Change to the CJIS Vendor Program

In order to alleviate confusion regarding the CJIS Vendor Program enrollment criteria, the CBI has made a change to the initial documents required for vendors to enroll in the CJIS Vendor Program. The CBI will require a signed contract be furnished along with the associated enrollment documents.
Submit a copy of an existing contract with a Colorado criminal justice ageny.

 According to the CJIS Security Policy, section 5.1.1.5:

"Private contractors designated to perform criminal justice functions for a CJA [Criminal Justice Agency] shall be eligible for access to CJI [Criminal justice Information accessed through State and Federal systems]. Access shall be permitted pursuant to an agreement which specifically identifies the agency’s purpose and scope of providing services for the administration of criminal justice. The agreement between the CJA and the private contractor shall incorporate the CJIS Security Addendum approved by the Director of the FBI, acting for the U.S. Attorney General, as referenced in Title 28 CFR 20.33 (a)(7)."

Since the CBI CJIS Vendor program's inception, a contract with a criminal justice agency has been a listed requirement within the CJIS Vendor Agreement.  However, to further ensure compliance, the CBI has elected to verify a contract is in place prior to completing the enrollment of the vendor.  This will also affect the subsequent fingerprinting of personnel and security awareness training.  Agencies and vendors should also be prepared to furnish evidence of contracts between vendor and criminal justice agencies during the audit cycle.

As we have implemented this change, we have found that some agencies and companies were unclear on the reason for the contract requirement and have requested clarification, so here's an explanation: Until the contractor has an actual contract with a law enforcement agency, the contractor is not obligated to follow CJIS Security Policy. Therefore, mandating the fingerprinting of those potential contractors falls outside the federal mandate. While state law allows fingerprint based background checks for some licensing and certification, there is no Colorado law specific to CJIS Vendors that would allow fingerprinting prior to contracting with a criminal justice agency.

New Vendors and New Contracts

Because mandating enrollment in the CJIS vendor program could create a chicken-or-egg situation for new contracts with new vendors, agencies and businesses may choose to consider adjusting their requirements. Unless the agency is seeking to limit themselves to contractors who already have an existing contract with another criminal justice agency, consider mandating the vendor either be enrolled in the CJIS vendor program or complete enrollment within a specific time frame.  Agencies may still wish to require the vendor maintain enrollment for the duration of the contract.

Questions?

Contractors: cdps.cbi.cjisvendors@state.co.us
Criminal Justice Agencies: cdps.ccic.laso@state.co.us


Comments

Popular posts from this blog

Just Dropped: CJIS Security Policy 5.6

When does the CJIS security policy apply to Criminal Justice and Non-Criminal Justice Information Systems?

How an Auditor Looks at Your Network Diagram