Signing the Security Addendum: A How-To

During audits and when answering questions, CBI encounters a lot of confusion about how to properly sign the CJIS Security Addendum. This can range from asking which employees at the contracting business needs to sign the agreement, to asking about how to properly store the signed agreements.

So how is the CJIS Security Addendum supposed to be signed? Like this:
Signed Security Addendum


Here are a list of common mistakes with the CJIS Security Addendum and the correct handling of each:

OOPS! Sales representative signs this “for the whole company”
FIXED IT: Each employee working on your system must sign one of these!

OOPS! CCIC Coordinator signs the second line.
FIXED IT: As shown above, this form is only signed by vendor personnel. There should be no criminal justice agency personnel signing this form.

OOPS! Agency struggles to assemble a process and find space to store all these documents.
FIXED IT: Again, the form is not agency or customer specific, and copies can be maintained by the vendor and available on request by your agency. There is no need to create a duplicate file at the agency and maintain it.

OOPS! This company is in the CJIS Vendor program; I don’t need to bother with this.
FIXED IT: Being a member of the vendor program does not eliminate the need for each employee of the company to sign this document. For a criminal justice agency, the fact that the company is in the CJIS Vendor program means they probably already have these on file. The agency is responsible for verifying with the vendor these documents are signed and available for the agency's inspection upon request.

OOPS! My county or municipal IT department is signing these documents because they joined the vendor program.
FIXED IT: There's nothing to fix here. Although there's no mandate that government IT staff sign this agreement, it does give the employee a chance to understand and acknowledge the expectations - good job!  Also, be sure that a management control agreement exists between any supported criminal justice agencies and the county or municipal IT department.

What if I Have More Questions?

Questions regarding the CJIS Security Policy or the Security Addendum can be emailed to CBI at:; or


Popular posts from this blog

Just Dropped: CJIS Security Policy 5.6

When does the CJIS security policy apply to Criminal Justice and Non-Criminal Justice Information Systems?

How an Auditor Looks at Your Network Diagram