Requirements And Tiering Document FBI CJIS Security Policy Version 5.5

Transcription

U. S. Department of Justice
Federal Bureau of Investigation
Criminal Justice Information Services Division

Requirements and Tiering Document
FBI CJIS Security Policy Version 5.5
06/01/2016

Recommended changes to version 5.4 of the CJIS Security Policy were approved by the Advisory Policy Board (APB) in 2015 and subsequently approved by the Director, FBI in 2016. The Policy contains current requirements carried over from previous versions along with newly approved requirements for agencies to implement.

Effective October 1, 2014, Noncriminal Justice Agencies (NCJA) who had not previously been subject to CJIS Security Policy audit and whose only access to FBI CJIS data is for the purpose of civil fingerprint-based background checks or other noncriminal justice purposes, began being subject to zero-cycle audits. The zero-cycle audits will end September 30, 2017.

The “Summary of Changes” page lists requirements that were added, deleted, or changed from the previous version and are now reflected in the current version. Within the document, the changes and additions are highlighted in yellow for ease of location.

The document also contains the “Requirement Priority Tier” column. This column lists the individual requirement tier of 1 or 2. Tier 1 requirements are indicated in BLUE. Tier 2 requirements are indicated in GOLD. Tier priorities are defined as indicated here:

Tier 1 requirements must be met by a system before a CSO can allow connection to the state system.
Tier 2 requirements must be met by the date indicated in the plan approved by the CSO.

For continuity within the document, there are columns on the left which reflect locations in the current version and the previous version of the Policy.

Please refer questions or comments about this requirements document or the current version of the CJIS Security Policy to your respective Information Security Officer, CJIS Systems Officer, or Compact Officer.

SUMMARY OF CHANGES
Version 5.5

Requirement No.: 133; 134 - 138; 139 – 144; 169, 172, 173, 176, 189, 190, 195; 417; 450; 483; 484; 499 – 501, 504 – 505; 506; 508 – 514; 524 – 528; 531; 535; 536; 538; 545; 549; 550 – 551; 552; 553 – 565

Change:
Change language in Section 5.2
Change requirements for Level One Security Awareness Training
Change requirements for Level Two Security Awareness Training
Change language in Section 5.3
Relocate previous requirements in Section 5.6.2.2.1
Add new requirement in Section 5.10.2
Add new requirement in Section 5.11.2
Add new requirement in Section 5.13.1.1
Change language in Section 5.13.1.1
Change language in Section 5.13.1.1
Change language, add new requirement and renumber requirements in Section 5.13.1.1
Change language in Section 5.13.1.2.1
Change language and section number for Section 5.13.1.4
Change language and add new requirements in Section 5.13.1.4
Change language in Section 5.13.2
Change language and add new requirements in Section 5.13.2
Change language in Section 5.13.3
Change language in Section 5.13.3
Change language in Section 5.13.3
Delete previous requirement in Section 5.13.3.1
Change language in Section 5.13.4.1
Delete previous requirement in Section 5.13.4.3
Change language and section number for Section 5.13.4.4
Change language
Delete previous requirements in Section 5.13.5
Delete previous requirements in Section 5.13.6
Change language and section number for Section 5.13.7
Delete previous requirements in Section 5.13.8
Renumber Section 5.13.9.1
Add new requirement
Add relocated requirements in Sections 5.13.7.2 and 5.13.7.2.1
Change language and section number for Section 5.13.10

Columns: Ver 5.4 Location and New Requirement; Ver 5.5 Location and New Requirement; Topic; Shall Statement; Requirement Priority Tier

Security Policy Sections 1 - 4 (Introduction, Approach, Roles & Responsibilities, and CJI/PII)

Topic: Relationship to Local Security Policy and Other Policies
The local agency may complement the CJIS Security Policy with a local policy, or the agency may develop their own stand-alone security policy; however, the CJIS Security Policy shall always be the minimum standard and local policy may augment, or increase the standards, ...
... and local policy may augment, or increase the standards, but shall not detract from the CJIS Security Policy standards.
The agency shall develop, disseminate, and maintain formal, documented procedures to facilitate the implementation of the CJIS Security Policy and, where applicable, the local security policy.
The policies and procedures shall be consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Topic: CJIS Systems Agencies (CSA)
The head of each CSA shall appoint a CJIS Systems Officer (CSO).
Such decisions shall be documented and kept current.

Topic: CJIS Systems Officer (CSO)
Pursuant to The Bylaws for the CJIS Advisory Policy Board and Working Groups, the role of CSO shall not be outsourced.
The CSO shall set, maintain, and enforce the following:
1. Standards for the selection, supervision, and separation of personnel who have access to CJI.
2. Policy governing the operation of computers, access devices, circuits, hubs, routers, firewalls, and other components that comprise and support a telecommunications network and related CJIS systems used to process, store, or transmit CJI, guaranteeing the priority, confidentiality, integrity, and availability of service needed by the criminal justice community.
a. Ensure appropriate use, enforce system discipline, and ensure CJIS Division operating procedures are followed by all users of the respective services and information.
b. Ensure state/federal agency compliance with policies approved by the APB and adopted by the FBI.
c. Ensure the appointment of the CSA ISO and determine the extent of authority to the CSA ISO.
d. The CSO, or designee, shall ensure that a Terminal Agency Coordinator (TAC) is designated within each agency that has devices accessing CJIS systems.
e. Ensure each agency having access to CJI has someone designated as the Local Agency Security Officer (LASO).
f. Approve access to FBI CJIS systems.
g. Assume ultimate responsibility for managing the security of CJIS systems within their state and/or agency.
h. Perform other related duties outlined by the user agreements with the FBI CJIS Division.
3. Outsourcing of Criminal Justice Functions

Requirement Priority Tier: 1 1 2 1 1 1 1 1 1 1 1 1 1 1 1 1 1

Topic: CJIS Systems Officer (CSO) (continued)
a. Responsibility for the management of the approved security requirements shall remain with the CJA.
b. Responsibility for the management control of network security shall remain with the CJA.

Topic: Contracting Government Agency (CGA)
A CGA is a government agency, whether a CJA or a NCJA, that enters into an agreement with a private contractor subject to the CJIS Security Addendum. The CGA entering into an agreement with a contractor shall appoint an Agency Coordinator.

Topic: Agency Coordinator (AC)
The AC shall be responsible for the supervision and integrity of the system, training and continuing education of employees and operators, scheduling of initial training and testing, and certification testing and all required reports by NCIC.
The AC shall:
1. Understand the communications, records capabilities, and needs of the Contractor which is accessing federal and state records through or because of its relationship with the CGA.
2. Participate in related meetings and provide input and comments for system improvement.
3. Receive information from the CGA (e.g., system updates) and disseminate it to appropriate Contractor employees.
4. Maintain and update manuals applicable to the effectuation of the agreement, and provide them to the Contractor.
5. Maintain up-to-date records of Contractor’s employees who access the system, including name, date of birth, social security number, date fingerprint card(s) submitted, date security clearance issued, and date initially trained, tested, certified or recertified (if applicable).
6. Train or ensure the training of Contractor personnel. If Contractor personnel access NCIC, schedule the operators for testing or a certification exam with the CSA staff, or AC staff with permission from the CSA staff. Schedule new operators for the certification exam within six (6) months of assignment. Schedule certified operators for biennial re-certification testing within thirty (30) days prior to the expiration of certification. Schedule operators for other mandated class.
7. The AC will not permit an untrained/untested or non-certified Contractor employee to access CJI or systems supporting CJI where access to CJI can be gained.
8. Where appropriate, ensure compliance by the Contractor with NCIC validation requirements.
9. Provide completed applicant fingerprint cards on each Contractor employee who accesses the system to the CJA (or, where appropriate, CSA) for criminal background investigation prior to such employee accessing the system.

Requirement Priority Tier: 1 1 1 1 1 2 1 2 1 1 2 1 1

Topic: Agency Coordinator (AC) (continued)
10. Any other responsibility for the AC promulgated by the FBI.

Topic: CJIS System Agency Information Security Officer (CSA ISO)
The CSA ISO shall:
1. Serve as the security point of contact (POC) to the FBI CJIS Division ISO.
2. Document technical compliance with the CJIS Security Policy with the goal to assure the confidentiality, integrity, and availability of criminal justice information to the user community throughout the CSA’s user community, to include the local level.
3. Document and provide assistance for implementing the security-related controls for the Interface Agency and its users.
4. Establish a security incident response and reporting procedure to discover, investigate, document, and report to the CSA, the affected criminal justice agency, and the FBI CJIS Division ISO major incidents that significantly endanger the security or integrity of CJI.

Topic: Local Agency Security Officer (LASO)
Each LASO shall:
1. Identify who is using the CSA approved hardware, software, and firmware and ensure no unauthorized individuals or processes have access to the same.
2. Identify and document how the equipment is connected to the state system.
3. Ensure that personnel security screening procedures are being followed as stated in this policy.
4. Ensure the approved and appropriate security measures are in place and working as expected.
5. Support policy compliance and ensure CSA ISO is promptly informed of security incidents.

Topic: FBI CJIS Division Information Security Officer (FBI CJIS ISO)
The FBI CJIS ISO shall:
1. Maintain the CJIS Security Policy.
2. Disseminate the FBI Director approved CJIS Security Policy.
3. Serve as a liaison with the CSA’s ISO and with other personnel across the CJIS community and in this regard provide technical guidance as to the intent and implementation of operational and technical policy issues.
4. Serve as a point-of-contact (POC) for computer incident notification and distribution of security alerts to the CSOs and ISOs.
5. Assist with developing audit compliance guidelines as well as identifying and reconciling security-related issues.
6. Develop and participate in information security training programs for the CSOs and ISOs, and provide a means by which to acquire feedback to measure the effectiveness and success of such training.

Requirement Priority Tier: 1 1 2 2 1 1 1 1 1 1 1 1 1 1 1 1

Topic: FBI CJIS Division Information Security Officer (FBI CJIS ISO)
7. Maintain a security policy resource center (SPRC) on FBI.gov and keep the CSOs and ISOs updated on pertinent information.

Topic: Compact Officer
Pursuant to the National Crime Prevention and Privacy Compact, each party state shall appoint a Compact Officer ...
... Compact Officer who shall ensure that Compact provisions and rules, procedures, and standards established by the Compact Council are complied with in their respective state.

Topic: Proper Access, Use, and Dissemination of CHRI
The III shall be accessed only for an authorized purpose.
Further, CHRI shall only be used for an authorized purpose consistent with the purpose for which III was accessed.

Topic: Proper Access, Use, and Dissemination of NCIC Restricted Files Information
Proper access to, use, and dissemination of data from restricted files shall be consistent with the access, use, and dissemination policies concerning the III described in Title 28, Part 20, CFR, and the NCIC Operating Manual.
The restricted files, which shall be protected as CHRI, are as follows:
1. Gang File
2. Known or Appropriately Suspected Terrorist File
3. Supervised Release File
4. National Sex Offender Registry File
5. Historical Protection Order File of the NCIC
6. Identity Theft File
7. Protective Interest File
8. Person With Information [PWI] data in the Missing Person Files
9. Violent Person File
10. NICS Denied Transaction File

Topic: For Other Authorized Purposes
Non-restricted files information shall not be disseminated commercially.
Agencies shall not disseminate restricted files information for purposes other than law enforcement.

Topic: Storage
When CHRI is stored, agencies shall establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of the information.
These records shall be stored for extended periods only when they are key elements for the integrity and/or utility of case files and/or criminal record files.

Topic: Justification
In addition to the use of purpose codes and logging information, all users shall provide a reason for all III inquiries whenever requested by NCIC System Managers, CSAs, local agency administrators, or their representatives.

Topic: Personally Identifiable Information (PII)
PII shall be extracted from CJI for the purpose of official business only.
Agencies shall develop policies, based on state and local privacy rules, to ensure appropriate controls are applied when handling PII extracted from CJI.

Requirement Priority Tier: 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

CJIS Security Policy Area 1 - Information Exchange Agreements

Topic: Policy Area 1: Information Exchange Agreements
The information shared through communication mediums shall be protected with appropriate security safeguards.

Topic: Information Exchange
Before exchanging CJI, agencies shall put formal agreements in place that specify security controls.
Information exchange agreements for agencies sharing CJI data that is sent to and/or received from the FBI CJIS shall specify the security controls and conditions described in this document.
Information exchange agreements shall be supported by documentation committing both parties to the terms of information exchange.
Law Enforcement and civil agencies shall have a local policy to validate a requestor of CJI as an authorized recipient before disseminating CJI.

Topic: Information Handling
Procedures for handling and storage of information shall be established to protect that information from unauthorized disclosure, alteration or misuse.
Using the requirements in this policy as a starting point, the procedures shall apply to the handling, processing, storing, and communication of CJI.

Topic: State and Federal Agency User Agreements
Each CSA head or SIB Chief shall execute a signed written user agreement with the FBI CJIS Division stating their willingness to demonstrate conformity with this policy before accessing and participating in CJIS records information programs.
This agreement shall include the standards and sanctions governing utilization of CJIS systems.
As coordinated through the particular CSA or SIB Chief, each Interface Agency shall also allow the FBI to periodically test the ability to penetrate the FBI’s network through the external network connection or system per authorization of Department of Justice (DOJ) Order 2640.2F.
All user agreements with the FBI CJIS Division shall be coordinated with the CSA head.

Topic: Criminal Justice Agency User Agreements
Any CJA receiving access to FBI CJI shall enter into a signed written agreement with the appropriate signatory authority of the CSA providing the access.
The written agreement shall specify the FBI CJIS systems and services to which the agency will have access, and the FBI CJIS Division policies to which the agency must adhere.
These agreements shall include:
1. Audit.
2. Dissemination.
3. Hit confirmation.
4. Logging.
5. Quality Assurance (QA).
6. Screening (Pre-Employment).
7. Security.
8. Timeliness.
9. Training.

Requirement Priority Tier: 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

Topic: Criminal Justice Agency User Agreements (continued)
10. Use of the system.
11. Validation.

Topic: Inter-Agency and Management Control Agreements
A NCJA (government) designated to perform criminal justice functions for a CJA shall be eligible for access to the CJI.
Access shall be permitted when such designation is authorized pursuant to Executive Order, statute, regulation, or inter-agency agreement.
The NCJA shall sign and execute a management control agreement (MCA) with the CJA, which stipulates management control of the criminal justice function remains solely with the CJA.

Topic: Private Contractor User Agreements and CJIS
Private contractors who perform criminal justice functions shall meet the same training and certification criteria required by governmental agencies performing a similar function, and ...
... and shall be subject to the same extent of audit review as are local user agencies.
All private contractors who perform criminal justice functions shall acknowledge, via signing of the Security Addendum Certification page, and abide by all aspects of the CJIS Security Addendum.
Modifications to the CJIS Security Addendum shall be enacted only by the FBI.
1. Private contractors designated to perform criminal justice functions for a CJA shall be eligible for access to CJI.
Access shall be permitted pursuant to an agreement which specifically identifies the agency’s purpose and scope of providing services for the administration of criminal justice.
The agreement between the CJA and the private contractor shall incorporate the CJIS Security Addendum approved by the Director of the FBI, acting for the U.S. Attorney General, as referenced in Title 28 CFR 20.33 (a)(7).
2. Private contractors designated to perform criminal justice functions on behalf of a NCJA (government) shall be eligible for access to CJI.
Access shall be permitted pursuant to an agreement which specifically identifies the agency’s purpose and scope of providing services for the administration of criminal justice.
The agreement between the NCJA and the private contractor shall incorporate the CJIS Security Addendum approved by the Director of the FBI, acting for the U.S. Attorney General, as referenced in Title 28 CFR 20.33 (a)(7).

Topic: Agency User Agreements
A NCJA (public) designated to request civil fingerprint-based background checks, with the full consent of the individual to whom a background check is taking place, for noncriminal justice functions, shall be eligible for access to CJI.
Access shall be permitted when such designation is authorized pursuant to federal law or state statute approved by the U.S. Attorney General.

Requirement Priority Tier: 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

Topic: Agency User Agreements
A NCJA (public) receiving access to FBI CJI shall enter into a signed written agreement with the appropriate signatory authority of the CSA/SIB providing the access.
A NCJA (private) designated to request civil fingerprint-based background checks, with the full consent of the individual to whom a background check is taking place, for noncriminal justice functions, shall be eligible for access to CJI.
Access shall be permitted when such designation is authorized pursuant to federal law or state statute approved by the U.S. Attorney General.
A NCJA (private) receiving access to FBI CJI shall enter into a signed written agreement with the appropriate signatory authority of the CSA, SIB, or authorized agency providing the access.
All NCJAs accessing CJI shall be subject to all pertinent areas of the CJIS Security Policy (see appendix J for supplemental guidance).
Each NCJA that directly accesses FBI CJI shall also allow the FBI to periodically test the ability to penetrate the FBI’s network through the external network connection or system per authorization of Department of Justice (DOJ) Order 2640.2F.

Topic: Outsourcing Standards for Channelers
Channelers designated to request civil fingerprint-based background checks or noncriminal justice ancillary functions on behalf of a NCJA (public) or NCJA (private) for noncriminal justice functions shall be eligible for access to CJI.
Access shall be permitted when such designation is authorized pursuant to federal law or state statute approved by the U.S. Attorney General.
All Channelers accessing CJI shall be subject to the terms and conditions described in the Compact Council Security and Management Control Outsourcing Standard.
Each Channeler that directly accesses CJI shall also allow the FBI to conduct periodic penetration testing.
Channelers leveraging CJI to perform civil functions on behalf of an Authorized Recipient shall meet the same training and certification criteria required by governmental agencies performing a similar function ...
... and shall be subject to the same extent of audit review as are local user agencies.

Topic: Outsourcing Standards for Non-Channelers
Contractors designated to perform noncriminal justice ancillary functions on behalf of a NCJA (public) or NCJA (private) for noncriminal justice functions shall be eligible for access to CJI.
Access shall be permitted when such designation is authorized pursuant to federal law or state statute approved by the U.S. Attorney General.
All contractors accessing CJI shall be subject to the terms and conditions described in the Compact Council Outsourcing Standard for Non-Channelers.
Contractors leveraging CJI to perform civil functions on behalf of an Authorized Recipient shall meet the same training and certification criteria required by governmental agencies performing a similar function, and ...

Requirement Priority Tier: 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

Topic: Outsourcing Standards for Non-Channelers (continued)
... and shall be subject to the same extent of audit review as are local user agencies.

Topic: Monitoring, Review, and Delivery of Services
As specified in the inter-agency agreements, MCAs, and contractual agreements with private contractors, the services, reports and records provided by the service provider shall be regularly monitored and reviewed.

Topic: Monitoring, Review, and Delivery of Services (continued)
The CJA, authorized agency, or FBI shall maintain sufficient overall control and visibility into all security aspects to include, but not limited to, identification of vulnerabilities and information security incident reporting/response.
The incident reporting/response process used by the service provider shall conform to the incident reporting/response specifications provided in this policy.

Topic: Managing Changes to Service Providers
Any changes to services provided by a service provider shall be managed by the CJA, authorized agency, or FBI.
Evaluation of the risks to the agency shall be undertaken based on the criticality of the data, system, and the impact of the change.

Topic: Secondary Dissemination
If CHRI is released to another authorized agency, and that agency was not part of the releasing agency’s primary information exchange agreement(s), the releasing agency shall log such dissemination.

Topic: Secondary Dissemination of Non-CHRI CJI
Dissemination shall conform to the local policy validating the requestor of the CJI as an employee or contractor of a law enforcement agency or civil agency requiring the CJI to perform their mission or a member of the public receiving CJI via authorized dissemination.

Requirement Priority Tier: 1 1 1 1 1 1 1 1

CJIS Security Policy Area 2 - Security Awareness Training

Topic: Policy Area 2: Security Awareness Training
Basic security awareness training shall be required within six months of initial assignment and biennially thereafter, for all personnel who have access to CJI to include all personnel who have unescorted access to a physically secure location.

Topic: All Personnel Level One Security Awareness Training
At a minimum, the following topics shall be addressed as baseline security awareness training for all authorized personnel with access to CJI personnel who have access to a physically secure location:
1. Rules that describe Individual responsibilities and expected behavior with regard to being in the vicinity of CJI usage and/or terminals.
2. Implications of noncompliance.
3. Incident response (Identify Points points of contact; and Individual individual actions).
4. Media Protection.
5 4. Visitor control and physical access to spaces—discuss applicable physical security policy and procedures, e.g., challenge strangers, report unusual activity, etc.

Topic: Level Two Security Awareness Training
In addition to 5.2.1.1 above, the following topics, at a minimum, shall be addressed as baseline security awareness training for all authorized personnel with access to CJI:
1. Media Protection.
6 2. Protect information subject to confidentiality concerns — hardcopy through destruction.
7 3. Proper handling and marking of CJI.
8 4. Threats, vulnerabilities, and risks associated with handling of CJI.
9 5. Social engineering.
10 6. Dissemination and destruction.

Topic: Personnel with Physical and Logical Access Level Three Security Awareness
In addition to 5.2.1.1 and 5.2.1.2 above, the following topics, at a minimum, shall be addressed as baseline security awareness training for all authorized personnel with both physical and logical access to CJI:
1. Rules that describe responsibilities and expected behavior with regard to information system usage.
2. Password usage and management—including creation, frequency of changes, and protection.
3. Protection from viruses, worms, Trojan horses, and other malicious code.
4. Unknown e-mail/attachments.
5. Web usage—allowed versus prohibited; monitoring of user activity.
6. Spam.
7. Physical Security—increases in risks to systems and data.
8. Handheld device security issues—address both physical and wireless security issues.

Requirement Priority Tier: 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

Topic: Personnel with Physical and Logical Access Level Three Security Awareness
9. Use of encryption and the transmission of sensitive/confidential information over the Internet—address agency policy, procedures, and technical contact for assistance.
10. Laptop security—address both physical and information security issues.
11. Personally owned equipment and software—state whether allowed or not (e.g., copyrights).
12. Access control issues—address least privilege and separation of duties.
13. Individual accountability—explain what this means in the agency.
14. Use of acknowledgement statements—passwords, access to systems and data, personal use and gain.
15. Desktop security—discuss use of screensavers, restricting visitors’ view of information on screen (preventing/limiting “shoulder surfing”), battery backup devices, allowed access to systems.
16. Protect information subject to confidentiality concerns—in systems, archived, on backup media, and until destroyed.
17. Threats, vulnerabilities, and risks associated with accessing CJIS Service systems and services.

Topic: Personnel with Information Technology Roles Level Four Security Awareness
In addition to 5.2.1.1, and 5.2.1.2 and 5.2.1.3 above, the following topics at a minimum shall be addressed as baseline security awareness training for tors, security administrators, network administrators, etc.):
1. Protection from viruses, worms, Trojan horses, and other malicious code—scanning, updating definitions.
2. Data backup and storage—centralized or decentralized approach.
3. Timely application of system patches—part of configuration management.
4. Access control measures.
5. Network infrastructure protection measures.

Topic: Security Training Records
Records of individual basic security awareness training and specific information system security training shall be:
- documented
- kept current
- maintained by the CSO/SIB/Compact Officer

Requirement Priority Tier: 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

CJIS Security Policy Area 3 - Incident Response

Topic: Policy Area 3: Incident Response
To ensure protection of CJI, Agencies agencies shall: (i) establish an operational incident handling capability for agency information systems procedures that includes adequate preparation, detection,
