Criminal Justice Information Systems (CJIS) Guidelines and Requirements

​​​​​​​​​​​​​Thank you for your interest in working with the City of Phoenix to enhance the services we provide to the citizens of our great city. The City of Phoenix recognizes that by allowing physical or logical (electronic) access to City of Phoenix facilities or network resources, people may gain access to information or systems that they are statutorily prohibited from accessing. In compliance with state and federal regulations, the City of Phoenix is required to ensure access is necessary and legally sound.  In order to comply with Arizona Department of Public Safety (AzDPS) and FBI Criminal Justice Information Systems (CJIS) security policies, state of residency and national fingerprint-based record checks must be conducted for all personnel who have authorized access to FBI CJIS systems.  The Contracting Department will provide the details to complete the fingerprint process and each person with access will be required to hold a valid driver’s license or valid government-issued identification card.

If a company is in possession of an existing CJIS Information Agreement with the Arizona Department of Public Safety you will be required to provide it prior to beginning work with the City of Phoenix.  Written confirmation  is required to ensure CJIS compliance and  it required through the duration of the contract. ​

Information referenced below is made available through the CJIS Security Policy Resource Center​.  If you have any questions related to CJIS or need additional information, please contact the Contracting Department. 
​​

Security Addendum - The CJIS Security Addendum outlined in Section 5.1.1.5 is a uniform addendum to an agreement between the government agency and a private contractor, approved by the Attorney General of the United States, which specifically authorizes access to CHRI, limits the use of the information to the purposes for which it is provided, ensures the security and confidentiality of the information is consistent with existing regulations and the CJIS Security Policy, provides for sanctions, and contains such other provisions as the Attorney General may require.   The addendum is required by vendors only if employees need physical or any logical access to  network data systems or secured areas where Criminal Justice Information (CJI) may be accessible. 


Security Addendum Certification Form - Is required for each v​endor to complete if not included in previously entered contracts and made available in the Appendix of the current CJIS Security Policy​. Each employee performing work under a security addendum must complete a security addendum certification form. Prior to commencing on-site work, your Contracting Department must ensure contract employees are vetted accordingly.  The Security Addendum packet must be completed in a timely manner BEFORE employees are allowed to work "Unescorted" in secured areas where CJI may be transmitted, processed or stored. The approval process could take several weeks to finalize, so please plan accordingly. CJIS vetting involves national fingerprint based- background checks to ensure contractors with "Unescorted" access to areas where CJI is accessible meet the CJIS Systems Access policy.   This document will be attached to the contract and maintained by the Contracting Department  through the duration of the contract. 


Contractor Employee Reference Documentation - Code of Federal Regulations Title 28, Part 20 - Criminal Justice Information Systems must be made available to every employee included within the CJIS Security Addendum packet whereby a "Certification Sheet" is submitted.


Contractor Employee Reference Documentation NCIC2000 Manual​ - National Crime Information Center (NCIC) System 2000 introduction, system description, policies, standards, and sanctions for non-compliance. The NCIC200 Manual must be available to every employee included within the CJIS Security Addendum packet, whereby a "Certification Sheet" is submitted. 

​
CJIS Security Policy​ - The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of Criminal Justice Information (CJI), whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI data. This policy applies to every individual—contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity—with access to or who operate in support of, criminal justice services and information. 


CJIS Security Awareness Training Acknowledgement Form – (Security Awareness Training Acknowledgement Form.pdf) Persons authorized to have direct access to CJIS-regulated data, such as criminal history information, or computer systems that interact directly with CJIS-regulated data must comply with the Security Awareness training requirement as designated by the Criminal Justice Information Services (CJIS) Compliance Office.  Security training program requirements are outlined in Section 5.2 of the CJIS Policy.   A contractor will assume the responsibilities of providing Security Awareness Training along with maintaining training records, which will be available to the City of Phoenix upon written request.  An example of a CJIS Security Awareness Training Acknowledgment Form is provided.  Contracting Departments are responsible for CJIS Security Awareness compliance If you have any questions or need additional information, please contact the Contracting Department. 

​​
Personnel Security – The City of Phoenix requires contractors who work with Criminal Justice Information (CJI) and or require access into secure areas complete a fingerprint based criminal history record check as referenced in Section 5.􀀀2 of the CJIS Policy.  This is a requirement that must be met prior to entering into a contract with the City of Phoenix and the City will manage the required required background screening and fingerprint process. ​