Are Your Vendors and Contractors CJIS Compliant? You’re Responsible. How To Make Sure They Are Compliant.
A few issues back we discussed the FBI CJIS Security Addendum. We went through what the Security Addendum was, when it was needed and all the particulars involved in its use. Today we will be discussing vendor/contractor (we’ll refer to them all as “vendors”) compliance with the CJIS Security Policy as a result of having an executed Security Addendum with your agency. Most importantly, we will highlight your responsibility, as the hiring authority, to ensure your vendors are compliant.
How do YOU know that YOUR vendor is abiding by the terms of the Security Addendum and is complying with the CJIS Security Policy?
In all likelihood, without auditing them yourself, you simply don’t!
You don’t know if they are compliant. You don’t know if they are secure in their practices. You don’t know how they conduct their employee background checks. You don’t know if they are doing what is required to protect access to critical criminal justice information (CJI) and related systems.
What normally happens is that an agency hires a vendor, obtains a signed Security Addendum and generally hopes for or assumes compliance. And you know what happens when assumptions are made.
This can be an issue, especially since your agency, the hiring authority, is responsible for their access to criminal justice information and related systems.
This is extremely important because these are the systems that process and store the critical information your agency relies on each and every day. Having your vendor be compliant with the applicable provisions of the CJIS Security Policy is critically important to your agency and necessary to help support your agency’s mission.
ANY vendor that provides products and/or services to a criminal justice agency (like your agency) where they have or may have access to criminal justice information and systems is required to comply with applicable sections of the CJIS Security Policy.
Examples of vendors that you may have working for your agency are your software vendor (CAD [computer-aided dispatch], records management, jail management, court functions, fingerprinting, etc.), your technology vendor (networks, desktops, laptops, tablets, smartphones, etc.), or a service provider (infrastructure, hosted software or criminal justice functions [background checks, permitting, etc.]).
So, now that we’ve established that you and your agency are responsible for your vendors’ compliance, what can you do about it?
Does your agency have the resources (money, staff or time) and expertise to perform comprehensive audits on each of your vendors? Is your agency going to go through the 200+ pages of the policy and 400+ requirements to determine which apply to your vendor and whether your vendor complies with them?
No? You’re not alone — CJIS ACE can help!
When your vendor subscribes to the service, the CJIS ACE team works with them to help ensure initial and continued compliance with the CJIS Security Policy.
After a comprehensive assessment, the CJIS ACE team will provide the vendor with a Compliance Profile, which is a report-card type rating that shows their compliance state with respect to the CJIS Security Policy (and other applicable policies). From there, the provider can work with the CJIS ACE team toward initial or continuing compliance as an assurance to their customers.
This service allows the vendor’s clients (your agency) the freedom to focus on critical day-to-day tasks knowing that they (the vendor) take the security of your criminal justice information and systems seriously and value you as a client.
We created a quick video for you to share with your vendors highlighting the CJIS ACE for Providers service.
CJIS ACE for Vendors: https://www.youtube.com/watch?v=cacGZ3YPXuI
Like your agency, providers of criminal justice services and/or products are required to comply with applicable sections of the CJIS Security Policy.
Compliance with the minimum requirements set forth in the policy is essential to providing appropriate controls to protect the confidentiality, integrity and availability of critical criminal justice information.
Additionally, compliance contributes to maintaining the operational integrity and security of interconnected criminal justice information systems that allow all criminal justice and law enforcement agencies to carry out their respective missions.
Your vendors, like your agency, need to be compliant. What is your vendor’s CJIS ACE Compliance Profile?
For more information, just reach out to me or anyone at DCI.
That’s about it for this issue….
Make sure you know your vendor’s CJIS ACE Compliance Profile and get your speaker requests in….
Until next time, be safe.