CJIS Vendor Management Program - Vendor Instructions
**ATTENTION CURRENT AND FUTURE VENDORS**
- Notices from the CBI regarding vendor eligibility will start to look different. Please view this letter to see what to expect regarding these changes.
- The fingerprint process for this program is changing effective December 1, 2018. Please view this letter for further instructions.
Participation in the CJIS Vendor Management Program requires the following steps for enrollment:
- Carefully review and complete the CBI CJIS Vendor Agreement
- This agreement outlines the responsibilities of the vendor regarding participation in the program and adherence to the CJIS Security Policy. Agreements will be retained by the CBI, and must be resubmitted if the Vendor Administrator changes.
- Complete an Account Application and IRS Form W-9, Request for Taxpayer Identification Number
- An account is needed not only for identification of the vendor for fingerprint processing, but for billing purposed. Participating vendors will be invoiced monthly for any fingerprint submissions occuring during the previous month.
- Submit a copy of an existing contract with a Colorado criminal justice agency. If your company provides services which involve direct handling of CJIS data (document shredding, IT services, software support, etc.), the contract must include the CJIS Security Addendum by reference.
- Mail the completed documents to the CBI at:
Colorado Bureau of Investigation
Vendor Management Program
690 Kipling Street, Ste. 3000
Denver, CO 80215
- Alternatively, the forms can be emailed to firstname.lastname@example.org.
Once the CBI's Identification Unit approves the vendor and issues an account number, they will notify the vendor by email of the new account number, along with instructions on submitting the fingerprints. The correct account number assigned to your company must be used, or the fingerprint submission may be rejected.
Employee Management and Security Awareness
The CJIS Security Policy states in section 5.2 that "basic security awareness training shall be required within six months of initial assignment, and biennially thereafter, for all personnel who have access to CJI". Peak Performance Solutions provides an easy way for vendors to keep track of personnel Security Awareness certifications through CJIS Online. Upon approval for the program, the Vendor Administrator will be issued a CJIS Online account with administrator access, if one does not already exist. Thereafter, the Vendor Administrator can log in to CJIS Online to add personnel, assign required training, and manage certifications.
The CJIS Online portal also allows the Vendor Administrator to view which employees are authorized to participate in the program. Once the CBI reviews and approves the results of the fingerprint-based background check, authorized personnel will have an entry made by the Colorado Bureau of Investigation in the Fingerprint Information section of the Vendor Employee Details screen.
Employee Separation and Subsequent Denial Notifications
If participating employees no longer work for the vendor, the Vendor Administrator must notify the CBI's CJIS Vendor Management Group immediately (CJIS Security Policy 5.12.2).
If a previously-approved vendor employee is found to no longer be authorized to access CJI, a notification will be sent to the Vendor Administrator, as well as any criminal justice agencies with whom they contract, to inform them that the individual may no longer access CJI.
For more information, please contact the CIMU CJIS Compliance Team at (303) 239-4222 or email@example.com.