Criminal Justice Information Services (CJIS) Compliance
Version 1.0, Last Modified 12.04.24
Criminal Justice Information Services (CJIS) Compliance at 8A Payments
This document is provided for informational purposes only, and it is provided "as is," without warranties of any kind, whether express or implied. In addition, this document does not create any representations, contractual commitments, conditions or assurances from 8A Payments. 8A Payments's responsibilities to its clients and partners are set forth in the contract(s) it has signed with those clients, and this document is not a part of, and does not modify, any such contract. This document conveys 8A Payments's CJIS compliance practices, which may be updated from time to time at 8A Payments's discretion and without advance notice.
EXECUTIVE SUMMARY
The CJIS Security Policy provides Criminal Justice Agencies (CJA) and Noncriminal Justice Agencies (NCJA) with a minimum set of security requirements for access to FBI CJIS systems and information for the protection and safeguarding of Criminal Justice Information (CJI). Certain 8A Payments clients are CJAs that license 8A Payments services, which involve CJI, specifically names and cash bail payment transaction information, putting 8A Payments and those clients under a shared responsibility framework with respect to that CJI. 8A Payments manages for compliance with CJIS Security Policy requirements where applicable, such as signing CJIS security addendum agreements with our clients and partners. The purpose of this document is to provide an overview of 8A Payments's CJIS compliance program, including the shared responsibility model under which it operates in partnership with its impacted clients.
CRIMINAL JUSTICE INFORMATION (CJI), DEFINED
CJI refers to all of the FBI's CJIS-provided data necessary for law enforcement agencies to perform their mission and enforce the laws. CJI includes biometric, identity history, person, organization, property and case/incident history data. To access the FBI's CJIS Security Policy itself, please visit the FBI's CJIS Security Policy Resource Center.
PROTECTING CJI
CJI must be protected until the information is either (a) released to the public through an authorized disclosure, such as in a crime report; or (b) purged or destroyed in accordance with applicable record retention rules. The CJIS Security Policy outlines a minimum set of security requirements that create security controls for managing and maintaining CJI data. There is no centralized body authorized to certify compliance with the CJIS Security Policy. Consequently, there is no such thing as being "CJIS certified."
The FBI has advised government agencies that CJAs and NCJAs are ultimately responsible for ensuring compliance, even when they engage with a third-party vendor such as 8A Payments to provide software or services relating to the agency's CJI. Those agencies interpret solutions according to the agency's own risk acceptance standard of what is CJIS-compliant. 8A Payments's clients include government agencies across the United States. To the extent an 8A Payments client's compliance requirements exceed the minimum established by the FBI's CJIS Security Policy and conflict with the common standards followed by other 8A Payments clients, 8A Payments expects to work collaboratively with that client or those clients to arrive at a mutually agreeable approach that is consistent with the FBI's CJIS Security Policy and industry standards.
To memorialize 8A Payments's commitment to fulfilling its responsibilities under the CJIS Security Policy, 8A Payments has executed the CJIS Security Addendum. A copy of the CJIS Security Addendum that 8A Payments has signed is available for reference. Each 8A Payments employee with access to CJI is also required to sign a CJIS Security Addendum.
THE SHARED RESPONSIBILITY MODEL
CJIS compliance is a shared effort between 8A Payments and its clients and partners. Shared responsibility means that 8A Payments's clients remain responsible for managing their client-side environment(s) and their data. For example, 8A Payments's clients are responsible for at least:
User identity management;
Access control of the 8A Payments solution;
Security management and control of terminals that access cloud services, including hardware, software, applications and device rights; and
Data security (transmission and storage security, integrity protection, backup and recovery, rights and permissions).
CJIS POLICY AREAS
The CJIS Security Policy is divided into 13 policy areas. Here’s how 8A Payments addresses each:
1. Information Exchange Agreements
8A Payments's standard license agreements with the CJAs include language directed at these concepts. 8A Payments also has executed the CJIS Security Addendum, as discussed above.
2. Security Awareness Training
Employees with CJI access complete FBI-approved training. 8A Payments maintains records of security awareness training.
3. Incident Response
We follow industry-standard protocols for handling security incidents but expect clients to manage their own incidents.
4. Auditing and Accountability
8A Payments will assist its clients who are undergoing an audit by responding to client inquiries relating to that audit and providing available information in response.
5. Access Control
8A Payments has implemented advanced tools for managing access, including VPNs and secure login systems.
6. Identification and Authentication
8A Payments provides 8A Payments personnel with unique user identification credentials and requires complex passwords, which must be changed regularly.
7. Configuration Management
8A Payments limits user access credentials to 8A Payments resources authorized to access and manage CJI on behalf of 8A Payments's clients.
8. Media Protection
All CJI is encrypted during storage and transmission.
9. Physical Protection
Secure locations are designated for accessing CJI.
10. Systems and Communications Protection and Information Integrity
8A Payments takes industry-standard measures to safeguard its network and the data on 8A Payments's network. Those measures include encryption, antivirus tools, and patch management functionality.
11. Formal Audits
The FBI does not audit third-party vendors such as 8A Payments. Instead, the FBI audits law enforcement agencies, such as 8A Payments's clients. 8A Payments cooperates with its clients during such audits as necessary.
12. Personnel Security
8A Payments conducts background checks, including fingerprinting, on all 8A Payments personnel with physical or logical access to unencrypted CJI. 8A Payments maintains records of the results of those checks.
13. Mobile Devices
Agencies manage their own mobile device policies to ensure secure access to CJI.
CONCLUSION
8A Payments continuously improves its security measures to keep up with evolving standards. Our efforts include:
Appointing a CJIS security owner.
Leveraging third-party compliance resources.
Promoting a culture of compliance across our organization.
For the latest updates, visit our compliance page or contact us at info@8APayments.com.