dated screenshots, run logs, attestation, RTO timing - is exported and filed.

The whole thing is roughly an hour of active disruption. For comparison, the publicly reported average downtime for a CAD-disabled dispatch center, after the kinds of attacks industry tracked in 2024, was about 15 days, with some extending toward six weeks². The ratio of effort is the entire argument.

What belongs in the audit packet?

A Datapath-prepared audit packet for a CJIS Contingency Planning review is a folder, not a paragraph. We hand the agency a structured bundle so the auditor’s question becomes a file lookup rather than an interview. At minimum, expect:

• A dated runbook - the same one used in the rehearsal, complete with named Datapath owners and named agency approvers.
• A test log showing the RPO and RTO actually observed in this drill, not the ones the procurement contract promised.
• Screenshots of the failover console at boot, at first dispatch, and at failback - timestamped.
• A random-sample integrity comparison between the failover environment and the primary site, mirroring the CJIS-prescribed test method³.
• Evidence that the recovery point was free of indicators of compromise - the NIST RC.RP-03 example implementation rather than a policy claim⁴.
• A signed attestation from the dispatch supervisor and the Datapath engineer of record.

That packet survives an audit. It also, more importantly, survives an incident.

What does it cost - and what does it not?

The honest framing for a county IT director is that Acronis DRaaS has three numbers to put in the budget:

• A flat per-workload license for the backup and DR protection of every workload you want to be recoverable.
• An Acronis Cloud storage footprint sized for your retention and RPO targets.
• A compute line item that only shows up when you rehearse or when you actually fail over, because the platform’s billing is pay-as-you-go for DR cloud storage and compute only during recovery or tests⁵.

That third line item is the one a board will appreciate. A quarterly test of three servers for ninety minutes each is not a six-figure capital project; it is a compute bill measured in hours. The same line item is also what keeps the agency’s posture honest - because the cheapest way to lose your DR readiness is to stop rehearsing, and the cheapest way to lose a CJIS audit is to show a contingency plan with no evidence behind it.

Where Datapath fits in

We operate Acronis as a managed service, not a self-serve subscription. The same Datapath engineers who build the backup and DR posture are the ones who show up at 02:00 in Modesto, Dublin, Fresno, Irvine, or anywhere else in our footprint when something actually fails over. Our Acronis practice sits inside our Managed IT Services and Cybersecurity tracks, and we size it from the ground up against an agency’s real workflow - CAD, RMS, clinical workloads, finance systems, K-12 SIS - rather than a vendor’s checkbox list. If you want to see how we would scope a rehearsal for your environment, the Modesto office and the Dublin office both run quarterly test windows we can put on your calendar, and our blog archive has the vertical-specific angles - healthcare, K-12, finance, public sector - if you want to read a sibling piece next.

Book the rehearsal before the auditor books it for you.

---

Footnotes

1. HIPAA Data Backup Requirements ↩ ↩²

2. What Are the HIPAA Data Backup Requirements? ↩ ↩²

3. HIPAA Security Contingency Plan: Disaster Recovery … ↩ ↩² ↩³ ↩⁴ ↩⁵ ↩⁶

4. HIPAA Security Data Management ↩ ↩²

5. HIPAA Data Backup Plan and Disaster Recovery Plan ↩ ↩² ↩³ ↩⁴ ↩⁵ ↩⁶ ↩⁷ ↩⁸ ↩⁹ ↩¹⁰ ↩¹¹