This page provides a library of examples of certain policies required by the CJIS Security Policy. These resources apply to Criminal Justice Agencies (CJAs) as well as any vendors/private contractors who support them.
Essential Policy Links
Interagency Agreements
- Management Control Agreement (Appendix page D9 of the CJIS Security Policy)
- Intergovernmental Agreement between Two Agencies with a Shared Vendor (example; can be modified)
- Management Control Agreement between a Criminal Justice Agency and Government IT (example; can be modified)
CJIS Security Addendum
- CJIS Security Addendum (pages H6 and H7 of the CJIS Security Policy)
- CJIS Security Addendum Certification Page (page H8 of the CJIS Security Policy)
- What's the Difference Between the Security Addendum and Security Addendum Certification?
- Contract Amendment Template for Including the CJIS Security Addendum
- Contract Amendment Template for Including the CJIS Security Addendum--with Instructions
Examples of Required Policies
- Acceptable Use Policy
- Media Sanitization and Disposal Policy
- Personally Owned Device Policy
- Physical Protection Policy
Considerations for CJIS Data and Cloud Computing
Personnel Security Requirements
- Fingerprinting through Colorado Applicant Background Services (CABS) (note: criminal justice personnel are still fingerprinted at the agency itself)
- Security Addendum Certification (to be signed by each contracted vendor employee with access to CJI/CHRI--not to be incorporated into contracts)
External Links
- NIST Cryptographic Module Validation Search (needed to demonstrate compliant encryption of CJI)
- Vendor Management Program (a program that consolidates the background check process for criminal justice vendors)
- CJIS Online (a free utility providing the required Security Awareness Training for those with access to CJI/CHRI)