CJIS Documentation

This document is provided solely for informational purposes by M&M Micro Systems, Inc. It is offered as is, without any expressed or implied warranties. Nothing in this document creates a contractual obligation, commitment, or guarantee from M&M Micro Systems Inc. The company’s duties and responsibilities to clients are defined exclusively by the executed agreements between M&M Micro Systems Inc. and each client.

The information below outlines M&M Micro Systems Inc. CJIS practices. These practices may evolve as regulations or operational needs change, and updates may be made at M&M Micro’ Systems Inc. discretion. Clients and potential partners should independently assess this information and their own compliance obligations.

1. Overview
The Criminal Justice Information Services (CJIS) Security Policy sets forth the minimum security standards required for agencies that access or handle Criminal Justice Information (CJI).
M&M Micro Systems Inc. serves both Criminal Justice Agencies (CJAs) and Non-Criminal Justice Agencies (NJCAs) that utilize M&M Micro Systems Inc. solutions to process or store CJI. Because of this, M&M Micro Systems Inc. and its clients share responsibilities under the CJIS framework.

M&M Micro Systems Inc. supports policies by:
- Coordinating fingerprint background checks for employees with CJI access.
- Executing CJIS Security Addendum agreements with applicable clients.
- Implementing industry-recognized safeguards that align with FBI CJIS Security Policy For reference.

The full FBI CJIS Security Policy is available on the FBI’s CJIS Security Policy Resource Center.

2. Understanding Criminal Justice Information (CJI)
CJI encompasses all FBI CJIS-provided data required for law enforcement and related civil functions, including:
- Biometric and identity history information
- Personal, organizational, property, and case/incident data
- Records used for hiring or eligibility determinations in civil contexts

CJI must remain protected until it is either officially released to the public or properly destroyed according to record retention regulations.

3. Protection and Compliance
There is no official CJIS certification process. Any vendor claiming to be “CJIS certified” is misrepresenting the policy.
CJAs and NJCAs bear responsibility for maintaining compliance, even when engaging third-party providers. Each agency determines its own risk tolerance and interpretation of CJIS compliance standards.

M&M Micro Systems Inc. partners closely with agencies to meet both the baseline FBI requirements and any agency-specific expectations. Where clients’ needs exceed standard measures, M&M Micro Systems Inc. collaborates to establish reasonable, compliant solutions. At the time of installation, M&M Micro Systems Inc. explains the CJIS practices to the agency.

M&M Micro and all employees with CJI access execute the CJIS Security Addendum, affirming adherence to FBI-mandated obligations.

4. Shared Responsibility Model
Clients are responsible for managing and securing their own environments and data, especially when using a local server. This includes:
- Managing user identities and access control
- Enforcing terminal and device security
- Protecting data during transmission and storage
- Maintaining backups and recovery mechanisms

5. CJIS Policy Areas and M&M Micro Systems Inc. Practices
- M&M Micro Systems Inc. agreements include appropriate CJIS-related provisions.
- Employees with CJI access must complete and maintain FBI-approved CJIS Level 4 security training. Training records are maintained and audited periodically by the agency.
- Agencies should maintain incident response programs.
- Audit trails must be available for defined security events. M&M Micro Systems Inc. provides documentation and responses relevant to iSOMS access.
- M&M Micro Micro Systems Inc. urges multi-factor authentication; VPNs can be used to ensure controlled access to internal and hosted environments. Wireless and mobile connectivity should include multi-factor authentication.
- M&M Micro Systems Inc. recommends all personnel have unique credentials and are required to use complex passwords with regular rotation and monitoring.
- CJI in any form should be encrypted and protected in transit and at rest. Caution should be used when using third party texting or email services.
- Designated secure facilities restrict access to areas where CJI is processed or stored is recommended.
- Network integrity should be maintained using encryption, antivirus tools, intrusion prevention systems, and regular patch management.
- The FBI audits agencies directly, not vendors. M&M Micro Systems Inc. will assist with client agencies during FBI or state-level audits.
- Agencies are responsible for managing mobile access policies, including encryption, authorization, and wireless controls.

M&M Micro Systems inc. has a long-term commitment to protecting Criminal Justice Information and supporting agency partners in their compliance efforts. Data security is evolving and CJIS compliance requirements may change. We encourage each agency to reflect CJIS requirements periodically.