CJIS Vendor Management Program

The Georgia Crime Information Center (GCIC) is proud to present the CJIS Vendor Management Program. This program is designed to make it easier for vendors who contract with Georgia criminal justice agencies to meet FBI CJIS Security Policy standards by streamlining the fingerprinting process and other requirements associated with this Policy.  Because CJIS Compliance is a process that can change as technology and law enforcement business needs change, participation in this program does not guarantee CJIS certification of a vendor’s product. However, it demonstrates a working knowledge of CJIS standards and a commitment to maintain these high standards.

What is the CJIS Vendor Management Program?
The CJIS Security Policy written and maintained by the Federal Bureau of Investigation is the standard by which all criminal justice agencies nationwide must protect the sensitive data they possess and share with authorized entities. Section 5.12.1 of the policy states that private contractors and vendors with access to criminal justice information (CJI) must submit a set of fingerprints for state and national fingerprint-based record checks. Previously, vendors were required to submit fingerprints for each employee with access to CJI, for each agency with which they contract but this requirement proved to be cumbersome for vendors and contracting agencies.

The GCIC CJIS Vendor Management Program consolidates the fingerprint background check process so that vendors only need to work with a single entity – GCIC – for enrollment in the program. It also makes the required Security Awareness training and Awareness Statement available online for vendor employees.  In addition, it establishes a centralized area where criminal justice agencies can view vendors who have been vetted and are authorized by GCIC for access to CJI.

Vetted Vendor Process Overview
Before an agency contracts with a new vendor, it should check with GCIC to see if the vendor has been vetted.  If so, the agency contacts the Vendor Coordinator to confirm that all vendor employees who will have access to CJI at the agency have been properly vetted.  If any have not, it is the vendor’s responsibility to ensure that those employees are vetted prior to performing any work at the agency.

If the vendor has not been previously vetted by GBI, the vetting process is initiated and the following steps are taken:

  1. The vendor designates a Coordinator who will be the single point of contact for all matters related to vetting.
  2. The vendor downloads and signs the CJA and Contractor/Vendor CJIS Network Agreement.
  3. The vendor downloads and completes the LMS Account Management Form.  The form is then sent to LMSHelp@gbi.ga.gov.
  4. Each employee who will have access to CJI must:
    • Submit fingerprints to the Georgia Applicant Processing Service (GAPS) website for a national and state check.
    • The employee will be notified by mail whether they have received approval to access CJI.  Approved employees continue with the following steps:
      • The employee requests a training account on the GBI Learning Management System (LMS) (https://firstnetcampus.com/GBI/entities/GBI/logon.htm)
      • The employee logs into LMS, completes Security Awareness training and signs the Awareness Statement on-line. 
      • The employee signs the FBI Security Addendum.  Note that a vendor representative must also sign this form.
      • Note: this process – including the fingerprint based background check – must be repeated every 2 years.
    • Employees who are not approved will receive a letter including all information pertinent to that decision.  The vendor will receive a letter simply stating that the employee has not been approved.  For more information see Personnel Security Requirements.
  5. The Vendor Coordinator returns the signed Awareness Statement, FBI Security Addendum and Certificate of Training (available from the LMS system) to GCIC.  Note: this step is also required every 2 years.
  6. The vendor and all approved employees are added to the Vetted Vendor List maintained by GCIC.

The following diagrams offer a visual overview of the process (click to expand):

 

For more information, please contact GCIC at GCIC.INFOsec@gbi.ga.gov.