CJIS Brief: Are they a One, or a Nine? Does the contractor need to sign the CJIS Security Addendum?

The CJIS Security Addendum is required for contractors pursuant to chapter of the CJIS Security Policy. However, it does not apply to every contractor. The easy way to determine whether you need to have an individual sign the Security Addendum is to jump a few chapters ahead to chapter 5.12 of the CJIS Security Policy. That chapter separates individuals requiring fingerprints into two groups:

Under item 1: anyone who uses CJI in their job, or who has responsibilities for information systems with access to CJI.

Under item 9: anyone who has access to areas with CJI, but who does not use the CJIS information to perform their work.

Now, jump back to section, where the requirement for the Security Addendum applies to: "All private contractors who perform criminal justice functions..." That incorporates the first group, but not the second. So that means the janitors, maintenance personnel, electricians, plumbers, etc. do not need to…

How an Auditor Looks at Your Network Diagram

A question that comes up pretty often for our auditors is what they want to see in the agency's network diagram.  When that question comes up, the auditors generally assume that question means the agency wants to ensure the network diagram they have reflects all the appropriate details.  For the smaller agencies using only the CBI-provided OpenFox solution, the diagram can be very simple. For larger agencies, we anticipate a little more complexity when things like file servers, records management systems and computer aided dispatch are in the picture.
The CJIS Security Policy contains this standard for network diagrams:

Network Diagram
The agency shall ensure that a complete topological drawing depicting the interconnectivity of the agency network, to criminal justice information, systems and services is maintained in a current status. See Appendix C for sample network diagrams.
The network topological drawing shall include the following:
All communications paths, circui…

Change to the CJIS Vendor Program

In order to alleviate confusion regarding the CJIS Vendor Program enrollment criteria, the CBI has made a change to the initial documents required for vendors to enroll in the CJIS Vendor Program. The CBI will require a signed contract be furnished along with the associated enrollment documents.

According to the CJIS Security Policy, section

"Private contractors designated to perform criminal justice functions for a CJA [Criminal Justice Agency] shall be eligible for access to CJI [Criminal justice Information accessed through State and Federal systems]. Access shall be permitted pursuant to an agreement which specifically identifies the agency’s purpose and scope of providing services for the administration of criminal justice. The agreement between the CJA and the private contractor shall incorporate the CJIS Security Addendum approved by the Director of the FBI, acting for the U.S. Attorney General, as referenced in Title 28 CFR 20.33 (a)(7)."

Since the CB…

Signing the Security Addendum: A How-To

During audits and when answering questions, CBI encounters a lot of confusion about how to properly sign the CJIS Security Addendum. This ranges from asking which employees at the contracting business need to sign the agreement, to asking how to properly store the signed agreements.

So how is the CJIS Security Addendum supposed to be signed? Like this:

COMMON MISTAKES

Here is a list of common mistakes with the CJIS Security Addendum and the correct handling of each:

OOPS! Sales representative signs this “for the whole company”
FIXED IT: Each employee working on your system must sign one of these!

OOPS! CCIC Coordinator signs the second line.
FIXED IT: As shown above, this form is only signed by vendor personnel. There should be no criminal justice agency personnel signing this form.

OOPS! Agency struggles to assemble a process and find space to store all these documents.
FIXED IT: Again, the form is not agency or customer specific, and copies can be maintained by the vendor and a…

Procurement, Purchasing, Contracting - CJIS from the Start

It is very important for individuals working on procurement, purchasing and contracting of new information systems to be aware of when CJIS policy may apply to new purchases of products or services. Because the CJIS Security Policy can increase the cost of these purchases, it is always better to address it as early as possible to ensure the costs of the project are reasonable and expected. Trying to add it as an additional requirement after contracts are signed can lead to increased costs and potentially to failure of a project.

CJIS Policy can impact Cost

The main cost drivers of the CJIS Security Policy are technical controls for IT projects, and personnel controls for both IT and other projects. Let's say the agency has quoted and contracted for an off-site document storage solution. If, after the project is started, the agency has to request that the contractor enhance event logging to include all password-related actions and add storage for one year, and also has to request at-res…

Just Dropped: CJIS Security Policy 5.6

It just dropped and it's hot! The CJIS Security Policy, version 5.6 just came out:

Okay, maybe I'm over-hyping it. There really isn't much in the way of policy changes; the revisions to the policy are mostly clarifications and guidance which make it easier to use and understand.

Here's what's different:

Authenticators (section ): This section now includes hard or soft tokens, as well as one-time passwords, as examples of authenticators.

Encryption (section ): Three new subsections are added, clarifying encryption requirements. Instead of having the use of FIPS 197 for CJI at rest appear as an exception, the standards for CJI at rest now appear as their own section. Also, PKI rules were moved to their own section. The result is a much more readable standard.

Not new, but noteworthy: One thing of note to LASOs is the password requirements for CJI at rest. Although this is not new, it is something that has been placed in a more prominent area in this version of the…

When does the CJIS security policy apply to Criminal Justice and Non-Criminal Justice Information Systems?

One of the challenges of working with information systems at criminal justice agencies is determining when the CJIS security policy applies. There are many occasions where agencies have questions about whether the CJIS security policy applies to a new project or system and how or why it applies.
One Simple Rule

Any system that contains Criminal Justice Information (CJI) from CCIC, NCIC or Nlets is covered by the CJIS Security Policy. CJI can include data from NCIC, CCIC and Nlets, as well as criminal history information from the FBI or any state.

...and therefore, the CJIS security policy applies.

The Minimum Standards

How far does information have to be pared down to be excluded from the CJIS Security Policy? Anything more than a numeric identifier can be considered CJI. Identifiers of property or of records, if they appear without personally identifying information, are not considered CJI. As soon as personal identifiers are added, it's CJI. Additionally, any informat…