The CJIS Security Policy, written and maintained by the Federal Bureau of Investigation, is the standard by which all criminal justice agencies nationwide must protect the sensitive data they possess and share with authorized entities.
The policy outlines requirements such as personnel security, training, encryption, physical security, media protection, access control, and more.
The CBI CJIS Vendor Management Program is designed to help vendors and criminal justice agencies achieve and maintain compliance by providing a simpler fingerprinting/vetting process, assisting with the required training, sharing audit findings, and offering resources for questions about CJIS security.
Before applying, please read through the content below.
CJIS Access Vendors are vendors who support criminal justice agencies in a way that involves a higher level of access to CJI. In short, they access CJIS systems or media intentionally as part of their job function. This would include vendors that provide services such as IT support, software solutions that process or store CJI, drive sanitization/destruction, encryption, cloud storage, etc.
Review the chart below to see how the obligations differ between CJIS Access Vendors and CJIS Support Vendors:
CJIS ACCESS VENDORS
Vendors with direct or indirect access to CJI (e.g., IT support, software, cloud storage, document shredding, media sanitization, etc.) require the Security Addendum (in whole or by reference) in contracts with criminal justice agencies.
If they access CJIS systems or media on purpose to do their jobs, they are an Access Vendor.
CJIS SUPPORT VENDORS
Vendors with situational, potential access to CJI (e.g., custodial, vending, maintenance, etc.) do not require the Security Addendum in contracts, but they are still required to submit a contract, purchase order, or similar as documented proof of supporting a Colorado criminal justice agency.
If they don’t access CJIS systems or media on purpose (they just run the risk of seeing it in the room around them), they are a Support Vendor.
Do they need to submit fingerprints?
Do they need to take Security Awareness Training?
Do their contracts with criminal justice agencies need the Security Addendum by reference?
Does each employee need to sign the Security Addendum Certification page?
There are many requirements a vendor must meet to be compliant with all CJIS security standards; this program only satisfies a few of those obligations. Depending on the services provided, a vendor may be providing compliant solutions to one client, and non-compliant solutions to another.
Therefore, CJIS compliance can often be very fluid, and acceptance into this program does not automatically indicate compliance. Successfully completing a CBI-issued audit is the only way to determine full compliance with CJIS standards, but even then, the CBI does not provide a certification that a vendor is CJIS compliant.
However, participation does demonstrate a working knowledge of CJIS standards and a commitment to maintain these high standards.
Representing to customers that your company is CJIS-Certified by the CBI simply because of acceptance into the program may be considered a violation of the terms of this program.
If any required document is missing, the account application will be held open for 30 days and retired if requirements are not met.
For more information, please contact the CJIS Vendor Management Program team at (303) 239-4222 or firstname.lastname@example.org.