CJIS Frequently Asked Questions

September 1, 2020

Texas Law Enforcement Agencies

1. How does the agency receive new TLETS satellite access?

New Agency Procedure
The agency will need to fill out an application for satellite access with TLETS first. When a new agency, one that does not currently have TLETS, gets their ORI approved and is looking to connect with TLETS satellite, we will travel to the agency and go over the compliance requirements for their configuration and possible future changes. New agencies are encouraged to contact us after receiving TLETS approval. We do not expect that the Agency will have the satellite equipment in place at this time. This is basically training on the requirements at this point. We will also notify the agency to set up their operator lists through TCIC Training.

The CJIS Security Office will inform IT to have the Satellite install scheduled and to generate the TCR.

In 30 to 60 days after all equipment is installed and running, The CJIS Security Office will return to the agency and audit for compliance. To receive a satellite dish application, please send email requests to tlets@dps.texas.gov.

2. What can the agency expect during the audit process?

Agency Audit Procedure
Prior to the audit at your agency, you will receive notification of the date and time of the audit and who will be doing the audit. You will receive a link for an online audit which must be completed. You will also be asked to prepare or submit the following prior to the audit:

  • Current Network Diagram

  • The agency’s policies that pertain to CJIS Security

  • The agency’s Incident Response Plan

  • The agency’s Security Alert & Advisories Process

  • Documented Security Awareness Training completed (or CJIS Online enrollment for all personnel)

  • If applicable: Management Control Agreements for Technical Services, Security Addendums, FIPS 140-2 Certificates for Encryption, Memorandum of Understanding & Inter-Agency Agreements

  • If applicable: A list of wireless devices (Example: air card number, carrier phone number, etc)

  • If applicable: Verification that any Wireless Access Points (WAP) connecting to agency’s network meet CJIS requirements

  • If applicable: Service contracts/warranties covering network components (routers/switches) which may be at or near end-of-life per the manufacturer/vendor

Following the online audit, the agency will receive an email from DPS scheduling the site visit and follow up. Upon completion, one of the following three possible emails will be sent:

If an agency is found to be compliant, they will receive an email stating that they were found to be compliant.

If an agency is non-compliant but fixes any issues during the audit, they will receive a compliant email outlining any issues corrected while the auditor was on site. This documents the non-compliance issues that were corrected and the agency is compliant.

If an agency is non-compliant, they will receive a non-compliant email. This email will describe any problems and give the policy reference for the requirement. Agencies that receive a non-compliant email must reply to the CJIS Security Office with the actions they intend to take to correct any problems and provide the date when this corrective action will be completed. The CJIS Security Office will review the agency’s response. If compliant, the agency will receive a compliant email. If still non-compliant, the agency remains in a non-compliant state until achieving compliance and receiving a compliance email.

3. What is the process to add new MDTs, additional connections or change vendors?

Agency Configuration Changes
When an agency wants to add something - workstations, MDT’s, CAD system interfaced with the TLETS system, the CJIS Security Office will apply the rules in the CJIS Security Policy. This includes changes to incorporate cloud services or adding connections such as Livescan or other devices which may process CJI. If it’s a major change, we will visit the agency first and then inform IT that the changes are authorized. If it is a minor change, the CJIS Security Office will review the additional issues caused by the change with the agency and then inform IT that the changes are authorized. For a major change, we may schedule a follow up visit in the 30 to 60 day time frame following the new equipment implementation. A network diagram may be needed for changes.

4. What is the process for an agency to add MDTs hosted by another agency?

Non-Satellite Based Computing Device Instructions
The Non-Satellite Based Computing Device Agreement describes the process and paperwork required by DPS to connect an agency behind an interface located at another agency to the DPS TLETS system. The agency with the interface is considered the “hosting” agency. The agency being connected to this interface is considered the “hosted” agency. Both the hosting and hosted agencies have responsibilities and both agencies are required to be fully compliant with the applicable policies as defined in both the CJIS Security Policy and the NCIC Operating Manual.

In some cases a vendor is involved in the process. FBI Security Addendums are required between each agency and the vendor. If an agency has signed a contract with a vendor, a Security Addendum is required. If the contract is between two governmental agencies, then a Security Addendum is not required.

This process should also be supported with a Memorandum of Understanding between the two agencies describing the relationship for using the interface to DPS. It should describe the responsibilities of each agency.

The process with DPS is as follows:

  • Hosted agency completes and signs the Non-Satellite Based Computing Device Agreement (The Agreement) and forwards it to this office (CJIS Security Office).
  • CJIS Security Office conducts a CJIS Security Policy Pre-Audit with the hosted agency.
  • Upon completing the pre-audit, DPS approves The Agreement and sends an email to both the hosting and hosted agencies.
  • CJIS Security Office notifies the TLETS Order Center the hosted agency is approved to receive TLETS via the hosting agency's connection. The hosted agency requests the user IDs from TCIC Training and forwards them to the hosted agency to ensure all operators are assigned an Omnixx user ID.
  • The TLETS Order Center will then contact via email both the hosted and hosting agencies to enable the hosted agency's TLETS connection.
  • The TLETS Order Center updates the TCR and distributes it to all interested parties.
  • The CJIS Security Office audits the hosted agency 60 to 90 days after their connection is enabled and triennially thereafter for compliance.

5. What steps must the agency do to have a satellite moved?

Agency Moves
Contact the TLETS Order Center to start the move process. The CJIS Security Office will have a conversation with the agency about being compliant in the new building. Following this conversation, the CJIS Security Office will then inform the TLETS Order Center that the move is authorized. TLETS will schedule the Satellite move. The CJIS Security Office will schedule a follow up visit 30 to 60 days after the move is complete.

6. What process do I need to follow for IT staff and IT vendor finger print based background checks?

Please send all inquiries and/or questions regarding F.A.C.T., F.A.S.T. or the fingerprint process to Fingerprint Service or you may call (512) 424-2365 and select the appropriate option from the menu.

7. What is the process to report a computer virus or Malware Incident at the agency?

The agency should refer to their Incident Response Plan first. The agency should contact their internal IT support next to determine the extent of the computer virus breakout. The computer should be isolated from other functional computers by disconnecting the network cable, but not unplugged from power. The agency should contact the DPS OIC next to inform us of the computer virus and what steps have been taken so far. Contact the OIC at 1-800-638-5387 (1-800-63-TLETS) so the agency’s traffic can be re-routed if necessary while the computer is sanitized. The agency will remain re-routed until a CJIS Technical Auditor approves the reconnection to the TLETS network.

Agencies may refer to our documents section here to obtain an Incident Response Form if one is not available locally.

8. What is considered CJIS?

Criminal Justice Information is the abstract term used to refer to all of the FBI CJIS provided data necessary for law enforcement agencies to perform their mission and enforce the laws, including but not limited to: biometric, identity history, person, organization, property (when accompanied by any personally identifiable information), and case/incident history data. In addition, CJI refers to the FBI CJIS-provided data necessary for civil agencies to perform their mission; including, but not limited to data used to make hiring decisions. The following type of data are exempt from the protection levels required for CJI: transaction control type numbers (e.g. ORI, NIC, UCN, etc.) when not accompanied by information that reveals CJI or PII

Law Enforcement Agency Vendor

1. What is the CJIS Security Policy and where can I locate a copy?

The CJIS Security Policy provides Criminal Justice Agencies (CJA) and Noncriminal Justice Agencies (NCJA) with a minimum set of security requirements for the access to Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Division systems and information and to protect and safeguard Criminal Justice Information (CJI). This minimum standard of security requirements ensures continuity of information protection. The essential premise of the CJIS Security Policy is to provide the appropriate controls to protect CJI, from creation through dissemination; whether at rest or in transit.

The latest CJIS Security Policy is available on our website as listed here and is also available via the FBI CJIS website.

2. What other CJIS related documents does my company need to know about working with law enforcement agencies in Texas?

Contracting personnel will need to complete the CJIS Security Addendum, pass and clear a finger print based background check and be made aware of these regulating codes.

Additional guidance and documentation to assist solution providers is available for review here.

3. Does my company need to have Security Awareness Training for the CJI access we receive?

Yes, personnel that have access to equipment that stores, processes or transmits CJI data must meet Security Awareness Training requirements. The training should be documented and repeated every two years.

4. Do company employees need to have fingerprints submitted for each Security Addendum at each law enforcement agency?

Not within Texas. One set of good, cleared fingerprint results is only needed for the contracted agencies within Texas. If prints are rejected, then another set of prints will need to be done. The submitting law enforcement agency that the company has a signed contract with will receive the results. An FBI Certification page is required for each person per each signed Security Addendum with the individual law enforcement agency.