Jump to navigation
The CJIS Security Policy written and maintained by the Federal Bureau of Investigation is the standard by which all criminal justice agencies nationwide must protect the sensitive data they possess and share with authorized entities.
The CBI CJIS Vendor Management Program is designed to help vendors and criminal justice agencies achieve and maintain compliance more easily by providing an easier fingerprinting/vetting process, assisting with the required training, sharing audit findings, and offering resources for questions about CJIS security.
Before applying, please read through the content below.
CJIS Support Vendors are vendors who support criminal justice agencies in a way that puts them in areas where sensitive information is processed or stored. This could include custodial services, maintenance, construction, site security, vending machine maintenance, etc.
Review the chart below to see how the obligations differ between CJIS Access Vendors and CJIS Support Vendors:
CJIS ACCESS VENDORS
CJIS SUPPORT VENDORS
Vendors with direct or indirect access to CJI (e.g., IT support, software, cloud storage, document shredding, media sanitization, etc.) require the Security Addendum (in whole or by reference) in contracts with criminal justice agencies.
If they access CJIS systems or media on purpose to do their jobs, they are an Access Vendor.
Vendors with situational, potential access to CJI (e.g., custodial, vending, maintenance, etc.) do not require the Security Addendum in contracts, but they are still required to submit a contract, purchase order, or similar as documented proof of supporting a Colorado criminal justice agency.
If they don’t access CJIS systems or media on purpose (they just run the risk of seeing it in the room around them), they are a Support Vendor.
Do they need to submit fingerprints?
Do they need to take Security Awareness Training?
Do their contracts with criminal justice agencies need the Security Addendum by reference?
Does each employee need to each sign the Security Addendum Certification page?
Acceptance into this program does not automatically indicate compliance. Successfully completing a CBI-issued audit is the only way to determine full compliance with CJIS standards, but even then, the CBI does not provide a certification that a vendor is CJIS compliant.
However, participation does demonstrate a working knowledge of CJIS standards and a commitment to maintain these standards.
Construing to customers that your company is CJIS-Certified by the CBI simply because of acceptance into the program may be considered a violation of the terms of this program.
If any required document is missing, the account application will be held open for 30 days, and retired if requirements are not met.
For more information, please contact the CJIS Vendor Management Program team at (303) 239-4222 or firstname.lastname@example.org.