HomeMy WebLinkAboutAgreements/Contracts - Juvenile2s'
K21-007
WSP Contract No. K16529
MEMORANDUM OF UNDERSTANDING
Between the
WASHINGTON STATE PATROL
And the
GRANT COUNTY JUVENILE COURT
PURPOSE
The parties to this Memorandum of Understanding (MOU) are the Washington State Patrol (WSP), and
the Grant County Juvenile Court (a non -criminal justice agency) known hereinafter as the NCJA. This
MOU sets forth the policy to ensure the protection of criminal history record information (CHRI)
between the WSP, the NCJA, and the Federal Bureau of Investigation (FBI). This MOU provides
guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction
of CHRI data. This policy applies to the NCJA and its contractors with access to, or who operate in
support of, non -criminal justice services and information.
H. ADMINISTRATIVE RESPONSIBILITIES
As participants in this MOU, the parties will develop mutually and separately appropriate procedures
for transmission, dissemination, storage, and destruction of CHRI data.
1. The Washington State Patrol shall ensure the NCJA complies with the Criminal Justice
Information Services (CJIS) Security Policy (Section X) which includes authorized use of CHRI,
dissemination of CHRI, statute authorization for civil applicant background checks conducted by
noncriminal justice agencies, applicant notification and record challenge, security of CHRI,
storage of CHRI, outsourcing of noncriminal justice administrative functions, and user fees. WSP
will conduct business and technical security audits every three years of the agency(ies) receiving
CHRI to ensure compliance to all state and federal standards.
2. The NCJA shall be responsible for ensuring:
a. The NCJA responds to requests for information by the FBI CJIS Division or the WSP in
the form of questionnaires, surveys, or similar methods, to the maximum extent possible,
consistent with any fiscal, time, or personnel constraints of the agency.
b. The NCJA has formalized written procedures for the following:
i. Non -criminal Justice Agency (NCJA) Misuse
ii. Non -criminal Justice Agency (NCJA) Physical Protection
iii. Fingerprint Process
iv. Password management
v. Disposal of physical and electronic media used to process CHRI
vi. Security Incident Reporting.
c. CHRI received as a result of licensing or employment purposes, pursuant to Public Law
92-544, Housing and Urban Development (HUD), and/or Purpose Code X/Emergency
Placement is solely used for the purpose for which the record was requested. Subject
fingerprints shall be submitted with all requests for CHRI for noncriminal justice
purposes. Terminal based access to CHRI using name -based inquiry and record request
messages is not permitted for noncriminal justice purposes, unless otherwise approved by
the FBI and WSP.
d. Access to CHRI by authorized officials is subject to cancellation if dissemination is made
outside the receiving departments, related agencies, or other authorized entities.
e. All fingerprint based applicant submissions must include in the `reason fingerprinted' field
an accurate representation of the purpose and/or authority for which the CHRI is to be
used.
f. The NCJA must notify the applicants fingerprinted that the fingerprints will be used to
check the crinunal history records of the FBI. The officials making the detennination of
suitability for licensing or employment shall provide the applicants the opportunity to
FBI MOU CHRI AAG APPROVED NCJA—Rev 12-21-20 Page 1 of 5
WSP Contract No. K16529
complete, or challenge the accuracy of, the information contained in the FBI identification
record. These officials also must advise the applicants that procedures for obtaining a
change, correction, or updating of an FBI identification record are set forth in Title 28,
C.F.R. 16.34. Official making such determinations should not deny the license or
employment based on information in the record until the applicant has been afforded a
reasonable time to correct or complete the record, or has declined to do so.
g. Appropriate administrative, technical, and physical safeguards to insure the security and
confidentiality of records and to protect against any anticipated threats or hazards to their
security or integrity.
h. The NCJA shall seek WSP permission prior to outsourcing noncriminal justice functions.
i. Outsourcing of noncriminal justice administrative functions requiring access to CHRI to
either another governmental agency or a private contractor acting as an agent for the
authorized receiving agency complies with the Security and Management Control
Outsourcing Standard for Non-Channelers.
j. The NCJA is responsible for compliance to technical standards set forth by WSP and the
CJIS Security Policy
k. The NCJA will conduct periodic self -audits to ensure compliance with the CJIS Security
Policy.
1. The NCJA will participate in WSP and FBI audits, provide plans for any compliance
issues, and follow through to resolution within identified timeframes.
m. The NCJA will ensure all appropriate staff members are trained according to the state and
federal requirements.
III. CRIMINAL HISTORY RECORD INFORMATION RESPONSBILITIES
The NCJA shall conform to system policies, as established by the FBI CJIS Division and WSP, before
access to CHRI is permitted. This will allow for control over the data and give assurance of system
security.
1. The rules and procedures governing access to CHRI shall apply equally to all participants in
the system.
2. All noncriminal justice agencies with access to CM data must designate a specific unit,
position, or personnel to access CHRI; noncriminal justice agencies must advise WSP of such
personnel and changes to such designation.
3. All noncriminal justice agencies with access to CHRI data from the system shall permit an
FBI CJIS Division or WSP audit team to conduct appropriate audits. The NCJA must
cooperate with these audits and respond promptly.
IV. SECURITY RESPONSIBILITIES
Technical Roles and Responsibilities
The NCJA must comply with and enforce system security. NCJA must have someone designated as
the IT Point of Contact (IT POC). IT POC's shall be responsible for the following:
1. Identify who is using the WSP approved hardware, software, and firmware and ensure no
unauthorized individuals or processes have access to the same.
2. Identify and document how the equipment is connected to the state system.
3. Ensure that personnel security screening procedures are being followed as stated in the CJIS
Security Policy.
4. Ensure the approved and appropriate security measures are in place and working as
expected.
5. Support policy compliance and ensure the WSP CJIS Information Security Officer is
promptly informed of security incidents.
Security Enforcement
The NCJA is responsible for enforcing system security standards for their agency, in addition to all of
the other agencies to which the NCJA provides CHRI information. Authorized users shall access and
FBI MOU CHRI AAG APPROVED NCJA Rev 12-21-20 Page 2 of 5
Professional Services Agreement re
Adult Drug Court Disoretionary Grant
Page 5 of 5
13. Sgy§ }, i , It is understood and agreed by the parties hereto that if any part, term or provision of
this Agreement is hold by the courts to be illegal, the validity of the remaining provisions shall
not be at`Iboted, and the rights And obligation of the parties shall be construed and enforced as if
the Agreement did not contain the particular provisions held to be Invalid, If it should appear that
any pmvision thereof is in conflict with the fbderat law, rule or regulation or.matutory provision
of the .State of Washingtoti, said provision which may conflict therewith shall be deemed
inoperative and null and void :insofar as it may be in conflict therewith, and shall be doemed
modified to +Conform to such statutory provision.
14. Ettore Qntract: The parties agree that this contract is the complete. expression `of the terms hereto
and any oral representations or understandings not incorporated herein are excluded,
DATED this __ l "` . day of -12021
CONTRACTOR
a4cj
Ellen Coodmain
1711 Camden Park IJrivd SW
Olympia, WA 98512
/-97•-aca1
Date
� BA J.
J, VAS
C1e o the Board
APPROVED AS TO FORM
I *� '—
Kevi J. Crae
Chief Civil Deputy Prosecutor
WSP Contract No. K16529
disseminate the CM data only for the purpose for which they are authorized. NCJA shall have a
written policy for the discipline of policy violators.
Technical Security Training
All Information Technology (IT) employees who have access to and those who have direct
responsibility to configure and maintain FBI CJIS systems must review security awareness training
within six months of their appointment or assignment.
Physical Security
A physically secure location is a facility, a criminal justice conveyance, or an area, a room, or a
group of rooms within a facility with both the physical and personnel security controls sufficient to
protect CJI and associated information systems. The perimeter of the physically secure location shall
be prominently posted and separated from non -secure locations by physical controls. Security
perimeters shall be defined, controlled, and secured.
Personnel Security
Only authorized personnel will have access to physically secure non-public locations. The agency
will maintain and keep current a list of authorized personnel. All physical access points into the
agency's secure areas will be authorized before granting access. The agency will implement access
controls and monitoring of physically secure areas for protecting all transmission and display
mediums of CHRI. Authorized personnel will take necessary steps to prevent and protect the
agency from physical, logical and electronic breaches.
All personnel with physical and/or logical access to CHRI and are not escorted must:
1. Meet the minimum personnel screening requirements prior to CHRI access (if allowed by
statute)
a. If statutorily allowed (i.e. a state or federal statute allows or requires personnel to be
fingerprinted)
i. To verify identification, state of residency and national fingerprint -based record
checks shall be conducted prior to granting access to CJI/CHRI for all personnel
who have unescorted access to unencrypted CJI/CHRI or unescorted access to
physically secure locations or controlled areas (during times of CJI/CHRI
processing).
2. Complete Security Awareness Training
a. All authorized personnel with physical or logical access to CHRI, will take the required
Security Awareness Training in CJIS Online within six months of being granted duties
that require CHRI access and every two years thereafter
The NCJA shall use the data supplied by WSP and the FBI under this MOU only for the authorized
purpose intended. NCJA shall not use this data for any other purpose and shall not disseminate this
data with any other parties unless required by law. The NCJA shall provide notice and a copy of any
public records requests or subpoenas regarding the data to the WSP within five business days after the
NCJA receives the request or subpoena.
Storage
When CHRI is stored, agencies shall establish appropriate administrative, technical and physical
safeguards to ensure the security and confidentiality of the information. These records shall be stored
for extended periods only when they are key elements for the integrity and/or utility of case files
and/or criminal record files.
The NCJA shall securely store digital and physical media within physically secure locations or
controlled areas. The agency shall restrict access to digital and physical media to authorized
individuals. If physical and personnel restrictions are not feasible then the data shall be encrypted per
the requirements of the CJIS Security Policy.
FBI MOU CHRI AAG APPROVED NCJA Rev 12-21-20 Page 3 of 5
WSP Contract No. K16529
V. IMMIGRATION ENFORCEMENT RESPONSIBILITIES
Under Washington's recently passed Keep Washington Working (KWW) law, the WSP is generally
prohibited from enforcing federal immigration law. See RCW 10.93.160. This prohibition is in
recognition of the fact that, standing alone, an individual's unauthorized presence in the United
States is not a violation of state or local law. Thus, neither WSP nor any of its members may contract
in any way to provide civil or non -criminal immigration enforcement assistance, including through
agreements for task force participation, mutual aid, data sharing, communications dispatch, or any
other agreement that shares resources and/or provides data as described herein.
V1.
Therefore, to comply with KWW, the NCJA shall not use or share WSP resources and/or data,
including any individuals' personal information ascertained by the WSP or its personnel, with any
third parties or to support or engage in civil or non -criminal immigration enforcement activities.
The prohibition on information sharing includes place of birth, present location, release date from
detention, if applicable, and family members' names, absent a court order, judicial warrant, or as
may be required by the Public Records Act (PRA), chapter 42.56 RCW. Incidents of disclosure of
such personal information shall be considered a breach of this agreement and shall be reported to a
designated WSP official.
LIAISON REPRESENTATIVES
For the Washington State Patrol:
Kevin L. Baird, CJIS Information Security Officer
PO Box 42619
Olympia WA 98504-2619
Phone: 360-534-2161
Fax: 360-534-2070
E-mail: kevin.baird(djwsp.wa.eov
For NCJA:
Suhail Palacios
PO Box 818
Ephrata WA 98823
Phone: 509-754-5690 ext 4430
E-mail: spalacios(u)-izrantcountywa.gov
VII. INDEMNIFICATION
To the extent permitted by law, each party shall defend, protect and hold harmless the other party from
and against all claims, suits and/or actions arising from any negligent or intentional act or omission of
that party's employees, agents, and/or authorized subcontractor(s) while performing this MOU.
VIII. PERIOD OF MOU
This MOU becomes effective on the date of the last signature and continues for five (5) years and may
be renewed. It may be modified by mutual written consent of the two agencies.
IX. TERMINATION
Except as otherwise provided in this MOU, either party may terminate this MOU upon ninety (90) days'
written notification to the other party. If this MOU is so terminated, the terminating party shall be liable
only for performance in accordance with the terms of this MOU for performance prior to the effective date
of termination.
X. DISPUTES.
In the event that a dispute arises under this MOU, it shall be resolved by a Dispute board as follows: The
Chief of the WSP, or designee, shall appoint one member to the Dispute Board; the NCJA shall appoint
one member to the Dispute Board; and the Chief of the WSP, or designee, and the NCJA shall jointly
appoint an additional member to the Dispute Board. The Dispute Board shall evaluate the dispute and
rnake a determination of the dispute. The determination of the Dispute Board shall be final and binding
on the parties hereto. If applicable and as an alternative to this process, either of the parties may
request intervention by the Superior Courts of Thurston County.
FBI MOU CHRI AAG APPROVED NCJA Rev 12-21-20 Page 4 of 5
WSP Contract No. K16529
This Memorandum of Understanding shall be deemed to have been made in Thurston County, in the State
of Washington, and its validity construction, interpretation and legal effect shall be governed by the laws
of the State of Washington. The parties acknowledge that they have voluntarily entered into a consensual
relationship and, by doing so, have knowingly and voluntarily consented to the jurisdiction of the State of
Washington. The parties agree:
1. Any action, suit, or proceeding arising from or based upon this Memorandum of Understanding
shall be commenced in and determined exclusively by the appropriate Superior Courts of
Thurston County.
2. To submit to and to be bound by the jurisdiction of those appropriate courts.
3. Service of process may be effected by certified mail, which shall be as binding as if personally
served.
XI. EXHIBITS
The documents listed below are incorporated into and made a part of this MOU:
1. FBI CJIS Security olicv-resom-ce-
center.
NCJA shall store records in accordance with Exhibit A, the Security and Management
Control Outsourcing Standard for Non-Channelers. Exhibit A, attached hereto, is the most
recently revised Standard. The Standard can be found at the following link:
https://www.lbi.rov/file-reposito /r�pact-council-security-and-management-control-
outsourciny-standard-for-non-charulelers.pdf/view The NCJA shall review the Standard at
least yearly, and adhere to any the provisions of the most recently implemented by the
National Crime Prevention and Privacy Compact Council.
XH. ORDER OF PRECEDENCE
In the event of any inconsistency in the terms of this MOU, unless otherwise provided herein, the
inconsistency shall be resolved by giving precedence in the following order:
a. Applicable federal and state statutes and regulations;
b. The Terms and Conditions contained in this MOU;
c. Security and Management Control Outsourcing Standard for Non-Channelers;
d. Any other provisions of the MOU, whether incorporated by reference or otherwise.
XIII. ALL WRITINGS CONTAINED HEREIN
This MOU contains all the terms and conditions agreed upon by the parties. No other understandings, oral
or otherwise, regarding the subject matter of this MOU shall be deemed to exist or to bind any of the parties
hereto.
WASHINGTON STATE PATROL
John R. Batiste, Chief
Date
GRANT COUNTY JUVENILE COURT
Sign Lure Date
ca / ► y� r (11 `�i►Z;�C�'
Print Name and Title
FBI MOU CHRI AAG APPROVED NCJA Rev 12-21-20 Pale 5 of 5
WSP Contract No. K16529
This Memorandum of Understanding shall be deemed to have been made in Thurston County, in the State
of Washington, and its validity construction, interpretation and legal effect shall be governed by the laws
of the State of Washington. The parties acknowledge that they have voluntarily entered into a consensual
relationship and, by doing so, have knowingly and voluntarily consented to the jurisdiction of the State of
Washington. The parties agree:
1. Any action, suit, or proceeding arising from or based upon this Memorandum of Understanding
shall be commenced in and determined exclusively by the appropriate Superior Courts of
Thurston County.
2. To submit to and to be bound by the jurisdiction of those appropriate courts.
3. Service of process may be effected by certified mail, which shall be as binding as if personally
served.
XI. EXHE3ITS
The documents listed below are incorporated into and made a part of this MOU:
1. FBI CJISSecurity Policyhttps:/h�nna� fbi.gov/sen�ices/cjis/cjis-securit�noliCt�-resotrrce-
center,
2. NCJA shall store records in accordance with Exhibit A, the Security and Management
Control Outsourcing Standard for Non-Channelers. Exhibit A, attached hereto, is the most
recently revised Standard. The Standard can be found at the following link:
https•//www fbi gov/file-repository/compact-council-security-and-management-control-
outsourcing-standard-for-non-channelers.pdf/view TheNCJA shall review the Standard at
least yearly, and adhere to any the provisions of the most recently implemented by the
National Crime Prevention and Privacy Compact Council.
XII. ORDER OF PRECEDENCE
In the event of any inconsistency in the terms of this MOU, unless otherwise provided herein, the
inconsistency shall be resolved by giving precedence in the following order:
a. Applicable federal and state statutes and regulations;
b. The Terms and Conditions contained in this MOU,
c. Security and Management Control Outsourcing Standard for Non-Channelers;
d. Any other provisions of the MOU, whether incorporated by reference or otherwise.
XIII. ALL WRITINGS CONTAINED HEREIN
This MOU contains all the terms and conditions agreed upon by the parties. No other understandings, oral
or otherwise, regarding the subject matter of this MOU shall be deemed to exist or to bind any of the parties
hereto.
WASHINGTON STATE PATROL
Sin Tee
Simon Tee Date. 2021 01.1.221b16:51 43 -08'00'
John R. Batiste, Chief
Date
GRANT COUNTY JUVENILE COURT
Sign ture Date
-50yuli 9clyzkA Cax+ iD*aC n'
Print Name and Title '
FBI MOU CHRI AAO APPROVED NCJA_Rev 12-21-20 Page 5 of 5
ATTEST:
�L-
ra J. Vasque
CI of the Boar
[IF APPLICABLE:]
Approved as to form:
Date� ii , 2021
Kevin McCrae, WSBA #43487
Chief Civil Deputy Prosecuting Attorney
BOARD OF C NTY
COMMIS SIO ER
T OUET
Cindy Cart6r, Chair
INGTON
Danny E�Stone, Chair
Rob Jo s, Member
Exhibit A
National Crime Prevention
and Privacy Compact Council
Security and
Management Control
Outsourcing Standard
for Non-Channelers
Approved by the Council on
May 16, 2018
Exhibit A
SECURITY and MANAGEMENT CONTROL OUTSOURCING STANDARD for
NON-CHANNELERS
The goal of this document is to provide adequate security and integrity for
criminal history record information (CHRI) while under the control or management of an
outsourced third party, the Contractor. Adequate security is defined in Office of
Management and Budget Circular A-130 as "security commensurate with the risk and
magnitude of harm resulting from the loss, misuse, or unauthorized access to or
modification of information."
The intent of this Security and Management Control Outsourcing Standard
(Outsourcing Standard) is to require that the Contractor maintain a security program
consistent with federal and state laws, regulations, and standards (including the FBI
Criminal Justice Information Services (CJIS) Security Policy) as well as with rules,
procedures, and standards established by the Compact Council and the United States
Attorney General.
This Outsourcing Standard identifies the duties and responsibilities with
respect to adequate internal controls within the contractual relationship so that the
security and integrity of the Interstate Identification Index (III) System and CHRI are not
compromised. The standard security program shall include consideration of site security,
dissemination restrictions, personnel security, system security, and data security.
The provisions of this Outsourcing Standard are established by the
Compact Council pursuant to 28 CFR Part 906 and are subject to the scope of that rule.
They apply to all personnel, systems, networks, and facilities supporting and/or acting on
behalf of the Authorized Recipient to perform noncriminal justice administrative
functions requiring access to CHRI without a direct connection to the FBI CJIS Wide
Area Network (WAN).
1.0 Definitions
1.01 Access to CHRI means to view or make use of CHRI obtained from the III
System but excludes direct access to the III System by computer terminal or
other automated means by Contractors other than those that may be
contracted by the FBI or state criminal history record repositories or as
provided by Title 34, United States Code (U.S.C.), Section 40314 (b),
(formally cited as 42 U.S.C. S 14614(b)).
1.02 Author ed Recipient means (1) a nongovernmental entity authorized by
federal statute or federal executive order to receive CHRI for noncriminal
justice purposes, or (2) a government agency authorized by federal statute,
federal executive order, or state statute which has been approved by the
United States Attorney General to receive CHRI for noncriminal justice
purposes.
last updated 05/16/2018
Exhibit A
1.03 Clzief'Adin inistrator means the primary administrator of a Nonparty State's
criminal history record repository or a designee of such administrator who
is a regular frill -time employee of the repository, which is also referred to as
the State Identification Bureau (SIB) Chief.
1.04 CHRI, as referred to in Article I(4) of the Compact, means inforination
collected by criminal justice agencies on individuals consisting of
identifiable descriptions and notations of arrests, detentions, indictments, or
other formal criminal charges, and any disposition arising therefrom,
including acquittal, sentencing, correctional supervision, or release; but
does not include identification information such as fingerprint records if
such information does not indicate involvement of the individual with the
criminal justice system.
1.05 Criminal History Record Check, for purposes of this Outsourcing Standard
only, means an authorized noncriminal justice fingerprint -based search of a
state criminal history record repository and/or the FBI system.
1.06 Compact Officer, as provided in Article 1(2) of the Compact, means (A)
with respect to the Federal Government, an official [FBI Compact Officer]
so designated by the Director of the FBI [to administer and enforce the
compact among federal agencies], or (B) with respect to a Party State, the
chief administrator of the State's criminal history record repository or a
designee of the chief administrator who is a regular full-time employee of
the repository.
1.07 Contractor means a government agency, a private business, non-profit
organization or individual, that is not itself an Authorized Recipient with
respect to the particular noncriminal justice purpose, who has entered into a
contract with an Authorized Recipient to perform noncriminal justice
administrative functions requiring access to CHRI.
1.08 Dissemination means the disclosure of III CHRI by an Authorized
Recipient to an authorized Contractor, or by the Contractor to another
Authorized Recipient consistent with the Contractor's responsibilities and
with limitations imposed by federal and state laws, regulations, and
standards as well as rules, procedures, and standards established by the
Compact Council and the United States Attorney General.
1.09 Identity History Summary (MHS), for the purposes of this Outsourcing
Standard, means the report of all identification, demographic, and event
information (criminal and/or civil) within a Next Generation Identification
(NGI) Identity record which may be disseminated to an Authorized
Recipient contingent upon legislation and federal regulations. The IdHS
contains the criminal justice information associated with criminal
fingerprint (i.e., "rap sheets") and/or noncriminal justice information
associated with the civil fingerprints, therefore the existence of an IdHS
last updated 05/16/2018
Exhibit A
alone does not reflect criminal history events on that NGI Identity. This
term is unique to NGI and is not intended to affect other agencies' use of
the term "rap sheet" to describe reports of information in their identification
repositories.
1.10 Noncriminal Justice Administrative Functions means the routine
noncriminal justice administrative functions relating to the processing of
CHRI, to include but not limited to the following:
1. Making fitness deter-rminations/recommendations
2. Obtaining missing dispositions
3. Disseminating CHRI as authorized by Federal statute, Federal
Executive Order, or State statute approved by the United States
Attorney General
4. Other authorized activities relating to the general handling, use, and
storage of CHRI
1.11 Noncriminal Justice Purposes, as provided in Article I(18) of the Compact,
means uses of criminal history records for purposes authorized by federal
or state law other than purposes relating to criminal justice activities,
including employment suitability, licensing determinations, immigration
and naturalization matters, and national security clearances.
1.12 Outsourcing Standard means a document approved by the Compact
Council after consultation with the United States Attorney General which is
to be incorporated by reference into a contract between an Authorized
Recipient and a Contractor. This Outsourcing Standard authorizes access
to CHRI for noncriminal justice purposes, limits the use of the information
to the purposes for which it is provided, prohibits retention and/or
dissemination except as specifically authorized, ensures the security and
confidentiality of the information, provides for audits and sanctions,
provides conditions for termination of the contract, and contains such other
provisions as the Compact Council may require.
1.13 Personally Identifiable Information (PH) means information which can be
used to distinguish or trace an individual's identity, such as name, social
security number, or biometric records, alone or when combined with other
personal or identifying information which is linked or linkable to a specific
individual, such as date and place of birth, or mother's maiden name.
1.14 Physically Secure Location means a facility or an area, a room, or a group
of rooms, within a facility with both the physical and personnel security
controls sufficient to protect CHRI and associated information systems.
1.15 PII Breach means the loss of control, compromise, unauthorized disclosure,
unauthorized acquisition, unauthorized access or any similar term referring
to situations where persons other than the authorized users, and for other
last updated 05/16/2018
Exhibit A
than authorized purposes, have access or potential access to PII, whether
physical or electronic,
1.16 Positive Identification, as provided in Article I(20) of the Compact, means a
determination, based upon a comparison of fingerprints' or other equally
reliable biometric identification techniques, that the subject of a record
search is the same person as the subject of a criminal history record or
records indexed in the III System. Identifications based solely upon a
comparison of subjects' names or other non -unique identification
characteristics or numbers, or combinations thereof, shall not constitute
positive identification.
1.17 Public Carrier Network means a telecommunications infrastructure
consisting of network components that are not owned, operated, and
managed solely by the agency using that network, i.e., any
telecommunications infrastructure which supports public users other than
those of the agency using that network. Examples of a public carrier
network include but are not limited to the following: Dial-up and Internet
connections, network connections to Verizon, network connections to
AT&T, ATM Frame Relay clouds, wirelessnetworks, wireless links, and
cellular telephones. A public carrier network provides network services to
the public; not just to the single agency using that network.
1.18 Security Violation means the failure to prevent or failure to institute
safeguards to prevent access, use, retention, or dissemination of CHRI in
violation of: (A) Federal or state law, regulation, or Executive Order; or
(B) a rule, procedure, or standard established by the Compact Council and
the United States Attorney General.
2.0 Responsibilities of the Authot•ized Recipient
2.01 Prior to engaging in outsourcing any noncriminal justice administrative
functions, the Authorized Recipient shall: (a) Request and receive written
permission from (1) the State Compact Officer/Chief Administrator or (2)
' The Compact Council currently defines positive identification for noncriminal justice
purposes as identification based upon a qualifying ten -rolled or qualifying ten -flat
fingerprint submission. Further information concerning positive identification may be
obtained from the FBI Compact Council office.
2The Compact Officer/Chief Administrator may not grant such permission unless he/she has
implemented a combined state/federal audit program to, at a minimum, triennially audit a
representative sample of the Contractors and Authorized Recipients engaging in outsourcing
with the first of such audits to be conducted within one year of the date the Contractor first
receives CHRI under the approved outsourcing agreement. A representative sample will be
based on generally accepted statistical sampling methods.
4
last updated 05/16/20 t 8
2.02
2.03
Exhibit A
the FBI Compact Officer 3; and (b) provide the State Compact Officer/Chief
Administrator or the FBI Compact Officer copies of the specific authority
for the outsourced work, criminal history record check requirements, and/or
a copy of relevant portions of the contract as requested.
The Authorized Recipient shall execute a contract or agreement prior to
providing a Contractor access to CHRI. The contract shall, at a minimum,
incorporate by reference and have appended thereto this Outsourcing
Standard.
The Authorized Recipient shall, in those instances when the Contractor is to
perforin duties requiring access to CHRI, specify the terms and conditions
of such access; limit the use of such information to the purposes for which
it is provided; limit retention of the information to a period of time not to
exceed that period of time the Authorized Recipient is permitted to retain
such information; prohibit dissemination of the information except as
specifically authorized by federal and state laws, regulations, and standards
as well as with rules, procedures, and standards established by the Compact
Council and the United States Attorney General; ensure the security and
confidentiality of the information to include confirmation that the intended
recipient is authorized to receive CHRI; provide for audits and sanctions;
provide conditions for termination of the contract; and ensure that
Contractor personnel comply with this Outsourcing Standard.
a. The Authorized Recipient shall conduct criminal history record
checks of Contractor personnel having access to CHRI if such
checks of the Authorized Recipient's personnel are required or
authorized under an existing federal statute, executive order, or state
statute approved by the United States Attorney General under Public
Law 92-544.4 The Authorized Recipient shall maintain updated
records of Contractor personnel who have access to CHRI and
update those records within 24 hours when changes to that access
3State or local Authorized Recipients based on State or Federal Statutes shall contact the
State Compact Officer/Chief Administrator. Federal or Regulatory Agency Authorized
Recipients shall contact the FBI Compact Officer.
4 i a national criminal history record check of Authorized Recipient personnel having
access to CHRI is mandated or authorized by a federal statute, executive order, or state
statute approved by the United States Attorney General under Public Law 92-544, the
State Compact Officer/Chief Administrator and/or the FBI Compact Officer must ensure
Contractor personnel accessing CHRI are either covered by the existing law or that the
existing law is amended to include such Contractor personnel prior to authorizing
outsourcing initiatives. The national criminal history record checks of Contractor
personnel with access to CHRI cannot be outsourced and must be performed by the
Authorized Recipient.
last updated 05/16/2018
Exhibit A
occur and, if a criminal history record check is required, the
Authorized Recipient shall maintain a list of Contractor personnel
who successfully completed the criminal history record check.
b. The Authorized Recipient shall ensure that the Contractor maintains
site security. (See the current CJIS Security Policy
[www.fbi.gov/about-us/cjis/cj is-security-policy-resource-center/view])
C. The State Compact Officer/Chief Administrator or the FBI Compact
Officer shall make available the most current versions of both the
Outsourcing Standard and the CJIS Security Policy to the
Authorized Recipient within 60 calendar days (unless otherwise
directed) of notification of successor versions of the Outsourcing
Standard and/or the CHS Security Policy. The Authorized Recipient
shall notify the Contractor within 60 calendar days of the FBI/state
notification regarding changes or updates to the Outsourcing
Standard and/or the CJIS Security Policy. The Authorized Recipient
shall be responsible to ensure the most updated versions are
incorporated by reference at the time of contract, contract renewal,
or within the 60 calendar day notification period, whichever is
sooner.
d. The Authorized Recipient and/or Contractor shall make available to
the State Compact Officer/Chief Administrator or the FBI Compact
Officer the relevant portions of the current and approved contract
relating to CHRI, upon request.
2.04 The Authorized Recipient shall understand the communications and record
capabilities of the Contractor which has access to federal or state records
through, or because of, its outsourcing relationship with the Authorized
Recipient. The Authorized Recipient shall request and approve a
topological drawing which depicts the interconnectivity of the Contractor's
network configuration as it relates to the outsourced function(s). The
Authorized Recipient shall understand and approve any modifications to
the Contractor's network configuration as it relates to the outsourced
function(s). For approvals granted through the State Compact
Officer/Chief Administrator, the Authorized Recipient, if required, shall
coordinate the approvals with the State Compact Officer/Chief
Administrator.
2.05 The Authorized Recipient is responsible for the actions of the Contractor
and shall monitor the Contractor's compliance to the terms and conditions
of the Outsourcing Standard. For approvals granted through the FBI
Compact Officer, the Authorized Recipient shall certify to the FBI
Compact Officer that an audit was conducted with the Contractor within 90
days of the date the Contractor first receives CHRI under the approved
last updated 05/16/2018
Exhibit A
outsourcing agreement. For approvals granted through the State Compact
Officer/Chief Administrator, the Authorized Recipient, in conjunction with
the State Compact Officer/Chief Administrator, will conduct an audit of the
Contractor within 90 days of the date the Contractor first receives CHRI
under the approved outsourcing agreement, The Authorized Recipient shall
certify to the State Compact Officer/Chief Administrator that the audit was
conducted.
2.06 The Authorized Recipient shall provide written notice of any early
voluntary termination of the contract to the Compact Officer/Chief
Administrator or the FBI Compact Officer.
2.07 The Authorized Recipient shall appoint an Information Security Officer.
The Authorized Recipient's Information Security Officer shall:
a. Serve as the security POC for the FBI CJIS Division Information
Security Officer.
b. Document technical compliance with this Outsourcing Standard.
C. Establish a security incident response and reporting procedure to
discover, investigate, document, and report on major incidents that
significantly endanger the security or integrity of the noncriminal
justice agency systems to the CJIS Systems Officer, State Compact
Officer/Chief Administrator and the FBI CJIS Division Information
Security Officer.
2.08 The Authorized Recipient shall immediately (within one hour) notify the
State Compact Officer/Chief Administrator or the FBI of any PII breach.
The Authorized Recipient shall also provide a written report of any PII
breach (to include unauthorized access to CHRI by the Contractor) to the
State Compact Officer/Chief Administrator or the FBI within five calendar
days of receipt of the initial report of the PII breach. The written report
must include corrective actions taken by the Authorized Recipient and, if
necessary, the Contractor to resolve such PII breach.
3.0 Responsibilities of the Contractor-
3.01 The Contractor and its employees shall comply with all federal and state
laws, regulations, and standards (including the CJIS Security Policy) as
well as with rules, procedures, and standards established by the Compact
Council and the United States Attorney General.
3.02 The Contractor shall develop, document, administer, and maintain a
Security Program (Physical, Personnel, and Information Technology) to
comply with the most current Outsourcing Standard and the most current
CJIS Security Policy. The Security Program shall describe the
implementation of the security requirements outlined in this Outsourcing
Standard and the CJIS Security Policy. In addition, the Contractor is also
last updated 05/16/2018
Exhibit A
responsible to set, maintain, and enforce the standards for the selection,
supervision, and separation of personnel who have access to CHRI. The
Authorized Recipient shall provide the written approval to the State
Compact Officer/Chief Administrator or the FBI Compact Officer of a
Contractor's Security Program. For approvals granted through the State
Compact Officer/Chief Administrator, it is the responsibility of the State
Compact Officer/Chief Administrator to ensure the Authorized Recipient is
in compliance with the CJIS Security Policy.
3.03 The requirements for a Security Program should include, at a minimum:
a) Description of the implementation of the security requirements
described in this Outsourcing Standard and the CJIS Security Policy.
b) Security Training.
c) Guidelines for documentation of security violations to include:
i) Develop and maintain a written incident reporting plan to address
security events, to include violations and incidents. (See the CJIS
Security Policy
f www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/
view}).
ii) A process in place for reporting security violations.
d) Standards for the selection, supervision, and separation of personnel
with access to CHRI.
**If the Contractor is using a corporate policy, it must meet the
requirements outlined in this Outsourcing Standard and the CJIS Security
Policy. If the corporate policy is not this specific, it must flow down to a
level where the documentation supports these requirements.
3.04 Except when the training requirement is retained by the Authorized
Recipient, the Contractor shall develop a Security Training Program for all
Contractor personnel with access to CHRI prior: to their
appointment/assignment. The Authorized Recipient shall review and
provide to the Contractor written approval of the Security Training Program.
Training shall be provided upon receipt of notice from the Compact
Officer/Chief Administrator on any changes to federal and state laws,
regulations, and standards as well as with rules, procedures, and standards
established by the Compact Council and the United States Attorney General.
Annual refresher training shall also be provided. The Contractor shall
annually, not later than the anniversary date of the contract, certify in
writing to the Authorized Recipient that annual refresher training was
completed for those Contractor personnel with access to CHRI.
3.05 The Contractor shall make its facilities available for announced and
unannounced audits and security inspections performed by the Authorized
Recipient, the state, or the FBI on behalf of the Compact Council.
last updated 05/16/2018
Exhibit A
3.06 The Contractor's Security Program is subject to review by the Authorized
Recipient, the Compact Officer/Chief Administrator, and the FBI CJIS
Division. During this review, provision will be made to update the Security
Program to address security violations and to ensure changes in policies
and standards as well as changes in federal and state law are incorporated.
3.07 The Contractor shall maintain CHRI only for the period of time necessary
to fulfill its contractual obligations but not to exceed the period of time that
the Authorized Recipient is authorized to maintain and does maintain the
CHRI.
3.08 The Contractor shall maintain a log of any dissemination of CHRI, for a
minimum of 365 days.
3.09 The Authorized Recipient and/or Contractor shall make available to the
State Compact Officer/Chief Administrator or the FBI Compact Officer the
relevant portions of the current and approved contract relating to CHRI,
upon request.
4.0 Site Security
4.01 The Authorized Recipient shall ensure that the Contractor site(s) is a
physically secure location to protect against any unauthorized access to
CHRI.
5.0 Dissemination
5.01 The Contractor shall not disseminate CHRI without the consent of the
Authorized Recipient, and as specifically authorized by federal and state
laws, regulations, and standards as well as with rules, procedures, and
standards established by the Compact Council and the United States
Attorney General.
5.02 An up-to-date log concerning dissemination of CHRLshall be maintained
by the Contractor for a minimum one year retention period. This log must
clearly identify: (A) the Authorized Recipient with unique identifiers to
include the FBI assigned Originating Agency Idenifiers to include the FBI
assigned Originating Agency Identifier (ORI)/Originating Agency Case
(OCA) number, (B) the Transaction Control Number (TCN), (C) the date of
dissemination, (D) the statutory authority for dissemination, and (E) the
means of dissemination.
5.03 If CHRI is stored or disseminated in an electronic format, the Contractor
shall protect against unauthorized access to the equipment and any of the
data. In no event shall responses containing CHRI be disseminated other
than as governed by this Outsourcing Standard or more stringent contract
requirements.
last updated 05/16/2018
Exhibit A
6.0 Personnel Security
6.01 If a local, state, or federal written standard requires or authorizes a criminal
history record check of the Authorized Recipient's personnel with access to
CHRI, then a criminal history record check shall be required of the
Contractor's (and approved Sub -Contractor's) employees having access to
CHRI. Criminal history record checks of Contractor and approved
Sub -Contractor employees, at a minimum, will be no less stringent than
criminal history record checks that are performed on the Authorized
Recipient's personnel performing similar functions. Criminal history
record checks must be completed prior to accessing CHRI under the
contract.
6.02 The Contractor shall ensure that each employee performing work under the
contract is aware of the requirements of the Outsourcing Standard and the
state and federal laws governing the security and integrity of CHRI. The
Contractor shall confirn in writing that each employee has certified in
writing that he/she understands the Outsourcing Standard requirements and
laws that apply to his/her responsibilities. The Contractor shall maintain
the employee certifications in a file that is subject to review during audits.
Employees shall make such certification prior to performing work under the
contract.
6.03 The Contractor shall maintain updated records of personnel who have
access to CHRI, update those records within 24 hours when changes to that
access occur, and if a criminal history record check is required, maintain a
list of personnel who have successfully completed criminal history record
checks. The Contractor shall notify Authorized Recipients within 24 hours
when additions or deletions occur.
7.0 System Security
7.01 The Contractor's security system shall comply with the CJIS Security
Policy in effect at the time the Outsourcing Standard is incorporated into
the contract and with successor versions of the CJIS Security Policy.
a. Devices shall be implemented to provide a point of defense and a
controlled and audited access to CHRI, both from inside and outside
the networks.
b. Data encryption shall be required for data in transit pursuant to the
requirements in the CJIS Security Policy.
7.02 The Contractor shall provide for the secure storage and disposal of all hard
copy and media associated with the system to prevent access by
unauthorized personnel.
See the current CJIS Security Policy to address:
10
last updated 05/16/2018
Exhibit A
[www,fbi.gov/about-us/cj is/cj is-security-policy-reSOLli-ce-center/view]
a. Physically secure location.
b. Sanitization procedures for all fixed and non -fixed storage media.
C. Storage procedures for all fixed and non -fixed storage media.
7.03 To prevent and/or detect unauthorized access to CHRI in transmission or
storage, each Authorized Recipient, Contractor, or Sub -Contractor must be
assigned a unique identifying number.
8.0 Security Violations
8.01 Duties of the Authorized Recipient and Contractor
a. The Authorized Recipient shall develop and maintain a written
policy for discipline of Contractor employees who violate the
security provisions of the contract, which includes this Outsourcing
Standard that is incorporated by reference. The Authorized
Recipient shall develop and maintain a written incident reporting
plan for security events, to include violations and incidents, (See
also Sections 2.07 and 3.03)
b, Pending investigation, the Contractor shall, upon detection or
awareness, suspend any employee who commits a security violation
from assignments in which he/she has access to CHRI under the
contract.
C. The Contractor shall immediately (within one hour of discovery)
notify the Authorized Recipient, the State Compact Officer/Chief
Administrator, or the FBI of any security violation to include
unauthorized access to CHRL Within five calendar days of such
discovery, the Contractor shall provide the Authorized Recipient, the
State Compact Officer/Chief Administrator or the FBI a written
report documenting such security violation, corrective actions taken
by the Contractor to resolve such violation, and the date, time, and
summary of the violation.
d. The Authorized Recipient shall immediately (within four hours)
notify the State Compact Officer/Chief Administrator and the FBI
Compact Officer of any security violation or termination of the
contract, to include unauthorized access to CHRI made available
pursuant to the contract. The Authorized Recipient shall provide a
written report of any security violation (to include unauthorized
access to CHRI by the Contractor) to the State Compact
Officer/Chief Administrator, if applicable, and the FBI Compact
Officer, within five calendar days of receipt of the written report
from the Contractor. The written report must include any corrective
actions taken by the Contractor and the Authorized Recipient to
Il
last updated 05116/2018
Exhibit A
resolve such security violation.
8.02 Termination of the contract by the Authorized Recipient for security
violations
a. The contract is subject to termination by the Authorized Recipient
for security violations involving CHRI obtained pursuant to the
contract.
b. The contract is subject to termination by the Authorized Recipient
for the Contractor's failure to notify the Authorized Recipient of any
security violation or to provide a written report concerning such
violation.
C, If the Contractor refuses to or is incapable of taking corrective
actions to successfully resolve a security violation, the Authorized
Recipient shall terminate the contract.
8.03 Suspension or termination of the exchange of CHRI for security violations
a. Notwithstanding the actions taken by the State Compact Officer, if
the Authorized Recipient fails to provide a written report notifying
the State Compact Officer/Chief Administrator or the FBI Compact
Officer of a security violation, or refuses to or is incapable of taking
corrective action to successfully resolve a security violation, the
Compact Council or the United States Attorney General may
suspend or terminate the exchange of CHRI with the Authorized
Recipient pursuant to 28 CFR §906.2(d).
b. If the exchange of CHRI is suspended, it may be reinstated after
satisfactory written assurances have been provided to the Compact
Council Chairman or the United States Attorney General by the
Compact Officer/Chief Administrator, the Authorized Recipient and
the Contractor that the security violation has been resolved. If the
exchange of CHRI is terminated, the Contractor's records (including
media) containing CHRI shall be deleted or returned in accordance
with the provisions and time frame as specified by the Authorized
Recipient.
8.04 The Authorized Recipient and Contractor shall provide written notice
(through the State Compact Officer/Chief Administrator if applicable) to
the FBI Compact Officer of the following:
a. The termination of a contract for security violations.
b. Security violations involving the unauthorized access to CHRI.
C. The Contractor's name and unique identification number, the nature
of the security violation, whether the violation was intentional, and
the number of times the violation occurred.
8.05 The Compact Officer/Chief Administrator, Compact Council and the
12
last updated 05/16/2018
Exhibit A
United States Attorney General reserve the right to investigate or decline to
investigate any report of unauthorized access to CHRI.
8.06 The Compact Officer/Chief Administrator, Compact Council, and the
United States Attorney General reserve the right to audit the Authorized
Recipient and the Contractor's operations and procedures at scheduled or
unscheduled tinges. The Compact Council, the United States Attorney
General, and the state are authorized to perform a final audit of the
Contractor's systems after termination of the contract.
9.0 PH
9.01 The Contractor is responsible for protecting all PII in its possession and
control when dandling, using, or storing CHRI.
9.02 The Contractor shall notify authorized individuals of their right to report
PII breaches directly to the FBI should they believe their information has
been mishandled or compromised.
9.03 The Contractor shall immediately (within one hour of discovery) notify the
Authorized Recipient, the State Compact Officer/Chief Administrator, or
the FBI of any PII breach or potential PII breach. Within five calendar
days of such discovery, the Contractor shall provide the Authorized
Recipient, the State Compact Officer/Chief Administrator, or the FBI a
written report documenting such violation and corrective actions taken to
resolve such violation, to include the date, time, and summary of the
notification to resolve such breach.
10.0 Miscellaneous Provisions
10.01 This Outsourcing Standard does not confer, grant, or authorize any rights,
privileges, or obligations to any persons other than the Contractor, the
Authorized Recipient, Compact Officer/Chief Administrator (where
applicable), and the FBI.
10.02 The following document is incorporated by reference and made part of this
Outsourcing Standard: (1) The CJIS Security Policy.
10.03 The terms set forth in this document do not constitute the sole
understanding by and between the parties hereto; rather they provide a
minimum basis for the security of the system and the CHRI accessed
therefrom and it is understood that there may be terms and conditions of the
appended contract which impose more stringent requirements upon the
Contractor.5
5Such conditions could include additional audits, fees, or security requirements. The
Compact Council, Authorized Recipients, and the Compact Officer/Chief Administrator
have the explicit authority to require more stringent standards than those contained in the
Outsourcing Standard.
13
last updated 05/16/2018
Exhibit A
10.04 The minimum security measures as outlined in this Outsourcing Standard
may only be modified by the Compact Council. Conformance to such
security measures may not be less stringent than stated in this Outsourcing
Standard without the consent of the Compact Council in consultation with
the United States Attorney General.
10.05 This Outsourcing Standard may only be modified by the Compact Council
and may not be modified by the parties to the appended contract without
the consent of the Compact Council.
10.06 Appropriate notices, assurances, and correspondence to the FBI Compact
Officer, Compact Council, and the United States Attorney General required
by Section 8.0 of this Outsourcing Standard shall be forwarded by First
Class Mail to:
FBI Compact Officer
1000 Custer Hollow Road
Module D-3
Clarksburg, WV 26306
11.0 Exemption front Above Provisions
l l .01 An Information Technology (IT) contract need only include Sections 1.0,
2.01, 2.02, 2.03, 3.01, 6.0, 8.0, and 9.0 of this Outsourcing Standard for
Non-Channelers when all of the following conditions exist:
I . Access to CHRI by the IT contractor's personnel is limited
solely for the development and/or maintenance of the
Authorized Recipient's computer system;
2. Access to CHRI is incidental, but necessary, to the duties
being performed by the IT contractor;
3. The computer system resides within the Authorized
Recipient's facility;
4. The Authorized Recipient's personnel supervise or work
directly with the IT contractor personnel;
5. The Authorized Recipient maintains complete, positive
control of the IT contractor's access to the computer system
and CHRI contained therein; and
6. The Authorized Recipient retains all of the duties and
responsibilities for the performance of its authorized
noncriminal justice administrative functions, unless it
executes a separate contract to perform such noncriminal
justice administrative functions, subject to all applicable
requirements, including the Outsourcing Standard.
11.02 An Authorized Recipient's contract where access to CHRI is limited solely
14
last updated 05/16/2018
Exhibit A
for the purposes of: (A) storage (referred to as archiving in some states) of
the CHRI at the Contractor's facility; (B) retrieval of the CHRI by
Contractor personnel on behalf of the Authorized Recipient with
appropriate security measures in place to protect the CHRI; and/or (C)
destruction of the CHRI by Contractor personnel when not observed by the
Authorized Recipient need only include Sections 1.0, 2.01, 2.02, 2.03, 3.01,
4.0, 6.0, 8.0, and 9.0 of this Outsourcing Standard for Non-Channelers
when all of the following conditions exist:
1. Access to CHRI by the Contractor is limited solely for the
purposes of: (A) storage (referred to as archiving in some
states) of the CHRI at the Contractor's facility; (B) retrieval
of the CHRI by Contractor personnel on behalf of the
Authorized Recipient with appropriate security measures in
place to protect the CHRI; and/or (C) destruction of the CHRI
by Contractor personnel when not observed by the
Authorized Recipient;
2. Access to CHRI is incidental, but necessary, to the duties
being performed by the Contractor;
3. The Contractor is not authorized to disseminate CHRI to any
other agency or contractor on behalf of the Authorized
Recipient;
4. The Contractor's personnel are subject to the same criminal
history record checks as the Authorized Recipient's
personnel;
5. The criminal history record checks of the Contractor
personnel are completed prior to work on the contract or
agreement;
6. The Authorized Recipient retains all other duties and
responsibilities for the performance of its authorized
noncriminal justice administrative functions, unless it
executes a separate contract to perform such noncriminal
justice administrative functions, subject to all applicable
requirements, including the Outsourcing Standard; and
7. The Contractor stores the CHRI in a physically secure
location.
12.0 Duties of the State Compact Officer/Chief Adininistr•ator•
12.01 The State Compact Officer/Chief Administrator shall review legal authority
and respond in writing to the Authorized Recipient's request to outsource
noncriminal justice administrative functions.
15
last updated 05/16/2018
Exhibit A
12.02 The State Compact Officer/Chief Administrator reserves the right to review
relevant portions of the outsourcing contract relating to CHRI throughout
the duration of the contract approval.
12.03 The State Compact Officer/Chief Administrator must ensure criminal
history record checks on approved Contractor and Sub -Contractor
employees with access to CHRI are completed by the Authorized Recipient,
if such checks are required or authorized of the Authorized Recipient
personnel by federal statute, executive order, or state statute approved by
the United States Attorney General under Public Law 92-544. Criminal
history record checks should be no less stringent than the checks performed
on the Authorized Recipient personnel. Criminal history record checks
must be completed prior to accessing CHRI under the contract.
12.04 Coordinate with the Authorized Recipient for the review and approval of
the Contractor's Topological drawing which depicts the interconnectivity of
the Contractor's network configuration as it relates to the outsourcing
function(s).
12.05 90 Day Compliance Review
a. The State Compact Officer/Chief Administrator shall work in
coordination with the Authorized Recipient to conduct an audit of
the Contractor within 90 days of the date the Contractor first
receives CHRI under the approved outsourcing agreement.
b. The State Compact Officer/Chief Administrator shall review the
Authorized Recipient's audit certification to ensure compliance with
the Outsourcing Standard.
i) The State Compact Officer/Chief Administrator shall address
concerns with the Authorized Recipient resulting in non-compliance
with the 90 day audit of the Contractor.
ii) The State Compact Officer/Chief Administrator shall have the right
to terminate an Authorized Recipient's Outsourcing approval to a
Contractor(s) for failure or refusal to correct a non-compliance
issue(s).
12.06 The State Compact Officer/Chief Administrator shall coordinate with the
Authorized Recipient to review the Contractor's Security Program. The
program shall describe the implementation of the security requirements
outlined in this Outsourcing Standard and the CHS Security Policy. During
the review, provisions will be made to update the Security Program to
address security events and to ensure changes in policies and standards, as
well as changes in federal and state law, are incorporated.
12.07 The State Compact Officer/Chief Administrator shall audit the Authorized
Recipient and/or Contractor's operations and procedures. This may be
done at scheduled and unscheduled times.
12.08 The State Compact Officer/Chief Administrator shall assign a unique
16
last updated 05/16/2018
Exhibit A
identifying number to each Authorized Recipient, Contractor, or
Sub -Contractor to ensure system security.
12.09 The State Compact Officer/Chief Administrator shall require immediate
(within four hours) notification by the Authorized Recipient of any security
event, to include security violations and incidents or termination of the
contract, to include unauthorized access to CHRI made available pursuant
to the contract. The State Compact Officer/Chief Administrator shall
receive a written report from the Authorized Recipient of any security event
(to include unauthorized access to CHRI by the Contractor) within five
calendar days of receipt of the written report from the Contractor, that must
include any corrective actions taken by the Contractor and Authorized
Recipient to resolve such security event. (See the CJIS Security Policy
f www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view})
12.10 Suspension or termination of the exchange of CHRI for security events.
a. The State Compact Officer/Chief Administrator may suspend or
terminate the exchange of CHRI for security events or refusal or
incapability to take corrective action to successfully resolve a
security event.
b. The State Compact Officer/Chief Administrator may reinstate access
to CHRI between the Authorized Recipient and the Contractor after
receiving written assurance(s) of corrective action(s) from the
Authorized Recipient and/or the Contractor.
12.11 The State Compact Officer/Chief Administrator shall provide written
notification to the FBI Compact Officer of the termination of a contract for
security events to include the security events involving access to CHRI; the
Contractor's name and unique identification number; the nature of the
security event; whether the event was intentional; and the number of times
the event occurred.
12.12 The State Compact Officer/Chief Administrator reserves the right to
investigate or decline to investigate any report of unauthorized access to
CHRI.
12.13 The State Compact Officer/Chief Administrator is authorized to perform a
final audit of the Contractor's system following termination of contract.
17
last updated 05/16/2018