Close this search box.

3 Essential Certifications for a Third-Party CJIS Vendor

CJIS Certification - Third Party Vendor Qualifications - Corsica Technologies

Originally published Sept 22, 2017. Refreshed Jan 9, 2024.

Aligning your organization’s practices with CJIS standards presents continual challenges. Time, resources, and budget approval are just a few difficulties you may encounter as you prepare for your next CJIS audit.

Agencies often bring in an outside consultancy to help with this process. But how do you identify the most qualified partner to assist with your CJIS audit preparations?

In this article, we’ll give you 3 essential qualifications to look for.

But first, let’s cover the basics.

Why engage an outside vendor in your CJIS audit preparations?

Budgets are tight in today’s economic environment. It’s rare that an organization has the internal resources it needs to cover all preparations for a CJIS audit.

A third-party vendor brings in the firepower you need to get this done. Specifically, a vendor can help:

  • Assess your current security stance against CJIS standards
  • Formulate an airtight game plan for closing gaps
  • Supplement your processes with services provided by CJIS-compliant vendors

Is there such a thing as Federal CJIS Certification?

Unfortunately, no.

Just as there is no CJIS certification for criminal justice organizations (it’s either pass or fail the tri-annual audit), there is no federal CJIS certification for vendors.

Stephen Exley, information security analyst within the CJIS Information Security Officer Program, says, “Please be aware there is no CJIS certification process with regard to the CJIS Security Policy. The only certifications related to CJIS…are in regard to facial recognition and fingerprint capture standards…We do not certify, nor endorse any product, solution, or vendor.”

It’s a red flag when any vendor claims to be “CJIS Certified”—unless the state in which you reside uses the term “certified” to recognize vetted vendors.

Download our CJIS Compliance Checklist >>

That said, finding a CJIS vendor doesn’t have to be hard.

The quickest way to find a qualified vendor: Ask the FBI!

Many states have established a list of approved and verified vendors to help you pass your federal CJIS compliance audits. The easiest way to engage a qualified vendor is to request a list from your state’s branch of the FBI. This can greatly shorten the process of identifying an affordable, reliable vendor.

Of course, you should still evaluate any vendor you’re considering. Here are the top 3 qualifications you’ll find in a good CJIS vendor.

3 Essential Qualifications for CJIS Certification

Vendors must maintain compliance to the 13 areas of the FBI’s CJIS Security Policy to be qualified to handle Criminal Justice Information (CJI).

If your prospective IT and/or cyber security partner has communicated that they are CJIS Compliant, here are the 3 essential qualifications to look for. (You should be able to verify these quickly, but we’ve also provided a shortcut at the end of this article to help you speed up the process.)

1. Their Auditors Have an Intimate Knowledge of CJIS Policy

This is an obvious one but the most difficult to verify. The fact that third-party auditors do not need access to CJI information (and therefore do not require fingerprint-based background checks) throws additional confusion into the mix.

Though auditing staff ideally do have a background check in place, the essential qualification for this role is a deep understanding of CJIS Policy—they must know how a federal auditor would assess your security landscape and be able to replicate that process to uncover any gaps that may be exposed during the “real” audit.

Because there is no test or certification to verify CJIS knowledge, look instead for these similar certifications: CISSP, CISA, CISM, and GSNA credentials, which are 8570 IA Baseline Certifications for the DOD and as stated by ISACA. (The U.S. Department of Defense (DoD) 8570.01-M. Information Assurance Workforce Improvement Program)

2. Their Employees Have Met the Requirements Set Forth in Section 5.12.1

After a third-party audit or assessment, you may identify areas of weakness, such as employee security training or data encryption, that you wish to partner with an outside team to solve.

The minimum screening requirement for any individuals with access to CJI is a fingerprint-based background check performed at the state level. Each employee of the vendor with access to CJI at any touch point must have documentation of a passed background check.

Vendor employees from out of your state must undergo the background check for the state in which you are located.

3. Their Solutions Have Undergone the FICAM or FedRamp Certification Process

The government sets program and procedure standards through the Federal Risk and Authorization Management Program (FedRAMP). Security assessments, authorization, and continuous monitoring, among other SaaS solutions, should be FedRamp ready.

Request Proof of These Qualifications From Your Vendor Today

A prospective vendor will have to submit documentation verifying their good standing for your audit. Why not get an early start?

Want to learn more about CJIS certification?

Reach out to schedule a security with our CJIS specialists.
Corsica Technologies
Corsica provides personalized service and a virtual CIO (vCIO) who serves as a strategic advisor. When it comes to the complex integration of solutions for IT and cybersecurity, the whole is greater than the sum of its parts. We offer cybersecurity solutions, managed services, digital transformation, resale services, and one-off technology projects. Corsica unifies any combination of these services into a complete, seamless solution.

Related Reads

EDI Transactions and Document Types - Corsica Technologies

EDI Transactions: What It Takes To Win

EDI transactions are the lifeblood of processes like order placement, shipping, receiving, claims processing, and more. Across numerous industries, these transactions keep things moving in a way that no other technology can. In fact, you could say EDI solutions make

Read more
EDI 856 - Advance shipment notice - Corsica Technologies

EDI 856: Getting Your Advance Shipment Notices Right

Shipping and logistics get complicated when you have sensitive products and limited warehouse space. How do you ensure the warehouse is ready to receive a shipment—and ready to handle time-sensitive products appropriately? An EDI 856 document solves this problem. This

Read more
Cloud Data Integratoin: Power vs. ease of support - Corsica Technologies

Cloud Data Integration: Power vs Ease Of Support

It’s essential for cloud systems to talk to each other. If they don’t, data can become siloed, without widespread availability across the organization. But cloud systems introduce their own complexities that are different from on-premises systems. How do you choose

Read more

Sign Up For Our Newsletter

Stay up-to-date on the Managed Services and Cybersecurity landscape, and be the first to find out about events and special offers.