The National Crime Prevention and Privacy Compact Council

The Outsourcing of Noncriminal Justice Administrative Functions Guide for Federal Agencies

The National Crime Prevention and Privacy Compact Council
Email Address: [email protected]
Compact Council Web site: www.fbi.gov/about-us/cjis/cc
May 2015, Version 1.0


Table of Contents

Introduction ........................................ 3
Background .......................................... 4
Outsourcing: Non-Channeling versus Channeling ....... 5
Outsourcing Scenarios ............................... 8
  Non-Channeling: Outsourcing Fitness Determinations/Recommendations ....... 8
  Channeling: Fingerprint Submissions/Results/Dissemination ................ 8
Responsibility Table for Non-Channeling ............. 9
Responsibility Table for Channeling ................. 23
Authorized Recipient's Responsibilities ............. 37
Examples of Non-Channeling Documentation ............ 38
  Authorized Recipient Sample Request Letter (Non-Channeling) .............. 38
  Authorized Recipient Sample FBI Response Letter for Non-Channeling ....... 39
  Sample Language between the Authorized Recipient and Channeler regarding Outsourcing Functions ....... 41
Examples of Channeling Documentation ................ 42
  Authorized Recipient Sample Request Letter to Use a Channeler ............ 42
  Sample FBI Response Letter for Channeler Request ......................... 43
  Sample Language between the Authorized Recipient and Channeler regarding Outsourcing Functions ....... 45
Outsourcing Audit Guidelines ........................ 46
  Sample Audit Methodology ................................................ 46
  Sample 90 day Audit Checklist for an Authorized Recipient ................ 49
Non-Channeling Flowchart ............................ 51
Non-Channeling Checklist ............................ 52
Channeling Flowchart ................................ 53
Channeling Checklist ................................ 54
Frequently Asked Questions .......................... 55
Recommended Online Reference Materials .............. 57
Definitions ......................................... 58
Appendices .......................................... 62
  Interim Final Rule: Outsourcing of Noncriminal Justice Administrative Functions ....... 63
  Final Rule: Outsourcing of Noncriminal Justice Administrative Functions ............... 67
  Security and Management Control Outsourcing Standard for Channelers .................. 69
  Security and Management Control Outsourcing Standard for Non-Channelers .............. 83

2 | Page Outsourcing Guide for Federal Agencies Version 1.0

Introduction

Noncriminal justice outsourcing is the engagement of a third-party contractor to perform noncriminal justice administrative functions (i.e., making fitness determinations/recommendations, obtaining missing dispositions, archival and off-site storage of fingerprint submissions and corresponding criminal history record results, or the submission of fingerprints and the receipt of corresponding criminal history records) related to the processing of criminal history record information (CHRI) maintained in the Interstate Identification Index (III) System, subject to appropriate controls, when acting on behalf of the governmental or authorized agency. The III is the system of federal and state criminal history records maintained by the Federal Bureau of Investigation (FBI).

The Outsourcing of Noncriminal Justice Administrative Functions Guide for Federal Regulatory Agencies (Guide) was developed by the National Crime Prevention and Privacy Compact Council (Council) in consultation with the FBI's Criminal Justice Information Services (CJIS) Division. The Guide is designed to provide resources to federal regulatory agencies that engage in and authorize the outsourcing of noncriminal justice administrative functions. The information contained in this Guide may be used as a resource. Federal regulatory agencies are encouraged to continue to build upon this information to enhance their outsourcing programs. Federal regulatory agencies should contact the FBI Compact Officer for information pertaining to the outsourcing of noncriminal justice administrative functions.

The Guide is broken down into several sections. Topics include an outline of responsibilities for engaging in a contractor agreement for Non-Channeling and Channeling; samples of contract language and outsourcing requests; audit methodologies; and a variety of checklists. The Guide also contains a list of frequently asked questions, common definitions relating to the outsourcing of noncriminal justice administrative functions, and additional on-line resources.


Background

The National Crime Prevention and Privacy Compact Act of 1998 (Compact) (Title 42, United States Code [U.S.C.], Sections 14611-14616) provides a legal framework for the cooperative exchange of criminal history records between federal and state entities for noncriminal justice purposes. The Compact was signed by President Clinton on October 9, 1998, and became effective on April 28, 1999, when ratified by two states. As of December 2014, 30 states and the federal government have ratified the Compact. States that have ratified the Compact are referred to as "party states." The Compact established a fifteen-member Council, whose members are appointed by the United States (U.S.) Attorney General (AG), to promulgate rules, procedures, and standards governing the use of the III System and CHRI for noncriminal justice purposes and to ensure the protection of an individual's privacy while facilitating the nationwide automated exchange of CHRI.

The Council published the "Outsourcing of Noncriminal Justice Administrative Functions" Interim Final Rule (IFR) and two "Security and Management Control Outsourcing Standards" (Outsourcing Standards) in the Federal Register on December 16, 2004. The IFR is attached as Appendix A. The Council adopted the IFR as a Final Rule (Rule) on December 15, 2005, which is attached as Appendix B. The Rule permits an Authorized Recipient (AR), an agency or entity authorized to receive FBI CHRI, to outsource noncriminal justice administrative functions relating to the processing of CHRI to a third party, subject to appropriate controls.

The Outsourcing Standard established minimum requirements to ensure that security and privacy controls are in place when conducting national criminal history record checks for noncriminal justice purposes. The contracting parties may not reduce these minimum standards; however, more restrictive requirements may be adopted by the contracting parties. In addition, the Outsourcing Standard identified responsibilities for adequate security controls between the AR and the Contractor in order to maintain the security and integrity of the III System and CHRI. The security program shall address site security, dissemination restrictions, personnel security, system security, and guidelines for documentation of security events. To ensure agencies follow the minimum standards, the Rule states that contracts or agreements providing for authorized outsourcing "shall incorporate by reference a security and management control outsourcing standard approved by the Compact Council after consultation with the United States Attorney General." In November 2009, in order to clarify the roles, the Council bifurcated the Outsourcing Standard to create one strictly for Channeling (Outsourcing Standard for Channelers) [Appendix C] and the other for Non-Channeling (Outsourcing Standard for Non-Channelers) [Appendix D]. The Council periodically updates the Outsourcing Standards and the most current versions may be found on the web at.


Outsourcing: Non-Channeling versus Channeling

There are two very separate and distinct parts to the outsourcing of noncriminal justice administrative functions associated with national criminal history records. The first is Non-Channeling. In this scenario, the Contractor receives access to the CHRI directly from the AR. The AR may engage the Contractor to perform a variety of noncriminal justice administrative functions, such as, but not limited to, obtaining missing dispositions, making fitness determinations/recommendations, or the off-site storage and archival of fingerprint submissions and corresponding criminal history record results. In this arrangement, the Contractors do not have a direct connection to the FBI's CJIS Wide Area Network (WAN). The AR provides the results of the national criminal history record check directly to the Contractor. The Contractor performs the desired noncriminal justice administrative function(s). Figure 1-1 depicts a Non-Channeling arrangement.

It is important to note footnote 4 of the Outsourcing Standard for Non-Channelers, which provides that if a national criminal history record check of government personnel having access to CHRI is mandated or authorized by a federal statute or executive order approved by the U.S. AG, then the AR must ensure Contractor personnel accessing CHRI are either covered by existing law or that the existing law is amended to include national criminal history record checks for Contractors prior to authorizing the outsourcing initiatives.


The other part of noncriminal justice outsourcing is Channeling, which creates a conduit for an AR to submit fingerprints via an FBI-approved Channeler directly to the FBI; the Channeler receives the CHRI on behalf of the AR and promptly distributes the CHRI to the AR. The Channeler is a Contractor that has a direct connection to the FBI's CJIS WAN for the electronic submission of fingerprints on behalf of the AR. The FBI electronically returns the corresponding results of each fingerprint-based national criminal history record check to the Channeler, and the Channeler expeditiously disseminates the criminal history record check results to the AR. Figure 1-2 illustrates the Channeling arrangement.

In 2011, the FBI released a Request for Proposal (RFP) to solicit Contractors to provide processing services for authorized national noncriminal justice fingerprint submissions from ARs. In response to the RFP, the FBI selected multiple Contractors to act as Channelers. For a current list of Channelers, visit or contact the FBI Compact Office at. Pursuant to the Outsourcing Standard for Channelers, the FBI is required to conduct criminal history record checks of Channeling personnel having access to CHRI. Thus, in this arrangement, the AR is not responsible for conducting background checks of the Contractor's personnel having access to CHRI. As a matter of information, if the Contractor is posting national criminal history record check results to a Web site, the FBI CJIS Division's Information Security Officer must review and approve the proposed technical configuration prior to the FBI Compact Officer's decision to approve the request.

It is possible for the same Contractor to provide both Channeling and Non-Channeling noncriminal justice administrative function services. If this occurs, there must be a distinct separation between the Channeling and the performance of the other noncriminal justice administrative functions (Non-Channeling). A Channeler must promptly forward the criminal history record check results to the AR, which ends the "Channeling" outsourcing process. Then, the AR would be responsible for selecting and forwarding the criminal history record check results back to the Contractor for the performance of approved Non-Channeling noncriminal justice administrative functions, such as obtaining missing dispositions, outsourced by the AR in compliance with the Outsourcing Standard for Non-Channelers. Such procedures will establish a distinct beginning and end to each of the outsourcing contracts (i.e., a contract for Channeling and a contract for other noncriminal justice administrative functions). Additionally, this process will facilitate an efficient audit process. Essentially, a Channeler is an "expediter" or "conduit" rather than a user of criminal history record results. The Contractor providing the Non-Channeling function is the user of the information. Figure 1-3 displays the same Contractor performing both the Channeling and Non-Channeling functions.


Outsourcing Scenarios

Non-Channeling: Outsourcing Fitness Determinations/Recommendations

The National Reconnaissance Office (NRO), a federal agency, is authorized to access CHRI pursuant to Executive Order (EO) 12968, EO 10450, Intelligence Community Directive 704, and Intelligence Community Policy Guidance, Number 704.1. The NRO submits a written request to the FBI Compact Officer to outsource noncriminal justice administrative functions to a Contractor. The specific function that will be outsourced to the Contractor is appropriate follow-up activity on positive fingerprint-based responses, to include record review and additional subject interviews. [A sample Non-Channeling request letter may be found under Examples of Non-Channeling Documentation.] Upon written approval by the FBI Compact Officer, the NRO, as the AR, may utilize a Contractor to perform the specific noncriminal justice administrative function. Therefore, in this instance, upon execution of the necessary outsourcing agreements by the NRO and the Contractor, the NRO may use a Contractor to perform the approved follow-up activity on positive fingerprint-based responses.

Channeling: Fingerprint Submissions/Results/Dissemination

Pursuant to Title 49, United States Code (U.S.C.) Section 114(m); 49 U.S.C. § 5103a; and 49 U.S.C. § 44936, the Transportation Security Administration (TSA), a federal agency, is authorized to outsource noncriminal justice administrative functions to a Channeler. The TSA submits a written request to the FBI Compact Officer to use an FBI-approved Channeler to perform the noncriminal justice administrative functions of submitting fingerprints on behalf of TSA and promptly disseminating national fingerprint-based criminal history record check results to the TSA. The FBI provides a specific Reason Fingerprinted for these fingerprint submissions. [A sample Channeling request may be found under Examples of Channeling Documentation.] Upon written approval by the FBI Compact Officer, the TSA may utilize the Channeler to perform the specific noncriminal justice administrative functions pertaining only to: (1) fingerprint submissions of Coast Guard-credentialed merchant mariners, port facility employees, longshore workers, truck drivers, and others requiring unescorted access to secure areas of maritime facilities and vessels that are regulated by the Maritime Transportation Security Act; and (2) the concomitant dissemination of national fingerprint-based criminal history record check results to the TSA. Upon execution of the necessary outsourcing agreements between the two parties, the TSA may use the Channeler to perform the Channeling functions.

Disclaimer: The agencies used in the example scenarios were randomly selected.


Responsibility Table for Non-Channeling

Security and Management Control Outsourcing Standard (OS) for Non-Channelers; OS dated 11/06/2014, table updated 12/17/2014

Table columns: Outsourcing Standard (OS) Section #; Authorized Recipient (AR) Federal/Regulatory; Contractor; Compact Officer (FBI CO) / CJIS Systems Agency (CSA); FBI CJIS Division (CJIS) / Compact Council (CC) / United States Attorney General (US AG). Each row below lists the section followed by the responsibilities of each party that has an entry for that section.

Section 2.0 - Responsibilities of the AR

2.01 - Outsourcing Request; Footnote 2 - Audit Requirements; Footnote 3 - Outsourcing Approval
  AR shall: (1) Request and receive permission from the FBI CO. (2) Provide FBI CO copies of the specific authority for the outsourced work, criminal history record check requirements, and/or a copy of relevant portions of the contract as requested.
  FBI CO/CSA shall: (1) Approve/disapprove request in writing. (2) FBI CO may not grant such permission unless a federal audit program is in place to, at a minimum, triennially audit a representative sample of the Contractors and ARs engaging in outsourcing, with the first of such audits to be conducted within one year of the date the Contractor first receives CHRI under the approved outsourcing agreement. (3) Review copies of the specific authority for the outsourced work, criminal history record check requirements, and/or a copy of relevant portions of the contract if requested.
  CJIS/CC/US AG: (1) CJIS Audit Unit shall conduct required audits of Federal or Regulatory Agency AR and Contractor. The audits are conducted on behalf of the CC. (2) CJIS/CC to review audit reports and impose sanctions as necessary.

2.02 - Contract; 2.03(c) & 7.01 & 9.02 - OS and CJIS Security Policy
  AR shall: (1) Execute contract or agreement prior to providing a Contractor access to CHRI. (2) Notify the Contractor within 60 calendar days (unless otherwise directed) of FBI notification regarding changes or updates to the OS and/or CJIS Security Policy.
  Contractor shall: (1) Ensure that the most current versions of both the OS and the CJIS Security Policy are incorporated by reference at the time of the contract, contract renewal, or within the 60 calendar day notification of successor versions of the OS and/or CJIS Security Policy, whichever is sooner.
  CJIS/CC/US AG: (1) CJIS shall ensure that the most current versions of both the OS and/or CJIS Security Policy are provided to the AR within 60 calendar days (unless otherwise directed) of notification of successor versions of the OS and/or CJIS Security Policy, whichever is sooner.

2.03 - Access to CHRI
  AR shall, when Contractor will have access to CHRI: (1) Specify terms and conditions of access. (2) Limit the use of the information to the purposes for which provided. (3) Limit the retention of the information to a period of time not to exceed that period of time the AR is permitted to retain such information. (4) Prohibit dissemination except as authorized by federal laws, regulations, and standards as well as with rules, procedures, and standards established by the CC and the US AG. (5) Ensure security and confidentiality of the information to include confirmation that the intended recipient is authorized to receive CHRI. (6) Provide for audits and sanctions. (7) Provide conditions for termination of the contract. (8) Ensure Contractor personnel comply with OS.

2.03(a) & Footnote 4 - Criminal History Record (CHR) Checks
  AR shall: (1) Conduct criminal history record checks of Contractor personnel having access to CHRI if such checks are required or authorized of AR's personnel having similar access. (2) Maintain updated records of Contractor personnel who have access to CHRI and update those records within 24 hours when changes to that access occur, and if a criminal history record check is required, maintain a list of Contractor personnel who successfully completed the criminal history record check. (3) The national criminal history record checks of Contractor personnel with access to CHRI cannot be outsourced and must be performed by the AR.
  FBI CO/CSA: (1) If a national criminal history record check of AR personnel having access to CHRI is mandated or authorized by a federal statute or executive order, the FBI CO must ensure Contractor personnel having similar access are either covered by the existing law or that the existing law is amended to include such Contractor personnel prior to authorizing outsourcing initiatives.
  CJIS/CC/US AG: (1) FBI processes criminal history record checks of Contractor personnel having access to CHRI if submitted by AR.

2.03(b) - Site Security
  AR shall: (1) Ensure Contractor maintains site(s) security.
  Contractor shall: (1) Maintain site(s) security.

2.03(c) - See 2.02 - OS & CJIS Security Policy
  AR, Contractor, FBI CO/CSA, CJIS/CC/US AG: See 2.02.

2.03(d) - Access to Contract
  AR shall: Make available to the FBI CO relevant portions of current and approved contract relating to CHRI, upon request.
  Contractor shall: Make available to the FBI CO relevant portions of current and approved contract relating to CHRI, upon request.

2.04 - Records and Topological Drawings
  AR shall: (1) Understand the communications and record capabilities of the Contractor which has access to federal records through, or because of, its outsourcing relationship with the AR. (2) Request and approve a topological drawing which depicts the interconnectivity of the Contractor's network configuration as it relates to the outsourced function. (3) Understand and approve any modifications to the Contractor's network configuration as it relates to the outsourced function(s).
  Contractor shall: (1) Provide updated topological drawings to AR.

2.05 - 90 Day Compliance Review
  AR shall: (1) Be responsible for the actions of Contractor and for monitoring the Contractor's compliance with the terms and conditions of the OS. (2) Certify to the FBI CO that a Contractor audit was conducted within 90 days of the date the Contractor first receives CHRI under the approved outsourcing agreement.
  FBI CO/CSA: (1) FBI CO reviews and maintains AR's certification for completion of 90 day compliance review.

2.06 - Contract Termination
  AR shall: (1) Provide written notice of any early voluntary termination of contract to the FBI CO.

2.07 - ISO Appointment
  AR shall: (1) Appoint an Information Security Officer (ISO) to: (a) Serve as the security POC for the FBI CJIS Division ISO; (b) Document technical compliance with the OS; and (c) Establish a security incident response and reporting procedure to discover, investigate, document, and report on major incidents that significantly endanger the security or integrity of the NCJ agency systems to the CJIS Systems Officer and the FBI CJIS Division ISO.

Section 3.0 - Responsibilities of the Contractor

3.01 - Regulation Compliance
  Contractor shall: (1) Comply with all federal laws, regulations, and standards (including the CJIS Security Policy) as well as with rules, procedures, and standards established by the CC and the US AG.

3.02 - Security Program
  AR shall: (1) Review and provide written approval/disapproval of the Contractor's Security Program to the FBI CO.
  Contractor shall: (1) Develop, document, administer, and maintain a Security Program (Physical, Personnel, and IT) to comply with the most current OS and most current CJIS Security Policy. (2) The Security Program shall outline the implementation of the security requirements described in this OS and the CJIS Security Policy. (3) Be responsible to set, maintain, and enforce the standards for selection, supervision, and separation of personnel who have access to CHRI.

3.03 - Security Requirements (See CJIS Security Policy)
  Contractor: (1) Requirements for a Security Program should include, at a minimum: (a) Description of the implementation of the security requirements described in the OS and the CJIS Security Policy. (b) Security training. (c) Guidelines for documentation of security violations to include: (i) Develop and maintain a written incident reporting plan to address security events, to include violations and incidents. (ii) Have a process in place for reporting security violations. (d) Standards for the selection, supervision, and separation of personnel with access to CHRI.
  *If using a corporate policy, it must meet the requirements outlined in the OS and the CJIS Security Policy. If the corporate policy is not this specific, it must flow down to a level where the documentation supports these requirements.

3.04 - Security Training Program
  AR shall: (1) Review and provide to the Contractor written approval/disapproval of the Contractor's Security Training Program. If the training requirement is retained by the AR: (1) Develop a Security Training Program for all Contractor personnel with access to CHRI prior to their appointment/assignment. (2) Provide training prior to appointment/assignment and upon receipt of notice from the FBI CO on any changes to federal laws, regulations, and standards as well as with rules, procedures, and standards established by the CC and the US AG. (3) Provide annual refresher training, not later than the anniversary date of the contract; may certify in writing to the FBI that annual refresher training was completed for those Contractor personnel with access to CHRI.
  Contractor shall: (1) Except when the training requirement is retained by the AR, develop a Security Training Program for all Contractor personnel with access to CHRI prior to their appointment/assignment. (2) Provide training upon receipt of notice from the AR on any changes to federal laws, regulations, and standards as well as with rules, procedures, and standards established by the CC and the US AG. (3) Provide annual refresher training, not later than the anniversary date of the contract; certify in writing to the AR that annual refresher training was completed for those Contractor personnel with access to CHRI.

3.05 - Security Inspection
  AR shall: (1) Perform announced and unannounced audits and security inspections.
  Contractor shall: (1) Make its facilities available for announced and unannounced audits and security inspections performed by the AR or the FBI on behalf of the CC.
  CJIS/CC/US AG: (1) FBI on behalf of CC may perform announced and unannounced audits and security inspections.

3.06 - Security Program Review
  AR shall: (1) Review and approve Contractor's Security Program.
  Contractor: (1) Contractor's Security Program is subject to review by the AR, FBI CO, and CJIS. (2) During this review, provisions will be made to update the Security Program to address security violations and to ensure changes in policies and standards as well as changes in federal law are incorporated.
  FBI CO/CSA: (1) May review Contractor's Security Program.
  CJIS/CC/US AG: (1) May review Contractor's Security Program.

3.07 - Maintenance of CHRI
  AR shall: (1) Advise Contractor of CHRI maintenance time frame.
  Contractor shall: (1) Maintain CHRI only for the period of time necessary to fulfill its contractual obligations but not to exceed the period of time that the AR is authorized to maintain and does maintain the CHRI.

3.08 - CHRI Logging
  Contractor shall: (1) Maintain log of any dissemination of CHRI, for a minimum of 365 days.

3.09 - Availability of Contract (See also 2.03(d))
  AR shall: (1) Make available to the FBI CO relevant portions of the current and approved contract relating to CHRI, upon request.
  Contractor shall: (1) Make available to the FBI CO relevant portions of the current and approved contract relating to CHRI, upon request.

Section 4.0 - Site Security

4.01 - Physically Secure Location (See section for review.)
  AR shall: (1) Ensure Contractor site(s) is a physically secure location to protect against any unauthorized access to CHRI.
  Contractor shall: (1) Ensure site(s) is a physically secure location to protect against any unauthorized access to CHRI.

Section 5.0 - Dissemination

5.01 - Dissemination Authority
  AR shall: (1) Authorize any dissemination of CHRI by the Contractor to ensure that the dissemination falls within the guidelines of federal laws, regulations, and standards as well as with rules, procedures, and standards established by the CC and the US AG.
  Contractor shall: (1) Ensure CHRI is not disseminated without the consent of the AR, and as specifically authorized by federal laws, regulations, and standards as well as with rules, procedures, and standards established by the CC and the US AG.

5.02 - Dissemination Log
  Contractor shall: (1) Maintain an up-to-date log concerning dissemination of CHRI for a minimum of one year. (2) Log must identify: (a) the AR and the secondary recipient with unique identifiers, (b) the record disseminated, (c) the date of dissemination, (d) the statutory authority for dissemination, and (e) the means of dissemination.

5.03 – Unauthorized Access
AR: (1) Ensure any dissemination of CHRI data by the Contractor is to be for official purposes only.
Contractor: (1) If CHRI is stored or disseminated in an electronic format, protect against unauthorized access to the equipment and any of the data. (2) In no event shall responses containing CHRI be disseminated other than as governed by this OS or more stringent contract requirements.

6.0 – Personnel Security
6.01 – Personnel CHR Check
AR: (1) Process CHR checks on Contractor (and approved Sub-Contractor) personnel having access to CHRI if a federal written standard requires or authorizes a CHR check. (2) CHR checks of Contractor (and approved Sub-Contractor) personnel, at a minimum, will be no less stringent than CHR checks that are performed on the AR's personnel performing similar functions. (3) CHR checks must be completed prior to accessing CHRI under the contract.
Contractor: (1) Prior to performing work under the contract, obtain and submit relevant information of employees (and Sub-Contractors) requesting access to CHRI for CHR checks and wait for approval. (2) CHR checks must be completed prior to accessing CHRI under the contract.

6.02 – Requirements
(1) Ensure that each employee performing work under the contract is aware of the requirements of the OS and the federal laws governing the security and integrity of CHRI. (2) Confirm in writing that each employee has certified in writing that he/she understands the OS requirements and laws that apply to his/her responsibilities. (3) Maintain the employee certifications in a file that is subject to review during audits. (4) Employees shall complete certification prior to performing work under the contract.

6.03 – Updated Personnel Records with Access to CHRI
AR: Recommendation based on good business practice: (1) Maintain updated records of contractor personnel who have access to CHRI; update those records within 24 hours when changes to that access occur. (2) If a CHR check is required, maintain a list of contractor personnel who have successfully completed CHR checks.
Contractor: (1) Maintain updated records of personnel who have access to CHRI; update those records within 24 hours when changes to that access occur. (2) If a CHR check is required, maintain a list of personnel who have successfully completed CHR checks. (3) Notify ARs within 24 hours when personnel additions or deletions occur.

7.0 – System Security
7.01 – CJIS Security Policy – See 2.02 – OS & CJIS Security Policy
(1) Ensure the security system complies with the CJIS Security Policy in effect at the time the OS is incorporated into the contract and with successor versions of the CJIS Security Policy.

7.01(a) – Firewall
AR: (1) Ensure appropriate firewall-type devices are implemented in accordance with the CJIS Security Policy.
Contractor: (1) Implement a firewall-type device for all systems that can be accessed via WAN/LAN or Internet as specified in the CJIS Security Policy.

7.01(b) – Encryption
AR: (1) Ensure encryption is used appropriately in accordance with the CJIS Security Policy.
Contractor: (1) Encrypt CHRI that is passed through a shared public carrier network.

7.02 – CHRI and Media Storage and Disposal
(1) Provide for the secure storage & disposal of all hard copy and media associated with the system. (a) Physically secure location. (b) Sanitization procedures for all fixed and non-fixed storage media. (c) Storage procedures for all fixed and non-fixed storage media.

7.03 – Identification Requirement
AR: (1) Be assigned a unique identifying number by the Contractor.
Contractor: (1) Identify each AR and sub-contractor by a unique identifying number.

8.0 – Security Violations
8.01 – Security Violation Policy
See section for review
AR: (a) Develop & maintain a written policy for discipline of employees who violate security provisions of the contract, including the OS. (a) Develop and maintain a written incident reporting plan for security events, to include violations and incidents. (d) Immediately (within four hours) notify the FBI CO of any security violation or termination of the contract. (d) Provide a written report of any security violation to the FBI CO within 5 calendar days of receipt of the written report from the Contractor. (d) The written report must include corrective actions taken by the Contractor and the AR to resolve the security violation.
Contractor: (b) Upon detection or awareness, suspend any employee who commits a security violation from assignments with access to CHRI under the contract, pending investigation. (c) Immediately (within four hours) notify the AR of any security violation or termination of the contract, to include unauthorized access to CHRI. (d) Within 5 calendar days of notification, provide the AR a written report documenting the security violation, any corrective actions taken by the Contractor, and the date, time, and summary of the prior notification.

8.02 – Contract Termination
AR: (1) Terminate the contract, when necessary, for security violations: (a) Involving CHRI obtained pursuant to the contract. (b) For the Contractor's failure to notify the AR of any security violation or to provide a written report concerning such violation. (c) If the Contractor refuses to or is incapable of taking corrective actions to successfully resolve a security violation.

8.03(a) – CHRI Suspension or Termination
(1) If the AR fails to provide a written report notifying the FBI CO of a security violation, or refuses to or is incapable of taking corrective action to successfully resolve a security violation, the CC or US AG may suspend or terminate the exchange of CHRI with the AR pursuant to 28 CFR 906.2(d). (This entry appears twice in the table.)

8.03(b) – Exchange of CHRI Reinstatement
AR: (1) If the exchange of CHRI is suspended, it may be reinstated after satisfactory written assurances have been provided by the FBI CO, the AR and the Contractor to the CC Chairman or the US AG that the security violation has been resolved. (2) If the exchange of CHRI is terminated, inform the Contractor whether to delete or return records (including media) containing CHRI in accordance with the provisions and time frame specified.
Contractor: (1) If the exchange of CHRI is suspended, it may be reinstated after satisfactory written assurances have been provided by the FBI CO, the AR and the Contractor to the CC Chairman or the US AG that the security violation has been resolved. (2) If the exchange of CHRI is terminated, in accordance with the provisions and time frame as specified by the AR, delete or return records (including media) containing CHRI.
(1) May reinstate after satisfactory written assurances have been provided to the CC Chairman and US AG. (2) Advise the AR of reinstatement.
(1) If the exchange of CHRI is suspended, it may be reinstated after satisfactory written assurances have been provided by the FBI CO, the AR, and the Contractor to the CC Chairman or the US AG that the security violation has been resolved.

8.04 – Security Violation Notification
AR: (1) Provide written notice to the FBI CO of the following: (a) Contract termination for security violations. (b) Security violations involving unauthorized access to CHRI. (c) Contractor's name and unique ID number, nature of the security violation, whether the violation was intentional, and number of times the violation occurred. (d) Record the date the contract was terminated and the date the Contractor's access to CHRI is terminated.
(1) Record the date of the termination notification received from the AR.

8.05 – Investigation Rights of Unauthorized Access to CHRI
(1) The FBI CO reserves the right to investigate or decline to investigate any report of unauthorized access to CHRI.
(1) The CC and the US AG reserve the right to investigate or decline to investigate any report of unauthorized access to CHRI.

8.06 – Audits
(1) The FBI CO reserves the right to audit the AR's and Contractor's operations and procedures at scheduled and unscheduled times.
(1) The CC and US AG reserve the right to audit the AR's and Contractor's operations and procedures at scheduled and unscheduled times. (2) The CC and US AG are authorized to perform a final audit of Contractor systems after termination of the contract.

9.0 – Miscellaneous Provisions
9.01 – OS
All four columns: (1) This OS does not confer, grant, or authorize any rights, privileges, or obligations to any persons other than the Contractor, the AR, and the FBI CO.

9.02 – CJIS Security Policy
All four columns: (1) The CJIS Security Policy is incorporated by reference and made a part of this OS.

9.03 & Footnote 5 – OS Stringency
(1) The CC, AR, and the FBI CO have the explicit authority to require more stringent standards than those contained in the OS. (This entry appears in every column except the Contractor column.)
Contractor: (1) Comply with any additional conditions as required by the CC, AR, or the FBI CO.

9.04 – OS Modification
All four columns: (1) The minimum security measures as outlined in this OS may only be modified by the CC. (2) Conformance to such security measures may not be less stringent than stated in this OS without the consent of the CC in consultation with the US AG.

9.05 – OS Modification
All four columns: (1) This OS may only be modified by the CC and may not be modified by the parties to the appended contract without the consent of the CC.

9.06 – FBI CO Address
All four columns: (1) Appropriate notices, assurances, and correspondence to the FBI CO, CC, and the US AG required by Section 8.0 of this OS shall be forwarded by First Class Mail to: FBI Compact Officer, 1000 Custer Hollow Road, Module D3, Clarksburg, WV 26306. (One of the four copies of this entry in the table gives the ZIP code as 26301.)

10.0 – Exemption from Above Provisions
10.01
An IT contract need only include Sections 1.0, 2.01, 2.02, 2.03, 3.01, 6.0, 8.0, and 9.0 of this OS when all of the following conditions exist: (1) Access to CHRI by the IT contractor's personnel is limited solely for the development and/or maintenance of the AR's computer system; (2) Access to CHRI is incidental, but necessary, to the duties being performed by the IT contractor; (3) The computer system resides within the AR's facility; (4) The AR's personnel supervise or work directly with the IT contractor personnel; (5) The AR maintains complete, positive control of the IT contractor's access to the computer system and CHRI contained therein; and (6) The AR retains all the duties and responsibilities for the performance of its authorized NCJA functions, unless it executes a separate contract to perform such NCJA functions, subject to all applicable requirements, including the OS. (This entry appears twice in the table.)

10.02 – Exemption
An AR's contract need only include Sections 1.0, 2.01, 2.02, 2.03, 3.01, 4.0, 6.0, 8.0, and 9.0 of this OS when all of the following conditions exist: (1) Access to CHRI by the Contractor is limited solely for the purposes of: (a) storage (referred to as archiving) of the CHRI at the Contractor's facility; (b) retrieval of the CHRI by Contractor personnel on behalf of the AR with appropriate security measures in place to protect the CHRI; and/or (c) destruction of the CHRI by Contractor personnel when not observed by the AR; (2) Access to CHRI is incidental, but necessary, to the duties being performed by the Contractor; (3) The Contractor is not authorized to disseminate CHRI to any other agency or contractor on behalf of the AR; (4) The Contractor's personnel are subject to the same CHR checks as the AR's personnel; (5) The CHR checks of the Contractor personnel are completed prior to work on the contract or agreement; (6) The AR retains all other duties and responsibilities for the performance of its authorized NCJA functions, unless it executes a separate contract to perform such NCJA functions, subject to all applicable requirements, including the OS; and (7) The Contractor stores the CHRI in a physically secure location.
The second copy of this entry in the table opens: An AR's contract where access to CHRI is limited solely for the purposes of the following (a-c) need only include Sections 1.0, 2.01, 2.02, 2.03, 3.01, 4.0, 6.0, 8.0, and 9.0 of this OS when all of the following conditions exist (1-7): (a) storage (referred to as archiving) of the CHRI at the Contractor's facility; (b) retrieval of the CHRI by Contractor personnel on behalf of the AR with appropriate security measures in place to protect the CHRI; and/or (c) destruction of the CHRI by Contractor personnel when not observed by the AR. It then repeats conditions (1) through (7) exactly as above.


Responsibility Table for Channeling
Security and Management Control Outsourcing Standard (OS) for Channelers; OS dated 11/06/2014, table updated 12/17/2014

Table columns: Outsourcing Standard (OS) Section # | Authorized Recipient (AR) | Contractor | Compact Officer (FBI CO); CJIS Systems Agency (CSA) | FBI CJIS Division (CJIS); FBI Compact Officer (FBI CO); Compact Council (CC); United States Attorney General (US AG)

Section 2.0 – Responsibilities of the AR
2.01 – Outsourcing Request; Footnote 2 – Audit Requirements; Footnote 3 – Outsourcing Approval
AR shall: (a) Request and receive written permission from the FBI CO. (b) Provide the FBI CO copies of the specific authority for the outsourced work, criminal history record check requirements, and/or a copy of relevant portions of the contract as requested. (2) Conduct audits of the Contractor, as necessary. (3) Review audit reports and impose sanctions as necessary.
FBI CO shall: (1) Approve/disapprove the request in writing. (2) The FBI CO may not grant such permission unless he/she has implemented a federal audit program to, at a minimum, triennially audit a representative sample of the Contractors and ARs engaging in outsourcing, with the first of such audits to be conducted within one year of the date the Contractor first receives CHRI under the approved outsourcing agreement. (3) The FBI CO will review copies of the specific authority for the outsourced work, criminal history record check requirements, and/or a copy of relevant portions of the contract if requested.
CJIS Audit Unit shall: (1) Conduct required audits of the AR and Contractor and audits on behalf of the CC. (2) CJIS/CC to review audit reports and impose sanctions as necessary.

2.02 – Contract; 2.03(c) & 7.01 & 9.02 – OS and CJIS Security Policy
AR: (1) Execute the contract or agreement prior to providing a Contractor access to CHRI. (2) Ensure that the most current version of both the OS and the CJIS Security Policy are incorporated by reference at the time of the initial contract, contract renewal, or within the 60 calendar day notification period, whichever is sooner.
Contractor: (1) Ensure that the most current version of both the OS and the CJIS Security Policy are incorporated by reference and appended to the contract at the time of the initial contract, contract renewal, and/or Option renewal.
CJIS: (1) CJIS shall make available to the AR the most current versions of both the OS and the CJIS Security Policy within 60 calendar days (unless otherwise directed) of notification of successor versions of the OS and/or CJIS Security Policy. (2) CJIS shall notify contractors of such changes or updates.

2.03 – Access to CHRI
When the Contractor will have access to CHRI, the AR shall: (1) Specify terms and conditions of access. (2) Limit the use of the information to the purposes for which provided. (3) Prohibit dissemination except as authorized by federal laws, regulations, and standards as well as with rules, procedures, and standards established by the CC and the US AG. (4) Ensure security and confidentiality of the information, to include confirmation that the intended recipient is authorized to receive CHRI. (5) Provide for audits and sanctions. (6) Provide conditions for termination of the contract. (7) Ensure Contractor personnel comply with the OS. (8) May conduct 90-day, one year, and triennial audits of Contractors.
CJIS: (1) The CJIS Audit Unit shall conduct 90-day, one year, and triennial audits of Contractors.

2.03(a) – Criminal History Record (CHR) Checks
Contractor: (1) Provide personnel information relevant for a CHR check. (2) Provide updates of personnel changes to CJIS within 24 hours of the changes.
CJIS: (1) CJIS shall conduct CHR checks of Contractor personnel having access to CHRI. (2) CJIS shall maintain updated records of Contractor personnel who have access to CHRI and update those records within 24 hours when changes to that access occur. (3) CJIS shall maintain a list of Contractor personnel who have successfully completed CHR checks.

2.03(b) – Site Security
AR: (1) May ensure that a Contractor maintains site(s) security.
Contractor: (1) Maintain site(s) security.
FBI: (1) The FBI shall ensure that the Contractor maintains site(s) security.

2.03(c) – OS and CJIS Security Policy
See 2.02 (this cross-reference appears in two columns).

2.03(d) & 3.02 – Security Program
AR may: (1) Ensure that the Contractor establishes and administers a Security Program. (2) Provide written approval of a Contractor's Security Program. However, this approval is not in lieu of the FBI's written approval.
Contractor shall: (1) Develop, document, administer, and maintain a Security Program (Physical, Personnel, and IT) to comply with the most current OS and most current CJIS Security Policy. (2) Provide the written security program to the FBI for approval and, if requested, to the AR.
FBI shall: (1) Ensure that the Contractor establishes and administers a Security Program. (2) Provide the written approval of a Contractor's Security Program. (3) The Security Program shall describe the implementation of the security requirements described in this OS and the CJIS Security Policy. (4) Set, maintain, and enforce the standards for selection, supervision, and separation of personnel who have access to CHRI.

2.03(e) – Penetration Testing
Contractor: (1) Shall allow the FBI to periodically test the ability to penetrate the FBI's network through the external network connection or system.
CJIS: (1) CJIS may test the ability to penetrate the network through the external network connection or system.

2.03(f) – Access to Contract
AR: (1) Make available to the FBI CO the relevant portions of the current and approved contract relating to CHRI, upon request.
Contractor: (1) Make available to the FBI CO the relevant portions of the current and approved contract relating to CHRI, upon request.
CJIS: (1) CJIS may request relevant portions of the current and approved contract relating to CHRI.

2.04 – Records and Topological Drawing

AR: (1) Understand the communications and record capabilities of the Contractor which has access to federal records through, or because of, its outsourcing relationship with the AR. (2) May maintain an updated topological drawing which depicts the interconnectivity of the Contractor's network configuration.
Contractor: (1) Provide updated topological drawings depicting the interconnectivity of the network configuration to the FBI and, if requested, to the AR.
FBI: (1) The FBI shall maintain an updated topological drawing which depicts the interconnectivity of the Contractor's network configuration.

2.05 – 90 Day Compliance Review
AR: (1) Responsible for the actions of the Contractor and monitoring the Contractor's compliance with the terms and conditions of the OS.
FBI: (1) The FBI shall certify to the FBI CO that an audit was conducted with the Contractor within 90 days of the date the Contractor first receives CHRI under the approved outsourcing agreement.

2.06 – Contract Termination
(1) Provide written notice of any early voluntary termination of the contract to the FBI CO.

2.07 – ISO Appointment
(1) Appoint an Information Security Officer (ISO) to: (a) Serve as the security POC for the FBI CJIS Division ISO; (b) Document technical compliance with the OS; and (c) Establish a security incident response and reporting procedure to discover, investigate, document, and report on major incidents that significantly endanger the security or integrity of the NCJ agency systems to the FBI CJIS Division ISO.

3.0 – Responsibilities of the Contractor
3.01 – Regulation Compliance
(1) The Contractor and its employees shall comply with all federal laws, regulations, and standards (including the CJIS Security Policy) as well as with rules, procedures, and standards established by the CC and the US AG.

3.02 – Security Program – See 2.03(d)
See 2.03(d) (this cross-reference appears in two columns).

3.03 – Security Requirements
(1) Requirements for a Security Program should include, at a minimum: (a) Description of the implementation of the security requirements described in the OS and the CJIS Security Policy. (b) Security training. (c) Guidelines for documentation of security violations. (d) Standards for the selection, supervision, and separation of personnel with access to CHRI.
*If using a corporate policy, it must meet the requirements outlined in the OS and the CJIS Security Policy. If the corporate policy is not this specific, it must flow down to a level where the documentation supports these requirements.

3.04 – Security Program Management
Shall be: (1) Accountable for the management of the Security Program. (2) Responsible for reporting all security violations of the OS to the AR.

3.05 – Security Training Program

AR (if the training requirement is retained by the AR): (1) Develop a Security Training Program for all Contractor personnel with access to CHRI prior to their appointment/assignment. (2) Provide training upon receipt of notice from the FBI CO on any changes to federal laws, regulations, and standards as well as with rules, procedures, and standards established by the CC and the US AG. (3) Provide annual refresher training, not later than the anniversary date of the contract, and may certify in writing to the FBI that annual refresher training was completed for those Contractor personnel with access to CHRI.
Contractor: (1) Except when the training requirement is retained by the AR, the Contractor shall develop a Security Training Program for all Contractor personnel with access to CHRI prior to their appointment/assignment. (2) Provide training upon receipt of notice from the FBI CO on any changes to federal laws, regulations, and standards as well as with rules, procedures, and standards established by the CC and the US AG. (3) Provide annual refresher training, not later than the anniversary date of the contract, and certify in writing to the FBI that annual refresher training was completed for those Contractor personnel with access to CHRI.
FBI shall: (1) Review and provide to a Contractor written approval/disapproval of the Contractor's Security Training Program. (2) Ensure that annual refresher training was completed by those Contractor personnel with access to CHRI.

3.06 – Security Inspection
AR: (1) May perform announced and unannounced audits and security inspections.
Contractor: (1) Make its facilities available for announced and unannounced audits and security inspections performed by the AR or the FBI on behalf of the CC.
FBI: (1) The FBI, on behalf of the CC, shall perform announced and unannounced audits and security inspections.

3.07 – Security Program Review
AR: (1) May review the Contractor's Security Program. (2) During this review, provision will be made to update the Security Program to address security violations and to ensure changes in policies and standards as well as changes in federal law are incorporated.
CJIS: (1) CJIS shall review the Contractor's Security Program. (2) During this review, provision will be made to update the Security Program to address security violations and to ensure changes in policies and standards as well as changes in federal law are incorporated.

3.08 – Maintenance of CHRI
AR: (1) Manner of and time frame for CHRI dissemination by the Contractor shall be specified in the contract or agreement.
Contractor: (1) Maintain CHRI only for the period of time necessary to fulfill its contractual obligations.

(2) CHRI disseminated by a Contractor to an AR via an authorized Web site shall remain on such Web site only for the time necessary to meet the AR's requirements, but in no event shall that time exceed 30 calendar days. (3) Destroy CHRI immediately after confirmation of successful receipt by the AR. (4) Manner of and time frame for CHRI dissemination to an AR shall be specified in the contract or agreement.

3.09 – CHRI Logging
(1) Maintain a log of any CHRI dissemination for a minimum of 365 days.

3.10 – Access to Contract
See 2.03(f)

4.0 – Site Security
4.01 – Physically Secure Location
Contractor: (1) Maintain a physically secure site(s).
FBI shall: (1) Ensure that a Contractor's site is a physically secure location to protect against any unauthorized access to CHRI.

4.02 – Visitor Escort
(1) Only authorized personnel shall escort all visitors to computer centers and/or terminal areas.

4.03 – Contractor with Direct Access
Contractor: (1) Any Contractor with direct access to CHRI shall allow the FBI to conduct periodic penetration testing.
FBI: (1) The FBI may conduct periodic penetration testing.

5.0 – Dissemination
5.01 – System Access
AR: (1) Ensure that access to the system is only provided to employees of the Contractor, employees of the AR, and such other persons as authorized by the AR for official purposes consistent with the appended contract.
Contractor: (1) Ensure that access to the system is only provided to employees of the Contractor, employees of the AR, and such other persons as authorized by the AR for official purposes consistent with the appended contract.
CJIS: (1) CJIS will ensure that access to the system is only provided to employees of the Contractor, employees of the AR, and such other persons as authorized by the AR for official purposes consistent with the appended contract.

5.02 - Official Use of CHRI

AR:
(1) Ensure access to the system is available only for official purposes consistent with the appended contract.
(2) Ensure any dissemination of CHRI data to authorized employees of the Contractor is to be for official purposes only.

Contractor:
(1) Ensure access to the system is available only for official purposes consistent with the appended contract.
(2) Ensure any dissemination of CHRI data to authorized employees of the Contractor is to be for official purposes only.

CJIS / FBI CO / CC / US AG:
CJIS will:
(1) Ensure access to the system is available only for official purposes consistent with the appended contract.
(2) Ensure any dissemination of CHRI data to authorized employees of the Contractor is to be for official purposes only.

5.03 - CHRI Dissemination

AR:
(1) Ensure information contained in or about the system will not be provided to agencies other than the AR or another entity which is specifically designated in the contract.

Contractor:
(1) Ensure information contained in or about the system will not be provided to agencies other than the AR or another entity which is specifically designated in the contract.

CJIS / FBI CO / CC / US AG:
(1) CJIS will ensure information contained in or about the system will not be provided to agencies other than the AR or another entity which is specifically designated in the contract.

5.04 - Dissemination Authority

AR:
(1) Authorize any dissemination by the Contractor of CHRI that is within the guidelines of federal laws, regulations, and standards as well as with rules, procedures, and standards established by the CC and the US AG.

Contractor:
(1) Not disseminate CHRI without the consent of the AR, and as specifically authorized by federal laws, regulations, and standards as well as with rules, procedures, and standards established by the CC and the US AG.

CJIS / FBI CO / CC / US AG:
(1) CJIS will ensure that the contractor does not disseminate CHRI without the consent of the AR, and as specifically authorized by federal laws, regulations, and standards established by the CC and the US AG.

5.05 - Dissemination Log

Contractor:
(1) Maintain an up-to-date log of CHRI for a minimum one year retention period that must clearly identify:
(a) AR and the secondary recipient with unique identifiers,
(b) Record disseminated,
(c) Date of dissemination,
(d) Statutory authority for dissemination, and
(e) Means of dissemination

CJIS / FBI CO / CC / US AG:
(1) CJIS will ensure that the contractor will maintain an up-to-date log of CHRI for a minimum one year retention period that must clearly identify:
(a) AR and the secondary recipient with unique identifiers,
(b) Record disseminated,
(c) Date of dissemination,
(d) Statutory authority for dissemination, and
(e) Means of dissemination

5.06 - Unauthorized Access

Contractor:
(1) If CHRI is stored or disseminated in an electronic format, protect against unauthorized access to the equipment and any of the data.
(2) In no event shall responses containing CHRI be disseminated other than as governed by this OS or more stringent contract requirements.

CJIS / FBI CO / CC / US AG:
CJIS will:
(1) If CHRI is stored or disseminated in an electronic format, protect against unauthorized access to the equipment and any of the data.
(2) In no event shall responses containing CHRI be disseminated.

5.07 - Access Attempts

Contractor:
(1) Shall not attempt access for inappropriate or illegal activities.
(2) Record and review access attempts to detect inappropriate or illegal activity.

5.08 - Contingency Plan

Contractor:
(1) Establish a documented contingency plan as defined in the CJIS Security Policy and approved by the FBI.

FBI CO / CSA:
(1) FBI shall approve a Contractor’s documented contingency plan as defined in the CJIS Security Policy.

6.0 - Personnel Security

6.01 - Personnel CHR Check

Contractor:
(1) Prior to performing work under the contract, obtain and submit relevant information of Contractor (and approved Sub-Contractor) personnel requesting access to CHRI for CHR checks and wait for approval.

FBI CO / CSA:
(1) The FBI shall process CHR checks on Contractor (and approved Sub-Contractor) personnel having access to CHRI. CHR checks must be completed prior to accessing CHRI under the contract.
(2) The FBI shall notify contractor of CHR check decision.

6.02 - Requirements

Contractor:
(1) Shall ensure that each employee performing work under the contract is aware of the requirements of the OS and federal laws governing the security and integrity of CHRI.
(2) Shall confirm in writing that each employee has certified in writing that he/she understands the OS requirements and laws that apply to his/her responsibilities.
(3) Shall maintain the employee certifications in a file that is subject to review during audits.
(4) Employees shall make such certification prior to performing work under the contract.

FBI CO / CSA:
(1) The FBI shall review confirmation certifications during audits.

6.03 - Updated Personnel Records with Access to CHRI

Contractor:
(1) Shall maintain updated records of personnel who have access to CHRI, update those records within 24 hours when changes to that access occur, and maintain a list of personnel who have successfully completed CHR checks.
(2) Shall notify FBI within 24 hours when additions or deletions occur.

CJIS / FBI CO / CC / US AG:
(1) CJIS shall maintain list of personnel who successfully complete the CHR check.
(2) CJIS shall update the list of Contractor personnel when additions or deletions occur.

7.0 - System Security

7.01 - CJIS Security Policy

See 2.02 - OS & CJIS Security Policy

See 2.02

Contractor:
(1) Ensure security system complies with CJIS Security Policy in effect at the time the OS is incorporated into the contract and with successor versions of the CJIS Security Policy.

7.01(a) - Firewall

Contractor:
(1) Protect the CHRI with firewall-type devices to prevent such unauthorized access if CHRI can be accessed by unauthorized personnel via WAN/LAN or the Internet.
(2) Implement a minimum firewall profile as specified by the CJIS Security Policy in order to provide a point of defense and a controlled and audited access to CHRI, both from inside and outside the networks.

CJIS / FBI CO / CC / US AG:
(1) CJIS will ensure firewall-type devices are implemented to ensure unauthorized access to CHRI as specified in the CJIS Security Policy.

7.01(b) - Encryption

Contractor:
(1) Encrypt CHRI that is passed through a shared public carrier network.

7.02 - CHRI and Media Storage and Disposal

Contractor:
(1) Provide for the secure storage & disposal of all hard copy and media associated with system.

7.02(a) - CHRI Storage

Contractor:
(1) Store CHRI in a physically secure location.

7.02(b) - Media Sanitization

AR:
(1) Ensure a procedure is in place for sanitizing all fixed storage media (e.g., disks, drives, backup storage) at the completion of the contract and/or before it is returned for maintenance, disposal, or reuse.

Contractor:
(1) Establish a procedure for sanitizing all fixed storage media at completion of contract and/or before it is returned for maintenance, disposal, or re-use.

7.02(c) - Disposal Procedure

AR:
(1) Ensure a procedure is in place for the disposal or return of all non-fixed storage media (e.g., hard copies, print-outs).

Contractor:
(1) Establish a procedure for disposal and return of all non-fixed storage media.

7.03 - Identification Requirement

AR:
(1) Be assigned a unique identifying number by CJIS or the Contractor.

Contractor:
(1) Identify each AR and sub-contractor by a unique identifying number.

CJIS / FBI CO / CC / US AG:
(1) CJIS assign a unique identifier to each Contractor.

8.0 - Security Violations

8.01 - Security Violation Policy

AR:
(d) Immediately (within four hours) notify FBI CO of any security violation or termination of contract.
(d) Provide written report of any security violation to the FBI CO, within 5 calendar days of receipt of written report from Contractor.
(d) Written Report must include corrective actions taken by Contractor and AR to resolve security violation.

Contractor:
(a) Develop & maintain a written policy for discipline of employees who violate security provisions of the contract, including this OS.
(b) Upon detection or awareness, suspend any employee who commits a security violation from assignments in which he/she has access to CHRI, pending investigation.
(c) Immediately (within four hours) notify AR and the FBI of any security violation to include unauthorized access to CHRI.
(c) Within 5 calendar days of notification, provide AR and the FBI a written report documenting security violation, any corrective actions taken by Contractor, and the date, time, and summary of prior notification.

8.02 - Contract Termination

AR:
(1) Terminate Contract, when necessary, for security violations:
(a) Involving CHRI obtained pursuant to the contract.
(b) For the Contractor’s failure to notify the AR of any security violation or to provide a written report concerning such violation.
(c) If the Contractor refuses to or is incapable of taking corrective actions to successfully resolve a security violation.

8.03(a) - CHRI Suspension or Termination

CJIS / FBI CO / CC / US AG:
(1) If AR fails to provide a written report notifying the FBI CO of a security violation, or refuses to or is incapable of taking corrective action to successfully resolve a security violation, the CC or US AG may suspend or terminate the exchange of CHRI with AR pursuant to 28 CFR 906.2(d).

8.03(b) - Exchange of CHRI Reinstatement

AR:
(1) The AR and Contractor shall provide to the CC Chairman or the US AG satisfactory written assurances that the security violation has been resolved.
(2) If the exchange of CHRI is terminated, inform the Contractor whether to delete or return records (including media) containing CHRI in accordance with the provisions and timeframe specified.

Contractor:
(1) The AR and Contractor shall provide to the CC Chairman or the US AG satisfactory written assurances that the security violation has been resolved.
(2) If the exchange of CHRI is terminated, delete or return records (including media) containing CHRI, in accordance with the provisions and timeframe as specified by AR.

CJIS / FBI CO / CC / US AG:
(1) If the exchange of CHRI is suspended, it may be reinstated after satisfactory written assurances have been provided to the CC Chairman or the US AG, by the AR and the Contractor, that the security violation has been resolved.

8.04 - Security Violation Notification

AR:
(1) Provide written notice to the FBI CO of the following:
(a) Contract termination for security violations.
(b) Security violations involving unauthorized access to CHRI.
(c) Contractor’s name and unique ID number, nature of security violation, whether violation was intentional, and number of times violation occurred.

8.05 - Investigation Rights of Unauthorized Access to CHRI

CJIS / FBI CO / CC / US AG:
(1) CC and the US AG reserve right to investigate or decline to investigate any report of unauthorized access to CHRI.

8.06 - Audits

CJIS / FBI CO / CC / US AG:
(1) CC and US AG reserve the right to audit AR and Contractor’s operations and procedures at scheduled and unscheduled times.
(2) CC and US AG are authorized to perform a final audit of Contractor systems after termination of contract.

9.0 - Miscellaneous Provisions

9.01 - OS

AR; Contractor; FBI CO / CSA; CJIS / FBI CO / CC / US AG (identical in all four columns):
(1) This OS does not confer, grant, or authorize any rights, privileges, or obligations to any persons other than the Contractor, the AR, CJIS Systems Agency and the FBI.

9.02 - CJIS Security Policy

AR; Contractor; FBI CO / CSA; CJIS / FBI CO / CC / US AG (identical in all four columns):
(1) The CJIS Security Policy is incorporated by reference and made a part of this OS.

9.03 & Footnote 4 - OS Stringency

AR:
(1) AR has the explicit authority to require more stringent standards than those contained in the OS.

Contractor:
(1) Comply with any additional conditions as required by the CC and/or AR.

FBI CO / CSA:
(1) The CC, AR, and the FBI CO have the explicit authority to require more stringent standards than those contained in the OS.

CJIS / FBI CO / CC / US AG:
(1) The CC, AR, and the FBI CO have the explicit authority to require more stringent standards than those contained in the OS.

9.04 - OS Modification

AR:
(1) The minimum security measures as outlined in this OS may only be modified by the CC.
(2) Conformance to such security measures may not be less stringent than stated in this OS without the consent of the CC in consultation with the US AG.

Contractor:
(1) The minimum security measures as outlined in this OS may only be modified by the CC.
(2) Conformance to such security measures may not be less stringent than stated in this OS without the consent of the CC in consultation with the US AG.

FBI CO / CSA; CJIS / FBI CO / CC / US AG:
(1) The minimum security measures as outlined in this OS may only be modified by the CC.
(2) Conformance to such security measures may not be less stringent than stated in this OS without the consent of the CC in consultation with the US AG.

9.05 - OS Modification

AR; Contractor; FBI CO / CSA; CJIS / FBI CO / CC / US AG (identical in all four columns):
(1) This OS may only be modified by the CC and may not be modified by the parties to the appended contract without the consent of the CC.

9.06 - FBI CO Address

AR; Contractor; FBI CO / CSA; CJIS / FBI CO / CC / US AG (identical in all four columns):
(1) Appropriate notices, assurances, and correspondence to the FBI CO, CC, and the US AG required by Section 8.0 of this OS shall be forwarded by First Class Mail to:

FBI Compact Officer
1000 Custer Hollow Road
Module D-3
Clarksburg, WV 26306

Authorized Recipient’s Responsibilities

Prior to engaging in the outsourcing of any noncriminal justice administrative functions, the AR is required to request and receive written permission from the FBI Compact Officer. The following sections provide examples of Non-Channeling and Channeling documentation and may be used as a reference when drafting documents relating to the outsourcing of noncriminal justice administrative functions.

Non-Channeling Sample Documentation

Authorized Recipient Sample Request Letter for Non-Channeling
Authorized Recipient Sample FBI Response Letter for Non-Channeling
Sample Language between the Authorized Recipient and Contractor regarding Noncriminal Justice Outsourcing Functions for Non-Channeling

Channeling Sample Documentation

Authorized Recipient Sample Request Letter to Use a Channeler
Authorized Recipient Sample FBI Response Letter for Channeler Request
Sample Language between the Authorized Recipient and Channeler regarding Noncriminal Justice Outsourcing Functions for Channeling

Examples of Non-Channeling Documentation

Authorized Recipient Sample Request Letter for Non-Channeling

REQUEST LETTER FOR [insert Authorized Recipient’s name] TO USE [insert Contractor’s name] AS A CONTRACTOR FOR NONCRIMINAL JUSTICE ADMINISTRATIVE FUNCTIONS

[FBI Compact Officer]
[Federal Agency]
[Address]
[City, State and Zip Code]

Dear [insert FBI Compact Officer]:

[Insert Authorized Recipient’s name], the Authorized Recipient, requests permission to use [insert Contractor’s name] as a contractor to outsource noncriminal justice administrative functions relating to the processing of criminal history record information (CHRI) on our behalf. This would include [insert all functions that may apply. For example, obtaining missing dispositions, making determinations and recommendations, off-site storage of criminal history record information and its corresponding fingerprint submissions, etc.]. [Insert Authorized Recipient’s name] and [insert Contractor’s name] have entered into an agreement in which [insert Contractor’s name] will act on our behalf in accordance with the Security and Management Control Outsourcing Standard (Outsourcing Standard) for Non-Channelers. [Insert Authorized Recipient’s name] is authorized to perform background checks pursuant to the [insert the legal citation of the federal statutory authority or executive order that requires or authorizes the Authorized Recipient to have access to CHRI]. Upon execution of the Contract, [insert Authorized Recipient’s name] will take responsibility for [insert Contractor’s name] compliance with the terms of the Contract, to include the Outsourcing Standard for Non-Channelers, and will notify the FBI Compact Officer of any violations.

Sincerely,

[insert name]
[insert title]
[insert address]
[insert phone number]
[insert email address]
[insert fax number]

Authorized Recipient Sample FBI Response Letter for Non-Channeling

[Date]

[Name]
[Position Title]
[Division]
[Federal Agency]
[Address]
[City, State and Zip Code]

Dear [Name]:

Reference is made to your request to use [insert Contractor’s name] to perform the noncriminal justice administrative functions relating to the processing of criminal history record information (CHRI). This would be limited to [insert specific noncriminal justice administrative functions to be performed]. It is noted that your authority for access to the FBI CHRI is [insert the legal citation of the federal statutory authority or executive order that requires or authorizes the Authorized Recipient to have access to CHRI].

In accordance with the National Crime Prevention and Privacy Compact Council's Final Rule entitled "Outsourcing of Noncriminal Justice Administrative Functions" (Title 28, Code of Federal Regulations, Part 906), outsourcing of noncriminal justice administrative functions is permitted under certain conditions when approved by the FBI Compact Officer and as specified in the Security and Management Control Outsourcing Standard for Non-Channelers (Outsourcing Standard). The [insert Authorized Recipient’s name] is granted permission to provide CHRI to [insert Contractor’s name], as its contractor, solely for the purpose of [insert specific noncriminal justice administrative functions to be performed] pursuant to this approval. In the event of a conflict between the terms of the [insert Authorized Recipient’s name]/[insert Contractor’s name] agreement, amendments to the [insert Authorized Recipient’s name]/[insert Contractor’s name] agreement, and the Outsourcing Standard relating to FBI-provided data, the terms of the Outsourcing Standard shall control.

According to Part 2.05 of the Outsourcing Standard, [insert Authorized Recipient’s name] shall conduct an audit of the contractor within 90 days of the date the contractor first receives CHRI under the approved outsourcing agreement and shall certify to me that the audit was conducted.

Further, as provided in footnote 2 of the Outsourcing Standard, the FBI will triennially audit a representative sample of contractors and authorized recipients engaging in outsourcing, with the first of such audits to be conducted within one year of the date the contractor first receives CHRI under the approved outsourcing agreement. Enclosed is a copy of the most recent version of the Outsourcing Standard, dated November 6, 2014.

Access to the FBI-maintained CHRI is subject to numerous restrictive laws and regulations. Dissemination of such information to a private entity is prohibited except as specifically authorized by federal law or regulation. Further, the exchange of CHRI is subject to cancellation if such unauthorized dissemination is made.

Should you have any questions regarding your responsibilities in relation to the outsourcing of noncriminal justice administrative functions, please do not hesitate to contact [insert name of CJIS Division POC] at [insert telephone number], or via e-mail at [insert e-mail address], or me at [insert telephone number], or via e-mail at [insert e-mail address].

Respectfully,

[Insert FBI Compact Officer’s name]
FBI Compact Officer

Enclosure

Note: Send a copy of the response to the Compact Council Chairman and Contractor.

Sample Language between the Authorized Recipient and Contractor regarding Noncriminal Justice Outsourcing Functions for Non-Channeling

CONTRACT BETWEEN [AUTHORIZED RECIPIENT’S NAME]
AND
[CONTRACTOR’S NAME]
REGARDING OUTSOURCING
NONCRIMINAL JUSTICE ADMINISTRATIVE FUNCTIONS

This contract is entered into between [insert Authorized Recipient’s name and address], the Authorized Recipient, and [insert Contractor’s name and address], the Contractor, under the terms of which the Authorized Recipient is outsourcing the performance of noncriminal justice administrative functions involving the handling of criminal history record information (CHRI) pursuant to Title 28, Code of Federal Regulations, Part 906 and the Security and Management Control Outsourcing Standard (Outsourcing Standard) for Non-Channelers. The most current version of the Outsourcing Standard is incorporated by reference into this contract and appended hereto as Attachment “[insert]”.

The Authorized Recipient's authority to submit fingerprints for noncriminal justice purposes and obtain the results of the fingerprint search, which may contain CHRI, is [insert the legal citation of the federal statutory authority or executive order