SLED Certification of 3 rd Party NCIC/SCIC Applications Overview February 2, 2004

Transcription

1 SLED Certification of 3 rd Party NCIC/SCIC Applications Overview February 2, 2004 This document provides an overview of the program put into place by the South Carolina Law Enforcement Division (SLED) for certifying 3 rd party NCIC 2000 application software. The certification program applies to all vendors offering products or services to any criminal justice agency within the state of South Carolina if those products or services consist of software applications that access the National Crime Information Center (NCIC) or the South Carolina Information Center (SCIC). The certification program does not apply to any governmental organization that develops its own solution for accessing NCIC/SCIC via SLED. The current version of this document, as well as any of those referenced herein, is available for review and downloading from the SLED web site ( Navigate to the Criminal Justice Information Services folder and then to Certification of 3 rd Party Software. Why Certification? Meet agency expectations for SLED guidance in selecting among vendor offerings Provide an equal opportunity for any vendor to compete Meet FBI/CJIS security requirements (Security Addendum, background checks, and encryption) Insure agencies have adequate helpdesk support of the vendor s application software Insure agencies are offered one or more opportunities for training Insure vendor software is upgraded in a timely manner when necessary to meet changes mandated by FBI CJIS modifications to the NCIC transaction codes, revisions in CJIS policy, upgrades to the NCIC architecture, or changes made by SLED to its information systems. SLED-Vendor Participation Agreement Effective immediately, all vendors will be required to complete a formal agreement with SLED. One of the specifications in the agreement is that the vendor understands and agrees to the certification program and the criteria that will be used to determine certification. Completion of the FBI s Security Addendum is a condition of this agreement. The addendum will be between the vendor and SLED and will substitute for the current requirement that an addendum be completed between the vendor and each agency that uses its software applications. Fingerprint-based background checks will be required on all vendor employees who may have access to un-encrypted NCIC data. This agreement will apply to all vendors presently doing business within the state as well as those that may wish to do so in the future. SLED will not approve any new or additional connections or user accounts using the vendor s software until the requirements contained in this participation agreement have been met and the agreement has been signed and returned to SLED. SLED Certification of 3 rd Party NCIC/SCIC Applications Overview - 2/2/2004 Page 1 of 5

2 Certification Program Timeline The certification program will be phased in over 18 months. Effective February 1, 2004 all vendors that do not have a signed contract with a South Carolina criminal justice agency for supplying software that accesses NCIC/SCIC via SLED will be required to comply with one of the two levels of certification. Permission will not be granted for any vendor customers to connect until the certification requirement is met. Vendors with an active contract in place prior to February 1, 2004 with one or more South Carolina criminal justice agencies will be required to complete certification before June 30, After that time, no new customers will be allowed to connect with that vendor s application software until certification is obtained. Vendor Obligations Upon successful completion of the certification process, SLED will issue a Letter of Certification to the vendor permitting it to designate its application as Certified by SLED. Until this letter is issued, the vendor will refrain from marketing its product as reviewed, approved, certified, or otherwise endorsed by SLED. Certification status will be withdrawn if vendors do not comply with the requirements to maintain their software to meet new or changed transaction codes, message formats, or otherwise fail to comply with the requirements for certification. Once certification is withdrawn, the vendor will not be permitted to add new customers until certification is again obtained. SLED will notify all known South Carolina customers of the vendor s loss of certification. Agency Awareness SLED will make a best effort to maintain on its web site a list of all known vendors of NCIC 2000 software and the certification status of those products. Agencies should consult that list when selecting a vendor solution for their NCIC connectivity. All agencies are encouraged to specify SLED certification as a requirement in their RFP or contract negotiations with vendors. In addition, agencies should consider including a clause in the contract that releases the agency from any further financial obligation to the vendor if the vendor should lose certification. In the event the vendor looses certification, SLED will attempt to contact every known customer to advise them of the change in certification status. Those customers that are already using the vendor s product will not be disconnected or forced by SLED to switch to a certified vendor. However, the agency should consider the consequences of doing business with a vendor that will not be permitted to add any new customers within South Carolina. SLED Certification of 3 rd Party NCIC/SCIC Applications Overview - 2/2/2004 Page 2 of 5

3 Certification Levels Two levels of certification are supported: Inquiry-only and Full Function. SLED will provide a list of the most commonly used transaction codes for each level. To meet certification, the vendor s application will be required to properly process the SLED specified set of commonly used transactions. The vendor may extend this minimum set to include other less commonly used transactions to meet customer needs or market expectations. Any such extensions will not be subject to the certification process. Certification Costs SLED will not impose on any vendor an initial fee for certification or require any fee to maintain certification status. However, SLED will charge the vendor for reimbursement of excessive staff time spent working with the vendor to obtain certification. This reimbursement is based on an estimate of the number of SLED staff hours that will be required to verify the vendor s application meets the certification criteria. The reimbursement charges are calculated on the number of hours that exceed these estimates and are dependent upon the level of certification as follows: Inquiry only: SLED will allow 20 hours per vendor at no charge before requiring reimbursement for staff time based on the mid-point salary of a Statistical & Research Analyst $13.02 per hour. Full-function: SLED will allow 40 hours per vendor at no charge before requiring reimbursement for staff time based on the mid-point salary of a System Programmer $23.46 per hour. SLED Certification of 3 rd Party NCIC/SCIC Applications Overview - 2/2/2004 Page 3 of 5

4 Requirements for Certification Compliance Must pass transaction tests Transaction response times must meet NCIC specifications. SLED personnel will run a test transaction stream and measure the response times from a production PC located at a customer s location. Helpdesk staff available: Inquiry-only 8 x 5, Full Function 24 x 7 Training options must be available to customers Must notify SLED when customer agencies are added or deleted Must agree to re-certify and distribute to all PCs running the vendor s software, within 60 days of notification by SLED of the required modifications, relatively minor changes made to specific transactions. SLED will contact the vendor using the information provided by the vendor on the Application for SLED Certification form. Must agree to re-certify and distribute to all PCs running the vendor s software, within 180 days of notification by SLED of the required modifications, the entire application when major changes are made (NFF, XML, etc.). SLED will contact the vendor using the information provided by the vendor on the Application for SLED Certification form. Must have completed FBI Security Addendum on file Employees must have fingerprint background checks completed and on file Foreign Hosts (also known as Client Server) o Must encrypt from server to desktop (minimum AES w/256 bit key) o o Should support Cisco VPN client to encrypt from server to SLED If server is unable to run the Cisco VPN client, vendor must provide an alternative that is acceptable to SLED Direct Workstation Software o Must support Cisco VPN client to encrypt from desktop to SLED Reimbursement for SLED staff time (if any) must be paid SLED Certification of 3 rd Party NCIC/SCIC Applications Overview - 2/2/2004 Page 4 of 5

5 Certification Process This section provides a brief synopsis of the actual certification process that takes place between SLED and a vendor. This process is subject to change as experience is gained by SLED and feedback is received from vendors undergoing certification. 1. Vendor completes and sends to SLED a SLED-Vendor Participation Agreement. As part of this agreement, the vendor must complete the FBI Security Addendum and have completed fingerprint-based background checks on any of its personnel that will have contact with unencrypted NCIC data. 2. SLED adds vendor to its compliance tracking system 3. Vendor requests certification by completing and sending to SLED the Vendor Application for SLED Certification. 4. SLED provides a test stream of NCIC/SCIC transaction codes 5. Vendor runs the test stream and captures screen images for all transaction codes 6. Captured screen images sent to SLED for verification 7. SLED verifies responses and issues Stage 1 Pass/Fail a. If Pass continue with Step 8 b. If Fail i. SLED sends vendor list of incorrect responses with description of errors ii. Vendor corrects problems and sends screen captures of corrected transactions to SLED iii. Repeat from Step 7 8. SLED meets with vendor at agency site for live test a. SLED personnel run a test suite of transactions to verify correct operation b. If Pass continue with Step 9 c. If Fail i. SLED informs vendor of live test results ii. Vendor makes corrections iii. Vendor re-applies for certification from Step 3 9. Vendor reimburses SLED for staff expenses (if any) 10. SLED issues Letter of Certification to vendor authorizing use of Certified by SLED 11. SLED designates vendor s product as certified a. SLED web site updated to reflect product version number and date of certification ( b. SLED updates any other published documents to reflect the certification SLED Certification of 3 rd Party NCIC/SCIC Applications Overview - 2/2/2004 Page 5 of 5