Memo

 

Date 5-23-18

To Attorney Janet Ainsworth

From Versie Jones, BA Auditor

Agency US Immigration and Customs Enforcement

Subject COLLECT FBI CJ IS User Agreement for Criminal Justice Agencies

 

 

 

 

 

 

 

 

Dear Attorney Ainsworth:

Please ?nd partially executed COLLECT and FBI CJIS User Agreement for access to criminal justice
information (CH).

The US ICE has been approved to obtain state and national name-based CJI under state and federal law.
Before providing CJI, the FBI requires the State Police to execute an information exchange agreement. The
written agreement shall specify the FBI CJ IS systems and services to which the agency will have access, and
the FBI CJ IS Division policies to which the agency must adhere. The attached User Agreement meets FBI
requirements and includes FBI CJ IS Division audit requirements to ensure compliance with FBI policy.
Upon full execution please forward a copy to my unit for auditing purposes and a copy of the agreement to
the US ICE as requested.

If you have any questions or concerns, please do not hesitate to contact me 860-685-8020.

Sincerely,

Versie L. Jones

   

SHARE EE hi it}. E: ESE
?Eli"; iilzs?t Eifiifi 

E) i a i. 5; ion Etta ta a line

Connecticut On-Line Law Enforcement Communications Teleprocessing System (COLLECT)
and
Federal Bureau of Investigation (FBI)
Criminal Justice Information Services Division (CJIS)
Criminal Justice Information
User Agreement for
Criminal Justice Agencies

WHEREAS, the Division of State Police acts as the CJIS State Agency (CSA) under the authority of
the NCIC Bylaws section 1.4 for the CJIS Advisory Policy Board and Regional Working Groups approved
on October 17, 1984, the Federal Advisory Committee Act pursuant to United States Public Law 92-463 of
the 92?d United States Congress on October 6, 1972 and the CJIS Security Policy;

WHEREAS, the Division of State Police acts as the CSA for the International Justice and Public
Safety Network (NLET S) under the authority of the NLETS Constitution and Bylaws Article 11, sections 1
and 2, approved on June 27, 1985 and provides for the interstate transmission of criminal justice information
to and from agencies inside and outside of Connecticut through its link to the FBI and the 

WHEREAS, the Division of State Police is responsible for establishing and administering an
information technology security program throughout the State of Connecticut under the authority of the
Federal Information Security Management Act of 2002 (F ISMA) and in accordance with the CJIS Security
Policy;

WHEREAS, improper access, use or dissemination of COLLECT or FBI CJIS System information is
serious and may result in administrative sanctions including, but not limited to, termination of services and
state and federal criminal penalties;

NOW, THEREFORE, in consideration of the mutual covenants and conditions hereinafter stated, the
State of Connecticut Department of Emergency Services and Public Protection, Division of State Police
(hereinafter an agency of the State of Connecticut with headquarters at ilii Country Club Road,
Middletown, CT and the Hartford Sub Office of US. Immigration and Customs Enforcement with a
principal business address at 450 Main St, Hartford, CT 06103 (hereinafter ?User?), enter into this User
Agreement to set forth the User?s roles, responsibilities, and obligations with respect to the User?s access to
Connecticut On-Line Law Enforcement Communications Teleprocessing System (hereinafter 
terminal operation and COLLECT and Federal Bureau of Investigation (hereinafter Criminal Justice
Information Services Division (hereinafter CJIS or criminal justice information (hereinafter


1. Effective Date.

This Agreement shall be effective upon signature by both parties.

MAY 32018

I 2018 COLLECT User Agreement for Full Access Criminal Justice Agencies

 

2. Authority to Enter Agreement.

DESPP is authorized to enter into this agreement through the Commissioner of the Department of
Emergency Services and Public Protection, pursuant to the authority provided under C.G.S. 4-8 and the
FBI CJIS Security Policy.

3. Duration of Agreement.

This Agreement shall remain in full force and effect unless terminated by DESPP, giving User written notice
of such intention at least thirty (30) days in advance or by the User upon (30) day written notice. DESPP
reserves the right to immediately suspend or revoke access to CHRI without notice in the event of a breach
of the conditions of this Agreement. Notwithstanding any provisions in this Agreement, DESPP, through a
duly authorized employee, may terminate the Agreement whenever DESPP makes a written determination
that such termination is in the best interest of the State. DESPP shall notify User in writing of termination
pursuant to this section, which notice shall specify the effective date of termination and the extent to which
User must complete its performance under the Agreement prior to such date.

4. Modification or Amendment of the Agreement.

This Agreement may not be modified or amended unless through a writing signed by an authorized
representative of both parties.

5. De?nition.

Access to Criminal Justice Information? The physical or logical (electronic) ability, right or
privilege to view, modify or make use of CJI.

Administration of Criminal Justice -The detection, apprehension, detention, pretrial release, post-
trial release, prosecution, adjudication, correctional supervision, or rehabilitation of accused persons
or criminal offenders. It also includes criminal identification activities; the collection, storage, and
dissemination of criminal history record information; and criminal justice employment.

0.) Agency Coordinator A User member who manages an agreement between the User and a
private contractor.

Authorized Recipient-(l) A criminal justice agency (CJA) or federal agency authorized to receive
criminal history record information pursuant to federal statute or executive order; (2) A
nongovernmental entity authorized by federal statute or executive order to receive CHRI for
noncriminal justice purposes; or (3) A government agency authorized by federal statute or executive
order, or state statute which has been approved by the US Attorney General to receive CHRI for
noncriminal justice purposes.

CJIS Security Policy-The FBI CJIS Security Policy document as published by the FBI CJIS
Information Security Officer(ISO) and provides CJAs and Noncriminai Justice Agencies (NCJAS)
with a minimum set of security requirements for access to FBI CJIS Division systems and
information and to protect and safeguard I. It provides minimum security requirements associated
with the creation, viewing, modification, transmission, dissemination, storage, or destruction of ?31.
The IS Security Policy integrates presidential directives, federal laws, FBI directives, the criminal
justice community?s Advisory Policy Board (APB) decisions along with nationally recognized
guidance from the National Institute of Standards and Technology (NIST) and the National Crime
Prevention and Privacy Compact Council (Compact Council). At the consent of the advisory process,

MAY 5232018

2 2018 COLLECT User Agreement for Full Access Criminal Justice Agencies

 

and taking into consideration federal law and state statutes, the CJIS Security Policy applies to ail
entities with access to, or who operate in support of, FBI CJ IS Division?s services and information.

CJIS Systems Agency The duly authorized state CJA on the CJIS network providing
statewide (or equivalent) service to its criminal justice users with respect to the C11 from various
systems managed by the FBI CJIS Division.

CJIS Systems Agency Information Security Of?cer (CSA The CSA personnel responsible to
comdinate infounation secu11ty eff01ts at all CSA mtel face agencies.

11.) CJIS Systems Officer The individual located within the Division of State Police, as the
CSA, designated by and responsible to the Commissioner of the DESPP to, among other things
supervise and manage the activities of COLLECT, administration of the CJIS network within the
State of Connecticut as the Commissione1 directs. The CSO shall be the COLLECT Manager The
COLLECT Manager shall also serve as NLETS Representative. Pursuant to the Bylaws for the CJ IS
Advisory Policy Board and Working Groups, the roie of C80 shall not be outsourced. The CSO may
delegate responsibilities to subordinate agencies.

CJIS Advisory Policy Board governing organization within the FBI CJIS Advisory
Process composed of representatives from criminal justice and national security agencies within the
United States. The APB reviews policy, technical, and operational issues relative to CJIS Division
programs and makes subsequent recommendations to the Director of the FBI.

Connecticut O11-Line Law Enforcement Communications Teleprocessing System 
The statewide, computerized information system established as a service to help criminal justice and
law enforcement agencies perform it duties by providing and maintaining a computerized ?ling
system of accurate and timely documented CJI from multipie CJI databases and the FBI CJIS
Systems. COLLECT provides large amounts of CJI that can be instantly retrieved by and/or
furnished to any authorized recipient. COLLECT must be used for administration of criminal justice
and severely restrictive noneriminal justice purposes authorized by federal or state law, such as a
Permit to Carry Pistol or Revolver. COLLECT also provides access to intrastate, interstate, and
international criminal justice information systems, for the exchange of information relating to crimes,
criminals, criminal activity and public safety.

COLLECT Policy Board (Policy Board)? The Poiicy Board shall advise the Commissioner of
DESPP with respect to the operation and management of COLLECT. The Commissioner of DESPP
shall have ultimate authority to manage, direct and control the COLLECT.

1.) Criminal Justice Agency The cou1ts, a governmental agency, or any subunit of a
governmental agency which performs the administration of criminal justice pursuant to a statute or
executive order and which allocates a substantial part of its annual budget to the administration of
criminal justice. State and federal Inspectors General Of?ces are included.

1n.) Criminal Justice Information Criminal Justice Information is the abstract term used to refer
provided data necessary for law enforcement agencies to perform their mission
and enforce the laws, including but not limited to: biometric, identity history, person, organization,
property (when accompanied by any personally identifiable information), and case/incident history
data. is a subset of I and includes any notations or other written or electronic evidence of an
arrest, detention, complaint, indictment, information or other formal criminal charge relating to an
identifiable person that includes identifying information regarding the individual as well as the
disposition of any charges.

11.) Criminal Justice Information Services Division (FBI CJIS 01' The FBI division responsible
for the collection, warehousing, and timely dissemination of relevant CJI to the FBI and to quali?ed
law enforcement, criminal justice, civilian, academic, employment, and licensing agencies. It also
serves as the central repository for I services within the FBI.

0.) Department of Justice The Department within the US Government responsible to enforce the
law and defend the interests of the US according to the law, to ensure public safety against threats

MAY 2 32018

2018 COLLECT User Agreement for Full Access Criminal Justice Agencies

 

foreign and domestic, to provide federal leadership in preventing and controlling crime, to seekjust
punishment for those guilty of unlawful behavior, and to ensure fair and impartial administration of
justice for all Americans.

Dissemination- The transmission/distribution of to Authorized Recipients within an agency.

Federal Bureau of Investigation The agency within the responsible to protect and
defend the United States against terrorist and foreign intelligence threats, to uphold and enforce the
criminal laws of the US, and to provide leadership and criminal justice services to federal, state,
municipal, and international agencies and partners.

Federal Information Security Management Act The Federal Information Security
Management Act of 2002, a US Federal law that established information security standards for the
protection of economic and national security interests of the United States. It requires each federal
agency to develop, document, and implement an agency-wide program to provide information
security for the information and information systems that support the operations and assets of the
agency, including those provided or managed by another agency, contractor, or other source.

Holder of the Record Agreement An agreement between authorized recipients that
delineates the responsibility for third party record entries and hit confirmations.

Integrated Automated Fingerprint Identification System The national fingerprint and
criminal history system maintained by the FBI CJIS Division that provides the law enforcement
community with automated fingerprint search capabilities, latent searching capability, electronic
image storage, and electronic exchange of fingerprints and responses.

International Justice and Public Safety Network A private, not-for-profit corporation
owned by the States that provides an interstate and international justice and public safety network
and provides telecommunication capabilities for the exchange of law enforcement, criminal justice
and public safety?related information.

Interstate Identification Index The CJIS service that manages automated submission and
requests for CHRI that is warehoused subsequent to the submission of ?ngerprint information.

Law Enforcement Enterprise Portal A secure, Internet-based communications portal
provided by the FBI CJ IS Division for use by law enforcement, first responders, criminal justice
professionals, and anti-terrorism and intelligence agencies around the globe. its primary purpose is to
provide a platform on which various law enforcement agencies can collaborate on For Official Use
Only (FOUO) matters. FOUO is a caveat applied to unclassi?ed sensitive information that may be
exempt from mandatory release to the public under the Freedom of Information Act (FOIA), 5 U.S.C
522. in general, information marked FOUO shall not be disclosed to anybody except Government
(Federal, State, tribal, or local) employees or contractors with a need to know.

Law Enforcement National Data Exchange An unclassi?ed national information sharing
system that enables CJAs to search, link, analyze, and share local, state, tribal, and federal records.

Local Agency Security Officer The primary Information Security contact between a local
law enforcement agency and the CSA under which this agency interfaces with the FBI CJIS
Division. The LASO actively represents their agency in all matters pertaining to Information
Security, disseminates Information Security alerts and other material to their constituents, maintains
information Security documentation (including system con?guration data), assists with Information
Security audits of hardware and procedures, and keeps the CSA informed as to any Information
Security needs and problems.

2.) Management Control Agreement An agreement between parties that wish to share or pool
resources that codifies precisely who has administrative control over, versus overall management and
legal responsibility for, assets covered under the agreement. An MCA must stipulate that
management control of the criminal justice function remains solely with the CJA.

MAY a 32013

NIB COLLECT User Agreement for Full Access Criminal Justice Agencies

 

aa.) National Crime Information Center An information system which stores CJI which can
be queried by appropriate Federal, state, and local law enforcement and other criminal justice
agencies.

bb.) National Instant Criminal Background Check System A system mandated by the Brady
Handgun Violence Prevention Act of 1993 that is used by Federal Firearms Licensees (FFLS) to
instantly determine via telephone or other electronic means whether the transfer of a ?rearm would
be in violation of Section 922 or of Title 18, United States Code, or state law, by evaluating
the prospective buyer?s criminal history.

cc.) National Institute of Standards and Technology Founded in 1901, NIST is a non-
regulatory federal agency within the US. Department of Commerce whose mission is to promote US
innovation and industrial competitiveness by advancing measurement science, standards, and
technology in ways that enhance economic and national security.

dd.) Noncriminal Justice Purpose-The uses of criminal history records for purposes authorized by
federal or state law other than purposes relating to the administration of criminal justice, including
employment suitability, licensing determinations, immigration and naturalization matters, and
national security clearances.

ee.) Originating Agency Identifier (ORD-A nine digit identi?er assigned by the FBI to authorized
recipients of Oil.

ff.) Outsourcing- The process of delegating operations to a third-party.

gg.) Physically Secure Location-A facility, a criminal justice conveyance, or an area, a room, or a group
of rooms, within a facility with both the physical and personnel security controls sufficient to
protect CH and associated information systems.

1111.) Secondary Dissemination- The promulgation of C11 from a releasing agency to an authorized
recipient agency when the recipient agency has not been previously identified in a formal
information exchange agreement.

ii.) Security Addendum uniform addendum to an agreement between the government agency
and a private contractor, approved by the US Attorney General, which speci?cally authorizes access
to CHRI, limits the use of the information to the purposes for which it is provided, ensures the
security and con?dentiality of the information consistent with existing regulations and the CJIS
Security Policy, provides for sanctions, and contains such other provisions as the Attorney General
may require.

jj.) Terminal Agency Coordinator Serves as the point~of~contact at the local agency for
matters relating to CJIS information access. A TAC administers CJIS systems programs within the
local agency and oversees the agency?s compliance with CJIS systems policies.

Uniform Crime Reporting A CJIS System that collects, publishes, archives crime
statistics. The UCR is often associated with the National Incident-Based Reporting System (NIBRS).

ll.) Uscr~ A criminal justice or law enforcement agency that has an 0R1 and meets the criteria to be an
authorized recipient. The User shall be legally responsible for all activities under the agreement.

6. Policy Board.

The Policy Board shall consist primarily of the committee of the Connecticut Police Chiefs Association
(CPCA) known as the Telecommunications and Technology Committee. By August 1st of each calendar
year, the Executive Director of the CPCA shall provide a list of people to serve on the Telecommunications
and Technology Committee for the following twelve-month period. However, to preserve continuity, no
fewer than four people will be reappointed from the previous year. In addition, the Commissioner of DESPP
shall appoint four members, one of whom shall be the COLLECT Manager and one of who shall represent
the data processing or maintenance function of the COLLECT System. At the discretion of the Policy Board,

5 2013 COLLECT User Agreement for Full Access Criminal Justice Agencies MAY 2 3 2018

 

with the approval of DESPP and with proper noti?cation, the User may levy a surcharge on additional users
if in theirjudgment, state funds will not be available to meet the needs of the User.

7. DESPP Responsibilities. DESPP shall:

Assign a C80. The CSO shall set, maintain, and enforce the following:
1. Standards for the selection, supervision, and separation of personnel who have access to CJI.
2. Policy governing the operation of computers, access devices, circuits, hubs, routers, firewalls, and
other components that comprise and support a telecommunications network and related CJIS systems
used to process, store, or transmit CJI, guaranteeing the priority, con?dentiality, integrity, and
availability of service needed by the criminaljustice community.
a. Ensure appropriate use, enforce system discipline, and ensure CJIS Division operating
procedures are followed by all users of the respective services and information.
b. Ensure state/federal agency compliance with policies approved by the APB and adopted by
the FBI.
c. Ensure the appointment of the CSA ISO and determine the extent of authority to the CSA
ISO.
(1. The CSO, or designee, shall ensure that a Terminal Agency Coordinator (TAC) is
designated within each agency that has devices accessing CJ IS systems.
e. Ensure each agency having access to CJI has someone designated as the Local Agency
Security Officer (LASO).
f. Approve access to FBI CJIS systems.
g. Assume ultimate responsibility for managing the security of C3 IS systems within their
state and/or agency.
h. Perform other related duties outlined by the user agreements with the FBI CJIS Division.
3. Outsourcing ofCriminal Justice Functions
a. Responsibility for the management of the approved security requirements shall remain
with the CIA. Security control includes the authority to enforce the standards for the
selection, supervision, and separation of personnel who have access to set and enforce
policy governing the operation of computers, circuits, and telecommunications terminals used
to process, store, or transmit and to guarantee the priority service needed by the criminal
justice community.
b. Responsibility for the management control of network security shall remain with the CJA.
Management control of network security includes the authority to enforce the standards for
the selection, supervision, and separation of personnel who have access to set and
enforce policy governing the operation of circuits and network equipment used to transmit
Cl]; and to guarantee the priority service as determined by the criminal justice community.
Assign a CSA ISO. The CSA ISO shall:
1. Serve as the security point of contact (POC) to the FBI Division ISO.
2. Document technical compliance with the CJIS Security Policy with the goal to assure the
confidentiality, integrity, and availability of criminal justice information to the user
community throughout the user community, to include the local level.
3. Document and provide assistance for implementing the security-related controls for the
Interface Agency and its users.
4. Establish a security incident response and reporting procedure to discover, investigate,
document, and report to the CSA, the affected criminal justice agency, and the FBI CJIS
Division major incidents that significantly endanger the security or integrity of Oil.
Provide certification and recertiflcation through training and functional testing to terminal operators and
other personnel at locations and times arranged by the COLLECT Manager. Only User members who

6 2018 COLLECT User Agreement for Full Access Criminal Justice Agencies MAY 2 3 2018

 

have completed such training shall be allowed to perform a transaction in COLLECT or on a COLLECT
terminal.

Provide security awareness training to User members. Only User members who have completed such
training shall be allowed to have access to CJI or a physically secure location.

Furnish the User, through COLLECT with such CII as is available, to serve the means of exchange of
computerized administrative messages, between the User and other criminal justice agencies on the
COLLECT and through NCIC and NLETS.

Operate and administer access to the following state agency information systems to include, but not be
limited to; Department of Corrections (DOC), Department of Energy and Environmental Protection
(DEEP), Department of Motor Vehicles (DMV), Paperless Re~arrest Warrant Network (PRAWN),
Protective Order Registry (SOR) and the State Police Criminal History System (CCH), Sex Offender
Registry (SOR), and State Police Special Licensing and Firearms Unit and to the following FBI
CJIS systems to include, but not be limited to; IAFIS, NCIC, NICS, NLETS, UCR, NDEX, LEEP in
order for the User to effectively discharge its public duties.

Determine and or deny access to CH if access to CH by a User member or its certified personnel would
not be in the public interest. The User shall be noti?ed in writing of the access denial.

Conduct audits, once every three (3) years as a minimum, to ensure compliance with applicable statutes,
regulations and policies for all CJIS Systems. The DESPP shall have the authority to conduct
unannounced security inspections and scheduled audits of Contractor facilities.

The DESPP shall have the authority, on behalf of another CSA, to conduct a compliance audit of
contractor facilities and provide the results to the requesting CSA.

The DESPP will provide, subject to budgetary constraints, the following to help User comply with
regulations:

COLLECT Personnel and administrative support

Quality Control

24-hour Message Center Communications Operators

Programming and technical assistance

Distribution of rules and regulations and COLLECT, FBI and NLETS documentation

Maintain records of User transaction such as Ill and NCIC transactions.



8. User Responsibilities. User shall:

a) Qualify for assignment of an that would permit access to CHRI, pursuant to Title 28, United
States Code (U.S.C), Section 534 and be considered a CIA pursuant to Title 28, C.F.R., Part 20,
Subpart A.

b) Ensure that equipment is approved compatible with the CSA.

c) Be responsible for all costs relating to the purchase and maintenance of end User equipment.

d) Be responsible for any costs for the ?ber connection to the public safety data network.

e) The User shall be responsible for all costs relating to the purchase and maintenance of end User
equipment and any costs for the fiber connection to the public safety data network. All network
connections must be approved by the CSA ISO.

f) The User agrees to follow COLLECT, FBI, and NLETS policies and guidelines for noncriminal
justice use of Oil systems, including but not limited to information for pistol permits, housing
concerns, and wrecker companies.

g) Assign a 

h) Assign a TAC. The TAC shall perform the following duties:

1. Possess a working knowledge ofthe COLLECT System.
2. Effect User training and use of related training materials that have been forwarded by the
COLLECT Manager.

7 2018 COLLECT User Agreement for Full Access Criminal Justice Agencies MAY 2 3 

 

j)



Serve as the liaison and coordinator for the User agency.

4. Effect the distribution of information, brochures, and descriptive materials within the User
agency, supplied by COLLECT.

Attend annual meetings of User agencies.

Submit written reports of any misuse or unauthorized access.

7. Provide immediate written noti?cation to the COLLECT Manager of any change in the
employment status of any authorized individual user of the User agency that affects the
individual user?s authority to use and access COLLECT.

8. Act to notify the COLLECT manager in case of any violation of this Agreement or the CJ IS
Security Policy.

9. Act to suspend COLLECT, AFIS, and all CJIS system access, including, but not limited to
PRAWN, DWOR, SOR, and NCIC, to users who have violated any provision of this
agreement or the CJ IS Security Policy.

Ensure compliance with all regulations, rules, policies, and procedures for all CJIS Systems, the
security guidelines as set forth in this agreement, in the publication, NCIC: Computerized Criminal
History Program Background, Concept and Policy, and in Subparts A and of the US 
Regulations governing the dissemination of criminal records and criminal history information
(Regulations) published in the Federal Register on May 20, 1975, and August 7, 1976 (Title 28, Code
of Federal Regulations (CFR), Part 20) Federal Register on March 19, 1976, all regulations, rules,
policies, and procedures, as outlined in the NCIC operating manual, and part 10 US. CCH
regulations, the regulations of the CJIS Advisory Policy Board, the National Crime Prevention and
Privacy Compact (Compact) Council at Article VI established the Compact Council (Council),
Council Sanctions Committee, the FBI CJIS Security Policy, and Connecticut General Statute (CGS)
54?142i regarding Duties of CJAs regarding Collection, Storage and Dissemination of CHRI.

Ensure the training and certi?cation of User members. The User shall ensure that new operators are
trained and certi?ed within six (6) months of initial assignment and biennially thereafter within thirty
(30) days prior to the expiration of certi?cation. Certi?cation shall expire biennially.

Ensure that all User personnel with access to C11 or a physically secure location complete security
awareness within six (6) months of initial assignment and biennially thereafter.

Operate the terminal on a 24-hour, seven-day week basis unless some other prior arrangement is
made that is acceptable to the Commissioner. Users that are not available 24 hours a day must place
instructions for after?hour hit con?rmation, e.g. a 24-hour contact teiephone number or an ORI in the
Miscellaneous Field.

Send only criminal justice/law enforcement messages over and through COLLECT. All messages
will be treated as privileged unless otherwise authorized by the originating agency. With respect to
information from other states that is available through COLLECT, it is User?s responsibility to
contact the other source state to determine the applicabie laws regarding con?dentiality of that
information. However, information which is classi?ed under federal or state laws and regulations
will not be transmitted.

Operate the COLLECT terminal and otherwise conduct itself in strict compliance with applicable
DESPP, FBI, and NLETS policies including, but not limited to, policies, practices and procedures
relating to prudent use of multipoint transmissions and use of plain English text in message traffic.
Perform hit confirmations in within the designated time frame. Urgent hit con?rmation must be
con?rmed within 10 minutes. Urgent hit con?rmations shall be used in instances where the hit is the
only basis for detaining a suspect or the nature of a case requires urgent con?rmation of a hit.
Routine hit con?rmation must be con?rmed within 1 hour. Routine hit con?rmation shall be used
when the person is being held on local charges, property has been located under circumstances where
immediate action is not necessary, or an urgent con?rmation is not required.



MAY 9,3201%

2018 COLLECT User Agreement for Full Access Criminal Justice Agencies

 

p)

q)

t)

Certify validations in the manner and time designated by the DESPP. Validations that are
not certified will be purged from the COLLECT and with the exception of Unidenti?ed
Persons records.
Provide the COLLECT Manager ninety (90) days advance written notice to relocate the terminal(s).
All costs related to the physical relocation of the terminal and communications line(s) shall be borne
by the User. The repair and cost of any damages resulting from such relocation(s) will be the User's
responsibility. All COLLECT terminals shall be housed in a physically secure location.
Take necessary measures to make the terminal secure from any unauthorized persons and prevent
any unauthorized use. The COLLECT Manager reserves the right to define equipment (terminal)
location, security measures, and to suspend or withhold service until such matters are corrected to
their reasonable satisfaction. The COLLECT manager or their designee is authorized to conduct
inspections based upon the above criteria. The inspections should be accompanied by personnel of
the User. Any departure from this responsibility warrants the removal of the offending terminal from
further COLLECT, NCIC, and NLETS participation.
Where computerized data processing is employed, institute effective and technologically advanced
software and hardware designs to prevent unauthorized access to such information and restrict to
authorized organizations and personnel only, access to criminal history record information system
facilities, systems operating environments, systems documentation, and data ?le contents while in
use or when stored in a media library.
Develop procedures for computer operations which support COLLECT, whether dedicated or shared,
to assure that: (A) C31 is stored by the computer in such a manner that it cannot be modified,
destroyed, accessed, changed, purged, or overlaid in any fashion by noncriminal justice terminals;
(B) operation programs are used that will prohibit inquiry, record updates, or destruction of records,
from any terminal other than criminal justice system terminals which are so designated; (C) the
destruction of records is limited to designated terminals under the direct control of the User
responsible for creating or storing the criminal history record information; (D) operational programs
are used to detect and store for the output of designated User employees all unauthorized attempts to
penetrate any criminal history record information system, program or ?le; (E) the programs specified
in subparagraphs (B) and (D) of this subdivision are known only to User employees responsible for
CH system control or individuals or agencies pursuant to a speci?c agreement with the User to
provide such programs and the programs are kept continuously under maximum security conditions.
Appoint an AC when a private contractor is designated to perform a criminal justice function on
behalf of the User.
Request approvai, prior to providing CJI or undertaking any procedure through a private dispatch
system. Any User that has, or transfers to using, a private dispatch function shall immediately notify
the COLLECT Manager and ensure that there is a security addendum and approved management
control agreement in place for both. In such event, the User shall at all times maintain control over
the COLLECT, COLLECT terminal(s), or other information systems containing CJI from
COLLECT, and NLETS pursuant to FBI policy. Control of the criminal justice function must
remain solely with the CJA.
Screen and exercise the right to reject for employment, based on good cause, all personnel to be
authorized to have direct access to criminal history record information
Meet personnel security requirements in accordance with the C313 Security Policy, up to and
including:
1. Subjecting all personnel with unescorted access to CJI to a state and national ?ngerprint-
based criminal history check within thirty (30) days of assignment;
2. Subjecting all contractor personnel with unescorted access to C11 or a physically secure
location to a state and national fingerprint-based criminal history check before access to C11
is granted.

2018 COLLECT User Agreement for Full Access Criminal Justice Agencies

MAY 232018

 

10

3. Request approval for access for any User member with a felony conviction of any kind who
appears to be a fugitive or has an arrest history without conviction.

4. Request approval for access to a User member who already has access to I and is
subsequently arrested and or convicted of a crime. This does not implicitly grant hiring/?ring
authority with the CSA, only the authority to grant access to C11.

5. Disqualify a contractor employee from having access to CJI.

6. Request approval for and delay access to I to any contractor employee with a record of any
kind.

y) Initiate or cause to be initiated administrative action that could result in the transfer or removal of
personnel authorized to have direct access to OH when such individual violates the provisions of
COLLECT, FBI, or NLETS regulations or other security requirements established for the collection,
storage or dissemination of CH.

2) Ensure that each individual working with or having access to C31 shall be made familiar with the
substance and intent of the provisions in this Agreement.

aa) Ensure record accuracy, timeliness, and completeness to afford the maximum protection to the law
enforcement of?cer by providing up-to-date information, up to and including

1. Accuracy-The User must ensure that the accuracy of a record is double?checked by a second
party. The veri?cation of a record should include assuring all avaiiable cross checks, 
were made and that the data in the NCIC record match the data in the investigative
report.

2. Timeliness-The User must ensure that entry, modi?cation, update, and removal of
information are completed as soon as possible after information is available and information
is processed and transmitted in accordance with standards as established by the APB.

3. Completeness?The User must ensure that complete records include all critical information
that was available on the person or property at the time of entry. Critical information is
defined as data ?elds that will: (I) increase the likelihood of a positive hit on the subject or
property and aid in the identification of a subject or property; or (2) assist in compliance with
applicable laws and requirements.

bb) Ensure that CJ I is retained for as long as there remains any possibility that a defendant will challenge
the arrest, search, or other law enforcement action taken because of the information contained on the
printout. should be retained until all possible levels of appeal are exhausted, the possibility of a
civil suit is no longer anticipated, or in accordance with state retention schedules.

CC) Request written approval from the COLLECT Manager, to the extent that such assistance is not
otherwise prohibited, to provide assistance to other law enforcement or criminal justice agencies not
equipped with a COLLECT terminal in accordance with FBI policy.

dd)Maintain all required CJIS Security Policy written policies, up to and including a media protection
policy to ensure that access to digital and physical C31 in all forms is restricted to authorized
individuals and a physical protection policy to ensure that CJI and information system hardware,
software, and media are physically protected through access control measures.

User Outsourcing Responsibilities. User shall:

institute a local policy to validate a requestor of CJI as an employee and/or contractor of a law
enforcement agency or an authorized recipient before disseminating CH. The User shail log
secondary dissemination for a minimum of one (1) year. The logs shall clearly identify the requester
and the secondary recipient. The identification on the log shall take the form of a unique identi?er
that shall remain unique to the individual requester and t0 the secondary recipient throughout the
minimum one year retention period.

MAY 9. 32018

2013 COLLECT User Agreement for Fuli Access Criminal Justice Agencies

 

 Execute a HOR when records are entered into the COLLECT or FBI CJIS System on behalf of
another CJA or NCJA.

Execute an MCA when a governmental NCJA is designated to perform criminal justice functions for
a CJA and requires access to the CH. Access shall be permitted when such designation is authorized
pursuant to executive order, statute, regulation, or interagency agreement. NCJA personnel shall be
subjected to a state and national fingerprint?based record check and complete the appropriate level of
security awareness training.

Execute a SA with each contractor personnel when a private contractor performs criminal justice
functions and requires access to CJI. Access shall be permitted via signing of the CJIS Security
Addendum Certification page. Private contractor personnel shall be subjected to a state and national
fingerprint-based record check and complete the appropriate level of security awareness training.

10. User Suspension

The User may be suspended from COLLECT for noncompliance with the CJIS Security Policy or a two-
thirds vote of the Policy Board for noncompliance of policy board regulations hereinafter approved. A
suspension may be imposed by the Commissioner of DESPP or their designee for noncompliance with the
User agreement or the IS Security Policy.

The User may be suspended if it fails to initiate or cause to be initiated administrative action that could result
in the transfer or removal of personnel authorized to have direct access to CM when such individual violates
the provisions of COLLECT, FBI, NLETS regulations or other security requirements established for the
collection, storage or dissemination of CH.

The User may be suspended if it fails to conduct an immediate investigation and take necessary action
against any individual accused of violating this Agreement.

11. User Reinstatement

Upon satisfactory proof that the offending User has corrected the violation or de?ciencies, the User may be
reinstated.

12. User Member Suspension and Reinstatement

A suspension or revocation of COLLECT access and use may be imposed by the COLLECT Manager with
respect to an individual within a User agency upon receipt of any information that, in the COLLECT
Manager?s determination, disquali?es the individual User from having COLLECT access and use under state
or federal law or the DESPP, NCIC, NLETS and CJIS Security policies. Reinstatement must be approved by
the C80.

13. User Member Reinstatement

Any request for reinstatement of COLLECT and CH access and use must be made by the User head on
of?cial agency letterhead together with documentation supporting the request for reinstatement.
Reinstatement must be approved by the C80. Access to I will not be reinstated if the C80 determines that

access to Cil would not be in the public interest in accordance with the CJIS Security Policy.

14. FBI Authority

MAY 62 3 2018

2018 COLLECT User Agreement for Full Access Criminal Justice Agencies

 

 The FBI CJIS Division shall have the authority to conduct audits, once every three (3) years as a
minimum, to assess agency compliance with applicable statutes, regulations and policies.

13.) The FBI CJIS Division shall have the authority to conduct security audits once every three (3) years
as a minimum, to assess agency compliance with the CJ IS Security Policy. Audits may be conducted
on a more frequent basis if the audit reveals that an agency has not complied with applicable statutes,
regulations and policies and CJIS Security Policy. The FBI CJIS Division shall also have the
authority to conduct unannounced security inspections and scheduled audits of Contractor facilities.

Users shall permit an inspection team to conduct an appropriate inquiry and audit of any alleged
security violations. The inspection team shall be appointed by the APB and shall include at least one
representative ofthe CJIS Division.

Users shall allow the FBI to periodically test the ability to penetrate the FBi?s network through the
external network connection or system per authorization of Order 0904

15. FBI Compliance Subcommittees

The APB established the Compliance Evaluation Subcommittee (CBS) to evaluate the results of audits
conducted by the CJ IS Audit Unit (CAU). The National Crime Prevention and Privacy Compact (Compact)
Council at Article VI established the Compact Council (Council). The Compact Council Sanctions
Committee is responsible for ensuring the use of the ill for noncriminal justice purposes complies with the
Compact and with rules, standards, and procedures established by the Compact Council. Both committees
review the audit results and determine a course of action necessary to bring the Users into compliance.

16. Internal Service Fund

Account #4002 (COLLECT System) is an internal service fund authorized by the Comptroller of the State of
Connecticut, which will account for the above ?nancial transactions of COLLECT.

17. 

it is the intent of all parties to this agreement that, should any portion hereof be finally declared invalid by
any court, all other portions remain in full force and effect subject to any amendments hereto that may
thereafter be made in writing by all parties hereto.

18. Indemnification

User shall indemnify and hold harmless the State of Connecticut, the State of Connecticut Department of
Emergency Services and Public Protection, its of?cers, agents, employees, commissions, boards,
departments, divisions, successors and assigns from and against all actions (pending or threatened and
whether at law or in equity in any forum), and proceedings by reason of or arising out of any misuse of
criminal history record information or any cause of action whatsoever arising out of User?s access to
COLLECT and operation of a COLLECT terminal, liabilities, damages, losses, costs and expenses, including
but not limited to reasonable attorneys? and other professionals? fees, resulting from or arising out of or
involving any negligence on the part of User in the exercise or enjoyment of this agreement misconduct or
negligent or wrongful acts (whether of commission or omission) of User or any of its officers,
representatives, agents, servants, consultants, employees or other persons or entities with whom User is in
privity of oral or written contract; (ii) liabilities arising directly or indirectly in connection with this
Agreement out of the acts of User and damages, losses, costs and expenses, including but not limited to,
attorneys? and other professionals? fees, that may arise out of such claims and/or liabilities.

19. Incorporated Documents

MAY 9; 32018

12 2018 COLLECT User Agreement for Full Access Criminal Justice Agencies

 

The following documents are incorporated by reference and made part of this MOU:

CJIS Security Policy;

National Crime Prevention and Privacy Compact, 42 U.S.C. Section 14616; and

Title 28, Code of Federal Regulations, Parts 20 and 25, Section 50.12, and Chapter 1X.

All policies, procedures and Operating instructions contained in FBI and NLETS documents and the
COLLECT Users Guide published by DESPP, are hereby incorporated into and made a part of this
agreement except to the extent that they are inconsistent herewith or legally superseded by higher
authority.

THE DEPARTMENT OF EMERGENCY SERVICES AND PUBLIC PROTECTION

By: a; 57-- 35? ?5
Schriro (Date)
Commissioner
Duly Authorized Pursuant to C.G.S. Section 4?8

 

User



By: 05/21/2018



Aldean Beaumont: (Date)
Assistant Field Of?ce Director

Duly Authorized

MAY 9, 3 2018

13 2018 COLLECT User Agreement for Full Access Criminal Justice Agencies