Are Your Vendors and Contractors CJIS Compliant? You’re Responsible.
A few issues back we discussed the FBI CJIS Security Addendum. We went through what the Security Addendum was, when it was needed and all the particulars involved in its use.
Today we will be discussing vendor/contractor (we’ll refer to them all as “vendors”) compliance with the CJIS Security Policy as a result of having an executed Security Addendum with your agency. Most importantly, we will highlight your responsibility, as the hiring authority, to ensure your vendors are compliant.
How do YOU know that YOUR vendor is abiding by the terms of the Security Addendum and is complying with the CJIS Security Policy?
In all likelihood, without auditing them yourself, you simply don’t!
You don’t know if they are compliant. You don’t know if they are secure in their practices. You don’t know how they conduct their employee background checks. You don’t know if they are doing what is required to protect access to critical criminal justice information (CJI) and related systems.
What normally happens is that an agency hires a vendor, obtains a signed Security Addendum and generally hopes for or assumes compliance. And you know what happens when assumptions are made.
This can be an issue, especially since your agency, the hiring authority, is responsible for their access to criminal justice information and related systems.
This is extremely important because these are the systems that process and store the critical information your agency relies on each and every day. Having your vendor be compliant with the applicable provisions of the CJIS Security Policy is critically important to your agency and necessary to help support your agency’s mission.
ANY vendor that provides products and/or services to a criminal justice agency (like your agency) where they have or may have access to criminal justice information and systems is required to comply with applicable sections of the CJIS Security Policy.
Examples of vendors that you may have working for your agency are your software vendor (CAD [computer-aided dispatch], records management, jail management, court functions, fingerprinting, etc.), your technology vendor (networks, desktops, laptops, tablets, smartphones, etc.), or a service provider (infrastructure, hosted software or criminal justice functions [background checks, permitting, etc.]).
So, now that we’ve established that you and your agency are responsible for your vendors’ compliance, what can you do about it?
Does your agency have the resources (money, staff or time) and expertise to perform comprehensive audits on each of your vendors? Is your agency going to go through the 200+ pages of the policy and 400+ requirements to determine your vendor’s compliance?
No? You’re not alone — CJIS ACE can help!
CJIS ACE for Providers.
When your vendor subscribes to the CJIS ACE for Providers service, the CJIS ACE team works with them to help ensure initial and continued compliance with the CJIS Security Policy.
After a comprehensive assessment, the CJIS ACE team will provide the vendor with a Compliance Profile, which is a report-card type rating that shows their compliance state with respect to the CJIS Security Policy (and other applicable policies). From there, the provider can work with the CJIS ACE team toward initial or continuing compliance as an assurance to their customers.
This service allows the vendor’s clients (your agency) the freedom to focus on critical day-to-day tasks knowing that they (the vendor) take the security of your criminal justice information and systems seriously and value you as a client.
We created a quick video for you to share with your vendors highlighting the CJIS ACE for Providers service.
CJIS ACE for Providers: https://www.youtube.com/
Like your agency, providers of criminal justice services and/or products are required to comply with applicable sections of the CJIS Security Policy.
Compliance with the minimum requirements set forth in the policy is essential to providing appropriate controls to protect the confidentiality, integrity and availability of critical criminal justice information.
Additionally, compliance contributes to maintaining the operational integrity and security of interconnected criminal justice information systems that allow all criminal justice and law enforcement agencies to carry out their respective missions.
Your vendors, like your agency, need to be compliant. What is your vendor’s CJIS ACE Compliance Profile?
For more information, just reach out to me or anyone at DCI.
SPECIAL NOTICE – Booking 2015 Speaking Engagements Now!
Do you need an experienced, knowledgeable and engaging speaker at your statewide user conference or association meeting?
Do you need an expert to speak about the FBI CJIS Security Policy (or specific parts thereof), compliance and/or audits?
We can help.
As part of our giving back to the criminal justice community, each year we offer a limited number of speaking engagements for free.
Interested? To have your event considered, forward the following information to firstname.lastname@example.org:
– Group/Organization (e.g. state CJIS user group, Chiefs Assn Mtg, Sheriffs Assn Mtg, etc.)
– Meeting Type (e.g. annual training conference)
– Expected Number Of Attendees
– Topic(s) Desired
– Point Of Contact Information (to further discuss particulars and specifics)
Due to consideration, planning and scheduling requirements, please make your request as early as possible.
That’s about it for this issue…
Make sure you know your vendor’s CJIS ACE Compliance Profile and get your speaker requests in…
Until next time, be safe.
William “Bill” Tatun
Chief Information Security Officer
Diverse Computing Inc.
Were you forwarded this newsletter and find the content useful? Then please take a few seconds and subscribe to our newsletter.
CJIS ACE is a division at DCI that helps law enforcement agencies comply with the FBI CJIS Security Policy and NCIC requirements. CJIS ACE services are designed to help you be pro-active in strengthening your agency’s information security profile and comply with any other security policies that may be required (e.g. a State or County IT Security Policy). CJIS ACE brings real-world experience at the ready to assist your agency’s personnel in navigating the daunting and complicated path through audits and information security policy compliance.