Criminal Justice Information Services (CJIS) Resource Materials

CJIS Audit Unit (CAU)

(L-R, Amber McDonald, CJIS Auditor, Steve Steiner, Deputy CJIS Systems Officer, Tamitra McClain, CJIS Auditor, and 
Derek Holbert, CJIS ISO)

Welcome! The CAU program oversees the implementation of the NIGC’s external and internal compliance strategies to achieve and demonstrate compliance with the Memorandum of Understanding (MOU) between the Federal Bureau of Investigation and NIGC concerning Noncriminal Justice Fingerprint Submissions.  CAU audit staff deliver training, technical assistance and conduct selective audits/investigations of those tribes with an executed, suspended, or terminated MOU with the NIGC regarding Criminal History Record Information (CHRI).

The CAU can be reached by email: cau@nigc.gov
To request CJIS training, please complete the Training and Technical Assistance Request Form here.

Memorandum of Understanding MOU:

This MOU memorializes the NIGC’s and the TGRA’s understandings and responsibilities regarding the submission of noncriminal justice fingerprints and the transmittal, receipt, storage, use, and dissemination of CJI and CHRI.

• FBI and NIGC Memorandum of Understanding (Effective 01/17/20)
• Dear Tribal Gaming Regulator - Final CHRI MOU for TGRA signature
• Final CHRI MOU
• Dear Tribal Gaming Regulator- CHRI MOU Compliance Update- Fingerprinting TGRA Employees and Commissioners
• 2021 CHRI MOU Checklist
• Tribal notification Form for CHRI MOU V.B.13

Local Agency Security Officer (LASO) Handbook

This handbook is a tool and not meant to be duplicated word for word but is intended to guide the LASO and staff to understand the responsibilities of being an authorized recipient of FBI CHRI. Please utilize this tool to develop your own policies and procedures according to your specific practices and systems. 

• Local Agency Security Officer (LASO) Handbook

Compliance with 25 C.F.R. §§ 502, 556 and 558

• Memo to Compliance re: Special Emphasis on Compliance with Parts 502, 556 and 558
• Steps to Ensure Compliance with September 14, 2023, Regulatory Updates to 25 C.F.R. Part 502
• Frequently Asked Questions – 25 C.F.R. §§ 502, 556 and 558

Bulletins:

Bulletins provide program-related guidance to tribes, tribal regulators and gaming operations, for example, fee rates, fingerprint submission and guidance on Agreed Upon Procedures submission. Bulletins may also restate existing policy or procedure to provide further clarification.

• No. 2022-3   Criminal History Record Information (CHRI) Retention
• No. 2020-2   Fingerprint processing - applicant Privacy Act rights and protecting CHRI

Awareness Training (AT) Information:

All users with authorized access to CJI should be made aware of their individual responsibilities and expected behavior when accessing CJI and the systems which process CJI.

• Sample Noncriminal Justice Agency Information Change Form (ex. LASO designation) 
• CJIS Online Training for Security Awareness and LASO’s can be taken here:
  • www.cjisonline.com/
• How to guide for CJIS Online Login

Outsourcing Agreement Resources:

Prior to engaging in outsourcing any noncriminal justice administrative functions with a Contractor, an Authorized Recipient (Tribe/TGRA) must request and receive written permission from the FBI Compact Officer.

• Helpful Outsourcing Information
• Security and Management Control Outsourcing Standard for Non-Channelers
• Outsourcing Standard for Non-Channelers Sample Policy
• Outsourcing Agreement and FBI Permission Aid
• Sample Non-Channeler Request for Permission to Outsource
• Sample CJIS Outsourcing Contract
• Sample 90-Day Audit Checklist for Contractor Access to FBI CHRI

CJIS Security Policy (CJISSecPol) Sample Checklists:

The CJISSecPol policy areas focus upon the data and services that the FBI CJIS Division exchanges and provides to the criminal justice community and its partners. Each policy area provides both strategic reasoning and tactical implementation requirements and standards.

These sample checklists are audit tools that Tribes can use to self-assess compliance with the CJISSecPol.

• Sample Audit Checklist 5.1 Information Exchange Agreements
• Sample Audit Checklist 5.2 Awareness and Training (AT)
• Sample Audit Checklist 5.3 Incident Response (IR)
• Sample Audit Checklist 5.4 Auditing and Accountability (AU)
• Sample Audit Checklist 5.5 Access Control (AC)
• Sample Audit Checklist 5.6 Identification and Authentication (IA)
• Sample Audit Checklist 5.7 Configuration Management
• Sample Audit Checklist 5.8 Media Protection (MP)
• Sample Audit Checklist 5.9 Physical and Environmental Protection (PE)
• Sample Audit Checklist 5.10 Systems and Communications Protection (SC)
• Sample Audit Checklist 5.12 Personnel Security
• Sample Audit Checklist 5.13 Mobile Devices
• Sample Audit Checklist 5.14 System and Services Acquisitions (SA)
• Sample Audit Checklist 5.15 System and Information Integrity (SI)
• Sample Audit Checklist 5.16 Maintenance (MA)
• Sample Audit Checklist 5.17 Planning (PL)
• Sample Audit Checklist 5.18 Contingency Planning (CP)
• Sample Audit Checklist 5.19 Risk Assessment (RA)

Sample Forms and Policies:

• Notice of Results
• Tribal notification Form for CHRI MOU V.B.13
• Authorized Personnel List
• Acknowledgment Statement
• Training Record Form
• Security Incident Response Form
• Applicant’s Privacy Rights Notice (Updated 11/6/19)
• FBI Privacy Act (Updated 03/30/18)

Helpful Resources:

• Noncriminal Justice Information Technology Security Audit Authorized Recipient Policy Reference Guide
• Job Aid - How to Read an Identity History Summary (IdHS)
• NGI Audit Methodology
• FBI CJIS Security Policy Version 5.9.4
• FBI Criminal Justice Information Services (CJIS)
• National Crime Prevention and Privacy Compact Council
• FBI Compact Council Sanction Process Information
• Next Generation Identification (NGI) Audit Noncriminal Policy Reference Guide (June 2022)
• NCJITS Audit Methodology