Frequently Asked Questions (FAQs)
Accessing the Training Site
- Regional Information Sharing Systems (RISS) members may access the training through the secure RISS portal. Instructions may be found here: https://28cfr.ncirc.gov/documents/Accessing_28CFRPart23_training_RISS.pdf.
- Members with a secure account through the Federal Bureau of Investigation’s (FBI) Law Enforcement Enterprise Portal (LEEP) may log in to LEEP to access the training. Instructions may be found here: https://28cfr.ncirc.gov/documents/Accessing_28CFRPart23_training_LEEP.pdf.
- If your agency was previously provided with a preauthorization code, you may register for the training using that code by selecting the “LOG IN or SIGN UP” menu button located on the top left side of the home page. Enter your email address and password, then select “Preauthorization Registration.” (Note: New preauthorization codes are no longer being issued.)
Agency information—Prior to taking the training, users are encouraged to familiarize themselves with the following agency information to better understand how to implement regulation requirements within their agency.
- The agency’s policies and procedures
- The agency’s standard definitions of need to know and right to know
Technical specifications—Training modules incorporate the use of graphics and video. To ensure the best experience, refer to the following recommended technical specifications:
- Web Browsers: Use the most current version available. Google Chrome, Microsoft Edge, and Apple Safari are preferred. Internet Explorer is no longer supported.
- Internet Speed: A solid and fast broadband internet connection will reduce buffering and time spent waiting for content to load.
- Devices: Laptops or desktop computers provide the best format for viewing the modules. While the training can be completed on a mobile device, such as a smartphone or tablet, not all mobile devices are compatible with the training platform. Outdated devices or operating systems may also affect performance.
Completion of modules—Please complete each module in the order shown.
- Self-Paced Completion: Modules are self-paced, allowing users to complete them in multiple sessions.
- Locked Module Topics: A topic menu is located on the left-hand side of each module’s viewing window. Menu items are locked until the user views that topic in its entirety. Once the topic has been viewed, users may reselect the topic to review the information again before moving on to other topics or to the module quiz.
Completion Statuses: After each module is completed and the system processes the completion status, a check mark will appear next to that module. If a check mark does not appear, refresh the page.
- Quizzes: Each module contains a brief quiz, for which users must receive a 100 percent score. For any incorrect answers, the module will provide reviews of missed content and will repeat quiz questions.
- Exiting Modules: To exit a module at any time, close out the browser window (select “X”) to return to the training modules page. Your progress will be saved.
- Certificate of Completion: A certificate of completion will be earned and displayed on this page once all modules are complete with 100 percent quiz scores. If the certificate does not appear, refresh the page.
The regulation defines an “intelligence project” (or “project”) as “the organizational unit which operates:
- An intelligence system on behalf of or for the benefit of a single agency; or
- An interjurisdictional intelligence system on behalf of a group of participating agencies.”
Users of criminal intelligence systems may recognize a project by another name. Other commonly used names for a project include “center,” such as a RISS Center, and “unit,” such as a gang unit. Sometimes, a gang unit may operate an intelligence system and serve as a project.
The project typically manages the criminal intelligence system. Most criminal intelligence databases are “pointer index” systems containing subject and crime identification information (structured), while others are narrative or report-based (unstructured) criminal intelligence databases. 28 CFR Part 23 applies to both types of databases.
The regulation defines a “participating agency” as “a local, state, or federal agency or governmental unit which:
- Exercises law enforcement or criminal investigation authority; and
- Is authorized to submit and receive criminal intelligence information through an interjurisdictional intelligence system.”
A law enforcement or homeland security agency may be a participating agency.
Users may recognize this entity (participating agency) by other names. Commonly used names include “member agency” and “nonmember agency.”
Only criminal intelligence information records are in the system’s criminal intelligence database. However, the 1998 Bureau of Justice Assistance Policy Clarification expressly states that an inquiry to a criminal intelligence system may trigger searches of additional databases or information systems that result in the dissemination of information or intelligence from those other databases or systems; therefore, any criminal intelligence information that is disseminated must be clearly labeled to identify it as such.
Projects may conduct federated searches, accessing information on subjects across a spectrum of non-intelligence information sources such as:
- Criminal history records
- Wants and warrants
- Case investigative files
- Case management systems
- Records Management System data
- Records Management System data
- Deconfliction systems
- Identification systems
- Tips and leads, including suspicious activity reporting
Such federated searches may be conducted without those systems being brought under 28 CFR Part 23. This also means that multiple databases and applications may be maintained on the same computer system, although 28 CFR Part 23 only applies to the system’s database that contains criminal intelligence information. The 1998 Policy Clarification therefore requires the two types of data (i.e., criminal intelligence information and non-intelligence information) to be separated and identified in a manner to make it clear to operators and users of the information when criminal intelligence information is being accessed. A range of mechanisms may be utilized to provide such notice, including:
- Using multiple windows.
- Employing different color schemes for the different types of data.
- Clearly labeling the nature of the information displayed.
Applicability and Scope of 28 CFR Part 23
- The information is illegally obtained.
- The information is irrelevant.
- The information identifies a noncriminal individual or organization, unless entered and identified as noncriminal identifying information.
- The information is subject to civil rights and civil liberties protection.
Only criminal intelligence information records that meet the reasonable suspicion criteria and other 28 CFR Part 23 operating principles and are shared between agencies by an intelligence project are subject to the regulation. Fact-based or uncorroborated information (case investigative files, case management systems, incident/offense reports, field interview cards or contact files, criminal history records, arrest blotters, Records Management System data, tips and leads, including Suspicious Activity Reports, etc.) and other types of information or intelligence gathered/collected and shared by state, local, tribal, or territorial law enforcement and intelligence agencies are not subject to 28 CFR Part 23.
An investigator, for example, might start the process of developing a criminal case using the information contained in a tips and leads file. Investigating the tips and leads information could produce adequate information that, when analyzed, meets the reasonable suspicion standard. If it meets the reasonable suspicion standard, a record on that subject could be entered into a criminal intelligence database. The information from the tips and leads file, as well as any other investigative information gathered, would need to be kept as supporting documentation for that record.
Generally, subjects—whether individuals or organizations—of criminal intelligence information are or have been involved in an active investigation. While no accepted definition of a “person of interest” exists, it is safe to say that all criminal intelligence information subjects who are individuals are “persons of interest” to law enforcement. Under these circumstances (and assuming that the regulation applies to the intelligence system), the retention and/or dissemination of the subject’s criminal intelligence information record would be subject to the requirements in 28 CFR § 23.20.
On the other hand, many “persons of interest” in criminal investigations do not qualify as criminal subjects under 28 CFR Part 23 because the investigator cannot make the requisite reasonable suspicion determination. Under these circumstances, 28 CFR Part 23 would not be applicable.
First, a criminal intelligence information submission requires that the criminal subject be currently involved in a criminal activity or enterprise. If the prison gang is a criminal organization and, based on a determination of reasonable suspicion, involved in current criminal activity and that gang is the subject of a criminal intelligence information record, then the parolee can be included in a criminal intelligence system. Absent that circumstance, unless the parolee’s criminal activity is occurring outside of the prison, he or she cannot be entered into the system’s criminal intelligence database. Second, 28 CFR Part 23 does not allow for “temporary” files absent reasonable suspicion of involvement in a current activity or enterprise.
It should be noted that an individual’s status as an inmate, probationer, parolee, or registered sex offender is insufficient to support a criminal intelligence information submission on its own. There must be reasonable suspicion that the individual is currently involved in a definable criminal activity or enterprise to support a submission of criminal intelligence information.
A criminal gang may qualify as an “organization” for purposes of 28 CFR § 23.20(c). When a criminal gang is identified as the subject of the record, this record is considered criminal intelligence information that is subject to 28 CFR Part 23 if the record is entered into the system’s criminal intelligence database.
Criminal gangs are often defined by certain attributes and activities under state law, and if that is the case, a project must follow that law in identifying a criminal gang. If not defined by law, a criminal gang must, at a minimum, be determined to be primarily or significantly involved in a definable criminal activity or enterprise that meets project submission criteria. Once a criminal gang has been identified and entered into the system’s database, any individual identified as a member of that gang—again using state law criteria or, if there is no law, project-established criteria—can be entered into the criminal intelligence system as a criminal subject without individualized reasonable suspicion. Consequently, if the criminal gang were to go out of existence or its retention period were to expire without being validated for a new retention period, those members identified as criminal subjects by reason of their membership in the criminal gang would need to be purged from the database or individualized reasonable suspicion would need to be established.
This line of reasoning applies to any type of criminal organization and its members, employees, etc.
Information Gathering and Submission/Collection
The “level of sensitivity” refers to how the intelligence information should be disseminated. Typically, the submitter sets a designation to classify how the information will be released. The following is an example of how a project may opt to set three levels of dissemination based on the sensitivity of the intelligence:
- Open—Disseminate the criminal intelligence information record to the inquirer when there is a hit, with no further action required.
- Release Agency Name Only—Provide only the controlling agency name and contact information.
- Restricted—Do not disseminate the criminal intelligence information record or even indicate that there has been a hit. Notify the controlling agency.
Projects will develop the levels of sensitivity and train all participating agencies as to the usage of each level. The “level of confidence” gives the recipient an indication of how the submitter assesses the content of the record. Level of confidence is a two-part process:
- “Source reliability” refers to the reliability of the source of the information.
- “Content validity” refers to the accuracy or truthfulness of the information.
Most projects will establish a range for source reliability and content validity. The following are examples of those ranges:
- Reliable—The reliability of the source is unquestioned or has been well tested in the past.
- Usually Reliable—The source can usually be relied upon.
- Unreliable—The reliability of the source has been sporadic in the past.
- Unknown—The reliability of the source cannot be judged.
- Confirmed—The information has been corroborated by an investigator or another reliable source.
- Probable—The information is consistent with past accounts.
- Doubtful—The information is inconsistent with past accounts.
- Cannot Be Judged—The information cannot be judged.
These codes allow the inquirer to assess the value of the record. For example, if an inquirer gets a hit and reads a record from a Regional Information Sharing Systems (RISS) Center that has source reliability and content validity codes of 1 or 2, using the above examples, then the recipient should deduce this to be very solid intelligence. It should be noted that a combination of source reliability “Unreliable” or “Unknown” and content validity “Doubtful” or “Cannot Be Judged” would not meet the 28 CFR Part 23 reasonable suspicion standard and that the information should not be entered into a criminal intelligence database.
Yes. The 1998 Bureau of Justice Assistance Policy Clarification of 28 CFR Part 23 allows for the inclusion of such information as “noncriminal identifying information” under the following circumstances:
- The information is relevant to the identification of a criminal subject or the criminal activity.
- Appropriate disclaimers or labels must accompany the information noting that it is strictly identifying information carrying no criminal connotation.
- Identifying information may not be used as an independent basis to meet the requirement of reasonable suspicion of involvement in criminal activity necessary to create a record in a criminal intelligence system.
- The individual who is the criminal subject identified by this information must meet all requirements of 28 CFR Part 23.
The noncriminal identifying information may be added to an existing or new record of a criminal subject in the database. Also, note that noncriminal identifying information that pertains to a subject’s political, religious, or social views, associations, or activities can be entered only if it directly relates to the criminal activity or involvement in which the subject is reasonably suspected of being engaged.
User Access to and Use of Criminal Intelligence Information
Source Agency Documentation
Storage and Retention, Including Security
Once a decision is made to store and maintain a criminal intelligence information record, the record is entered into the criminal intelligence system (paper or electronic). The project must have the following safeguards in place:
- Administrative, technical, and physical safeguards (including audit trails) to ensure against unauthorized access and against intentional or unintentional damage (28 CFR § 23.20(g))
- Additional security requirements, including (1) where appropriate, effective and technologically advanced computer software and hardware designs to prevent unauthorized access to information in the system; (2) access to facilities, operating environment, and documentation is restricted to organizations and personnel authorized by the project; (3) information is stored in the system in a manner such that it cannot be modified, destroyed, accessed, or purged without authorization; (4) procedures to protect criminal intelligence information from unauthorized access, theft, sabotage, fire, flood, or other natural or manmade disaster; and (5) rules and regulations based on good cause for implementing the project’s authority to screen, reject for employment, transfer, or remove personnel authorized to have direct access to the system (28 CFR § 23.20(g)(1)–(5))
- Procedures to ensure that the information retained has relevancy and importance, including periodic review of the information and the destruction of any information that is misleading, obsolete, or otherwise unreliable. Any information retained as a result of the review must reflect the name of the reviewer, date of review, and explanation of the decision to retain (28 CFR § 23.20(h)).
- A system for the review and validation or purge of each submission to the system prior to the expiration of its retention period (up to five years) (28 CFR §23.20(h))
Agencies should consider implementing different features that address training, policy adoption and implementation, supervision, and oversight. Specific items might include annual training requirements, staff-written acknowledgement of agency policy, and regular system audits and inspections of member agencies and users. Proper management of criminal intelligence information records and investigative files involves agency classification of information and the implementation of an effective process to ensure that a valid law enforcement purpose exists for the collection of all information and intelligence (a criminal nexus or authorized purpose, such as a background check or deconfliction). To demonstrate your commitment to privacy and civil liberties, consider:
- Adopting a comprehensive privacy, civil rights, and civil liberties (P/CRCL) policy.
- Posting your P/CRCL policy on your website.
- Entering into a dialogue with your community about your agency’s mission and goals.
Key provisions related to dissemination include:
- Criminal intelligence information can only be disseminated when there is a need to know and a right to know the information in the performance of a law enforcement activity (28 CFR § 23.20(e)).
- Recipients of criminal intelligence information must agree to follow procedures regarding receipt, maintenance, security, and further dissemination of the information that are consistent with the operating principles set forth in the regulation (28 CFR § 23.20(f)(1)). However, an assessment of the information (with no personally identifiable information) can be disseminated to a government official or any other individual when necessary to avoid imminent danger to life or property (28 CFR § 23.20(f)(2)).
- The project must maintain a record of who has been given information, the reason for the release, and the date of each dissemination outside the project (28 CFR § 23.20(g)).
- Information that is disseminated must be labeled to indicate levels of sensitivity, levels of confidence, and the identity of submitting agencies and control officials (28 CFR § 23.20(g)).
The maximum retention period is five years. A record must be either purged at the end of the established retention period or undergo a review and validation process before the end of the retention period. If a record is purged, then it must be removed from the criminal intelligence system.
If a record is reviewed and validated, it will receive a new retention period of up to five years. This may occur at any time during the retention period. For a record to be validated, the submitting agency must determine that the subject is still reasonably suspected of involvement in current criminal activity. Simply updating the identifying information about the subject during the retention period is not enough, by itself, to indicate that the subject is still reasonably suspected of involvement in current criminal activity. In other words, the submitting agency must determine that the record continues to meet the 28 CFR Part 23 submission criteria. The submitter can do so by providing additional information about the subject, such as a new criminal associate or involvement in a different criminal activity, or updating information about the criminal activity. Through this process, the submitter can validate the record for a new retention period of up to five years.
Protecting Privacy, Civil Rights, and Civil Liberties
One common mistake is agency personnel accessing information and intelligence who do not have a “need to know” the information, including accessing information and intelligence out of curiosity or for personal purposes.
Another common mistake is, for 28 CFR Part 23, an agency’s failure to properly train personnel and participating agencies, to audit records to ensure that the information contained is relevant when submitted and continues to be relevant, and to purge or validate criminal intelligence information in a timely manner.
Requests/Demands for Criminal Intelligence Information
Records on Juveniles
No 28 CFR Part 23 operating policies are unique to juvenile criminal subjects. However, some states—such as Wisconsin, Texas, and California—have enacted statutes that potentially impact how criminal intelligence information on juveniles is handled (e.g., Wisconsin Juvenile Code § 938.396; Texas Code of Criminal Procedure—CRIM P Art. 61.08; and California Penal Code §§ 186.34–36). While these statutes do not prescribe a specified period for retention of such records, the Wisconsin statute requires that law enforcement records pertaining to juveniles be stored separately from adult records and both the Texas and California statutes provide a right to review a juvenile’s record and contest whether it meets 28 CFR Part 23’s reasonable suspicion standard. If not, the record must be purged from the criminal intelligence database.
It is up to the project to ensure that any relevant state laws are being followed and to consider any policy-based limitations on criminal intelligence information related to juveniles. State laws of interest may include provisions related to the confidentiality of juvenile arrest and juvenile court records. Even though Florida does not have a statutory minimum age for juvenile court jurisdiction, the project may want to consider the issue of whether, as a matter of policy, it should establish a minimum age to enter information on a juvenile subject into the criminal intelligence database.