Sample Agreements & Policy Templates

September 1, 2020

This section compiles all sample agreements and NIST policy templates maintained by the Texas CJIS Security Office. These templates are provided to help Texas criminal justice agencies comply with the FBI CJIS Security Policy (CJISSECPOL).

Each sample is a starting point; customize it with your agency's specific procedures, personnel, and technical environment before adopting it.

How to Use and When to Use These Documents

  • Browse by category using the sections below
  • Review the description and "When to use" guidance for each template
  • Download the actual template file from the DPS CJIS Documents page
  • Customize with your agency's specifics — do not use unedited
  • Have it reviewed and approved through your agency's policy process


Sample Management Control Agreements

Management Control Agreements (MCAs) are required whenever a non-criminal-justice agency or contractor performs duties for a criminal justice agency that involve access to Criminal Justice Information (CJI). These templates provide a starting point for formalizing that relationship.

Management Control Agreement – Dispatch Services – Sample (DOC)
Sample agreement template for arrangements where an external entity provides dispatch services for a criminal justice agency.
When to use: Your agency is contracting out 911 or dispatch operations to another agency, city, county, or private service provider with access to CJI.

Management Control Agreement – Technical Services – Sample (DOC)
Sample agreement template for arrangements where an IT or technical vendor provides services that involve access to CJI systems or data.
When to use: You are engaging an IT contractor, MSP, cloud vendor, or technical consultant whose personnel will have access to systems processing CJI.


Sample NIST Policies (Templates)

The following 15 sample policies align with NIST control families required under the CJIS Security Policy. Each is intended as a template your agency can adapt to its specific operations, size, and technical environment.

IMPORTANT: These samples are starting points, not final policies. Every template must be reviewed, customized, and formally adopted through your agency's policy process before it takes effect.

NIST Access Control Policy - Sample (DOCX)
Defines how user access to systems containing Criminal Justice Information is granted, reviewed, modified, and revoked. Covers account types, privileges, separation of duties, and session management.
When to use: Establishing your agency's baseline rules for who can access CJI systems and under what conditions.

NIST Awareness and Training Policy (AT) – Sample (DOCX)
Outlines the security awareness and role-based training program for all personnel with access to CJI. Includes required training frequency, topics, and documentation.
When to use: Building or updating your annual CJIS security awareness training program.

NIST Auditing and Accountability Policy – Sample (DOCX)
Establishes requirements for generating, reviewing, and retaining audit logs. Covers what events are logged, how long logs are kept, and who reviews them.
When to use: Setting up logging and monitoring standards for systems that process, store, or transmit CJI.

NIST Configuration Management Policy – Sample (DOCX)
Governs how system configurations are established, documented, maintained, and changed. Covers baseline configurations, change control, and approval processes.
When to use: Defining how your agency manages hardware, software, and system configuration changes for CJI systems.

NIST Identification and Authentication Policy – Sample (DOCX)
Defines requirements for uniquely identifying users and authenticating them before granting access. Covers MFA, password standards, and credential management.
When to use: Setting password rules, multi-factor authentication requirements, and identity verification for CJI users.

NIST Incident Response Policy – Sample (DOCX)
Establishes procedures for detecting, responding to, and recovering from security incidents. Covers roles, escalation paths, notification timelines, and post-incident review.
When to use: Preparing your agency to respond to a data breach, ransomware attack, or other security incident involving CJI.

NIST Maintenance Policy – Sample (DOCX)
Addresses how system maintenance is performed, including scheduled maintenance, remote maintenance, and use of external maintenance personnel.
When to use: Governing how vendors and internal staff perform maintenance on systems handling CJI — including remote support sessions.

NIST Media Protection Policy - Sample (DOCX)
Covers the handling, storage, transport, sanitization, and destruction of both digital and physical media containing CJI.
When to use: Managing hard drives, USB drives, printouts, and backup tapes containing CJI — including end-of-life disposal.

NIST Personnel Security Policy – Sample (DOCX)
Establishes security requirements for personnel, including background checks, access authorization, role assignment, and procedures for transfers or terminations.
When to use: Managing the security lifecycle of employees and contractors from hire to separation.

NIST Physical and Environmental Protection Policy - Sample (DOCX)
Addresses physical access controls, visitor management, protection from environmental hazards, and the security of rooms housing CJI systems.
When to use: Securing data centers, server rooms, dispatch centers, and any physical location housing CJI systems.

NIST Planning Policy – Sample (DOCX)
Establishes a framework for developing, documenting, and maintaining security plans that describe the controls in place for CJI systems.
When to use: Creating formal System Security Plans (SSPs) for systems that process, store, or transmit CJI.

NIST System and Communications Protection Policy – Sample (DOCX)
Addresses protection of system boundaries, secure communications, encryption, and protection of transmitted CJI.
When to use: Implementing network segmentation, firewall rules, and encryption standards for CJI data in transit.

NIST System and Information Integrity Policy - Sample (DOCX)
Covers flaw remediation, malicious code protection, system monitoring, and the integrity of information stored or processed on CJI systems.
When to use: Managing patching, antivirus/EDR, and monitoring tools to protect against malware and ensure data integrity.

NIST System and Services Acquisition Policy – Sample (DOCX)
Addresses the acquisition of information systems and services, including requirements for vendors, software development, and supply chain risk management.
When to use: Evaluating and procuring new systems, software, or services that will handle CJI — including cloud services.

NIST Risk Assessment Policy - Sample (DOCX)
Defines the process for identifying, analyzing, and documenting security risks to CJI systems and the agency's overall security posture.
When to use: Conducting periodic risk assessments to identify threats and vulnerabilities to CJI systems.