Larry Coffee
Apr 22, 2017
Let’s Agree
Can we agree that “agreements” are a pain? Not having the proper or any agreement in place still ranks in the top ten of FBI and state tech audit issues. The requirement to have them has been around for years, and they’re still a problem.
If you have read the CJIS Security Policy (CJISSECPOL), or at least casually glanced at it, you know that there is a whole section (5.1) that defines the different types of agreements. It’s even number one in the “5” section of the policy (the “fives” are where most of the requirements are located), so it’s pretty important.
Most of y’all just asked the question “why should I care about agreements?”, and the answer is that access to criminal justice information (CJI) is governed by agreements. No agreement, no access. Even the states have an agreement with the FBI for access to CJI.
Let’s do a quick review of several agreements or instruments for sharing or allowing the sharing of CJI. For the purposes of the CJISSECPOL, “sharing” is akin to access. Like I said, access requires some type of agreement/instrument, and the type used will depend on the entity who is gaining access.
Those entities who are gaining or receiving access are 1) law enforcement/criminal justice agencies (CJA); 2) Non-criminal justice governmental entities or agencies (NCJA); and 3) vendors or private contractors supporting the administration of criminal justice (vendors.)
Who is accessing CJI will determine what agreement/instrument should be used.
I’m going to focus on the big three: 1) Information Exchange, 2) Management Control, and 3) the Security Addendum process. There are others, but let’s deal with these because here lies most of the problems come audit time.
The first, Information Exchange, is when CJI is shared or access is granted from one CJA to another CJA. This is a situation where a PD is sharing CJI with another PD.
The best way to identify a CJA is to have an FBI assigned, law enforcement or criminal justice agency ORI. Maybe in the future we can talk about ORIs. In the meantime, I’m going to point you to the ORI section of the NCIC Operations Manual.
Again, an Information Exchange Agreement is used between two (or multiple) “recognized” CJAs for the sharing or access to CJI.
The next is a Management Control Agreement (MCA). An MCA is used when one entity is a CJA and the other is a governmental NCJA, e.g., a city IT department. Most, but not all, MCAs are associated with data centers, IT support, or dispatch/communication centers.
An MCA would be used when a PD is required to move into a city data center, or when the county IT staff provides IT support for the Sheriff’s Office.
Under the Code of Federal Regulations, a non-criminal justice entity is not authorized access to criminal justice information, unless certain agreements or instruments are in place. An MCA provides the authority to allow an NCJA to access CJI to perform or support the administration of criminal justice.
The last instrument is the Security Addendum. Like I just said, an NCJA is not authorized access to CJI, and a private vendor is definitely a type of NCJA. Unlike the previous two instruments, the Security Addendum is a process, not an agreement or directive.
The Security Addendum is incorporated into the contract between the CJA and the vendor. It says that vendors will follow the CSP and grant the CJA certain oversight into vendor operations to ensure CSP compliance.
Many people confuse the Security Addendum Certification Page with a contract signature page. The Certification Page is not signed by the two parties, instead, all of the vendor’s employees who will be working on the contract and potentially accessing CJI must sign a copy.
There are a few more issues that go with the Security Addendum process, but for this newsletter, the focus is when the Security Addendum is needed.
So a quick recap as to “what” is needed, and “when.”
When the access/sharing is between recognized criminal justice or law enforcement agencies, use an Information Sharing Agreement.
When one is a criminal justice/law enforcement and the other is a non-criminal justice governmental entity, use a Management Control Agreement.
When the situation involves a contractor/vendor/company accessing criminal justice information in support of the administration of criminal justice, use the Security Addendum process.
There are ancillary processes that go with what I’ve described, but those too will have to wait for another day.
Y’all take care.