The URL can be used to link to this page

Browse Search

Home My WebLink About20192483.tiffBOARD OF COUNTY COMMISSIONERS PASS -AROUND REVIEW PASS -AROUND TITLE: Internal CJIS Management Control Agreements for Communications DEPARTMENT: Information Technology PERSON REQUESTING: Ryan Rose DATE: 5/17/2019 Brief description of the problem/issue: As a part of our CJIS compliance, we need to have updated agreements between 1T/BOCC/Communications which set policies, procedures, and processes associated with the non -criminal justice agency's access to criminal justice information and to stipulate that management control of the criminal justice functions (and information) remain solely with the criminal justice agency. Similar agreements have previously been signed between IT, the BOCC and the Sheriffs Office, Justice Services, and the DA. We are asking to have the same agreement in place with Communications. What options exist for the Board? (include consequences, impacts, costs, etc. of options): To maintain our CJIS compliance posture, IT is requesting authorization for the Chair to sign the agreements. Recommendation: Weld County IT recommends that the Board grant approval for the Chair to sign the attached agreements. Sean P. Conway Mike Freeman, Pro -Tern Scott K. James Barbara Kirkmeyer, Chair Steve Moreno Ari Approve Schedule Recommendation Work Session Other/Comments: C.c.: CVO( (nw),TTCRR) O (O1/ l9 2019-2483 GM oobzi ZToeo MANAGEMENT CONTROL AGREEMENT REGARDING COLORADO BUREAU OF INVESTIGATION AND FBI CRIMINAL JUSTICE INFORMATION SYSTEMS The purpose of this document is to establish and enforce Security Control of the access and use of the Colorado Bureau of Investigation's (CBI) Colorado Crime Information Center (CCIC) database and associated CJIS systems (NCIC, Nlets, etc.) in a location where access to and/or use of that system is accomplished by a criminal justice agency with the assistance of a non- criminal justice governmental agency. This document places Security Control of that access and use under the authority of the criminal justice agency. This document is an agreement between Weld County Communications, the "criminal justice agency," the Weld County Information Technology Department and Weld County Board of Commissioners, the "non -criminal justice agency" providing services in support of the criminal justice agency in the execution of its duties under the "administration of criminal justice." Whereas the non -criminal justice agency manages the associated computer and/or equipment and personnel that provide the criminal justice agencies with access to CCIC and associated CJIS systems, and Whereas the non -criminal justice agency through the CCIC Coordinator performs certain administrative functions of the Colorado Crime Information Center (CCIC) and the National Crime Information Center (NCIC) for the criminal justice agency, and Whereas the criminal justice agency has signed an agreement with the Colorado Bureau of Investigation to use and participate in the state's telecommunications networks and associated systems, and Whereas the state transmits state and national criminal history information over those networks, and Whereas the state participates in the FBI CJIS Systems, which require that all access to the FBI CJIS Systems be controlled by the FBI CBS Security Policy, and Whereas the CJIS Security Policy requires that the State CJIS Systems Agency (CSA) (i.e., the Colorado Bureau of Investigation) establish "Security Control," for that access, and Whereas Security Control is defined as the ability of the CSA or criminal justice agency to set, maintain, and enforce: 1. Standards for the selection, supervision, and termination of personnel; and 2. Policy governing the operation of computers, access devices, circuits, hubs, routers, firewalls, and other components that make up and support a telecommunications 020/9_ a $4g3 Management Control Agreement Page 2 network and related CJIS systems used to process, store, or transmit criminal justice information, guaranteeing the priority, integrity, and availability of service needed by the criminal justice community. Whereas the Colorado Bureau of Investigation defines management control as the authority and responsibility to enforce Security Control as herein defined, and Therefore, be it resolved that this agreement hereby places the technical services division under the management control, as herein defined, of the criminal justice agency. SECURITY The non -criminal justice agency agrees to abide by all current and hereafter approved rules of the Colorado Bureau of Investigation and Federal Bureau of Investigation, including but not limited to all requirements of the CJIS Security Policy. The compliance with those requirements shall be determined by the criminal justice agency and the CBI. Computers having access to CCIC/NCIC must have the proper software and hardware controls, implemented under the supervision of the criminal justice agency, to prevent criminal history and other CJIS data from being accessible to any terminals other than authorized terminals. The non -criminal justice agency must allow adequate physical security, as required by the CJIS Security Policy and determined by the criminal justice agency, to protect against any unauthorized personnel gaining access to the terminals, computer equipment, or any of the stored data. Personnel at the criminal justice agency site, or with remote access to the criminal justice agency's data, must be screened thoroughly under the authority and supervision of the criminal justice agency, in accordance with CCIC/NCIC policy. This screening applies to criminal justice and non -criminal justice personnel, including non -criminal justice maintenance and technical personnel. This screening will be done under the guidelines established in the CJIS Security Policy. Decisions by the criminal justice agency related to personnel are limited to the inclusion or exclusion of personnel from the criminal justice agency, according to the guidelines established by the O15 Security Policy and implemented by CCIC Policy. All visitors to the criminal justice agency and the technical services division must be accompanied by staff personnel at all times. All terminals and network equipment having access to the state's law enforcement networks must be physically placed in secure locations, as required by the CJIS Security Policy and determined by the criminal justice agency. Management Control Agreement Page 3 Access to all terminals and network equipment that protects and/or transmits the criminal justice data must be restricted to the minimum number of authorized employees needed to complete the work. Printed copies of criminal history data obtained from CCIC/NCIC must be afforded security to prevent any unauthorized access to or use of the data. When the printout is no longer needed, it must be filed in a secure file or destroyed. No terminal will access the state's law enforcement networks, and no data will be requested or obtained through these networks without the approval of the criminal justice agency. No changes will be made to the configuration of the networks accessing the state's law enforcement network without prior approval of the state. TRAINING Personnel at the criminal justice agency site, or with remote access to the criminal justice agency's data, must take Security Awareness training within 6 months of initial assignment, and biennially thereafter, as required by the CJIS Security Policy. This training and certification applies to criminal justice and non -criminal justice personnel, including non -criminal justice maintenance and technical personnel. This training shall include, at a minimum, the topics required by the CJIS Security Policy. MONITORING AND AUDITING The non -criminal justice agency agrees to allow the criminal justice agency and CBI necessary access, as determined by CBI and the criminal justice agency, to the physical locations, any computer programs, any computer files, and/or network activities necessary to implement and enforce security control as defined by the CJIS Security Policy. The criminal justice agency, in accordance with CCIC/NCIC policy, has the responsibility and authority to monitor, audit, and enforce the implementation of this agreement by the non -criminal justice agency. CBI and FBI audits of the technical services division will be to determine whether policies have been established by the criminal justice agency and implemented by the non -criminal justice agency. GENERAL The criminal justice agency will not manage the day to day operations of the technical services division but may establish and enforce the priorities necessary to meet CBI and FBI policies regarding system use. Management Control Agreement Page 4 The non -criminal justice agency agrees to cooperate with the criminal justice agency in the implementation of this agreement, and to accomplish the directives of the criminal justice agency under the provisions of this agreement. Non -Criminal Justice A ency Si at re Ryan Rose Printed Name Chief Information Officer, Weld County Title s --t3- )9 Date gnature Barbara Kirkmeyer Printed Name Chair, Weld County Board of Commissioners Title ,1UL 01 2019 Date Gi inal Justice Agency Signature Michael Wallace Printed Name Director of Weld County Communications Title Date 02oi9 -,,ziK3 Management Control Agreement Page 5 APPENDIX A Appropriate environmental security measures would include: a) A back-up power supply or uninterruptible power source. b) Environment monitors and controls for temperature, air conditioning, humidity, etc. c) Emergency lighting. d) Adequate fire detection/suppression devices. e) Emergency shutdown of system and/or power devices. f) Duplicate computer files, if applicable, (as a countermeasure for unauthorized destruction of original files) which are to be maintained off premise. Computer tapes or discs should be locked in a safe (fireproof) storage area under the control of senior agency personnel. Secondary storage (off -site location) will be used to back-up. Management Control Agreement Page 6 APPENDIX B The standards apply to all personnel with access to network systems as defined in Title 28 CFR, Part 20 to CHRI data, including, but not limited to: a) Management personnel who direct criminal justice related software, hardware, or dispatch functions. b) Supervisory personnel who supervise criminal justice related software, hardware, or dispatch functions; or have terminal access to criminal justice data either directly or through their subordinates; or who have general responsibility for criminal justice related data storage, switching, transmission and logging. c) Personnel involved in analysis, evaluation and/or programming of criminal justice related data stored, switches, transmitted or logged by the center. d) Non -Data processing personnel who regularly provide necessary software or hardware installation, modification or maintenance in the dispatch center. e) Non -Data Processing personnel who provide temporary and necessary software, hardware or telecommunications installation, modification or maintenance, or such other services as deemed necessary by the Communications Supervisor. f) All other persons with direct access to the dispatch center or terminals with access to the state's telecommunications system. Entity Information Entity Name* Entity ID* WELD COUNTY COMMUNICATIONS 4100 Contract Name* Contract ID COMMUNICATIONS, IT/BOCC CJIS MANAGEMENT CONTROL 2815 AGREEMENT Contract Lead* Contract Status NWONDER CTB REVIEW ❑ New Entity? Parent Contract ID Requires d YES Contract Lead Email Department Project It rr o der@co.weld.co.us Contract Description AGREEMENT BETWEEN COMMUNICATIONS (CRIMINAL _JUSTICE .AGENCY), IT AND BOCC (NON -CRIMINAL ..JUSTICE AGENCY) SUPPORTING CJIS DUTIES. Contract Description 2 Contract Type AGREEMENT Amount* $0. GO Renewable* NO Automatic Renewal NO Grant NO IGA NO Department I NFORMATi ON TECHNOLOGY-GIS t.-,. rtment Email CM- InformationTechnology eidgo'v'.cGm ent Head Email CM-InfermationTec hnolog_yGlS- DeptHead@weldgov corn County Attorney GENERAL COUNTY ATTORNEY EMAIL County Attorney Email Cfl- COUNTYATTORNEYgAELD GO`=/. COM tf this is a renewal enter previous Contract ID tf this is part of a MSA enter MSA Contract ID Requested BOCC Agenda Date* 06/24/2019 Due Date 00,20/2019 Will a work session with BOCC be required?* NO Does Contract require Purchasing Dept. to be included? NO Note: the Previous Contract Number and Master Services Agreement Number should be left blank if those contracts are not in OnBase Effective Date 66/24/2019 Termination Notice Period Review Date* 12/01/2022 Committed Delivery Date Renewal Date Expiration Date 01/01/2023 Contact Info Contact Name Contact T Contact Email Purchasing Purchasing Approval Proce Department Head RYAN ROSE OH Approved Date D6/20/2019 Final Approval BOCC Approved BOCC Signed Date BOCC Agen 07/01/2019 Originator NWONDER Purchasing Approved Date Finance Approver BARB CONNOLLY Finance Approved Date 06121/2019 Legal Counsel KARIN MC©OUGAL Legal Counsel 06/26/2019 Tyler Ref It AG 070119 Hello