With regard to security compliance the biggest challenges would be staffing and funding. There are several roles spelled out in Section 3 of the CJIS Security Policy that outline specific duties that each role is responsible for. In the case of rural police departments, they simply may not have adequate staff to fill those roles and carry out follow-up required to keep a law enforcement system in compliance with the particular areas of security they need.
My company sees agencies of all sizes using our hosted license plate reader and facial recognition solutions for this very reason. We have built our business around providing a level of security and infrastructure that most agencies, regardless of size, would find difficult to emulate. With that said, many agencies are moving to hosted solutions like ours to effectively outsource these requirements, allowing them to focus agency resources elsewhere. It is important to note, however, that the agency is still responsible for ensuring that these types of providers truly meet the requirements. I cover this topic in greater detail in my white paper.
There are also police agencies that rely on either state or county support for their IT needs. This may be a partial solution or may become problematic depending on what the service offerings are. An agency can incur additional needs or requirements that may not be able to be supported by the state or county, depending on the accepted responsibilities of the supporting entity. Where the funding came from could be a challenge as well; if a rural agency applies for and is granted funding from a specific source, there may be specific stipulations with regard to security or the programs’ use that may not be supported at the state or county level.
Lastly, rural agencies should consult with their allied law enforcement in consideration for the security model they choose to rely upon and there are several: National Institute of Standards and Technology (NIST), FBI-CJIS Security Policy, FIPS-140-2, Global Reference Architecture (GRA), just to name a few.
Ultimately whichever direction agencies choose to go regarding security, they need to be the ones comfortable with the standards and level of security that they choose for protecting their data.