CJIS Vendor Management Program - Agency Instructions
WHY DOES THE PROGRAM EXIST?
The CJIS Security Policy written and maintained by the Federal Bureau of Investigation is the standard by which all criminal justice agencies nationwide must protect the sensitive data they possess and share with authorized entities. Section 5.12.1 of the policy states that private contractors and vendors with access to criminal justice information (CJI) must submit a set of fingerprints for state and national fingerprint-based record checks. Previously, these vendors were required to submit fingerprints for each employee with physical, logical, or situational access to CJIS data, for each agency with which they contract. This occasionally proved to be cumbersome for vendors and contracting agencies, and was sometimes cost-prohibitive as each set of fingerprints requires a processing fee of $39.50.
The CJIS Vendor Management Program consolidates the fingerprint background check process so that vendors only need to fingerprint their personnel once for enrollment in the Program. The Program cuts the fingerprint processing fees down to a one-time payment of $39.50 per participating employee. Criminal justice agencies, when contracting with a participating vendor, can query for a list of approved personnel who are fingerprinted, reviewed, and authorized for CJI access by CBI staff.
The CBI website provides a detailed overview of a vendor’s responsibility to enroll in the Program, including signing the Vendor Agreement, applying for a fingerprint account, designating a Vendor Services Contact at their company, ensuring all personnel in the Program complete Security Awareness Training through CJIS Online, and notifying the CBI of when an enrolled employee leaves the company. Please refer vendors to https://www.colorado.gov/pacific/cbi/cjis-vendor-management-program for an outline of their responsibilities as well as the required forms.
It should be noted that vendors contracting with criminal justice agencies are not required by the CBI to participate, but the Program is the new preferred standard by which vendor fingerprints are processed, and Colorado law enforcement agencies may mandate the participation of their CJIS contractors.
For years, criminal justice agencies were required to submit vendor employee fingerprints under the Record Type (RTY) of VEN. These submissions required a processing fee of $39.50 and were submitted under the agency’s individual ORI. Fingerprint background check responses were then transmitted into the agency’s designated Secure Document Delivery System (SDDS) account. These types of background checks are still allowed at the agency’s request if, for example, the agency needs the vendor employee immediately and cannot wait for the company to apply for a new Vendor Management Program account. VEN fingerprints submitted under an agency ORI cannot be transferred to the Vendor Management Program, so if a vendor wishes to enroll in the future, the employee(s) must be re-fingerprinted for the Program.
Effective December 1, 2018, vendor employees applying for enrollment in the Vendor Management Program will be required to submit fingerprints through the CABS program. All of our points of contact at currently-enrolled vendor companies have received this email with instructions for submitting fingerprints to the CBI. Except in exigent circumstances, law enforcement agencies will not be required to take fingerprints for vendors after December 1, 2018.
As mentioned above, vendors are not mandated to enroll in the Vendor Management Program; however, agencies may elect to incorporate participation into contracts in order to more easily facilitate the background check process.
The scope of the Vendor Management Program does not include acknowledgement of the CJIS Security Addendum, nor does it guarantee the vendor’s policies and practices are CJIS compliant. Contracts between an agency and a vendor must still include the CJIS Security Policy by reference as well as the CJIS Security Addendum. The responsibility lies at the agency level, rather than with the CBI, to monitor the vendor’s adherence to the CJIS Security Policy in its operations.
CJIS Online is a resource for criminal justice agencies and vendors to use for providing and tracking the Security Awareness Training required by section 5.2 of the CJIS Security Policy. Generally, agencies who provide their own training are welcome to do so as long as the training covers the topics outlined in 5.2.1; however, for the purpose of the Vendor Management Program, vendors must use the Security Awareness Training within CJIS Online so their employees’ certificates of training completion are visible to anyone accessing CJIS Online. There is currently no capability to add certifications for custom training.
When the Vendor's account application for the Program is approved, the CBI searches for the vendor to see if they are already listed in the directory and, if necessary, adds them. It is up to the Vendor to add their individual employees.
The agency Coordinator can log into CJIS Online and see under Vendor Users Management whether a vendor employee is up to date with their Security Awareness Certification.
CJIS Online can also be used for vendors to see whether their own staff have been cleared to participate in the Vendor Management Program. In the Vendor Users Management utility, an employee can be searched, and if there is an entry made by the Colorado Bureau of Investigation in the Fingerprint Information section of the employee’s detail screen, the employee is authorized for the Program. Again, the entry must say Colorado Bureau of Investigation; other criminal justice agencies may make entries here, but this would not indicate participation in the Program.
SUBSEQUENT ARREST NOTIFICATIONS
While the nationwide subsequent arrest notification system known as RAP-Back has not yet come to Colorado, Colorado employs its own state-level subsequent arrest notification system. If a participating vendor employee is arrested in Colorado, a notification will be sent to the CBI's Crime Information Management Unit (CIMU). CIMU staff will review the arrest and, if any disqualifying criteria are present, may revoke authorization to participate in the Program. In such instances, the Vendor Services Coordinator will be notified as well as the criminal justice agencies with which they contract. The responsibility for termination of access lies at the agency level.
LINKING YOUR AGENCY WITH A VENDOR
In order to receive subsequent arrest notifications, it is imperative that agencies using the Vendor Management Program link their agency with the vendor by submitting the VCP-REQ form to the CBI. This will ensure that if any vendor personnel working within the agency are arrested in Colorado, the agency is promptly notified by the CBI.
To access the form, type VCP-REQ in the command line in OpenFox Messenger.
- The Hiring Agency field must contain the agency ORI.
- The Contact Name and information must be the contact at the agency—not to be confused with the contact at the vendor.
- Please only submit the VCP-REQ form for vendors participating in the Program. If a VCP-REQ form is submitted for a nonparticipating vendor, the message will be returned to the originating terminal.
The form will generate the following message to be sent to the CBI:
PLEASE SET UP EVEN FOR CCH-CJIS VENDOR NOTIFICATION:
VENDOR/ABC COMPANY NAME.
CONTACT EMAIL ADDRESS/EMILY.PHILIP@STATE.CO.US.
ADD OR REMOVE/ADD.
CHECKING EMPLOYEE STATUS
Before allowing a participating vendor employee any access to CJI, confirm whether they are authorized to participate in the Program.
First, use the QVCP form in OpenFox Messenger to locate the vendor’s account number. Vendor account numbers are nine digits in length and always begin with COVCP.
This search will return a message:
QVCP MATCH ON NAM: ABC COMPANY
RAF_NAM/ABC COMPANY LLC
Once the vendor account number is found, return to the QVCP form and query using the account number to return a list of vendor employees.
This search will return a list similar to:
Your query: QVCP: RAF/COVCP0001
RETURNED THE FOLLOWING EMPLOYEES:
VCP/NO LONGER EMPLOYED
- Pending = The fingerprints have been processed, and CBI staff is reviewing the results.
- Authorized = No disqualifying criminal history found; applicant is eligible to work on or around CJIS data.
- Not Authorized = Felony conviction or outstanding warrant discovered; applicant is not eligible to work on or around CJIS data.
- No Longer Employed = The CBI was notified that the employee no longer works for this vendor.
For more information, please contact the CIMU CJIS Compliance Team at (303) 239-4299 or firstname.lastname@example.org.