In the previous blog, we saw an overview of what CJIS is and what its different policy areas are. In this blog we will elaborate on the first policy area - Information Exchange Agreements.
Under the first policy area, Information Exchange Agreements, information shared through communication mediums should be protected using appropriate security safeguards. Information exchanged can take many forms, such as instant messages, electronic mail, hard copy, facsimile, web services and also information systems sending, receiving and storing CJI. Note that agencies, before exchanging criminal justice information, should put formal agreements in place that specify the security controls. Information Exchange Agreements help in understanding the roles, responsibilities and data ownership between agencies and other external parties.
Understanding CJIS Compliance – Information Exchange Agreements
Information Exchange
Several things need to be understood to have a clear picture of information exchange
agreements. First, we need to understand information exchange at different levels, which
are listed below.
Information Handling
Proper handling of criminal justice information is of primary importance, and agencies
should establish procedures for handling and storage of information to protect it from
unauthorized disclosure, misuse or alteration. These procedures should be followed in handling,
processing, communicating and storing CJI. Furthermore, the policies for handling and
protecting information also apply to using CJI that is shared with or received from FBI CJIS for
non-criminal justice purposes.
State and Federal Agency User Agreements
For state and federal agency user agreements, each Special Intelligence Bureau (SIB) chief
or CJIS Systems Agency (CSA) head should execute a signed written user agreement with the
FBI CJIS division, stating their willingness to conform to the Information Exchange policy,
before accessing and participating in the CJIS records information programs. All
agreements with the FBI CJIS division would be coordinated with the CSA head, and the
interface agency should allow the FBI to periodically test the ability to penetrate the FBI’s network
through the external network connection.
Criminal Justice Agency User Agreements
Any criminal justice agency receiving access to CJI shall enter into a written agreement
with a signatory authority of the CSA that is providing the access. The agreement
needs to clearly specify all the FBI CJIS services and systems that the agency would
have access to. These agreements should include audit, dissemination, quality assurance (QA),
security and validation, among others.
Interagency and Management Control Agreements
A National Criminal Justice Association (NCJA) that is designated to perform criminal justice
functions for a CJA can also have access to Criminal Justice Information. An
inter-agency agreement, statute, executive order or regulation is needed to authorize such an organization
to have access to information. The CJA and NCJA would need to execute a management control
agreement (MCA) that clearly stipulates that the management control of the criminal justice
function would remain with the CJA only.
Private Contractor User Agreements and CJIS Security Addendum
The CJIS security addendum is a uniform addendum to an agreement made between a private
contractor and a government agency. Private contractors designated to perform criminal justice
functions for a CJA or on behalf of an NCJA (government) shall have access to Criminal Justice
Information, and the agreement needs to be executed defining the agency’s purpose and scope of
providing services for the administration of criminal justice.
Agency User Agreements
NCJAs (public and private) that are designated to request civil fingerprint-based background
checks for noncriminal justice functions are also eligible to access Criminal Justice Information.
However, they would receive access only after an approval is sought from the US attorney
general pursuant to federal law or a state statute. An example of an NCJA (public) is a county
school board, while an NCJA (private) is a local bank. NCJAs too have to execute a written
agreement with the appropriate authority of the CSA and should allow the FBI to periodically test
the ability to penetrate the FBI’s network through the external network connection. Channelers as
well as non-channelers that are designated to perform ancillary functions on behalf of NCJAs
are eligible to access CJI.
Monitoring, Review and Delivery of Services
As specified in the MCAs, inter-agency agreements and contractual agreements with private
contractors, there should be continuous monitoring and review of the services, records and
reports provided by the service providers. The authorized agency, FBI or CJA will maintain overall
visibility and control into all security aspects and would also identify vulnerabilities and other
flaws. Also, any changes made by a service provider would be managed by the CJA or FBI.
This broadly covers the various provisions in Policy Area 1. In the next blog we will
discuss Policy Area 2 – Security Awareness Training.
DoubleHorn is a leading Cloud Solutions Provider founded in January. We, along with our
strategic partners, are able to design and offer CJIS Compliance capable solutions. We were
awarded the Cloud Services Contract for the State of Texas (DIR-TSO-2518) and Oklahoma
(ITSW1022D) covering Cloud Services Brokerage, Cloud Assessment and Cloud
Infrastructure-as-a-Service (IaaS). Contact us for a complimentary initial assessment.