Understanding CJIS Compliance – Information Exchange Agreements

In the previous blog, we saw an overview of what CJIS is and what are different policy areas and in this blog we will elaborate on the first policy area - Information Exchange Agreements. Under the first policy area Information Exchange Agreements, it is mentioned that the information shared through communication mediums should be safely protected using appropriate security safeguards. Information exchanged can take many forms such as instant messages, electronic mail, hard copy, facsimile, web services and also information systems sending, receiving and storing CJI. It is to be noted that the agencies, before exchanging criminal justice information, should put formal agreements in place that specify the security controls. Information Exchange Agreements helps in understanding the roles, responsibilities and data ownership between agencies and other external parties. 

Information ExchangeThere are multiple things that one needs to know to have a clear understanding of the information exchange agreements. Firstly we need to understand Information exchange at different levels and they are as listed below 

1

Information HandlingProper handling of criminal justice information is of primary importance and the agencies should establish procedures for handling and storage of information to protect it from unauthorized disclosure, misuse or alteration. These procedures should be followed in handling, processing, communication and storing of CJI. Furthermore, the policies for handling and protecting information also apply to using CJI that is shared with or received from FBI CJIS for non-criminal justice purposes also. State and Federal Agency User AgreementsFor the state and federal agency user agreements, each Special Intelligence Bureau (SIB) chief or a CJIS Systems Agency (CSA) head should execute a signed written user agreement with the FBI CJIS division by stating their willingness to conform to the Information Exchange policy even before accessing and participating in the CJIS records information programs. All the agreements with the FBI CJIS division would be coordinated with the CSA head and the interface agency should allow FBI to periodically test the ability to penetrate the FBI’s network through external network connection. Criminal Justice Agency User AgreementsAny criminal justice agency receiving access to CJI shall enter into an agreement in a written form from a signatory authority of the CSA that is providing the access. The agreement would need to have clear specifications of all the FBI CJIS services and systems that the agency would have access to. These agreements should include audit, dissemination, quality assurance (QA), security and validation among others. Interagency and Management Control AgreementsNational Criminal Justice Association (NCJA) that is designated to perform criminal justice functions for CJA can also have access to Criminal Justice Information. There is a need of an inter-agency agreement, statute, executive order or regulation to authorize such an organization to have access to information. CJA and NCJA would need to execute a management control agreement (MCA) that clearly stipulates that the management control of the criminal justice function would remain with CJA only. Private Contractor User Agreements and CJIS Security AddendumCJIS security addendum is a uniform addendum to an agreement made between private contractor and government agency. Private contractors designated to perform criminal justice functions for CJA or on behalf of NCJA (government) shall have access to Criminal Justice Information and the agreement needs to be executed defining the agency’s purpose and scope of providing services for the administration of criminal justice. 

2

Agency User AgreementsNCJAs (public and private) that are designated to request civil finger-print based background checks for noncriminal justice functions are also eligible to access Criminal Justice Information. However, they would receive access only after an approval is sought from the US attorney general pursuant to federal law or a state statute. An example of NCJA (public) is a county school board while a NCJA (private) is a local bank. NCJA too have to execute a written agreement with the appropriate authority of the CSA and should allow FBI to periodically test the ability to penetrate the FBI’s network through external network connection. Channelers as well as non-channelers that are designated to perform ancillary functions on behalf of NCJAs are eligible to access CJI. Monitoring, Review and Delivery of ServicesAs specified in the MCAs, inter-agency agreements and contractual agreements with private contractors, there should be a continuous monitoring and review of the services, records and reports provided by the service providers. Authorized agency, FBI or CJA will maintain overall visibility and control into all security aspects and would also identify vulnerabilities and other flaws. Also, any changes made by a service provider would be managed by CJA or FBI.This broadly discusses the various provisions in the Policy Area -1 and in the next blog we will discuss the Policy Area-2 – Security Awareness Training. DoubleHorn is a leading Cloud Solutions Provider founded in January. We, along with our strategic partners are able to design and offer CJIS Compliance capable solutions. We were awarded the Cloud Services Contract for the State of Texas (DIR-TSO-2518) and Oklahoma (ITSW1022D) covering Cloud Services Brokerage, Cloud Assessment and Cloud Infrastructure-as-a-Service (IaaS). Contact us for a complimentary   initial assessment .

3