Texas Law Enforcement Agencies
New Agency Procedure
The agency will need to fill out an application for satellite access with TLETS first. When a new agency, one that does not currently have TLETS, gets their ORI approved and is looking to connect with TLETS satellite, we will travel to the agency and go over the compliance requirements for their configuration and possible future changes. New agencies are encouraged to contact us after receiving TLETS approval. We do not expect that the Agency will have the satellite equipment in place at this time. This is basically training on the requirements at this point. We will also notify the agency to set up their operator lists through TCIC Training.
The CJIS Security Office will inform IT to have the Satellite install scheduled and to generate the TCR.
In 30 to 60 days after all equipment is installed and running, the CJIS Security Office will return to the agency and audit for compliance. To receive a satellite dish application, please send email requests to firstname.lastname@example.org.
Agency Audit Procedure
Prior to the audit at your agency, you will receive notification of the date and time of the audit and who will be doing the audit. You will also be asked to prepare the following prior to the audit:
Following the audit, the agency will receive an email from DPS explaining the results. One of the following three possible emails will be sent:
If an agency is found to be compliant, they will receive an email stating that they were found to be compliant.
If an agency is non-compliant but fixes any issues during the audit, they will receive a compliant email outlining any issues corrected while the auditor was on site. This email documents the non-compliance issues that were corrected and confirms that the agency is compliant.
If an agency is non-compliant, they will receive a non-compliant email. This email will describe any problems and give the policy reference for the requirement. Agencies that receive a non-compliant email must reply to the CJIS Security Office with the actions they intend to take to correct any problems and provide the date when this corrective action will be completed. The CJIS Security Office will review the agency’s response. If compliant, the agency will receive a compliant email. If still non-compliant, the agency remains in a non-compliant state until achieving compliance and receiving a compliance email.
Agency Configuration Changes
When an agency wants to add something – workstations, MDTs, or a CAD system interfaced with the TLETS system – the CJIS Security Office will apply the rules in the CJIS Security Policy. If it’s a major change, we will visit the agency first and then inform IT that the changes are authorized. If it is a minor change, the CJIS Security Office will review the additional issues caused by the change with the agency and then inform IT that the changes are authorized. For a major change, we may schedule a follow-up visit in the 30 to 60 day time frame following the new equipment implementation. A network diagram may be needed for changes.
Non-Satellite Based Computing Device Instructions
The Non-Satellite Based Computing Device Agreement describes the process and paperwork required by DPS to connect an agency behind an interface located at another agency to the DPS TLETS system. The agency with the interface is considered the “hosting” agency. The agency being connected to this interface is considered the “hosted” agency. Both the hosting and hosted agencies have responsibilities and both agencies are required to be fully compliant with the applicable policies as defined in both the CJIS Security Policy and the NCIC Operating Manual.
In some cases a vendor is involved in the process. FBI Security Addendums are required between each agency and the vendor. If an agency has signed a contract with a vendor, a Security Addendum is required. If the contract is between two governmental agencies, then a Security Addendum is not required.
This process should also be supported with a Memorandum of Understanding between the two agencies describing the relationship for using the interface to DPS. It should describe the responsibilities of each agency.
The process with DPS is as follows:
Contact the TLETS Order Center to start the move process. The CJIS Security Office will have a conversation with the agency about being compliant in the new building. Following this conversation, the CJIS Security Office will then inform the TLETS Order Center that the move is authorized. TLETS will schedule the Satellite move. The CJIS Security Office will schedule a follow-up visit 30 to 60 days after the move is complete.
Please send all inquiries and/or questions regarding F.A.C.T., F.A.S.T. or the fingerprint process to Fingerprint Service or you may call (512) 424-2365 and select the appropriate option from the menu.
The agency should refer to their Incident Response Plan first. The agency should contact their internal IT support next to determine the extent of the computer virus outbreak. The computer should be isolated from other functional computers by disconnecting the network cable, but not unplugged from power. The agency should contact the DPS OIC next to inform us of the computer virus and what steps have been taken so far. Contact the OIC at 1-800-638-5387 (1-800-63-TLETS) so the agency’s traffic can be re-routed while the computer is sanitized. The agency will remain re-routed until a CJIS Technical Auditor approves the reconnection to the TLETS network.
At this time, please do not update the version of Java if the TLETS / Omnixx system is functional.
TxDPS is working to upgrade to a more current Omnixx version that will utilize a newer version of Java and work better with Windows 7; however, we do not know when it will be available.
In the meantime, this is our stance:
CJIS Security Compliance
DPS will not find an agency to be out of compliance with the CJIS security policy if the cause of the potential violation is out of the control of the agency in question (or out of control of the entity that provides IT related services to that agency). However, this exception only applies to applications deemed to be mission critical by the CSO. In the case of Omnixx, the CSO recognizes that computers utilizing JAVA 6 are not compliant with the CJIS security policy; however, since Omnixx is a mission critical application whose technical configuration is outside the control of the agency using it, the agency in question will not be found to be non-compliant because they have JAVA 6 installed in support of Omnixx.
DPS is in the process of upgrading Omnixx so that it will be fully compliant with the CJIS security policy.
In order to avoid vulnerabilities associated with earlier versions of JAVA, DPS suggests that agencies utilize computers with legacy versions of JAVA only to support Omnixx (if possible) and isolate those computers from the rest of their local network.
Law Enforcement Agency Vendor
The CJIS Security Policy provides Criminal Justice Agencies (CJA) and Noncriminal Justice Agencies (NCJA) with a minimum set of security requirements for the access to Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Division systems and information and to protect and safeguard Criminal Justice Information (CJI). This minimum standard of security requirements ensures continuity of information protection. The essential premise of the CJIS Security Policy is to provide the appropriate controls to protect CJI, from creation through dissemination; whether at rest or in transit.
The CJIS Security Policy is available on our website and the FBI CJIS website.
Contracting personnel will need to complete the CJIS Security Addendum, pass and clear a fingerprint-based background check, and be made aware of these regulating codes.
Yes, personnel that have access to equipment that stores, processes or transmits CJI data must meet Security Awareness Training requirements. The training should be documented and repeated every two years.
Not within Texas. One set of good, cleared fingerprint results is only needed for the contracted agencies within Texas. If prints are rejected, then another set of prints will need to be done. The submitting law enforcement agency that the company has a signed contract with will receive the results. An FBI Certification page is required for each person per each signed Security Addendum with the individual law enforcement agency.