Our team works with numerous agencies and CJIS vendors nationwide and I thought it would be fun to share with you some of the common things we hear about CJIS Compliance that aren’t quite right. I hope by the end of this you will have a better idea of how you can learn to speak confidently about CJIS Compliance.
If you work for an agency, be aware that most of these phrases come from vendors -- which could lead to a problem for your agency. If you are a vendor, stop saying these things!
1. “We are CJIS Certified.”
Unfortunately, this is something that a lot of vendors advertise and if, as an agency, you hear this...RUN! We all know that there is no certifying body approved by the FBI for CJIS. Which means there is no CJIS Certification and the vendor probably doesn’t know what they are talking about when it comes to CJIS compliance.
2. “Oh yeah, we’ve passed a background check so our people are CJIS Compliant.”
While fingerprint based background checks are a part of the vetting process for access to CJI, it is not the only part. Personnel screening, according to the CJIS Security Policy, includes the fingerprint based background check AND Security Awareness Training AND incorporation of the signed CJIS Security Addendum.
3. “We don’t have to worry about CJIS because we are FedRAMP Compliant.”
In some cases, this might be true and there is nothing wrong with FedRAMP or the other compliance standards. However, if your company, product, or services interact or have the potential to interact with CJI you have to also be compliant with the CJIS Security Policy.
4. “We are cleared for state X, so we are cleared for your state.”
Every state’s CSA has the authority to implement requirements for vendor approval that go above and beyond the CJIS Security Policy. These are practically never the same between states. So the best thing to do, as a vendor, is to make sure you are working within the CJIS requirements for EACH state you plan to expand into.
5. “We were fine on our last audit.”
CJIS audits commonly occur once every three years and the CJIS Security Policy updates every year. That being said, lots can change in between audits. Your CJIS compliance is something that you will have to stay on top of.
Bonus: To Auditor - “Oh crap, you’re here already?”
This one is probably my favorite because everyone says it as the auditor is walking through their door. The best advice I can give on this: know your agency’s compliance level and be prepared to show the auditor how you are meeting the CJIS requirements.
One quote that you can’t go wrong with:
“The CJIS ACE team was here!”
Our main goal at CJIS ACE is to make sure you, vendors and agencies, are doing everything you can to comply with the CJIS Security Policy. We sit down with each of our clients and go over all the rules and requirements in the policy until you know which aspects apply to your situation, what they mean, and how to comply with them. After an engagement with CJIS ACE, you will never find yourself saying these quotes again, either to auditors or potential clients.
If you have said any of our five common phrases, or even our bonus phrase, and want to know more about how CJIS ACE can help you confidently speak about CJIS Compliance, visit our website or reach out to us for a quick chat.
Until next time, take care!
-Brooke Lynn Siracusano