HomeMy WebLinkAboutCAG2020-406 - Original - WSP - 2021 WSP ACCESS User Acknowledgement - 01/01/2021WASHTNGTON STATE PATROL (WSP)
A Central Gomputerized Enforcement Service System (ACCESS)
USER ACKNOWLEDGMENT
l. lntroduction
Since its inception, the National Crime lnformation Center (NCIC) has operated under a
shared management concept between the Federal Bureau of lnvestigation (FBl) Criminal
Justice lnformation Services (CJIS) Division and state users. The NCIC Advisory Policy
Board established a single state agency in each state to assume responsibility as the NCIC
CJIS Systems Agency (CSA) for all agencies within the state. The CSA is responsible for
the planning of necessary hardware, software, funding, security, auditing, and training of all
authorized agencies within the state for complete access to FBI CJIS systems. The CJIS
Systems include, but are not limited to: the lnterstate ldentification lndex (lll); NCIC; Uniform
Crime Reporting (UCR); summary or incident-based reporting to the National lncident-
Based Reporting System (NIBRS); Fingerprint ldentification Record System; National Data
Exchange (N-DEx); Law Enforcement Enterprise Portal (LEEP); and the National lnstant
Criminal Background Check System (NICS). The WSP Criminal Records Division (CRD)
Administrator is designated as the NCIC CJIS Systems Officer (CSO). The FBI CJIS
Division requires the CSO to manage the following:
1. Operational, technical, and investigative assistance.
2. Telecommunications lines to state, federal and regulatory interfaces.
3. Legal and legislative review of matters pertaining to all CJIS systems.
4. Timely information regarding all aspects of CJIS systems and other related programs
by means of the ACCESS Operations Manual, NCIC Operating Manual, NCIC Code
Manual, CJIS Security Policy, Technical and Operational Updates (TOU), and
related documents.
5. Training and training materials to all participating agencies.
6. System security to include physical security, personnel, and all technical aspects of
security as required in the CJIS Security Policy.
The following documents are incorporated by reference and made part of this user
acknowledgment:
1. ACCESS Operations Manual http ://www.ws p.wa. qov/u red/access/manuals. htm
2. CJIS Security Policy: https://www.fbi.qov/services/ciis/ciis-securitv-policv-resource-
center/view
3. U.S. Code of Federal Regulations, Title 28, Part20
4. Applicable federal and state laws and regulations; ACCESS/ìiVAC|C rules,
regulations, and policies as recommended by the ACCESS Section
ll. Primary Connection and Originating Agency ldentifier (ORl) lssuance
All agencies that inquire on or enter data into ACCESS must have a primary connection to
ACCESS and a signed WSP ACCESS User Acknowledgment on file prior to adding
secondary connections such as regional management systems. Agencies must ensure that
all system use, through both the primary or secondary connections, remain in compliance
with ACCESS and FBI CJIS rules.
2021 WSP ACCESS User Acknowledgment
1
The CSO will coordinate the assignment of new ORI numbers, the change in ORI location or
address, and any other changes, cancellations, or retirements of ORls accessing
WACIC/NCIC. The assignment of an ORI to an agency is not a guarantee of access to the
state and federal systems. The CSA makes the final determination of who may access
WACIC/NCIC based on the standards provided by the CJIS Security Policy and
determination of an agency's administration of criminaljustice. Any requests for additional
ORls by an agency will be forwarded to the ACCESS Section, who will conduct a short audit
of the agency to verify compliance standards are being met. See the ACCESS Operations
Manual lntroduction for more information.
lll. lndemnification
The parties acknowledge that each party is liable for the negligent or wrongful acts or
omissions of its agents and employees while acting within the scope of their employment as
permitted by applicable law, including, but not limited to, the FederalTort Claims Act, 28 U.S.C
Section 1 346(b), 2401 -2416.
lV. Admi nistrative Responsibil ities
The agency shall respond to requests for information by the FBI CJIS Division or ACCESS
in the form of questionnaires, surveys, or similar methods, to the maximum extent possible,
consistent with any fiscal, time, or personnel constraints of that agency.
All agencies are required to have formalized written procedures for the following, if
applicable: validations, hit confirmation, criminal history use and dissemination, ACCESS
misuse, record entry (for all record types entered into WACIC and NCIC), rebackground
investigations, password management, disposal of media, physical protection, NICS appeal
process, and a network drawing.
The CSO provides system training to agencies accessing WACIC/NCIC through the state
computer system. lf employees are using inquiry only functions, they must attend Level 1
certification training. Employees entering information into the WACIC/NCIC system must
attend Level 2 certification training. All certifications must be acquired within six months of
hire date and renewed bienniallY.
Security awareness training is required within six months of initial assignment, and biennially
thereafter, for all personnel (who are not ACCESS certified)that have unescorted access to
Criminal Justice lnformation (CJl), or to the secure area where CJI is stored. This includes
agency employees, custodial staff, lnformation Technology (lT) staff, upper management,
etc. Records of individual basic security awareness training shall be documented, kept
current, and maintained by each agency for review during the triennial ACCESS or
Technical Security audit.
A Terminal Agency Coordinator (TAC) must be assigned for each terminal agency. This
person is the Point of Contact (POC) for the agency. A TAC must maintain a Level 2
ACCESS certification. The TAC retains the responsibility of ensuring his/her agency is in
compliance with state and FBI CJIS Division policies and regulations. A TAC must attend
TAC training within six months of being assigned the TAC duties and then at least once
every three years thereafter. The TAC may attend multiple classes, if desired.
For those agencies providing ACCESS services through regional computer systems to
outside agencies, the TAC shall be responsible for the dissemination of all administrative
messages received on the 24 hour printer to those agencies.
2021 WSP ACCESS User Acknowledgment
The CSO provides the criminaljustice community with the current ACCESS Operations
Manual, NCIC Operating Manual, NCIC Code Manual, and CJIS Security Policy. The TAC
will be notified immediately of any updates. The agency shall incorporate such changes
when notified. lnformation is provided via email and can be found on the ACCESS website
at the following link: http://un¡vw.wsp.wa.qov/ secured/access/access.htm.
V. Fees
Every criminaljustice agency that has a connection to the ACCESS switch is responsible for
fees associated with the amount of transactions processed. All fees are transaction based.
See the Fee Explanation for the current rates.
htto ://www.wsp.wa. qov/ secu red/access/access. htm
VI. Criminal Justice lnformation (CJl) Responsibilities
Each agency shall conform to system policies, as established by the FBI CJIS Division and
ACCESS, before access to CJI is permitted. This will allow for control over the data and
give assurance of system security.
1. The rules and procedures governing terminal access to CJI shall apply equally to all
participants in the system.
2. All criminaljustice agencies with ACCESS terminals and access to computerized CJI
data from the system shall permit an FBI CJIS Division and an ACCESS audit team
to conduct appropriate audits. Agencies must cooperate with these audits and
respond promptly.
3. All terminals interfaced directly with the ACCESSA/VACIC/NCIC systems for the
exchange of CJI must be under the management control of a criminaljustice agency,
as defined by the CJIS Security Policy.
4. All agencies must ensure they provide all required information when running criminal
justice information.
5. WSP retains access to all agency criminal history logs through the ACCESS System.
Secondary dissemination of criminal history must be logged by the agency.
Vll. Prohibition on Use for lmmigration Enforcement Activities
Under Washington's Keep Washington Working (lffW) law, RCW 10.93.160, state and
local law enforcement agencies are generally prohibited from enforcing federal immigration
law. This prohibition is in recognition of the fact that, standing alone, an individual's
unauthorized presence in the United States is not a violation of state or local law.
Therefore, to comply with KWW, no criminaljustice agency shall use or share ACCESS, or
any information obtained through ACCESS, to support or engage in immigration
enforcement activities. The prohibition on information sharing includes place of birth,
present location, release date from detention, if applicable, and family members' names,
absent a court order, judicial warrant, or as may be required by the Public Records Act
(PRA), chapter 42.56 RCW. lncidents of disclosure of such personal information shall be
considered a breach this agreement and shall be reported to a designated WSP official.
Vlll. Record Entry Responsibilities
Record Quality
Criminaljustice agencies have a specific duty to maintain records that are accurate,
complete, and current. ACCESS recommends agencies conduct self-audits as a means of
verifying the completeness and accuracy of the information in the system. These self-
2021 WSP ACCESS User Acknowledgment
assessments should be on a continual basis to ensure both quality assurance and
compliance with standards. Errors discovered in NCIC records are classified as serious
errors or non-serious errors.
Serious errors: FBI CJIS will cancel the record and notify the entering agency via
administrative message. The message provides the entire canceled record and a
detailed explanation of the reason for cancellation.
Non-serious errors: The CSA notifies the ORI by email of the corrective action to be
taken. No further notification or action will be taken by the CSA, unless the CSA deems
it appropriate.
Timeliness
WACIC/NCIC records must be entered promptly to ensure maximum system effectiveness
Records must be entered according to standards defined in the ACCESS Operations
Manual.
Accuracy and Gompleteness
The accuracy of WACIC/NCIC data must be double checked and documented, including the
initials and date by a second party. This must be done within seven days of the initial entry.
The verification should include assuring the data in the WACIC/NCIC record matches the
data in the investigative report and that other checks were made. Agencies lacking support
staff for second party checks should require the case officer to check the record.
Complete records of any kind include all information available on the person or property at
the time of entry, othenruise known as "packing the record". Complete inquiries on persons
include numbers that could be indexed in the record (i.e. Social Security Number (SSN),
Vehicle ldentification Number (VlN), Operator's License Number (OLN), etc.). lnquiries
should be made on all names/aliases used by the suspect. Complete vehicle inquiries
include VIN and license plate numbers.
Record Validations
WACIC/NCIC validation listings are prepared pursuant to a schedule, as published in the
ACCESS Operations Manual. These listings are distributed to the originating agency via
CJIS Validations.
Validation requires the originating agency to confirm the record is complete, accurate, and
active. Validation is accomplished by reviewing the original entry and current supporting
documents and correspondence with any appropriate complainant, victim, prosecutor, court,
motor vehicle registry files, or other appropriate source or individual. Validation efforts must
be well documented. Validation efforts include what was done to complete the validation of
the individual record. Documentation of phone calls, letters, dates and dispositions need to
be included with each record that was validated. Many agencies document this information
in the case file. ln the event the agency is unsuccessful in its attempts to contact the victim,
complainant, etc., the entering agency must make a determination based on the best
information and knowledge available whether or not to retain the original entry in the file.
The agency must review the validation list found within CJIS Validations. Once all of the
recordl have been processed the system will advise ACCESS once they are complete. lf
the CSA is notified the records have not been validated within the specified period of time,
the CSA will purge all records which are the subject of that agency's validation listings from
2021 WSP ACCESS User Acknowledgment
WACIC and NCIC
lX. Security Responsibilities
Technical Roles and Responsibilities
All agencies participating in ACCESS must comply with and enforce system security.
Each interface agency (city, county, or other agency) having access to a criminaljustice
network must have someone designated as the technical security POC. A criminaljustice
network is a telecommunications infrastructure dedicated to the use by criminaljustice
entities exchanging criminaljustice information. The technical security POCs shall be
responsible for the following:
1. ldentifying the user of the hardware/software and ensuring that no unauthorized
users have access to the same.
2. ldentifying and documenting how the equipment is connected to the state system.
3. Ensuring that personnel security screening procedures are being followed as stated
in the CJIS Security Policy.
4. Ensuring that appropriate hardware security measures are in place.
5. Supporting policy compliance and keeping the WSP lnformation Security Officer
(lSO) informed of security incidents.
Security Enforcement
Each interface agency is responsible for enforcing system security standards for their
agency, in addition to all of the other agencies and entities to which the interface agency
provides CJIS and Washington State Department of Licensing (DOL) records information.
Authorized users shall access CJIS and DOL systems and disseminate the data only for the
purpose for which they are authorized. Each criminaljustice and non-criminaljustice
agency authorized to access FBI CJIS systems and DOL shall have a written policy for the
discipline of policy violators.
Physical Security
A physically secure location is a facility, a criminaljustice conveyance, or an area, a room,
or a group of rooms within a facility with both the physical and personnel security controls
sufficient to protect CJI and associated information systems. The physically secure location
is subject to criminaljustice agency management control.
The perimeter of a physically secure location shall be prominently posted and separated
from non-secure locations by physical controls.
All personnelwith access to computer centers, terminal areas, and/or areas where
unencrypted CJIS information is housed shall either be escoÉed by authorized personnel at
all times or receive a fingerprint-based background check and view security awareness
training prior to being granted access to the area.
Personnel Security
To verify identification, a state of residency and national fingerprint-based record checks
shall be conducted prior to employment or assignment for all personnel who have
authorized access to FBI CJIS systems and those who have direct responsibility to configure
and maintain computer systems and networks with access to FBI CJIS systems. All
requests for system access shall be made as specified by the CSO. The CSO or their
2021 WSP ACCESS User Acknowledgment
official designee is authorized to approve CJIS systems access. All official designees to the
CSO shall be from an authorized criminaljustice agency. lf a record of any kind exists,
access to CJI shall not be granted until the CSO or his/her designee reviews the matter to
determine if access is appropriate. The agency is required to request a variance from the
cso.
Support personnel, contractors, and custodial workers who access computer terminal areas
shall be subject to a Washington state and nationalfingerprint-based background check and
view the security awareness training, unless these individuals are escorted by authorized
personnel at all times. Authorized personnel are those persons who have passed a
Washington state and national fingerprint-based background check and have been granted
access. These personnel must be employed by the criminal justice agency or part of the lT
Department that provides a criminaljustice function for the criminaljustice agency.
Private ContractorsA/endors
Private contractors shall be permitted access to CJIS record information systems pursuant
to an agreement which specifically identifies the contractor's purpose and scope ofproviding
services for the administration of criminaljustice. The agreement between the criminal
justice government agency and the private contractor shall incorporate the CJIS Security
Addendum approved by the Director of the FBl, found at
https://www.fbi.qov/servicesiciis/ciis'securitv-policv-resource-center/view
User shall download the latest Addendum at least annually and conform to its requirements.
Private contractors who perform the administration of criminaljustice shall meet the same
training and certification criteria required by governmental agencies performing a similar
function, and shall be subject to the same extent of audit review as are local user agencies.
Hit Confirmation
Any agency that enters a record into WACIC/NCIC has the duty to promptly respond with
the necessary confirmation of the hit and other details. They must furnish a response within
a specific time period. Valid hit confirmation is based on two levels of priority:
Priority 1: Urgent
The hit must be confirmed within ten minutes. ln those instances where the hit is the
only basis for detaining a suspect or the nature of a case requires urgent confirmation of
a hit, priority 1 should be specified.
Priority 2: Routine
The hit must be confirmed within one hour. Generally, this priority will be used when the
person is being held on local charges, property has been located under circumstances
where immediate action is not necessary, or an urgent confirmation is not required.
X. Compliance Audits
The FBI CJIS Division requires triennial audits be conducted by the CSA to review CJIS
standards of compliance and provide recommendations for best business practices. WSP
audit staff provide three types of reviews:
1. Agency Gompliance Review: WSP Auditors conduct an administrative interview
with the TAC. The interview includes questions to determine adherence to
WACI C/NCIC policy requirements including:
2021 WSP ACCESS User Acknowledgment
b
a. System Administration
b. System lntegrity
c. Hit Confirmation
d. Record lntegrity
e. Criminal Historyf. Nrcs
g. N-DEx
h. Written Procedures
i. Validations
2. Data Quality Review: WSP Auditors conduct an on-site data quality review.
Auditors compare WACIC/NCIC records against agency case files. Auditorscheck
for accuracy, completeness, and verify entry and removal practices. The auditors
document records with errors for the agency to update.
3. Auditor Recommendations for Best Practices: WSP Auditors provide a
compliance report of information received during the interview and data quality
review. They provide recommendations for best business practices.
XI. Technical Security Audits
The agency is responsible for compliance to technical standards set forth by ACCESS and
the CJIS Security Policy. Technical Security Audits will follow the WACIC/NCIC triennial
audit schedule.
1. Agency Gompliance Review: The WSP peforms security audits addressing the
following compliance areas:
a. Personnel security
b. CJIS security incident reporting
c. Configuration management
d. Media protection (physical and electronic)
e. Physical protection
f . Session lock
g. System and communications protection and information integrity
h. Boundary protection
i. Malicious code protection
j. Event logging
k. System use notification
l. Patch management
m. ldentification and authentication
n. Wireless devices - mobile / bluetooth / cellular
o. Handheld mobile devices
p. Cloud computing
2021 WSP ACCESS User A,cknowledgment
7
WSP ACCESS USER ACKNOWLEDGMENT
As an agency head/director, I hereby acknowledge the duties and responsibilities as set forth in
this WSP ACCESS User Acknowledgment, as well as those documents incorporated by
reference. I acknowledge that these duties and responsibilities have been developed to ensure
the reliability, confidentiality, completeness, and accuracy of all records contained in or obtained
by means of the WACIC/NCIC system. I also acknowledge that a failure to comply with these
duties and responsibilities will subject my agency to various sanctions. These sanctions may
include the termination of ACCESS^/VACIC/NCIC services to my agency.
I further understand Department of Llcensing (DOL) may review activities of any person who
receives vehicle, vessel, and firearm record information to ensure compliance with limitations
imposed on the use of the information. The DOL shall suspend or revoke for up to five years the
privilege of obtaining information of a person found to be in violation of Revised Code of
Washington (RCW) 42.56, RCW 46.12, or the user agreement with DOL. I understand misuse
of this information is a gross misdemeanor and is punishable by a fine not to exceed $10,000 or
by imprisonment in a county jail not to exceed one year, or both such fine and imprisonment for
each violation. RCW 46.12.640.
Please return a copy of this signature page to the WSP ACCESS Secfíon.
2021 WSP ACCESS User Acknowledgment
B
Agency Name:
Kenl ill,o )"*,/^r,l
oRt I
UA ot-t ozoo
Agency Head Name
(printed):
Agency Head Email:
r ilaàìll. @ L.4r^ ..ñov
Agency Head Telephone
Number:
T-
lasJ sE6- sB 1o
u/
Agency Head Signature:?¿¿z /rh Date:
n-lb-Ao