Bill Tatun
May 23, 2014
What Charlie Brown's Teacher Taught Me About Control Agreements
Is it a surprise to anyone that Charlie Brown’s teacher made Time magazine’s list of 10 Bad Teachers?
It makes sense that when all you hear is “Wah wah woh wha wha,” there isn’t a whole lot of learning due to a lack of understanding.
Today we’re going to look into Management Control Agreements (MCAs). My goal is to get past the “wah wah woh wha wha” of the CJIS Security Policy and achieve a useful understanding of MCAs.
One of the easiest ways to illustrate the requirements of MCAs is to step through the “who, what, where, when, why and how” formula for analyzing and answering tough questions.
Who: Any non-criminal justice governmental agency that performs criminal justice functions for a criminal justice agency.
This includes entities such as non-criminal justice 911 centers and county/city IT departments providing services to a police department.
This does NOT include contractors or vendors performing criminal justice functions. They need to execute and abide by the CJIS Security Addendum (future topic).
What: The Management Control Agreement, MCA or sometimes referred to as “that thing.”
Where: Not really applicable, but to keep with the theme, we can say, “in the locality where the criminal justice functions are being performed.”
When: Whenever a non-criminal justice agency (e.g. 911 center, county IT department) is designated to perform criminal justice functions as authorized by executive order, statute, regulation or inter-agency agreement.
Why: To set policies, procedures and processes associated with the non-criminal justice agency’s access to criminal justice information and to stipulate that management control of the criminal justice functions (and information) remain solely with the criminal justice agency.
How: An MCA may be a separate document or included within the language of the inter-agency agreement between the criminal justice agency and the non-criminal justice governmental agency.
In either case, it needs to be a formally-executed agreement between the criminal justice agency and the non-criminal justice agency performing criminal justice functions.
As you can see by breaking down the policy into its parts it becomes clearer and easier to understand.
Even so, MCAs are one of the top areas of non-compliance during state and FBI CJIS audits.
It’s been my experience that the majority of non-compliance cases can be traced to a lack of understanding in that if your county/city/town IT department provides your agency IT services, you need an MCA. This is just an example, but a prevalent one.
Breaking down the policy, for understanding purposes, is one thing. Drafting and executing an MCA between two governmental agencies can be a time consuming and tiring process.
Getting two or more governmental agencies on the same page with differing internal policies and politics can be a struggle and sometimes feel like an exercise in futility.
I know this because I’ve done this before, several times.
After helping to author and tirelessly pursue the initial execution of the MCA between the NYS Office for Technology and the Integrated Justice Advisory Board (consisting of the NYS Division of State Police, Division of Criminal Justice Services, Division of Parole and the Department of Correctional Services), I became an instant expert in inter-agency bureaucratic diplomacy.
With this “expertise” I’ve been asked to and have presented my experiences and tips on the process at several events (e.g. FBI CJIS Information Security Officer Symposium, NYS NYSPIN Advisory Committee and the NYS Government Local IT Directors Association). I also became a resource for the FBI CJIS Division by fielding their referrals of agencies that were attempting to craft MCAs in their localities.
Crafting MCAs doesn’t have to seem like an endless struggle nor do your stress levels need to rise. The CJIS ACE proactive services suite includes MCA development, review and/or execution assistance. There’s no need to reinvent the wheel, we can help.
For more information, email me directly at: wtatun@diversecomputing.com or give me a call at: 850-656-3333 ext. 283 and we can talk more about MCAs or anything else we can help you with.
Until next time……
Be safe,