Security and Management Control Outsourcing Standards

Download PDF
Federal RegisterDec 16, 2004
69 Fed. Reg. 75350 (Dec. 16, 2004)

AGENCY:

National Crime Prevention and Privacy Compact Council.

ACTION:

Notice.

SUMMARY:

Pursuant to the publication requirement in title 42, United States Code, 14616, Article VI(e), the Compact Council, established by the National Crime Prevention and Privacy Compact (Compact) Act of 1998, is providing public notice of the attached Security and Management Control Outsourcing Standards (Outsourcing Standards) established by the Compact Council.

DATES:

All comments must be received on or before February 14, 2005.

ADDRESSES:

Send all written comments concerning these Outsourcing Standards to the Compact Council Office, 1000 Custer Hollow Road, Module C3, Clarksburg, WV 26306; Attention: Todd C. Commodore. Comments may also be submitted by fax at (304) 625-5388 or via electronic mail at tcommodore@leo.gov. To ensure proper handling, please reference Noncriminal Justice Outsourcing Standards” on your correspondence.

FOR FURTHER INFORMATION CONTACT:

Todd C. Commodore, FBI CJIS Division, 1000 Custer Hollow Road, Module C3, Clarksburg, WV 26306; telephone (304) 625-2803; e-mail tcommodo@leo.gov; fax number (304) 625-5388.

SUPPLEMENTARY INFORMATION:

The National Crime Prevention and Privacy Compact (Compact), 42 U.S.C. 14616, establishes uniform standards and processes for the interstate and Federal-State exchange of criminal history records for noncriminal justice purposes. The Compact was approved by the Congress on October 9, 1998 (Pub. L. 105-251), and became effective on April 28, 1999, when ratified by the second state. Article VI of the Compact provides for a Compact Council that has the authority to promulgate rules and procedures governing the use of the Interstate Identification Index (III) System for noncriminal justice purposes. The III is the system of Federal and State criminal history records maintained by the Federal Bureau of Investigation (FBI).

The Compact Council has adopted an interim final rule, “Outsourcing of Noncriminal Justice Administrative Functions” (Outsourcing Rule), published elsewhere in today's edition of the Federal Register and to be codified at 28 CFR part 906, to permit the outsourcing of noncriminal justice administrative functions involving access to criminal history record information (CHRI) from the III System. This interim rule will permit a third party to perform noncriminal justice administrative functions relating to the processing of CHRI maintained in the III System, subject to appropriate controls, when acting as an agent for a governmental agency or other authorized recipient of CHRI. Among other things, the interim rule provides that contracts or agreements providing for the outsourcing authorized by the rule “shall incorporate by reference a security and management control outsourcing standard approved by the Compact Council after consultation with the United States Attorney General.” See 28 CFR 906.2(c). The attached Security and Management Control Outsourcing Standards (Outsourcing Standards), are the standards referenced in the Outsourcing Rule. The Outsourcing Standards were developed by the Compact Council in coordination with the FBI's Criminal Justice Information Services (CJIS) Division and relevant subcommittees of the CJIS Advisory Policy Board (APB). The APB is an advisory committee with representatives of State, local, and Federal contributors and users of the FBI's National Crime Information Center information systems, including the III.

The Compact Council developed two Outsourcing Standards—one for Contractors having access to CHRI on behalf of an authorized recipient for noncriminal justice purposes and one for Contractors serving as channelers of noncriminal justice criminal history record check requests and results. The first Outsourcing Standard (“Security and Management Control Outsourcing Standard for Contractors Having Access to CHRI on Behalf of an Authorized Recipient for Noncriminal Justice Purposes”) will be used by Contractors authorized to perform noncriminal justice administrative functions requiring access to CHRI without a direct connection to the FBI's CJIS Wide Area Network (WAN). The second Outsourcing Standard (“Security and Management Control Outsourcing Standard for Channelers Only”) will be used by Contractors authorized access to CHRI through a direct connection to the FBI's CJIS WAN. The two Outsourcing Standards are printed below. Hereafter, prior to utilizing the Outsourcing Standards, interested parties should request the most current version by contacting the Compact Council Office, 1000 Custer Hollow Road, Module C3, Clarksburg, WV 26306, Attention: FBI Compact Officer.

The Outsourcing Standards were discussed at public Compact Council meetings held in May and November of 2004 and the Outsourcing Standards were adopted by the Compact Council at its November 2004 meeting. The meetings were attended by many interested stakeholders, but in order to facilitate more broad-based public comment, written comments on the Outsourcing Standards are invited.

Dated: November 29, 2004.

Donna M. Uzzell,

Compact Council Chairman.

Attachment: Security and Management Control Outsourcing Standard for Contractors Having Access to Criminal History Record Information on Behalf of an Authorized Recipient for Noncriminal Justice Purposes

The goal of this document is to provide adequate security and integrity for criminal history record information (CHRI) while under the control or management of an outsourced third party, the Contractor. Adequate security is defined in Office of Management and Budget Circular A-130 as “security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.”

The intent of this Security and Management Control Outsourcing Standard (Outsourcing Standard) is to require that the Contractor maintain a security program consistent with Federal and State laws, regulations, and standards (including the FBI Criminal Justice Information Services (CJIS) Security Policy) as well as with rules, procedures, and standards established by the Compact Council and the United States Attorney General.

This Outsourcing Standard identifies the duties and responsibilities with respect to adequate internal controls within the contractual relationship so that the security and integrity of the Interstate Identification Index (III) System and CHRI are not compromised. The standard security program shall include consideration of site security, dissemination restrictions, personnel security, system security, and data security.

The provisions of this Outsourcing Standard are established by the Compact Council pursuant to 28 CFR part 906 and are subject to the scope of that rule. They apply to all personnel, systems, networks, and facilities supporting and/or acting on behalf of the Authorized Recipient of CHRI.

1.0 Definitions

1.01 Access to CHRI means to use, exchange, retain/store, or view CHRI obtained from the III System but excludes direct access to the III System by computer terminal or other automated means by Contractors other than those that may be contracted by the FBI or state criminal history record repositories or as provided by title 42, United States Code, section 14614(b).

1.02 Authorized Recipient means (1) a nongovernmental entity authorized by Federal statute or Federal executive order to receive CHRI for noncriminal justice purposes, or (2) a government agency authorized by Federal statute, Federal executive order, or State statute which has been approved by the United States Attorney General to receive CHRI for noncriminal justice purposes.

1.03 Chief Administrator, as referred to in Article I(2)(B) of the Compact, means the primary administrator of a Nonparty State's criminal history record repository or a designee of such administrator who is a regular full-time employee of the repository.

1.04 CHRI, as referred to in Article I(4) of the Compact, means information collected by criminal justice agencies on individuals consisting of identifiable descriptions and notations of arrests, detentions, indictments, or other formal criminal charges, and any disposition arising therefrom, including acquittal, sentencing, correctional supervision, or release; but does not include identification information such as fingerprint records if such information does not indicate involvement of the individual with the criminal justice system.

1.05 Criminal History Record Check, for purposes of this Outsourcing Standard only, means an authorized noncriminal justice fingerprint-based search of a state criminal history record repository and/or the FBI system.

1.06 Compact Officer, as provided in Article I(2) of the Compact, means (A) with respect to the Federal Government, an official [FBI Compact Officer] so designated by the Director of the FBI [to administer and enforce the compact among Federal agencies], or (B) with respect to a Party State, the chief administrator of the State's criminal history record repository or a designee of the chief administrator who is a regular full-time employee of the repository.

1.07 Contractor means a government agency, a private business, non-profit organization or individual, that is not itself an Authorized Recipient with respect to the particular noncriminal justice purpose, who has entered into a contract with an Authorized Recipient to perform noncriminal justice administrative functions requiring access to CHRI.

1.08 Dissemination means the disclosure of III CHRI by an Authorized Recipient to an authorized Contractor, or by the Contractor to another Authorized Recipient consistent with the Contractor's responsibilities and with limitations imposed by Federal and State laws, regulations, and standards as well as rules, procedures, and standards established by the Compact Council and the United States Attorney General.

1.09 Noncriminal Justice Administrative Functions means the routine noncriminal justice administrative functions relating to the processing of CHRI, to include but not limited to the following:

1. Making fitness determinations/recommendations.

2. Obtaining missing dispositions.

3. Disseminating CHRI as authorized by Federal statute, Federal Executive Order, or State statute approved by the United States Attorney General.

4. Other authorized activities relating to the general handling, use, and storage of CHRI.

1.10 Noncriminal Justice Purposes, as provided in Article I(18) of the Compact, means uses of criminal history records for purposes authorized by Federal or State law other than purposes relating to criminal justice activities, including employment suitability, licensing determinations, immigration and naturalization matters, and national security clearances.

1.11 Outsourcing Standard means a document approved by the Compact Council after consultation with the United States Attorney General which is to be incorporated by reference into a contract between an Authorized Recipient and a Contractor. The Outsourcing Standard authorizes access to CHRI, limits the use of the information to the purposes for which it is provided, prohibits retention and/or dissemination except as specifically authorized, ensures the security and confidentiality of the information, provides for audits and sanctions, provides conditions for termination of the contract, and contains such other provisions as the Compact Council may require.

1.12 Physically Secure Location means a location where access to CHRI can be obtained, and adequate protection is provided to prevent any unauthorized access to CHRI.

1.13 Positive Identification, as provided in Article I(20) of the Compact, means a determination, based upon a comparison of fingerprints or other equally reliable biometric identification techniques, that the subject of a record search is the same person as the subject of a criminal history record or records indexed in the III System. Identifications based solely upon a comparison of subjects' names or other nonunique identification characteristics or numbers, or combinations thereof, shall not constitute positive identification.

The Compact Council currently defines positive identification for noncriminal justice purposes as identification based upon a qualifying ten-rolled or qualifying ten-flat fingerprint submission. Further information concerning qualifying fingerprint submissions may be obtained from the FBI Compact Council office.

1.14 Public Carrier Network means a telecommunications infrastructure consisting of network components that are not owned, operated, and managed solely by the agency using that network, i.e., any telecommunications infrastructure which supports public users other than those of the agency using that network. Examples of a public carrier network include but are not limited to the following: dial-up and Internet connections, network connections to Verizon, network connections to AT&T, ATM Frame Relay clouds, wireless networks, wireless links, and cellular telephones. A public carrier network provides network services to the public; not just to the single agency using that network.

1.15 Security Violation means the failure to prevent or failure to institute safeguards to prevent access, use, retention, or dissemination of CHRI in violation of: (A) federal or state law, regulation, or Executive Order; or (B) a rule, procedure, or standard established by the Compact Council and the United States Attorney General.

2.0 Responsibilities of the Authorized Recipient

2.01 Prior to engaging in outsourcing any noncriminal justice functions, the Authorized Recipient shall request and receive written permission from (A) the State Compact Officer/Chief Administrator or (B) the FBI Compact Officer. The Authorized Recipient shall provide the Compact Officer/Chief Administrator copies of the specific authority for the outsourced work, criminal history record check requirements, and/or a copy of the contract as requested. The Authorized Recipient shall inquire whether a prospective Contractor has any security violations (See Section 8.04) and report those findings to the Compact Officer/Chief Administrator prior to outsourcing noncriminal justice administrative functions.

The Compact Officer/Chief Administrator may not grant such permission unless he/she has implemented a combined state/federal audit program to triennially audit each Contractor and Authorized Recipient engaging in outsourcing with the first of such audits to be conducted within one year of the signing of the contract.

State or local Authorized Recipients based on State or Federal Statutes shall contact the State Compact Officer/Chief Administrator. Federal or Regulatory Agency Authorized Recipients shall contact the FBI Compact Officer.

2.02 The Authorized Recipient shall execute a contract prior to providing a Contractor access to CHRI. The contract shall, at a minimum, incorporate by reference and have appended thereto this Outsourcing Standard.

2.03 The Authorized Recipient shall, in those instances when the Contractor is to perform duties requiring access to CHRI, specify the terms and conditions of such access; limit the use of such information to the purposes for which it is provided; limit retention of the information to a period of time not to exceed that period of time the Authorized Recipient is permitted to retain such information; prohibit dissemination of the information except as specifically authorized by federal and state laws, regulations, and standards as well as with rules, procedures, and standards established by the Compact Council and the United States Attorney General; ensure the security and confidentiality of the information to include confirmation that the intended recipient is authorized to receive CHRI; provide for audits and sanctions; provide conditions for termination of the contract; maintain up-to-date records of Contractor personnel who have access to CHRI; and ensure that Contractor personnel comply with this Outsourcing Standard.

a. The Authorized Recipient shall conduct criminal history record checks of Contractor personnel having access to CHRI if such checks are required of the Authorized Recipient's personnel having similar access.

If a national criminal history record check of government personnel having access to CHRI is mandated by a state statute approved by the Attorney General under Public Law 92-544, the State Compact Officer/Chief Administrator must ensure Contractor personnel having similar access are either covered by the existing law or that the existing law is amended to include such Contractor personnel prior to authorizing outsourcing initiatives.

b. The Authorized Recipient shall ensure that the Contractor maintains site security.

c. The Authorized Recipient shall ensure that the most current version of both the Outsourcing Standard and the CJIS Security Policy are incorporated by reference at the time of contract and/or Option renewal.

2.04 The Authorized Recipient is responsible for the actions of the Contractor and shall monitor the Contractor's compliance to the terms and conditions of the Outsourcing Standard. The Authorized Recipient shall certify to the Compact Officer/Chief Administrator that a compliance review was conducted with the Contractor within 90 days of execution of the contract.

2.05 The Authorized Recipient shall provide written notice of any early voluntary termination of the contract to the Compact Officer/Chief Administrator or the FBI Compact Officer.

3.0 Responsibilities of the Contractor

3.01 The Contractor and its employees shall comply with all Federal and State laws, regulations, and standards (including the CJIS Security Policy) as well as with rules, procedures, and standards established by the Compact Council and the United States Attorney General.

3.02 The Contractor shall develop and document a security program to comply with the current Outsourcing Standard and any revised or successor Outsourcing Standard. The Security Program shall describe the implementation of the security requirements described in this Outsourcing Standard, the associated Security Training Program, and the reporting guidelines for documenting and communicating security violations and corrective actions to the Authorized Recipient. The Security Program shall be subject to the approval of the Authorized Recipient.

3.03 The Contractor shall be accountable for the management of the Security Program. The Contractor shall be responsible for reporting all security violations of this Outsourcing Standard to the Authorized Recipient.

3.04 Except when the training requirement is retained by the Authorized Recipient, the Contractor shall develop a Security Training Program for all Contractor personnel with access to CHRI prior to their appointment/assignment. Immediate training shall be provided upon receipt of notice on any changes to Federal and State laws, regulations, and standards as well as with rules, procedures, and standards established by the Compact Council and the United States Attorney General. Annual refresher training shall also be provided. The Contractor shall certify to the Authorized Recipient that the annual refresher training was completed for those Contractor personnel with access to CHRI. The Security Training Program shall be subject to the approval of the Authorized Recipient.

3.05 The Contractor shall make its facilities available for announced and unannounced security inspections performed by the Authorized Recipient, the State, or the FBI on behalf of the Compact Council. Such facilities are also subject to triennial audits by the State and the FBI on behalf of the Compact Council. An audit may also be conducted on a more frequent basis.

3.06 The Contractor's Security Program is subject to review by the Authorized Recipient, the Compact Officer/Chief Administrator, and the FBI CJIS Division. During this review, provision will be made to update the Security Program to address security violations and to ensure changes in policies and standards as well as changes in Federal and State law are incorporated.

3.07 The Contractor shall maintain CHRI only for the period of time necessary to fulfill their contractual obligations but not to exceed the period of time that the Authorized Recipient is authorized to maintain and does maintain the CHRI.

3.08 The Contractor shall maintain a log of any dissemination of CHRI.

4.0 Site Security

4.01 The Authorized Recipient shall ensure that the Contractor site is a physically secure location at all times to protect against any unauthorized access to CHRI.

5.0 Dissemination

5.01 The Contractor shall not disseminate CHRI without the consent of the Authorized Recipient, and as specifically authorized by Federal and State laws, regulations, and standards as well as with rules, procedures, and standards established by the Compact Council and the United States Attorney General.

5.02 An up-to-date log concerning dissemination of CHRI shall be maintained by the Contractor for a minimum one year retention period. This log must clearly identify: (A) the Authorized Recipient and the secondary recipient with unique identifiers, (B) the record disseminated, (C) the date of dissemination, (D) the statutory authority for dissemination, and (E) the means of dissemination.

6.0 Personnel Security

6.01 If a local, State, or Federal written standard requires a criminal history record check of the Authorized Recipient's personnel with access to CHRI, then a criminal history record check shall be required of the Contractor's employees having access to CHRI. The criminal history record check of Contractor employees at a minimum will be no less stringent than the criminal history record check that is performed on the Authorized Recipient's personnel performing similar functions. Criminal history record checks must be completed prior to performing work under the contract.

6.02 If a local, State, or Federal written standard requires a criminal history record check for support personnel, contractors, and custodial workers who work in a physically secure location, then a criminal history record check shall be required for these individuals, unless these individuals are escorted by authorized personnel at all times. The criminal history record check for these individuals at a minimum will be no less stringent than the criminal history record check that is performed on the Authorized Recipient's support personnel, contractors, and custodial workers performing similar functions. Criminal history record checks must be completed prior to performing work under the contract.

6.03 The Contractor shall ensure that each employee performing work under the contract is aware of the requirements of the Outsourcing Standard and the State and Federal laws governing the security and integrity of CHRI. The Contractor shall confirm that each employee understands the Outsourcing Standard requirements and laws that apply to his/her responsibilities.

6.04 If a criminal history record check is required, the Contractor shall maintain a list of personnel who successfully completed the criminal history record check.

7.0 System Security

7.01 The Contractor's security system shall comply with the CJIS Security Policy in effect at the time the Outsourcing Standard is incorporated into the contract and with successor versions of the CJIS Security Policy as they are made known to the Contractor by the Authorized Recipient.

a. If CHRI can be accessed by unauthorized personnel via Wide Area Network/Local Area Network or the Internet, then the Contractor shall protect the CHRI with firewall-type devices to prevent such unauthorized access. These devices shall implement a minimum firewall profile as specified by the CJIS Security Policy in order to provide a point of defense and a controlled and audited access to CHRI, both from inside and outside the networks.

b. Data encryption shall be required throughout the network, passing CHRI through a shared public carrier network.

7.02 The Contractor shall provide for the secure storage and disposal of all hard copy and media associated with the system to prevent access by unauthorized personnel.

a. CHRI shall be stored in a physically secure location.

b. The Authorized Recipient shall ensure that a procedure is in place for sanitizing all fixed storage media (e.g., disks, drives, backup storage) at the completion of the contract and/or before it is returned for maintenance, disposal, or reuse. Sanitization procedures include overwriting the media and/or degaussing the media.

7.03 To prevent and/or detect unauthorized access to CHRI in transmission or storage, each Authorized Recipient must be identified by an Originating Agency Identifier (ORI) or state assigned identifier, and each Contractor or sub-Contractor must be uniquely identified.

8.0 Security Violations

8.01 Duties of the Authorized Recipient and Contractor. a. The Contractor shall develop and maintain a written policy for discipline of Contractor employees who violate the security provisions of the contract, which includes this Outsourcing Standard that is incorporated by reference.

b. Pending investigation, the Contractor shall immediately suspend any employee who commits a security violation from assignments in which he/she has access to CHRI under the contract.

c. The Contractor shall immediately notify the Authorized Recipient of any security violation or termination of the contract, to include unauthorized access to CHRI made available pursuant to the contract. Within five calendar days of such notification, the Contractor shall provide the Authorized Recipient a written report documenting such security violation, any corrective actions taken by the Contractor to resolve such violation, and the date, time, and summary of the prior notification.

d. The Authorized Recipient shall immediately notify the State Compact Officer/Chief Administrator and the FBI Compact Officer of any security violation or termination of the contract, to include unauthorized access to CHRI made available pursuant to the contract. The Authorized Recipient shall provide a written report of any security violation (to include unauthorized access to CHRI by the Contractor) to the State Compact Officer/Chief Administrator, if applicable, and the FBI Compact Officer, within five calendar days of receipt of the written report from the Contractor. The written report must include any corrective actions taken by the Contractor and the Authorized Recipient to resolve such security violation.

8.02 Termination of the contract by the Authorized Recipient for security violations.

a. The contract is subject to termination by the Authorized Recipient for security violations involving CHRI obtained pursuant to the contract.

b. The contract is subject to termination by the Authorized Recipient for the Contractor's failure to notify the Authorized Recipient of any security violation or to provide a written report concerning such violation.

c. If the Contractor refuses to or is incapable of taking corrective actions to successfully resolve a security violation, the Authorized Recipient shall terminate the contract.

8.03 Suspension or termination of the exchange of CHRI for security violations. a. Notwithstanding the actions taken by the State Compact Officer, if the Authorized Recipient fails to provide a written report notifying the State Compact Officer/Chief Administrator or the FBI Compact Officer of a security violation, or refuses to or is incapable of taking corrective action to successfully resolve a security violation, the Compact Council or the United States Attorney General may suspend or terminate the exchange of CHRI with the Authorized Recipient pursuant to 28 CFR 906.2(d).

b. If the exchange of CHRI is suspended, it may be reinstated after satisfactory written assurances have been provided to the Compact Council Chairman or the United States Attorney General by the Compact Officer/Chief Administrator, the Authorized Recipient and the Contractor that the security violation has been resolved. If the exchange of CHRI is terminated, the Contractor's records (including media) containing CHRI shall be immediately deleted or returned as specified by the Authorized Recipient.

8.04 The Authorized Recipient shall provide written notice (through the State Compact Officer/Chief Administrator if applicable) to the FBI Compact Officer of the following:

a. The termination of a contract for security violations.

b. Security violations involving the unauthorized access to CHRI.

c. The Contractor's name and unique identification number, the nature of the security violation, whether the violation was intentional, and the number of times the violation occurred.

8.05 The Compact Officer/Chief Administrator, Compact Council and the United States Attorney General reserve the right to investigate or decline to investigate any report of unauthorized access to CHRI.

8.06 The Compact Officer/Chief Administrator, Compact Council, and the United States Attorney General reserve the right to audit the Authorized Recipient and the Contractor's operations and procedures at scheduled or unscheduled times. The Compact Council, the United States Attorney General, and the state are authorized to perform a final audit of the Contractor's systems after termination of the contract.

9.0 Miscellaneous Provisions

9.01 This Outsourcing Standard does not confer, grant, or authorize any rights, privileges, or obligations to any persons other than the Contractor, the Authorized Recipient, Compact Officer/Chief Administrator (where applicable), and the FBI.

9.02 The following document is incorporated by reference and made part of this Outsourcing Standard: (1) The CJIS Security Policy.

9.03 The terms set forth in this document do not constitute the sole understanding by and between the parties hereto; rather they provide a minimum basis for the security of the system and the CHRI accessed therefrom and it is understood that there may be terms and conditions of the appended contract which impose more stringent requirements upon the Contractor.

Such conditions could include additional audits, fees, or security requirements.

9.04 The minimum security measures as outlined in this Outsourcing Standard may only be modified by the Compact Council. Conformance to such security measures may not be less stringent than stated in this Outsourcing Standard without the consent of the Compact Council in consultation with the United States Attorney General.

9.05 This Outsourcing Standard may only be modified by the Compact Council and may not be modified by the parties to the appended contract without the consent of the Compact Council.

9.06 Appropriate notices, assurances, and correspondence to the FBI Compact Officer, Compact Council, and the United States Attorney General required by Section 8.0 of this Outsourcing Standard shall be forwarded by First Class Mail to: FBI Compact Officer, 1000 Custer Hollow Road, Module C3, Clarksburg, WV 26306.

Security and Management Control Outsourcing Standard for Channelers Only

The goal of this document is to provide adequate security and integrity for criminal history record information (CHRI) while under the control or management of an outsourced third party, the Contractor. Adequate security is defined in Office of Management and Budget Circular A-130 as “security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.”

The intent of this Security and Management Control Outsourcing Standard (Outsourcing Standard) is to require that the Contractor maintain a security program consistent with federal and state laws, regulations, and standards (including the FBI Criminal Justice Information Services (CJIS) Security Policy) as well as with rules, procedures, and standards established by the Compact Council and the United States Attorney General.

This Outsourcing Standard identifies the duties and responsibilities with respect to adequate internal controls within the contractual relationship so that the security and integrity of the Interstate Identification Index (III) System and CHRI are not compromised. The standard security program shall include consideration of site security, dissemination restrictions, personnel security, system security, and data security.

The provisions of this Outsourcing Standard are established by the Compact Council pursuant to 28 CFR part 906 and are subject to the scope of that rule. They apply to all personnel, systems, networks, and facilities supporting and/or acting on behalf of the Authorized Recipient of CHRI.

1.0 Definitions

1.01 Access to CHRI means to use, exchange, retain/store, or view CHRI obtained from the III System but excludes direct access to the III System by computer terminal or other automated means by Contractors other than those that may be contracted by the FBI or State criminal history record repositories or as provided by title 42, United States Code, section 14614(b).

1.02 Authorized Recipient means (1) a nongovernmental entity authorized by Federal statute or Federal executive order to receive CHRI for noncriminal justice purposes, or (2) a government agency authorized by Federal statute, Federal executive order, or State statute which has been approved by the United States Attorney General to receive CHRI for noncriminal justice purposes.

1.03 Authorized Recipient's Information Security Officer means the individual who shall ensure technical compliance with all applicable elements of this Outsourcing Standard.

1.04 Chief Administrator, as referred to in Article I(2)(B) of the Compact, means the primary administrator of a Nonparty State's criminal history record repository or a designee of such administrator who is a regular full-time employee of the repository.

1.05 CHRI, as referred in Article I(4) of the Compact, means information collected by criminal justice agencies on individuals consisting of identifiable descriptions and notations of arrests, detentions, indictments, or other formal criminal charges, and any disposition arising therefrom, including acquittal, sentencing, correctional supervision, or release; but does not include identification information such as fingerprint records if such information does not indicate involvement of the individual with the criminal justice system.

1.06 Criminal History Record Check, for purposes of this Outsourcing Standard only, means an authorized noncriminal justice fingerprint-based search of a State criminal history record repository and/or the FBI system.

1.07 CJIS Systems Agency, as provided in Section 1.4 of the FBI Criminal Justice Information Services (CJIS) Division's Advisory Policy Board Bylaws, means a criminal justice agency which has overall responsibility for the administration and usage of CJIS Division Programs within a State, district, territory, or foreign country. This includes any Federal agency that meets the definition and provides services to other Federal agencies and/or whose users reside in multiple states or territories.

1.08 CJIS Systems Officer, as provided in Section 1.5 of the CJIS Advisory Policy Board Bylaws, means the individual employed by the CJIS Systems Agency who is responsible for monitoring system use, enforcing system discipline and security, and assuring that CJIS operating procedures are followed by all users as well as other related duties outlined by the user agreements with the FBI's CJIS Division. (This title was formerly referred to as the Control Terminal Officer or the Federal Service Coordinator).

1.09 Compact Officer, as provided in Article I(2) of the Compact, means (A) with respect to the Federal Government, an official [FBI Compact Officer] so designated by the Director of the FBI [to administer and enforce the compact among Federal agencies], or (B) with respect to a Party State, the chief administrator of the State's criminal history record repository or a designee of the chief administrator who is a regular full-time employee of the repository.

1.10 Contractor means a government agency, a private business, non-profit organization or individual, that is not itself an Authorized Recipient with respect to the particular noncriminal justice purpose, who has entered into a contract with an Authorized Recipient to perform noncriminal justice administrative functions requiring access to CHRI. Under this Outsourcing Standard applicable to channelers, a Contractor includes one who has direct connectivity to the CJIS Wide Area Network (WAN) for the purpose of electronic submission of fingerprints to and the receipt of CHRI from the FBI on behalf of an Authorized Recipient.

1.11 Contractor's Security Officer means the individual accountable for the management of the Contractor's security program.

1.12 Dissemination means the disclosure of III CHRI by an Authorized Recipient to an authorized Contractor, or by the Contractor to another Authorized Recipient consistent with the Contractor's responsibilities and with limitations imposed by Federal and State laws, regulations, and standards as well as rules, procedures, and standards established by the Compact Council and the United States Attorney General.

1.13 Noncriminal Justice Administrative Functions means the routine noncriminal justice administrative functions relating to the processing of CHRI, to include but not limited to the following:

1. Making fitness determinations/recommendations.

2. Obtaining missing dispositions.

3. Disseminating CHRI as authorized by Federal statute, Federal Executive Order, or State statute approved by the United States Attorney General.

4. Other authorized activities relating to the general handling, use, and storage of CHRI.

1.14 Noncriminal Justice Purposes, as provided in Article I(18) of the Compact, means uses of criminal history records for purposes authorized by Federal or State law other than purposes relating to criminal justice activities, including employment suitability, licensing determinations, immigration and naturalization matters, and national security clearances.

1.15 Outsourcing Standard means a document approved by the Compact Council after consultation with the United States Attorney General which is to be incorporated by reference into a contract between an Authorized Recipient and a Contractor. The Outsourcing Standard authorizes access to CHRI, limits the use of the information to the purposes for which it is provided, prohibits retention and/or dissemination except as specifically authorized, ensures the security and confidentiality of the information, provides for audits and sanctions, provides conditions for termination of the contract, and contains such other provisions as the Compact Council may require.

1.16 Physically Secure Location means a location where access to CHRI can be obtained, and adequate protection is provided to prevent any unauthorized access to CHRI.

1.17 Positive Identification, as provided in Article I(20) of the Compact, means a determination, based upon a comparison of fingerprints or other equally reliable biometric identification techniques, that the subject of a record search is the same person as the subject of a criminal history record or records indexed in the III System. Identifications based solely upon a comparison of subjects' names or other nonunique identification characteristics or numbers, or combinations thereof, shall not constitute positive identification.

The Compact Council currently defines positive identification for noncriminal justice purposes as identification based upon a qualifying ten-rolled or qualifying ten-flat fingerprint submission. Further information concerning qualifying fingerprint submissions may be obtained from the FBI Compact Council office.

1.18 Public Carrier Network means a telecommunications infrastructure consisting of network components that are not owned, operated, and managed solely by the agency using that network, i.e., any telecommunications infrastructure which supports public users other than those of the agency using that network. Examples of a public carrier network include but are not limited to the following: dial-up and Internet connections, network connections to Verizon, network connections to AT&T, ATM Frame Relay clouds, wireless networks, wireless links, and cellular telephones. A public carrier network provides network services to the public; not just to the single agency using that network.

1.19 Security Violation means the failure to prevent or failure to institute safeguards to prevent access, use, retention, or dissemination of CHRI in violation of: (A) Federal or State law, regulation, or Executive Order; or (B) a rule, procedure, or standard established by the Compact Council and the United States Attorney General.

2.0 Responsibilities of the Authorized Recipient

2.01 Prior to engaging in outsourcing any noncriminal justice functions, the Authorized Recipient shall request and receive written permission from (A) the State Compact Officer/Chief Administrator or (B) the FBI Compact Officer. The Authorized Recipient shall provide the Compact Officer/Chief Administrator copies of the specific authority for the outsourced work, criminal history record check requirements, and/or a copy of the contract as requested. The Authorized Recipient shall inquire whether a prospective Contractor has any security violations (see Section 8.04) and report those findings to the Compact Officer/Chief Administrator prior to outsourcing noncriminal justice administrative functions.

The Compact Officer/Chief Administrator may not grant such permission unless he/she has implemented a combined state/federal audit program to triennially audit each Contractor and Authorized Recipient engaging in outsourcing with the first of such audits to be conducted within one year of the signing of the contract.

State or local Authorized Recipients based on State or Federal Statutes shall contact the State Compact Officer/Chief Administrator. Federal or Regulatory Agency Authorized Recipients shall contact the FBI Compact Officer.

2.02 The Authorized Recipient shall execute a contract prior to providing a Contractor access to CHRI. The contract shall, at a minimum, incorporate by reference and have appended thereto this Outsourcing Standard.

2.03 The Authorized Recipient shall, in those instances when the Contractor is to perform duties requiring access to CHRI, specify the terms and conditions of such access; limit the use of such information to the purposes for which it is provided; limit retention of the information to a period of time not to exceed that period of time the Authorized Recipient is permitted to retain such information; prohibit dissemination of the information except as specifically authorized by Federal and State laws, regulations, and standards as well as with rules, procedures, and standards established by the Compact Council and the United States Attorney General; ensure the security and confidentiality of the information to include confirmation that the intended recipient is authorized to receive CHRI; provide for audits and sanctions; provide conditions for termination of the contract; maintain up-to-date records of Contractor personnel who have access to CHRI; and ensure that Contractor personnel comply with this Outsourcing Standard.

a. The Authorized Recipient shall conduct criminal history record checks of Contractor personnel having access to CHRI if such checks are required of the Authorized Recipient's personnel having similar access.

If a national criminal history record check of government personnel having access to CHRI is mandated by a state statute approved by the Attorney General under Public Law 92-544, the State Compact Officer/Chief Administrator must ensure Contractor personnel having similar access are either covered by the existing law or that the existing law is amended to include such Contractor personnel prior to authorizing outsourcing initiatives.

b. The Authorized Recipient shall ensure that the Contractor maintains site security.

c. The Authorized Recipient shall ensure that the most current version of both the Outsourcing Standard and the CJIS Security Policy are incorporated by reference at the time of contract and/or Option renewal.

d. The Authorized Recipient shall ensure that the Contractor establishes and administers an Information Technology (IT) Security Program.

e. The Authorized Recipient shall allow the FBI to periodically test the ability to penetrate the FBI's network through the external network connection or system.

2.04 The Authorized Recipient shall understand the communications and record capabilities of the Contractor which has access to federal or state records through, or because of, its outsourcing relationship with the Authorized Recipient. The Authorized Recipient shall maintain an updated topological drawing which depicts the interconnectivity of the Contractor's network configuration.

2.05 The Authorized Recipient is responsible for the actions of the Contractor and shall monitor the Contractor's compliance to the terms and conditions of the Outsourcing Standard. The Authorized Recipient shall certify to the Compact Officer/Chief Administrator that a compliance review was conducted with the Contractor within 90 days of execution of the contract.

2.06 The Authorized Recipient shall provide written notice of any early voluntary termination of the contract to the Compact Officer/Chief Administrator or the FBI Compact Officer.

2.07 The Authorized Recipient shall appoint an Information Security Officer. The Authorized Recipient's Information Security Officer shall:

a. Serve as the security POC for the FBI CJIS Division Information Security Officer;

b. Document technical compliance with this Outsourcing Standard; and

c. Establish a security incident response and reporting procedure to discover, investigate, document, and report on major incidents that significantly endanger the security or integrity of the noncriminal justice agency systems to the CJIS Systems Officer and the FBI CJIS Division Information Security Officer.

3.0 Responsibilities of the Contractor

3.01 The Contractor and its employees shall comply with all federal and state laws, regulations, and standards (including the CJIS Security Policy) as well as with rules, procedures, and standards established by the Compact Council and the United States Attorney General.

3.02 The Contractor shall develop and maintain an IT security program. The Contractor is therefore responsible to set, maintain, and enforce the following:

a. Standards for the selection, supervision, and separation of personnel who have access to CHRI.

b. Policy governing the operation of computers, access devices, circuits, hubs, routers, firewalls, and other components that comprise and support a telecommunications network and related CJIS systems used to process, store, or transmit CHRI.

3.03 The Contractor shall develop and document a security program to comply with the current Outsourcing Standard and any revised or successor Outsourcing Standard. The Security Program shall describe the implementation of the security requirements described in this Outsourcing Standard, the associated Security Training Program, and the reporting guidelines for documenting and communicating security violations and corrective actions to the Authorized Recipient. The Security Program shall be subject to the approval of the Authorized Recipient.

3.04 The Contractor shall be accountable for the management of the Security Program. The Contractor shall be responsible for reporting all security violations of this Outsourcing Standard to the Authorized Recipient.

3.05 Except when the training requirement is retained by the Authorized Recipient, the Contractor shall develop a Security Training Program for all Contractor personnel with access to CHRI prior to their appointment/assignment. Immediate training shall be provided upon receipt of notice on any changes to Federal and State laws, regulations, and standards as well as with rules, procedures, and standards established by the Compact Council and the United States Attorney General. Annual refresher training shall also be provided. The Contractor shall certify to the Authorized Recipient that the annual refresher training was completed for those Contractor personnel with access to CHRI. The Security Training Program shall be subject to the approval of the Authorized Recipient.

3.06 The Contractor shall make its facilities available for announced and unannounced security inspections performed by the Authorized Recipient, the State, or the FBI on behalf of the Compact Council. Such facilities are also subject to triennial audits by the state and the FBI on behalf of the Compact Council. An audit may also be conducted on a more frequent basis.

3.07 The Contractor's Security Program is subject to review by the Authorized Recipient, the Compact Officer/Chief Administrator, and the FBI CJIS Division. During this review, provision will be made to update the Security Program to address security violations and to ensure changes in policies and standards as well as changes in Federal and State law are incorporated.

3.08 The Contractor shall maintain CHRI only for the period of time necessary to fulfill their contractual obligations but not to exceed the period of time that the Authorized Recipient is authorized to maintain and does maintain the CHRI.

3.09 The Contractor shall maintain a log of any dissemination of CHRI.

4.0 Site Security

4.01 The Authorized Recipient shall ensure that the Contractor site is a physically secure location at all times to protect against any unauthorized access to CHRI.

4.02 All visitors to computer centers and/or terminal areas shall be escorted by authorized personnel at all times.

5.0 Dissemination

5.01 Only employees of the Contractor, employees of the Authorized Recipient, and such other persons as may be granted authorization by the Authorized Recipient shall be permitted access to the system.

5.02 The Contractor shall maintain appropriate and reasonable quality assurance procedures.

5.03 Access to the system shall be available only for official purposes consistent with the appended contract. Any dissemination of CHRI data to authorized employees of the Contractor is to be for official purposes only.

5.04 Information contained in or about the system will not be provided to agencies other than the Authorized Recipient or another entity which is specifically designated in the contract.

5.05 The Contractor shall not disseminate CHRI without the consent of the Authorized Recipient, and as specifically authorized by federal and state laws, regulations, and standards as well as with rules, procedures, and standards established by the Compact Council and the United States Attorney General.

5.06 An up-to-date log concerning dissemination of CHRI shall be maintained by the Contractor for a minimum one year retention period. This log must clearly identify: (A) The Authorized Recipient and the secondary recipient with unique identifiers, (B) the record disseminated, (C) the date of dissemination, (D) the statutory authority for dissemination, and (E) the means of dissemination.

5.07 The Contractor shall protect against any unauthorized persons gaining access to the equipment, any of the data, or the operational documentation for the system. In no event shall copies of messages or CHRI be disseminated other than as contracted and governed by this Outsourcing Standard.

5.08 All access attempts are subject to recording and routine review for detection of inappropriate or illegal activity.

5.09 The Contractor's system shall be supported by a well-written contingency plan.

6.0 Personnel Security

6.01 If a local, State, or Federal written standard requires a criminal history record check of the Authorized Recipient's personnel with access to CHRI, then a criminal history record check shall be required of the Contractor's employees having access to CHRI. The criminal history record check of Contractor employees at a minimum will be no less stringent than the criminal history record check that is performed on the Authorized Recipient's personnel performing similar functions. Criminal history record checks must be completed prior to performing work under the contract.

6.02 If a local, State, or Federal written standard requires a criminal history record check for support personnel, contractors, and custodial workers who work in a physically secure location, then a criminal history record check shall be required for these individuals, unless these individuals are escorted by authorized personnel at all times. The criminal history record check for these individuals at a minimum will be no less stringent than the criminal history record check that is performed on the Authorized Recipient's support personnel, contractors, and custodial workers performing similar functions. Criminal history record checks must be completed prior to performing work under the contract.

6.03 The Contractor shall ensure that each employee performing work under the contract is aware of the requirements of the Outsourcing Standard and the State and Federal laws governing the security and integrity of CHRI. The Contractor shall confirm that each employee understands the Outsourcing Standard requirements and laws that apply to his/her responsibilities.

6.04 If a criminal history record check is required, the Contractor shall maintain a list of personnel who successfully completed the criminal history record check.

7.0 System Security

7.01 The Contractor's security system shall comply with the CJIS Security Policy in effect at the time the Outsourcing Standard is incorporated into the contract and with successor versions of the CJIS Security Policy as they are made known to the Contractor by the Authorized Recipient.

a. If CHRI can be accessed by unauthorized personnel via Wide Area Network/Local Area Network or the Internet, then the Contractor shall protect the CHRI with firewall-type devices to prevent such unauthorized access. These devices shall implement a minimum firewall profile as specified by the CJIS Security Policy in order to provide a point of defense and a controlled and audited access to CHRI, both from inside and outside the networks.

b. Data encryption shall be required throughout the network, passing CHRI through a shared public carrier network.

7.02 The Contractor shall provide for the secure storage and disposal of all hard copy and media associated with the system to prevent access by unauthorized personnel.

a. CHRI shall be stored in a physically secure location.

b. The Authorized Recipient shall ensure that a procedure is in place for sanitizing all fixed storage media (e.g., disks, drives, backup storage) at the completion of the contract and/or before it is returned for maintenance, disposal, or reuse. Sanitization procedures include overwriting the media and/or degaussing the media.

7.03 To prevent and/or detect unauthorized access to CHRI in transmission or storage, each Authorized Recipient must be identified by an Originating Agency Identifier (ORI) or state assigned identifier, and each Contractor or sub-Contractor must be uniquely identified.

8.0 Security Violations

8.01 Duties of the Authorized Recipient and Contractor. a. The Contractor shall develop and maintain a written policy for discipline of Contractor employees who violate the security provisions of the contract, which includes this Outsourcing Standard that is incorporated by reference.

b. Pending investigation, the Contractor shall immediately suspend any employee who commits a security violation from assignments in which he/she has access to CHRI under the contract.

c. The Contractor shall immediately notify the Authorized Recipient of any security violation or termination of the contract, to include unauthorized access to CHRI made available pursuant to the contract. Within five calendar days of such notification, the Contractor shall provide the Authorized Recipient a written report documenting such security violation, any corrective actions taken by the Contractor to resolve such violation, and the date, time, and summary of the prior notification.

d. The Authorized Recipient shall immediately notify the State Compact Officer/Chief Administrator and the FBI Compact Officer of any security violation or termination of the contract, to include unauthorized access to CHRI made available pursuant to the contract. The Authorized Recipient shall provide a written report of any security violation (to include unauthorized access to CHRI by the Contractor) to the State Compact Officer/Chief Administrator, if applicable, and the FBI Compact Officer, within five calendar days of receipt of the written report from the Contractor. The written report must include any corrective actions taken by the Contractor and the Authorized Recipient to resolve such security violation.

8.02 Termination of the contract by the Authorized Recipient for security violations.

a. The contract is subject to termination by the Authorized Recipient for security violations involving CHRI obtained pursuant to the contract.

b. The contract is subject to termination by the Authorized Recipient for the Contractor's failure to notify the Authorized Recipient of any security violation or to provide a written report concerning such violation.

c. If the Contractor refuses to or is incapable of taking corrective actions to successfully resolve a security violation, the Authorized Recipient shall terminate the contract.

8.03 Suspension or termination of the exchange of CHRI for security violations. a. Notwithstanding the actions taken by the State Compact Officer, if the Authorized Recipient fails to provide a written report notifying the State Compact Officer/Chief Administrator or the FBI Compact Officer of a security violation, or refuses to or is incapable of taking corrective action to successfully resolve a security violation, the Compact Council or the United States Attorney General may suspend or terminate the exchange of CHRI with the Authorized Recipient pursuant to 28 CFR 906.2(d).

b. If the exchange of CHRI is suspended, it may be reinstated after satisfactory written assurances have been provided to the Compact Council Chairman or the United States Attorney General by the Compact Officer/Chief Administrator, the Authorized Recipient and the Contractor that the security violation has been resolved. If the exchange of CHRI is terminated, the Contractor's records (including media) containing CHRI shall be immediately deleted or returned as specified by the Authorized Recipient.

8.04 The Authorized Recipient shall provide written notice (through the State Compact Officer/Chief Administrator if applicable) to the FBI Compact Officer of the following:

a. The termination of a contract for security violations.

b. Security violations involving the unauthorized access to CHRI.

c. The Contractor's name and unique identification number, the nature of the security violation, whether the violation was intentional, and the number of times the violation occurred.

8.05 The Compact Officer/Chief Administrator, Compact Council and the United States Attorney General reserve the right to investigate or decline to investigate any report of unauthorized access to CHRI.

8.06 The Compact Officer/Chief Administrator, Compact Council, and the United States Attorney General reserve the right to audit the Authorized Recipient and the Contractor's operations and procedures at scheduled or unscheduled times. The Compact Council, the United States Attorney General, and the state are authorized to perform a final audit of the Contractor's systems after termination of the contract.

9.0 Miscellaneous Provisions

9.01 This Outsourcing Standard does not confer, grant, or authorize any rights, privileges, or obligations to any persons other than the Contractor, the Authorized Recipient, Compact Officer/Chief Administrator (where applicable), CJIS Systems Agency, and the FBI.

9.02 The following document is incorporated by reference and made part of this Outsourcing Standard: (1) The CJIS Security Policy.

9.03 The terms set forth in this document do not constitute the sole understanding by and between the parties hereto; rather they provide a minimum basis for the security of the system and the CHRI accessed therefrom and it is understood that there may be terms and conditions of the appended contract which impose more stringent requirements upon the Contractor.

Such conditions could include additional audits, fees, or security requirements.

9.04 The minimum security measures as outlined in this Outsourcing Standard may only be modified by the Compact Council. Conformance to such security measures may not be less stringent than stated in this Outsourcing Standard without the consent of the Compact Council in consultation with the United States Attorney General.

9.05 This Outsourcing Standard may only be modified by the Compact Council and may not be modified by the parties to the appended contract without the consent of the Compact Council.

9.06 Appropriate notices, assurances, and correspondence to the FBI Compact Officer, Compact Council, and the United States Attorney General required by Section 8.0 of this Outsourcing Standard shall be forwarded by First Class Mail to: FBI Compact Officer, 1000 Custer Hollow Road, Module C 3, Clarksburg, WV 26306.

[FR Doc. 04-27489 Filed 12-15-04; 8:45 am]

BILLING CODE 4410-02-P