Originally published Sept 22, 2017. Refreshed Jan 9, 2024.
Aligning your organization’s practices with CJIS standards presents continual challenges. Time, resources, and budget approval are just a few difficulties you may encounter as you prepare for your next CJIS audit.
Agencies often bring in an outside consultancy to help with this process. But how do you identify the most qualified partner to assist with your CJIS audit preparations?
In this article, we’ll give you 3 essential qualifications to look for.
But first, let’s cover the basics.
Why engage an outside vendor in your CJIS audit preparations?
Budgets are tight in today’s economic environment. It’s rare that an organization has the internal resources it needs to cover all preparations for a CJIS audit.
A third-party vendor brings in the firepower you need to get this done. Specifically, a vendor can help:
- Assess your current security stance against CJIS standards
- Formulate an airtight game plan for closing gaps
- Supplement your processes with services provided by CJIS-compliant vendors
Is there such a thing as Federal CJIS Certification?
Just as there is no CJIS certification for criminal justice organizations (it’s either pass or fail the tri-annual audit), there is no federal CJIS certification for vendors.
Stephen Exley, information security analyst within the CJIS Information Security Officer Program, says, “Please be aware there is no CJIS certification process with regard to the CJIS Security Policy. The only certifications related to CJIS…are in regard to facial recognition and fingerprint capture standards…We do not certify, nor endorse any product, solution, or vendor.”
It’s a red flag when any vendor claims to be “CJIS Certified”—unless the state in which you reside uses the term “certified” to recognize vetted vendors.
That said, finding a CJIS vendor doesn’t have to be hard.
The quickest way to find a qualified vendor: Ask the FBI!
Many states have established a list of approved and verified vendors to help you pass your federal CJIS compliance audits. The easiest way to engage a qualified vendor is to request a list from your state’s branch of the FBI. This can greatly shorten the process of identifying an affordable, reliable vendor.
Of course, you should still evaluate any vendor you’re considering. Here are the top 3 qualifications you’ll find in a good CJIS vendor.
3 Essential Qualifications for CJIS Certification
Vendors must maintain compliance to the 13 areas of the FBI’s CJIS Security Policy to be qualified to handle Criminal Justice Information (CJI).
If your prospective IT and/or cyber security partner has communicated that they are CJIS Compliant, here are the 3 essential qualifications to look for. (You should be able to verify these quickly, but we’ve also provided a shortcut at the end of this article to help you speed up the process.)
1. Their Auditors Have an Intimate Knowledge of CJIS Policy
This is an obvious one but the most difficult to verify. The fact that third-party auditors do not need access to CJI information (and therefore do not require fingerprint-based background checks) throws additional confusion into the mix.
Though auditing staff ideally do have a background check in place, the essential qualification for this role is a deep understanding of CJIS Policy—they must know how a federal auditor would assess your security landscape and be able to replicate that process to uncover any gaps that may be exposed during the “real” audit.
Because there is no test or certification to verify CJIS knowledge, look instead for these similar certifications: CISSP, CISA, CISM, and GSNA credentials, which are 8570 IA Baseline Certifications for the DOD and as stated by ISACA. (The U.S. Department of Defense (DoD) 8570.01-M. Information Assurance Workforce Improvement Program)
2. Their Employees Have Met the Requirements Set Forth in Section 5.12.1
After a third-party audit or assessment, you may identify areas of weakness, such as employee security training or data encryption, that you wish to partner with an outside team to solve.
The minimum screening requirement for any individuals with access to CJI is a fingerprint-based background check performed at the state level. Each employee of the vendor with access to CJI at any touch point must have documentation of a passed background check.
Vendor employees from out of your state must undergo the background check for the state in which you are located.
3. Their Solutions Have Undergone the FICAM or FedRamp Certification Process
The government sets program and procedure standards through the Federal Risk and Authorization Management Program (FedRAMP). Security assessments, authorization, and continuous monitoring, among other SaaS solutions, should be FedRamp ready.
Request Proof of These Qualifications From Your Vendor Today
A prospective vendor will have to submit documentation verifying their good standing for your audit. Why not get an early start?