Aligning your criminal justice organization’s practices with CJIS standards has most likely presented continual challenges. Time, resources, and budget approval are just a few concerns we hear from agencies seeking to prepare for the next CJIS audit.
Rather than alleviating these challenges, the process of vetting outside consulting vendors and then locating additional IT and information security services can be time consuming at best.
To save you a few steps in the process, we’ve outlined a list of the 3 Essential Qualifications to look for when seeking to:
- Assess your current security stance against CJIS standards.
- Formulate an air-tight game plan for closing gaps.
- Supplement your processes with services provided by CJIS compliant vendors.
But Wait, Federal CJIS Certification is Not on This List?
Just as there is no CJIS certification for criminal justice organizations (it’s either pass or fail the tri-annual audit), there is no federal CJIS certification for vendors.
Stephen Exley, information security analyst within the CJIS Information Security Officer Program, says, “Please be aware there is no CJIS certification process with regard to the CJIS Security Policy. The only certifications related to CJIS…are in regard to facial recognition and fingerprint capture standards…We do not certify, nor endorse any product, solution, or vendor.”
It’s a red flag when any vendor claims to be “CJIS Certified”—unless the state in which you reside uses the term “certified” to recognize vetted vendors.
3 Essential Qualifications
Vendors must maintain compliance to the 13 areas of the FBI’s CJIS Security Policy to be qualified to handle Criminal Justice Information (CJI).
If your prospective IT and/or cyber security partner has communicated that they are CJIS Compliant, here are the 3 essential qualifications to look for. (You should be able to verify these quickly, but we’ve also provided a shortcut at the end of this article to help you speed up the process.)
1. Their Auditors Have an Intimate Knowledge of CJIS Policy
This is an obvious one but the most difficult to verify. The fact that third-party auditors do not need access to CJI information (and therefore do not require fingerprint-based background checks) throws additional confusion into the mix.
Though auditing staff ideally do have a background check in place, the essential qualification for this role is a deep understanding of CJIS Policy—they must know how a federal auditor would assess your security landscape and be able to replicate that process to uncover any gaps that may be exposed during the “real” audit.
Because there is no test or certification to verify CJIS knowledge, look instead for these similar certifications: CISSP, CISA, CISM, and GSNA credentials, which are 8570 IA Baseline Certifications for the DOD and as stated by ISACA. (The U.S. Department of Defense (DoD) 8570.01-M. Information Assurance Workforce Improvement Program)
2. Their Employees Have Met the Requirements Set Forth in Section 5.12.1
After a third-party audit or assessment, you may identify areas of weakness, such as employee security training or data encryption, that you wish to partner with an outside team to solve.
The minimum screening requirement for any individuals with access to CJI is a fingerprint-based background check performed at the state level. Each employee of the vendor with access to CJI at any touch point must have documentation of a passed background check.
Vendor employees from out of your state must undergo the background check for the state in which you are located.
3. Their Solutions Have Undergone the FICAM or FedRamp Certification Process
The government sets program and procedure standards through the Federal Risk and Authorization Management Program (FedRAMP). Security assessments, authorization, and continuous monitoring, among other SaaS solutions, should be FedRamp ready.
Request Proof of These Qualifications from Your Vendor Today
A prospective vendor will have to submit documentation verifying their good standing for your audit. Why not get an early start?
Tip: Request a List of Approved Vendors from Your State’s Branch of the FBI
In order to help you pass your federal CJIS compliance audits, many states have established a list of approved and verified vendors. Request a list from your state’s branch and shorten the process of identifying an affordable, reliable vendor.