NCIC and III Transaction Log Content, v1.0

Defines conformance and assessment criteria for verifying that NCIC and III transaction logs include appropriate content.
If an assessment step references organization-defined elements (E.g. <organization-defined personnel or roles>, <organization-defined frequency>, etc.), corresponding citations/excerpts must be provided to confirm that the organization has established and documented these values and that they apply as referenced in the conformance criteria.

Similarly, if a "Selection" among multiple options (e.g. [Selection (one or more): as needed; ]) is specified, evidence must be provided to establish that the option(s) implemented by the organization have been defined and documented.

The assessment step shall not be marked as satisfied without this evidence.

Assessment Steps (3)

1
NCIC and III Transaction Log Identifies Operator and Receiving Agency (NCICandIIITransactionLogIdentifiesOperatorandReceivingAgency)
Does the III portion of the organization's transaction logs clearly identify both the operator and the authorized receiving agency?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
2
III Transaction Log Identifies Requestor and Secondary Recipient (IIITransactionLogIdentifiesRequestorandSecondaryRecipient)
Does the III portion of the organization's transaction logs clearly identify the requester and the secondary recipient?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
3
NCIC and III Transaction Log Identifiers Unique To Requestors and Recipients (NCICandIIITransactionLogIdentifiersUniqueToRequestorsandRecipients)
Does the identification on the NCIC and III transaction log take the form of a unique identifier that remain unique to the individual requester and to the secondary recipient throughout the minimum retention period?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
If conformance criteria reference organization-defined elements (e.g. <organization-defined personnel or roles>, <organization-defined frequency>, etc.), these values must be defined and documented by the organization.

Similarly, if the criteria specify a "Selection" among multiple options (e.g. [Selection (one or more): as needed; ]), the option(s) implemented by the organization must also be defined and documented.

Conformance Criteria (3)

C1
The III portion of the log shall clearly identify both the operator and the authorized receiving agency.
Citation
CJIS-SP-V5-4
Section 5.4.7.
C2
III logs shall also clearly identify the requester and the secondary recipient.
Citation
CJIS-SP-V5-4
Section 5.4.7.
C3
The identification on the log shall take the form of a unique identifier that shall remain unique to the individual requester and to the secondary recipient throughout the minimum one year retention period.
Citation
CJIS-SP-V5-4
Section 5.4.7.