Having proper security measures against the insider threat is a critical component for the CJIS Security Policy. This section’s security terms and requirements apply to all personnel who have access to unencrypted CJI including those individuals with only physical or logical access to devices that store, process or transmit unencrypted CJI.
The following is an excerpt from the FBI Security Policy:
126.96.36.199 Personnel Screening for Contractors and Vendors
In addition to meeting the requirements in paragraph 188.8.131.52, contractors and vendors shall meet the following requirements:
- Prior to granting access to CJI, the CGA on whose behalf the Contractor is retained shall verify identification via a state of residency and national fingerprint-based record check. However, if the person resides in a different state than that of the assigned agency, the agency shall conduct state (of the agency) and national fingerprint-based record checks and execute a NLETS CHRI IQ/FQ/AQ query using purpose code C, E, or J depending on the circumstances.
- If a record of any kind is found, the CGA shall be formally notified and system access shall be delayed pending review of the criminal history record information. The CGA shall in turn notify the Contractor-appointed Security Officer.
- When identification of the applicant with a criminal history has been established by fingerprint comparison, the CGA or the CJA (if the CGA does not have the authority to view CHRI) shall review the matter.
- A Contractor employee found to have a criminal record consisting of felony conviction(s) shall be disqualified.
- Applicants shall also be disqualified on the basis of confirmations that arrest warrants are outstanding for such applicants.
- The CGA shall maintain a list of personnel who have been authorized access to CJI and shall, upon request, provide a current copy of the access list to the CSO.
Applicants with a record of misdemeanor offense(s) may be granted access if the CSO determines the nature or severity of the misdemeanor offense(s) do not warrant disqualification. The CGA may request the CSO to review a denial of access determination.
5.12.2 Personnel Termination
The agency, upon termination of individual employment, shall immediately terminate access to CJI.
5.12.3 Personnel Transfer
The agency shall review CJI access authorizations when personnel are reassigned or transferred to other positions within the agency and initiate appropriate actions such as closing and establishing accounts and changing system access authorizations.
5.12.4 Personnel Sanctions
The agency shall employ a formal sanctions process for personnel failing to comply with established information security policies and procedures.
For more information, please contact GCIC at [email protected].