The CJIS Security Policy written and maintained by the Federal Bureau of Investigation is the standard by which all criminal justice agencies nationwide must protect the sensitive data they possess and share with authorized entities.
The CBI CJIS Vendor Management Program is designed to help vendors and criminal justice agencies achieve and maintain compliance more easily by providing an easier fingerprinting/vetting process, assisting with the required training, sharing audit findings, and offering resources for questions about CJIS security.
To apply, please read through the content below.
Section 5.12.1 of the policy states that private contractors and vendors with access to criminal justice information (CJI) must submit a set of fingerprints for state and national fingerprint-based record checks. Previously, these vendors were required to submit fingerprints for each employee with physical, logical, or situational access to CJIS data, for each agency with which they contract. This occasionally proved to be cumbersome for vendors and contracting agencies, and was sometimes cost-prohibitive as each set of fingerprints requires a processing fee of $39.50.
The CJIS Vendor Management program consolidates the fingerprint background check process so that vendors only need to fingerprint their personnel once* for enrollment in the program. The program cuts the fingerprint processing fees down to a one-time payment of $39.50 (plus any fees collected by third-party fingerprinting vendors) per participating employee.
Vendors with access to CJI are also required to undergo routing CJIS Security Awareness Training, per section 5.2 of the CJIS Security Policy. The Vendor Management Program helps facilitate compliance with that requirement by getting your company set up in CJIS Online, a free training and testing tool.
Finally, as a participant in this program, your company can opt to be listed in the Vendor Directory on this website, which lets criminal justice agencies know that your company is mindful of CJIS security obligations.
*If an employee leaves a company and joins another company who is also in the Vendor Management Program, they will need to submit another set of fingerprints to re-enroll with the new company. If an enrolled employee undergoes a name change, another set of fingerprints will need to be submitted to verify identity in order to change the name in our records. However, the fingerprint processing fee is waived.
Criminal justice agencies, when contracting with a participating vendor, can query for a list of approved personnel who are fingerprinted, reviewed, and authorized for CJIS access by CBI staff. This makes it very easy and quick for criminal justice personnel to tell if vendor staff are eligible for access to CJI.
Additionally, if the CBI learns of any compliance issues with a vendor, these findings can be communicated through criminal justice networks to help the agencies address any findings before their scheduled CBI/FBI audits.
CJIS Support Vendors are vendors who support criminal justice agencies in a way that puts them in areas where sensitive information is processed or stored. This could include custodial services, maintenance, construction, site security, vending machine maintenance, etc.
Review the chart below to see how the obligations differ between CJIS Access Vendors and CJIS Support Vendors:
CJIS Access Vendors
CJIS Support Vendors
Vendors with direct or indirect access to CJI (e.g., IT support, software, cloud storage, document shredding, media sanitization, etc.) require the Security Addendum (in whole or by reference) in contracts with criminal justice agencies.
If they access CJIS systems or media on purpose to do their jobs, they are an Access Vendor.
Vendors with situational, potential access to CJI (e.g., custodial, vending, maintenance, etc.) do not require the Security Addendum in contracts, but they are still required to submit a contract, purchase order, or similar as documented proof of supporting a Colorado criminal justice agency.
If they don't access CJIS systems or media on purpose (they just run the risk of seeing it in the room around them), they are a Support Vendor.
|Do they need to submit fingerprints?||Yes||Yes|
|Do they need to take Security Awareness Training?||Yes||Yes|
|Do their contracts with criminal justice agencies need the Security Addendum?||Yes||No|
|Does each employee need to each sign the Security Addendum Certification page?||Yes||No|
There are many requirements a vendor must meet to be compliant with all CJIS security standards, this program only satisfies a few of those obligations. Depending on the services provided, a vendor may be providing compliant solutions to one client, and non-compliant solutions to another.
Therefore, CJIS compliance can often be very fluid, and acceptance into this program does not automatically indicate compliance. Successfully completing a CBI-issued audit is the only way to determine full compliance with CJIS standards, but even then, the CBI does not provide a certification that a vendor is CJIS compliant.
However, participation does demonstrate a working knowledge of CJIS standards and a commitment to maintain these high standards.
Construing to customers that your company is CJIS-Certified by the CBI simply because of acceptance into the program may be considered a violation of the terms of this program.