Sep 16, 2014
When Do I Need A FBI CJIS Security Addendum? The Answer REVEALED…
Hello, it’s me again. I bet you were just saying, “Hey, it’s been a while since I saw a CJIS ACE Newsletter.” I have to explain.
Between keeping up with our friends at the FBI’s Advisory Policy Board (APB) and NLETS, it’s been very busy lately. But as we all know, being busy is good and leads to more information coming your way!
Before we get into the FBI CJIS Security Addendum, I wanted to give you a sneak peak of our new CJIS ACE video. In the future everyone will be able to see it on our website, but because you’re a loyal reader here’s a first look: http://www.youtube.com/watch?v=beLD_aXSamI
Now on to the CJIS Security Addendum….
You might remember a few issues ago we discussed the Management Control Agreement (MCA), what it was, who it applied to, and when it was needed.
In short, the MCA applies to non-criminal justice governmental agencies performing defined functions for a criminal justice agency.
The MCA’s close cousin is the FBI CJIS Security Addendum (SA) which is a “uniform” addendum to an agreement between a government entity (e.g. police department or a county IT department) and a private contractor.
The FBI CJIS SA specifically authorizes the contractor access to Criminal History Record Information (CHRI), limits the use of the information to the purpose for which it is provided, provides for sanctions, and attaches the CJIS Security Policy and other regulations/provisions, as required by the Attorney General of the United States.
The Attorney General of the United States?
Yes, that was the purpose of my bolding the word “uniform” in the above description.
The FBI CJIS SA is a “uniform” addendum approved by the Attorney General of the United States and needs to be part of any contract your agency may have with a vendor where they may have access to CJIS data.
It is important that the SA be included in its entirety and not modified in any way.
If the SA is not included as part of the contract or is modified, it’s not considered “uniform” and therefore, not compliant with the requirements of the CJIS Security Policy.
It may seem like I am making a big deal of not making changes to the SA, but trust me, some vendors (or their lawyers) will try to send back the security addendum with all sorts of red-lines, additions and/or modifications. I know this because when I was the CSO for NY, I saw these attempts often.
I cannot tell you how many times vendors and/or their lawyers tried to change or add to the language of the SA as part of the contracting or negotiation process.
It can’t be done folks!
At least not by the vendor or their lawyers.
Modifications to the CJIS Security Addendum can only be enacted by the Director of the FBI, acting for the U.S. Attorney General.
Now that we have some the background, here are the CJIS Security Addendum facts:
The FBI CJIS Security Addendum shall be executed pursuant to an agreement (contract) between a government entity and a contractor when that contractor needs access to CJI to perform their contractual duties. The government entity can be either a criminal justice (e.g. police department) or non-criminal justice (e.g. county IT department running criminal justice systems for a police department per an MCA) agency.
Each private contractor employee who works pursuant to the contract/engagement shall acknowledge, by signing the CJIS Security Addendum Certification page, and abide by all aspects of the CJIS Security Addendum.
Private contractors who perform criminal justice functions and have access to CJI shall meet the same training and certification criteria required of governmental agencies performing a similar function and are subject to audit to the same extent as are local agencies.
Modifications to the CJIS Security Addendum shall be enacted only by the Director of the FBI, acting for the U.S. Attorney General. Remember, accept no changes, additions or deletions from the vendor (of course, you can’t make any either).
Well, that about sums up the FBI CJIS Security Addendum, when it’s needed, who it applies to and its purpose.
The CJIS Security Policy can be confusing with respect to what agreements are needed when. We know this is true because the lack of properly executed Management Control Agreements and CJIS Security Addenduma are always top compliance issues found during FBI and State audits.
The CJIS ACE team can help you and your agency navigate this and any CJIS-related policy or compliance issue. To further discuss how we can help, drop me a line at: firstname.lastname@example.org or give me a call at 850-778-3207.
Until next time, be safe