NCJA Frequently Asked Questions (FAQs)

General

What is a noncriminal justice agency or NCJA?
What is criminal justice information (CJI)?
What is the Compact Council?
Who is the Compact Officer for Florida?
Who is the CJIS Systems Agency (CSA)/State Identification Bureau (SIB)?
What is outsourcing?
Does Florida allow outsourcing?

Information Security

What is the CJIS Security Policy (CSP)?
How can we get a copy of the CSP?
What parts of our agency have to comply with the CSP?
Is our agency required to have our own security policy?
What is incident response?
What are we supposed to do for incident response?
What do we need to include in our incident response plan?
What is media protection?

Compliance

What does our agency need to do to comply with Section 5.1.1.6 Agency User Agreements?
We don’t have our “own” IT staff; the city/county provides IT support of our agency. Is there anything we need to do?
We don’t have our “own” IT staff; we contract to a private company to provide IT support for our agency. Is there anything we need to do?
What is access?
Can we share CJI or criminal history information?
How do I know if another agency or person is authorized to receive criminal history information or CJI?
What is secondary dissemination?
What needs to be recorded in the secondary dissemination log?
Is there anything we must do before we surplus equipment that was used to process or store criminal history information?
What are the audit records identified in Appendix J, Paragraph 1. g.?
What do we do with old servers that stored CJI; are there any steps we have to take?
What is a controlled area?

Training

What is a Local Agency Security Officer (LASO)?
Is the LASO supposed to be a specific person or can it be assigned to a position?
What are the LASO’s duties?
Who can be the LASO?
Who needs security awareness training?
How do we get security awareness training?
How does my agency get set up in CJIS Online?  
General
What is a noncriminal justice agency or NCJA?
A noncriminal justice agency is an agency that conducts criminal history record checks on applicants for licensing or employment purposes. There are two types of NCJAs: those statutorily authorized to conduct state and national fingerprint-based background checks under Public Law 92-544, and those qualified under the Volunteer and Employee Criminal History System (VECHS) to conduct state and national fingerprint-based background checks because they serve a vulnerable population (children, the disabled, or the elderly) as defined in the National Child Protection Act (NCPA) and Volunteers for Children Act (VCA).

Examples of noncriminal justice agencies include Agency for Health Care Administration, Universal Studios, YMCA, Seminole Montessori School, City of Perry Licensing Division, Advent Episcopal Church, etc.

What is criminal justice information (CJI)?
Criminal justice information or CJI is any information obtained from a national criminal justice data system. However, in the scope of noncriminal justice use, it is easier to define CJI as criminal history information and data received from a state and/or national fingerprint-based record check (in Florida, referred to as Level 2) for hiring/licensure/volunteer screening purposes. The terms CJI and criminal history information are relatively interchangeable.

What is the National Crime Prevention and Privacy Compact Council?
Essentially, the Compact Council governs the national access to CJI for the NCJA community. On October 9, 1998, President Clinton signed into law the National Crime Prevention and Privacy Compact (Compact) Act of 1998, establishing an infrastructure by which states can exchange criminal records for noncriminal justice purposes according to the laws of the requesting state and provide reciprocity among the states to share records.

The Compact Council, as a national independent authority, works in partnership with criminal history record custodians, end users, and policy makers to regulate and facilitate the sharing of complete, accurate, and timely criminal history record information with noncriminal justice users in order to enhance public safety, welfare, and security of society while recognizing the importance of individual privacy rights. For more information, please visit the FBI's National Crime Prevention and Privacy Compact Council website at www.fbi.gov/services/cjis/compact-council

Who is the Compact Officer for Florida?
FDLE CJIS Director Charles Schaeffer is the Compact Officer for Florida.

Who is the CJIS Systems Agency (CSA)/State Identification Bureau (SIB)?
FDLE is the CSA and SIB for Florida.

What is outsourcing?
Outsourcing is the process of having another entity perform a given service/function on behalf of the authorized recipient, including storage of CJI, destruction of CJI, or IT support where access to CJI may be incidental but necessary. Florida requires agencies to adhere to the Security and Management Control Outsourcing Standard for Non-Channelers established by the Compact Council. To review this standard, please see our Resources page.

Does Florida allow outsourcing?
Yes, but FDLE shall be notified, and the request granted by the State Compact Officer, prior to the work being performed where access (physical/logical) to CJI will be needed.
Information Security

What is the CJIS Security Policy (CSP)?
The Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Security Policy is the set of baseline standards developed and approved by the FBI CJIS Advisory Policy Board (APB) for securing criminal justice information (CJI).

How can we get a copy of the CSP?
A copy of the CSP can be found HERE on our website.

What parts of our agency have to comply with the CSP?
Typically, only those personnel and systems used to process or store CJI are required to comply with the CJIS Security Policy (CSP). However, how systems are integrated within the agency may change the scope of compliance.

Is our agency required to have our own security policy?
There are a number of policies and procedures that your agency will be required to specifically document, including, but not limited to, media disposal procedures and incident response procedures. Depending on your agency’s retention of CJI, you may also have to document your authentication strategy, patch management policy and network configuration.

What is incident response?
Incident response is the action taken by your agency as the result of an actual or perceived computer/IT incident/attack that involves CJI.

What are we supposed to do for incident response?
First, you must have a plan. Each entity’s plan will be different based on its job/function and, potentially, the computer, server or network that is used to process or store CJI. Most large or “technical” agencies will probably already have an incident response plan.

What do we need to include in our incident response plan?
The CJIS Security Policy requires that your plan cover preparation for, detection and analysis of, containment of, eradication of, and recovery from an incident. You will also need to notify the FDLE CJIS ISO of the incident by sending an email to CJISISO@flcjn.net.

What is media protection?
You are required to follow certain standards (section 5.8 of the CJIS Security Policy) for protecting the media on which criminal justice information is recorded (electronic or hard copy/paper). These standards cover storage, transport, transmission and disposal/sanitization of CJI or media storing CJI.


Compliance
What does our agency need to do to comply with Section 5.1.1.6 Agency User Agreements?
The CJIS Security Policy and FDLE require an agency/entity to sign a user agreement prior to processing fingerprints for that agency. The agreement required by FDLE meets this policy.


We don’t have our “own” IT staff; the city/county provides IT support of our agency. Is there anything we need to do?
You must have an agreement that the supporting entity will abide by the specified rules of your agency's user agreement with FDLE.

We don’t have our “own” IT staff; we contract to a private company to provide IT support for our agency. Is there anything we need to do?
You must incorporate the requirements of your agency's user agreement with FDLE into the contract for the services provided.

What is access?
Access is the ability to “touch” hardware and/or “see” information both in a physical and/or electronic sense. Someone who can pull the plug out of the back of a computer, or someone who can hold a printout in their hands, has “physical” access. Someone who can open an electronic file and read its contents, or can log into the IT component to perform maintenance, has “logical” access.

Can we share CJI or criminal history information?
CJI and/or criminal history information can only be shared or “disseminated” as allowed by your agency’s user agreement with FDLE, state statutes or federal guidelines.

How do I know if another agency or person is authorized to receive criminal history information or CJI?
Any questions regarding authorized recipients shall be directed to the FDLE CJIS Audit unit at fciccompliance@fdle.state.fl.us. When you contact the Audit and Compliance Unit, please include the authority by which you feel the dissemination/release of criminal history information is authorized.

What is secondary dissemination?
Secondary dissemination is the process of sharing or “disseminating” criminal justice information (CJI) with another authorized agency/entity. The CJIS Security Policy requires all secondary disseminations to be documented in a “secondary dissemination log”.

What needs to be recorded in the secondary dissemination log?

  1. The name of the person the record pertains to,
  2. the agency/person the record was disseminated to,
  3. the specific person who received the information,
  4. the FBI# or FDLE# of the criminal history record disseminated,
  5. the date the record was disseminated.


Is there anything we must do before we surplus equipment that was used to process or store criminal history information?
Any computer or server that has stored criminal history information must be sanitized before being “released” for surplus or leaving the control of your agency. The suggested method of sanitization is destruction. If you release the hard drive, it must have been completely overwritten at least three times. This process applies to any electronic media that has stored CJI, including “biz hubs” and flash drives.

What are the audit records identified in Appendix J, Paragraph 1. g.?
Systems that are used to process and store criminal justice information are required to “log” certain events. The application that is processing or storing the CJI typically has the ability to log these events for future review. These logs must be maintained for at least 365 days.

What do we do with old servers that stored CJI; are there any steps we have to take?
Computer or server hard drives that have stored CJI must be properly disposed of, and the process must be documented. There are two options:

  1. the hard drive (or other electronic media) must be wiped at least three times, or
  2. the hard drive/media must be physically destroyed.

Specialized wiping software overwrites the entire drive with “1”s and “0”s. Most software available typically overwrites the drive seven times.

Destruction can be accomplished by drilling multiple holes in the drive. There are shredders that will destroy a hard drive. Whichever process your agency chooses, it must be defined in an agency policy.

What is a controlled area?
A controlled area is where criminal justice information is accessed and “processed”. Processing includes reviewing for decision making purposes.

A controlled area is defined in section 5.9.2 of the CJIS Security Policy. Within a “controlled area” your agency must:

  1. Limit access to the area during CJI processing
  2. Lock the area/room/storage container when unattended
  3. Position computer screens and documents to prevent unauthorized individuals from viewing
  4. Follow the encryption requirements for electronic storage (data at rest)
  5. Use an advanced authentication process to access the electronic data if the data is located on a server-type or centralized computer.
 
Training

What is a Local Agency Security Officer (LASO)?
Each agency required to comply with the CSP must have a LASO. The LASO ensures compliance with the CSP and acts as the security point of contact with the CJIS Systems Agency (CSA). FDLE is the CSA for Florida.

Is the LASO supposed to be a specific person or can it be assigned to a position?
It can be a specific person or a position. Whoever fulfills the duties of LASO needs to be aware of the responsibilities, including the interaction with FDLE. FDLE needs to know who this person is, as they are the primary contact for compliance and security-related issues. Therefore, if your agency specifies a position to be the LASO, each time a different person fills that position, FDLE must be notified of who the new person is and given contact information for that person.

What are the LASO’s duties?
According to the CSP, each LASO shall:

  1. Identify who has access to hardware, software, and firmware used to process/store CJI and ensure no unauthorized individuals or processes have access to the same.
  2. Identify and document if and how the equipment is connected to the state system.
  3. Ensure the approved and appropriate security measures are in place and working as expected.
  4. Support policy compliance and ensure CSA ISO is promptly informed of security incidents.

Background checks are not required for those employees of noncriminal justice agencies accessing CJI or maintaining systems used to process or store CJI because there is no specific enabling legislation that meets this requirement. Therefore, agencies are encouraged to conduct criminal records screenings to the extent possible on anyone having access to CJI.

Who can be the LASO?
The agency may designate any member to perform LASO duties. It should be someone familiar with the processes associated with the agency’s use of CJI.

Who needs security awareness training?
Anyone who has “access” to CJI, including IT support personnel who work on the machines that process or store the information.

How do we get security awareness training?
FDLE provides security awareness training through an application called CJIS Online. It is a free application that is accessed via the Internet and it meets all of the requirements of the CSP. You will be notified how to access it after FDLE receives information on the person assigned as your LASO.

How does my agency get set up in CJIS Online?
FDLE will work with NCJAs to set up access within CJIS Online. If you have further questions, contact FDLE (phone/email TBD); they will walk you through the process.