Criminal Justice Information Services (CJIS) Resource Materials

CJIS Audit Unit (CAU)

(L-R, Steve Steiner, Deputy CJIS Systems Officer, Seneca Chavis, Background Investigative Specialist,
Amber McDonald, CJIS Auditor, Derek Holbert, CJIS ISO, Beverly Carter, Program Support Specialist)

Welcome! The CAU program oversees the implementation of the NIGC’s external and internal compliance strategies to achieve and demonstrate compliance with the Memorandum of Understanding (MOU) between the Federal Bureau of Investigation and NIGC concerning Noncriminal Justice Fingerprint Submissions.  CAU audit staff deliver training, technical assistance and conduct selective audits/investigations of those tribes with an executed, suspended, or terminated MOU with the NIGC regarding Criminal History Record Information (CHRI).

The CAU can be reached by email: cau@nigc.gov

You can now watch the following CAU Recorded Training Sessions

Please complete the request form to receive an emailed link to the recorded session.

• Sample Audit Checklist for 2021 CHRI MOU
• Criminal History Record Information (CHRI) and Compliance with 25 CFR Part 558.3(f)
• LASO Handbook
• Outsourcing Basics
• NIGC and/or FBI NGI/NCJITS Audits(s): What to expect!
• Updated Regulations: Key Employees and Primary Management Officials, Background Investigations, and Licensing

Memorandum of Understanding MOU:

This MOU memorializes the NIGC’s and the TGRA’s understandings and responsibilities regarding the submission of noncriminal justice fingerprints and the transmittal, receipt, storage, use, and dissemination of CJI and CHRI.

• FBI and NIGC Memorandum of Understanding (Effective 01/17/20)
• Final CHRI MOU
• 2021 CHRI MOU Checklist

Local Agency Security Officer (LASO) Handbook

This handbook is a tool and not meant to be duplicated word for word but is intended to guide the LASO and staff to understand the responsibilities of being an authorized recipient of FBI CHRI. Please utilize this tool to develop your own policies and procedures according to your specific practices and systems. 

• Local Agency Security Officer (LASO) Handbook v.5.9.5

Compliance with 25 C.F.R. §§ 502, 556 and 558

• Sample Classification for 25 C.F.R. § 502.14 (d)
• Sample Classification for 25 C.F.R. § 502.19 (e)
• Memo to Compliance re: Special Emphasis on Compliance with Parts 502, 556 and 558
• Steps to Ensure Compliance with September 14, 2023, Regulatory Updates to 25 C.F.R. Part 502
• Frequently Asked Questions – 25 C.F.R. §§ 502, 556 and 558

Bulletins:

Bulletins provide program-related guidance to tribes, tribal regulators, and gaming operations, for example, fee rates, fingerprint submission, and guidance on Agreed Upon Procedures submission. Bulletins may also restate existing policy or procedure to provide further clarification.

• No. 2022-3   Criminal History Record Information (CHRI) Retention
• No. 2020-2   Fingerprint processing - applicant Privacy Act rights and protecting CHRI

Awareness Training (AT) Information:

All users with authorized access to CJI should be made aware of their individual responsibilities and expected behavior when accessing CJI and the systems which process CJI.

• LASO Designation Form 
• CJIS Online Training for Security Awareness and LASO’s can be taken here:
  • www.cjisonline.com/
• How to guide for CJIS Online Login

Outsourcing Agreement Resources:

Prior to engaging in outsourcing any noncriminal justice administrative functions with a Contractor, an Authorized Recipient (Tribe/TGRA) must request and receive written permission from the FBI Compact Officer.

• Helpful Outsourcing Information
• Security and Management Control Outsourcing Standard for Non-Channelers
• Outsourcing Standard for Non-Channelers Sample Policy
• Outsourcing Agreement and FBI Permission Aid
• Sample Non-Channeler Request for Permission to Outsource
• Sample CJIS Outsourcing Contract
• Sample 90-Day Audit Checklist for Contractor Access to FBI CHRI

Policy Templates:

• Policy Template 5.2 Awareness Training (AT)
• Policy Template 5.3 Incident Response (IR)
• Policy Template 5.4 Audit and Accountability (AU)
• Policy Template 5.5 Access Control (AC)
• Policy Template 5.7 Configuration Management
• Policy Template 5.8 Media Protection (MP)
• Policy Template 5.9 Physical and Environmental Protection (PE)

CJIS Security Policy (CJISSecPol) Sample Checklists:

The CJISSecPol policy areas focus upon the data and services that the FBI CJIS Division exchanges and provides to the criminal justice community and its partners. Each policy area provides both strategic reasoning and tactical implementation requirements and standards.

These sample checklists are audit tools that Tribes can use to self-assess compliance with the CJISSecPol.

• Sample Audit Checklist 5.1 Information Exchange Agreements
• Sample Audit Checklist 5.2 Awareness and Training (AT)
• Sample Audit Checklist 5.3 Incident Response (IR)
• Sample Audit Checklist 5.4 Auditing and Accountability (AU)
• Sample Audit Checklist 5.5 Access Control (AC)
• Sample Audit Checklist 5.6 Identification and Authentication (IA)
• Sample Audit Checklist 5.7 Configuration Management
• Sample Audit Checklist 5.8 Media Protection (MP)
• Sample Audit Checklist 5.9 Physical and Environmental Protection (PE)
• Sample Audit Checklist 5.10 Systems and Communications Protection (SC)
• Sample Audit Checklist 5.12 Personnel Security
• Sample Audit Checklist 5.13 Mobile Devices
• Sample Audit Checklist 5.14 System and Services Acquisitions (SA)
• Sample Audit Checklist 5.15 System and Information Integrity (SI)
• Sample Audit Checklist 5.16 Maintenance (MA)
• Sample Audit Checklist 5.17 Planning (PL)
• Sample Audit Checklist 5.18 Contingency Planning (CP)
• Sample Audit Checklist 5.19 Risk Assessment (RA)

Sample Forms:

• Notice of Results
• Tribal notification Form for CHRI MOU V.B.13
• Authorized Personnel List
• Personnel Sanctions and Standards of Discipline Form
• Training Record Form
• Security Incident Response Form
• Applicant’s Privacy Rights Notice (Updated 11/6/19)
• FBI Privacy Act (Updated 03/30/18)

Helpful Resources:

• Noncriminal Justice Information Technology Security Audit Authorized Recipient Policy Reference Guide
• Job Aid - How to Read an Identity History Summary (IdHS)
• NGI Audit Methodology
• FBI CJIS Security Policy Version 5.9.5
• FBI Criminal Justice Information Services (CJIS)
• National Crime Prevention and Privacy Compact Council
• FBI Compact Council Sanction Process Information
• Next Generation Identification (NGI) Audit Noncriminal Policy Reference Guide (June 2022)
• NCJITS Audit Methodology