Procurement, Purchasing, Contracting - CJIS from the Start

It is very important for individuals working on procurement, purchasing and contracting of new information systems to be aware of when CJIS policy may apply to new purchases of products or services.  Because the CJIS security policy can increase the cost of these purchases, it is always better to address it as early as possible to ensure the costs of the project are reasonable and expected.  Trying to add it as an additional requirement after contracts are signed can lead to increased costs and potentially to failure of a project.

CJIS Policy Can Impact Cost

The main cost drivers of the CJIS security policy are technical controls for IT projects, and personnel controls for both IT and other projects.  Let's say the agency has quoted and contracted for an off-site document storage solution.  If, after the project is started, the agency has to ask the contractor to enhance event logging to include all password-related actions and add storage for one year, and also has to request at-rest encryption, which challenges the contractor's ability to support the system, these two items will significantly increase the cost of that system.  On the personnel security side, imagine the agency is having a large remodeling project completed and then informs the contractor that all personnel must undergo fingerprinting.  That contractor must then send each of their personnel for a background check, which incurs labor costs that are not put toward completion of the project.  Additionally, depending on the outcome of the background checks, it could send the contractor scrambling for more personnel.  By addressing CJIS policy from the very beginning, the project's odds of success are improved, actual costs are more accurately estimated and the business relationship is better for all involved.

Preventing Surprises - Be Aware of Where the Policy Could Apply

For people working in these fields in law enforcement agencies, this will be easier, as it can reasonably be assumed that any project involving technology or work performed at the agency will involve CJIS policy.

For non-criminal justice agencies, individuals working on purchasing and contracting will need to be aware of where in the business CJIS information is used.  Typically, these non-criminal justice agencies are using the information for licensing or certification. Therefore, any new purchase or project involving a licensing system or licensing facility could involve CJIS policy.

The CBI doesn't expect purchasing specialists to be experts in CJIS.  Our goal is to ensure that the question is asked as early as possible, preferably during the bid and procurement process.  This can only occur through collaboration between technology personnel, operational personnel and purchasing personnel.  Though this may seem like a chore at first, it will quickly become a minor checkpoint and a routine part of the process of purchasing new equipment.
