FAQ for Implementing NCIC 2000 Requirements

With the deadline for implementing NCIC 2000 requirements as they relate to compliance with CJIS (Criminal Justice Information System) guidelines, many agencies find the language of the federal publications difficult to understand. Toward that end, an APCO International workgroup composed of representatives from communications centers, the CJIS Advisory Policy Board and the FBI held a series of discussions. The results of those discussions are presented here in an FAQ format, from the viewpoint of addressing a broad range of concerns.

For NCIC-related questions, please contact the appropriate state CSO, since access is gained first through the state. FBI-related questions can be referred to Kimberly K. Lough at klough@leo.gov (copy to the CJIS Audit Unit's main e-mail address, acjis@leo.gov, in case Kim is out of the office for an extended period of time). The recipient of the Unit's main e-mail account can obtain the answer and reply.

 
What happens if my agency isn’t ready to implement the security guidelines by the due date?
Section 8.3.2 of the CJIS Security Policy states that the CJIS systems data are sensitive information and security shall be afforded to prevent any unauthorized access, use, or dissemination of the information. Improper access, use and dissemination of CHRI and hot file information is serious and may result in the imposition of administrative sanctions including, but not limited to, termination of services and state and federal criminal penalties.
What if a repair person shows up that I am not familiar with (or who is not on my list of approved/backgrounded personnel) and needs access to the router room?
The first step should be to establish that the person has a true need to access the secure area and that they do indeed work for the company that provides support for the equipment.

Once you establish that the person is who and what they claim to be, access may be granted under section 4.5.1, paragraph H, of the CJIS Security Policy as long as they are escorted by authorized personnel at all times. “Authorized Personnel” are those persons who have passed a state and national fingerprint-based record check and have been granted access.

I am the TAC for my agency and my communications area is in the actual police department. Am I responsible for the CJIS guidelines?
Everyone who has access to the secure area, the criminal history records, and the equipment should have received Security Awareness training and be aware of and responsible for the enforcement of the requirements of the CJIS Security Policy.

If, as part of your responsibilities as TAC, you are also the Agency Security Point of Contact, any security-related issues at the agency should be reported by you to the CJIS Systems Agency Information Security Officer.

Is my agency responsible for fingerprinting our vendors/contractors?
Yes. In section 4.5.1, paragraph H, the CJIS Security Policy states that support personnel, contractors, and custodial workers who access computer terminal areas shall be subject to a state of residency and national fingerprint-based record check, unless these individuals are escorted by authorized personnel at all times.
One of our contractors has indicated that one of their employees who is assigned to our agency has a felony conviction, but won’t disclose anything else about it. Can I compel them to give me the criminal history?
The fact that they have a felony conviction prevents them from having any access to CJIS data or any of the equipment the CJIS data passes through or is stored on. It is up to the agency granting system access to vet the criminal history of individuals being granted access – a vendor’s word that their employees have been screened is not adequate. If the vendor’s employees have fingerprint cards on file with another law enforcement agency, a new set of prints may not be required of the vendor if you can establish the means to share those fingerprints. As for a felony conviction, in section 4.5.1, paragraph H, the CJIS Security Policy states that support personnel, contractors, and custodial workers who access computer terminal areas shall be subject to a state of residency and national fingerprint-based record check, unless these individuals are escorted by authorized personnel at all times.
My IT vendor gave me a list that says all of their techs have been backgrounded, but I think one of them has a felony conviction. What happens if it comes up at the audit that I allowed them access?
It is up to the agency granting system access to vet the criminal history of individuals being granted access – a vendor’s word that their employees have been screened is not adequate. If the vendor’s employees have fingerprint cards on file with another law enforcement agency, a new set of prints may not be required of the vendor if you can establish the means to share those fingerprints. As for a felony conviction, in section 4.5.1, paragraph B, the CJIS Security Policy states that if a felony conviction of any kind exists, the hiring authority in the Interface Agency shall deny systems access. However, the hiring authority in the Interface Agency may ask for a review by the CSO in extenuating circumstances where the severity of the offense and the time that has passed would support a possible variance.
What kind of physical security is considered adequate? Right now all we have is a locked door to the data room (unlocked door in a secure area).
Section 7.2.2 of the CJIS Security Policy defines a physically secured location. In part it says, “A physically secure location is a criminal justice facility, an area, a room, a group of rooms, or a police vehicle that is/are subject to criminal justice agency management control/security addendum and which contain hardware, software, and/or firmware (e.g., information system servers, controlled interface equipment, associated peripherals or communications equipment, wire closets, patch panels, etc.) that provide access to the CJIS network. Law enforcement sensitive facilities and restricted/controlled areas shall be prominently posted and separated from non-sensitive facilities and non-restricted/controlled areas by physical barriers that restrict unauthorized access. Every physical access point to sensitive facilities or restricted areas housing information systems that access, process, or display CJIS data shall be controlled/secured.”
Do the vendors/contractors have to sign a CJIS letter?
Vendors/Contractors that have access to CHRI data must sign a Security Addendum.
My (civilian) Center director doesn’t run data, but (s)he does make personnel decisions and needs to look at criminal history. Do they need to sign the CJIS letter and/or be backgrounded also?
Anyone who has access to criminal history data must have passed a state and national fingerprint-based record check and have been granted access.
Would a sealed juvenile record, if there was a felony conviction, count as a disqualifier?
The CJIS Security Policy does not distinguish between juvenile and non-juvenile records. Section 4.5.1, paragraph B states, “If a felony conviction of any kind exists, the hiring authority in the Interface Agency shall deny systems access. However, the hiring authority in the Interface Agency may ask for a review by the CSO in extenuating circumstances where the severity of the offense and the time that has passed would support a possible variance.”
After we implement the CJIS guidelines, can we still have visitors to our comroom?
Yes, visitors are allowed by the CJIS Security Policy. It states in section 4.4.3 that, “All visitors to computer centers and/or terminal areas shall be escorted by authorized personnel at all times.” “Authorized Personnel” are those persons who have passed a state and national fingerprint-based record check and have been granted access.
Everyone is asking me for the CJIS policy, but I can’t find it on the CJIS homepage anywhere. Where can I get a copy?
The CJIS Security Policy is considered to be Sensitive But Unclassified (SBU) material. This policy shall not be posted to a public website and discretion shall be exercised in sharing the contents of the policy with individuals and entities who are not engaged in law enforcement or the administration of criminal justice.

The CJIS Security Policy is available on the LEO web site, and your CJIS Systems Agency Information Security Officer should also be able to provide you with a copy of the policy.


All Material © APCO International, Inc. All Rights Reserved.