CJIS Certification - Third Party Vendor Qualifications - Criminal Justice - Corsica Technologies

2 Essential CJIS Certifications for a Third-Party Vendor

Originally published Sept 22, 2017. Last updated April 29, 2026.

Aligning your organization’s practices with CJIS standards presents continual challenges. Time, resources, and budget approval are just a few difficulties you may encounter as you prepare for your next CJIS audit.

How do you prepare for your CJIS audit? 

How do you find a qualified vendor to help?

We’ve got all the answers in this post.

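Here are the 2 essential qualifications of a CJIS vendor:

  • Their auditors have an intimate knowledge of CJIS Policy
  • Their solutions meet the requirements of all 13 areas of CJIS Policy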

Let’s unpack these in detail.


What are the 2 Essential Qualifications for CJIS Certification?

Vendors must maintain compliance with the 13 areas of the FBI’s CJIS Security Policy to be qualified to handle Criminal Justice Information (CJI).

If your prospective IT and/or cyber security partner has communicated that they are CJIS compliant, here are the 2 essential qualifications to look for. (You should be able to verify these quickly, but we’ve also provided a shortcut at the end of this article to help you speed up the process.)

1. Their Auditors Have an Intimate Knowledge of CJIS Policy

This one is obvious, but it is the most difficult to verify. The fact that third-party auditors do not need access to CJI (and therefore do not require fingerprint-based background checks) throws additional confusion into the mix.

Though auditing staff ideally do have a background check in place, the essential qualification for this role is a deep understanding of CJIS Policy—they must know how a federal auditor would assess your security landscape and be able to replicate that process to uncover any gaps that may be exposed during the “real” audit.

Because there is no test or certification to verify CJIS knowledge, look instead for these industry-recognized security and audit credentials, which are associated with DoD 8140: CISSP, CISA, CISM, and GSNA.

2. Their Solutions Meet the Requirements of All 13 Areas of CJIS Policy

The government sets program and procedure standards through the Federal Risk and Authorization Management Program (FedRAMP). In the past, CJI needed to be stored in a FedRAMP-compliant cloud platform. That is no longer the case, although the platform does need to meet the requirements of all 13 areas of CJIS policy (including data sovereignty [U.S., U.S. territories, tribal territories, and Canada only]).

Though it’s no longer a requirement, FedRAMP readiness is still a good goal because it pushes organizations toward better security. From that perspective, it’s a good idea to ensure that security assessments, authorization, and continuous monitoring, among other SaaS solutions, are FedRAMP ready.

Why engage an outside vendor in your CJIS audit preparations?

Budgets are tight in today’s economic environment. It’s rare that an organization has the internal resources it needs to cover all preparations for a CJIS audit.

A third-party vendor brings in the firepower you need to get this done. Specifically, a vendor can help:

  • Assess your current security stance against CJIS standards
  • Formulate an airtight game plan for closing gaps
  • Supplement your processes with services provided by CJIS-compliant vendors

Is there such a thing as Federal CJIS Certification?

Unfortunately, no.

Just as there is no CJIS certification for criminal justice organizations (it’s either pass or fail the triennial audit), there is no federal CJIS certification for vendors.

Stephen Exley, information security analyst within the CJIS Information Security Officer Program, says, “Please be aware there is no CJIS certification process with regard to the CJIS Security Policy. The only certifications related to CJIS…are in regard to facial recognition and fingerprint capture standards…We do not certify, nor endorse any product, solution, or vendor.”

It’s a red flag when any vendor claims to be “CJIS Certified”—unless the state in which you reside uses the term “certified” to recognize vetted vendors.


That said, finding a CJIS vendor doesn’t have to be hard.

The quickest way to find a qualified vendor: Ask the FBI!

Many states have established a list of approved and verified vendors to help you pass your federal CJIS compliance audits. The easiest way to engage a qualified vendor is to request a list from your state’s branch of the FBI. This can greatly shorten the process of identifying an affordable, reliable vendor.

Here at Corsica Technologies, we’ve helped numerous organizations achieve CJIS compliance. 


Ross Filipek is Corsica Technologies’ CISO. He has more than 20 years’ experience in the managed cyber security services industry as both an engineer and a consultant. In addition to leading Corsica’s efforts to manage cyber risk, he provides vCISO consulting services for many of Corsica’s clients. Ross has achieved recognition as a Cisco Certified Internetwork Expert (CCIE #18994; Security track) and an ISC2 Certified Information Systems Security Professional (CISSP). He has also earned an MBA degree from the University of Notre Dame.
