Brooke Lynn Siracusano
Oct 2, 2018
Are Your Vendors CJIS Compliant?
My name is Brooke Lynn Siracusano and I am the newest member of Diverse Computing's CJIS ACE team.
Today we will be talking about your vendor or contractor’s (we'll refer to them all as "vendors") compliance with the CJIS Security Policy (CJISSECPOL) as a result of having an executed Security Addendum with your agency. Most importantly, we will highlight your responsibility, as the hiring authority, to ensure your vendors are compliant.
What normally happens is that an agency hires a vendor, they obtain a signed Security Addendum, and they generally hope for or assume compliance. And you know what happens when assumptions are made.
This can be an issue, especially since your agency, the hiring authority, is responsible for their access to criminal justice information and related systems.
ANY vendor that provides products and/or services to a criminal justice agency (like your agency) where they have or may have access to criminal justice information and systems is required to comply with applicable sections of the CJIS Security Policy.
So, now that we've established that you and your agency are responsible for your vendors' compliance, what can you do about it?
Does your agency have the resources (money, staff or time) and expertise to perform comprehensive audits on each of your vendors? Is your agency going to go through the 200+ pages of the policy and 500+ requirements to determine your vendor's compliance?
No? Well, you're not alone -- CJIS ACE can help!
CJIS ACE for Vendors.
Our CJIS ACE team will work with your vendors to create a CJIS ACE Compliance Profile and show them the necessary steps to reach CJIS compliance.
This service allows the vendor's clients (your agency) the freedom to focus on critical day-to-day tasks knowing that they (the vendor) take the security of your criminal justice information and systems seriously and value you as a client.
Compliance with the minimum requirements set forth in the policy is essential to providing appropriate controls to protect the confidentiality, integrity, and availability of critical criminal justice information.
Additionally, compliance contributes to maintaining the operational integrity and security of interconnected criminal justice information systems that allow all criminal justice and law enforcement agencies to carry out their respective missions.
Your vendors, like your agency, need to be compliant. What is your vendor's CJIS ACE Compliance Profile?
So, what can you do? Ask your vendor: “Are you CJIS compliant?” and send them our way if there are any doubts!
We’ve drafted up an email template for you to do just that. You can download it here.
Go ahead and contact your vendors. Then, visit our CJIS Audit & Compliance Experts page to learn more about how you can take control of your agency’s information security.