What should a CJIS incident response plan include?
A strong CJIS incident response plan should define reportable incidents, assign roles and responsibilities, require immediate internal reporting, establish containment and recovery procedures, explain evidence handling, coordinate with executive leadership and outside agencies, and include testing, training, and annual review requirements.12
That matters because public sector teams handling Criminal Justice Information cannot rely on a generic breach checklist. The FBI CJIS Security Policy expects agencies to build an incident response capability that fits their mission, size, structure, and legal obligations.1 In practice, that means the plan has to work for real-world public-sector conditions: shared services, law-enforcement coordination, legacy infrastructure, third-party vendors, public accountability, and the need to protect sensitive criminal justice data during a fast-moving event.
For most city, county, and agency IT teams, the practical question is not whether some policy document exists. It is whether the plan gives staff a roadmap they can actually follow when systems, evidence, communications, and leadership decisions are all moving at once.
Why is CJIS incident response different from a generic cyber plan?
Because CJIS is not just a general security framework. It is a specific operating and compliance standard for environments that process, store, or transmit Criminal Justice Information. When an incident affects that environment, the response has to protect confidentiality, integrity, and availability while also preserving evidence, meeting reporting requirements, and supporting agency operations.1
That makes CJIS response plans more demanding than a lightweight SMB incident checklist. Public sector teams often have to coordinate with:
- agency leadership
- legal and privacy stakeholders
- law enforcement or state CJIS contacts
- third-party IT and security providers
- communications staff
- continuity and disaster recovery owners
If your agency is also modernizing infrastructure or tightening broader public-sector governance, this post pairs well with our existing guidance on CJIS compliance checklists for city and county IT teams, city government IT modernization, and the broader Datapath resources library.
What does the FBI CJIS Security Policy require at a high level?
The CJIS Security Policy requires agencies to develop, document, and disseminate an incident response policy and supporting procedures, then maintain an operational incident handling capability around that policy.1 The plan should:
- provide a roadmap for incident response
- describe the structure of the response capability
- define reportable incidents
- fit the agency’s mission and operating model
- define resources and management support
- address information sharing and escalation
- be reviewed and approved by executive leadership annually1
That last point gets overlooked. A lot of teams have incident notes or technical runbooks, but not a formally maintained plan with executive approval and clear organizational ownership. Under CJIS, that gap matters.
What roles and responsibilities should the plan define?
A CJIS incident response plan should name the people or functions responsible for coordinating the response, not just the departments that might help.13
At minimum, the plan should define responsibilities for:
- incident response coordinator or lead
- IT/security operations staff
- executive sponsor or leadership approver
- legal or privacy review
- communications/public information support
- evidence handling and documentation
- third-party vendor contacts
- state or interface-agency reporting contacts
Public sector teams get into trouble when escalation depends on informal relationships. During a real event, nobody wants to ask who owns containment, who contacts the CSO or CJIS interface, who approves system isolation, or who speaks externally.
A practical plan should also include a current contact appendix covering internal leaders, outside counsel if relevant, managed service partners, cyber insurance contacts if applicable, law-enforcement or fusion-center contacts, and any state CJIS or ISO reporting contacts the agency depends on.
How fast do personnel need to report suspected incidents?
The CJIS Security Policy is explicit here: personnel should report suspected incidents immediately, and no later than one hour after discovery, to the organizational incident response capability.1
That requirement has operational consequences. A good plan should explain:
- what counts as a suspected incident
- who must be notified first
- which channel to use if email is affected
- how after-hours escalation works
- when the agency must involve state or CJIS-specific contacts
This is where training matters. A one-hour reporting requirement is meaningless if employees, dispatch-adjacent staff, or IT admins cannot recognize what needs to be escalated.
What incident lifecycle should the plan follow?
CJIS aligns well with the standard NIST incident response lifecycle: preparation, detection and analysis, containment, eradication, recovery, and post-incident activity.12
Preparation
The plan should document what must already be in place before an incident happens:
- response team members and alternates
- logging and alerting sources
- privileged access controls
- secure communications paths
- backup and recovery procedures
- vendor and law-enforcement contact paths
- evidence preservation guidance
- tabletop exercise cadence
Detection and analysis
The plan should explain how the agency identifies and validates incidents, including review of logs, user reports, security alerts, physical access anomalies, suspicious account behavior, and vendor notifications.1
Containment
Containment steps should be specific enough to guide action under pressure. Examples include isolating affected systems, disabling compromised accounts, restricting network paths, preserving volatile data when appropriate, and documenting every major decision.
Eradication and recovery
The plan should distinguish between stopping the incident and safely returning to operations. That often means malware removal, credential resets, patching, configuration correction, validation testing, and staged restoration from known-good backups.23
Post-incident review
The agency should not stop at restoration. Post-incident work should include lessons learned, policy and control updates, leadership reporting, and follow-up actions assigned to named owners.23
What should count as a reportable incident under CJIS?
The plan should define reportable incidents in plain language, not just by reference to policy citations.1 Public sector teams usually benefit from examples such as:
- unauthorized access to CJI or systems that handle it
- malware or ransomware on CJIS-connected systems
- compromised credentials or privilege abuse
- suspicious data exfiltration or transfer
- lost or stolen devices with CJIS exposure
- firewall, endpoint, or logging failures that create exposure
- third-party incidents affecting agency systems or CJIS data
- physical security events that may expose CJIS systems or media
If the definition stays vague, underreporting becomes likely. If it is too broad with no triage process, teams burn out on noise. The plan should balance both.
How should the plan address evidence handling and chain of custody?
This is one of the biggest differences between a solid public-sector response plan and a generic IT checklist. The plan should explain how the agency preserves relevant logs, images, device state, and documentation in a way that supports investigations and legal requirements.3
A useful evidence section should address:
| Area | What the plan should define | Why it matters |
|---|---|---|
| Log preservation | Which logs are collected first and how long they are retained | Key evidence disappears quickly during active incidents |
| Device handling | Who can isolate, image, or reimage systems | Prevents accidental destruction of evidence |
| Documentation | How actions, timestamps, and decisions are recorded | Supports investigation and after-action review |
| Custody | Who receives, stores, and transfers evidence | Reduces disputes over integrity |
| Legal review | When counsel or agency leadership is involved | Some incidents trigger notice, investigation, or disciplinary steps |
Public sector teams should also avoid a common mistake: restoring systems too quickly without preserving the information needed to understand what happened.
How should CJIS response planning connect to continuity and recovery?
The CJIS Security Policy expects incident response testing and planning to coordinate with related plans such as business continuity, disaster recovery, continuity of operations, and crisis communications.1
That means a CJIS incident response plan should not pretend it stands alone. It should clearly reference:
- backup and recovery runbooks
- disaster recovery priorities
- continuity of operations requirements
- emergency communications processes
- physical-security escalation procedures
- third-party service restoration dependencies
For a city or county team, this matters because the affected systems may support dispatch-adjacent workflows, courts, records, public safety administration, or other services that cannot tolerate prolonged confusion. If the incident response plan does not connect to those operational realities, containment and recovery decisions become slower and riskier.
What testing and training requirements should the plan include?
The plan should require regular training and recurring exercises, not just annual policy acknowledgment.12
We recommend documenting:
- onboarding training for staff with CJIS-relevant responsibilities
- periodic security awareness refreshers
- role-based training for incident responders
- at least annual tabletop testing of the plan
- updates after exercises, audits, or real incidents
A tabletop exercise is especially useful because it exposes gaps that static documents hide. Teams discover outdated contact lists, unclear decision rights, conflicting vendor assumptions, and missing communications procedures before a real event does it for them.
If your organization wants to pressure-test broader resilience planning, our posts on ransomware incident response, disaster recovery testing, and business continuity vs disaster recovery are useful companion reads.
What should leadership review and approve annually?
Under CJIS, executive leadership should review and approve the incident response plan annually.1 That review should not be ceremonial. Leadership should understand:
- what the agency treats as a reportable incident
- who has authority to declare and escalate incidents
- which critical systems and data are in scope
- whether outside vendors play a response role
- what funding or staffing gaps limit readiness
- what major lessons came from prior events or exercises
This is where mature agencies separate policy from performance. A plan that leadership has never seen usually signals that incident response is treated as an IT-only issue instead of an organizational risk-management issue.
Why Datapath for public-sector incident response planning?
Public sector incident response is messy in the real world. The challenge is not writing a document that sounds compliant. It is building a response model that works when legal risk, operational continuity, evidence preservation, vendor coordination, and executive communications all collide.
That is the kind of problem Datapath is built to help untangle. If your agency wants a clearer operating model for public-sector security, start with the Datapath homepage, review our solutions overview, explore our city and county IT modernization guide, or talk with our team about where your current plan is likely to break under pressure.
Frequently Asked Questions
Does CJIS require a written incident response plan?
Yes. The CJIS Security Policy requires agencies to develop and document an incident response policy and procedures, and to maintain a formal incident response plan that supports the broader capability.1
How quickly do suspected incidents need to be reported?
Personnel should report suspected incidents immediately and no later than one hour after discovery to the organizational incident response capability.1
Should a CJIS incident response plan include disaster recovery references?
Yes. Incident response testing and planning should coordinate with related plans such as disaster recovery, continuity, and crisis communications.1
What is the biggest mistake agencies make?
Usually it is treating the plan like static policy paperwork. The better approach is to define named owners, real escalation paths, evidence handling, training, exercises, and recovery coordination that match the agency’s environment.
Sources
- FBI CJIS Security Policy v5.9.5
- NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide
- Example Incident Response Plan (FRCOG)
- MassCyberCenter Incident Response Plan Template and Checklist