Policy Text
Policy
807Fremont Police Department
CJIS Access, Maintenance, and Security
807.1 PURPOSE AND SCOPE
The purpose of this policy is to provide guidelines for the use, maintenance, and security of
department systems that access, process, store, or transmit Criminal Justice Information.
807.1.1 DEFINITIONS
Definitions related to this policy include:
Criminal Justice Information (CJI) - Data provided by FBI Criminal Justice Information Services
(CJIS) that is necessary for law enforcement agencies to perform their mission and enforce the
laws (e.g., biometric, identity history, person, organization, case/incident history data).
Security incident - Any incident that compromises the security of CJI or systems that access,
process, store, or transmit CJI. Examples include but are not limited to unauthorized use of
legitimate code or credentials within department systems, email communications that contain
malicious code, data breaches, signaling to external systems, and unauthorized exporting of
information.
807.2 POLICY
It is the policy of the Fremont Police Department to maintain the security, confidentiality, and
integrity of its information systems that access, process, store, or transmit CJI by collaborating
with appropriate state and federal agencies to implement the applicable established protocols.
807.3 CJIS TERMINAL AGENCY COORDINATOR
The Chief of Police shall appoint a Terminal Agency Coordinator (TAC), who shall be responsible
for the Fremont Police Department's adherence to FBI CJIS Security Policy requirements.
The TAC shall establish procedures necessary to govern the department's use, maintenance, and
security of systems that access CJI as described in this policy.
807.3.1 CJIS COORDINATOR RESPONSIBILITIES
The responsibilities of the CJIS coordinator include but are not limited to:
(a)Coordinating with others, such as the information technology or legal departments,
as appropriate, to maintain department compliance with FBI CJIS Security Policy
requirements and the California Justice Information Services.
(b)Managing member accounts with access to CJI, including:
1.Creating, enabling, modifying, disabling, and removing member accounts in
accordance with this policy and the FBI CJIS Security Policy.
2.Configuring member accounts in accordance with federal and state
requirements (e.g., limiting unsuccessful login attempts, validating new
passwords against known compromised or commonly used passwords).
Copyright Lexipol, LLC 2026/01/08, All Rights Reserved.
Published with permission by Fremont Police DepartmentCJIS Access, Maintenance, and Security - 1
Fremont Police Department
CJIS Access, Maintenance, and Security
3.Reviewing member accounts for compliance with legal and policy requirements
at least annually.
(c)Overseeing the maintenance, repair, and replacement of CJI systems and system
components in accordance with manufacturer or vendor specifications and/or
department requirements, including:
1.Maintaining a list of organizations and personnel approved by the Chief of Police
to perform maintenance on CJI systems.
2.Approving, scheduling, documenting, and monitoring all maintenance and
diagnostic activities, whether performed on-site, remotely, or off-site, and
maintaining records.
3.Verifying that non-escorted personnel performing maintenance on any CJI
system or terminal possess the required access authorizations, and designating
members who have the required access authorizations and technical
competence to supervise the maintenance activities of personnel who do not
possess the required access authorizations.
4.Maintaining records for all system maintenance and diagnostic activities.
(d)Configuring remote access systems and devices only with the explicit authorization of
the Chief of Police or the authorized designee, including:
1.Routing through authorized and managed access control points (e.g., firewalls,
secure gateways).
2.Mandatory multi-factor authentications for users.
3.Use of automated mechanisms to monitor and control remote access methods.
4.Mandatory encryption (e.g., VPN, Transport Layer Security).
5.Required logging of all remote access activity.
(e)Monitoring department systems that have access to CJI to ensure compliance with
applicable laws and this policy; developing processes to detect, identify, and correct
flaws in software and firmware; and conducting security updates as necessary.
(f)Providing for the security of hardware that includes provisions for the following:
1.How hardware is to be brought into and taken out of department facilities
2.Physical security of hardware within department facilities
3.Physical security of areas containing network connections and transmission
lines, including monitored access
(g)Implementing and carrying out the department Incident Response Plan, including:
1.Tracking and documenting all suspected or actual security incidents related to
CJI in an appropriate manner.
2.Directing annual testing of the department's information security incident
response capabilities using tabletop or walk-through exercises, simulations, or
other types of testing.
Copyright Lexipol, LLC 2026/01/08, All Rights Reserved.
Published with permission by Fremont Police DepartmentCJIS Access, Maintenance, and Security - 2
Fremont Police Department
CJIS Access, Maintenance, and Security
3.Making the appropriate notifications outside of the Department (see the Records
Maintenance and Release Policy for additional guidance).
4.Providing information on security incidents to any third-party software
developers or vendors as appropriate.
(h)Protecting digital and non-digital media that contain CJI, including physical security,
transportation, destruction/sanitization, and documentation requirements.
(i)Developing and updating department information security and privacy literacy training
and incident response training as required by policy.
(j)Maintaining audit records in accordance with the established records retention
schedule, but in no event for less than one year.
(k)Managing the development, documentation, and dissemination of applicable policies
and