Frequently Asked Questions (FAQs)


General Questions

Accessing the Training Site

There are three ways to access/register for the 28 CFR Part 23 online training:
  1. Regional Information Sharing Systems (RISS) members may access the training through the secure RISS portal. Instructions may be found here: https://28cfr.ncirc.gov/documents/Accessing_28CFRPart23_training_RISS.pdf.

  2. Members with a secure account through the Federal Bureau of Investigation’s (FBI) Law Enforcement Enterprise Portal (LEEP) may log in to LEEP to access the training. Instructions may be found here: https://28cfr.ncirc.gov/documents/Accessing_28CFRPart23_training_LEEP.pdf.

  3. If your agency was previously provided with a preauthorization code, you may register for the training using that code by selecting the “LOG IN or SIGN UP” menu button located on the top left side of the home page. Enter your email address and password, then select “Preauthorization Registration.” (Note: New preauthorization codes are no longer being issued.)

To log in to the training, select the activation link that is included in the verification email you received. Once you have activated your account, you can log in to the training from the log-in screen.

The link https://28cfr.ncirc.gov/documents/Accessing_28CFRPart23_training_RISS.pdf contains instructions on how to access the training after logging in to RISS. The 28 CFR Part 23 training program does not manage the RISS website. If you experience issues with the RISS Program website, please submit an email to the RISS Help Desk at support@riss.net.

The link https://28cfr.ncirc.gov/documents/Accessing_28CFRPart23_training_LEEP.pdf contains instructions on how to access the training after logging in to LEEP. Your LEEP account will need to be marked with the standard “law enforcement designation” which will allow you to see the 28 CFR Part 23 training once signed in to LEEP. The 28 CFR Part 23 training program does not manage the LEEP website. If you have logged in to LEEP and do not see the training, your agency will need to update your account with a “sworn law enforcement” designation. To update this information in LEEP, please contact the FBI’s LEEP Program Office at leoprogramoffice@leo.gov or call (888) 334-4536.

If you have already registered for an account, go to the log-in screen and enter your email address and password. It must be the same email and password used during registration.

There is a “Forgot Password?” link located on the log-in screen. Select the link to access instructions on how to create a new password.

Preauthorization Codes

Please email your agency and division name to the program staff at 28CFR23Info@ncirc.gov to inquire whether your agency has a preauthorization code. If your agency has an established preauthorization code, 28 CFR Part 23 program staff will contact you with the preauthorization agent’s information. If your agency does not have a preauthorization code, 28 CFR Part 23 program staff will notify you and you will have to access the training either through a RISS or LEEP account.

Registration approval emails are often caught in the spam or junk mail filter and can be found within that folder. If you have checked this folder and still cannot locate the approval email, please contact the program staff at 28CFR23Info@ncirc.gov.

Unfortunately, no new preauthorization codes are being issued at this time. Individual users will need to access and take the 28 CFR Part 23 online training by using either a RISS or LEEP account.

Please email the program staff at 28CFR23Info@ncirc.gov to request a Preauthorization Agent Change Form. This form will need to be completed and returned to the program staff. The staff will make the necessary updates to the account and will notify you when that process is complete.

Only individual users are permitted to print their certificates of completion. Users must log in to their accounts to access and print their certificates

Account Questions

Once you have logged in to the training, your name and email address will appear in the top right corner. Select your name to access options for changing your account information. Please ensure that you select “Submit” to save the updated information before exiting the screen.

Training

There is no mandatory retraining requirement in the 28 CFR Part 23 regulation. Earned certificates do not expire. However, many agencies require their staff to retake the training every year as part of agency policy to refresh employee knowledge on the regulation’s requirements. To support this annual agency activity, the 28 CFR Part 23 online training is programmed so that, after earning a certificate, users’ accounts automatically convert to a “review mode” for one year and transition out of “review mode” in readiness for retaking the training a year later. If, however, a user would like to retake the training before one year has passed, simply select the “Retake Training” button shown within your account page in the earned certificate box.

This training program consists of five modules. Before beginning the training, review the Training Instructions to ensure the best user experience. These include important technical recommendations for the best module performance and information on user completion statuses and certificates of completion.
  1. Agency information—Prior to taking the training, users are encouraged to familiarize themselves with the following agency information to better understand how to implement regulation requirements within their agency.
    • The agency’s policies and procedures
    • The agency’s standard definitions of need to know and right to know
  2. Technical specifications—Training modules incorporate the use of graphics and video. To ensure the best experience, refer to the following recommended technical specifications:
    • Web Browsers: Use the most current version available. Google Chrome, Microsoft Edge, and Apple Safari are preferred. Internet Explorer is no longer supported.
    • Internet Speed: A solid and fast broadband internet connection will reduce buffering and time spent waiting for content to load.
    • Devices: Laptops or desktop computers provide the best format for viewing the modules. While the training can be completed on a mobile device, such as a smartphone or tablet, not all mobile devices are compatible with the training platform. Outdated devices or operating systems may also affect performance.
  3. Completion of modules—Please complete each module in the order shown.
    • Self-Paced Completion: Modules are self-paced, allowing users to complete them in multiple sessions.
    • Locked Module Topics: A topic menu is located on the left-hand side of each module’s viewing window. Menu items are locked until the user views that topic in its entirety. Once the topic has been viewed, users may reselect the topic to review the information again before moving on to other topics or to the module quiz.
    • Completion Statuses: After each module is completed and the system processes the completion status, a check mark will appear next to that module. If a check mark does not appear, refresh the page.
      Lesson completed
    • Quizzes: Each module contains a brief quiz, for which users must receive a 100 percent score. For any incorrect answers, the module will provide reviews of missed content and will repeat quiz questions.
    • Exiting Modules: To exit a module at any time, close out the browser window (select “X”) to return to the training modules page. Your progress will be saved.
    • Certificate of Completion: A certificate of completion will be earned and displayed on this page once all modules are complete with 100 percent quiz scores. If the certificate does not appear, refresh the page.

Regulation Questions

General

28 Code of Federal Regulations (CFR) Part 23 (28 CFR Part 23) is a U.S. Department of Justice regulation that governs the operation of interjurisdictional and multijurisdictional criminal intelligence systems that are operated by and principally for the benefit of state, local, tribal, or territorial law enforcement agencies. If a project is supported with funding under the Omnibus Crime Control and Safe Streets Act of 1968, as amended (Safe Streets Act), or is required to comply by grant special condition (e.g., High Intensity Drug Trafficking Areas, Homeland Security Grant Program) or state law (e.g., Texas), then the project must comply with the regulation.

28 CFR Part 23 has become the de facto national standard for criminal intelligence information sharing. The National Criminal Intelligence Sharing Plan recommends that law enforcement agencies follow the tenets of the regulation regarding the collection/submission, access or storage, and dissemination of criminal intelligence information by law enforcement agencies regardless of whether the criminal intelligence system is subject to the regulation. By using the operating principles of 28 CFR Part 23, intelligence projects and member or participating law enforcement and homeland security agencies will ensure that their criminal intelligence information sharing activities conform with sound practices that protect the privacy and constitutional rights of individuals and organizations.

A “criminal intelligence system” provides a way to receive, store, and share or exchange criminal intelligence information (and other information and intelligence). According to 28 CFR Part 23, a criminal intelligence system includes the facilities, equipment, agreements, and procedures used for the receipt, storage, interagency exchange or dissemination, and analysis of criminal intelligence information. Most intelligence projects have established an electronic database in a criminal intelligence system to store and share criminal intelligence information. Other agencies participate in an intelligence project, such as one of the six Regional Information Sharing Systems (RISS) Centers, which operates a criminal intelligence system. Although multiple databases and applications may be maintained on the same criminal intelligence system, 28 CFR Part 23 only applies to the database that contains criminal intelligence information.

The regulation defines an “intelligence project” (or “project”) as “the organizational unit which operates:

  1. An intelligence system on behalf of or for the benefit of a single agency; or
  2. An interjurisdictional intelligence system on behalf of a group of participating agencies.”

Users of criminal intelligence systems may recognize a project by another name. Other commonly used names for a project include “center,” such as a RISS Center, and “unit,” such as a gang unit. Sometimes, a gang unit may operate an intelligence system and serve as a project.

The project typically manages the criminal intelligence system. Most criminal intelligence databases are “pointer index” systems containing subject and crime identification information (structured), while others are narrative or report-based (unstructured) criminal intelligence databases. 28 CFR Part 23 applies to both types of databases.

The regulation defines a “participating agency” as “a local, state, or federal agency or governmental unit which:

  1. Exercises law enforcement or criminal investigation authority; and
  2. Is authorized to submit and receive criminal intelligence information through an interjurisdictional intelligence system.”

A law enforcement or homeland security agency may be a participating agency.

Users may recognize this entity (participating agency) by other names. Commonly used names include “member agency” and “nonmember agency.”

“Criminal intelligence information” is data that has been evaluated (analyzed) to determine that it (1) is relevant to the identification of, and the criminal activity engaged in by, an individual or organization that is reasonably suspected of involvement in criminal activity; and (2) meets criminal intelligence system submission criteria. It is information that is developed from data gathered by investigators and analysts. Criminal intelligence, because it has undergone some form of evaluation or analysis, indicates to law enforcement that the subject is likely to be involved in some definable criminal activity. It is more than separate pieces of information, which by themselves mean nothing; but rather, when used collectively, they show an investigator or analyst something about the subject’s criminal involvement. For example, when an investigator analyzes information and determines that there is “reasonable suspicion” that a subject (whether an individual or an organization, such as a gang business) is reasonably suspected of being involved in a definable criminal activity or enterprise, that information qualifies as criminal intelligence and may be stored in a criminal intelligence system database and disseminated as criminal intelligence information.

Criminal intelligence information subject to 28 CFR Part 23 is analyzed information related to an identified criminal subject and the definable criminal activity in which the subject is reasonably suspected of being involved. Other types of intelligence include tactical intelligence (a deconfliction system is used to help make tactical decisions); strategic intelligence, which may be associated with crime analysis activities and long-term planning; and operational intelligence, such as criminal intelligence information and other types of evaluated data housed in a variety of law enforcement systems.

Only criminal intelligence information records are in the system’s criminal intelligence database. However, the 1998 Bureau of Justice Assistance Policy Clarification expressly states that an inquiry to a criminal intelligence system may trigger searches of additional databases or information systems that result in the dissemination of information or intelligence from those other databases or systems; therefore, any criminal intelligence information that is disseminated must be clearly labeled to identify it as such.

Projects may conduct federated searches, accessing information on subjects across a spectrum of non-intelligence information sources such as:

  • Criminal history records
  • Wants and warrants
  • Case investigative files
  • Case management systems
  • Records Management System data
  • Records Management System data
  • Deconfliction systems
  • Identification systems
  • Tips and leads, including suspicious activity reporting

Such federated searches may be conducted without those systems being brought under 28 CFR Part 23. This also means that multiple databases and applications may be maintained on the same computer system, although 28 CFR Part 23 only applies to the system’s database that contains criminal intelligence information. The 1998 Policy Clarification therefore requires the two types of data (i.e., criminal intelligence information and non-intelligence information) to be separated and identified in a manner to make it clear to operators and users of the information when criminal intelligence information is being accessed. A range of mechanisms may be utilized to provide such notice, including:

  • Using multiple windows.
  • Employing different color schemes for the different types of data.
  • Clearly labeling the nature of the information displayed.

No agency or individual is required to take the online course unless required to do so as a matter of agency policy. The regulation requires participating agencies, if certain responsibilities are delegated to them, to be properly trained. To satisfy this requirement, many intelligence projects require that individuals who will access or receive criminal intelligence information take the course as a prerequisite to accessing or receiving criminal intelligence information.

No changes have been made to the regulation since 1993, and no changes are currently under consideration.

The Bureau of Justice Assistance website offers an online training course certification.

Applicability and Scope of 28 CFR Part 23

28 CFR Part 23 applies to state, local, tribal, or territorial agencies if they are operating interjurisdictional or multijurisdictional criminal intelligence systems that are supported with Crime Control Act funding. For participating or member agencies, the intelligence project’s operating policies, as set forth in a participation or membership agreement, govern their submission, access, use, retention/destruction, and any third-party dissemination of criminal intelligence information received from the intelligence project.

Information that is maintained in a criminal intelligence system and that cannot be disseminated outside the agency in any manner under any circumstances is not subject to the regulation, even if it is supported with Crime Control Act funds.

The regulation sets forth the minimum operating principles and funding guidelines that a project must incorporate into its operating policies and procedures. Additional (or more restrictive) state, local, tribal, or territorial agency criteria also can be provided in project operating policies and procedures, provided they are consistent with the regulation.

Criminal intelligence information records entered into a criminal intelligence database are generally limited to pointer information designed to identify the criminal subject and his or her criminal activity. As a general rule, any information that is relevant to the identification of the criminal subject and the criminal activity can be entered into an information field (structured data) or a free-text narrative (unstructured data). However, information cannot be included in a criminal intelligence information record when:
  • The information is illegally obtained.
  • The information is irrelevant.
  • The information identifies a noncriminal individual or organization, unless entered and identified as noncriminal identifying information.
  • The information is subject to civil rights and civil liberties protection.

A crime bulletin is generally a distillation of fact-based information and is not subject to 28 CFR Part 23. An intelligence bulletin is an “intelligence product” because it is based on the evaluation/analysis of information. Dr. David Carter, in Law Enforcement Intelligence: A Guide for State, Local, and Tribal Law Enforcement Agencies (2nd Ed., 2009), defines the term “intelligence product” as “reports or documents that contain assessments, forecasts, associations, links, and other outputs from the analytic process that may be disseminated for use by law enforcement agencies for prevention of crimes, target hardening, apprehension of offenders, and prosecution.” However, an intelligence bulletin is only subject to 28 CFR Part 23 if the bulletin identifies a criminal subject based on a criminal intelligence information record.

No SOPs are established or required for criminal intelligence systems. Rather, the regulation provides a policy framework (sometimes referred to as a guideline or guidelines) that intelligence projects use to guide them in establishing their own operating policies and procedures (sometimes referred to as SOPs). Each Regional Information Sharing Systems (RISS) project, for example, has its own unique set of bylaws and operating policies and procedures (though all operate under common Bureau of Justice Assistance Program Guidance and overall RISS policies).

Only criminal intelligence information records that meet the reasonable suspicion criteria and other 28 CFR Part 23 operating principles and are shared between agencies by an intelligence project are subject to the regulation. Fact-based or uncorroborated information (case investigative files, case management systems, incident/offense reports, field interview cards or contact files, criminal history records, arrest blotters, Records Management System data, tips and leads, including Suspicious Activity Reports, etc.) and other types of information or intelligence gathered/collected and shared by state, local, tribal, or territorial law enforcement and intelligence agencies are not subject to 28 CFR Part 23.

An investigator, for example, might start the process of developing a criminal case using the information contained in a tips and leads file. Investigating the tips and leads information could produce adequate information that, when analyzed, meets the reasonable suspicion standard. If it meets the reasonable suspicion standard, a record on that subject could be entered into a criminal intelligence database. The information from the tips and leads file, as well as any other investigative information gathered, would need to be kept as supporting documentation for that record.

This is a matter of agency policy, but generally, this type of information is restricted to internal agency use for recordkeeping and deconfliction.

LPR data may be stored in and accessed through a criminal intelligence system. Agencies use different types of information (e.g., criminal history, Suspicious Activity Reports [SARs]) and intelligence (e.g., criminal intelligence information) as part of their intelligence or investigative activities. Keep in mind that each type of information and intelligence is governed by laws, regulations, and policies. LPR information, as collected and maintained in an LPR database, is not considered intelligence, criminal history, or SAR information. As such, the laws, regulations, and policies that apply to those types of information and intelligence may not apply to LPR information until such time as an LPR record is downloaded and incorporated into an intelligence or investigative case file.

No, there are several key reasons why all suspected crimes/criminals cannot be entered into a criminal intelligence system. First, in accordance with 28 CFR § 23.20(c), an officer, investigator, or employee of the agency must have an identified criminal subject (individual or organization). Second, the investigators analyze the available information and determine that there is reasonable suspicion that the subject is engaging in an identifiable criminal activity or enterprise. Third, the criminal activity or enterprise identified must meet the project’s submission criteria (see 28 CFR § 23.30(b)(1–3) for the types of criminal activity eligible to be submitted).

Generally, subjects—whether individuals or organizations—of criminal intelligence information are or have been involved in an active investigation. While no accepted definition of a “person of interest” exists, it is safe to say that all criminal intelligence information subjects who are individuals are “persons of interest” to law enforcement. Under these circumstances (and assuming that the regulation applies to the intelligence system), the retention and/or dissemination of the subject’s criminal intelligence information record would be subject to the requirements in 28 CFR § 23.20.

On the other hand, many “persons of interest” in criminal investigations do not qualify as criminal subjects under 28 CFR Part 23 because the investigator cannot make the requisite reasonable suspicion determination. Under these circumstances, 28 CFR Part 23 would not be applicable.

Generally speaking, correctional agencies do not collect and share criminal intelligence information. However, inmate and threat group information may be collected for offender management and officer safety purposes. Identified threat groups are usually not limited to criminal organizations, and the determination of a “threat” is not based on a determination of reasonable suspicion. Consequently, this type of information generally does not meet the criteria for criminal intelligence information and would not need to comply with the regulation. However, instances may occur where a correctional investigative or intelligence unit undertakes the function of evaluating information for a determination of reasonable suspicion and either has a separate database that houses only criminal intelligence information or submits a record to an intelligence project, such as a Regional Information Sharing Systems (RISS) project, but generally, 28 CFR Part 23 is too restrictive for broader correctional system needs.

First, a criminal intelligence information submission requires that the criminal subject be currently involved in a criminal activity or enterprise. If the prison gang is a criminal organization and, based on a determination of reasonable suspicion, involved in current criminal activity and that gang is the subject of a criminal intelligence information record, then the parolee can be included in a criminal intelligence system. Absent that circumstance, unless the parolee’s criminal activity is occurring outside of the prison, he or she cannot be entered into the system’s criminal intelligence database. Second, 28 CFR Part 23 does not allow for “temporary” files absent reasonable suspicion of involvement in a current activity or enterprise.

It should be noted that an individual’s status as an inmate, probationer, parolee, or registered sex offender is insufficient to support a criminal intelligence information submission on its own. There must be reasonable suspicion that the individual is currently involved in a definable criminal activity or enterprise to support a submission of criminal intelligence information.

A criminal gang may qualify as an “organization” for purposes of 28 CFR § 23.20(c). When a criminal gang is identified as the subject of the record, this record is considered criminal intelligence information that is subject to 28 CFR Part 23 if the record is entered into the system’s criminal intelligence database.

Criminal gangs are often defined by certain attributes and activities under state law, and if that is the case, a project must follow that law in identifying a criminal gang. If not defined by law, a criminal gang must, at a minimum, be determined to be primarily or significantly involved in a definable criminal activity or enterprise that meets project submission criteria. Once a criminal gang has been identified and entered into the system’s database, any individual identified as a member of that gang—again using state law criteria or, if there is no law, project-established criteria—can be entered into the criminal intelligence system as a criminal subject without individualized reasonable suspicion. Consequently, if the criminal gang were to go out of existence or its retention period were to expire without being validated for a new retention period, those members identified as criminal subjects by reason of their membership in the criminal gang would need to be purged from the database or individualized reasonable suspicion would need to be established.

This line of reasoning applies to any type of criminal organization and its members, employees, etc.

The Global Justice Information Sharing Initiative (Global), a U.S. Department of Justice Federal Advisory Committee, issued the Fusion Center Privacy, Civil Rights, and Civil Liberties Policy Development Template, Version 3.0 to assist agencies in the development of comprehensive privacy, civil rights, and civil liberties protection policies that include references to 28 CFR Part 23 for criminal intelligence information.

The regulation applies to fusion center liaison officers in the same manner as it does any other user.

State laws that are more restrictive than the regulation apply to a criminal intelligence system subject to the state law. If a state’s law is less restrictive or conflicts with the regulation, 28 CFR Part 23 governs that aspect of the operation of the system. (See King v. Smith, 392 U.S. 309 (1968).)

Information Gathering and Submission/Collection

28 CFR Part 23 does not apply directly to the gathering of information by an investigative or intelligence agency but rather to a project’s collection of criminal intelligence information. The project has the responsibility to ensure that (1) criminal intelligence information it collects meets the reasonable suspicion standard (delegable to a submitting agency); (2) the information is relevant to the criminal activity or the identification of the criminal subject; (3) the information was not obtained in violation of applicable local, state, or federal laws or ordinances (delegable to a submitting agency); and (4) the information is labeled to indicate levels of sensitivity, levels of confidence, and the identity of submitting agencies and control officials.

The “level of sensitivity” refers to how the intelligence information should be disseminated. Typically, the submitter sets a designation to classify how the information will be released. The following is an example of how a project may opt to set three levels of dissemination based on the sensitivity of the intelligence:

  1. Open—Disseminate the criminal intelligence information record to the inquirer when there is a hit, with no further action required.
  2. Release Agency Name Only—Provide only the controlling agency name and contact information.
  3. Restricted—Do not disseminate the criminal intelligence information record or even indicate that there has been a hit. Notify the controlling agency.

Projects will develop the levels of sensitivity and train all participating agencies as to the usage of each level. The “level of confidence” gives the recipient an indication of how the submitter assesses the content of the record. Level of confidence is a two-part process:

  1. “Source reliability” refers to the reliability of the source of the information.
  2. “Content validity” refers to the accuracy or truthfulness of the information.

Most projects will establish a range for source reliability and content validity. The following are examples of those ranges:

Source Reliability:

  1. Reliable—The reliability of the source is unquestioned or has been well tested in the past.
  2. Usually Reliable—The source can usually be relied upon.
  3. Unreliable—The reliability of the source has been sporadic in the past.
  4. Unknown—The reliability of the source cannot be judged.

Content Validity:

  1. Confirmed—The information has been corroborated by an investigator or another reliable source.
  2. Probable—The information is consistent with past accounts.
  3. Doubtful—The information is inconsistent with past accounts.
  4. Cannot Be Judged—The information cannot be judged.

These codes allow the inquirer to assess the value of the record. For example, if an inquirer gets a hit and reads a record from a Regional Information Sharing Systems (RISS) Center that has source reliability and content validity codes of 1 or 2, using the above examples, then the recipient should deduce this to be very solid intelligence. It should be noted that a combination of source reliability “Unreliable” or “Unknown” and content validity “Doubtful” or “Cannot Be Judged” would not meet the 28 CFR Part 23 reasonable suspicion standard and that the information should not be entered into a criminal intelligence database.

Yes. The 1998 Bureau of Justice Assistance Policy Clarification of 28 CFR Part 23 allows for the inclusion of such information as “noncriminal identifying information” under the following circumstances:

  • The information is relevant to the identification of a criminal subject or the criminal activity.
  • Appropriate disclaimers or labels must accompany the information noting that it is strictly identifying information carrying no criminal connotation.
  • Identifying information may not be used as an independent basis to meet the requirement of reasonable suspicion of involvement in criminal activity necessary to create a record in a criminal intelligence system.
  • The individual who is the criminal subject identified by this information must meet all requirements of 28 CFR Part 23.

The noncriminal identifying information may be added to an existing or new record of a criminal subject in the database. Also, note that noncriminal identifying information that pertains to a subject’s political, religious, or social views, associations, or activities can be entered only if it directly relates to the criminal activity or involvement in which the subject is reasonably suspected of being engaged.

With a few exceptions, espousing violent acts is protected speech that, by itself, is not sufficient to make a group a criminal organization. Consequently, the individual cannot be identified as a criminal subject by virtue of his or her affiliation with the group.

No. Holding sovereign citizen (or other non-mainstream) beliefs is protected under the First Amendment. It is only when those beliefs result in criminal conduct or activity, including criminal threats, that there is a valid law enforcement purpose for gathering information on that individual and, if reasonable suspicion is established, submitting/collecting criminal intelligence information.

Reasonable suspicion, as defined in 28 CFR Part 23, is the standard for making a submission of criminal intelligence information to a system’s criminal intelligence database. Probable cause is a higher standard that applies to searches, arrests, and prosecutions in criminal courts. However, as expressly defined in applicable law, it essentially means there is a reasonable belief that something is more likely than not based on articulable facts.

This is a matter of participating agency and project policies.

Yes, an individual’s personal notes, like the underlying investigative or other files, are not subject to the regulation. Rather, they are subject to the agency’s internal policies and procedures.

No, although the project needs to have a backup system to prevent a loss of criminal intelligence record information in the event of a natural or manmade disaster (28 CFR § 23.20(g)(4)).

If it is a crime under state law, it can be entered if eligible under project submission criteria.

User Access to and Use of Criminal Intelligence Information

No threshold exists to make an inquiry other than a valid law enforcement purpose. Reasonable suspicion does not need to exist to make an inquiry. The criteria in the regulation is that information will be disseminated only in response to an inquiry when there is a need to know and a right to know the information in the performance of a law enforcement activity.

The recipient must agree to treat the disseminated criminal intelligence in a manner consistent with the operating principles established by 28 CFR Part 23 and the project as reflected in the project’s operating policies and procedures.

A federal agency participating in a criminal intelligence system subject to 28 CFR Part 23 must follow project-established participation requirements based on the regulation’s operating principles in the same manner as any other participating or member agency.

U.S. Department of Justice, Office of Justice Programs, legal opinions hold that federal and state homeland security agencies engage in “law enforcement activity,” as that term is used in 28 CFR § 23.20(e), in describing authorized recipients of criminal intelligence information. If your agency and your job function fall within the “right to know” and “need to know” definitions of your fusion center or other intelligence project for its criminal intelligence system, your agency and you (if you are an authorized user) may access criminal intelligence information as a member or participant in the intelligence project.

Generally, fire service and other non-law enforcement or homeland security agencies are not eligible to submit and access criminal intelligence information, except to the extent that their personnel have law enforcement authority, such as an arson investigator, and a need to know the information in the performance of their job function. However, a fire service agency and its personnel can receive an intelligence assessment related to the agency’s mission that does not identify specific criminal subjects and is based, in whole or in part, on an analysis of criminal intelligence information.

That would be a matter of the other agencies’ user participation policies.

The regulation does not govern how long an investigative file can remain open or be retained by a user agency. These are matters of project and recipient agency policies.

Source Agency Documentation

Source documentation (generally an investigative or case file) that supports a criminal intelligence information record submission must be maintained by the agency that submits the record to the project. This responsibility ends when the intelligence record is purged from the system. Source documentation may be kept in whatever format the agency would normally keep such information; it is not part of a criminal intelligence information record. The source documentation is not otherwise subject to the regulation, and its disposition is a matter of agency policy and applicable state and/or local record retention, storage, and purge requirements. The Bureau of Justice Assistance is not aware of any case studies of liability for improper record retention.

Storage and Retention, Including Security

Once a decision is made to store and maintain a criminal intelligence information record, the record is entered into the criminal intelligence system (paper or electronic). The project must have the following safeguards in place:

  • Administrative, technical, and physical safeguards (including audit trails) to ensure against unauthorized access and against intentional or unintentional damage (28 CFR § 23.20(g))
  • Additional security requirements, including (1) where appropriate, effective and technologically advanced computer software and hardware designs to prevent unauthorized access to information in the system; (2) access to facilities, operating environment, and documentation is restricted to organizations and personnel authorized by the project; (3) information is stored in the system in a manner such that it cannot be modified, destroyed, accessed, or purged without authorization; (4) procedures to protect criminal intelligence information from unauthorized access, theft, sabotage, fire, flood, or other natural or manmade disaster; and (5) rules and regulations based on good cause for implementing the project’s authority to screen, reject for employment, transfer, or remove personnel authorized to have direct access to the system (28 CFR § 23.20(g)(1)–(5))
  • Procedures to ensure that the information retained has relevancy and importance, including periodic review of the information and the destruction of any information that is misleading, obsolete, or otherwise unreliable. Any information retained as a result of the review must reflect the name of the reviewer, date of review, and explanation of the decision to retain (28 CFR § 23.20(h)).
  • A system for the review and validation or purge of each submission to the system prior to the expiration of its retention period (up to five years) (28 CFR §23.20(h))

Intelligence, other than criminal intelligence information, is not subject to 28 CFR Part 23. It may, however, be governed by other laws, regulations, or policies.

Agencies should consider implementing different features that address training, policy adoption and implementation, supervision, and oversight. Specific items might include annual training requirements, staff-written acknowledgement of agency policy, and regular system audits and inspections of member agencies and users. Proper management of criminal intelligence information records and investigative files involves agency classification of information and the implementation of an effective process to ensure that a valid law enforcement purpose exists for the collection of all information and intelligence (a criminal nexus or authorized purpose, such as a background check or deconfliction). To demonstrate your commitment to privacy and civil liberties, consider:

  • Adopting a comprehensive privacy, civil rights, and civil liberties (P/CRCL) policy.
  • Posting your P/CRCL policy on your website.
  • Entering into a dialogue with your community about your agency’s mission and goals.

No. Criminal intelligence information records continue to be subject to a retention period of up to five years, as established by the intelligence project, at the end of which the information must either be purged from the system or validated for a new retention period in accordance with the regulation and the project operating policy.

Supporting documentation can be stored in an RMS. No separate database or file system is required for criminal intelligence information if it is labeled as criminal intelligence information to distinguish it from other information and the regulation’s provisions can be appropriately implemented.

Dissemination

Key provisions related to dissemination include:

  • Criminal intelligence information can only be disseminated when there is a need to know and a right to know the information in the performance of a law enforcement activity (28 CFR § 23.20(e)).
  • Recipients of criminal intelligence information must agree to follow procedures regarding receipt, maintenance, security, and further dissemination of the information that are consistent with the operating principles set forth in the regulation (28 CFR § 23.20(f)(1)). However, an assessment of the information (with no personally identifiable information) can be disseminated to a government official or any other individual when necessary to avoid imminent danger to life or property (28 CFR § 23.20(f)(2)).
  • The project must maintain a record of who has been given information, the reason for the release, and the date of each dissemination outside the project (28 CFR § 23.20(g)).
  • Information that is disseminated must be labeled to indicate levels of sensitivity, levels of confidence, and the identity of submitting agencies and control officials (28 CFR § 23.20(g)).

Efficient dissemination that protects privacy includes (1) use of direct remote terminal access with appropriate audit trails (who, what, when, and why) and adoption of the additional security requirements (28 CFR § 23.20(i)) outlined in the 1993 Regulation Commentary and (2) use of encryption in the exchange of criminal intelligence information.

In addition to the key provisions noted above, an appropriate information sharing agreement should exist between the projects. One example of the type of sharing is when a state, local, tribal, or territorial project’s criminal intelligence database is a node on a Regional Information Sharing Systems (RISS) project and the entire database is periodically downloaded to the RISS Criminal Intelligence Database (RISSIntel). This reduces the need for multiple searches and facilitates broader sharing of criminal intelligence information.

Validation/Purge

The maximum retention period is five years. A record must be either purged at the end of the established retention period or undergo a review and validation process before the end of the retention period. If a record is purged, then it must be removed from the criminal intelligence system.

If a record is reviewed and validated, it will receive a new retention period of up to five years. This may occur at any time during the retention period. For a record to be validated, the submitting agency must determine that the subject is still reasonably suspected of involvement in current criminal activity. Simply updating the identifying information about the subject during the retention period is not enough, by itself, to indicate that the subject is still reasonably suspected of involvement in current criminal activity. In other words, the submitting agency must determine that the record continues to meet the 28 CFR Part 23 submission criteria. The submitter can do so by providing additional information about the subject, such as a new criminal associate or involvement in a different criminal activity, or updating information about the criminal activity. Through this process, the submitter can validate the record for a new retention period of up to five years.

Submission or maintenance of a criminal intelligence information record does not depend upon whether an investigation is underway or whether an investigation is open or closed. At the end of the retention period, it is up to the submitter to validate the information (and update the record, as needed) based on reasonable suspicion of the subject’s current or continuing involvement in an identified criminal activity or enterprise that meets project submission requirements. If the record cannot be validated for a new retention period, it must be purged from the system.

Yes, every criminal intelligence system subject to 28 CFR Part 23 must have a purge policy and procedure. It can be as simple as an automatic purge from the system, with no notice to the submitter, at the end of the project’s retention period.

When criminal intelligence information is purged from a 28 CFR Part 23-compliant database, the intelligence project must ensure that the criminal intelligence information record can no longer be disseminated (shared) outside of the project; i.e., it is removed from an electronic or paper system such that it cannot be disseminated from the system.

Although the regulation does not provide for an “inactive” status, it requires the project to remove the record from the system so that it can no longer be shared outside the project or return it to the submitting agency. Generally, projects either destroy the record, return it to the submitter, or keep only identifier information and delete the substance of the record (data minimization). The key is to ensure that the record is not searchable or accessible as a criminal intelligence information record.

Yes. No provision exists in 28 CFR Part 23 for tolling (suspending) the retention period during a period of incarceration.

Protecting Privacy, Civil Rights, and Civil Liberties

Law enforcement recognizes that the public is concerned about what types of and how much information is being collected, as well as when and how that information is being used and shared. The events of September 11, 2001, have made the average American aware that law enforcement must collect and share information and intelligence. Conversely, the public is concerned about the scope of collecting and sharing information and its impact on civil liberties and privacy. The National Criminal Intelligence Sharing Plan, Version 2.0, offers an approach to protecting civil liberties by confining, structuring, and checking discretion through the establishment of sound policies, systematic training, and vigorous oversight. Also, law enforcement agencies should be prepared to answer the public’s questions on law enforcement information practices and be ready to show the public that they are very concerned with the rights of individuals and the need to protect the confidentiality of information. Additional information, resources, and guidance regarding privacy, civil rights, and civil liberties protections can be found at https://www.it.ojp.gov/PrivacyLiberty.

The term “civil rights” refers to those rights and privileges of equal protection that government entities must afford to all individuals in the United States regardless of race, ethnicity, gender, national origin, religion, sexual orientation, gender identity, or other characteristics unrelated to the worth of the individual. Protection of civil rights means that government entities will take action to ensure that individuals are not discriminated against on the basis of any federal- or state-protected characteristic. Generally, the term “civil rights” involves positive (or affirmative) government action to protect against infringement, while the term “civil liberties” involves restrictions on government. The Fourteenth Amendment to the U.S. Constitution establishes that the rights to due process and equal protection guaranteed under the law apply equally to the states. These rights can be implicated if criminal intelligence information is based on protected characteristics through such activities as racial profiling or if erroneous information is collected and shared that leads to a loss of the rights of citizenship. Consequently, 28 CFR Part 23 prohibits the inclusion of information about the political, religious, or social views, associations, or activities of any individual or any organization unless such information directly relates to the criminal conduct or activity.

Religious affiliation information can only be included in a criminal intelligence information record if it directly relates to the subject’s criminal activity. For example, the use of a religious facility to plan criminal activity or to launder illegally obtained funds can be included in a record of the related criminal activity.

If a law enforcement agency receives notice of an expungement order that includes all law enforcement records pertaining to the defendant/petitioner, then the criminal intelligence information record and the investigative file need to be purged and the project needs to notify all recipients of the information of the change in the status of the record.

Agency Liability

28 CFR Part 23 requires that either an organizational unit within an agency or an organization that operates the criminal intelligence system on behalf of multiple organizations or jurisdictions will be ultimately responsible for compliance with the regulation. This unit or organization is referred to as the intelligence project. The project develops operating policies and procedures for the criminal intelligence system and conducts audits and inspections to ensure participating agency compliance.

One real-life example occurred when a multistate intelligence project subject to 28 CFR Part 23 delegated its responsibility to establish the existence of reasonable suspicion to member agencies but failed to provide required training to the agencies on determining reasonable suspicion and did not carry out the routine inspection and audit procedures that were required by both the regulation and project policy and procedure (28 CFR § 23.20(d)). The result was that individuals were improperly identified as criminal subjects, and the project was unaware of this pattern of violations of the regulation. A major lawsuit followed, agencies were subject to adverse publicity and loss of public and governmental confidence, employees were disciplined, and legislative restrictions were considered. The project implemented aggressive steps to identify and address the failures.

Legal ramifications may include litigation and a consent decree or limitations or restrictions on collection methods (such as the U.S. Supreme Court ruling requiring a warrant for cell phone searches). Other ramifications may include fines of up to $10,000 for each instance of noncompliance, as provided by the Crime Control Act; personal or agency embarrassment; loss of public confidence; loss of authority to operate a criminal intelligence system; and even criminal charges.

One common mistake is agency personnel accessing information and intelligence who do not have a “need to know” the information, including accessing information and intelligence out of curiosity or for personal purposes.

Another common mistake is, for 28 CFR Part 23, an agency’s failure to properly train personnel and participating agencies, to audit records to ensure that the information contained is relevant when submitted and continues to be relevant, and to purge or validate criminal intelligence information in a timely manner.

The project is required to promulgate rules and regulations based on good cause for implementing its authority to screen, reject for employment, transfer, or remove personnel authorized to have direct access to the system (28 CFR § 23.20(g)(5)) and to adopt sanctions for unauthorized access, utilization, or disclosure of information contained in the system (28 CFR § 23.20(m)). Sanctions might include suspension or expulsion of an agency or user from participation in the project, retraining, and referral for prosecution for mishandling official government information.

Requests/Demands for Criminal Intelligence Information

Dissemination or sharing of information in a criminal intelligence system is limited to recipients who have a “need and right to know the information in the performance of a law enforcement activity” (28 CFR §23.20(e)). When a participating agency in a criminal intelligence system submits a record on a criminal subject, it is usually agreeing to share the information with other participating agencies with a need and right to know the information. However, access to records can be restricted, even for authorized system users, through the use of the project’s sensitivity codes; for example, by providing that only a notification of a hit occur (with contact information provided) or that only the submitting agency be notified of a hit. In that way, the submitting agency can ultimately determine whether to contact the inquirer and, if so, what information would be appropriate and necessary to share.

The answer to this question depends in part on whether the criminal intelligence system is subject to 28 CFR Part 23 or whether the agency has voluntarily adopted the tenets of the regulation as a matter of sound policy. Dissemination or sharing of information in a criminal intelligence system is limited to recipients who have a “need and right to know the information in the performance of a law enforcement activity” (28 CFR §23.20(e)). Consequently, the subject of a criminal intelligence record would not qualify to receive the information from a system that is subject to the regulation. However, if the agency decides to adopt the operating principles of 28 CFR Part 23 as a matter of policy, then state open records laws would govern the right of a subject of a record to access the information. Such laws typically restrict access (through an exception or exemption) because the record qualifies as a law enforcement record or an investigative or intelligence file.

The federal Freedom of Information Act is not applicable to state or local criminal intelligence systems unless made applicable by state law. However, each state (and some local jurisdictions) has public access or open records statutes and other laws that govern access to and release of public agency information to the public. While these laws apply to criminal intelligence information maintained by a state or local agency in that state, 28 CFR Part 23 limits the dissemination of criminal intelligence information to individuals with a “need to know” the information in agencies that have a “right to know” the information, as these terms are defined by the project. Consequently, in projects that are subject to the regulation as a matter of law, 28 CFR Part 23 prohibits the dissemination or release of the information by the project on a voluntary basis or involuntarily, even if the information is otherwise subject to release under state law (see King v. Smith, 392 U.S. 309 (1968)).

Such records are occasionally the subject of a discovery request but have, without exception to date, been determined to be protected by the restrictions of the regulation or by state public records laws. However, in training on 28 CFR Part 23, it is suggested that no official actions be taken by law enforcement (search or arrest warrant, penalty enhancement, etc.) based on a criminal intelligence information record, but rather on the information in an investigative file or other underlying documentation.

Records on Juveniles

No 28 CFR Part 23 operating policies are unique to juvenile criminal subjects. However, some states—such as Wisconsin, Texas, and California—have enacted statutes that potentially impact how criminal intelligence information on juveniles is handled (e.g., Wisconsin Juvenile Code § 938.396; Texas Code of Criminal Procedure—CRIM P Art. 61.08; and California Penal Code §§ 186.34–36). While these statutes do not prescribe a specified period for retention of such records, the Wisconsin statute requires that law enforcement records pertaining to juveniles be stored separately from adult records and both the Texas and California statutes provide a right to review a juvenile’s record and contest whether it meets 28 CFR Part 23’s reasonable suspicion standard. If not, the record must be purged from the criminal intelligence database.

It is up to the project to ensure that any relevant state laws are being followed and to consider any policy-based limitations on criminal intelligence information related to juveniles. State laws of interest may include provisions related to the confidentiality of juvenile arrest and juvenile court records. Even though Florida does not have a statutory minimum age for juvenile court jurisdiction, the project may want to consider the issue of whether, as a matter of policy, it should establish a minimum age to enter information on a juvenile subject into the criminal intelligence database.

The International Association of Chiefs of Police (IACP), with funding from the Office of Juvenile Justice and Delinquency Prevention, has established a Juvenile Justice Training and Technical Assistance Program. The program provides training and guidance on interviewing juveniles.

Use of Social Media

No unique 28 CFR Part 23 provisions related to social media searches exist. However, intelligence projects need to be mindful that inclusion of social media links in criminal intelligence records can improperly incorporate information identifying individuals who are not criminal subjects.

Interested individuals should download and read resources developed by the Global Justice Information Sharing Initiative entitled Developing a Policy on the Use of Social Media in Intelligence and Investigative Activities and Real-Time Open Source Analysis (ROSA) Resource Guide.

28 CFR Part 23 and Suspicious Activity Reporting

No. SARs and information sharing environment-suspicious activity reports (ISE-SARs) are not criminal intelligence information because they do not need to meet the “reasonable suspicion” standard for criminal intelligence information.

Suspicious activity reports (SARs) determined to be terrorism-related under the two-part vetting process (ISE-SARs) detailed in the Information Sharing Environment-Suspicious Activity Reporting (ISE-SAR) Functional Standard must (1) meet one or more of 16 terrorism-related pre-operational behaviors and (2) considering all the available context, facts, and circumstances of the SAR, be determined by a trained analyst or investigator to have a potential nexus to terrorism.

A SAR or information sharing environment-suspicious activity report (ISE-SAR) that is determined to meet criminal intelligence information submission standards, including a determination of reasonable suspicion, also can be submitted to a criminal intelligence system. The Nationwide SAR Initiative (NSI) provides for SARs to be submitted to fusion centers or directly to eGuardian—but not to multiagency task forces other than Joint Terrorism Task Forces. Other multiagency task forces may submit or receive ISE-SARs as participants in the NSI.