The National Crime Prevention and Privacy Compact Council
The Outsourcing of Noncriminal Justice Administrative Functions Guide for State Agencies
Email Address: [email protected]
Compact Council Website: www.fbi.gov/about-us/cjis/cc
May 2015, Version 3.0


Table of Contents

Introduction ... 3
Background ... 4
Outsourcing: Non-Channeling versus Channeling ... 5
Outsourcing Scenarios ... 8
    Non-Channeling: Outsourcing Fitness Determinations/Recommendations ... 8
    Channeling: Fingerprint Submissions/Results/Dissemination ... 8
Responsibility Table for Non-Channeling ... 9
Responsibility Table for Channeling ... 25
Authorized Recipient's Responsibilities ... 37
Examples of Non-Channeling Documentation ... 38
    Sample Authorized Recipient Request Letter for Non-Channeling ... 38
    Sample Language between the Authorized Recipient and Contractor regarding Noncriminal Justice Outsourcing Functions for Non-Channeling ... 39
Examples of Channeling Documentation ... 40
    Authorized Recipient Sample Request Letter to Use a Channeler ... 40
    Sample FBI Response Letter for Channeler Request ... 41
    Sample Language between the Authorized Recipient and Channeler regarding Noncriminal Justice Outsourcing Functions ... 42
Outsourcing Audit Guidelines ... 43
    Sample Audit Methodology ... 43
    Sample 90 Day Audit Checklist for an Authorized Recipient ... 45
Non-Channeling Flowchart for SCO/CA ... 48
Non-Channeling Checklist for SCO/CA ... 49
Channeling Flowchart for SCO/CA ... 50
Channeling Checklist for SCO/CA ... 51
Frequently Asked Questions ... 52
Recommended Online Reference Materials ... 54
Definitions ... 55
Appendices ... 59
    Interim Final Rule: Outsourcing of Noncriminal Justice Administrative Functions ... 60
    Final Rule: Outsourcing of Noncriminal Justice Administrative Functions ... 64
    Security and Management Control Outsourcing Standard for Channelers ... 66
    Security and Management Control Outsourcing Standard for Non-Channelers ... 80

2 | Page    Outsourcing Guide for State Agencies    Version 3.0

Introduction

Noncriminal justice outsourcing is the engagement of a third-party contractor to perform noncriminal justice administrative functions (i.e., making fitness determinations/recommendations, obtaining missing dispositions, archival and off-site storage of fingerprint submissions and corresponding criminal history record results, or the submission of fingerprints and the receipt of corresponding criminal history records) related to the processing of criminal history record information (CHRI) maintained in the Interstate Identification Index (III) System, subject to appropriate controls, when acting on behalf of the governmental or authorized agency. The III is the system of federal and state criminal history records maintained by the Federal Bureau of Investigation (FBI).

The Outsourcing of Noncriminal Justice Administrative Functions Guide for State Agencies (State Guide) was developed by the National Crime Prevention and Privacy Compact Council (Council) in consultation with the FBI's Criminal Justice Information Services (CJIS) Division. The State Guide is designed to provide resources to state agencies that engage in and authorize the outsourcing of noncriminal justice administrative functions. The information contained in the State Guide may be used as a resource. States are encouraged to continue to build upon this information to enhance their outsourcing programs. Federal or regulatory agencies should contact the FBI Compact Officer for information pertaining to the outsourcing of noncriminal justice administrative functions.

The State Guide is broken down into several sections. Topics include an outline of responsibilities for engaging in a contract or agreement for Non-Channeling and Channeling; samples of contract language and outsourcing requests; audit methodologies; and a variety of checklists. The State Guide also contains a list of frequently asked questions, common definitions relating to the outsourcing of noncriminal justice administrative functions, and additional on-line resources.


Background

The National Crime Prevention and Privacy Compact Act of 1998 (Compact) (Title 42, United States Code [U.S.C.], Sections 14611-14616) provides a legal framework for the cooperative exchange of criminal history records between federal and state entities for noncriminal justice purposes. The Compact was signed by President Clinton on October 9, 1998, and became effective on April 28, 1999, when ratified by two states. As of December 2014, 30 states and the federal government have ratified the Compact. States that have ratified the Compact are referred to as "party states." The Compact established a fifteen-member Council, whose members are appointed by the United States (U.S.) Attorney General (AG), to promulgate rules, procedures, and standards governing the use of the III System and CHRI for noncriminal justice purposes and to ensure the protection of an individual's privacy while facilitating the nationwide automated exchange of CHRI. Pursuant to the Compact, each party state is required to appoint a State Compact Officer (SCO) who shall ensure that the Compact provisions, rules, procedures, and standards established by the Council are complied with in his/her respective state.

The Council published the "Outsourcing of Noncriminal Justice Administrative Functions" Interim Final Rule (IFR) and two "Security and Management Control Outsourcing Standards" (Outsourcing Standards) in the Federal Register on December 16, 2004. The IFR is attached as Appendix A. The Council adopted the IFR as a Final Rule (Rule) and published a combined Outsourcing Standard in the Federal Register on December 15, 2005, which is attached as Appendix B. The Rule permits an Authorized Recipient (AR) of CHRI to outsource noncriminal justice administrative functions relating to the processing of CHRI to a third party, subject to appropriate controls.

The Outsourcing Standard established minimum requirements to ensure that security and privacy controls are in place when conducting national criminal history record checks for noncriminal justice purposes. The contracting parties may not reduce these minimum standards; however, more restrictive requirements may be adopted by the contracting parties. Additionally, the Outsourcing Standard identified responsibilities for adequate security controls between the AR and the Contractor in order to maintain the security and integrity of the III System and CHRI. The security program shall address site security, dissemination restrictions, personnel security, system security, and guidelines for documentation of security events. To ensure agencies follow the minimum standards, the Rule states that contracts or agreements providing for authorized outsourcing "shall incorporate by reference a security and management control outsourcing standard approved by the Compact Council after consultation with the United States Attorney General." In November 2009, to clarify the roles, the Council bifurcated the Outsourcing Standard to create one strictly for Channeling (Outsourcing Standard for Channelers) [Appendix C] and the other for Non-Channeling (Outsourcing Standard for Non-Channelers) [Appendix D]. The Council periodically updates the Outsourcing Standards, and the most current versions may be found on the web at .


Outsourcing: Non-Channeling versus Channeling

There are two very separate and distinct parts to the outsourcing of noncriminal justice administrative functions associated with national criminal history records. The first is Non-Channeling. In this scenario, the Contractor receives access to the CHRI directly from the AR. The AR may engage the Contractor to perform a variety of noncriminal justice administrative functions, such as, but not limited to, obtaining missing dispositions, making fitness determinations/recommendations, or the off-site storage and archival of fingerprint submissions and corresponding criminal history record results. In this arrangement, the Contractors do not have a direct connection to the FBI's CJIS Wide Area Network (WAN). The AR provides the results of the national criminal history record check directly to the Contractor. The Contractor performs the desired noncriminal justice administrative function(s). Figure 1-1 depicts a Non-Channeling arrangement.

It is important to note the requirement of footnote 4 of the Outsourcing Standard for Non-Channelers: if a national criminal history record check of government personnel having access to CHRI is mandated or authorized by a state statute approved by the U.S. AG under Public Law (Pub. L.) 92-544, the SCO (or the Chief Administrator (CA) in non-party states) must ensure, before authorizing the outsourcing initiative, that Contractor personnel accessing CHRI are either covered by the existing law or that the existing law is amended to include national criminal history record checks for Contractors. For example, if North Carolina has a statute that permits its governmental and contracted employees who perform only noncriminal justice administrative functions to be backgrounded, then the AR requesting the outsourcing will be required to background the Contractor's employees having access to FBI-provided CHRI while performing noncriminal justice administrative functions. Whereas, if California has enacted a statute that only authorizes the backgrounding of its governmental employees performing only noncriminal justice administrative functions, then the outsourcing approval will not be granted until such authority to background the contracted employees is in place.


The other part of noncriminal justice outsourcing is Channeling, which creates a conduit for an AR to submit fingerprints via an FBI-approved Channeler directly to the FBI; the Channeler receives the CHRI on behalf of the AR and promptly distributes the CHRI to the AR. The Channeler is a Contractor that has a direct connection to the FBI's CJIS WAN for the electronic submission of fingerprints on behalf of the AR. The FBI electronically returns the corresponding results of each fingerprint-based national criminal history record check to the Channeler, and the Channeler expeditiously disseminates the criminal history record check results to the AR. Figure 1-2 illustrates the Channeling arrangement.

In 2011, the FBI released a Request for Proposal (RFP) to solicit Contractors to provide processing services for authorized national noncriminal justice fingerprint submissions from ARs. In response to the RFP, the FBI selected multiple Contractors to act as Channelers. For a current list of FBI-approved Channelers, visit or contact the FBI Compact Office at . Pursuant to the Outsourcing Standard for Channelers, the FBI is required to conduct criminal history record checks of Channeling personnel having access to CHRI. Thus, in this arrangement, the AR is not responsible for conducting background checks of the Contractor's personnel having access to CHRI.

As a matter of information, if the Contractor is posting national criminal history record check results to a website, the FBI CJIS Division's Information Security Officer must review and approve the proposed technical configuration prior to the FBI Compact Officer's decision to approve the request.

It is possible for the same Contractor to provide both Channeling and Non-Channeling noncriminal justice administrative functions. If this occurs, there must be a distinct separation between the Channeling and the performance of the other noncriminal justice administrative functions (Non-Channeling). A Channeler must promptly forward the criminal history record check results to the AR, which ends the "Channeling" outsourcing process. Then, the AR would be responsible for selecting and forwarding the criminal history record check results back to the Contractor for the performance of approved Non-Channeling noncriminal justice administrative functions, such as obtaining missing dispositions, outsourced by the AR in compliance with the Outsourcing Standard for Non-Channelers. Such procedures will establish a distinct beginning and end to each of the outsourcing contracts (i.e., a contract for Channeling and a contract for other noncriminal justice administrative functions). Additionally, this process will facilitate an efficient audit process. Essentially, a Channeler is an "expediter" or "conduit" rather than a user of criminal history record results. The Contractor providing the Non-Channeling function is the user of the information. Figure 1-3 displays the same Contractor performing both the Channeling and Non-Channeling functions.


Outsourcing Scenarios

Non-Channeling: Outsourcing Fitness Determinations/Recommendations

New Hampshire (NH), a party state, enacts a Pub. L. 92-544 statute that authorizes the state to conduct fingerprint-based background checks on prospective foster parents. The NH Department of Health and Human Services (DHHS) submits a written request to the SCO (or the CA of the State Criminal History Repository for non-party states) to outsource noncriminal justice administrative functions to a Contractor. The specific function that will be outsourced to the Contractor is making fitness determinations/recommendations using the applicant's criminal history information. A sample Non-Channeling request letter may be found under the Examples of Non-Channeling Documentation section. Upon written approval by the SCO (or the CA), the NH DHHS, as the AR, may utilize a Contractor to perform the specific noncriminal justice administrative function. Therefore, in this instance, upon execution of the necessary outsourcing agreements by the NH DHHS and the Contractor, the NH DHHS may use a Contractor to make fitness determinations/recommendations.

Channeling: Fingerprint Submissions/Results/Dissemination

Wisconsin (WI), a non-party state, enacts a Pub. L. 92-544 statute that authorizes the state to conduct fingerprint-based background checks on licensed health care professionals and unlicensed health care facility personnel. The WI Department of Children and Families (DCF) submits a written request to the CA at the WI State Criminal History Repository (or the SCO in a party state) to use an FBI-approved Channeler to perform noncriminal justice functions. The specific functions that the Channeler will perform are submitting fingerprints to the FBI, receiving CHRI on behalf of the DCF, and expeditiously providing the CHRI to the DCF. A sample Channeling request letter may be found under the Examples of Channeling Documentation section.

The CA at the WI State Criminal History Repository (or the SCO) submits a written request to the FBI Compact Officer to outsource the DCF's fingerprint submissions for a national background check to an FBI-approved Channeler. Upon written approval by the FBI Compact Officer, the DCF may utilize an FBI-approved Channeler to perform specific noncriminal justice administrative functions. Therefore, in this instance, upon execution of the necessary outsourcing agreements among the WI State Criminal History Repository, the Channeling Contractor, and the WI DCF, the DCF may use an FBI-approved Channeler to submit fingerprints to the FBI, receive CHRI on behalf of the DCF, and expeditiously provide the CHRI to the DCF.

Disclaimer: The states and agencies used in the example scenarios were randomly selected.


Responsibility Table for Non-Channeling
Security and Management Control Outsourcing Standard (OS) for Non-Channelers
OS dated 11/06/2014, table updated 12/17/2014

Table columns: Outsourcing Standard (OS) Section #; Authorized Recipient (AR); Contractor; State Compact Officer (SCO), FBI Compact Officer (FBI CO), Chief Administrator (CA), CJIS Systems Agency (CSA); FBI CJIS Division (CJIS), Compact Council (CC), United States Attorney General (US AG).

Section 2.0 - Responsibilities of the AR

2.01 - Outsourcing Request (see Section 11.01); Footnote 2 - Audit Requirements; Footnote 3 - Outsourcing Approval
    AR shall:
        (1) If a state or local AR's outsourcing is based on state or federal statutes, request and receive permission from the SCO/CA.
        (2) Provide the SCO/CA copies of the specific authority for the outsourced work, criminal history record check requirements, and/or a copy of relevant portions of the contract as requested.
    SCO/CA:
        (1) The SCO/CA shall approve/disapprove the request in writing.
        (2) The SCO/CA may not grant such permission unless he/she has implemented a combined state/federal audit program to, at a minimum, triennially audit a representative sample of the Contractors and ARs engaging in outsourcing, with the first of such audits to be conducted within one year of the date the Contractor first receives CHRI under the approved outsourcing agreement.
        (3) The SCO/CA will review copies of the specific authority for the outsourced work, criminal history record check requirements, and/or a copy of relevant portions of the contract if requested.

2.02 - Contract; 2.03(c), 7.01 & 9.02 - OS and CJIS Security Policy
    AR shall:
        (1) Execute a contract or agreement prior to providing a Contractor access to CHRI.
        (2) Ensure the most updated versions of the OS and the CJIS Security Policy are incorporated by reference at the time of contract, contract renewal, or within the 60 calendar day notification period, whichever is sooner.
        (3) Notify the Contractor within 60 calendar days (unless otherwise directed) of FBI notification regarding changes or updates to the OS and/or CJIS Security Policy.
    Contractor:
        (1) Ensure that the most current version of both the OS and the CJIS Security Policy are incorporated by reference at the time of the contract, contract renewal, or within 60 calendar days (unless otherwise directed) of notification of successor versions of the OS and/or CJIS Security Policy, whichever is sooner.
    SCO/CA:
        (1) The SCO/CA shall make available the most current version of both the OS and the CJIS Security Policy to the AR within 60 calendar days (unless otherwise directed) of notification of successor versions, whichever is sooner.


2.03 - Access to CHRI
    When the Contractor will have access to CHRI, the AR shall:
        (1) Specify terms and conditions of access.
        (2) Limit the use of the information to the purposes for which provided.
        (3) Limit the retention of the information to a period of time not to exceed that period of time the AR is permitted to retain such information.
        (4) Prohibit dissemination except as authorized by federal and state laws, regulations, and standards as well as with rules, procedures, and standards established by the CC and the US AG.
        (5) Ensure security and confidentiality of the information, to include confirmation that the intended recipient is authorized to receive CHRI.
        (6) Provide for audits and sanctions.
        (7) Provide conditions for termination of the contract.
        (8) Ensure Contractor personnel comply with the OS.

2.03(a) & Footnote 4 - Criminal History Record (CHR) Checks (see Section 11.03)
    AR:
        (1) Conduct criminal history record checks of Contractor personnel having access to CHRI if such checks of the AR's personnel are required or authorized under an existing state statute approved by the U.S. AG under Pub. L. 92-544, federal statute, or Executive Order.
        (2) Maintain updated records of Contractor personnel who have access to CHRI and update those records within 24 hours when changes to that access occur, and if a criminal history record check is required, maintain a list of Contractor personnel who successfully completed the criminal history record check.
        (3) The national criminal history record checks of Contractor personnel with access to CHRI cannot be outsourced and must be performed by the AR.
    SCO/CA:
        (1) The SCO/CA processes criminal history record checks of Contractor personnel having access to CHRI if such checks are required or authorized of the AR's personnel having similar access.
        (2) If a national criminal history record check of AR personnel having access to CHRI is mandated or authorized by a federal statute, executive order, or state statute approved by the U.S. AG under Public Law 92-544, the SCO/CA and/or the FBI CO must ensure Contractor personnel accessing CHRI are either covered by the existing law or that the existing law is amended to include such Contractor personnel prior to authorizing outsourcing initiatives.

2.03(b) - Site Security (see CJIS Security Policy)
    AR: (1) Ensure the Contractor maintains site(s) security.
    Contractor: (1) Maintain site(s) security.

2.03(c) - OS & CJIS Security Policy
    All parties: see 2.02.

2.03(d) - Access to Contract (see Section 11.02)
    AR: (1) Make available to the SCO/CA the relevant portions of the current and approved contract relating to CHRI, upon request.
    Contractor: (1) Make available to the SCO/CA the relevant portions of the current and approved contract relating to CHRI, upon request.
    SCO/CA: See 11.02.

2.04 - Records and Topological Drawings (see Section 11.04)
    AR:
        (1) Understand the communications and record capabilities of the Contractor which has access to federal or state records through, or because of, its outsourcing relationship with the AR.
        (2) Request and approve a topological drawing which depicts the interconnectivity of the Contractor's network configuration as it relates to the outsourced functions.
        (3) The AR, if required, shall coordinate the approvals with the SCO/CA.
    Contractor: (1) Provide updated topological drawings to the AR.
    SCO/CA: (1) The SCO/CA shall approve a topological drawing which depicts the interconnectivity of the Contractor's network configuration as it relates to the outsourced functions.

2.05 - 90 Day Compliance Review (see Section 11.05)
    AR:
        (1) Responsible for the actions of the Contractor and for monitoring the Contractor's compliance with the terms and conditions of the OS.
        (2) The AR, in conjunction with the SCO/CA, will conduct an audit of the Contractor within 90 days of the date the Contractor first receives CHRI under the approved outsourcing agreement. The AR shall certify to the SCO/CA that the audit was conducted.
    SCO/CA: (1) The SCO/CA will review and maintain the AR's certification for completion of the 90 day compliance review.

2.06 - Contract Termination (see Section 8.02)
    AR: (1) Provide written notice of any early voluntary termination of the contract to the SCO/CA.

2.07 - ISO Appointment
    AR: (1) Appoint an Information Security Officer (ISO) to:
        (a) Serve as the security POC for the FBI CJIS Division ISO;
        (b) Document technical compliance with the OS; and
        (c) Establish a security incident response and reporting procedure to discover, investigate, document, and report on major incidents that significantly endanger the security or integrity of the NCJ agency systems to the CJIS Systems Officer and the FBI CJIS Division ISO.

Section 3.0 - Responsibilities of the Contractor

3.01 - Regulation Compliance
    Contractor: (1) Comply with all federal and state laws, regulations, and standards (including the CJIS Security Policy) as well as with rules, procedures, and standards established by the CC and the US AG.

3.02 - Security Program
    AR: (1) Review and provide written approval/disapproval of the Contractor's Security Program to the SCO/CA.
    Contractor:
        (1) The Contractor shall develop, document, administer, and maintain a Security Program (Physical, Personnel, and IT) to comply with the most current OS and most current CJIS Security Policy.
        (2) The Security Program shall describe the implementation of the security requirements outlined in this OS and the CJIS Security Policy.
        (3) Responsible to set, maintain, and enforce the standards for selection, supervision, and separation of personnel who have access to CHRI.
    SCO/CA: (1) The SCO/CA is to ensure the AR is in compliance with the CJIS Security Policy.

3.03 - Security Requirements (see CJIS Security Policy)
    AR: (1) Review and provide written approval/disapproval of the Contractor's Security Program.
    Contractor: Requirements for a Security Program should include, at a minimum:
        (a) Description of the implementation of the security requirements described in the OS and the CJIS Security Policy.
        (b) Security training.
        (c) Guidelines for documentation of security violations, to include:
            (i) Develop and maintain a written security incident reporting plan to address security events, to include violations and incidents.
            (ii) Have a process in place for reporting security violations.
        (d) Standards for the selection, supervision, and separation of personnel with access to CHRI.
        *If using a corporate policy, it must meet the requirements outlined in the OS and the CJIS Security Policy. If the corporate policy is not this specific, it must flow down to a level where the documentation supports these requirements.

3.04 - Security Training Program
    AR:
        (1) Review and provide to the Contractor written approval/disapproval of the Contractor's Security Training Program.
        If the training requirement is retained by the AR:
        (1) Develop a Security Training Program for all Contractor personnel with access to CHRI prior to their appointment/assignment.
        (2) Provide training prior to appointment/assignment and upon receipt of notice from the SCO/CA on any changes to federal and state laws, regulations, and standards as well as with rules, procedures, and standards established by the CC and the US AG.
        (3) Provide annual refresher training, not later than the anniversary date of the contract, and may certify in writing to the FBI that annual refresher training was completed for those Contractor personnel with access to CHRI.
    Contractor:
        (1) Except when the training requirement is retained by the AR, the Contractor shall develop a Security Training Program for all Contractor personnel with access to CHRI prior to their appointment/assignment.
        (2) Provide training upon receipt of notice from the SCO/CA on any changes to federal and state laws, regulations, and standards as well as with rules, procedures, and standards established by the CC and the US AG.
        (3) Provide annual refresher training, not later than the anniversary date of the contract, and certify in writing to the AR that annual refresher training was completed for those Contractor personnel with access to CHRI.

3.05 - Security Inspection (see Section 11.07)
    AR: (1) Perform announced and unannounced audits and security inspections.
    Contractor: (1) Make its facilities available for announced and unannounced audits and security inspections performed by the AR, the state, or the FBI on behalf of the CC.
    SCO/CA: (1) The state may perform announced and unannounced audits and security inspections.
    CJIS/CC/US AG: (1) The FBI, on behalf of the CC, may perform announced and unannounced audits and security inspections.

3.06 - Security Program Review (see Sections 3.02 & 11.06)
    AR:
        (1) Review and approve the Contractor's Security Program.
        (2) During this review, provisions will be made to update the Security Program to address security violations and to ensure changes in policies and standards as well as changes in federal and state law are incorporated.
    Contractor: (1) The Contractor's Security Program is subject to review by the AR, SCO/CA, FBI CO, and CJIS.
    SCO/CA: (1) May review the Contractor's Security Program.
    CJIS/CC/US AG: (1) May review the Contractor's Security Program.

3.07 - Maintenance of CHRI
Contractor: (1) Maintain CHRI only for the period of time necessary to fulfill its contractual obligations, but not to exceed the period of time that the AR is authorized to maintain and does maintain the CHRI.

3.08 - CHRI Logging
Contractor: (1) Maintain a log of any dissemination of CHRI for a minimum of 365 days.

4.0 - Site Security
4.01 - Physically Secure Location
AR: (1) Ensure the Contractor site(s) is a physically secure location to protect against any unauthorized access to CHRI.
Contractor: (1) Ensure the site(s) is a physically secure location to protect against any unauthorized access to CHRI.

5.0 - Dissemination
5.01 - Dissemination Authority
AR: (1) Authorize any dissemination of CHRI by the Contractor to ensure that the dissemination falls within the guidelines of federal and state laws, regulations, and standards, as well as rules, procedures, and standards established by the CC and the US AG.
Contractor: (1) Ensure CHRI is not disseminated without the consent of the AR, and only as specifically authorized by federal and state laws, regulations, and standards, as well as rules, procedures, and standards established by the CC and the US AG.

5.02 - Dissemination Log
Contractor: (1) Maintain an up-to-date log concerning dissemination of CHRI for a minimum of one year. (2) The log must identify: (a) the AR and the secondary recipient, with unique identifiers; (b) the record disseminated; (c) the date of dissemination; (d) the statutory authority for dissemination; and (e) the means of dissemination.
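The dissemination log in 5.02 is the one artifact of this table that a Contractor's engineering team has to build rather than sign. The following is an added example (not code from the Compact Council or any agency) of an append-only log that refuses an entry unless all five items required by 5.02 are present and non-blank, and that ages entries out only once they are older than the 365-day minimum retention in 3.08/5.02. The field names, the JSON-lines storage layout, and the sample entries are assumptions made for the example; the identifiers in the samples are constructed and do not refer to real records.

```python
"""Dissemination log meeting OS 5.02 (added example, not the guide's own code).

Assumptions made for this example: entries are stored as one JSON object per
line, the field names below are chosen here, and SAMPLE_ENTRIES is constructed.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from datetime import date, timedelta

# The five things OS 5.02 says the log must identify, one key per item.
REQUIRED_FIELDS = (
    "ar_id",            # (a) the AR, by unique identifier
    "recipient_id",     # (a) the secondary recipient, by unique identifier
    "record",           # (b) the record disseminated
    "disseminated_on",  # (c) the date of dissemination, ISO 8601
    "authority",        # (d) the statutory authority for dissemination
    "means",            # (e) the means of dissemination
)
MIN_RETENTION_DAYS = 365  # OS 3.08 / 5.02: keep entries at least one year


@dataclass(frozen=True)
class DisseminationEntry:
    ar_id: str
    recipient_id: str
    record: str
    disseminated_on: str
    authority: str
    means: str

    def dissemination_date(self) -> date:
        return date.fromisoformat(self.disseminated_on)


def validate_entry(entry: dict) -> DisseminationEntry:
    """Reject an entry with a missing or blank required field or a bad date."""
    missing = [f for f in REQUIRED_FIELDS if not str(entry.get(f, "")).strip()]
    if missing:
        raise ValueError(f"dissemination entry missing field(s): {missing}")
    # fromisoformat raises ValueError for anything that is not a YYYY-MM-DD date
    date.fromisoformat(str(entry["disseminated_on"]).strip())
    return DisseminationEntry(**{f: str(entry[f]).strip() for f in REQUIRED_FIELDS})


def is_valid(entry: dict) -> bool:
    """Convenience wrapper: True if validate_entry accepts the entry."""
    try:
        validate_entry(entry)
        return True
    except ValueError:
        return False


class DisseminationLog:
    """Append-only log; lines are never edited, only appended or aged out."""

    def __init__(self) -> None:
        self._lines: list[str] = []

    def append(self, entry: dict) -> DisseminationEntry:
        validated = validate_entry(entry)
        self._lines.append(json.dumps(asdict(validated), sort_keys=True))
        return validated

    def entries(self) -> list[DisseminationEntry]:
        return [DisseminationEntry(**json.loads(line)) for line in self._lines]

    def purge(self, today: date) -> int:
        """Remove only entries older than the minimum retention; return the count removed."""
        cutoff = today - timedelta(days=MIN_RETENTION_DAYS)
        kept = [line for line in self._lines
                if DisseminationEntry(**json.loads(line)).dissemination_date() >= cutoff]
        removed = len(self._lines) - len(kept)
        self._lines = kept
        return removed


# Constructed sample entries (not real disseminations); identifiers are made up.
SAMPLE_ENTRIES = [
    {"ar_id": "AR-0001", "recipient_id": "SEC-0042", "record": "CHRI response 14-0007",
     "disseminated_on": "2014-03-01", "authority": "Pub. L. 92-544 state statute",
     "means": "encrypted electronic transfer"},
    {"ar_id": "AR-0001", "recipient_id": "SEC-0042", "record": "CHRI response 14-0318",
     "disseminated_on": "2014-11-06", "authority": "Pub. L. 92-544 state statute",
     "means": "hand delivery, sealed envelope"},
    {"ar_id": "AR-0001", "recipient_id": "SEC-0077", "record": "CHRI response 15-0102",
     "disseminated_on": "2015-04-20", "authority": "Pub. L. 92-544 state statute",
     "means": "encrypted electronic transfer"},
]


def demo(today: date = date(2015, 5, 1)) -> tuple[int, int]:
    """Load the samples, age out what is past retention, return (removed, remaining)."""
    log = DisseminationLog()
    for entry in SAMPLE_ENTRIES:
        log.append(entry)
    removed = log.purge(today)
    return removed, len(log.entries())


if __name__ == "__main__":
    print(demo())  # (1, 2): only the 2014-03-01 entry is older than 365 days
```

The retention check is deliberately one-directional: `purge` can only remove entries that are already past the minimum, so a misconfigured cleanup job cannot shorten the log below what 5.02 requires. Anything stricter that the AR or SCO/CA imposes under 9.03 (longer retention, additional fields) is a change to the two constants at the top, not to the validation logic.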

5.03 - Unauthorized Access
AR: (1) Ensure any dissemination of CHRI data by the Contractor is for official purposes only.
Contractor: (1) If CHRI is stored or disseminated in an electronic format, the Contractor shall protect against unauthorized access to the equipment and any of the data. (2) In no event shall responses containing CHRI be disseminated other than as governed by this OS or more stringent contract requirements.

6.0 - Personnel Security
6.01 - Personnel CHR Check (See Section 11.03)
AR: (1) Process CHR checks on Contractor (and approved Sub-Contractor) personnel having unescorted access to CHRI if a local, state, or federal written standard requires or authorizes a CHR check. (2) CHR checks of Contractor (and approved Sub-Contractor) personnel will, at a minimum, be no less stringent than CHR checks that are performed on the AR's personnel performing similar functions. (3) CHR checks must be completed prior to accessing CHRI under the contract.
Contractor: (1) Prior to performing work under the contract, obtain and submit relevant information on employees (and Sub-Contractors) requesting access to CHRI for CHR checks, and wait for approval. (2) CHR checks must be completed prior to accessing CHRI under the contract.
SCO/CA: (1) The SCO/CA shall conduct CHR checks of Contractor personnel having access to CHRI, if authorized.

6.02 - Requirements
Contractor: (1) Ensure that each employee performing work under the contract is aware of the requirements of the OS and the state and federal laws governing the security and integrity of CHRI. (2) Confirm in writing that each employee has certified in writing that he/she understands the OS requirements and the laws that apply to his/her responsibilities. (3) Maintain the employee certifications in a file that is subject to review during audits. (4) Employees shall make such certification prior to performing work under the contract.

6.03 - Updated Personnel Records with Access to CHRI
Recommendation based on good business practice:
AR: (1) Maintain updated records of personnel who have access to CHRI; update those records within 24 hours when changes to that access occur. (2) If a CHR check is required, maintain a list of personnel who have successfully completed CHR checks.
Contractor: (1) Maintain updated records of personnel who have access to CHRI; update those records within 24 hours when changes to that access occur. (2) If a CHR check is required, maintain a list of personnel who have successfully completed CHR checks. (3) Notify the AR within 24 hours when personnel additions or deletions occur.

7.0 - System Security
7.01 - CJIS Security Policy (See 2.02 - OS & CJIS Security Policy)
Contractor: (1) Ensure the security system complies with the CJIS Security Policy in effect at the time the OS is incorporated into the contract and with successor versions of the CJIS Security Policy.

7.01(a) - Firewall
AR: (1) Ensure encryption is used appropriately in accordance with the CJIS Security Policy.
Contractor: (1) Implement a firewall-type device for all systems that can be accessed via WAN/LAN or the Internet, as specified in the CJIS Security Policy.

7.01(b) - Encryption
AR: (1) Ensure encryption is used appropriately in accordance with the CJIS Security Policy.
Contractor: (1) Encrypt CHRI that is passed through a shared public carrier network.

7.02 - CHRI and Media Storage and Disposal
Contractor: (1) Provide for the secure storage and disposal of all hard copy and media associated with the system to prevent access by unauthorized personnel: (a) a physically secure location; (b) sanitization procedures for all fixed and non-fixed storage media; (c) storage procedures for all fixed and non-fixed storage media.

7.02(a) - CHRI Storage
Contractor: (1) Store CHRI in a physically secure location.

7.02(b) - Media Sanitization
AR: (1) Ensure a procedure is in place for sanitizing all fixed storage media at completion of the contract and/or before it is returned for maintenance, disposal, or re-use.
Contractor: (1) Establish a procedure for sanitizing all fixed storage media at completion of the contract and/or before it is returned for maintenance, disposal, or re-use. Sanitization procedures include overwriting the media and/or degaussing the media.

7.02(c) - Disposal Procedure
AR: (1) Ensure that a procedure is in place for the disposal and return of all non-fixed storage media.
Contractor: (1) Establish a procedure for the disposal and return of all non-fixed storage media.

7.03 - Identification Requirement (See Section 11.08)
AR: (1) Be assigned a unique identifying number by the Contractor.
Contractor: (1) Identify each AR and sub-contractor by a unique identifying number.

8.0 - Security Violations
8.01 - Security Violation Policy (See Sections 2.07 & 3.03)
AR: (1) Develop and maintain a written policy for discipline of Contractor employees who violate the security provisions of the contract, including the OS. (2) Develop and maintain a written incident reporting plan for security events, to include violations and incidents. (3) Immediately (within four hours) notify the SCO/CA and the FBI CO of any security violation or termination of the contract. (a) Provide a written report of any security violation to the SCO/CA, if applicable, and the FBI CO within 5 calendar days of receipt of the written report from the Contractor. (b) The written report must include corrective actions taken by the Contractor and the AR to resolve the security violation.
Contractor: (1) Pending investigation, upon detection or awareness, suspend any employee who commits a security violation from assignments with access to CHRI under the contract. (2) Immediately (within four hours) notify the AR of any security violation or termination of the contract, to include unauthorized access to CHRI. (3) Within 5 calendar days of notification, provide the AR a written report documenting the security violation, any corrective actions taken by the Contractor, and the date, time, and summary of the prior notification.

8.02 - Contract Termination (See Section 2.06)
AR: (1) Terminate the contract, when necessary, for security violations: (a) involving CHRI obtained pursuant to the contract; (b) for the Contractor's failure to notify the AR of any security violation or to provide a written report concerning such violation; (c) if the Contractor refuses to or is incapable of taking corrective actions to successfully resolve a security violation.

8.03(a) - CHRI Suspension or Termination (See Section 11.10(a))
AR and Contractor: (1) If the AR fails to provide a written report notifying the SCO/CA or the FBI CO of a security violation, or refuses to or is incapable of taking corrective action to successfully resolve a security violation, the CC or the US AG may suspend or terminate the exchange of CHRI with the AR pursuant to 28 CFR 906.2(d).

8.03(b) - Exchange of CHRI Reinstatement (See Section 11.10(b))
AR: (1) If the exchange of CHRI is suspended, it may be reinstated after satisfactory written assurances have been provided by the SCO/CA, the FBI CO, the AR, and the Contractor to the CC Chairman or the US AG that the security violation has been resolved. (2) If the exchange of CHRI is terminated, inform the Contractor whether to delete or return records (including media) containing CHRI in accordance with the provisions and time frame specified.
Contractor: (1) If the exchange of CHRI is suspended, it may be reinstated after satisfactory written assurances have been provided by the SCO/CA, the FBI CO, the AR, and the Contractor to the CC Chairman or the US AG that the security violation has been resolved. (2) If the exchange of CHRI is terminated, delete or return records (including media) containing CHRI in accordance with the provisions and time frame specified by the AR.
SCO/CA: (1) May reinstate after satisfactory written assurances have been provided to the CC Chair and the US AG.
CJIS/CC/US AG: (1) If the exchange of CHRI is suspended, it may be reinstated after satisfactory written assurances have been provided by the SCO/CA, the FBI CO, the AR, and the Contractor to the CC Chairman or the US AG that the security violation has been resolved.

8.04 - Security Violation Notification (See Section 11.11)
AR: (1) Provide written notice (through the SCO/CA, if applicable) to the FBI CO of the following: (a) contract termination for security violations; (b) security violations involving unauthorized access to CHRI; (c) the Contractor's name and unique ID number, the nature of the security violation, whether the violation was intentional, and the number of times the violation occurred.
SCO/CA: (1) The SCO/CA, if applicable, shall forward the written notice to the FBI CO. (2) The SCO/CA ensures Contractor access to CHRI is terminated. (3) The SCO/CA records the date the contract was terminated and the date Contractor access to CHRI was terminated.

8.05 - Investigation Rights of Unauthorized Access to CHRI (See Section 11.12)
SCO/CA: (1) The SCO/CA reserves the right to investigate or decline to investigate any report of unauthorized access to CHRI.
CJIS/CC/US AG: (1) The CC and the US AG reserve the right to investigate or decline to investigate any report of unauthorized access to CHRI.

8.06 - Audits
SCO/CA: (1) The SCO/CA reserves the right to audit the AR's and Contractor's operations and procedures at scheduled or unscheduled times. (2) The state is authorized to perform a final audit of the Contractor's systems after termination of the contract.
CJIS/CC/US AG: (1) The CC and the US AG reserve the right to audit the AR's and Contractor's operations and procedures at scheduled or unscheduled times. (2) The CC and the US AG are authorized to perform a final audit of the Contractor's systems after termination of the contract.

9.0 - Miscellaneous Provisions
9.01 - OS
All columns (AR, Contractor, SCO/CA, CJIS/CC/US AG): (1) This OS does not confer, grant, or authorize any rights, privileges, or obligations to any persons other than the Contractor, the AR, the CO/CA (where applicable), and the FBI.

9.02 - CJIS Security Policy
All columns: (1) The CJIS Security Policy is incorporated by reference and made a part of this OS.

9.03 & Footnote 5 - OS Stringency
AR, SCO/CA, CJIS/CC/US AG: (1) The CC, the AR, and the CO/CA have the explicit authority to require more stringent standards than those contained in the OS.
Contractor: (1) Comply with any additional conditions as required by the CC, the AR, or the CO/CA.

9.04 - OS Modification
All columns: (1) The minimum security measures as outlined in this OS may only be modified by the CC. (2) Conformance to such security measures may not be less stringent than stated in this OS without the consent of the CC in consultation with the US AG.

9.05 - OS Modification
All columns: (1) This OS may only be modified by the CC and may not be modified by the parties to the appended contract without the consent of the CC.

9.06 - FBI CO Address
All columns: (1) Appropriate notices, assurances, and correspondence to the FBI CO, the CC, and the US AG required by Section 8.0 of this OS shall be forwarded by First Class Mail to: FBI Compact Officer, 1000 Custer Hollow Road, Module D3, Clarksburg, WV 26306.

10.0 - Exemption from Above Provisions
10.01
AR and Contractor: An IT contract need only include Sections 1.0, 2.01, 2.02, 2.03, 3.01, 6.0, 8.0, and 9.0 of this OS when all of the following conditions exist:
(1) Access to CHRI by the IT contractor's personnel is limited solely to the development and/or maintenance of the AR's computer system;
(2) Access to CHRI is incidental, but necessary, to the duties being performed by the IT contractor;
(3) The computer system resides within the AR's facility;
(4) The AR's personnel supervise or work directly with the IT contractor personnel;
(5) The AR maintains complete, positive control of the IT contractor's access to the computer system and the CHRI contained therein; and
(6) The AR retains all the duties and responsibilities for the performance of its authorized NCJA functions, unless it executes a separate contract to perform such NCJA functions, subject to all applicable requirements, including the OS.

10.02 - Exemption
AR and Contractor: An AR's contract where access to CHRI is limited solely to the purposes of the following (a-c) need only include Sections 1.0, 2.01, 2.02, 2.03, 3.01, 4.0, 6.0, 8.0, and 9.0 of this OS when all of the following conditions exist (i-vii):
(a) storage (referred to as archiving in some states) of the CHRI at the Contractor's facility;
(b) retrieval of the CHRI by Contractor personnel on behalf of the AR, with appropriate security measures in place to protect the CHRI; and/or
(c) destruction of the CHRI by Contractor personnel when not observed by the AR.
Conditions:
(i) Access to CHRI by the Contractor is limited solely to the purposes of: (A) storage (referred to as archiving in some states) of the CHRI at the Contractor's facility; (B) retrieval of the CHRI by Contractor personnel on behalf of the AR, with appropriate security measures in place to protect the CHRI; and/or (C) destruction of the CHRI by Contractor personnel when not observed by the AR;
(ii) Access to CHRI is incidental, but necessary, to the duties being performed by the Contractor;
(iii) The Contractor is not authorized to disseminate CHRI to any other agency or contractor on behalf of the AR;
(iv) The Contractor's personnel are subject to the same CHR checks as the AR's personnel;
(v) The CHR checks of the Contractor personnel are completed prior to work on the contract or agreement;
(vi) The AR retains all other duties and responsibilities for the performance of its authorized NCJA functions, unless it executes a separate contract to perform such NCJA functions, subject to all applicable requirements, including the OS; and
(vii) The Contractor stores the CHRI in a physically secure location.

Section 11.0 - Duties of the SCO/CA
11.01 - Outsourcing Request (See Section 2.01)
SCO/CA: (1) Review legal authority and respond in writing to the AR's request to outsource noncriminal justice administrative functions.

11.02 - Access to Contract (See Section 2.03(d))
SCO/CA: (1) Reserves the right to review relevant portions of the outsourcing contract relating to CHRI throughout the duration of the contract approval.

11.03 - Criminal History Record (CHR) Checks (See Sections 2.03(a), 6.01 and Footnote 4)
SCO/CA: (1) Ensure criminal history record checks on approved Contractor and Sub-Contractor employees with access to CHRI are completed by the AR, if such checks are required or authorized for AR personnel by federal statute, executive order, or a state statute approved by the U.S. AG under Pub. L. 92-544. Criminal history record checks should be no less stringent than the checks performed on AR personnel. Criminal history record checks must be completed prior to accessing CHRI under the contract.

11.04 - Records and Topological Drawing (See Section 2.04)
SCO/CA: (1) Coordinate with the AR for the review and approval of the Contractor's topological drawing, which depicts the interconnectivity of the Contractor's network configuration as it relates to the outsourcing function(s).

11.05 - 90 Day Compliance Review (See Section 2.05)
SCO/CA: (1) Work in coordination with the AR to conduct an audit of the Contractor within 90 days of the date the Contractor first receives CHRI under the approved outsourcing agreement. (2) Review the AR's audit certification to ensure compliance with the OS. (i) Address concerns with the AR resulting in non-compliance with the 90 day audit of the Contractor. (ii) Have the right to terminate an AR's outsourcing approval to a Contractor(s) for failure or refusal to correct a non-compliance issue(s).

11.06 - Security Program Review (See Section 3.06)
SCO/CA: (1) Coordinate with the AR to review the Contractor's Security Program. (2) The program shall describe the implementation of the security requirements outlined in the OS and the CJIS Security Policy. (3) During the review, provisions will be made to update the Security Program to address security events and to ensure changes in policies and standards, as well as changes in federal and state law, are incorporated.

11.07 - Security Inspection (See Section 3.05)
SCO/CA: (1) Audit the AR's and/or the Contractor's operations and procedures. This may be done at scheduled and unscheduled times.

11.08 - Identification Requirement (See Section 7.03)
SCO/CA: (1) Assign a unique identifying number to each AR, Contractor, or sub-Contractor to ensure system security.

11.09 - Security Violation Policy (See Section 8.01)
SCO/CA: (1) Require immediate (within four hours) notification by the AR of any security event, to include unauthorized access to CHRI made available pursuant to the contract. (2) Receive a written report from the AR of any security event (to include unauthorized access to CHRI by the Contractor) within five calendar days of receipt of the written report from the Contractor; the report must include any corrective actions taken by the Contractor and the AR to resolve such security event.

11.10(a) - CHRI Suspension or Termination (See Section 8.03(a))
Suspension or termination of the exchange of CHRI for security events.
SCO/CA: (1) May suspend or terminate the exchange of CHRI for security events, or for refusal or incapability to take corrective action to successfully resolve a security event.

11.10(b) - Exchange of CHRI Reinstatement (See Section 8.03(b))
SCO/CA: (1) May reinstate access to CHRI between the AR and the Contractor after receiving the written assurance(s) of corrective action(s) from the AR and/or the Contractor.

11.11 - Security Violation Notification (See Section 8.04)
SCO/CA: (1) Provide written notification to the FBI CO of the termination of a contract for security events, to include: (a) the security events involving access to CHRI; (b) the Contractor's name and unique identification number; (c) the nature of the security event; (d) whether the event was intentional; and (e) the number of times the event occurred.

11.12 - Investigation Rights of Unauthorized Access to CHRI (See Section 8.05)
SCO/CA: (1) Reserves the right to investigate or decline to investigate any report of unauthorized access to CHRI.

11.13 - Audits (See Section 8.06)
SCO/CA: (1) Is authorized to perform a final audit of the Contractor's system following termination of the contract.

• Responsibility Table for Channeling
Security and Management Control Outsourcing Standard (OS) for Channelers; OS dated 11/06/2014, table updated 12/17/2014.
Column key: AR = Authorized Recipient (State Identification Bureau on behalf of the Local/State Agency); Contractor; SCO/CA = State Compact Officer (SCO), Chief Administrator (CA), CJIS Systems Agency (CSA); CJIS/FBI CO = FBI CJIS Division (CJIS), FBI Compact Officer (FBI CO), Compact Council (CC), United States Attorney General (US AG).

Section 2.0 - Responsibilities of the AR
2.01 - Outsourcing Request; Footnote 2 - Audit Requirements; Footnote 3 - Outsourcing Approval
AR shall: (1) Request and receive written permission from the FBI CO. (2) Provide the FBI CO copies of the specific authority for the outsourced work, criminal history record check requirements, and/or a copy of relevant portions of the contract as requested. (3) Conduct audits of the Contractor, as necessary. (4) Review audit reports and impose sanctions as necessary.
CJIS/FBI CO: FBI CO shall: (1) Approve/disapprove the request in writing. (2) The FBI CO may not grant such permission unless he/she has implemented a federal audit program to, at a minimum, triennially audit a representative sample of the Contractors and ARs engaging in outsourcing, with the first of such audits to be conducted within one year of the date the Contractor first receives CHRI under the approved outsourcing agreement. (3) The FBI CO will review copies of the specific authority for the outsourced work, criminal history record check requirements, and/or a copy of relevant portions of the contract if requested. CJIS Audit Unit shall: (1) Conduct required audits of the AR and Contractor and audit on behalf of the CC. (2) CJIS/CC to review audit reports and impose sanctions as necessary.

2.02 - Contract; 2.03(c) & 7.01 & 9.02 - OS and CJIS Security Policy
AR: (1) Execute the contract or agreement prior to providing a Contractor access to CHRI. (2) Ensure that the most updated versions of both the OS and/or the CJIS Security Policy are incorporated by reference at the time of the contract, contract renewal, or within 60 calendar days of the notification period, whichever is sooner.
Contractor: (1) Ensure that the most current versions of both the OS and the CJIS Security Policy are incorporated by reference and appended to the contract at the time of the initial contract, contract renewal, and/or option renewal.
CJIS/FBI CO: (1) The FBI CO shall make available the most current version of both the OS and the CJIS Security Policy to the AR within 60 calendar days (unless otherwise directed) of notification of successor versions. (2) Within 60 calendar days of changes and updates to the OS and the CJIS Security Policy, CJIS shall notify Contractors of such changes or updates.

2.03 - Access to CHRI
AR: When the Contractor will have access to CHRI, the AR shall: (1) Specify terms and conditions of access. (2) Limit the use of the information to the purposes for which it was provided. (3) Prohibit dissemination except as authorized by federal and state laws, regulations, and standards, as well as rules, procedures, and standards established by the CC and the US AG. (4) Ensure security and confidentiality of the information, to include confirmation that the intended recipient is authorized to receive CHRI. (5) Provide for audits and sanctions. (6) Provide conditions for termination of the contract. (7) Ensure Contractor personnel comply with the OS. (8) May conduct 90-day, one year, and triennial audits of Contractors.
CJIS/FBI CO: (1) The CJIS Audit Unit shall conduct 90-day, one year, and triennial audits of Contractors.

2.03(a) - Criminal History Record (CHR) Checks
AR: Recommendation based on good business practice: (1) Maintain updated records of personnel who have access to CHRI; update those records within 24 hours when changes to that access occur.
Contractor: (1) Provide personnel information relevant for a CHR check. (2) Provide updates of personnel changes to CJIS within 24 hours of the changes.
CJIS/FBI CO: (1) CJIS shall conduct CHR checks of Contractor personnel having access to CHRI. (2) CJIS shall maintain updated records of Contractor personnel who have access to CHRI and update those records within 24 hours when changes to that access occur. (3) CJIS shall maintain a list of Contractor personnel who have successfully completed CHR checks.

2.03(b) - Site Security
AR: (1) May ensure that a Contractor maintains site(s) security.
Contractor: (1) Maintain site(s) security.
CJIS/FBI CO: (1) The FBI shall ensure that the Contractor maintains site(s) security.

2.03(c) - OS and CJIS Security Policy
AR: See 2.02.
Contractor: See 2.02.

2.03(d) & 3.02 - Security Program
AR may: (1) Ensure that the Contractor establishes and administers an IT Security Program. (2) Provide written approval of a Contractor's Security Program. However, this approval is not in lieu of the FBI's written approval.
Contractor shall: (1) Develop, document, administer, and maintain a Security Program (Physical, Personnel, and IT) to comply with the most current OS and the most current CJIS Security Policy. (2) Provide the written Security Program to the FBI for approval and, if requested, to the AR. (3) The Security Program shall describe the implementation of the security requirements described in this OS and the CJIS Security Policy. (4) Set, maintain, and enforce the standards for selection, supervision, and separation of personnel who have access to CHRI.
FBI shall: (1) Ensure that the Contractor establishes and administers a Security Program. (2) Provide the written approval of a Contractor's Security Program.

    2.03(e) – Penetration Testing
    Contractor: (1) Shall allow the FBI to periodically test the ability to penetrate the FBI's network through the external network connection or system.
    CJIS/FBI CO/CC/US AG: (1) CJIS may test ability to penetrate network through the external network connection or system.

    2.03(f) – Access to Contract
    AR: (1) Make available to the FBI CO the relevant portions of the current and approved contract relating to CHRI, upon request.
    Contractor: (1) Make available to the FBI CO the relevant portions of the current and approved contract relating to CHRI, upon request.
    CJIS/FBI CO/CC/US AG: (1) CJIS may request relevant portions of the current and approved contract relating to CHRI.

    2.04 – Records and Topological Drawing
    AR: (1) Understand the communications and record capabilities of the Contractor which has access to federal or state records through, or because of, its outsourcing relationship with the AR. (2) May maintain an updated topological drawing which depicts the interconnectivity of the Contractor's network configuration.
    Contractor: (1) Provide updated topological drawings depicting the interconnectivity of the network configuration to the FBI and, if requested, to the AR.
    CJIS/FBI CO/CC/US AG: (1) FBI shall maintain an updated topological drawing which depicts the interconnectivity of the Contractor's network configuration.

    2.05 – 90 Day Compliance Review
    AR: (1) Responsible for the actions of Contractor and monitoring the Contractor's compliance to the terms and conditions of the OS.
    CJIS/FBI CO/CC/US AG: (1) CJIS Audit Unit shall certify to the FBI CO that an audit was conducted with the Contractor within 90 days of the date the Contractor first receives CHRI under the approved outsourcing agreement.

    2.06 – Contract Termination
    AR: (1) Provide written notice of any early voluntary termination of the contract to the FBI CO.

    2.07 – ISO Appointment
    AR: (1) Appoint an Information Security Officer (ISO) to: (a) Serve as the security POC for the FBI CJIS Division ISO; (b) Document technical compliance with the OS; and (c) Establish a security incident response and reporting procedure to discover, investigate, document, and report on major incidents that significantly endanger the security or integrity of the NCJ agency systems to the state's CJIS Systems Officer and the FBI CJIS Division ISO.

    3.0 – Responsibilities of the Contractor
    3.01 – Regulation Compliance
    Contractor: (1) Contractor and its employees shall comply with all federal and state laws, regulations, and standards (including the CJIS Security Policy) as well as with rules, procedures, and standards established by the CC and the US AG.

    3.02 – Security Program – See 2.03(d)
    See 2.03(d).

    3.03 – Security Requirements
    Contractor: (1) Requirements for a Security Program should include, at a minimum: (a) Description of the implementation of the security requirements described in the OS and the CJIS Security Policy. (b) Security training. (c) Guidelines for documentation of security violations. (d) Standards for the selection, supervision, and separation of personnel with access to CHRI. *If using a corporate policy, it must meet the requirements outlined in the OS and the CJIS Security Policy. If the corporate policy is not this specific, it must flow down to a level where the documentation supports these requirements.

    3.04 – Security Program Management
    Contractor shall be: (1) Accountable for the management of the Security Program. (2) Responsible for reporting all security violations of the OS to the AR.

    3.05 – Security Training Program
    AR: If training requirement retained by AR: (1) Develop a Security Training Program for all Contractor personnel with access to CHRI prior to their appointment/assignment. (2) Provide training upon receipt of notice from the FBI CO on any changes to federal and state laws, regulations, and standards as well as with rules, procedures, and standards established by the CC and the US AG. (3) Provide annual refresher training, not later than the anniversary date of the contract, and may certify in writing to the FBI that annual refresher training was completed for those Contractor personnel with access to CHRI.
    Contractor: (1) Except when the training requirement is retained by the AR, the Contractor shall develop a Security Training Program for all Contractor personnel with access to CHRI prior to their appointment/assignment. (2) Provide training upon receipt of notice from the FBI CO or SCO/CA on any changes to federal and state laws, regulations, and standards as well as with rules, procedures, and standards established by the CC and the US AG. (3) Provide annual refresher training, not later than the anniversary date of the contract, and certify in writing to the FBI that annual refresher training was completed for those Contractor personnel with access to CHRI.
    FBI shall: (1) Review and provide to a Contractor written approval/disapproval of the Contractor's Security Training Program (unless retained by the AR). (2) Ensure that annual refresher training was completed by those Contractor personnel with access to CHRI.

    3.06 – Security Inspection
    AR: (1) May perform announced and unannounced audits and security inspections.
    Contractor: (1) Make its facilities available for announced and unannounced audits and security inspections performed by the AR or the FBI on behalf of the CC.
    CJIS/FBI CO/CC/US AG: (1) FBI, on behalf of CC, shall perform announced and unannounced audits and security inspections.

    3.07 – Security Program Review
    AR: (1) May review Contractor's Security Program (see Section 3.02). (2) During this review, provision will be made to update the Security Program to address security violations and to ensure changes in policies and standards as well as changes in federal and state law are incorporated.
    CJIS/FBI CO/CC/US AG: (1) CJIS shall review Contractor's Security Program. (2) During this review, provision will be made to update the Security Program to address security violations and to ensure changes in policies and standards as well as changes in federal and state law are incorporated.

    3.08 – Maintenance of CHRI
    AR: (1) Manner of and timeframe for CHRI dissemination by the Contractor shall be specified in the contract or agreement.
    Contractor: (1) Maintain CHRI only for the period of time necessary to fulfill its contractual obligations. (2) CHRI disseminated by a Contractor to an AR via an authorized Web site shall remain on such Web site only for the time necessary to meet the AR's requirements, but in no event shall that time exceed 30 calendar days. (3) Destroy CHRI immediately after confirmation of successful receipt by the AR. (4) Manner of and timeframe for CHRI dissemination to an AR shall be specified in the contract or agreement.

    3.09 – CHRI Logging
    Contractor: (1) Maintain log of any CHRI dissemination for a minimum of 365 days.

    3.10 – Access to Contract
    See 2.03(f).

    4.0 – Site Security
    4.01 – Physically Secure Location
    Contractor: (1) Maintain a physically secure site(s).
    FBI shall: (1) Ensure that a Contractor's site is a physically secure location to protect against any unauthorized access to CHRI.

    4.02 – Visitor Escort
    Contractor: (1) Only authorized personnel shall escort all visitors to computer centers and/or terminal areas.

    4.03 – Contractor with Direct Access
    Contractor: (1) Any Contractor with direct access to CHRI shall allow the FBI to conduct periodic penetration testing.
    CJIS/FBI CO/CC/US AG: (1) FBI may conduct periodic penetration testing.

    5.0 – Dissemination
    5.01 – System Access
    AR: (1) Ensure that access to the system is provided to employees of the Contractor, employees of the AR, and such other persons as authorized by the AR for official purposes consistent with the appended contract.
    Contractor: (1) Ensure that access to the system is provided to employees of the Contractor, employees of the AR, and such other persons as authorized by the AR for official purposes consistent with the appended contract.
    CJIS/FBI CO/CC/US AG: (1) CJIS will ensure that access to the system is provided to employees of the Contractor, employees of the AR, and such other persons as authorized by the AR for official purposes consistent with the appended contract.

    5.02 – Official Use of CHRI
    AR: (1) Ensure access to the system is available only for official purposes consistent with the appended contract. (2) Ensure any dissemination of CHRI data to authorized employees of the Contractor is to be for official purposes only.
    Contractor: (1) Ensure access to the system is available only for official purposes consistent with the appended contract. (2) Ensure any dissemination of CHRI data to authorized employees of the Contractor is to be for official purposes only.
    CJIS will: (1) Ensure access to the system is available only for official purposes consistent with the appended contract. (2) Ensure any dissemination of CHRI data to authorized employees of the Contractor is to be for official purposes only.

    5.03 – CHRI Dissemination
    AR: (1) Ensure information contained in or about the system will not be provided to agencies other than the AR or another entity which is specifically designated in the contract.
    Contractor: (1) Ensure information contained in or about the system will not be provided to agencies other than the AR or another entity which is specifically designated in the contract.
    CJIS/FBI CO/CC/US AG: (1) CJIS will ensure information contained in or about the system will not be provided to agencies other than the AR or another entity which is specifically designated in the contract.

    5.04 – Dissemination Authority
    AR: (1) Authorize any dissemination by the Contractor of CHRI that are within the guidelines of federal and state laws, regulations, and standards as well as with rules, procedures, and standards established by the CC and the US AG.
    Contractor: (1) Not disseminate CHRI without the consent of the AR, and as specifically authorized by federal and state laws, regulations, and standards as well as with rules, procedures, and standards established by the CC and the US AG.
    CJIS/FBI CO/CC/US AG: (1) CJIS will ensure that the Contractor does not disseminate CHRI without the consent of the AR, and as specifically authorized by federal laws, regulations, and standards established by the CC and the US AG.

    5.05 – Dissemination Log
    Contractor: (1) Maintain an up-to-date log of CHRI for a minimum one year retention period that must clearly identify: (a) AR and the secondary recipient with unique identifiers, (b) Record disseminated, (c) Date of dissemination, (d) Statutory authority for dissemination, and (e) Means of dissemination.
    CJIS/FBI CO/CC/US AG: (1) CJIS will ensure that the Contractor will maintain an up-to-date log of CHRI for a minimum one year retention period that must clearly identify: (a) AR and the secondary recipient with unique identifiers, (b) Record disseminated, (c) Date of dissemination, (d) Statutory authority for dissemination, and (e) Means of dissemination.

    5.06 – Unauthorized Access
    Contractor: (1) If CHRI is stored or disseminated in an electronic format, protect against unauthorized access to the equipment and any of the data. (2) In no event shall responses containing CHRI be disseminated other than as governed by this OS or more stringent contract requirements.
    CJIS will: (1) Protect against unauthorized access to the equipment and any of the data if CHRI is stored or disseminated in an electronic format.

    5.07 – Access Attempts
    Contractor: (1) Shall not attempt access for inappropriate or illegal activities. (2) Record and review access attempts to detect inappropriate or illegal activity.
    CJIS/FBI CO/CC/US AG: (1) CJIS may record and review access attempts for detection of inappropriate or illegal activities.

    5.08 – Contingency Plan
    Contractor: (1) Establish a documented contingency plan as defined in the CJIS Security Policy and approved by the FBI.
    CJIS/FBI CO/CC/US AG: (1) FBI shall approve a Contractor's documented contingency plan as defined in the CJIS Security Policy.

    6.0 – Personnel Security
    6.01 – Personnel CHR Check
    Contractor: (1) Prior to performing work under the contract, obtain and submit relevant information of Contractor (and approved Sub-Contractor) personnel requesting access to CHRI for CHR checks and wait for approval.
    CJIS/FBI CO/CC/US AG: (1) The FBI shall process CHR checks on Contractor (and approved Sub-Contractor) personnel having access to CHRI. CHR checks must be completed prior to accessing CHRI under the contract. (2) The FBI shall notify Contractor of CHR check decision.

    6.02 – Requirements
    Contractor: (1) Shall ensure that each employee performing work under the contract is aware of the requirements of the OS and the state and federal laws governing the security and integrity of CHRI. (2) Shall confirm in writing that each employee has certified in writing that he/she understands the OS requirements and laws that apply to his/her responsibilities. (3) Shall maintain the employee certifications in a file that is subject to review during audits. (4) Employees shall make such certification prior to performing work under the contract.
    CJIS/FBI CO/CC/US AG: (1) The CJIS Audit Unit shall review confirmation certifications during audits.

    6.03 – Updated Personnel Records with Access to CHRI
    AR: (1) May request and maintain updated records of personnel with access to CHRI.
    Contractor: (1) Shall maintain updated records of personnel who have access to CHRI, update those records within 24 hours when changes to that access occur, and maintain a list of personnel who have successfully completed CHR checks. (2) Shall notify FBI within 24 hours when additions or deletions occur.
    CJIS/FBI CO/CC/US AG: (1) CJIS shall maintain a list of personnel who successfully complete the CHR check. (2) CJIS shall update the list of Contractor personnel when additions or deletions occur.

    7.0 – System Security
    7.01 – CJIS Security Policy – See 2.02 – OS & CJIS Security Policy
    See 2.02.
    Contractor: (1) Ensure security system complies with CJIS Security Policy in effect at the time the OS is incorporated into the contract and with successor versions of the CJIS Security Policy.

    7.01(a) – Firewall
    Contractor: (1) Protect the CHRI with firewall-type devices to prevent such unauthorized access if CHRI can be accessed by unauthorized personnel via WAN/LAN or the Internet. (2) Implement a minimum firewall profile as specified by the CJIS Security Policy in order to provide a point of defense and a controlled and audited access to CHRI, both from inside and outside the networks.
    CJIS/FBI CO/CC/US AG: (1) CJIS will ensure firewall-type devices are implemented to ensure unauthorized access to CHRI as specified in the CJIS Security Policy.

    7.01(b) – Encryption
    Contractor: (1) Encrypt CHRI that is passed through a shared public carrier network.

    7.02 – CHRI and Media Storage and Disposal
    Contractor: (1) Provide for the secure storage & disposal of all hard copy and media associated with system.

    7.02(a) – CHRI Storage
    Contractor: (1) Store CHRI in a physically secure location.

    7.02(b) – Media Sanitization
    AR: (1) Ensure a procedure is in place for sanitizing all fixed storage media (e.g., disks, drives, backup storage) at the completion of the contract and/or before it is returned for maintenance, disposal, or reuse.
    Contractor: (1) Establish a procedure for sanitizing all fixed storage media at completion of contract and/or before it is returned for maintenance, disposal, or re-use. Sanitization procedures include overwriting the media and/or degaussing the media.

    7.02(c) – Disposal Procedure
    AR: (1) Ensure a procedure is in place for the disposal or return of all non-fixed storage media (e.g., hard copies, print-outs).
    Contractor: (1) Establish a procedure for disposal and return of all non-fixed storage media.

    7.03 – Identification Requirement
    AR: (1) Be assigned a unique identifying number by CJIS or the Contractor.
    Contractor: (1) Identify each AR and Sub-Contractor by a unique identifying number.
    CJIS/FBI CO/CC/US AG: (1) CJIS shall assign a unique identifier to each Contractor. (2) CJIS may assign a unique identifying number to the AR.

    8.0 – Security Violations
    8.01 – Security Violation Policy
    AR: (1) Immediately (within four hours) notify FBI CO of any security violation or termination of contract. (2) Provide written report of any security violation to the FBI CO, within 5 calendar days of receipt of written report from Contractor. (3) Written Report must include corrective actions taken by Contractor and AR to resolve security violation.
    Contractor: (1) Develop & maintain a written policy for discipline of employees who violate security provisions of the contract, including this OS. (2) Upon detection or awareness, suspend any employee who commits a security violation from assignments in which he/she has access to CHRI, pending investigation. (3) Immediately (within four hours) notify AR and the FBI of any security violation to include unauthorized access to CHRI. (4) Within 5 calendar days of notification, provide AR and the FBI a written report documenting security violation, any corrective actions taken by Contractor, and the date, time, and summary of prior notification.

    8.02 – Contract Termination
    AR: (1) Terminate Contract, when necessary, for security violations: (a) Involving CHRI obtained pursuant to the contract. (b) For the Contractor's failure to notify the AR of any security violation or to provide a written report concerning such violation. (c) If the Contractor refuses to or is incapable of taking corrective actions to successfully resolve a security violation.

    8.03(a) – CHRI Suspension or Termination
    CJIS/FBI CO/CC/US AG: (1) If AR fails to provide a written report notifying the FBI CO of a security violation, or refuses to or is incapable of taking corrective action to successfully resolve a security violation, the CC or US AG may suspend or terminate the exchange of CHRI with AR pursuant to 28 CFR 906.2(d).

    8.03(b) – Exchange of CHRI Reinstatement
    AR: (1) The AR and Contractor shall provide to the CC Chairman or the US AG satisfactory written assurances that the security violation has been resolved. (2) If the exchange of CHRI is terminated, inform the Contractor whether to delete or return records (including media) containing CHRI in accordance with the provisions and timeframe specified.
    Contractor: (1) The AR and Contractor shall provide to the CC Chairman or the US AG satisfactory written assurances that the security violation has been resolved. (2) If the exchange of CHRI is terminated, delete or return records (including media) containing CHRI, in accordance with the provisions and timeframe as specified by AR.
    CJIS/FBI CO/CC/US AG: (1) If the exchange of CHRI is suspended, it may be reinstated after satisfactory written assurances have been provided to the CC Chairman or the US AG, by the AR and the Contractor, that the security violation has been resolved.

    8.04 – Security Violation Notification
    AR: (1) Provide written notice to the FBI CO of the following: (a) Contract termination for security violations. (b) Security violations involving unauthorized access to CHRI. (c) Contractor's name and unique ID number, nature of security violation, whether violation was intentional, and number of times violation occurred.

    8.05 – Investigation Rights of Unauthorized Access to CHRI
    (1) SCO/CA, CC and the US AG reserve the right to investigate or decline to investigate any report of unauthorized access to CH