
What Charlie Brown’s Teacher Taught Me About Understanding Management Control Agreements

Date Posted - 12th Jun 2014 |  Category - CJIS Security Policy, Newsletter


Is it a surprise to anyone that Charlie Brown’s teacher made Time magazine’s list of 10 Bad Teachers?


It makes sense that when all you hear is “Wah wah woh wha wha,” there isn’t a whole lot of learning due to a lack of understanding.


Today we’re going to look into Management Control Agreements (MCAs). My goal is to get past the “wah wah woh wha wha” of the CJIS Security Policy and achieve a useful understanding of MCAs.


CJIS Security Policy can be very confusing. CJIS ACE is here to help.

One of the easiest ways to illustrate the requirements of MCAs is to step through the “who, what, where, when, why and how” formula for analyzing and answering tough questions.


Who: Any non-criminal justice governmental agency that performs criminal justice functions for a criminal justice agency.

This includes entities such as non-criminal justice 911 centers and county/city IT departments providing services to a police department. 

This does NOT include contractors or vendors performing criminal justice functions. They need to execute and abide by the CJIS Security Addendum (future topic).


What: The Management Control Agreement, or MCA, sometimes referred to as “that thing.”


Where: Not really applicable, but to keep with the theme, we can say, “in the locality where the criminal justice functions are being performed.”


When: Whenever a non-criminal justice agency (e.g. 911 center, county IT department) is designated to perform criminal justice functions as authorized by executive order, statute, regulation or inter-agency agreement.


Why: To set policies, procedures and processes associated with the non-criminal justice agency’s access to criminal justice information and to stipulate that management control of the criminal justice functions (and information) remains solely with the criminal justice agency.


How: An MCA may be a separate document or included within the language of the inter-agency agreement between the criminal justice agency and the non-criminal justice governmental agency.

In either case, it needs to be a formally-executed agreement between the criminal justice agency and the non-criminal justice agency performing criminal justice functions.


As you can see, breaking down the policy into its parts makes it clearer and easier to understand.


Even so, MCAs are one of the top areas of non-compliance during state and FBI CJIS audits. 


It’s been my experience that the majority of non-compliance cases can be traced to a lack of understanding that if your county/city/town IT department provides your agency IT services, you need an MCA. This is just an example, but a prevalent one.


Breaking down the policy, for understanding purposes, is one thing. Drafting and executing an MCA between two governmental agencies can be a time-consuming and tiring process.


Getting two or more governmental agencies on the same page with differing internal policies and politics can be a struggle and sometimes feel like an exercise in futility.


I know this because I’ve done this before, several times.


After helping to author and tirelessly pursue the initial execution of the MCA between the NYS Office for Technology and the Integrated Justice Advisory Board (consisting of the NYS Division of State Police, Division of Criminal Justice Services, Division of Parole and the Department of Correctional Services), I became an instant expert in inter-agency bureaucratic diplomacy. 


With this “expertise” I’ve been asked to and have presented my experiences and tips on the process at several events (e.g. FBI CJIS Information Security Officer Symposium, NYS NYSPIN Advisory Committee and the NYS Government Local IT Directors Association).  I also became a resource for the FBI CJIS Division by fielding their referrals of agencies that were attempting to craft MCAs in their localities.  


Crafting MCAs doesn’t have to seem like an endless struggle, nor do your stress levels need to rise. The CJIS ACE proactive services suite includes MCA development, review and/or execution assistance. There’s no need to reinvent the wheel; we can help.


For more information, email me directly at: wtatun@diversecomputing.com or give me a call at: 850-656-3333 ext. 283 and we can talk more about MCAs or anything else we can help you with.


The CJIS Security Policy can be confusing with respect to what agreements are needed when.  We know this is true because the lack of properly executed Management Control Agreements and CJIS Security Addenda are always top compliance issues found during FBI and State audits.  


The CJIS ACE team can help you and your agency navigate this and any CJIS-related policy or compliance issue.  To further discuss how we can help, drop me a line at:  wtatun@diversecomputing.com or give me a call at 850-778-3207.


Until next time, be safe.

Bill Tatun - Our Lead CJIS Audit and Compliance Expert


e:  wtatun@diversecomputing.com

o:  850-778-3207

w:  www.diversecomputing.com/CJISACE



CJIS ACE is a division at DCI that helps law enforcement agencies comply with the FBI CJIS Security Policy and NCIC requirements. CJIS ACE services are designed to help you be pro-active in strengthening your agency’s information security profile and comply with any other security policies that may be required (e.g. a State or County IT Security Policy). CJIS ACE brings real-world experience at the ready to assist your agency’s personnel in navigating the daunting and complicated path through audits and information security policy compliance.



Let us deal with your audit and compliance hassles…

You already have enough to worry about.