Information Exchange Agreements: When and How

I'm going to apologize now for this long post. In trying to address the agreements required by the CJIS Security Policy, I couldn’t come up with a good way to address one type of agreement without covering the others or leaving the reader with unanswered questions. To try to make all of this more consumable, I’ve broken it down by agreement type.

In most cases, agencies sharing information are aware of who they share with and why. It’s also very easy to fall into believing these agreements aren’t important when everything is working well and is stable, but the purpose of any agreement is to provide continuity when things aren’t working well. A change in administration at one or more of the involved organizations can create a situation where responsibilities aren’t well understood. Verbal agreements depend on the people who made the agreement remaining in their existing positions. Once a member of the verbal agreement leaves, a new agreement is needed. Written agreements are enduring. Even if a person who signed a written agreement moves on, another individual can be placed in the same position and can continue using the existing documented arrangement. This is why the CJIS Security Policy requires documented, signed information exchange agreements: they can endure change without creating risk to operations where security is required.

Trying to maintain verbal agreements gets complicated. Agreements that are meant to last should be in writing!

Information Exchange Agreements between Criminal Justice Agencies

When to use it:

Sharing information between criminal justice agencies. Examples:
1. Police reports are sent to District Attorneys for case filing
2. Investigative files are transferred between agencies on partnered investigations
3. Detention facilities request records for inmate classification
4. Dispatch centers provide CJI to patrol officers

What it does:

Defines who is responsible for CJIS controls on information shared between criminal justice agencies.

The easy way to do it:

We don’t have a template, but add a statement like this in an existing interagency agreement or as a standalone one-page agreement:
“Regional Dispatch Center X will provide criminal justice information to listed partnered agencies to assist in police patrol and investigative operations. Information accessed by personnel in each participating agency and information stored in each participating agency’s physical boundaries or information systems are under the management control of, and will be protected pursuant to the CJIS Security Policy by, that agency.”
The agreement identifies the participants, states why information is being shared, and delineates responsibilities. In this case, it states that each agency is responsible for securing the data in its possession.

Management Control Agreements between a Criminal Justice Agency and a Non-Criminal Justice Agency

When to use it:

When support services are provided by personnel who are not under the employment of the criminal justice agency. Examples:
1. Using a county/municipal consolidated IT department
2. Using a county/municipal centralized HR department
3. Using county/municipal centralized Janitorial/Maintenance departments

What it does:

Clarifies that all decisions related to criminal justice information must be approved by the criminal justice agency.

The easy way to do it:

Management control agreements are super easy to draft. Simply go to the CJIS Security Policy here, navigate to Appendix D.2 (page 113 of the PDF version), copy the text and paste it into Word or whatever word processing program you prefer. Then, modify the few bits of text in parentheses and have the agency Chief/Sheriff and the CEO of the non-criminal justice agency (e.g. the CIO, HR Director, or similar) sign it.
Please note: The management control agreement can also be part of a broader document, like a service level agreement or an interagency agreement. Please be sure the language from the management control agreement in the CJIS Security Policy is present in some form.

Agreements with Private Businesses

When to use it:

When support services are provided by personnel who work for a private company:
1. Using a vendor-supported Records Management System (RMS)
3. Using vendor-supported cloud services

What it does:

Obligates the contractor to comply with the CJIS Security Policy.

The easy way to do it:

  1. Incorporate the CJIS Security Addendum in contracts by specifically referencing it.
  2. Have the vendor sign the CJIS Security Addendum.

Whenever CJI is supported, stored, managed, or otherwise accessible to a private contractor, the CJIS Security Policy requires that the contractor formally accept their CJIS responsibilities by signing the CJIS Security Addendum. The document can be found in the CJIS Security Policy; navigate to Appendix H (page 192 of the PDF version).
The FBI also requires that criminal justice agencies incorporate the CJIS Security Policy as a standard within the contract with the business. Because providers of software for criminal justice agencies may also have customers in other lines of business, it should never be assumed that CJIS compliance is understood. The assurance that the contractor is aware of and capable of meeting CJIS policy can only come from the individual contract.

CBI’s CJIS Vendor Management Program

When to use it:

When support services are provided by personnel who work for a private company:
1. Using a vendor-supported Records Management System (RMS)
2. Using a vendor for janitorial services
3. Using vendor-supported cloud services

When your business provides support services to criminal justice agencies:
1. Providing a vendor-supported Records Management System (RMS)
2. Providing a vendor for janitorial services
3. Providing vendor-supported cloud services

What it does:

Simplifies the process of fingerprinting and CJIS policy enforcement when using vendor services. It augments the security addendum and agency contract; it does not replace them.

What it doesn’t do:

The program is designed to streamline CJIS compliance; enrollment in the program does not guarantee CJIS compliance. Vendors in the program have signed agreements with CBI that they will abide by CJIS policy; however, the CBI leverages our Audit program to provide periodic validation of compliance.

Why don’t we guarantee compliance? The CJIS Security Policy is a living document, and information security is a dynamic environment. Because of that, security compliance is more like sailing a ship than building a monument: it is a process of constant adjustment and course correction, and there is no true point of completion.

The easy way to do it:

The Terminal Agency Coordinator can check whether a business is part of the program through CCIC. To be fully in compliance, the Coordinator must also notify CBI through CCIC that they are using the enrolled vendor.

Agencies considering adding the CJIS Vendor program to bid requests, RFPs, etc. should add a statement like this:
“Vendor shall be enrolled in the CBI CJIS Vendor Program or shall enroll within 30 days of contract signing.”

Vendors interested in the program can find more information here. To submit fingerprints, the vendor must have an existing contract with a criminal justice agency.

And in conclusion...

Agreements are important. They're the first chapter in the CJIS Security Policy requirements because they ensure the other twelve chapters can be covered. Is a good agreement going to log password change attempts or ensure adequate network controls? Nope. However, it's the first step in making sure all the other things that are required in securing information still get done, especially in an environment where more than one entity is partnering to ensure all those necessary security controls are in place.

[Image: Austin Powers meme, "I see you have no CJIS agreements. I also like to live dangerously."]
