Press Alt + R to read the document text or Alt + P to download or print.
This document contains no pages.
cp07-10-2012 cCouncil Workshop — Review of 2011 Audit- 4: 00 p. m.
AGENDA
REGULAR MEETING — HUTCHINSON CITY COUNCIL
TUESDAY, JULY 10, 2012
1. CALL TO ORDER — 5:30 P.M.
2. INVOCATION — Hutchinson Evangelical Free Church
3. PLEDGE OF ALLEGIANCE
4. RECOGNITION OF GIFTS, DONATIONS AND COMMUNITY SERVICE TO THE CITY
5. PUBLIC COMMENTS
6. MINUTES
(a) REGULAR MEETING OF JUNE 26, 2012
Action — Motion to approve as presented
7. CONSENT AGENDA (Purpose: only for items requiring Council approval by external entities that would otherwise
ave een a egate tot e Ciry Administrator. Traditionally, items are not discussed.)
(a) RESOLUTIONS AND ORDINANCES
1. RESOLUTION NO. 14027 — RESOLUTION DESIGNATING THE LOCATION OF POLLING
PLACE FOR ALL CITY PRECINCTS AND APPOINTING JUDGES FOR THE 2012 CITY OF
HUTCHINSON AND STATE PRIMARY AND GENERAL ELECTIONS
2. RESOLUTION NO. 14028 - RESOLUTION SETTING INCOME GUIDELINES FOR DEFERRED
ASSESSMENTS
3. ORDINANCE NO. 12 -0691 — AN ORDINANCE AMENDING CHAPTER 31 OF THE
HUTCHINSON CITY CODE PERTAINING TO BOARDS AND COMMISSIONS (WAIVE FIRST
READING AND SET SECOND READING AND ADOPTION FOR JULY 10, 2012)
4. ORDINANCE NO. 12 -0690 - AN AMENDMENT TO THE ZONING ORDINANCE SECTION
154.064(C) AND SECTION 154.004 ALLOWING DOG DAYCARE BY CONDITIONAL USE
PERMIT IN THE C -4 (FRINGE COMMERCIAL DISTRICT) AND ADDING THE DEFINITION
OF DOG DAYCARE TO SECTION 154.004 REQUESTED BY ADULT TRAINING AND
HABILITATION CENTER, PROPERTY OWNER (SECOND READING AND ADOPTION)
5. ORDINANCE NO. 12 -0689 - AN AMENDMENT TO THE ZONING ORDINANCE SECTION
154.063(C) ALLOWING TATOO ESTABLISHMENTS BY CONDITIONAL USE PERMIT IN
THE C -3 (CENTRAL COMMERCIAL DISTRICT) REQUESTED BY DOUGLAS MOULTON,
APPLICANT (SECOND READING AND ADOPTION)
(b) CONSIDERATION FOR APPROVAL OF ISSUING SHORT -TERM 3.2 MALT LIQUOR LICENSE
TO MCLEOD COUNTY AGRICULTURAL ASSOCIATION ON AUGUST 15 — 19, 2012, FOR THE
CITY COUNCIL AGENDA —JULY 10, 2012
MCLEOD COUNTY FAIR
(c) CONSIDERATION FOR APPROVAL OF ISSUING TEMPORARY LIQUOR LICENSE TO ST.
ANASTASIA CATHOLIC CHURCH ON SEPTEMBER 8 & 9, 2012
(d) CONSIDERATION FOR APPROVAL OF IMPROVEMENT PROJECT CHANGE ORDERS AND
SUPPLEMENTAL AGREEMENTS
- CHANGE ORDER NO. 5 —LETTING NO. 1, PROJECT NO. 11 -02 (SCHOOL ROAD NW)
- CHANGE ORDER NO. 3 —LETTING NO. 3, PROJECT NO. 11 -04 (2011 PAVEMENT
MANAGEMENT PROGRAM -PHASE 1)
(e) CONSIDERATION FOR APPROVAL OF CITY /SCHOOL DISTRICT AGREEMENTS
- AGREEMENT RELATING TO THE ESTABLISHMENT AND OPERATION OFA JOINTLY
SPONSORED PARKS, RECREATION AND COMMUNITY EDUCATION PROGRAM
- AGREEMENT RELATING TO THE ESTABLISHMENT AND OPERATION OF A JOINTLY
SPONSORED GROUNDS MAINTENANCE PROGRAM
- AGREEMENT RELATING TO USE OF FACILITIES
- LEASE AGREEMENT WITH PARK ELEMENTARY
(fl CLAIMS, APPROPRIATIONS AND CONTRACT PAYMENTS
Action — Motion to approve consent agenda
8. PUBLIC HEARINGS — 6:00 P.M.
(a) LES KOUBA PARKWAY IMPROVMENTS PHASE 2 PROJECT — LETTING NO. 8, PROJECTNO. 12-
09
Action — Motion to reject — Motion to approve
9. COMMUNICATIONS RE UESTS AND PETITIONS (Purpose: to provide Council with information
necessary to cra t wise po icy. A ways looking towar t e uture, not monitoring past)
10. UNFINISHED BUSINESS
(a) CONSIDERATION FOR APPROVAL OF UPPER MIDWEST ALLIS CHALMERS CLUB EVENT
SIGNAGE REQUEST
Action — Motion to reject — Motion to approve
11. NEW BUSINESS
(a) SUMMARY REVIEW OF 2011 AUDITED FINANCIAL STATEMENTS
Action —
(b) CONSIDERATION FOR APPROVAL OF RESOLUTION NO. 14029 - A RESOLUTION APROVING
AND AGREEING TO ENTER INTO AN ADMINISTRATIVE CONTRACT WITH THE HUTCHINSON
HRA FOR THE SCDP NORTHEAST NEIGHBORHOOD AND SW NEIGHBORHOOD HOUSING
REHABILITATION PROJECT FOR CDAP -11- 0023 -0 -FY 12 AND APPROVALF OF PROCEDURAL
GUIDELINES FOR SCDP OWNER OCCUPIED HOUSING REHABILITATION PROGRAM FOR THE
NORTHEAST NEIGHBORHOOD AND SW NEIGHBORHOOD AND APPROVAL OF CITY OF
HUTCHINSON SECTION 3 PLAN RELATING TO THE SCDP GRANT CDAP -11- 0023 -0 -FY 12 AND
CITY COUNCIL AGENDA —JULY 10, 2012
APPROVAL OF EXECUTION OF SMALL CITIES DEVELOPMENT PROGRAM GRANT
AGREEMENT CDAP -11- 0023 -O -FY 12
Action — Motion to reject — Motion to approve
(c)CONSIDERATION FOR APPROVAL OF CITY OF HUTCHINSON NETWORK SECURITY POLICY
Action — Motion to reject — Motion to approve
(d) CONSIDERATION FOR APPROVAL OF CRIMINAL JUSTICE INFORMATION SERVICES
SECURITY POLICY
Action — Motion to reject — Motion to approve
(e) DISCUSSION OF REGULATING BODY ART
Action —
(fl CONSIDERATION FOR APPROVAL OF RE- SETTING AUGUST 14, 2012, CITY COUNCIL MEETING
DUE TO 2012 PRIMARY ELECTION
Action — Motion to reject — Motion to approve
12. GOVERNANCE (Purpose: to assess past organizational performance, develop policy thatguides the organization and
Councie the logistics of the Council. May include monitoring reports, policy development and governance
process items.)
(a) HUTCHINSON UTILITIES COMMISSION MINUTES FROM MAY 30, 2012
(b) HUTCHINSON HOUSING & REDEVELOPMENT AUTHORITY BOARD MINUTES FROM MAY 15,
2012
(c) FIRE DEPARTMENT MONTHLY REPORT FOR JUNE 2012
13. MISCELLANEOUS
14. ADJOURN
MINUTES
REGULAR MEETING — HUTCHINSON CITY COUNCIL
TUESDAY, JUNE 26, 2012
1. CALL TO ORDER — 5:30 P.M.
Mayor teve oo ca e t meeting to order. Members present were Mary Christensen, Bill Arndt, Eric Yost
and Chad C e zmowski. Others present were Jeremy Carter, City Administrator, Kent Exner, City Engineer and
Marc Sebora, City Attorney.
2. INVOCATION — Rev. Pasche, Peace Lutheran Church, delivered the invocation.
3. PLEDGE OF ALLEGIANCE
4. RECOGNITION OF GIFTS. DONATIONS AND COMMUNITY SERVICE TO THE CITY
Mayor Cook recognized 3M on their 65`h anniversary in the City of Hutchinson. The grand opening of Crow
River Winery and the Jaycee Water Carnival were also recognized.
5. PUBLIC COMMENTS
6. MINUTES
(a) REGULAR MEETING OF JUNE 12, 2012
Motion by Christensen, second by Arndt, to approve the minutes as presented. Motion carried unanimously.
7. CONSENT AGENDA (Purpose: onlyfor items requiring Council approval by external entities that would otherwise
ave een e egate tot e City Administrator. Traditionally, items are not discussed.)
(a) RESOLUTIONS AND ORDINANCES
1. RESOLUTION NO. 14015 — A RESOLUTION GRANTING APPROVAL TO CHANGE STREET
NAME FROM EAU CLAIRE STREET SE TO EAU CLAIRE AVENUE SE LOCATED IN THE
SUMMERSET SECOND ADDITION PLAT
2. ORDINANCE NO. 12 -0691 — AN ORDINANCE AMENDING CHAPTER 31 OF THE
HUTCHINSON CITY CODE PERTAINING TO BOARDS AND COMMISSIONS (WAIVE FIRST
READING AND SET SECOND READING AND ADOPTION FOR JULY 10, 2012)
3. ORDINANCE NO. 12 -0692 — AN ORDINANCE AMENDING CHAPTERS OF THE
HUTCHINSON CITY CODE PERTAINING TO DELEGATION OF ISSUING LICENSES AND
PERMITS (WAIVE FIRST READING AND SET SECOND READING AND ADOPTION FOR
JULY 10, 2012)
(b) PLANNING COMMISSION ITEMS
1. CONSIDERATION OF A ONE -LOT PRELIMINARY AND FINAL PLAT OF LYNAUGH'S
NORTHVIEW ADDITION SUBMITTED BY MATT AND TERRI LYNAUGH, PROPERTY
OWNERS, WITH FAVORABLE PLANNING COMMISSION RECOMMENDATION (ADOPT
RESOLUTION NO. 14018)
(ko-)
CITY COUNCIL MINUTES —JUNE 26, 2012
2. CONSIDERATION OF AN AMENDMENT TO THE ZONING ORDINANCE SECTION
154.064(C) AND SECTION 154.004 ALLOWING DOG DAYCARE BY CONDITIONAL USE
PERMIT IN THE C -4 (FRINGE COMMERCIAL DISTRICT) AND ADDING THE DEFINITION
OF DOG DAYCARE TO SECTION 154.004 REQUESTED BY ADULT TRAINING AND
HABILITATION CENTER, PROPERTY OWNER, WITH FAVORABLE PLANNING
COMMISSION RECOMMENDATION (WAIVE FIRST READING AND SET SECOND
READING AND ADOPTION OF ORDINANCE NO. 12 -0690 FOR JULY 10, 2012)
CONSIDERATION OF A CONDITIONAL USE PERMIT TO ALLOW CONSTRUCTION OF A
578 SQUARE FOOT ADDITION TO AN EXISTING 581 SQUARE FOOT DETACHED
GARAGE LOCATED AT 529 MONROE STREET SE FOR A TOTAL GARAGE AREA OF 1159
SQUARE FEET REQUESTED BY ROGER JOHNSON, APPLICANT, WITH FAVORABLE
PLANNING COMMISSION RECOMMENDATION (ADOPT RESOLUTION NO. 14020)
4. CONSIDERATION OF A CONDITIONAL USE PERMIT REQUESTED BY THE EDA TO
ALLOW CONSTRUCTION OF A FARMERS MARKET STRUCTURE AND TO RELOCATE
THE DEPOT IN THE I/C DISTRICT AT 25 ADAMS STREET SE WITH FAVORABLE
PLANNING COMMISSION RECOMMENDATION (ADOPT RESOLUTION NO. 1402 1)
(c) CONSIDERATION FOR APPROVAL OF IMPROVEMENT PROJECT CHANGE ORDERS AND
SUPPLEMENTAL AGREEMENTS
(d) CONSIDERATION FOR APPROVAL OF ITEMS FOR LES KOUBA PARKWAY IMPROVEMENTS
PHASE 2 PROJECT (LETTING NO. 8, PROJECT NO. 12 -09)
(e) CONSIDERATION FOR APPROVAL OF ISSUING TEMPORARY LIQUOR LICENSE TO
HUTCHINSON HOCKEY ASSOCIATION ON OCTOBER 20, 2012, AT HUTCHINSON CIVIC
ARENA
(f) CONSIDERATION FOR APPROVAL OF ISSUING TEMPORARY LIQUOR LICENSE TO
SUSTAINABLE FARMING ASSOCIATION FOR THE MINNESOTA GARLIC FESTIVAL ON
AUGUST 11, 2012, AT MCLEOD COUNTY FAIRGROUNDS
(g) CONSIDERATION FOR APPROVAL OF ISSUING SHORT TERM 3.2 MALT LIQUOR LICENSE
TO NATIONAL ALLIANCE ON MENTAL ILLNESS AT THE MCLEOD COUNTY
FAIRGROUNDS ON SEPTEMBER 22, 2012
(h) CONSIDERATION FOR APPROVAL OF ISSUING TRANSIENT MERCHANT LICENSES
- GERALD BREYER TO SELL FIREWORKS IN HUTCHINSON MALL PARKING LOT FROM
JUNE 27 — JULY 5, 2012
- KEITH HEIKES OF FACTORY DIRECT TO HOLD FURNITURE SALE IN HUTCHINSON
MALL PARKING LOT FROM JULY 25 — AUGUST 5, 2012
- RAFAEL JIMENEZ TO OPERATE AN ICE CREAM TRUCK THROUGHOUT CITY STREETS
(i) CLAIMS, APPROPRIATIONS AND CONTRACT PAYMENTS
Items 7(a)1, 7(a)3, 7(b)2, 7(b)3 and 7(d) were pulled for separate discussion.
CITY COUNCIL MINUTES — JUNE 26, 2012
Motion by Czmowski, second by Yost, to approve consent agenda with the exception of the items noted
above. Motion carried unanimously.
7(a)l had further discussion. Council Member Christensen asked the reasoning for renaming the street from
Eau Claire Street SE to Eau Claire Avenue. Dan Jochum, Planning Director, explained that streets are
north/south and avenues are east/west. This roadway runs east/west. It was noted that the plat was incorrect
but the street signage is correct.
Motion by Christensen, second by Arndt, to approve Item 7(a)1. Motion carried unanimously.
Item 7(a)3 had further discussion. Mayor Cook suggested reviewing all licensing ordinances notjust related
to delegation but rather overall revisions. Mayor Cook voiced he wants to ensure that items are followed
through and consistent.
Motion by Czmowski, second by Christensen to table Item 7(a)3. Motion carried unanimously.
Item 7(b)2 had further discussion. Mayor Cook asked about the "daytime hours" language in the ordinance.
He suggested perhaps having structured hours listed since "daytime hours" could vary. Dan Jochum,
Planning Director, noted setting specific hours would be acceptable. The main notion was to indicate that
this ordinance does not pertain to overnight care.
Council Member Arndt asked about the difference between the animal shelter on the south end of town and
the proposed dog daycare. Mr. Jochum explained that the zoning districts are different from each other
which allows for different uses.
The applicant, Jason Telander, presented before the Council. Mr. Telander explained that the main purpose
of the application is to allow therapeutic resources for ATHC's clients in caring for dogs.
Mayor Cook suggested adding language such as "no overnight stays ". Mr. Jochum explained that allowing
overnight stays would get more into a kennel or boarding -type situation. If more requests come forward for
more extended hours, the Council could consider amending the ordinance. Kennels are currently allowed in
11 and 12 districts.
Motion by Arndt, second by Christensen, to approve first reading of Ordinance No. 12 -0690, amending
language to read "no overnight stays ". Motion carried unanimously.
Item 7(b)3 had further discussion. Mayor Cook suggested it would be helpful to add language stating the
small older garage would be removed upon construction of the new garage. This language will be added to
the conditions on the Conditional Use Permit.
Motion by Yost, second by Cook, to approve Item 7(b)3 with the additional language that the old garage will
be removed following construction of the new garage. Motion carried unanimously.
Roger Johnson, 529 Monroe Street, presented before the Council. Mr. Johnson noted that he is attempting
to construct an attached garage to the home and will demolish the current older garage on the property.
Item 7(d) had further discussion. Council Member Yost asked why improvements are being made on Les
Kouba Parkway at this time when it is low on the priority list. Kent Exner, City Engineer, noted that these
improvements may fit well with current projects and was suggested from the Resource Allocation
Committee. An alternative funding source may be available to help support the project. This project has
been on the improvement list for the last several years and has been removed each time.
Motion by Arndt, second by Christensen, to approve Item 7(d). Motion carried unanimously.
8. PUBLIC HEARINGS — 6:00 P.M.
(a) CONSIDERATION OF COMMENTS AND INPUT ON THE STORM WATER POLLUTION
PREVENTION PLAN (SWPPP) FOR THE CITY OF HUTCHINSON
� Ca)
CITY COUNCIL MINUTES — JUNE 26, 2012
John Paulson, Environmental Specialist, presented before the Council. Mr. Paulson explained that the
MPCA requires that the City have a public hearing and consider comments prior to submitting the Storm
Water Pollution Prevention Plan (SWPPP) Annual Report for 2011. All cities that maintain a municipal
separate storm sewer system must meet this requirement. Mr. Paulson briefly reviewed the various pieces
that make up the SWPPP.
Motion by Yost, second by Arndt, to close public hearing. Motion carried unanimously.
Motion by Arndt, second by Yost, to approve SWPPP for the City of Hutchinson. Motion carried
unanimously.
9. COMMUNICATIONS RE UESTS AND PETITIONS (Purpose: to provide Council with information
necessary to craft wise policy. A ways looking toward t e uture, not monitoring past)
(a) UPDATE BY CITY OF HUTCHINSON FACILITIES COMMITTEE
Dan Jochum, Planning Director, and John Paulson, Environmental Specialist, presented before the Council.
Mr. Jochum provided an update on the Facilities Plan, including a list of projects by priority ranking, a list of
projects by proposed completion year and the funding plan. Mr. Jochum provided an overview on the
various work the Facilities Committee completed on establishing the Plan. This included a condition index
system and a project ranking system. The projects were then scheduled a completion year based on this
information. Mr. Jochum reviewed the projects scheduled for 2012 and 2013. For 2012, the projects
scheduled include the east rink roof, Event Center roof, Library roof, City Center VAV boxes, Cemetery
roof, Civic Arena sidewalk, east rink front doors and senior dining sidewalk with a total project cost of
$445,175. The projects scheduled for 2013 include the park garage, City Center carpet, senior dining
parking lot and Recreation Center air handlers with a total project cost of $557,660. These projects and
those scheduled further into the future will be included in the capital improvement plan.
Mary Haugen, PRCE Facilities Manager, spoke of the east rink roof and the repairs that it needs.
Council Member Czmowski voiced that by following this plan, and putting the funds into these projects, it
puts a fork in the City- School District Committee's work on crafting a master plan for some of these
facilities' replacement. Staff and the Committee have discussed keeping in mind Joint efforts with the
school district. Mayor Cook suggested bringing the City's facilities plan to the City- School District Joint
Facilities Committee to see if there are opportunities available.
(b) DISCUSSION AND REVIEW OF PROPOSED FIVE -YEAR CAPITAL IMPROVEMENT PLAN
Jeremy Carter, City Administrator, presented before the Council. Mr. Carter reviewed summary reports for
the five -year capital improvement plan. The capital improvement plan is meant to be a guide for Council
and management but does not give authorization for the projects until formally approved based on
purchasing authorization thresholds. The five -year capital improvement plan gets updated on an annual
basis. Some projects get pushed back to later years, some projects drop off and some projects move up years
depending on priorities.
Council Member Yost spoke of the priority listings listed on the plan. Mr. Carter explained that regardless
of the scheduled year, the priority ranking should truly reflect the priority of the project.
10. UNFINISHED BUSINESS
(a) CONSIDERATION FOR APPROVAL OF DOWNTOWN ACTION PLAN CONTRACT WITH
HOISINGTON KOEGLER GROUP INC.
Dan Jochum, Planning Director, presented before the Council. Mr. Jochum explained that this item was
tabled at the last Council meeting to allow for some revisions to be made to the agreement with the
consultant. The purpose of the plan is to continue the revitalization efforts that have been occurring
downtown and develop a plan to shape the future of downtown and the river corridor in Hutchinson. It is
proposed that the EDA would fund half of the project and the City would look at some partnership
opportunities to fund the other half of the project. The goal of this project is to spur the economy and create
ka-)
CITY COUNCIL MINUTES — JUNE 26, 2012
more growth opportunity. General discussion was held regarding how the reconstruction of Hwy 15 could
affect the downtown plan.
Motion by Czmowski, second by Yost, to approve downtown action plan contract with Hoisington Koegler
Group, Inc. Motion carried unanimously.
11. NEW BUSINESS
(a) CONSIDERATION OF AN AMENDMENT TO THE ZONING ORDINANCE SECTION 154.063(C)
ALLOWING TATOO ESTABLISHMENTS BY CONDITIONAL USE PERMIT IN THE C -3
(CENTRAL COMMERCIAL DISTRICT) REQUESTED BY DOUGLAS MOULTON, APPLICANT,
WITH PLANNING COMMISSION SPLIT VOTE (4 -1) (WAIVE FIRST READING AND SET
SECOND READING AND ADOPTION OF ORDINANCE NO. 12 -0689 FOR JULY 10, 2012)
Dan Jochum, Planning Director, presented before the Council. Mr. Jochum explained the discussions held
by the Planning Commission and staff pertaining to tattoo establishments. Mr. Jochum noted that tattoo
establishments are currently allowed in the 1 -1, I -2 and C -4 districts. The C -3 district includes the downtown
area. C -4 is general commercial, such as near the mall on Hwy 15 South or Hwy 7 West. Mayor Cook noted
that salons and other service establishments are allowed downtown and he expressed that he doesn't feel that
tattoo establishments should be treated any differently from them. Mayor Cook did mention that the City's
tattoo ordinance needs to be updated, however it doesn't pertain to the zoning portion of tattoo
establishments.
Council Member Arndt expressed that he does not wish to have tattoo establishments allowed in the
downtown area.
Motion by Czmowski, second by Christensen, to waive first reading and set second reading and adoption for
July 10, 2012. Roll call vote: Christensen — aye; Arndt — nay; Yost — aye; Czmowski — aye; Cook — aye.
Motion carried 4 to 1.
(b) CONSIDERATION OF A VARIANCE TO REDUCE FRONT AND SIDE YARD SETBACK TO
ALLOW CONSTRUCTION OF AN ATTACHED GARAGE ADDITION AT 529 MONROE STREET
SE REQUESTED BY ROGER JOHNSON, APPLICANT, WITH UNFAVORABLE PLANNING
COMMISSION RECOMMENDATION (ADOPT RESOLUTION NO. 14019)
Dan Jochum, Planning Director, presented before the Council. Mr. Jochum noted that the Planning
Commission denied this request due to the request not meeting the State's definition of practicable
difficulties. The Planning Commission and staff both expressed that there are options available for the
applicant to construct a garage without reducing the setbacks.
Roger Johnson, applicant, presented before the Council. Mr. Johnson asked if any discussion had been held
regarding the language difference between R -1 and R -2 districts. This language addresses averages of front
yard setback percentages. Mr. Johnson provided information about percentages of the front yard setback in
R -1 and it is not addressed at all in R -2 districts. Mr. Johnson requested that he would remain at 6 feet on
the sideyard setback but requested that the front yard setback would allow for 23 feet. Mr. Jochum noted
that these issues are two separate items and if Mr. Johnson's interpretation is correct, a variance would not
be required, but could rather be allowed through staff action via the City code (154.023).
Motion by Czmowski, second by Christensen, to approve Resolution No. 14019 denying the variance
application. Motion carried unanimously.
(c) CONSIDERATION FOR APPROVAL OF TRUNK HWY 15 RETAINING WALL RECONSTRUCTION
ENGINEERING SERVICES AMENDMENT (LETTING NO. 5, PROJECT NO. 12 -06)
Kent Exner, City Engineer, presented before the Council. Mr. Exner explained that Mn/DOT has allocated
up to $200,000 for the construction of the Hwy 15 retaining wall project. Due to a more detailed,
6(a-)
CITY COUNCIL MINUTES —JUNE 26, 2012
comprehensive project, additional engineering services are required to complete the project in a manner that
meets Mn/DOT's and the City's expectations. Therefore, the original design fee of $26,600 has increased to
$53,700. The Resource Allocation Committee has reviewed the proposed design fee increase and the
general consensus was that it seemed to be appropriate and acceptable. They additional fees are due to
additional project work pertaining to the expansion of the intersection radii at 5` Avenue and Main Street to
accommodate truck turning movements and stripping options; developing plans and specifications for
lighting improvements on the west side of Main Street from 4 Avenue to 5` Avenue; temporary easements;
developing design and plans for reconstruction of Wall B; Retaining Wall A scope changes; existing service
line review and hydraulic analysis of runoff volume and corresponding spread on Main Street.
Motion by Yost, second by Cook, to approve Trunk Hwy 15 Retaining Wall Reconstruction Engineering
Services Amendment. Motion carried unanimously.
(d) CONSIDERATION OF ORDINANCE NO. 12 -0684 - AN ORDINANCE AMENDING CHAPTER 52
(WATER) OF THE CITY OF HUTCHINSON CODE OF ORDINANCES ADDING LANGUAGE IN
SECTION 52.12 AND 52.13; CONNECTION REQUIRED AND PRIVATE WELLS FOR DOMESTIC
USE (WAIVE FIRST READING AND SET SECOND READING AND ADOPTION AND PUBLIC
HEARING FOR JULY 24, 2012)
Kent Exner, City Engineer, presented before the Council. Mr. Exner asked that a public hearing be set
for July 24, 2012, to review details of the ordinance. Mr. Exner pointed out basic additions to the
proposed ordinance in Section 52.13. Mayor Cook suggested that the approval of private wells come
forward to the Planning Commission or the City Council as opposed to a decision made by the City
Engineer. Mr. Exner and John Paulson both noted that an applicant always has the option to come to the
Council should the decision not be favorable to them. The ordinance also addresses a connection
requirement to city water utilities.
Motion by Czmowski, second by Arndt, to waive first reading and set second reading and adoption and
public hearing of Ordinance No. 12 -0684 for July 24, 2012. Motion carried unanimously.
(e) CONSIDERATION OF ORDINANCE NO. 12 -0685 - AN ORDINANCE AMENDING CHAPTER 92
(NUISANCES; HEALTH AND SANITATION) OF THE CITY OF HUTCHINSON CODE OF
ORDINANCES ADDING LANGUAGE IN 92.5; THE USE OF COAL TAR -BASED SEALER
PRODUCTS WITHIN THE CITY OF HUTCHINSON (WAIVE FIRST READING AND SET
SECOND READING AND ADOPTION AND PUBLIC HEARING FOR JULY 24, 2012)
Kent Exner, City Engineer, presented before the Council. Mr. Exner explained that this ordinance
pertains to adding language to Chapter 92 prohibiting the use of undiluted coal tar based sealer products.
John Paulson, Environmental Specialist, explained that extensive studies have been conducted by State
and Federal agencies and have found that undiluted coal tar contain polycyclic aromatic hydrocarbons
that do not break down. In 2009, the Minnesota legislature enacted a ban on coal tar -based sealcoats
used by State agencies starting July 1, 2010. Some large national retailers no longer sell undiluted coal
tar sealers and others do not carry the product in large volumes. The local commercial sealing applicator
has communicated that they will transition voluntarily to asphalt based sealers this spring in light of the
results of recent PAH studies.
Motion by Christensen, second by Yost, to waive first reading and set second reading and adoption and
public hearing of Ordinance No. 12 -0685 for July 24, 2012. Motion carried unanimously.
(f) CONSIDERATION FOR APPROVAL OF CITY OF HUTCHINSON POLICY 1.23- MANAGEMENT
4(a)
CITY COUNCIL MINUTES — JUNE 26, 2012
INFORMATION SYSTEMS AND CONSIDERATION FOR APPROVAL OF ABOLISHING CITY OF
HUTCHINSON POLICIES 1.17- ORGANIZATIONS - REQUESTS AND 1.21 -PETS WITHIN VETERANS
MEMORIAL BASEBALL FIELD;
Jeremy Carter, City Administrator, presented before the Council. Mr. Carter explained that Policy No. 1.23
has minor revisions pertaining to the IT Director language amendments as opposed to an IT Coordinator and
IT Committee. Mr. Carter clarified that the IT policy itself is reviewed on an annual basis.
Mr. Carter is recommending that Policy Nos. 1.17 and 1.21 be abolished from the City's record. These
policies no longer pertain to City practice.
Motion by Czmowski, second by Yost, to approve Policy 1.23 and abolish Policy 1.17 and Policy 1.21.
Motion carried unanimously.
(g) CONSIDERATION FOR APPROVAL OF RESOLUTION NO. 14022 — A RESOLUTION RELATING TO
PUBLIC UTILITY REVENUE REFUNDING BONDS, SERIES 2012A; APPROVING THE
AMENDMENT TO RESOLUTION NO. 13996 RELATED THERETO
Jeremy Carter, City Administrator, noted that this item amends Resolution No. 13996 which amends the
$1,000,000 threshold of net value savings. Instead, the net value savings of not less than $700,000 will be
revised in the Resolution.
Bruce Kimmel, Ehlers & Associates, explained that this is an opportunistic refunding and not a necessary
refinancing. Therefore, a savings of $700,000 is still a healthy savings.
Motion by Arndt, second by Yost, to approve Resolution No. 14022. Motion carried unanimously.
Item 13(b) was considered at this time. See minutes below.
(h) CONSIDERATION FOR APPROVAL OF SETTING COUNCIL WORKSHOP FOR JULY 10, 2012, TO
REVIEW THE 2011 AUDITED FINANCIAL STATEMENTS
Motion by Czmowski, second by Christensen, to set Council workshop for July 10, 2012, at 4:00 p.m. to
review 2011 audited financial statements. Motion carried unanimously.
12. GOVERNANCE (Purpose: to assess past organizational performance, develop policy that guides the organization and
Counci�e the logistics of the Council. May include monitoring reports, policy development and governance
process items)
(a) PIONEERLAND LIBRARY SYSTEM BOARD MINUTES FROM APRIL 19, 2012
(b) RESOURCE ALLOCATION COMMITTEE MEETING MINUTES FROM JUNE 5, 2012
(c) CITY OF HUTCHINSON FINANCIAL REPORT FOR MAY 2012
(d) CITY OF HUTCHINSON INVESTMENT REPORT FOR MAY 2012
(e) CITY OF HUTCHINSON WEED REPORT FOR MAY 2012
(f) PLANNING COMMISSION MINUTES FROM MAY 15, 2012
(g) JOINT PLANNING BOARD MINUTES FROM MAY 16, 2012
Council Member Yost commented on the large number of properties on the weed notice report. Kent Exner
noted that this was more than likely due to it being early in the season.
� (00
CITY COUNCIL MINUTES — JUNE 26, 2012
13. MISCELLANEOUS
(a) RESOLUTION NO. 14023 — RESOLUTION AUTHORIZING APPLICATION TO DEED BUSINESS
DEVELOPMENT CAPITAL GRANTS PROGRAM
Miles Seppelt, EDA Director, presented before the Council. Mr. Seppelt explained that within the last two
weeks, the Minnesota DEED announced a grant program available for economic development projects. Mr.
Seppelt would like to submit an application for funds to aid in the development of a business incubator
protect.
Motion by Arndt, second by Christensen, to approve Resolution No. 14023. Motion carried unanimously.
(b) RESOLUTION NO. 14024 — RESOLUTION AUTHORIZING ISSUANCE, AWARDING THE SALE,
PRESCRIBING THE FORM AND DETAILS AND PROVIDING FOR THE PAYMENT OF GENERAL
OBLIGATION REFUNDING BONDS, SERIES 2012B
Bruce Kimmel, Ehlers & Associates, presented before the Council. Mr. Kimmel distributed the sale report
of $4,795,000 General Obligation Refunding Bonds, Series 2012B. Bids were received earlier today with
the low bid coming in at 1.7730% from BAIRD. This interest rate is a bit higher than what was estimated a
month ago. A savings of 4.5% is still being seen with this true interest rate. A little over $30,000 per year
will be saved for the remainder of the debt service. Maintaining the fund balance allows for the better
ratings that the City continually receives.
Motion by Arndt, second by Czmowski, to approve Resolution No. 14024. Motion carried unanimously.
Mary Christensen — Council Member Christensen noted that she received a complaint about smoking in
Evergreen Apartments.
Council Member Christensen also commented on her disappointment on the vandalism made to the
Hutchinson Brothers statute in Library Square.
Bill Arndt — Coun, jl Member Arndt commented on the success of the small play held in the church located
On the corner of 2 Avenue SE and Hassan Street.
Kent Exner — Open House set for Hwy 15 /CSAH 18 /Airport Road roundabout project on July 11, 2012,
5:00 — 7:30 p.m. at the Hutchinson Event Center.
Motion by Arndt, second by Christensen, to set public meeting for July 11, 2012, at 5:00 p.m. at the
Hutchinson Event Center. Motion carried unanimously.
South Grade Road bridge project with McLeod County will be unveiled in mid -July.
Mayor Cook — Mayor Cook commented on the construction of the Habitat for Humanity house on Franklin
Street. The elevation appears to be much higher than the surrounding homes. Mr. Carter will have the
building official check into it.
14. ADJOURN
Motion by Arndt, second by Christensen, to adjourn at 8:40 p.m. Motion carried unanimously
�(O_)
RESOLUTION NO, 14027
RESOLUTION DESIGNATING THE LOCATION OF POLLING PLACE FOR ALL CITY
PRECINCTS AND APPOINTING JUDGES FOR THE 2012 CITY OF HUTCHINSON AND
STATE PRIMARY AND GENERAL ELECTIONS
WHEREAS, Chapter 204B, Section 204B.16, Subd. 1 and Section 20413.2 1, Subd. 2 of
the Laws of Minnesota states that the governing body of any municipality, by resolution adopted
prior to the giving of notice of the election, may designate the location of polling place of all
precincts (one, two, and three) and naming of judges for the City and School District Election.
NOW, THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY
OF HUTCHINSON, MINNESOTA:
That the polling place to be used during the 2012 Elections for all precincts will
be in the Recreation Center located at 900 Harrington Street S.W., Hutchinson,
Minnesota.
2. That the Election Judges are hereby appointed in accordance with the attached
list.
The City Council also authorizes the City Administrator to make emergency
appointments of election judges to fill last- minute vacancies.
Adopted by the City Council this 10`h day of July, 2012.
Steven W. Cook, Mayor
ATTEST:
Jeremy J. Carter, City Administrator
769-)1
CITY OF HUTCHINSON AND STATE PRIMARY /GENERAL ELECTIONS 2012
LEANN ANDERSON
DONNA BAYSINGER
ELAINE BLACK
DIANE BOBIER
FRANKLIN BOLLER
JANET CONNER
DORIS DAGGETT
GAIL FRANSEN
NELLIE GEHRKE
MELISSA JACOBSEN
ROXANNEJENSEN
JOELLEN KIMBALL
JANET KLOCKMANN
DARLEEN KNIGGE
ROB KUENZI
ELIZABETH KURTH
VANESSA LAHR
JEANNE LANGAN
MARK LEWANDOWSKI*
GLADYS PILGRIM
RYAN POWELL
CATHERINE PRELLWITZ*
DENNIS SCHROEDER*
PEARL SEALE
ROGER TIEDE
SANDY TRAXLER
WILLIAM WEGNER
PHYLLIS WESELOH
*indicates head judge
-7(d -)1
M4911-
CITY OF 14UTCHINSON
RESOLUTION NO. 14028
AMENDING RESOLUTION NO. 13741 ESTABLISHING INCOME
GUIDELINES & ASSET LIMITATIONS, FOR SENIOR, DISABLED CITIZENS,
ACTIVE DUTY MILITARY RESERVES OR NATIONAL GUARD DEFERRED
ASSESSMENTS AND SENIOR & DISABLED CITIZENS REDUCED REFUSE
RATE
WHEREAS, the Minnesota Statutes provide tax deferral of homestead property for senior
citizens, 65 years of age or older, or a person(s) on disability as defined by the Social Security
administration, or for members of the National Guard or military reserves in active service for
whom it would be a hardship to make payments, and
WHEREAS, the home owner can make application for deferred payment of special
assessments on forms which can be obtained from the City Administrator's office, and
WHEREAS, the home owner /renter can make application for reduced refuse rate on
forms, which can be obtained from the City Administrator's office;
NOW THEREFORE, the City Council has established the following income guidelines,
asset limitations, and verification requirements for applications of deferred assessments and/or
reduced refuse rates:
To be granted to person(s) with a low income of $25,400.00 per year for one person
and $29,000.00 per year for a married couple.
2. To be granted to person(s) with an asset limitation of not to exceed $30,000, excluding
the homestead and automobile.
3. Deferred assessment and/or reduced refuse requests may only be applied for if the
following documents are submitted at the time of said application.
A. Federal Income Tax Form 1040,1040A, 1040EZ; or
7(60 Z
Page 2, Resolution 14028
Senior & Active Military Reserves Deferred Assessments
Senior Citizens reduced Refuse Rate
B. Minnesota Property Tax Refund Form M -1PR
Every two years the city can request said information to continue reduced
refuse charges; existing reduced refuse accounts shall submit the same
documentation to continue the reduced charges.
4. The right of deferment is automatically terminated if:
A. The owner dies and the spouse is not otherwise qualified;
B. The property or any part thereof is sold, transferred or subdivided;
C. The property should lose its homestead status; or
D. If for any reason the City determines that there would be no hardship to require
immediate or partial payment.
Adopted by the City Council this 10th day of July 2012.
ATTEST:
Jeremy J. Carter Steven W Cook
City Administrator Mayor
G:IASSESSMEICITY RESOLUTION
ORDINANCE NO. 12 -0691
AN ORDINANCE AMENDING CHAPTER 31 OF THE HUTCHINSON CITY
CODE PERTAINING TO BOARDS AND COMMISSIONS
THE CITY OF HUTCHINSON ORDAINS:
§ 31.20 ORGANIZATION AND APPOINTMENT.
(A) All board and commission appointments authorized by ordinance or
resolution shall be made by the Mayor, and each appointment confirmed by the Council.
The term of each appointee shall be established and stated at the time of his or her
appointment. Except for the Economic Development Authority, no board or commission
member shall be appointed to more than two consecutive full terms, exclusive of the
fulfullment of an unexpired term or partial term previously served, but shall again be
eligible for service following a break in service of not less than one year. New
appointees shall assume office on the first day of the first month following their
appointment and qualification, or on the first day of the first month following the
expiration of the prior term and qualification, whichever shall occur last. Provided,
however, that all appointees to boards and commissions shall hold office until their
successor is appointed and qualified. All vacancies shall be filled in the same manner as
for an expired term, but the appointment shall be only for the unexpired term.
(B) All appointed board and commission members shall serve without
remuneration, but may be reimbursed for out -of- pocket expenses incurred in the
performance of their duties when those expenses have been authorized by the Council
before they were incurred.
(C) The chair and the secretary shall be chosen from and by the board or
commission membership annually to serve for one year. Provided, however, that no chair
shall be elected who has not completed at least one year as a member of the board or
commission.
(D) Any board or commission member may be removed by a four -fifths
majority vote of the Council for misfeasance, malfeasance or non- feasance in office and
his or her position filled as any other vacancy.
(E) Each board and commission shall hold its regular meeting at a time
established by it.
(F) Except as otherwise provided, this section shall apply to all boards
and commissions.
All ex- officio members to City boards and commissions shall be non-
voting members of the board or commission
§ 31.21 PLANNING COMMISSION.
(A) Establishment and composition. A Planning Commission is hereby
established. The Planning Commission shall be composed of seven members of which
six shall be residents of the city, but not members of a public body, who shall serve
76x03
staggered five -year terms, and one member of the Council shall be appointed by the
Mayor to serve terms expiring on March 31 of each year. The Mayer and the City
Attorney shall be ex- officio members.
§ 31.27 CITY TREE BOARD.
(A) Establishment and composition. A City Tree Board is hereby established.
The Board shall be composed of five members, four of whom shall serve staggered three -
year terms and one of whom shall be a member of the Council and designated by the
Council. The Git� -ate Natural Resource Coordinator, or equivalent position, shall
serve as an ex- officio member.
§ 31.26 LIBRARY BOARD.
A Library Board ^..mpesed of seven members all of ..::.,....,hall be residents 0
the city w:.d shall serve stagge - °a three year- terms, is hereby established. The Library
Board shall consist of seven members, six of whom shall be residents of the city and
serve staggered three year term and one of whom shall be a member of the Council and
designated by the Council
§ 31.24 PARKS, RECREATION AND COMMUNITY EDUCATION ADVISORY
BOARD.
(A) Establishment and composition.
(1) A Parks, Recreation and Community Education Advisory Board is
hereby established under the Joint Powers Agreement entered into on September 1, 1993,
between the city and the Independent School District No. 423, in this county. The Board
shall be composed of 4-3 7 representatives eensisting of ten positions from the community
at large, one representative from the School Board, and one representative from the City
Council. and one yeu esenWive e se w t..
Adopted by the Hutchinson City Council this 10`h day of July, 2012
Steven W. Cook
Mayor
Jeremy J. Carter
City Administrator
7(a.) 3
PUBLICATION NO.
ORDINANCE NO. 12 -0690
AN ORDINANCE AMENDING SECTION 154.064 (C) AND SECTION 154.004 ALLOWING DOG DAYCARE
BY CONDITIONAL USE PERMIT IN THE C -4 (FRINGE COMMERCIAL DISTRICT) AND ADDING THE
DEFINITION OF DOG DAYCARE TO SECTION 154.004 REQUESTED BY ADULT TRAINING AND
HABILITATION CENTER
THE CITY COUNCIL OF THE CITY OF HUTCHINSON, MINNESOTA ORDAINS:
Section 1. Notice of hearing was duly given and publication of said hearing was duly made and was made to appear to the
satisfaction of the City Council that it would be in the best interests of the City to amend Sections 154.004 and 154.064
(C) of the City Code to allow dog daycare facilities in the C -4 District as follows:
154.004 DEFINITIONS.
DOG DAYCARE. The boarding and regular care for dogs (no holidays, weekends or over - nights) with indoor and
outdoor enclosed kennel runs. There would be no more than 12 dogs on the Property at any one time.
154.064 C -4, FRINGE COMMERCIAL DISTRICT.
(C) Conditional permitted uses.
(1) Permitted uses listed in the C -2 district but not including used car, farm machinery, marine or manufactured home
sales;
(2) Commercial parking structures;
(3) Churches and houses of worship and related facilities;
(4) Storage units; and
(5) Tattoo establishments and adult- oriented businesses.
(6) Towing company offices with fenced impound lots, subject to providing a completely fenced and screened enclosure.
Fences must be a minimum of six feet high and constructed of wood or equivalent materials.
(7) Dog Daycare
EFFECTIVE DATE OF ORDINANCE. This ordinance shall take effect upon is adoption and publication.
Adopted by the City Council this 10`h day of July, 2012.
Attest:
Jeremy J. Carter Steven W. Cook
City Administrator Mayor
'7(a)
PUBLICATION NO.
ORDINANCE NO. 12 -0689
AN ORDINANCE AMENDING
SECTION 154.063 (C) ALLOWING TATOO ESTABLISHMENTS BY CONDITIONAL USE PERMIT IN THE
C -3 (CENTRAL COMMERCIAL DISTRICT)
THE CITY COUNCIL OF THE CITY OF HUTCHINSON, MINNESOTA ORDAINS:
Section 1. Notice of hearing was duly given and publication of said hearing was duly made and was made to appear to the
satisfaction of the City Council that it would be in the best interests of the City to amend Section 154.063 (C) of the City
Code to allow tattoo establishments in the C -3 District as follows:
§ 154.063 C -3, CENTRAL COMMERCIAL DISTRICT.
(C) Conditional permitted uses.
(1) Commercial parking ramps for passenger vehicles only, provided a reservoir space is provided within the
structure for holding cars awaiting entrance, which reservoir space shall have a capacity of no less than two vehicles;
(2) New or used automobile sales; indoor display area only;
(3) Motor fuel and service stations, excluding major repair operation. See Appendix B to this chapter for the off -
street parking schedule;
(4) A state licensed residential facility serving from seven through 16 persons;
(5) Group homes up to 5, 000 square feet;
(6) All licensed day care facilities which are not permitted principal uses under state law;
(7) Single-family residences applying for additions, decks, garages, remodeling, or other single-family related
uses.
(8) (a) Drive - through windows (specific considerations of traffic impact, accessibility to appropriate
roadways, site plan consideration and other relevant information would be part of the application review).
(b) Conditions for residential facilities, group homes, crisis shelters and licensed day care facilities shall not
be imposed which are more restrictive than those imposed on conditional uses or other multi family residential property
in the same district, unless the additional conditions are necessary to protect the health or the safety of the residents of the
residential facility.
(9) The requirements of § 154.115 of this code shall apply to the conditional uses described in this section.
(I0) Tattoo Establishments
EFFECTIVE DATE OF ORDINANCE. This ordinance shall take effect upon is adoption and publication.
Adopted by the City Council this 10'h day of July, 2012.
Attest:
Jeremy J. Carter Steven W. Cook
City Administrator Mayor
7(A')6
W Short Term 3.2 Malt Liquor
Fee: $125.00
111 Hassan Street Southeast
Hutchinson, MN 55350 VV'' ..\
(320) 587 -5151 /Fax: (320) 234 -4240 jt_
City of Hutchinson
APPLICATION FOR SHORT TERM 3.2 MALT LIQUOR LICENSE - ON SALE
In provisions of the City of Hutchinson Municipal Code Chapter 112
All applications must be received at least 10 days before City Council Meeting in order to be considered
Applicant Information
WLeo4 GotvtH AgViu. R14yoj
a Sao •5$7 a
Busi ss /Or anization Name
Phone Number
QD t3o I40- , 1340 Cek?4-1 q /4-ye-
ffhtkWvtSgJ -,mO— -Jb
Business /Organization Address
City State Zip
Lee4?A_ C-0" t, - l �A112-
_m6
Ty e of Business /Or aniz tion
C L4-G K
Sao 583 - '79 S
Applicant Name
Phone Number
22�5 fAcl rIN SC SE
*1kr1%h§6 INA-1
Applicant Address
Ci State zip
Officer(s)/Owner(s) of the Or anization/Business ffnecessm,
list additional names on se orate sheet
Scot'' -
i?j zrsi d-e `+
Name
Title
,�/' II
t !t L7r-Nj
JI W r
V1ce- — i:�eeS! oAG11^i
Name
Title
-e— 1,d I-YI 119.Gr C
_rlit1rSN e e A."
Name
Title
3.2 Malt Liquor Sales Information
Mi�-Ltod 6vonk -k1 Tiair GrawndS Wed he, *4 615 - _<;W
Locatioh of Sales Date(s) oflSalest
Ofo Ce- ;ifltnl Aleti C_ .4,cleJ IkVC1.
Address (Iontact Person
The following items need to be completed and/or attached in order for the application to
Application fee paid in full (check or money order): �I yes Ll no
Application comnleted in full and siened by applicant: )I ves ❑ no
-9 9
The above listed business hereby applies for a license to sell short-term 3.2 MALT LIQUOR for consumption "ON" those .
certain premises in the City of Hutchinson described above and to that end represents and state as follows:
That said applicant is a citizen of the United States; of good moral character and repute; and has attained the age of 21
years; that he /she is proprietor of this establishment for which the license will be issued if this application is granted.
That no manufacturer of such non - intoxicating malt liquors has any ownership, in whole or in part, in said business of
said applicant or any interest therein.
Cary of hzachnison
Application for ShortTenn 3.2 ,Ltalt
Liquor License - On -Sale
Page 1 of 2
That said applicant makes this application pursuant and subject to all the laws of the State of Minnesota and the
ordinances and regulations of said City of Hutchinson applicable thereto, which are hereby made a part hereof, and
hereby agrees to observe and obey the same.
Each Applicant further states that he /she is not now the holder of, nor has he /she made application for, nor does he intend to
make application for a Federal Retail Dealer's Special tax stamp for the sale of intoxicating liquor.
I declare that the information I have provided on this application is truthful, and I authorize the City of Hutchinson to
investigate the information submitted.
Fi ',r1"ANA!?t //
' �; [ -em l0 ifs /O�—
ignature ofauthor..ed a icant Dal
Police Chief Recommendation
❑ approved ❑ denied Notes:
Police Chief Signature Date
-7(b)
Report Page 1 of 1
City of Hutchinson
06/27/2012 12:52:02 PM Order ID: 3934002
Bill To Ship To
Mcleod County Ag Assn Mcleod County Ag Assn
40 Century Ave 640 Century Ave
PO Box 142 PO Box 142
Hutchinson , MN 55350 Hutchinson , MN 55350
SKU Product Description Price Qty
To
LIC NONINTOX- License - Non Intoxi, Temp License $ 125.00 1.00
$ 125.
OE
Sub Total
$ 125.
Tax Total
$ 0.
Shipping Total
$ 0.
Handling Total
$ 0.
Conv. Fee Total
$ 0.
X
* * * Payment Info * * *
Grand Total $ 125.
Type Visa Cardholder Name MCLEOD COUNTY AG ASSN Number xxxxxxxxxxxx4298
Authorization 163262 Receipt ID 4110
IMPORTANT -Retain this copy for your records
© Copyright 2011 RevTrak Inc. All Rights Reserved.
062712012 12.50.5:
7(b)
https: / /secure.revtrak. net / hutch / admin/ StimRptBridge /StimRptBridge.aspx ?sr _print =6433 c... 6/27/2012
Minnesota Department of Public Safety
ALCOHOL AND GAMBLING ENFORCEMENT DIVISION
444 Cedar Street Suite 133, St. Paul MN 55101 -5133
(651) 201 -7507 Fax (651) 297 -5259 TTY (651) 282 -6555
W W W.DPS.STATE.MN.US
APPLICATION AND PERMIT
FOR A 1 TO 4 DAY TEMPORARY ON -SALE LIQUOR LICENSE
ON
PYPE OR PRINT INFORMATI
NAME OF ORGANIZATION
DATE ORGANIZED
TAX EXEMPT NUMBER
jf 'N 3r5 (�4 Ytoc• OC1
STREET ADDRESS
CITY
STATE ZIP CODE
"/&9 4,4o a iv
u L /, Sd t
.S` G
NAME OFJJ PERSON MAKING APPLICATION
BUSINESS PHONE
HOME PHONE �}
DATES LIQUOR WILL BE SO L
TYPE OF ORGANIZATION
G
col
T
OFFICER'S NAME
ADDRESS}}
ORGANIZATION
11,E t). G�I�<ILD S. M&/04-
/ /CG1E / tl6.Sw-tXIT� /il/lr5'GN, �IN
ORGANIZATION OFFICER'S NAME
ADDRESS
ORGANIZATION OFFICER'S NAME
ADDRESS
Location license will be used. If an outdoor area, describe
%N FlZC N7 C F �CtFrJa�
(iCllC d i NG UN Gr2C�u t/)0-S
Will the applicant contract for intoxicating liquor service? If so, give the name and address of the liquor licensee providing the service.
Will the app)icam carViquor liability insurance? If so, please rovide the carrier's name and amounts of coverage.
t 1 F5 l' A-i716- tC, 7l%( rGl
A-L mot? - y,�— iYl A- r+rl•� I%E
APROVAL
APPLICATION MUST BE APPROVED BY CITY OR COUNTY BEFORE SUBMITTING TO ALCOHOL & GAMBLING
ENFORCEMENT
CITY /COUNTY
DATE APPROVED
CITY FEE AMOUNT
LICENSE DATES
DATE FEE PAID
SIGNATURE CITY CLERK OR COUNTY OFFICIAL
APPROVED DIRECTOR ALCOHOL AND GAMBLING ENFORCEMENT
I dd
NOTE: Submit this form to the city or county 30 days prior to event. Forward application signed by city and /or county tot ea ress
above. If the application is approved the Alcohol and Gambling Enforcement Division will return this application to be used as the License for the event
PS-09079 (05;06)
7(c)
TO: Mayor & City Council
FROM: Kent Exner, DPW /City Engineer
RE: Consideration of Improvement Project Change Orders
DATE: 07/10/2012
As construction has proceeded on the below listed projects there has been additional work, project scope revisions,
and/or construction staging changes. The items specified below have been identified and deemed necessary to
satisfactorily complete the projects. The following Change Orders are proposed as noted:
• Change Order No. 5— Letting No. 1/Project No. 11-02— School Rd NW
This Change Order addresses the incentive /disincentive for bituminous pavement as outlined within MnDOT
Specification 2360. The additional cost results in an increase to the contract in the amount of$1, 908.16
• Change Order No. 3 — Letting No. 3/1roject No. I1 -04 — 2011 Pavement Management Program— Phase t
This Change Order addresses the incentive/disincentive for bituminous pavement as outlined within MnDOT
Specification 2360. The additional cost results in an increase to the contract in the amount of$360.71.
We recommend that the attached project Change Orders be approved.
cc: Jeremy Carter, City Administrator
_ HUTCHINSON CITY CENTER
9 ^1 ENGINEERING DEPARTMENT
111 HASSAN STREET SE, HLITCINSON MN 55350
PHONE: 320-234-4209 FAX: 320-234-4240
LETTING NO. 1 - PROJECT NO. 11 -01
Dated: 0612812012 CHANGE ORDER NO. 5 Page 1 of 1
Project
Location:
School Road NW
CONTRACTOR: Wm Mueller 8 Sons Inc, 831 Park Ave, P O Box 247, Hamburg MN 55339
Contract
Amount
$1,417,670.48
Completion Date: 08!30/20114
Revised Completion Date: 0513112012
Description
of Change:
Item No. Spec. Ref.
This Change Order addresses the incentive /disincentive for bftuminous pavement as outlined within MNDOT Specification 2360. The
additional cost results in an increase to the contract in the amount of $2,908.16.
Item Name Unit Quantity Percent
to ity Unit Price Amount
INCREASE ITEMS:
34
2360.503
TYPE SPWEA240C WEARING COURSE MIXTURE - STREET
(31/2 " -2 LIFTS) (1.5/3.5x$13.74 = $5.89)
SY
12180
$13.74
123
LOT 10 - DENSITY INCENTIVE PER SPECIFICATION - 1.F LIFT
(1.5/3.5 x $13.74 = $5.89 x 4060' 7.1612%= 290.74 SY)
SY
4060
7.1612%
$5.891
$1,712.4
290.74
124
LOT 11 - DENSITY INCENTIVE PER SPECIFICATION - 1.5" LIFT
(1.5/3.5 x $13.74 = $5.89)
SY
4060
3.00%
$5.89
$717.4
121.80
125
LOT 12 - DENSITY INCENTIVE PER SPECIFICATION - 1.5' LIFT
(1.5/3.5 x $13.74 = $5.89)
SY
4060
2.00 °h
$5.89
$478.2
81.20
TOTAL INCREASE ITEMS
$2,908.1
DECREASE ITEMS:
$0.0
TOTAL DECREASE ITEMS
$2,808'1
NET INCREASE
$2,908.15
In accordance with the Contract and Specifications, the contract amount shall be adjusted in the amount of $ 2.908.15 (add)1(deduet).
n extension of - - -- days shall be allowed for completion.
ORIGINAL PREVIOUS ADDITIONSIDEDUCTIONS THIS ADDITIONIDEDUCT ON TOTAL
CONTRACT AMOUNT
$1,417,870.48
$34,660.08
$2,90&15
$1,455,238.71
Approved:
Approved:
Contractor - Wm Mueller 8: Sons Inc
Dated:
City of Hutchinson - Mayor: Steven W Cook
Dated: 07/10/2012
Pproved:
Approved:
City of Hutchinson - City Engineer: Kent Exner
Dated: 07110!2012
City of Hutchinson - City Administrator: Jeremy J Carter
Dated: 07110/2012
70 )
HUTCHINSON CITY CENTER
ENGINEERING DEPARTMENT
111 HASSAN STREET SE, HUTCINSON MN $5350
PHONE: 320-234-4209 FAX: 320-234-4240
LETTING NO. 3 - PROJECT NO. 11 -04
Dated: 0612612012 CHANGE ORDER NO. 3 Page 1 of 1
Protect
Location:
2011 Pavement Management Program - Phase 1
CONTRACTOR: Wm Mueller & Sons, Inc, 831 Park Ave, PO Box 247, Hamburg MN 55339 Phone: 952467.2720
Contract
A mount:
$427,513.50
Completion Date: 0910912014
Revised Completion Date: 0611512012
Description
of Change:
This Change Order addresses the incentive /disincentive for bituminous pavement as outlined within Mn/DOT Specification 2360. The
additional cost results in an increase to the contract in the amount of $360.73.
Item No.
Spec. Ref.
Item Name
UnK
QuantKy
uaanntity
Unit Price
Amount
INCREASE ITEMS:
62
2360.503
TYPE SPWEA240C WEARING COURSE MIXTURE -STREET
SY
1927
6595
$6.24
68
LOT 5 - DENSITY INCENTIVE PER SPECIFICATION - 1.5' LIFT
SY
1927
3.0000%
$6.24
$360.7
57.81
TOTAL INCREASE ITEMS
$360.7
DECREASE ITEMS:
$0.0
TOTAL DECREASE ITEMS
$360.7
NET INCREASE IL
$380.72
In accordance with the Contract and Specifications, the contract amount shall be adjusted in the amount of 360.72 (add)/(deduet).
n extension of - - -- days shall be allowed for completion.
ORIGINAL PREVIOUS ADDITIONSIDEDUCTIONS THIS ADDITION/DEDUCTION
CONTRACT AMOUNT
TOTAL
$427,513.50
$9,688.75
$360.72
$437,562.97
pproved:
Approved:
Contractor - Wm Mueller & Sons Inc
Dated:
City of Hutchinson - Mayor. Steven W Cook
Dated: 07/10/2012
Approved:
Approved:
City of Hutchinson - City Engineer. Kent Exner
Dated: 07/10/2012
City of Hutchinson - City Administrator: Jeremy J Carter
Dated: 0 711 0/2 01 2
-76:4)
AGREEMENT BETWEEN THE CITY OF HUTCHINSON AND ISD 423 RELATING TO
THE ESTABLISHMENT AND OPERATION OF A JOINTLY SPONSORED PARKS,
RECREATION AND COMMUNITY EDUCATION PROGRAM
AGREEMENT, made as of Julylst, 2012, between the CITY OF HUTCHINSON, A
MINNESOTA MUNICIPAL CORPORATION ( "City ") and INDEPENDENT SCHOOL
DISTRICT NO. 423, MCLEOD COUNTY, MINNESOTA, A MINNESOTA MUTUAL
CORPORATION ( "School District ").
WHEREAS, the School District is organized for the purpose of providing public school
education, including at its discretion Community Education programs and associated recreation
programs within its geographical boundaries; and
WHEREAS, the City is authorized to and does provide parks, recreation and civic programs
to citizens within its geographical boundaries, and
WHEREAS, the School District and the City (hereinafter sometimes collectively called the
"Sponsors ") within their respective powers, desire to cooperate in the establishment and operation of
a total Parks, Recreation and Community Education Program, as that term is defined in Article 1 (a)
within the total area encompassed by the boundaries of the City and the School District.
NOW, THEREFORE, the Sponsors hereby agree with the other as follows
PURPOSE OF AGREEMENT:
The Sponsors shall severally, jointly and cooperatively, pursuant to the broad authority
contained in Section 471.15 through 471.19, inclusive, and Section 471.59, of Minnesota Statutes
and other applicable statutes and their respective express and implied powers, establish and operate a
Parks, Recreation and Community Education Program.
The term Parks, Recreation and Community Education Program is defined, for the purposes
hereof to mean the following:
A program of academic improvement, enrichment, vocational improvement, leisure and
recreation services, program coordination, and social action utilizing School District
physical plants, City Parks and recreation facilities, private resources, if and when
available, for all ages, for all social and economic groups residing within the geographic
boundaries of the Sponsors.
2. The Sponsors shall be responsible for the operation and maintenance of the Parks,
Recreation and Community Education Program, except as otherwise set forth herein.
Recommendations shall be received by the School Board and the City Council from time
to time, concerning the programming and the operation of the programs from the Parks,
Recreation and Community Education Advisory Council.
PARKS, RECREATION AND COMMUNITY EDUCATION ADVISORY COUNCIL:
The Parks, Recreation and Community Education Advisory Council shall consist of nine (9)
members who shall be from the following groups:
One (1) member to be selected from the School Board annually.
2. One (1) member to be selected from the City Council annually.
3. Seven (7) members at large to be appointed jointly by the School Board and the City
Council.
"At large" positions shall be for a term of three (3) years. No "at large" member shall serve on the
Council for more than two (2) consecutive terms. The Parks, Recreation and Community Education
Advisory Council shall include public advertising of the "at large" position with all candidates names
forwarded to the Mayor and the School Board Chairperson respectively for City Council and School
Board approval. The terms of office shall end on August 31" of each proper year. In case of a vacancy
during the term of an "at large" member, the School Board and City Council shall jointly appoint a new
member to serve the remainder of the term. In case of the vacancy of a permanent member, (School Board
representative or City Council representative) the appropriate unit shall appoint a new member. Besides
the nine (9) voting members, a member of the Hutchinson High School Student Council and the Parks,
Recreation and Community Education Director shall serve as an ex- officio members with the Director
appointing staff as secretary to the Board. The Board shall annually elect one (1) member to serve as
chairperson and it may adopt such rules of procedure as it deems compatible.
DUTIES OF THE PARKS, RECREATION AND COMMUNITY EDUCATION ADVISORY
COUNCIL:
1. Serve as official advisory council responsible for all aspects of parks, recreation and
community education.
2. Plan and establish a joint parks, recreation and community education program for the School
District and City.
3. Review the annual budget and develop recommendations that shall be submitted to the
School District and City.
4. Develop programs and recommend policies on parks, recreation and community education
according to the needs of the community.
5. Endeavor to secure citizen group participation on all matters of parks, recreation and
community education.
6. Perform all other duties and functions as may be requested by the School Board and the City
Council.
PROGRAM RESPONSIBILITIES:
The Parks, Recreation and Community Education Director shall administer the program
established by the Board. Prepare annual budgets and submit them for review to the Advisory Council.
Upon review and development of recommendations by the Advisory Council, the budgets shall then be
submitted to the School Superintendent and the City Administrator for review /revision and presentation to
the respective School Board and City Council for their review, revision and approval.
We)
The approved annual budget shall be submitted to the School Superintendent and the City
Administrator each year as requested by the School Superintendent and City Administrator.- The cost of
the program will then be allocated to each of the participating parties. The costs of the Parks, Recreation
and Community Director's salary, benefits and training will be on an equal obligation of the parties hereto
with the School District purchasing those services from the City of Hutchinson. In addition, the school
superintendent shall determine the amount, if any, of performance pay the director may be entitled to
under the compensation guidelines of the school district. If agreement on the budget is not reached by
December 1, operation of the current program will continue on the previous year's amount until approval
is reached.
Land, playground equipment and supplies furnished by either party hereto shall remain the
property of the party so furnished or supplying the same except that nothing herein shall be construed so
as to prohibit the purchase of recreational supplies or equipment with the use of joint funds if so agreed to
by the parties. It is agreed that the maintenance of City park property and facilities shall remain a function
of the city and the maintenance of School District land facilities shall remain a function of the School
District.
The Director shall strive, to the extent possible, to devote equal working time to both the School
District and the City. However, both the City and the School District recognize that an exactly equal
apportionment of the director's time is impossible due to city and school schedules, and fluctuations in
the requests for services made of the director from the City, School District and members of the public.
LIABILITY INSURANCE:
Each Sponsor shall maintain public liability insurance coverage upon its public resources made
available for the Parks, Recreation and Community Education Program.
DIRECT SUPERVISION OF PROGRAM:
All activities of the Director in charge of the Community Education Program will be under the
direct supervision of the Superintendent of Schools. All activities of the Director in charge of the Parks
and Recreation programs will be under the direct supervision of the City Administrator.
LENGTH OF AGREEMENT - WITHDRAWAL
This Agreement shall remain in force and effect for a three year period ending on June 30", 2015.
However, this Agreement may be terminated by either party hereto by written notice to the other party
giving at least one (1) year notice prior to the date of desired termination. In the event of such
termination, an accounting shall be completed in a manner mutually satisfactory to the parties.
IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed by the
respective duly authorized officers of the City Council of Hutchinson and the School Board of
Independent School District No. 423.
INDEPENDENT SCHOOL DISTRICT NO. 423 CITY OF HUTCHINSON
7 (e)
McLeod County, Minnesota McLeod County, Minnesota
School Board Chairperson
Superintendent of Schools
Mayor
City Administrator
7Ce)
AN AGREEMENT BETWEEN THE CITY OF HUTCHINSON,
MINNESOTA AND HUTCHINSON INDEPENDENT SCHOOL DISTRICT
#423 RELATING TO THE ESTABLISHMENT AND OPERATION OF A
JOINTLY SPONSORED GROUNDS MAINTENANCE PROGRAM
THIS AGREMENT entered into this 1s` day of July, 2012, between the CITY OF
HUTCHINSON, A MINNESOTA MUNICIPAL CORPORATION ( "City") and
INDEPENDENT SCHOOL DISTRICT NO. 423, MCLEOD COUNTY, MINNESOTA, A
MINNESOTA MUTUAL COPORATION ( "School District').
WHEREAS, the School District is organized for the purpose of providing public school
education and does provide extra curricular activities for which it maintains expenses;
playgrounds, ball fields and practice facilities and has adjacent to its buildings, parking areas and
sidewalks that it maintains; and
WHEREAS, the City is authorized to and does provide and maintain parks, recreation
areas, parking areas and sidewalks adjacent to the building that it owns; and
WHEREAS, the School District and the City (collectively called the "Sponsors ") within
their respective powers, recognizing that through economies of scale there will be cost savings to
both the City and School District through a joint agreement to maintain recreation areas and they
desire to cooperate in the establishment of operation of a Joint Grounds Maintenance Program.
NOW, THEREFORE, the Sponsors hereby agree with each other as follows:
PURPOSE OF AGREEMENT:
The Sponsors shall severally, jointly and cooperatively, pursuant to the broad authority
contained in Minnesota Statute §471.59 and other applicable statutes and their respective express
and implied powers, establish and operate a Joint Grounds Maintenance Program.
The term Joint Grounds Maintenance Program is defined, for the purposes hereof to mean
the following:
A program of shared equipment, materials and labor between the Sponsors to more
effectively and cost efficiently maintain the parks and recreation areas of each of the
Sponsors and the parking areas and sidewalks adjacent to buildings owned by the
respective Sponsors.
2. To plan and establish a Grounds Maintenance Program for the green areas of the
Sponsors to implement a program mowing; fertilization; herbicide /pesticide
treatment; tree pruning; watering; aeration/top dressing; stripping /demarcation of lots
and fields; and sign installation. (Parking lot paint by District)
-7
3. To plan and establish a Program for snow and ice removal from the parking lots and
sidewalks adjacent to the buildings of the Sponsors and to establish a schedule or time
table for such snow and ice removal. (Snow hauling by District)
4. To plan and establish a Maintenance Program of the athletic fields and playgrounds
of the Sponsors, including tennis courts, baseball /softball fields, and soccer /football
fields, which are the real property of the respective Sponsors. (Playground
replacement parts by District)
5. Real property, equipment, supplies and employees furnished by either party hereto
shall remain the property and/or employees of the party so furnishing them, except
that nothing herein shall be construed as to prohibit the purchase of grounds
maintenance supplies or equipment with the use of joint funds, if so agreed by the
parties.
LIABILITY INSURANCE:
Each sponsor shall maintain public liability insurance coverage upon its public resources,
including its land, buildings, machinery and employees in an amount at least as great as any
statutorily imposed exposure. Employees of, and machinery and materials owned by the
respective sponsors shall be deemed to remain the employee and resource of that Sponsor for
insurance and liability purposes. The Sponsors agree to obtain a separate liability insurance
policy to insure the Joint Grounds Maintenance Program, if necessary.
SUPERVISION OF PROGRAM:
All activities of the grounds Maintenance Program shall be under the direct supervision
of the Superintendent of Schools and the City Administrator.
LENGTH OF AGREEMENT AND WITHDRAWL:
This Agreement shall remain in force and effect for a period of two (2) years from July 1,
2012 thru June 30, 2014. However, this Agreement may be terminated by either party hereto by
written notice to the other party with at least one (l) year notice prior to the date of desired
termination.
CONSIDERATION:
The School District agrees to provide a cash payment to the City of Hutchinson in the
amount of $72,000.00 annually for the term of this Agreement in consideration for the ground
program services identified within the Agreement and provided by the City of Hutchinson.
This consideration shall be reviewed annually as part of the budget development process.
2
(e)
ACCOUNTING:
Each party to this Agreement agrees to make all financial documents available for
inspection by the other, if requested, with a three (3) day written notice.
IN WITNESS WHEREOF, the parties hereto have caused this agreement to be
executed by the respective duly authorized officers of the City Council of Hutchinson, Minnesota
and School Board of Independent School District No. 423.
INDEPENDENT SCHOOL DISTRICT NO. 423 CITY OF HUTCHINSON
McLeod County, Minnesota McLeod County, Minnesota
School Board Chairperson
Superintendent of Schools
Attest:
School Board Clerk
Dated:
Mayor
City Administrator
Finance Manager
Dated:
7(e)
USE OF FACH TI'IES
HUTCHINSON SCHOOL DISTRICT
AND CITY OF HUTCHINSON
2013 -2014
Recreation Center
It shall be the policy of the School District and the City of Hutchinson to rent the Recreation Center
Building /Burich Arena dry floor facilities at a cost of $40 per hour with the rentee providing a minimum of one
building supervisor.
Roberts Park/Linden Park (Softball)
Estimate 40 days of use, which includes 40 softball games — 10 "A" squad games, 10 "JV squad games, 10 "C"
squad games and 10 middle level games
As soon as weather permits, usually the first week in April, practice is moved outdoors to Linden and Roberts
Park. The above - mentioned 40 days does not account for any inclement weather cancellations.
It shall be the policy of the School District and the City of Hutchinson that the school district will rent
Roberts /Linden Park for $2,600 per softball season for the above - mentioned use. This cost is based on 40 days
X 6 fields. This includes material, labor and use of City equipment.
VMF Field (Baseball)
Use of Veteran's Memorial Field shall be $1,200 for the season, which includes games and practices.
General Guidelines
When use of facilities or cancellation is needed because of inclement weather, a contact must be made by noon
to the city's PRCE Director by the School Activities Director, and facilities can be used only upon approval of
the above - mentioned directors.
Renters shall always follow the approved time schedule.
Renters shall assist in setup for activities or for the next activities.
Renters shall leave the facilities in good condition.
The renter's supervisor of the activity must stay until all participants have left the building including emergency
situations.
7 (1)
2
LEASE AGREEMENT
HUTCHINSON SCHOOL DISTRICT
Burich Arena
THIS AGREEMENT, made this first day of July 2012 by the City of Hutchinson, a municipal corporation,
hereinafter called First Party, and the Independent School District No. 423 of McLeod County, hereinafter
called Second Party, WITNESSETH:
WHEREAS, the First Party has assumed the operation and maintenance of Burich Arena, through the guidance
and recommendation(s) of the Civic Arena Board;
WHEREAS, it is the desire of the Second Party to rent Burich Arena for programming to be conducted and
sponsored through its physical education program and/or extra - curricular programs;
NOW, THEREFORE, in consideration of the premises and the terms and covenants hereinafter set forth, the
parties hereby mutually agree as follows:
1. PREMISES: The First Party agrees to lease and hereby does lease, and the Second Party agrees
to take and hereby does take Burich Arena, east rink and west rink.
2. TERMS OF LEASE: This lease shall be from the term of July 1, 2012 through June 30, 2014.
3. RENTAL PAYMENT AND GAME RECEIPTS: The Second Party agrees to pay the First Party
a rental payment for the premises as shown below:
2012 -13 2013 -14 TOTAL TOTAL
Practice Ice 225 hours $155. $160. $34,875. $36,000.
20 Games Varsity /J.V. $675. $700. $13,500. $14,000.
TOTAL $48,375 $50,000
Each yearly total amount will be paid on or before April I" of 2013 and 2014 respectively. All
game admission receipts shall be the property and responsibility of the Second Party. Hockey
games in excess of 20 Varsity /J.V shall be billed at the agreed upon game rates.
4. DEFINITIONS
a. "Ice- time" - The period of time the ice is on the floor of the premises and utilized for
hockey games and/or practices.
b. "Non- Ice - Time" - The period of time no ice is on the floor and utilization is for sports
other than hockey, i.e., tennis, track, softball, soccer, baseball.
C. Exclusive use - The time the Second Party is in possession of the premises for "ice- time"
and "non- ice - time" use, without interference from the First and /or Second Party(s),
except for normal maintenance of the building.
5. USE OF FACILITIES: The First Party agrees to lease the premises for exclusive use at the
following designated times and activities.
7 «)
3
a. The Second Party shall be allotted 225 hours of ice time per school year. In the event
more than 225 hours practice ice time is used, the Second Party shall be billed at the
agreed hourly rate.
b. All practice time(s) for Boys Squads and Girls Squads shall be scheduled as agreed upon
between the city's Facilities & Operations Manager and School Activities Director.
C. Game ice -time shall be set by schedule. All hockey games shall be Monday through
Saturday, excluding holidays. All regularly scheduled hockey games and dates are set
forth in a schedule and may be canceled and/or rescheduled only after mutual
consultation of the First Party and the Second Party, or their respective representatives.
d. In the event the facility is rendered unfit for hockey use due to fire or any other cause, the
Second Party's obligation for rent shall be adjusted on a pro -rata basis and the party of
the first part shall refund within 30 days after termination that portion of the rent covering
the period of non -use. If the damage cannot be repaired within 30 days, the Second Party
may exercise the option to terminate.
6. FIRST PARTY RESPONSIBLITIES:
a. To provide all utilities, including heat, light, water, sewer, refuse; maintain all ice - making
and cleaning equipment and machines; flooding the ice rinks; cleaning of the ice
surfaces; maintaining the parking lot; and the normal maintenance, repair and
replacement of dasherboards, goals and nets; and make all necessary structural
alterations, repairs and maintenance.
b. To provide janitor service for cleaning of the locker and shower area and cleaning of the
bleacher area, storage area and upper arena areas as needed.
C. To operate, maintain and receive revenues from all concessions and/or vending machines,
unless otherwise assigned in whole or part.
7. SECOND PARTY RESPONSIBILITIES:
a. To provide personnel and supplies for the sale and collection of admission tickets.
b. To provide for payment of any Minnesota sales tax for admission.
C. To provide towel and laundry service.
d. To designate personnel to supervise students at any time the building is being used by its
students under this agreement, and to designate one individual to be responsible for
key(s) for use of the building while in use by its students.
e. To be responsible for loss or theft of school and /or personnel property while stored or
otherwise within the premises.
f To make all arrangements and /or payment for announcer(s), scoreboard operator(s),
referees and supervisory personnel.
g. To designate the coach or supervisor for seeing all pieces of equipment and supplies of
the school and players are picked up and properly stored in the areas and cabinets, as
provided by the First Party, and to see that all students are out of the building by one -half
(1/2) hour after close of practice or game.
7(e)
4
8. RULES AND REGULATIONS:
The rules and regulations of Independent School District No. 423 pertaining to student conduct
shall be in effect during all times this building is used by the school. Additional policies
governing the conduct of students may be developed as needed by Burich Arena and the school
administration. The policies, rules and regulations shall be enforced by school personnel as
assigned by the school administration and the city personnel as assigned by the city's Facilities
& Operations Manager.
9. INSURANCE:
The First Party agrees to pay a sum equal to the actual expense for bodily injury and property
damage insurance.
10. INDEMNIFICATIONS:
The Second Party agrees to save harmless, protect and indemnify the First Party from any and all
claims, not fully covered by Section 9 Insurance, of every kind and nature whatsoever arising out
of the personal injury or property damage on the leased premises while it is under control of and
being used by the party of the second part. Each party agrees to name the other as an "additional
insured party" in liability insurance policies.
11. SUCCESSORS AND ASSIGNS:
All provisions of the lease, herein stated, are binding upon the successors or assigns of the
respective parties.
IN WITNESS WHEREOF, the parties have signed this agreement to be effective the day and year above
written.
In presence of:
CITY OF HUTCHINSON
BY
Mayor
BY
City Administrator
INDEPENDENT SCHOOL
DISTRICT NO. 423
BY
Chairman
BY
Clerk
Lease
This lease agreement is made and entered into this 1 st day of July, 2012, by and between
the City of Hutchinson a Minnesota municipal corporation (Lessor) and Independent
School District #423 (Lessee).
Whereas, Lessee operates an elementary school adjacent to the leased premises; and,
Whereas, Lessee currently utilizes the leased premises for the purposes of conducting
educational and school related activities; and,
Whereas, from time to time school personnel have intervened in situations involving
students and members of the general public for the purposes of protecting students; and,
Whereas, as currently structured, Lessee, its administrators and other personnel have
limited authority to prevent undesirable interaction between students and the public
during school hours because the leased premises is owned by the City; and,
Whereas, it is the desire of the Lessor and Lessee to ensure the safety of students at the
school and, by leasing the premises, school personnel would have authority over third
parties that are on the premises,
Therefore, for one dollar ($1.00) and other good and valuable consideration, the parties
agree as follows:
Leased premises. The Lessor, in consideration of all the conditions, and some premises
contained herein does hereby lease to the Lessee the following described property in the
City of Hutchinson, McLeod County, Minnesota:
North Park excepting therefrom the North 412.5 feet of the South 478.5 feet of the East
264 feet, South Half City of Hutchinson
Lessee's Use of the Leased Premises. The Lessee agrees that the leased premises shall
be used only for those uses commonly associated with the education of students. Such
uses shall include, but not be limited to, recess, physical education classes, scientific and
other experiments and other educational uses.
Hours of Use. Lessee agrees that they shall have the ability to operate under the terms of
and for the purposes of this lease between the hours of 7:00 a.m. and 4:00 p.m. each day
that school is in session. Additionally, these terms are applicable one hour preceding and
following school activities outside the normal hours of operation.
Exclusive Use. Lessor agrees that Lessee shall have the exclusive use of the leased
premises during the hours mentioned above. Lessee agrees, however, that it will use
sound discretion in restricting the use of the leased premises by members of the general
`{i e )
public. Both parties recognize that the Lessee shall have the ability to limit the use of the
leased premises by third parties during the above - stated hours.
Subleases. The parties agree that the Lessee does not have the ability to sublease the
premises to third parties.
Term. The term of this lease shall be from the last date signed below until June 30,
2016, unless terminated earlier by the parties.
Improvements. Lessee shall not make improvements to the leased premises without the
permission of the Lessor. All improvements so made shall become the property of the
Lessor.
Termination. This lease may be terminated for any reason by either party by giving the
other a 90 day notice of its intention to do so.
Insurance. Lessee shall have in full force and effect a policy of liability insurance for
the full term of this lease naming the Lessor as an additional injured in an amount of not
less than $1,200,000.00. The Lessee shall provide a certificate of said insurance policy at
the time this lease is entered into.
Independent School District #423
By
Its
By
Its
Date
City of Hutchinson
Its
a
_7(e)
PAYROLL ELECTRONIC FUNDS TRANSFERS
PAYROLL DATE: 06/29/2012
Period Ending Date: 06/23/2012
$58,666.64 IRS - Withholding Tax Account
Federal Withholding
Employee /Employer FICA
Employee /Employer Medicare
$11,989.42 MN Department of Revenue
State Withholding Tax
$39,352.43 Public Employee Retirement Association
Employee /Employer PERA/DCP Contributions
$2,115.32 TASC
Employee Flex Spending Deductions
$6,348.52 TASC
Employee Contributions to Heath Savings Account
$575.00 MNDCP
Employee Contributions - Deferred Comp
$1,440.00 ING
Employee Contributions - Deferred Comp
$1,230.00 ICMA Retirement Trust
Employee Contributions - Deferred Comp
$477.61 MN Child Support System
Employee Deductions
$0.00 MSRS - Health Savings Plan
Employee Deductions to Health Savings Plan
$122,194.94 Total Electronic Funds Transfer
7(f)
0 0 0
R55CKREG LOG22001VO
Check # Ck Date
171319 7/10/2012
171320 7/10/2012
171321 7/10/2012
171322 7/10/2012
171323 7/10/2012
171324 7/10/2012
171325 7/10/2012
171326 7/10/2012
171327 7/10/2012
171328 7/10/2012
171329 7/10/2012
171330 7/10/2012
171331 7/10/2012
171332 7/10/2012
171333 7/10/2012
171334 7/10/2012
171335 7/10/2012
171336 7/10/2012
171337 7/10/2012
171338 7/10/2012
171339 7/10/2012
171340 7/10/2012
171341 7/10/2012
171342 7/10/2012
171343 7/10/2012
171344 7/10/2012
171345 7/10/2012
171346 7/10/2012
171347 7/10/2012
6/27/12 - 7/10/12
Amount Vendor/ Explanation
326.09 ACE HARDWARE
136.83 AEM MECHANICAL SERVICES, INC
37.41 AG SYSTEMS
134.17 AMERICAN FAMILY INS CO.
6.55 AMERICAN MESSAGING
576.60 AMERICAN SOLUTIONS FOR BUSINES
104.38 AMERICINN
1.81
ARAMARK UNIFORM SERVICE
698.10
ARCTIC GLACIER PREMIUM ICE INC
111.14
ARROWHEAD SCIENTIFIC INC
357.02
ASPEN EQUIPMENT CO
838.07
B & C PLUMBING & HEATING INC
2,162.97
1,359.09
1,610.56
50.00
25,000.00
393.18
876.42
4,090.25
2,148.19
100.00
814.50
2,118.06
1,955.11
40,111.25
I:ATirATilXU]L[C7
CITY OF HUTCHINSON
Council Check Register
Account Description
Business Unit
OPERATING SUPPLIES
CIVIC ARENA
CONTRACT REPAIR & MAINTENANC LIQUOR OPERATIONS
CENTRAL GARAGE REPAIR
PARK ADMINISTRATION
ACCRUED LIFE INSURANCE
PAYROLL FUND B/S
COMMUNICATIONS
INFORMATION SERVICES ADMIN
PRINTING & PUBLISHING
FINANCE - ADMINISTRATION
TRAVEL SCHOOL CONFERENCE
WASTEWATER ADMINISTRATION
CONTRACT REPAIR & MAINTENANC LIQUOR OPERATIONS
CLEANING SUPPLIES
HATS OPERATIONS
COST OF MIX & SOFT DRINKS
LIQUOR OPERATIONS
OPERATING SUPPLIES
INVESTIGATION
CENTRAL GARAGE REPAIR
STREETS & ALLEYS
PROFESSIONAL SERVICES
EVENTS CENTER ADM.
RECEIVED NOT VOUCHERED
COMPOST FUND B/S
BAILEY NURSERIES, INC
REPAIR & MAINTENANCE SUPPLIES PARK ADMINISTRATION
BERNICK'S
FOOD PRODUCTS - CONCESSION
CONCESSIONS
BERRY, DAWN
OTHER REVENUES
RECREATION BLDG. & POOL
BIOBUSINESS ALLIANCE OF MN
OTHER CONTRACTUAL
UNALLOCATED GENERAL
BLACK GOLD ENVIRONMENTAL SERVI
REPAIR & MAINTENANCE SUPPLIES
HATS OPERATIONS
BRANDON TIRE CO
CENTRAL GARAGE REPAIR
PARK ADMINISTRATION
BRAUN INTERTEC CORP
PROFESSIONAL SERVICES
LET #111-01 School Rd NW Imp
BROCK WHITE CO
REPAIR & MAINTENANCE SUPPLIES AIRPORT
BROWN, MELANIE
OTHER REVENUES
RECREATION BLDG. & POOL
BRYAN STREICH TRUCKING
FREIGHT
COMPOST MANUFACTURING
BUSHMAN, RAQUEL
OPERATING SUPPLIES
TOURNAMENTS
BUSINESSWARE SOLUTIONS
CONTRACT REPAIR & MAINTENANC POLICE ADMINISTRATION
C & L DISTRIBUTING
COST OF SALES -BEER
LIQUOR OPERATIONS
349.50 CALIFORNIA CONTRACTORS SUPPLIE REPAIR & MAINTENANCE SUPPLIES STREETS & ALLEYS
27.87 CENTRAL HYDRAULICS RECEIVED NOT VOUCHERED COMPOST FUND B/S
0 0
171348
7/10/2012
76.95
WASTEWATER ADMINISTRATION
CENTRAL LANDSCAPE SUPPLY
171349
7/10/2012
5,268.96
AUTOMOTIVE REPAIR
CHEMISOLV CORP
171350
7/10/2012
454.23
MENS SLOWPITCH SOFTBALL
CMK SERVICES LLC
171351
7/10/2012
64.00
CONTRACT REPAIR & MAINTENANC EVERGREEN BLDG ADM
COFFEE COMPANY
171352
7/10/2012
50.88
SMALL TOOLS
CROW RIVER AUTO & TRUCK REPAIR
171353
7/10/2012
24.05
COMPOST FUND B/S
CROW RIVER GLASS & SIGNS
171354
7/10/2012
5,360.00
TRAVEL SCHOOL CONFERENCE
CROW RIVER OFFICIALS ASSN
171355
7/10/2012
2,682.00
PARK ADMINISTRATION
CROW RIVER SIGNS
171356
7/10/2012
350.00
CITY ENGINEER
CUSTOMIZED FIRE RESCUE TRAININ
171357
7/10/2012
270.76
OPERATING SUPPLIES
DAAK REFRIGERATION
171358
7/10/2012
3,794.35
RECREATION BLDG. & POOL
DAY DISTRIBUTING
171359
7/10/2012
1,313.34
ACCRUED DEFERRED COMP
DPC INDUSTRIES INC
171360
7/10/2012
173.24
DYNA SYSTEMS
171361
7/10/2012
132.95
EBERT, DICK
171362
7/10/2012
131.46
ECOLAB PEST ELIM
171363
7/10/2012
4,485.00
EHLERS & ASSOCIATES INC
171364
7/10/2012
919.02
ELECTRO WATCHMAN
171365
7/10/2012
2,142.84
ESS BROTHERS & SONS
171366
7/10/2012
292.05
EXNER, KENT
171367
7/10/2012
630.00
EXTREME BEVERAGE LLC
171368
7/10/2012
36.21
FARM -RITE EQUIPMENT
171369
7/10/2012
386.67
FAST WATER PROMOTIONS LLC
171370
7/10/2012
306.24
FASTENAL COMPANY
171371
7/10/2012
261.84
FINANCE & COMMERCE
171372
7/10/2012
4,794.00
FIRE SAFETY USA, INC
171373
7/10/2012
45.10
FIRST CHOICE FOOD & BEVERAGE 5
171374
7/10/2012
57.03
G & K SERVICES
171375
7/10/2012
107.25
GEB ELECTRICAL INC
171376
7/10/2012
129.95
GENIE DRAIN CLEANING
171377
7/10/2012
70.56
GODFATHER'S PIZZA
171378
7/10/2012
87.32
GOODIN COMPANY
171379
7/10/2012
44.07
GRAINGER
171380
7/10/2012
552.65
H.A.R.T.
171381
7/10/2012
404.34
HACH COMPANY
0
OPERATING SUPPLIES
TREE INVENTORY
CHEMICALS & PRODUCTS
WASTEWATER ADMINISTRATION
OTHER CONTRACTUAL
STREETS & ALLEYS
OPERATING SUPPLIES
HCDC -EDA
AUTOMOTIVE REPAIR
POLICE PATROL ADMINISTRATIO
BUILDING REPAIRS
CHURCH - 105 2nd Ave SE
OTHER CONTRACTUAL
MENS SLOWPITCH SOFTBALL
OPERATING SUPPLIES
YOUTH BASEBALL AND SOFTBALI
TRAVEL SCHOOL CONFERENCE
FIRE - ADMINISTRATION
CONTRACT REPAIR & MAINTENANC EVERGREEN BLDG ADM
COST OF SALES -BEER
LIQUOR OPERATIONS
CHEMICALS & PRODUCTS
WATER ADM
SMALL TOOLS
WASTEWATER ADMINISTRATION
UNIFORMS & PERSONAL EQUIP
WATER ADM
RECEIVED NOTVOUCHERED
COMPOST FUND B/S
PROFESSIONAL SERVICES
TAX INCREMENT B/S
CONTRACT REPAIR & MAINTENANC LIQUOR OPERATIONS
REPAIR & MAINTENANCE SUPPLIES WASTEWATER ADMINISTRATION
TRAVEL SCHOOL CONFERENCE
CITY ENGINEER
COST OF MIX & SOFT DRINKS
LIQUOR OPERATIONS
CENTRAL GARAGE REPAIR
PARK ADMINISTRATION
OPERATING SUPPLIES
RECREATION BLDG. & POOL
REPAIR & MAINTENANCE SUPPLIES STREETS & ALLEYS
ADVERTISING
CITY ENGINEER
SMALL TOOLS
RURAL FIREFIGHTERS
OFFICE SUPPLIES
WATER ADM
OPERATING SUPPLIES
REFUSE& RECYCLING
CONTRACT REPAIR & MAINTENANC CIVIC ARENA
CONTRACT REPAIR & MAINTENANC EVERGREEN BLDG ADM
OPERATING SUPPLIES
RECREATION BLDG. & POOL
EQUIPMENT PARTS
WATER ADM
SAFETY SUPPLIES
HATS OPERATIONS
ACCRUED DEFERRED COMP
PAYROLL FUND B/S
PROFESSIONAL SERVICES
WASTEWATER ADMINISTRATION
0
0
0
171382
7/10/2012
426.27
HANNEMAN, MARK
TRAVEL SCHOOL CONFERENCE
POLICE PATROL ADMINISTRATIO
171383
7/10/2012
40.00
HANSEN, ANGIE
CIVIC ARENA -FEES & RENTS
CIVIC ARENA
171384
7/10/2012
1,460.00
HANSON & VASEK CONSTRUCTION
CONTRACT REPAIR & MAINTENANC
STREETS & ALLEYS
171385
7/10/2012
2,708.40
HAWKINS INC
CHEMICALS & PRODUCTS
RECREATION BLDG. & POOL
171386
7/10/2012
1,704.53
HENRYS FOODS INC
FOOD PRODUCTS- CONCESSION
CONCESSIONS
171387
7/10/2012
4,816.24
HILLER CARPET
CONTRACT REPAIR & MAINTENANC
HATS OPERATIONS
171388
7/10/2012
153.62
HILLYARD / HUTCHINSON
REPAIR & MAINTENANCE SUPPLIES
EVENTS CENTER ADM.
171389
7/10/2012
137.84
HIRSHFIELD'S INC
REPAIR & MAINTENANCE SUPPLIES
CIVIC ARENA
171390
7/10/2012
183,046.39
HJERPE CONTRACTING
IMPROV OTHER THAN BLDGS
LET #112-01 5TH AVE NW IMPRI
171391
7/10/2012
2,378.92
HOLT MOTORS INC
CENTRAL GARAGE REPAIR
STREETS & ALLEYS
171392
7/10/2012
500.00
HUTCHINSON AREA CHAMBER OF COP REFUNDS & REIMBURSEMENTS
UNALLOCATED GENERAL
171393
7/10/2012
4,324.00
HUTCHINSON AREA HEALTH CARE
COMMON AREA MAINTENANCE
EVENTS CENTER ADM.
171394
7/10/2012
5,786.54
HUTCHINSON CONVENTION & VISITO
LODGING TAX REIMBURSEMENT
UNALLOCATED GENERAL
171395
7/10/2012
1,828.41
HUTCHINSON SENIOR ADVISORY BOA
OTHER CONTRACTUAL
SENIOR CITIZENS CENTER
171396
7/10/2012
503.23
HUTCHINSON WHOLESALE
RECEIVED NOT VOUCHERED
COMPOST FUND B/S
171397
7/10/2012
5.00
HUTCHINSON, CITY OF
MISCELLANEOUS
POLICE BUILDING MAINTENANCI
171398
7/10/2012
4,000.00
HUTCHINSON, CITY OF
MISCELLANEOUS
ATM MACHINE
171399
7/10/2012
29.68
HYVEE FLORAL SHOP
MISCELLANEOUS
CITY ADMINISTRATOR - ADM
171400
7/10/2012
500.00
INH PROPERTY MANAGEMENT & EASI
CONTRACT REPAIR & MAINTENANC WATER ADM
171401
7/10/2012
348.20
INTERSTATE BATTERY SYSTEM MINN
EQUIPMENT PARTS
STREETS & ALLEYS
171402
7/10/2012
807.18
JACK'S UNIFORMS & EQUIPMENT
UNIFORMS & PERSONAL EQUIP
POLICE PATROL ADMINISTRATIO
171403
7/10/2012
19,474.66
JEFF MEEHAN SALES INC.
ACCRUED COMMISSIONS PAYABLE
COMPOST FUND B/S
171404
7/10/2012
187.05
JIM'S GARDEN SERVICE
OTHER CONTRACTUAL
STREETS & ALLEYS
171405
7/10/2012
784.65
JJ TAYLOR DIST OF MN
COST OF SALES -BEER
LIQUOR OPERATIONS
171406
7/10/2012
125.00
JOCHUM, DANIEL
SAFETY SUPPLIES
BUILDING INSPECTION
171407
7/10/2012
128.50
JOES SPORT SHOP
OPERATING SUPPLIES
TOURNAMENTS
171408
7/10/2012
30.00
JURGENSON, NANCY
RENTS -REC BLDG
RECREATION BLDG. & POOL
171409
7/10/2012
34.00
KABLE, ELISABETH
RECREATION ACTIVITY FEES
RECREATION BLDG. & POOL
171410
7/10/2012
312.60
KEEPRS, INC
OPERATING SUPPLIES
POLICE PATROL ADMINISTRATIO
171411
7/10/2012
209.99
KRAMES STAYWELL LLC
OPERATING SUPPLIES
RECREATION BLDG. & POOL
171412
7/10/2012
377.67
L & P SUPPLY CO
CENTRAL GARAGE REPAIR
PARK ADMINISTRATION
171413
7/10/2012
2,566.49
LANDSCAPE CONCEPTS, INC
CONTRACT REPAIR & MAINTENANC STREETS & ALLEYS
171414
7/10/2012
90.00
LAUER, BURNELL
OTHER CONTRACTUAL
SOCCER
171415
7/10/2012
4,080.00
LEAGUE OF MN CITIES -INS TRUST
INSURANCE- DEDUCTIBLE COST
UNALLOCATED GENERAL
0
171416
171417
171418
171419
171420
171421
171422
171423
171424
171425
171426
171427
171428
171429
171430
171431
171432
171433
171434
171435
171436
171437
171438
171439
171440
171441
171442
171443
171444
171445
171446
171447
171448
171449
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
7/10/2012
147.44
185.00
35.00
24,241.26
1,586.77
701.13
104.34
1,130.11
925.06
1,024.35
128.45
2,077.60
3,120.00
4,
2,
11,
1,
MCLEOD COOP POWER ASSN
0
AIRPORT
0
2,706.57
LEAGUE OF MN CITIES -INS TRUST
INSURANCE - DEDUCTIBLE COST
UNALLOCATED GENERAL
50.00
LENZ, LANA
OTHER REVENUES
RECREATION BLDG. & POOL
895.00
LEVINE, ERIC
TRAVEL SCHOOL CONFERENCE
WATER ADM
34,350.85
LOCHER BROTHERS INC
COST OF SALES -BEER
LIQUOR OPERATIONS
533.20
LTP ENTERPRISES
CONTRACT REPAIR & MAINTENANC WATER ADM
94.39
M -R SIGN
SIGNS & STRIPPING MATERIALS
STREETS & ALLEYS
147.44
185.00
35.00
24,241.26
1,586.77
701.13
104.34
1,130.11
925.06
1,024.35
128.45
2,077.60
3,120.00
4,
2,
11,
1,
MCLEOD COOP POWER ASSN
UTILITIES
AIRPORT
MCLEOD COUNTY COURT ADMINISTR� OTHER REVENUES
POLICE ADMINISTRATION
MCLEOD COUNTY FAIR
ADVERTISING
LIQUOR OPERATIONS
MCLEOD COUNTY HIGHWAY DEPT.
STREET MAINT.MATERIALS
STREETS & ALLEYS
MCLEOD COUNTY SHERIFF'S OFFICE
SMALLTOOLS
POLICE ADMINISTRATION
MCRAITH, JOHN
OTHER CONTRACTUAL
SPECIAL EVENTS
MEHR, BRIAN TRAVEL SCHOOL CONFERENCE
MENARDS HUTCHINSON RECEIVED NOT VOUCHERED
METRO ATHLETIC SUPPLY INC OPERATING SUPPLIES
METRO SWIM SHOP OPERATING SUPPLIES
MIDWEST MACHINERY CO
MINNESOTA VALLEY TESTING LAB
MIX MANUFACTURING
275.00
MWOA
410.00
NORTH SHORE ANALYTICAL INC
337.27
NORTHERN BUSINESS PRODUCTS
273.59
NORTHERN STATES SUPPLY INC
340.99
NU- TELECOM
560.65
NUSS TRUCK & EQUIPMENT
190.10
O'REILLYAUTO PARTS
256.46
OFFICE DEPOT
114.30
OFFICE OF ENTERPRISE TECHNOLOG
663.39
OUTDOOR MOTION
146.48
PAUSTIS & SONS WINE CO
416.45
PHILLIPS WINE & SPIRITS
881.71
PINE VALLEY ECO PRODUCTS
11100
PIONEER
500.00
POSTMASTER
RECEIVED NOT VOUCHERED
OTHER CONTRACTUAL
RECEIVED NOT VOUCHERED
TRAVEL SCHOOL CONFERENCE
OTHER CONTRACTUAL
OPERATING SUPPLIES
EQUIPMENT PARTS
COMMUNICATIONS
CENTRAL GARAGE REPAIR
CENTRAL GARAGE REPAIR
OFFICE SUPPLIES
COMMUNICATIONS
OPERATING SUPPLIES
COST OF SALES- LIQUOR
COST OF MIX & SOFT DRINKS
CHEMICALS & PRODUCTS
SIGNS & STRIPPING MATERIALS
1:161ir_TC14
WASTEWATER ADMINISTRATION
COMPOST FUND B/S
GIRLS FASTPITCH SOFTBALL
RECREATION BLDG. & POOL
COMPOST FUND B/S
WASTEWATER ADMINISTRATION
COMPOST FUND B/S
WASTEWATER ADMINISTRATION
WASTEWATER ADMINISTRATION
LIQUOR OPERATIONS
STREETS & ALLEYS
POLICE ADMINISTRATION
STREETS & ALLEYS
PARK ADMINISTRATION
STREETS & ALLEYS
MOTOR VEHICLE - ADMINISTRAT
POLICE PATROL ADMINISTRATIO
LIQUOR OPERATIONS
LIQUOR OPERATIONS
STREETS & ALLEYS
PARK ADMINISTRATION
STORM WATERADMINISTRATIOI
0 0
171450
7/10/2012
2,003.89
COMPOST FUND B/S
PREMIER TECH PACKAGING
171451
7/10/2012
138.46
FREIGHT
PRO AUTO & TRANSMISSION REPAIR
171452
7/10/2012
1,467.39
CONCESSIONS
PRO CARE SERVICES INC
171453
7/10/2012
116.29
TRAVEL SCHOOL CONFERENCE
QUILL CORP
171454
7/10/2012
1,934.30
HATS OPERATIONS
R.J.L. TRANSFER
171455
7/10/2012
10,553.41
CONTRACT REPAIR & MAINTENANC
RAPIDS PROCESS EQUIPMENT INC
171456
7/10/2012
228.00
STORM WATER ADMINISTRATIOI
ROCK STAR GOURMET INC
171457
7/10/2012
961.52
TRAVEL SCHOOL CONFERENCE
RUNNING'SSUPPLY
171458
7/10/2012
50.00
PARK ADMINISTRATION
RUTKOWSKI, FRANK
171459
7/10/2012
75.00
OPERATING SUPPLIES
SAFE KIDS WORLDWIDE
171460
7/10/2012
2,592.89
PARK ADMINISTRATION
SAM'S CLUB
171461
7/10/2012
23,340.33
CONTRACT REPAIR & MAINTENANC POLICE BUILDING MAINTENANCI
SCHMELING OIL CO
171462
7/10/2012
34.00
CONTRACT REPAIR & MAINTENANC STREETS & ALLEYS
SCHUETZ, MOLLIE
171463
7/10/2012
35.00
SCHWANKE, MAVIS
171464
7/10/2012
428.25
SCOTT'S WINDOW CLEANING SERVIC
171465
7/10/2012
66.60
SEBORA, MARC
171466
7/10/2012
2,677.94
SEH
171467
7/10/2012
68.00
SETLEY, MELANIE
171468
7/10/2012
6,893.16
SOUTHERN WINE & SPIRITS OF MN
171469
7/10/2012
10.00
SOUTHWEST MN CHAPTER OF ICC
171470
7/10/2012
2,244.30
SPRINT
171471
7/10/2012
756.23
STAPLES ADVANTAGE
171472
7/10/2012
72.80
STAR TRIBUNE
171473
7/10/2012
1,000.00
STEELE COUNTY COURT ADMIN
171474
7/10/2012
523.66
STRATEGIC EQUIPMENT
171475
7/10/2012
267.69
STROBES N MORE
171476
7/10/2012
125.00
SZYMANSKI, THOMAS
171477
7/10/2012
20.00
TAPS -LYLE SCHROEDER
171478
7/10/2012
84.78
TARGET BANK
171479
7/10/2012
2,999.00
TEK MECHANICAL
171480
7/10/2012
250.52
TIMBERLAKE LODGE
171481
7/10/2012
441.69
TIMBERLAKE LODGE
171482
7/10/2012
2,922.19
TRI -CITY PAVING
171483
7/10/2012
50.00
TWARDY, STACY
9
RECEIVED NOT VOUCHERED
COMPOST FUND B/S
RECEIVED NOT VOUCHERED
COMPOST FUND B/S
CONTRACT REPAIR & MAINTENANC
HATS OPERATIONS
OFFICE SUPPLIES
INVESTIGATION
FREIGHT
LIQUOR OPERATIONS
PROFESSIONAL SERVICES
WASTEWATER ADMINISTRATION
FOOD PRODUCTS- CONCESSION
CONCESSIONS
SAFETY SUPPLIES
WASTEWATER ADMINISTRATION
OTHER REVENUES
RECREATION BLDG. & POOL
TRAVEL SCHOOL CONFERENCE
POLICE PATROL ADMINISTRATIO
FOOD PRODUCTS - CONCESSION
CONCESSIONS
MOTOR FUELS & LUBRICANTS
HATS OPERATIONS
RECREATION ACTIVITY FEES
RECREATION BLDG. & POOL
PARK FEES
PARK ADMINISTRATION
CONTRACT REPAIR & MAINTENANC
LIQUOR OPERATIONS
TRAVEL SCHOOL CONFERENCE
LEGAL
PROFESSIONAL SERVICES
STORM WATER ADMINISTRATIOI
RECREATION ACTIVITY FEES
RECREATION BLDG. & POOL
COST OF SALES- LIQUOR
LIQUOR OPERATIONS
TRAVEL SCHOOL CONFERENCE
BUILDING INSPECTION
COMMUNICATIONS
POLICE PATROL ADMINISTRATIO
CLEANING SUPPLIES
PARK ADMINISTRATION
DUES & SUBSCRIPTIONS
POLICE ADMINISTRATION
OTHER REVENUES
POLICE ADMINISTRATION
OPERATING SUPPLIES
LIQUOR OPERATIONS
REPAIR & MAINTENANCE SUPPLIES
CITY FIRE
UNIFORMS & PERSONAL EQUIP
PARK ADMINISTRATION
PROFESSIONAL SERVICES
EVENTS CENTER ADM.
OPERATING SUPPLIES
RECREATION BLDG. & POOL
CONTRACT REPAIR & MAINTENANC POLICE BUILDING MAINTENANCI
TRAVEL SCHOOL CONFERENCE
WASTEWATER ADMINISTRATION
TRAVEL SCHOOL CONFERENCE
WASTEWATER ADMINISTRATION
CONTRACT REPAIR & MAINTENANC STREETS & ALLEYS
OTHER REVENUES
RECREATION BLDG. & POOL
171484
7/10/2012
1,893.57
MOTOR VEHICLE - ADMINISTRAT
URBAN COMMUNICATIONS
171485
7/10/2012
1,076.87
CONCESSIONS
USPS - HASLER
171486
7/10/2012
69.95
OPERATING SUPPLIES
VERTECH SOLUTIONS & SERVICES
171487
7/10/2012
17,627.40
COMPOST FUND B/S
VIKING BEER
171488
7/10/2012
3,160.50
TRAVEL SCHOOL CONFERENCE
VIKING COCA COLA
171489
7/10/2012
247.83
LET #3 11 -04 2011 Pavement ME
VINOCOPIA INC
171490
7/10/2012
38.00
EQUIPMENT PARTS
VISSER, SHANNON
171491
7/10/2012
96.62
WAL -MART COMMUNITY
171492
7/10/2012
3,825.00
WCCO -AM
171493
7/10/2012
4,316.00
WEBB PALLET
171494
7/10/2012
10,750.00
WELLNESS INC.
171495
7/10/2012
7,356.00
WESTAFER ENTERPRISES
171496
7/10/2012
298.32
WILLERS, KARL
171497
7/10/2012
3,137.40
WINE COMPANY, THE
171498
7/10/2012
14,731.52
WM MUELLER & SONS
171499
7/10/2012
152,780.30
WM MUELLER & SONS
171500
7/10/2012
1,364.65
WORK CONNECTION, THE
171501
7/10/2012
966.22
ZEP MANUFACTURING CO
171502
7/10/2012
35.20
ZIEGLER, DOREEN
Grand Total
Payment Instrument Totals
Check Total
753,087.81
Total Paymei
753,087.81
0
RENTALS
CIVIC ARENA
POSTAGE
MOTOR VEHICLE - ADMINISTRAT
CONTRACT REPAIR & MAINTENANC EVERGREEN BLDG ADM
COST OF SALES -BEER
LIQUOR OPERATIONS
FOOD PRODUCTS- CONCESSION
CONCESSIONS
COST OF SALES -WINE
LIQUOR OPERATIONS
RECREATION ACTIVITY FEES
RECREATION BLDG. & POOL
OPERATING SUPPLIES
FIRE DEPT SHARED COST
RECEIVED NOT VOUCHERED
COMPOST FUND B/S
RECEIVED NOT VOUCHERED
COMPOST FUND B/S
PROFESSIONAL SERVICES
SELF INSURANCE FUND B/S
ACCRUED COMMISSIONS PAYABLE
COMPOST FUND B/S
TRAVEL SCHOOL CONFERENCE
POLICE PATROL ADMINISTRATIO
COST OF SALES -WINE
LIQUOR OPERATIONS
IMPROV OTHER THAN BLDGS
LET #3 11 -04 2011 Pavement ME
IMPROV OTHER THAN BLDGS
LET #1 11 -01 School Rd NW Imp
OTHER CONTRACTUAL
COMPOST MANUFACTURING
EQUIPMENT PARTS
STREETS & ALLEYS
CIVIC ARENA -FEES & RENTS
CIVIC ARENA
R
TO: Mayor & City Council
FROM: Kent Exner, DPW /City Engineer
RE: Public Hearing for Les Kouba Parkway Improvements Phase 2
(Letting No. 8 /Project No. 12 -09)
DATE: July 10, 2012
City staff has met with property owners adjacent to the proposed project referenced above. At these meetings, project
design details and estimated assessment amounts were provided to them and any questions or comments were addressed.
Following a project overview by City staff and potential public comments, we will request that the City move forward
with the final preparation of project plans /specifications and future advertisement for bids. The anticipated bid opening
date is August 9, 2012, at 10:30 AM.
We recommend that the attached Resolutions be approved.
cc: Jeremy Carter, City Administrator
$ Ca-)
RESOLUTION NO. 14025
RESOLUTION ORDERING IMPROVEMENT
AND PREPARATION OF PLANS AND SPECIFICATIONS
LETTING NO. 8/PROJECT NO. 12 -09
WHEREAS, a resolution of the City Council adopted the 26th day of June, 2012, fixed a date for a
Council Hearing on the following improvements:
Les Kouba Parkway NW (Montana to Lind) and Lind Street NW (Les Kouba Pkwy to 3rd Ave)
roadway construction and utility infrastructure installations by construction of storm sewer, drain tile,
reclamation /removals, grading, aggregate base, concrete curb and gutter, bituminous base,
bituminous surfacing, street lighting, landscaping, restoration and appurtenances.
NOW THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF HUTCHINSON,
MINNESOTA:
1. Such improvement is necessary, cost - effective, and feasible as detailed in the feasibility report.
2. Such improvement is hereby ordered as proposed in the resolution adopted the 26th day of June
2012.
3. Such improvement has no relationship to the comprehensive municipal plan.
4. Kent Exner is hereby designated as the engineer for this improvement. The engineer shall prepare
plans and specifications for the making of such improvement.
5. The City Council declares its official intent to reimburse itself for the costs of the improvement from
the proceeds of tax exempt bonds.
Adopted by the Council this 10th day of July 2012.
Mayor: Steven W. Cook
City Administrator: Jeremy J. Carter
15 (a)
RESOLUTION NO. 14026
RESOLUTION APPROVING PLANS AND SPECIFICATIONS
AND ORDERING ADVERTISEMENT FOR BIDS
LETTING NO.8 /PROJECT NO. 12 -09
WHEREAS, the Directorof Engineering /Public Works has prepared plans and specifications for the following
described improvement:
Les Kouba Parkway NW (Montana to Lind) and Lind Street NW (Les Kouba Pkwy to 3rd Ave)
roadway construction and utility infrastructure installations by construction of storm sewer, drain
tile, reclamation /removals, grading, aggregate base, concrete curb and gutter, bituminous base,
bituminous surfacing, street lighting, landscaping, restoration and appurtenances.
NOW, THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF HUTCHINSON,
MINNESOTA:
1. Such plans and specifications, a copy of which is attached hereto and made a part hereof, are hereby
approved.
2. The Director of Engineering /Public Works shall prepare and cause to be inserted in the official newspaper,
the City of Hutchinson Web -Site and in Finance and Commerce, an advertisement for bids upon the making of
such improvements under such approved plans and specifications. The advertisement shall be published for
three weeks, shall specify the work to be done, shall state that bids will be received by the Director of
Engineering /Public Works until 10:30 am on Thursday, August 9, 2012, at which time they will be publicly
opened in the Council Chambers of the Hutchinson City Center by the City Administrator and Director of
Engineering /Public Works, will then be tabulated, and the responsibility of the bidders will be considered by the
Council at 6:00 pm on Tuesday, September 11, 2012 in the Council Chambers of the Hutchinson City
Center, Hutchinson, Minnesota.
Any bidder whose responsibility is questioned during consideration of the bid will be given an opportunity to
address the Council on the issue of responsibility. No bids will be considered unless sealed and filed with the
Director of Engineering /Public Works and accompanied by cash deposit, cashier's check, bid bond or certified
check payable to the City of Hutchinson for 5 percent of the amount of such bid.
Adopted by the Hutchinson City Council this 10th day of July 2012.
Mayor: Steven W Cook
City Administrator: Jeremy J. Carter
SCa-)
0
C
TO: Mayor & City Council
FROM: Dan Jochum, Planning Director
RE: Allis Chalmers Show Signage Request
DATE: July 10, 2012
Please see the attached map regarding where the Upper Midwest Allis Chalmers Show would
like to place off - premise signage to direct people to the Fairgrounds for the Orange Spectacular.
This is the first year the show is being held at the Fairgrounds and the Club wants to make sure
visitors are able to find the Fairgrounds since they are not right off of the Highway.
• The Club is requesting two signs that will be no larger than 4'x4'. The first sign is proposed to
be located at Highway 15 South and Century Avenue and will say "A -C Show Main Entrance ".
The second sign is proposed to be at Highway 15 South and Denver Avenue and will say "A -C
Show Camper Entrance ".
Staff discussed with the AC Club that these signs should not be advertising signs but rather
directional signage to the event. Staff feels that the proposed signs are directional in nature and
not advertising in nature.
Staff recommends approval of the signage request to allow two off - premise signs to the Upper
Midwest Allis Chalmers Club with the following conditions:
1) The signs can be no larger than 4'x4'
2) The signs will say "A -C Show Main Entrance" and "A -C Show Camper Entrance" and be
placed according to the attached map.
3) Any signs placed in MnDOT right -of -way will need to be approved by MnDOT.
4) The signs shall be removed at the conclusion of the show.
I�
Memo
TO: Mayor and City Council
From: Jean Ward, HRA Executive Director °f ✓/ ��
Date: June 27, 2012
Re: Consideration of Resolution to approve Hutchinson HRA administration of NE
Neighborhood and SW Neighborhood SCDP, approval of Procedural Guidelines for
Owner Occupied Rehab Northeast and SW Neighborhood Project, approval of City
of Hutchinson Section 3 Plan relating to NE Neighborhood and SW neighborhood
Project and approval of execution of Small Cities Development Program Grant
Agreement CDAP -11- 0023 -0-FY12
The Department of Employment and Economic Development has approved our SCDP short
application to rehab ten homes in the Northeast or SW Neighborhoods of Hutchinson. In order
to proceed with the project, we need to execute the grant agreement, approve the administrative
contract between the City of Hutchinson and Hutchinson HRA, approve updated Procedural
Guidelines for the Northeast Neighborhood, and approve a Section 3 Plan relating to
implementation of SCDP Grant CDAP -11 -0023 -0-FY12. Attached for your review and
consideration is:
1. An updated administrative contract between the City of Hutchinson and the
Hutchinson HRA for administration of this grant and all program income.
2. Updated Procedural Guidelines for the NE and SW Neighborhood
3. City of Hutchinson Section 3 Plan related to SCDP Grant #CDAP -11 -0023 -0-FY12
4. The State of Minnesota Department of Employment and Economic Development Small
Cities Development Program Grant Agreement # CDAP -11 -0023 -0-FY12.
5. Resolution to Approve Administrative Contract, Approve Procedural Guidelines for
Owner Occupied Rehab Northeast and SW Neighborhoods, approve Section 3 Plan,
and execute Grant Agreement for SCDP CDAP -11 -0023 -0-FY12.
The next step is to obtain environmental clearance approval from DEED. Our goal is to start
owner occupied rehab construction in late summer. Thank you for your consideration of these
items.
II(b)
RESOLUTION 14029
APPPROVING AND AGREEING TO ENTER INTO AN ADMINISTRATIVE CONTRACT
WITH THE HUTCHINSON HRA FOR THE SCDP NORTHEAST NEIGHBORHOOD and SW
NEIGHBORHOOD HOUSING REHABILITATION PROJECT FOR CDAP -11- 0023- 0-FY12
AND
APPROVAL OF PROCEDURAL GUIDELINES FOR SCDP OWNER OCCUPIED HOUSING
REHABILITATION PROGRAM FOR THE NORTHEAST NEIGHBORHOOD AND SW
NEIGHBORHOOD
AND
APPROVAL OF CITY OF HUTCHINSON SECTION 3 PLAN RELATING TO THE SCDP
GRANT CDAP -11- 0023- 0-FY12
AND
APPROVAL OF EXECUTION OF SMALL CITIES DEVELOPMENT PROGRAM GRANT
AGREEMENT CDAP -I1- 0023 -0-FY 12
WHEREAS, the Housing and Redevelopment Authority in and for the City of Hutchinson,
Minnesota submitted an SCDP owner occupied rehab application on behalf of the City of
Hutchinson, Minnesota, which has been approved for funding;
WHEREAS, the Northeast Neighborhood and SW Neighborhood Owner Occupied Housing
Rehabilitation Project will be funded via the Small cities Development Program administered by
the Minnesota Department of Employment and Economic Development;
NOW THEREFORE BE IT RESOLVED that the City of Hutchinson, Minnesota hereby
approves the Administrative Contract Amendment with the HRA to administer the SCDP NE
Neighborhood project.
BE IT FURTHER RESOLVED that the City of Hutchinson approves the Owner Occupied Rehab
Procedural Guidelines for the SCDP Northeast Neighborhood and SW Neighborhood project, and
BE IT FURTHER RESOLVED that the City of Hutchinson approves the City of Hutchinson
Section 3 Plan relating to the SCDP NE Neighborhood and SW Neighborhood project, and
BE IT FURTHER RESOLVED that the City of Hutchinson approves execution of the Small
Cities Program Grant Agreement CDAP -09- 0077 -0-FY 10.
Adopted by the Hutchinson City Council this 10th day of July, 2012
ATTEST:
Jeremy Carter
City Administrator
Steve Cook
Mayor
G: /HRA/DTED & SCDP Programs/2012 /CC Resoludon for SCDP NE Neighborhood
I I Cb)
ADMINISTRATIVE CONTRACT BY AND BETWEEN
CITY OF HUTCHINSON, MINNESOTA
AND
HOUSING AND REDEVELOPMENT AUTHORITY
IN AND FOR THE CITY OF HUTCHINSON
THIS CONTRACT for Administrative Services is between the City of Hutchinson, MN hereinafter
referred to as the "City" and the Housing and Redevelopment Authority In and For the City of
Hutchinson, Minnesota, hereinafter referred to as the "HRA ".
WITNESSETH: In consideration of the mutual convenience and agreements contained herein, the City
and the HRA agree as follows:
I. This contract will commence on July 17, 2012 and will continue until terminated by either party
according to Paragraph XVII.
II. The HRA agrees to act as the administrative agent for the City of Hutchinson to implement the
City's Owner Occupied Housing Rehab Program for the Northeast Neighborhood funded through
the Small Cities Development Program, CDAP -11- 0023- 0-FY12. In addition, all program
income /generated income from all Housing SCDP programs will be administered by the HRA.
III. The HRA will receive financial reimbursement from the administrative fees associated with the
grant from the City of Hutchinson's Small Cities Development Program funds.
IV. As the administering agent for the above described grant, the HRA agrees to perform all tasks
enumerated below in a manner which will meet or exceed the terms and conditions imposed
upon the City in the Small Cities Development Program Grant Agreement dated the I" of June,
2012, copies of which are attached as Exhibit A.
A. Citizen Participation. Comply with all State and Federal participation requirements.
B. Compliance with Federal Regulations. Ensure that the following Federal acts or
regulations are complied with:
1. Title VI of the Civil Rights Act of 1964 (P.L> 88 -352) which provides that no
person in the United States shall on the grounds of race, color, or national origin, be
excluded from participation in, be denied the benefits of, or be subjected to
discrimination under any program or activity receiving Federal financial assistance.
2. Title VIII of the Civil Rights Acts of 1968 (P.L. 90 -284), known as the Fair
Housing Act of 1968, stating that it is the policy of the United States to provide, within
constitutional limitations, for fair housing throughout the United States and prohibits any
person from discrimination in the sale or rental of housing, the financing of housing, or
the provision of brokerage services, including in any way making unavailable or denying
a dwelling to any person because of race color, religion, sex or national origin.
II(b)
Page 1 of 4
C. Project Planning. Coordinate the preparation of program guidelines, contacts, budgets,
and other agreements in a manner consistent with applicable State and Federal laws and
regulations for all project activities.
D. Implementation. The HRA will implement programs authorized under the Small Cities
Development Program Grant within the respective limitations of the grant monies
provided and/or in accordance with State and Federal requirements.
Homeowner Rehabilitation Financing: Develop procedural guidelines for
homeowner rehabilitation and implement them in accordance with Federal and
State Standards. This would include, but not be limited, to determination of
eligibility, and coordination with housing partners; i.e., lenders, contractors, and
homeowners.
E. Coordination of other funding sources for the project. The HRA will coordinate other
applicable programs for the project such as, but not limited to, rehab funds from
Minnesota Housing Finance Agency, Greater Minnesota Housing Fund, Southwest
Minnesota Housing Partnership and Rural Development.
F. Compliance with Equal Opportunity Regulations. Ensure that compliance with Section 3
of the Housing and Urban Development Act of 1968, Federal Equal Employment
Opportunity Act and Executive Orders, and Civil Rights Acts of 1964 is maintained.
Also responsible for all Fair Housing and Equal Opportunity recordkeeping requirements
by the State of Minnesota.
G. Financial Recordkeeping and Control. Keep complete and accurate records of all claims
and disbursements in accordance with the following procedures:
The HRA will examine each claim and verify that the work has been done and/or
materials actually provided for the project.
2. Requisitions for the checks will be prepared by the HRA and submitted to the City
Finance Director for payment.
3. The City will issue all checks.
4. The HRA will submit a voucher and supporting documentation to the City
Finance Director for review who will obtain proper signatures and submit
requisitions to the State.
V. The City and HRA mutually agree that a mortgage shall be executed in the name of the City of
Hutchinson as mortgagee for each loan of monies provided under the Small Cities Development
Program to individuals for the purpose of home rehabilitation. In regard to such mortgages and
assignments, the HRA shall prepare all documents and obtain all necessary signatures required
I I ( h)
Page 2 of 4
for proper execution of such documents and file a secured interest with the McLeod County
Recorder's Office.
VI. For the purposed of this contract, the HRA shall be deemed an independent contractor and not an
employee of the City. Any and all employees of the HRA or other persons who engages in the
performance of any work or services required by the HRA under this contract, shall not be
considered employees of the City and any and all claims that may or might arise on be half of
said employees or other persons as a consequence of any act or admission on the part of said
employees or the HRA shall in no way be the obligation or responsibility of the City.
VII. The HRA will subcontract with the City of Hutchinson Building Department to provide
inspections, work write -ups, and construction oversight in the implementation of the grant
program. The HRA will subcontract with R & S Inspections, Inc. for lead inspections or lead
assessment and clearances.
VIII. The HRA specifically agrees to comply with the requirements of 24 CFR 135.20 and to provide
such copies of said regulations as may be necessary for the information of parties to contracts as
required to contain the Section III clause as set forth in 24 CFR 135.20.
IX. Any alteration, variation, modification, or waiver of the provisions of this contract shall be valid
only after is has been provided in writing, duly signed by both parties, and attached to the
original of this contract.
X. The waiver of any of the rights and/or remedies arising under the terms of this contract on any
occasion by either party hereto shall not constitute a waiver of any rights and/or remedies in
respect to any subsequent breach or default of the terms of this contract. The rights and remedies
provided or referred to under the terms of this agreement are cumulative and not mutually
exclusive.
XI. This contact shall constitute the entire agreement between the parties and shall supersede all prior
or written negotiations.
XII. The City shall have full access to all records relating to the performance of this agreement.
XIII. In performing the provisions of this contract, the HRA agrees to comply with all Federal, State,
or local laws all applicable rules, regulations, or standards established by any agency of such
governmental units which are now or hereafter promulgated.
XIV. In consideration of the prompt and efficient carrying out of the above, the City agrees to
reimburse the HRA, for project administration related costs in carrying out the above activities
up to an amount not to exceed the maximum allowable as specified by the State of Minnesota,
Department of Employment and Economic Development, Community Development Division.
During the term of the contract, said monies are to come solely from the Administration funds
totally available for the administration for the City of Hutchinson's Small Cities Development
Page 3 of 4 1\ M
Program, Northeast Neighborhood Rehabilitation Project. For the purposes of this contract,
project administration related costs are defined as follows:
A. Approved project administration fee of $2,600 per owner occupied rehab project to cover
project administration duties including, but not limited to, applicant and loan file, HQS
inspection, work write -ups, construction inspection fees, bid solicitation, contract
administration, and draw requests. Lead inspection and lead clearance tests are included
in the project loan costs. After close out of the grant, project administration fees to
administer the rehab revolving loan fund, may be amended by revising the fee schedule
on a yearly basis.
XV. Should any of the above provisions be subsequently determined by a court of competent
jurisdiction to be in violation of any Federal or State laws or to be otherwise invalid, both parties
agree that only those provisions so adjudged shall be invalid and that the remainder of this
contract shall remain in full force and effect.
XVI. ANTITRUST. Contractor (HRA) hereby assigns to the State of Minnesota any and all claims for
overcharges as to goods and/or services provided in connection with this contract resulting from
antitrust violations which arise under the antitrust laws of the United States and the antitrust laws
of the State of Minnesota.
XVII. The City reserves the right to terminate this contract if the HRA inexcusably fails to perform any
of the provisions hereof. Such termination shall occur thirty (30) days after receipt by the HRA
of written notice specifying the grounds thereof, unless, prior to that date, the HRA has cured the
alleged non - performance of the provisions of this contract. The HRA may terminate this contract
with thirty (30) days written notice.
IN WITNESS WHERE OF, the parties here to have caused this contract to be duly executed.
CITY OF HUTCHINSON
MAYOR, CITY OF HUTCHINSON
ATTEST:
:•
BY: BY:
CITY ADMINISTRATOR
G:/HRA /DTED & SCDP Programs/2012 SCMADWNCONTRACT
HOUSING & REDEVELOPMENT
AUTHORITY IN & FOR THE
CITY OF HUTCHINSON, MN
HRA CHAIRPERSON
HRA EXECUTIVE DIRECTOR
Page 4 of 4 /
CITY OF HUTCHINSON, MINNESOTA
SCDP OWNER OCCUPIED HOUSING REHABILITATION PROGRAM
NORTHEAST NEIGHBORHOOD OR SW
PROCEDURAL GUIDELINES
The City of Hutchinson through the NE Neighborhood or the SW Neighborhood SCDP owner
occupied housing rehabilitation program will provide assistance to eligible applicants for the
rehabilitation of properties utilizing Small Cities Development Program funds. The methods of
program distribution and eligibility criteria are incorporated in this procedural guide. No person
or business will be denied participation in the rehabilitation program due to their race, color,
creed, religion, national origin, sex, marital status, reliance on public assistance, age, disability,
or familial status.
The Hutchinson Housing and Redevelopment Authority, on behalf of the City of Hutchinson, has
been appointed Project Administrator.
PROGRAM OBJECTIVES
FEDERAL OBJECTIVE: The primary objective is to provide financial assistance to
low to moderate - income individuals who reside in the target area whose homes are in
need of rehabilitation.
2. SECONDARY IMPACTS: Secondary impact is to encourage the preservation of
housing and to improve the Northeast Neighborhood.
PROGRAM ADMINISTRATION
1. GENERAL ADMINISTRATOR: The City of Hutchinson is contracting with the
Hutchinson Housing & Redevelopment Authority (HRA). The Hutchinson HRA is
responsible for all phases of the administration of this Small Cities Development single
purpose program. The City of Hutchinson will be the Fiscal Agent and responsible for all
financial and progress reports. The Hutchinson HRA will have principle responsibility for
completion of the Environmental Assessment and development/submission of all
required policies and procedures prior to commencement of program delivery.
2. FIELD ADMINISTRATOR: The Hutchinson HRA will be providing the field
administration services. The Hutchinson HRA is responsible overall for program delivery
including: determination of household eligibility, application completion and loan
approval, and rehab loan administration. The Hutchinson HRA has a contract with the
City of Hutchinson Building Department for HQS inspection services, work write -ups,
rehab project interim and final inspections. The Hutchinson HRA also has a contract
with R & S Inspection, Inc. for lead inspections or lead assessments and lead clearance
tests.
3. FEDERAL COMPLIANCE: The City and the Hutchinson HRA will share
responsibility to comply with Federal Regulations regarding the implementation and
administration of this Small Cities Development Project.
4. DATA PRIVACY: Information on program Applicants shall be gathered and released in
accordance with the Minnesota Data Practices Act. All information including names,
addresses, and the amount of assistance received are considered public data under the
Minnesota Data Practices Act. Any other information provided to the program is
considered private data. Private data may be released to the following agencies or
organizations: City Council of Hutchinson, City of Hutchinson auditors, the Hutchinson
HRA, Minnesota Housing Finance Agency, Greater Minnesota Housing Fund, Rural
Page 1 of 19 11 (0
Development, SWMNHSP, Lending Institutions and other matching fund agencies,
DEED, and HUD. Private data cannot be released to anyone else unless a consent form is
completed granting permission.
5. EVIDENCE OF FRAUD: Any administering party participating in the Program shall
refer evidence of fraud, misrepresentation, collusion or other misconduct on the part of
the Applicant or contractors in connection with the operation of the Program to the State
of Minnesota Attorney General for investigation and possible legal action.
CONFLICT OF INTEREST
1. GENERAL CONDITIONS: No current or member within the last twelve months of the
governing body of the locality and no official, employee, or agent of the local
government, nor the Hutchinson HRA, who exercises policy decision - making function or
responsibilities in connection with the planning and implementation of the program shall
directly or indirectly benefit from this program with the following exception: The
authority may make a grant or loan from these funds to a member of the local governing
body or public officer of the authority who applies, if the public officer first discloses, as
part of the official minutes of a meeting of the authority, that the public officer has
applied for the funds, the public officer abstains from voting on the public officer's
application and that the City Attorney and DEED have approved an exception to the
conflict of interest rules.
This prohibition shall continue for one year after an individual's relationship with the
Local Government or the Hutchinson HRA ceases. Specific prohibitions are as follows:
a. Program Participation: No member of the governing body of the locality, no
official, employee, or agent of the local unit of government or the Hutchinson
HRA, as defined above, shall accrue direct or indirect program benefits.
b. Contractual Relationships: No member of the governing body of the locality, no
official, employee, or agent of the local unit of government or the Hutchinson
HRA, as defined above, shall obtain direct or indirect interest in any contract,
subcontract, or agreement in any activity in this program that provides financial
compensation for services.
C. Prohibition Extensions: This prohibition extends to contracts or direct benefits
in which a spouse, minor child or business partner may have personal or financial
interest.
2. DETERMINATION OF CONFLICT OF INTEREST: When questions arise or a
situation is unclear an initial Opinion of Conflict of Interest shall be sought from the City
Attorney. That Attorney's Opinion will utilize the Conflict of Interest Worksheet
(Appendix A) attached to these guidelines and will outline areas that the situation is
within or outside applicable Federal Regulations 24 CFR 570, Uniform Administration
Requirements and State Statutes 412.311 or 471 -87 through 471.89. The Attorney's
Opinion shall be forwarded to DEED Staff, and at DEED's discretion, shall be forwarded
to the Minnesota Attorney General for the State's Legal Opinion.
ELIGIBLE PROPERTIES
SCDP funds will be used to improve properties that meet the following criteria:
Page 2 of 19 1 1 CV)
The property must be located in the Northeast Neighborhood or SW Neighborhood
Housing Rehabilitation Project Area. The specific project boundaries are shown in
Appendix B of this procedural Guide.
The property must be a homeowner occupied residential structure.
Owner Occupied Duplex Housing: Where SCDP funds are granted for rehabilitation of
owner occupied duplex units, funds may only be used for:
a. Rehabilitation of the structural components of the dwelling
b. The internal components of the Owner Occupied portion of the dwelling
Funds may not be used for the internal components of the non -owner occupied rental unit
of the duplex. If the rental unit is in need of rehabilitation, the owner will be referred to
the MHFA HOME Rental Rehabilitation Program or the MHFA 6% Rental
Rehabilitation Loan Program.
The property to be improved must be a permanent structure.
The property to be rehabilitated must be considered suitable for rehab under local
definition. No property deemed to be not suitable may be rehabilitated with SCDP funds.
Rehabilitation is not remodeling. Remodeling is for convenience or cosmetic purposes.
Rehabilitation deals with, in order of priority:
(1) health issues and safety issues, including identified lead hazards; and
(2) energy conservation, as well as certain long -term preservation of structures such as
siding, roofs and foundations.
Certain types of rehabilitation can be viewed as lack of maintenance or deferred
maintenance. Other types of rehabilitation needs can be viewed as items that wear out or
need replacements because of obsolescence.
Rehabilitable Building:
A building is suitable for rehabilitation when it is structurally sound. To be rehabilitable,
a building should be vertically plumb within three degrees and shall have no significant
rot on the majority of the floor joists, studs or rafters that are weight bearing.
Foundations and basement walls shall not be deteriorated to the extent or so out of
alignment that they do not adequately support the building and can not be corrected
without complete replacement. Any proposed rehab /modifications to a pre - manufactured
home will need prior approval by the manufacturer.
If the improvement costs for a structure are 50% more than the County Assessor's Office
market value, the dwelling may be deemed not suitable for rehabilitation, at the discretion
of the City of Hutchinson Building Department and Hutchinson HRA. An unsuitable
unit is a substandard unit with serious defects and is not able to meet a majority of local
standards and rehabilitation is neither practical nor economically feasible.
Page 3 of 19 1100)
The City /HRA would be placing the following two restrictions as to the use of SCDP
funds:
a. Maximum SCDP funding per property is $24,999.
b. The structure must be suitable for rehabilitation.
6. The property must be occupied by low /moderate income households as defined herein.
Property that is rehabilitated under this program will meet HQS as a minimum standard.
Rehab work will also need to meet the current State Building Code adopted by the City of
Hutchinson.
8. No property located within a floodplain will be rehabilitated under this program.
9. No property may receive SCDP rehabilitation project funds if the property has real estate
taxes due and payable.
10. No property may receive SCDP rehabilitation project funds unless the home is insured.
ELIGIBLE IMPROVEMENTS
Improvements made with SCDP funds shall satisfy the following requirements:
Health and safety needs and concerns within the housing units to be rehabilitated will
always be considered the top priority for funding using SCDP funds.
2. Each improvement must be a permanent general improvement. Permanent general
improvements shall include alteration, renovation or repairs upon and in connection with
existing structures, which correct defects and deficiencies in the property affecting
directly the safety, habitability, energy consumption, or aesthetics of the property.
3. Upon completion of the improvements, the structure must comply with the requirements
of the current State Building Code adopted by the City of Hutchinson and HUD Section 8
Housing Quality Standards.
4. If the structure has been determined historically significant by the Minnesota Historical
Society, plans for exterior improvements to the structure must be reviewed and
commented on by the Minnesota Historical Society. Buildings participating in the
program and constructed 50 years prior to the current calendar year will be evaluated in
accordance with the guidelines received from the Minnesota Historical Society.
Each improvement must be made in compliance with all applicable health, fire
prevention, and building codes, provided, however, that no application shall be denied
solely because the improvement will not bring such property into full compliance with
these codes.
No SCDP funds shall be used in whole or in part for the purpose of refinancing or paying
off an existing indebtedness. All such funds must be used to finance improvements
begun after program application.
Page 4 of 19 ' 1 r p\
Other Eligible Project Costs
Homes built prior to 1978 are required to have a lead hazard risk assessment or lead paint
inspection at the discretion of the HRA; this cost as well as lead clearance costs are considered
eligible project costs. Energy audits are considered eligible project costs upon request of the
homeowner or other funding sources.
INELIGIBLE COSTS
The following list of items is examples of what can not be funded with SCDP funds as part of the
rehabilitation program. Ineligible improvements include, but are not limited to:
1. Air conditioning; except if verified by a physician ordered for a medical condition.
• Central, new installation.
• Room air conditioning.
2. Landscaping. *Excavation to correct drainage around the house will be considered an
eligible cost.
3. Fireplaces.
4. New construction.
5. Wind generation devices.
6. Window /Door coverings: blinds, curtains, drapes, shades.
7. Out buildings, including sheds, utility buildings, barns, silos, new garages, etc.
8. Wood burning stoves.
9. Heat systems located outside the living space of the structure.
10. Recreational or entertainment facilities including swimming pools, tennis courts, saunas,
decks and patios.
11. Assessments for public improvements.
12. Improvements begun prior to approval of the program application.
13. Upgrades to specifications above standard grade for rehabilitation.
14. Appliances
15. Other items deemed not appropriate to the program.
ELIGIBLE RECIPIENTS
Ownership Requirements: The homeowner must individually or in aggregate have a
qualifying interest in the property consisting of at least:
a. A 1/3 interest in the Fee Title. Such interests must be subject to a mortgage, and
must demonstrate the ability to secure the signatures off all remainder men and
spouses with interest in the property as loan guarantors and must appear on record
with McLeod County;
b. A 1/3 interest as Purchaser in a Contract for Deed. Such interests must secure the
signatures of all parties and spouses that have interest in the property both as
Contract Vendor(s) and Contract Vendee(s) and must appear on record with
McLeod County;
C. A valid Life Estate. Life Estates must appear in the records of McLeod County
with all remainder men listed. Two Thirds (2/3) of the remainder men must sign
the mortgage as loan guarantors;
Page 5 of 19 11 (19) b)
Ownership by any form of Trust and ownership subject to a reverse mortgage does not meet the
ownership requirement.
2. The housing rehabilitation program is designed to be of 100 percent benefit to households
of low to moderate incomes. This will be achieved by following the gross income limits
as set by the Department of Housing and Urban Development for the Section 8 Existing
Housing Program. The 2009 income limits as adjusted for family size are listed below.
These limits shall be adjusted periodically upon HUD notification of income revisions.
3. Eligible recipients for housing rehab must have household incomes that do not exceed
current 80% HUD McLeod County income limits adjusted for family size, revised yearly
by HUD. The current income guidelines are listed below:
4. Household Size Maximum Household Income
1 $40,600
2 $46,400
3 $52,200
4 $58,000
5 $62,650
6 $67,300
7 $71,950
8 $76,600
5. Income for the purpose of this rehabilitation program shall be defined as gross annual
income projected for the next twelve months, whenever possible, including salary,
commissions, bonuses, interest, dividends, tips, capital gains or sale of securities,
annuities, pensions, IRAs, rental property income (adjusted as allowed by the IRS),
partnerships, estate or trust income, child support, alimony, social security, aid for
families with dependent children and miscellaneous income. Gross annual income from
self employment shall be deemed to be the average net profit from said self employment,
as declared by the applicant in Schedule C, F or E, Part 111, as appropriate, of the United
States Internal Revenue Service Form 1040, or any other such schedule as may be
hereafter promulgated, but including all depreciation as income, for the past two years.
6. All income shall be verified in writing. The following examples listed below are
considered acceptable.
a. An income verification sheet that is signed by a third party at the source of
income. Pay stubs may be used as a back up source of verification if the third
party income verification form needs further clarification.
b. The previous two years tax returns shall be used for those applicants who are self -
employed or having variable incomes.
C. Signed third party verifications from banks, savings and loans, insurance
companies, etc.
d. There will be no asset limitation associated with the SCDP loans.
Page 6of19 1l (b)
The main and foremost improvement priority for this rehabilitation program is directed to the
health/safety of project residents. The priorities are as follows:
Prioritv No. 1
Health and safety improvements are the primary emphasis of the rehabilitation efforts to be
conducted in the project area. As such, they are mandatory requirements. These improvements
are as follows in their sub - categorical ranking:
1. Fire detection/safe and obstructed egress
2. Electrical code violations
3. Lead based paint hazards
4. Radon mitigation
5. Surface impermeability to weather, water and rodents
6. Plumbing violations /deficiencies
7. Adequate and sanitary food preparation areas
8. Accessibility modifications for physically handicapped household member(s).
Priority No. 2
Energy improvements are also a primary improvement to be conducted in conjunction with
health and safety improvements. Improvement priorities are based upon the improvement's
estimated energy cost savings per year that will be provided to the household after rehab.
*1. Furnace replacement
2. Attic insulation
3. Wall insulation
4.
Storm doors
5.
Storm Windows
6.
Rim joist insulation
7.
Door /window weather- stripping
* Furnace replacement could, very well, be placed as a No. 1 Priority depending upon the
nature and severity of the existing defects. If it is deemed to be a threat to health/safety
of the housing occupants, it will receive a No. 1 Priority.
Priority No. 3
Basic housing quality components are secondary improvements to be conducted after the
health/safety and energy improvements are addressed. These improvements are generally
deferred maintenance items and major improvements which will need attention in the immediate
future, but which are functional at the present time. They include items such as the following:
*I. Roofing
2. Painting
3. Window replacement
* Roofing could be a No. 2 Priority depending upon the nature and severity of the project.
Page 7 of 19 1 1 (b)
APPLICATION AND APPLICATION SELECTION
The City /HRA will be approving applications from homes/homeowners, on a first come first
serve basis, based on the date and time an executed application is received by the HRA office.
Immediate health/safety emergency housing deficiencies determined by the Project Coordinator
may receive priority, depending upon severity of deficiency and whether the emergency can be
abated temporarily. (Failing furnace in winter, elevated blood lead levels in children etc.)
PROJECT FUNDING
LOW TO MODERATE INCOME - up to 80% of Area Median Income adjusted for family size.
70% Deferred SCDP Loan - 0% interest; 10 Year term. (10% forgiven per year)
30% owner match required.
Non -SCDP financing shall be funds or financing received from private lenders,
weatherization programs, City of Hutchinson revolving rehab loan program, MHFA
rehabilitation loan program funds, community action agency funds, RD grant/loan funds,
MHFA home improvement loan funds, matching funds through SWMNHSP, or any
combination of these and other sources of financing or funding. The use of Non -SCDP
financing will help promote the cost - effective use of SCDP City Revolving Funds.
a. Coordination of available funds will be done by the HRA.
b. The decision, as to which Non -SCDP funds may be available, will be based on
each applicant's individual financial situation and the requirements of the Non -
SCDP funding source.
2. The owner must agree to have all Non -SCDP funds for the rehabilitation work deposited
in an escrow account controlled by the project administrator for disbursements to the
contractor when the work is satisfactorily completed. Withdrawals can be made only
upon written authorization from both the property owner and the Project Administrator.
An exception is made if matching funds require direct disbursement to the contractor.
REPAYMENT OF SCDP FUNDS
SCDP Deferred Loan/Grants shall be secured by a Mortgage and Repayment agreement.
2. In the case of the deferred loan/grant, all persons who signed the application for a
deferred loan/grant must enter into an agreement with the City of Hutchinson for
repayment of the loan/grant. The agreement shall provide that:
In the event that the improved property is sold, transferred or otherwise conveyed within
ten years from the date of SDCP loan closing, the recipient shall repay all or a portion of
such SCDP deferred loan/grant in accordance with the schedule below:
a. 70% Deferred SCDP Loan up to $24,999
30% Owner Match (this includes costs of all changes orders)
Owner responsible for project costs $25,000 and over
Page 8 of 19 1 1 V
If the recipient sells or vacates the property, the repayment terms are as follows:
1) 0 —12 months 100% Repayment
2) 13 — 24 months 90% Repayment
3) 25 — 36 months 80% Repayment
4) 37 — 48 months 70% Repayment
5) 49 — 60 months 60% Repayment
6) 61 - 72 months 50% Repayment
7) 73 - 84 months 40% Repayment
8) 85 - 96 months 30% Repayment
9) 97 - 108 months 20% Repayment
10) 109 - 120 months 10% Repayment
11) 121 months forgiven
b. That deferred loan/grant funds due upon sale of the property prior to the official
close -out of the grant shall be paid directly to City of Hutchinson, to be used for
further rehabilitation projects and shall be deducted from the draw down requests
as required by DEED.
C. That deferred loan/grant funds due upon sale of property after the official closeout
of the grant shall be paid directly to the City of Hutchinson.
d. The repayment agreement shall be subordinate to funds provided by private
lending institutions and other leveraging sources.
e. That if the SCDP funds are used for purposes other than an eligible improvement
upon an eligible property, or if the application is found to contain a material
misstatement of fact, then the recipient of the deferred loan/grant shall be liable
for 100 percent repayment of the deferred loan/grant.
f. That the recipient of a deferred loan/grant shall be required to notify the City of
Hutchinson immediately upon the sale, transfer or conveyance of the improved
property.
g. That if the recipient no longer occupies the property, the recipient would be
obligated to pay the deferred loan/grant in full at that time.
3. SCDP deferred loans /grants shall be secured by a mortgage.
Page 9 of 19 1(hi
MARKETING
The program administrator, on behalf of the City of Hutchinson, will conduct outreach in
the targeted area and will solicit applications for the Northeast Neighborhood Housing
Rehabilitation Program utilizing the below listed methods as necessary and/or
appropriate:
a. Issue press releases advertising community meetings regarding project both to
local print and broadcast media.
b. Direct mail program information to the homeowners in the target area, regarding
program availability.
C. Develop posters and brochures and post them in prominent areas in the
community.
d. Place program flyers door to door in project area.
INSPECTIONS OF PROPERTY
Process for Lead Hazard Reduction
a. At the time of the homeowner's application, each applicant must receive the lead
hazard brochure "Renovate Right" Rehabilitation files must indicate that
homeowners have received a copy of the brochure.
b. All houses built before 1978 must have a risk assessment, performed by a
certified lead risk assessor or a lead paint inspection at the discretion of the HRA.
The Risk Assessment Report or Lead Inspection will be part of the rehabilitation
project file. The Hutchinson HRA has contracted with R &S Inspection, Inc. to
conduct the lead risk assessments, but the HRA reserves the right to contract with
the lowest responsible provider, if the contract is terminated.
C. All homeowners must receive the HUD Notice "Summary Risk Assessment
Notice ". Rehabilitation files must show receipt of the Notice.
d. Work write ups /specifications will incorporate (or reference by addendum) the
required lead hazard reduction options identified within the Risk Assessment
Report. The write up /specification will include language on required lead safe
work practices, site preparation, prohibited practices and cleaning. This can be
accomplished in the work write -ups by reference to MN Rules 4761.1170 -1190,
Hazard Reduction Methods.
e. Owner- contractor contract language must include prohibition of use of lead -based
paint; requirement for trained workers /supervisors and conducting work by MN
Dept of Health approved training providers.
f According to the lead paint Final Rule requirements for lead safe work practices
the following circumstances do not require occupant relocation:
1) Treatment will not disturb lead -based paint or lead contaminated dust, or
2) Treatment of the interior will be completed within one period in eight
daytime hours, the site will be contained, and the work will not create
other safety, health, or environmental hazards, or
3) Only the building's exterior will be treated; the windows, doors,
ventilation intakes, and other openings near the worksite are sealed during
Page 10 of 19 140
hazard reduction activities and cleaned afterward; and a lead -free entry is
provided, or
4) Treatment will be completed within five calendar days; the work area is
sealed; at the end of each day, the area within 10 feet of the containment
area is cleared of debris; at the end of each day, occupants have safe
access to sleeping areas, bathroom, and kitchen facilities; and treatment
does not create other safety, health, or environmental hazards.
5) The Risk Assessor will make a recommendation, based upon the above
criteria and the ages of children residing in the household, whether
temporary relocation is required.
g. Residents must receive a Hazard Reduction Completion Notice, when lead hazard
work has been carried out on the property. The rehabilitation files must show
receipt of the Notice.
h. Only licensed workers and supervisors will carry out lead hazard reduction work.
i. All units must receive clearance examination, where risk assessment was
conducted and lead hazard reduction was carried out. Trained Sampling
Technicians may conduct clearance examinations. A copy of the clearance must
be in the project file.
j. If temporary relocation is required for homeowner occupants, the homeowner is
asked to make arrangements to stay with family or friends. If arrangements with
family or friends are not possible, rehabilitation funds may provide for
hotel /motel stay for up to 5 nights and is paid out of the total cost of
rehabilitation. Therefore, SCDP will pay for 70% of the cost incurred. The
homeowner is limited to $100 per night for hotel /motel and mileage at the Federal
rate.
k. For emergencies whereby high levels of lead have been found or children are
contaminated, the City will provide up to $3,000 per household, using program
income, for immediate evacuation, temporary shelter, additional housing costs,
and mileage costs.
2. HQS Inspection
Once an applicant has been determined eligible for SCDP funds:
a. The HRA contracted Housing Inspectors will conduct the Lead Risk Assessment
and a Housing Quality Standards (HQS) property inspection.
b. The Housing Inspectors will determine the work necessary to bring the property
into compliance with:
1) Generally Accepted Community Standards
2) Minnesota Energy Efficiency Standards as is practical
3) Other standards as required by the Grant Agreement
C. The HRA Housing Coordinator will then prepare a Scope of Work (work write -
up) that will rectify violations to the housing standards, and local codes. The
Scope of Work shall contain the following:
1) Instructions to the bidder
2) Bid proposal
Page 11 of 19 11 Cf/�
3) Program warranties
4) General conditions
5) Language for the use of Lead Safe Practices
6) Special Conditions
7) Diagrams and layouts as appropriate or needed
8) Cost estimate for the file
Any ineligible cost (not stated in the Scope of Work) that is done during the rehabilitation
process shall be paid for by the owner, over and above what the SCDP funds are being
used for.
REHAB LOAN REVIEW PROCEDURE
1. Each individual rehabilitation project will be presented to a Representative of the HRA
Loan Review Committee for approval after eligibility requirements have been
investigated, the property has been inspected, work write -ups have been completed,
bidding process is complete, project cost has been determined and, if necessary, outside
financing for owner match secured. The HRA Loan Review Committee will be presented
with a Project Presentation Form that will discuss the project, but not divulge any
information that would violate privacy requirements. The Project Presentation Form is
attached to the back of the procedural guide.
2. An HRA Loan Review Committee member and the HRA Executive Director will sign the
Project Presentation form, which will be presented to the HRA Board for formal loan
approval.
3. After approval by the HRA Board, a date for loan closing shall be set. If the project fails
to meet an eligibility requirement or is not approved by the HRA Loan Review
Committee, the applicant shall be informed in writing by the Housing Rehabilitation
Loan Coordinator within ten working days and shall be informed of the appeal process.
At the time of loan closing, the owner match will be required and put into an escrow
account.
ELIGIBLE CONTRACTORS AND BIDDING PROCEDURES
All General Contractors must complete a Contractor's Application to participate in the
Small Cities Development Program and must furnish the HRA with copies of: Certificate
of Insurance and Contractor's Licensing or Certificate of Exception. Upon HRA review
and approval of the above documents, the contractor may then be awarded a contract.
2. When lead hazard reduction is required by the risk assessor, lead trained workers will be
required on the project. Certification of training must be on file at the HRA office.
3. The contract is between the applicant and the contractor. The applicant will be provided
a list of the HRA approved contractors to choose from. However, an applicant is free to
choose any licensed contractor whom the applicant may desire.
Page 12 of 19 10)
4. Contractors will be allowed to bid on any and all rehabilitation projects. However, no
single contractor will be allowed to work on more than three rehabilitation projects at one
time.
The contract shall be awarded to the lowest base bid unless one of the following
circumstances occurs:
a. The bid is determined to be unrealistically low by the HRA and the contractor
agrees to withdraw the bid.
b. The contractor has failed to follow the procedures as outlined in the instructions
to the bidders.
c. The homeowner does not want the low contractor to perform the work and agrees
to pay the difference between the lowest bid and the preferred contractor's bid.
d. There appears to have been collusion between two or more contractors in which
case all bids under question will be thrown out and different contractors solicited
for bids.
e. The contractor fails to bid according to the specifications and it proves impossible
to compare that contractor's bid with the other contractor bids.
f. If two bids are tied, preference will be given to the Section 3 Certified Contractor,
unless the homeowner refuses.
6. A minimum of two bids shall be solicited for each improvement project. Bidding shall be
done on a general contractor basis, unless under certain cases, it will be a significant cost
benefit to the homeowner to bid out the individual projects separately. The HRA
Housing Rehabilitation Coordinator will make this decision. In the event only one bidder
responds, the bid will be compared to the cost estimate to determine whether the bid is
reasonable and can be accepted. The HRA Housing Rehab Coordinator /Inspector will
make this decision on a case by case basis.
7. The HRA will periodically do press releases about the project to encourage contractor
participation. Encouragement of women and minority -owned business to participate will
be included in the press releases.
8. All portions of the work must be performed by a contractor.
BID SUMMATION AND FINANCIAL PACKAGING
Bids will be presented to the property owner.
2. Upon acceptance of a bid by an applicant, the HRA will, working with the property
owner, package the project according to:
a. Eligibility of the property owner
b. Availability of Non -SCDP program funds
Page 13 of 19 1'( )
C. Other available funds, and
d. The appropriate level of SCDP funding
The loan package shall include:
a. The applicant's household composition
b. Applicant's gross income
C. Estimated market value of the property
d. Property location
e. Applicant's equity in the property
f. Proposed rehabilitation activities
g. SCDP funding requested
h. Other funding to be used in the project
4. The necessary repayment agreements, mortgage and other legal necessary documentation
are prepared by the HRA staff.
A mortgage shall be placed on the property for the full amount of the SCDP dollars spent
on the project. There is a limit of $25,000 of SCDP funding per project. Change orders
resulting in a project cost over $25,000 will not be covered by SCDP funds.
Homeowners will be expected to finance project costs over $25,000. The HRA Loan
Review Committee, during review of a project, reserves the right to where appropriate,
waive the $25,000 SCDP limit. Justification will be documented in the file. Sources of
owner matches include the MHFA Deferred Loan Program, USDA Rural Development
504 Home Repair Program, Heartland Community Action Agency, Inc. Weatherization
Program, AHP, GMHF, City of Hutchinson Housing Rehabilitation Revolving Loan
Fund, Hutchinson HRA Rehab Loan — NE Neighborhood or SW Neighborhood, MHFA
CFUF and FUF and any other leverage sources that may become available through the
Southwest Minnesota Housing Partnership. Financing packages will be assembled by the
HRA Program Coordinator based on income eligibility, financing amount available with
various sources, and financing tenns. City of Hutchinson Revolving Rehabilitation loan
and the HRA Rehab loan funds will be reserved for families between 60 -80% of AMI,
because other rehab financing sources will be used first for families at or below 60%
AMI.
6. The property owner shall be responsible for paying the recording fee of the mortgage.
Closing will then take place with the property owner and other appropriate parties to the
closing.
Three days after closing the HRA will issue a Notice to Proceed to the accepted
contractor(s).
CONTRACT PERFORMANCE
The Notice to Proceed allows the contractor 90 days to complete, except that weather
dependent work on projects where the notice to proceed is issued too late in the building
season will allow additional days as determined by the HRA. Change Orders are required
to extend ALL contracts.
Page 14 of 19 1 1 ( 0
2.
4.
Change orders to the contract:
a. Require the signatures of the:
1) Homeowner
2) Contractor
3) HRA Housing Program Coordinator
4) The Housing Inspector
b. Will be allowed only for the following reasons:
1) To rectify hidden deficiencies that are discovered once the work has
begun.
2) To change an approved work specification due to unforeseen difficulties
arising after the work has begun that force a delay.
3) To address a deficiency that was inadvertently dropped from the project
during project packaging.
4) The work is weather dependent and weather conditions have not allowed
the completion of the work.
5) The homeowner preferred contractor is too heavily committed to perform
the work within the allotted time and the contractor requests an extension
along with a work schedule acceptable to the homeowner and HRA.
6) Unforeseen difficulties develop with the approved work and force a delay.
C. Any additional Owner Match funds will be required to be deposited in an escrow
account.
Interim inspections may be performed by the HRA or City Building Department to
monitor work progress and quality of workmanship.
If a dispute arises between a property owner and a contractor, the HRA Housing
Rehabilitation Coordinator will advise the property owner and contractor to resolve the
issue according to the contract and work specifications. If a clarification of the contract
and specifications is needed, the HRA Housing Program Coordinator will render an
opinion based on the facts presented and the contract. If a solution cannot be found,
either party may then appeal the HRA Loan Review Committee and the Project Director -
their decision will be final.
A contractor's contract may be terminated for any of the following reasons
a. Poor work performance on the job site and the demonstrated inability to rectify
the poor workmanship. The cost of repairing poor workmanship shall be
deducted from any amount owed to the initial contractor for work completed.
b. Causing undue damages to a homeowner's property and the inability or
unwillingness to correct the damages. The cost of repairing the damages will be
deducted from any money owed the contractor for work already completed.
C. The contractor lacks sufficient insurance coverage.
d. The inability of the contractor to perform the work within the allotted time.
Page 15 of 19 t0)
e. Irreconcilable and unreasonable differences between the contractor and the
property owner.
f The contractor requests to be removed from the contract. There will be no
penalty associated with this request as long as the request is made within 30 days
of receiving the Notice to Proceed.
g. Contractors who are removed from a contract shall be removed from the approved
contractor's list and shall be prohibited from being awarded any contracts with
this program until such time as the problem has been corrected and HRA might
reinstate their approved status.
PAYMENT
1. All contractors will agree to the payment schedule contained within the contractor's
application, which is as follows:
a. No pre - payments are allowed for any reason.
b. Partial payments will be allowed only for completed portions of the project and a
portion of the payment may be subject to retainage payable upon completion of
the entire project.
C. Payments will be made only after the work is completed according to the
specifications contained within the Scope of Work and meets with the approval of
the applicant and the HRA after inspection.
d. Payments will be made only upon presentation of the following documents:
Billing statement
1) Lien waiver
2) Sworn Construction statement
3) Completion Certificate
4) Lead Clearance
PROJECT FILES
The Housing Rehab Coordinator shall maintain files on each applicant throughout the duration of
the project. Those files shall include the following:
1. Section A - File Checklist
a. Homeowner Application
b. Property Presentation Form/Approved by HRA Loan Review Committee
C. Application and Rehabilitation Process Form
d. Income Verification Form
1) Employment Verification
2) Second Employment Verification
3) Self - employment Income
4) Bank Verification
Page 16 of 19 No)
5) Ul /General Assistance /AFDC Grant Verification
6) Social Security Verification
7) Pension/Retirement Verification
8) Child Support
e. Historical Society Clearance
f Property Tax Verification
g. Title Verification Form
h. Property Insurance Verification
i. Photo Release Form
j. Lead Based Paint Statement/Lead Based Paint Assessment Requirement
k. Property Owner Conditions
1. Property Inspection Completed
m. Guidelines for Subordination Requests
n. Fair Housing Certification Form
o. Eligibility/Non- Eligibility Letter
2. Section B - File Checklist
a. Change Orders (if applicable)
b. Specifications for Rehabilitation (Notice to Bid)
C. Notice to Proceed
d. Contractor /Property Owner Agreement/Property Owner Conditions
e. Contractor Award Notice
f. Contractor Non -Award Notice
g. Proposal Form/Bid Specification
h. Copies of Proposals Received
i. Bid Tabulation
3. Section C - File Checklist
a. SCDP Deferred Loan Mortgage and Repayment Agreement
b. Documentation of Non -SCDP Finances (if applicable)
• Escrow Agreement for Owner Match
C. Notice of Right of Recision
d. Truth in Lending Statement
4. Section D - File Checklist
a.
Preconstruction Conference Report
b.
Notice to Proceed
C.
Contractor Payment Request
d.
Sworn Construction Statement
e.
Completion Certificate
f.
Lien Waiver
g.
Field Inspection Report
5. Section E - File Checklist
a. Owner Evaluation
b. Lead Clearance
C. Hazard Reduction Completion Notice
d. Copy of Filed Repayment Agreement
Page 17 of 19 1 1w)
6. Copies of forms as appropriate are appended.
7. HRA at its option may accept documentation and verification from other agencies
working with the same applicant. Other agencies at this time are:
a. MHFA
b. Heartland
C. Rural Development
d. Southwest Minnesota Housing Partnership
APPEALS
If an applicant/property owner's application is denied for any reason or is dissatisfied
with the level of assistance received, the following procedure is to allow for a
standardized appeal /complaint process for all applicants of the Small Cities Development
Program.
2. In the event of denial or a complaint, the applicant /complaint:
a. Will be informed of the appeal process.
b. Will be given a copy of the appeal process.
C. Will be given a written notice clearly stating under what condition that the
application was denied.
3. The applicant who wishes to appeal the denial of benefits must submit their appeal within
14 days of receipt of denial either orally or in writing to the Housing Rehab Loan
Coordinator. That appeal must state:
a. The reason(s) for the appeal.
b. Information that the applicant believes is pertinent to the appeal.
4. If the applicant is not satisfied with the decision of the Housing Rehab Coordinator, an
appeal may made in writing to the Project Director, within 14 days of decision by the
Housing Rehab Coordinator. The Project Director shall review all written appeals with
the HRA Loan Review Committee.
5. Further appeal may be made to the HRA Loan Review Committee by appearing in person
before the committee. The Project Director shall respond to the applicant in writing
within 15 working days of appearing before the committee:
a. The results of the review
b. An explanation of the findings
C. The next step the applicant can take if not satisfied with the response
Page 18 of 19 lo)
6. If the applicant is denied assistance by the BRA Loan Review Committee; final appeal
may be made to:
Minnesota Department of Employment and Economic Development
I" National Bank Building
332 Minnesota Street Suite E 200
St. Paul, MN 55101 -1351
GENERAL CONDITIONS
No project may be started until:
a. Grant dollars are made available
b. The program is officially up and running
C. The application process has been approved
d. HRA/homeowner has issued a Notice to Proceed
Any work done on a project prior to these steps will mean that part of the project is
ineligible for funding.
The proceeds received from the repayment of Rehabilitation loans originated SCDP
funds will go into a revolving loan fund to provide funds for rehabilitation projects on an
ongoing basis.
AMENDMENTS
These procedural guidelines may be amended in whole or in part or supplemented by the
Hutchinson Housing and Redevelopment Authority as deemed appropriate and/or needed
and will be effective on the date of issue.
G: /HRA /DTED & SCDP Programs /2012 SCDP NE Neighborhood/Procedural Guide 2012
Page 19 of 19 10)
City of Hutchinson Section 3 Plan
The City of Hutchinson, in conjunction with Small Cities Development Program Grant 4CDAP-
11- 0023- 0-FY12, has the following plan to direct employment and other economic opportunities
generated by HUD financial assistance for housing and community development programs, to
the greatest extent feasible, toward low and very low income persons, particularly those who are
recipients of government assistance for housing.
Section 3 is a HUD requirement that is intended to ensure that when employment or contracting
opportunities are available on HUD funded projects, preference is given to low and very low
income persons or businesses, whenever possible.
The City of Hutchinson will attempt to recruit Section 3 Businesses and low income area
residents as new hires for the project through: signs regarding the project placed at City Center,
the Hutchinson library, Park Towers Apartments, and contact with the local workforce center.
The City of Hutchinson will require that all contracts between the homeowner and the contractor
providing rehab services will contain the following Equal Opportunity provisions:
• Equal Employment Opportunity: "The contractor shall provide equal employment
opportunity to all persons without discrimination as to race, color, creed, religion,
national origin, sex, age or disability."
• Affirmative Action: "To the extent possible and practical, the contractor will take
affirmative action to provide employment opportunities to all persons without regard to
race, color, creed, religion, national origin, sex, age, or disability."
• Section 3: "To the extent feasible, the contractor shall provide opportunities for training
and employment to lower income residents of the area, particularly residents of public or
federally assisted housing."
The City of Hutchinson will require all contractors to complete and submit the Section 3
Business Certification Form prior to awarding contracts. While being a Section 3 business is not
required for the program, the City of Hutchinson will give preference, whenever possible and
within the guidelines of the City of Hutchinson procurement policy to qualified, competitive
Section 3 businesses.
J t(b)
STATE OF MINNESOTA
DEPARTMENT OF EMPLOYMENT AND ECONOMIC DEVELOPMENT
BUSINESS AND COMMUNITY DEVELOPMENT DIVISION
Small Cities Development Program
Grant Agreement
CDAP -11- 0023- 0-FY12
This Agreement is made on June 1, 2012 between the State of Minnesota acting through the Department of Employment
and Economic Development (hereinafter the Grantor) and the City of Hutchinson, 1 I I Hassan Street SE, Hutchinson, MN
55350 -2522 (hereinafter the Grantee).
The Grantor has been allocated funds by the United States Department of Housing and Urban Development under the
Community Development Block Grant Program (CDBG) and is authorized to administer the funds pursuant to Minnesota
Statutes l I6J.401(2). Under Minn. Stat. I I6J.402, the Grantor is empowered to enter into contracts as necessary to
perform the Commissioner's duties.
The Grantee has made application to the Grantor for the purpose of administering a Small Cities Development Program
(SCDP) project for the City of Hutchinson in the manner described in Grantee's "APPLICATION," which is incorporated
into this agreement by reference.
In consideration of mutual promises set forth below, the parties agree as follows:
The Grantor shall grant to the Grantee the total sum of ONE HUNDRED SEVENTY -FIVE THOUSAND FOUR
HUNDRED DOLLARS ($175,400), which shall be federal funds appropriated to the State of Minnesota under the CDBG.
The Grantee shall perform the activities that are proposed in the application and further are specified under Grant
Conditions during the period from June 1, 2012 through December 31, 2014 in accordance with all applicable provisions
of Title 1 of the Housing and Community Development Act of 1974, as amended, its implementing regulations
particularly federal statutes identified in Title 24 of the Code of Federal Regulations, Part 570, guidelines provided by
Grantor and all other applicable state and federal laws.
Grantee agrees to complete the project in accordance with the approved budget and within the time frames specified in the
application and agreement. Any change in the scope of the project, the budget, or the completion date must be approved
in writing by the Grantor.
Funds made available pursuant to this agreement shall be used only for expenses incurred in performing and
accomplishing such purposes and activities during the grant period described above. Notwithstanding all other provisions
of this agreement, it is understood that any reduction or termination of Housing and Urban Development funds provided
to the Grantor may result in a like reduction to the Grantee.
Where provisions of the Grantee's application are inconsistent with other provisions of this agreement, the other
provisions of this agreement shall take precedence over the provisions of the application.
1p)
Grant Number: CDAP -11- 0023- 0-FY12
GRANT CONDITIONS
The following activities, goals, and budget costs are approved by the Grantor. Any modifications to the budget
must have written Grantor approval prior to implementation.
2. Successors and Assignees: The Grantee may neither assign nor transfer any rights or obligations under this grant
contract without the prior consent of the Grantor and a fully executed grant agreement executed and approved by
the same parties whom executed and approved the grant, or their successors in office. This agreement shall be
binding upon any successors or assignees of the parties.
3. Amendments: Any amendment to this grant contract, with the exception of Grant Adjustment Notices (GANs),
must be in writing and will not be effective until it has been executed and approved by those parties authorized by
resolution to enter into this contract, their successors and assigns, or other party authorized by the Grantee through a
formal resolution of its governing body. GANs must be approved by the Grantor in writing, and require a written
change request by the Grantee.
4. Waiver: If the state fails to enforce any provisions of this grant agreement that failure does not waive the provisions
or its right to enforce it.
5 Pre - Agreement Costs: Grantee may incur administrative costs for this grant prior to the executed grant agreement.
This does not include the award of construction contracts prior to environmental clearance.
6. Environmental Compliance: Unless the Grantor indicates otherwise, the Grantee is required to conduct an
environmental review on project activities, to comply with the National Environmental Policy Act of 1969 (NEPA),
as amended. Disbursement of funds will not occur until Grantee has provided assurances that all NEPA
requirements will be met.
Environmental clearance must be received by the Grantor and other agencies prior to committing funds for
activities. Grantee must maintain environmental review documentation and records.
The Grantee may enter into a programmatic agreement with the Minnesota State Historic Preservation Office
(MnSHPO) that allows the grantee to not seek further consultation from MnSHPO on eligible properties in eligible
rehabilitation projects.
Timeliness: The Grantor may cancel this Grant Agreement if it determines that the progress towards completion of
the activities is not reasonable.
8. Drug -free Workplace/Drug-Free Workplace Awareness Program: The Grantee agrees to provide a drug -free
workplace by notifying employees that unlawful manufacture, distribution, dispensation, possession or use of a
controlled substance is prohibited in the Grantee's workplace and specifying actions that will be taken against
employees for violation of such prohibition. The Grantee must have an Awareness Program, or establish a
drug -free workplace awareness program to inform employees about the dangers of drug abuse, the availability of
drug counseling and penalties for violations of the drug -free workplace policy. Prior to release of funds, Grantee
2 10)
Number of
Number of
LMI
households
households
Fed. Activity
Unit /persons
/persons
SCDP
Other
Obj Code
Activity Title
Goal served
served
Funds
Funds
Total
LMH 14A
Res Owner Rehab
10 10
10
$149,400
$64,030
$213,430
21A
Administration
26,000
0
26,000
Totals
$175,400
$64,030
$239,430
2. Successors and Assignees: The Grantee may neither assign nor transfer any rights or obligations under this grant
contract without the prior consent of the Grantor and a fully executed grant agreement executed and approved by
the same parties whom executed and approved the grant, or their successors in office. This agreement shall be
binding upon any successors or assignees of the parties.
3. Amendments: Any amendment to this grant contract, with the exception of Grant Adjustment Notices (GANs),
must be in writing and will not be effective until it has been executed and approved by those parties authorized by
resolution to enter into this contract, their successors and assigns, or other party authorized by the Grantee through a
formal resolution of its governing body. GANs must be approved by the Grantor in writing, and require a written
change request by the Grantee.
4. Waiver: If the state fails to enforce any provisions of this grant agreement that failure does not waive the provisions
or its right to enforce it.
5 Pre - Agreement Costs: Grantee may incur administrative costs for this grant prior to the executed grant agreement.
This does not include the award of construction contracts prior to environmental clearance.
6. Environmental Compliance: Unless the Grantor indicates otherwise, the Grantee is required to conduct an
environmental review on project activities, to comply with the National Environmental Policy Act of 1969 (NEPA),
as amended. Disbursement of funds will not occur until Grantee has provided assurances that all NEPA
requirements will be met.
Environmental clearance must be received by the Grantor and other agencies prior to committing funds for
activities. Grantee must maintain environmental review documentation and records.
The Grantee may enter into a programmatic agreement with the Minnesota State Historic Preservation Office
(MnSHPO) that allows the grantee to not seek further consultation from MnSHPO on eligible properties in eligible
rehabilitation projects.
Timeliness: The Grantor may cancel this Grant Agreement if it determines that the progress towards completion of
the activities is not reasonable.
8. Drug -free Workplace/Drug-Free Workplace Awareness Program: The Grantee agrees to provide a drug -free
workplace by notifying employees that unlawful manufacture, distribution, dispensation, possession or use of a
controlled substance is prohibited in the Grantee's workplace and specifying actions that will be taken against
employees for violation of such prohibition. The Grantee must have an Awareness Program, or establish a
drug -free workplace awareness program to inform employees about the dangers of drug abuse, the availability of
drug counseling and penalties for violations of the drug -free workplace policy. Prior to release of funds, Grantee
2 10)
will provide evidence of a drug -free workplace to the Grantor.
9. Prohibition of Excessive Force Policy: The Grantee agrees to adopt and enforce a policy to prohibit the use of
excessive force by law enforcement agencies within its jurisdiction against any individuals engaged in nonviolent
civil rights demonstrations (P.L. 101 -144, Section 519). Prior to release of funds, Grantee will provide evidence of
a Prohibition of Excessive Force Policy to the Grantor.
10. Residential Anti - displacement and Relocation Assistance Plan: The Grantee agrees to adopt, make public and
follow a "residential anti - displacement and relocation assistance plan" in accordance with Section 104(d) of the
Housing and Community Development Act of 1974, as amended. This plan must include steps to minimize
displacement of residents caused by project activities. Prior to release of funds, Grantee will provide evidence of a
Residential Anti - displacement and Relocation Assistance Plan to the Grantor.
11. Fair Housing: Grantee agrees to abide by and promote all Fair Housing Regulations during the grant period,
including conducting at least one unique activity to affirmatively further fair housing each year that the grant
remains open. Activity(ies) must be reported via the Grantor's Annual Report annually.
12. Policies and Procedures: Where applicable and prior to release of funds, Grantee must approve policies and
procedures which are consistent with the Application and consistent with current SCDP guidance and policy. All
policies and procedures must adhere to federal and /or state requirements.
13. Federal Labor Standards: When applicable, Grantee must comply with all federal Davis Bacon and Related Act
requirements and must submit "Notice of Contract Award" required by the Grantor before using grant funds to pay
contractors or subcontractors.
14. Reporting: Grantee shall submit reports annually during the grant period, to Grantor by October 15, or the date
designated by the Grantor. All other reports must be in accordance with the reporting requirements set forth in
Minnesota Rule 4300.3200. Grantee shall use the reporting forms provided by the Grantor.
15. Accounting: For all expenditures of funds made pursuant to this agreement, Grantee shall keep financial records,
including invoices, contracts, receipts, vouchers, and other documents sufficient to evidence in proper detail the
nature and propriety of the expenditure. Accounting methods shall be in accordance with "The Common Rule,"
Uniform Administrative Requirements for Grants and Cooperative Agreements to State and Local Governments, at
24 CFR, Part 85, as amended.
16. Procurement: The Grantee must maintain documentation that shows that professional services were procured in
accordance with "The Common Rule," Uniform Administrative Requirements for Grants and Cooperative
Agreements to State and Local Governments, at 24 CFR, Part 85, as amended. Services obtained from units of
government such as HRA, RDC, or nonprofit organizations do not have to be procured by competitive negotiation,
but contracts for these services must only be on a cost - reimbursement basis, accounted for in accordance with "The
Common Rule."
All construction contracts will require competitive bidding, unless waived by the Grantor
17. Audit and Inspection: The Grantee shall comply with the requirements of the Single Audit Act Amendments of
1996 (P.L. 104 -156). When a Grantee expends over $500,000 in federal funds during their fiscal year, an A -133
audit is required. Accounts and records related to the funds provided under this agreement shall be accessible to
authorized representatives of the Grantor for purposes of examination and audit. In addition, Grantee will give the
U.S. General Accounting Office, the U.S. Department of Housing and Urban Development, State of Minnesota,
Department Of Employment and Economic Development, the Legislative Auditor, and State Auditor's Office,
through any authorized representatives, access to and the right to examine all records, books, papers, and documents
related to the grant for a minimum of six years from the end of this Grant Agreement. The Catalogue of Federal
Domestic Assistance (CFDA) number for grants made available from Small Cities is: 14.228.
Iwo)
18. Liability: Grantee agrees to indemnify and save and hold Grantor, its agents and employees harmless from any and
all claims or causes of action arising from the performance of the Grant by Grantee or Grantee's agents or
employees. This clause shall not be construed to bar any legal remedies Grantee may have for the Grantor's failure
to fulfill its obligations pursuant to this Agreement.
19. Data Practices Act: The Grantee shall comply with the Minnesota Government Data Practices Act, Chapter 13.
20. Conflict of Interest: The Grantee shall comply with the conflict of interest provisions of Minnesota Statutes
Sections 471.87- 471.88, and Subpart K of 24 CFR, Part 570.611 of the Code of Federal Regulations.
21. Payment/Disbursements: Grantor shall disburse funds to the Grantee pursuant to this agreement, based upon a
payment request submitted by the Grantee and reviewed and approved by the Grantor. Payment requests will be
processed on a bi- weekly calendar provided by Grantor. The amount of grant funds requested must be two
thousand dollars ($2,000) or more (except for the final draw).
Grantor has authority to withhold administrative funds if adequate progress on contractual goals is not being met.
22. Program Income and local income generated: Program Income is defined as any income equal to or exceeding
$35,000 in a federal fiscal year (10/1 -9/30) received by the Grantee from the CDBG (SCDP and federal Minnesota
Investment Fund). Any income received from a SCDP grant under $35,000 in a federal fiscal year, is not Program
Income, but must be reused for an approved purpose.
If a Grantee has an open SCDP grant and receives income (Program Income or not) from that SCDP grant, or
previous SCDP grants that are now closed, the amount received must be used for grant activities prior to drawing
awarded funds. Program Income will be subtracted from the amount requested on the Disbursement Request Form
(DRF).
Grantee agrees to have a "Program Income and Local Funds Generated Plan" on file that states how Program
Income and local funds generated from the grant will be reused. This plan should state funds will be reused for an
approved SCDP purpose and be consistent with the Grantee's application. If the funds received by the Grantee
cannot be utilized by the Grantee within a reasonable amount of time, it must be returned to Grantor.
Annual Reporting: Following grant closeout, the Grantee must report Program Income funds available at the
beginning of the year, Program Income received, Program Income expended, and the Program Income funds
balance at the end of the year. This reporting is completed on -line. If the Grantee receives income from a grant of
less than $35,000 in a federal fiscal year, it is NOT Program Income and the report should report $0 for Program
Income. Grantees must complete the report annually even if there is no Program Income. Annual Program Income
reporting will be required as long as the Grantee has Program Income or has outstanding loans for grant funds or
Program Income funds.
If Program Income is expended, when it is not on an open grant, the Post Closeout Program Income Expenditure
Reporting Form must be completed to show accomplishments achieved with those and leveraged funds.
23. The Grantee must comply with Minnesota Statutes, Section 290.9705 by either:
A. Depositing with the State, eight percent of every payment made to non - Minnesota construction contractors,
where the contract exceeds $100,000; or
B. Receiving a waiver from this requirement from the Minnesota Department of Revenue.
24. Anti - Lobbying: The Grantee must not use SCDP funds to pay any person for influencing or attempting to influence
an officer or employee of a federal agency, a member of Congress, an officer or employee of Congress, or any
employee of a member of Congress in connection with the awarding of any federal contract, the making of a federal
grant, the making of a federal loan, the entering into of any cooperative agreement, and the extension, continuation,
renewal, amendment, or modification of any federal contract, grant, loan, or cooperative agreement. If the Grantee
110 b)
uses non - federal funds to conduct any of the aforementioned activities, the Grantee must complete and submit
Standard Form LLL, "Disclosure Form to Report Lobbying." Further the Grantee must include the language of this
provision in all contracts and subcontracts and all contractors and subcontractors must comply accordingly.
25. Equal Employment & Section 3: Grantee must include Executive Order 11246 (Standard Federal Equal
Employment Opportunity Construction Contract Specifications) as well as the Section 3 Clause § 135.38, notice
regarding economic opportunities for low and very low income persons in all Grantee bidding and contract
documents for which the construction costs exceed $100,000. All Grantees must have a Section 3 plan documenting
how they will promote Section 3 and collect the SCDP Section 3 Contractor Certification form when applicable.
26. Uniform Relocation Assistance and Real Property Acquisition Policies Act: Permanent easements of land required
for any public facilities improvement made using SCDP funds, or in conjunction with SCDP activities, must be
acquired in conformance with the provisions of the Uniform Relocation Assistance and Real Property Acquisition
Policies Act of 1970, as amended (49 CFR 24). Budget modification, if necessary to achieve compliance, must be
approved in writing by the Grantor.
Unless otherwise approved in writing by Grantor, use of SCDP funds to purchase real property is limited to the
value established by appraisal(s) conducted in accordance with the Uniform Relocation Assistance and Real
Property Acquisition Policies Act of 1970, as amended.
Reuse of real property that is acquired with SCDP funds must be approved by Grantor.
27. Assessments: Grantee will not assess the SCDP funds share of any public facilities project.
28. Provision for Contracts and Subcontracts: Grantee shall include in any contract or subcontract such provisions as to
assure contractor and subcontractor compliance with applicable state and federal laws.
29. Eligible Contractors: Grantees are required to verify that all contractors, subcontractors and sub - recipients are not
listed on the Federal publication that lists debarred, suspended and ineligible contractors. Evidence of this
determination must be readily available to the Grantor throughout the life of the project.
30. Reduction in Actual Costs: On projects that involve construction of public facilities, new housing construction,
conversion for new housing, or rehabilitation of 8 housing units or more under one site: If bids are significantly
lower than estimated project costs presented in the Grantor's application, Grantee must contact Grantor. Grant
amount may be reduced.
31. Termination and Cancellation: This Grant may be cancelled by the Grantor at any time, upon thirty (30) days
written notice to the Grantee. In the event of such cancellation, Grantee shall be entitled to payment, determined on
a pro rata basis, for work or services satisfactorily performed.
32. Worker's Compensation: The grantee certifies that it is in compliance with Minnesota Statute 176.181 Subd.02,
pertaining to worker's compensation insurance coverage. The Grantee's employers and agents will not be
considered state employees. Any claims that may arise under the Minnesota Worker's Compensation Act on behalf
of these employees and any claims made by any third party as a consequence of any act or omission on the part of
these employees are in no way the State's obligation or responsibility.
33. Governing Law, Jurisdiction and Venue: Minnesota law, without regard to its choice for law provisions, governs
this grant contract. Venue for all legal proceedings out of this grant contract, or its breach, must be in the
appropriate state or federal court with competent jurisdiction in Ramsey County, Minnesota.
34. Monitoring: Grantee will be monitored through an on -site visit at least once during the grant period.
35. Public Hearing: The Grantee will hold a second public hearing (first was held for submission of Application)
midway through the implementation period to solicit public feedback on grant progress and results. The public
hearing must be publicly advertised and minutes from the hearing and evidence that the hearing was publicly
ll�b)
advertised will be provided to the Grantor after the hearing is held. This documentation will be provided by
October 15, 2013.
36. Bid Specifications: For projects that involve construction of public facilities, new housing construction, conversion
for new housing, or rehabilitation of 8 housing units or more under 1 site: Grantee will provide Grantor with bid
specifications (not maps or architectural drawings) for review and approval.
37. Allowable Costs — Grant funds will only be used to reimburse costs that are eligible and allowable under the CDBG
program. Grantor will require that Grantee refund any unallowable costs to Grantor.
38. Rental Development Agreement — When applicable and prior to release of funds, the Grantee will provide the
Grantor with a development agreement between the Grantee and developer and, if applicable, the Management
Company. The agreement(s) will include provisions to ensure that rents charged for housing units and incomes of
tenants are adequate to satisfy a National Objective. If applicable, the agreement would also ensure against the
economic displacement of any current housing tenants.
lo)
The Grantor and Grantee acknowledge their assent to this agreement and agree to be bound by its terms through their
signatures entered below.
GRANTEE: We have read and we agree to all of
the above provisions of this agreement.
By
Title
Date
By
Title
Date
City of Hutchinson
Grant #CDAP -11- 0023- 0-FY12
Awards /2012Awards /2012C..t. sdw
STATE OF MINNESOTA by and through the
Department of Employment and Economic Development
°mil
Title DEPUTY COMMISSIONER
Date
ENCUMBERED:
Department of Employment and Economic Development
M
(Name)
Date Encumbered
[Individual signing certifies that funds have been
encumbered as required by Minnesota Statute 16A.]
�0)
Utilizing the following chart, provide the status of the current open grant for which you are completing the
Short Form Application:
All activities in the current open award in which the Short Form Application is requesting funds for must be in either
the implementation or completed stage.
Key: Units @ Startup Stage: Working on eligibility requirements, inspections, work write -ups, etc.
Units @ Implementation Stage: Contractor work on property has begun and in process
Units Completed: All work has been completed
Use the following format t6 provide specific Information on the activity(s) proposed in your Short Form Application. DEED will give stronger
consideration to those Applications whose administrative request per activity is equal to or less than 15% of SCDP hard costs. If the amount of SCDP
administration is greater than 15% per activity, justification will be required. Remember to include Program Income as leveraged funds.
Fed.
Obi.
Codes"
Use the Key below to Identify Progress
Grantee
SCDP
Cost Per
unit
SCDP Cost/
without
admin
Total
SCDP
Admin
SCDP
Admin %
Total
SCDP
Costs
Total
Leveraged
Resources
Source of
Leveraged
Funds
(Mwk(c)if
funds..
co,nnned' -.)
Totals
LAII
Name and
10
14,940
149,400
!49,400
64,030
Owner
match
113,430
Funding
SCDP Activity
SCDP
Percentage
Grant
Unit
Units
Units @
Units
Year
SCDP
Activity
of SCDP
End Date
Goal
@
Completed
Activity
Funds
Funds
Startup
Implementation
Budget
Remaining
Disbursed
Stage
Stage
City of
Owner
Hutchinson
Occupied
399,100
91,321
7711
1131112
20
3
4
17
1010
Rehab /Admin
All activities in the current open award in which the Short Form Application is requesting funds for must be in either
the implementation or completed stage.
Key: Units @ Startup Stage: Working on eligibility requirements, inspections, work write -ups, etc.
Units @ Implementation Stage: Contractor work on property has begun and in process
Units Completed: All work has been completed
Use the following format t6 provide specific Information on the activity(s) proposed in your Short Form Application. DEED will give stronger
consideration to those Applications whose administrative request per activity is equal to or less than 15% of SCDP hard costs. If the amount of SCDP
administration is greater than 15% per activity, justification will be required. Remember to include Program Income as leveraged funds.
Fed.
Obi.
Codes"
Activity
p of
units/goals
SCDP
Cost Per
unit
SCDP Cost/
without
admin
Total
SCDP
Admin
SCDP
Admin %
Total
SCDP
Costs
Total
Leveraged
Resources
Source of
Leveraged
Funds
(Mwk(c)if
funds..
co,nnned' -.)
Totals
LAII
Owner Rehab
10
14,940
149,400
!49,400
64,030
Owner
match
113,430
Owner Rehab
Admin
10
1,600
16,000
1 17.4%
16.000
1
1 16.000
slim
Totals
149,400
16,000
175,400
64,030
139,430
' The following are the Federal Objective codes to be used in the above table in the first column. See "Federal
Objectives for Applicants," in the SCDP A- Z Guide, for requirements.
• Low to Moderate income persons /households: LIM
• Prevent or eliminate slum and blight conditions: S & B
• Alleviate urgent community development needs: URG
•' Committed funds must be accompanied by a signed letter of commitment, verifying the amount.
� lCb)
N
CITY OF HUTCHINSON
HOUSING REHABILITATION PROGRAM FACT SHEET
• The City of Hutchinson has been awarded funding for homeowners interested in improving their homes
from the Minnesota Department of Employment & Economic Development, Small Cities Development
Program (SCDP).
• This assistance to Homeowners is in the form of a 0% Interest, Deferred Loan forgiven after 10 years. If the
property is sold, title is transferred, or the Borrower no longer lives in the home before the 10 -year forgiveness
date, 10% will be forgiven each full year in the home.
• The SCDP Loan amount is 70% of the repair costs. 30% of project cost is an Owner Match. Match
funds can be obtained from other products available through the Hutchinson HRA.
• The maximum SCDP Loan amount available is $24,999, per property. Any costs exceeding this amount
will be the responsibility of the Homeowner.
• The Main Purpose of the Program is to address Health & Safety Issues, along with other improvements such as
Repair or Replacement of the following:
✓ Defective plumbing, heating or electric systems
✓ Roofing, windows and doors
✓ Exterior carpentry such as rotting siding, porches and steps, etc.
✓ Interior carpentry such as stair railing and patching walls & ceilings
✓ Handicap Accessibility Issues
• A Minnesota licensed general contractor that is on file at the HRA office will have to do the rehab work
and depending if your home has lead -based paint, a Lead - Certified Contractor may be needed.
• To Qualify:
✓ You must live in the NE Neighborhood (HWY 15 - North High Dr. — Bluff -HWY 7) or the SW
Neighborhood (Main - Sought Grade Rd. - Dale St. - 2nd Ave.)
✓ You must own the home free and clear of debt OR have 1/3 fee title interest in the property, through a
Mortgage, Contract of Deed or Life Estate that is on record at the McLeod County Recorder's Office.
✓ You must be current on House Payments and Property Taxes.
✓ You must be able to acquire an Owner Match of 30% of the project cost. Match funds can be
obtained from other products available through the Hutchinson HRA.
✓ Your Gross Annual Total Household Income for the SCDP Loan, of any person age 18 or older,
including ALL SOURCES of income, cannot exceed the following limits:
FAMILY SIZE
1
2
1 3
4
1 5
6
7
8
INCOME LIMIT
40,600
46,400
52,200
1 58,000
62,650
1 67,300
71,950
76,600
C:\ Users \jward\AppData \Local\ Microsoft \Windows \Temporary Internet Files\ Content. Outlook \03Q610AM\Rehabilitation Fact
Sheet 2011.docx
1o)
HOUSING REHAB EXAMPLE FINANCING
Tom & Mary Smith are owners of a single - family home within the rehab target area
and have two children. Their house inspection shows a need for $18,000 in repairs:
Roof repair
$ 8,000
Insulation
31000
Smoke detectors
300
Gutters
500
I
Electrical
200
Heating System
3000
Lead Abatement
3000
Total $18,000
The family's income is less than $58,000 (80% AMI for a family of four), so they
qualify for rehab funds for the repairs.
To pay for the repairs they can access:
♦ 0% deferred rehab loan for 70% of the repair costs ($12,600).
10% of the loan will be forgiven each full year.
No principal remains if the family stays in the home for 10 years.
♦ Owner match or other funding for the remaining 30% of repair costs
($5,400).
Cash, bank loans and other 0% loans through the Hutchinson HRA can make up
the remaining.
This is how Tom & Mary will pay for their repairs:
$12,600 deferred rehab loan
5.400 low- interest loan from MN Housing Finance Agency*
$18,000 Total
E] (Check Here) I have read and understand this rehabilitation financing summary sheet. I
understand the terms of the program and understand this is not a remodeling program. I have
indicated my interest in rehabilitation by signing this pre- application.
(Sign Here)
* Match funds will vary in their sources and terms. The source of the funds will depend upon your household income,
availability of funds, etc. The match funds will be determined with your application. The low interest loan is only an
example of the products available.
Area Median Family Income Limits (80 %):
1 person $40,600 / 2 persons $46,400 / 3 persons $52,200 / 4 persons $58,000
(these amounts are adjusted each spring)
IlCb) . ,
Rehab Owner Match Options
Loan M_ ax. j $5,000
0 %d Monthly
Interest
City
Rate
Payments
Revolving /
1
Term (upto)!
-?
HRA
Credit
Family Size
4 Rehab
CRV
_
Record'g
86 OZ of AMI
60% of AMI
1
$401600
$30,480
2
1$_46,400
$34,800
3
_�
$52,200
1$39,180
-
4
I$58,000
I$43,500
$25,200-
;$62,650
;$46,9_80
-5
6
1$67,300
$501460
7
$71,950
$53,940
8
-
$76,600
'$57,420
-
f- - -
� -
Only evadable it
$31,300
'$96,500
not eligible for a
' 48,125
- -
- --
I $47,850
FUF Loan
Loan M_ ax. j $5,000
0 %d Monthly
Interest
, Principle
Rate
Payments
115 %n SMI
GMHF
Term (upto)!
-?
10 years_
Credit
Don't
Check
Check
_
Record'g
30 %M/St Pa
-
$17,700 6 0
$50I
'
Fee
$46
I $29,000
- _
� $2Q200
$7,650
0%
Deferred
0% 0 %, 0 %,
Deferred j Forgivable-_]_ 1 %d ARP Forgivable
1 SWHP
Discount
MFHA
115 %n SMI
GMHF
AHP
RD
Deferred
L�CFUF
60 - of AMI
--% --- -
$30,480
MRB
I$36,450
50% of AMI
1$25,400 1
30 %M/St Pa
-
$17,700 6 0
$50I
'
-
$34 800
$36,450
I $29,000
- _
� $2Q200
1-
I $96,500
C$39,180
1$36,450
-
$32,650-
:,$22,700
$96,500
$43,500
1$36,450
$36,250
$25,200-
-
!$96,500
$46,980
'09,375
$39150
$27,100
$96,500
$50 460
$42,3.00
$421050
$29,100
$96,500
$53 940
- _- ,
� $45,200
$44 950
'
$31,300
'$96,500
-
$57 420
-
' 48,125
- -
- --
I $47,850
$33,300
- -- - -
1$96,500
-f
*HH w/ Children
i
iiMaz $10,000
i
LTV 100%
:.Assets non-
retirement
LTV 110%
$7,500
-
$15,000
1' $5,000
$20,000
$24,999
'1 $35,000
f
0% 0 %, 0 %,
Deferred j Forgivable-_]_ 1 %d ARP Forgivable
CFUF -
Unsecured
Discount
5 yrs -1 /60th
115 %n SMI
1$96,500
$85,000
forgiven
30 years
$96,500
30 years
each 30 days; 20 years
Don't
Don't
!Needs to
Check
Check
Don't Check_ be good!
_ -
$46 &tax 4
$92
$92
1$12.42
Green
admin add to'
Criteria ;
loan -
4 units
'6 Units
$5,400
CFUF -
Unsecured
Discount
FUF
115 %n SMI
1$96,500
$85,000
t$96,500
$85,000
$96,500
T$85,000
1$96,500
I $85,00
$96,500
$___ ____1
85,000
$96,500
$85,000
1$96,500
j$85,000
,$96,500
11$85,000
1$96,500
*One energy
improvement _- -
$20,000
75 %+ 1
fees
15 years 20 years
Don't t
r Check 620
$46 -'1$92
-f -
Green
Criteria
4 %d + fees
1
�10 years
4620
1$92
10 units
No LTV
$10,000
6.99% (6.49%
Auto debit)
10 years - -
$92 -
Community Fix -Up Fund
Targeted.Areas
Gross Annual Household Income Limits
1. SCDP Target Area Rehab in Hutchinson Discount Energy Loan Program in Hutchinson
$96,500 5 00
Interest Rate (Subordinate Lien)
----www.mnhousing.gov/consumers/rates/inde,x.aspx
5.75% * Check MHFA webpage for current rate.
4.00%
_
Term
Maximum 20 years
Maximum 10 years
Loan Limit
$2,000 - $35,000
$20,000.00
Debt to Income Ratio (Housing expense +
installment loans + revolving accounts + new
loan payment)
48%
48%
Maximum Loan to Value
110% of after-improved value of property
110% of after- improved value of property
Business Use of Home
No greater than 49%
No greater than 49% _
Mobil Homes
No
No
Separated Spouse Si nature re uirement
Mort gage Only
Mortgage Only
Fees that can he charged to borrower
(but not financed by loan proceeds)
* $15 credit report fee
* Mortgage/document recording fees - —$92
* $15 credit report fee
* Mort age /document recording fees - $92
Fees that can be financed by loan proceeds
Loan Origination Fee - 1% of Loan Amount
Loan Origination Fee - 1% of Loan Amount
Title & Lien Search - $25
Title & Lien Search - $25
Loan Document Preparation Fee - $50
Loan Document Pre aration Fee - $50
Rehab advising fee
IRehab advisin fee
----
Revised 6 -14 -2012
—
G:/HRA/MHFA CFUF &FUF /Information Sheet
- - - -- - --
G: /HRA/MHFA CFUF &FUF /Information Sheet
4
New Features and Program Summary
The following new program features (highlighted in yellow) will be effective beginning on the date found on Minnesota Housing's web page.
Page 1
• Basic energy conservation: Energy Star rated furnace,
Improve the basic livability or energy
air conditioner, water heater, light fixtures; insulation;
Improve the basic livability or energy
efficiency of the property, y, including
air sealing
efficiency of the property, including
additions, alterations, renovations
• Basic accessibility: Ramp; widening doorways/
additions, alterations, renovations and/
Eligible Improvements
and /or repairs, or bring a property
hallways; moving electrical outlets and switches,
modifying hardware; installing fire alarms, smoke
or repairs, or bring a property into
into compliance with housing
detectors and other alerts; handrails, grab bars, stair
compliance with housing maintenance
maintenance codes or other public
lifts; and bathroom fixture modifications
codes or other public standards applicable
standards applicable to housing.
. For more expansive projects than items listed above, use
to housing.
the regular Fix -up Fund, Secured or Unsecured option
Maximum Loan Amount
$35,000
$7,500
$10,000
Minimum Loan Amount
$2,000
$2,000
$2,000
Loan to Value
Up to 110% of after improved value
Up to 110% of after improved value
N/A
• Combined unsecured loan balances
• Combined secured and unsecured
•Combined secured and unsecured Fix -up Fund
cannot exceed $10,000
Combined Loan Balance/
Fix -up Fund loan balances cannot
loan balances cannot exceed $35,000
• Combined secured and unsecured Fix -
Fix-
exceed $3
up Fund loan balances cannot exceed
Loan Consolidation Limits
.May consolidate balance of
•May not consolidate balance of previously
$35,000
previously received Fix -up Fund loan
received Fix -up Fund loan
• May not consolidate balance of
previously received Fix -up Fund loan
Interest
subordinate lien
5.99%
4'99%
6.99%
1st lien
as posted on www.mnhousing.gov
Rate*
6.49% for borrowers choosing to complete
Auto -Pay Incentives
N/A
N/A
an Authorization Agreement for Monthly
Automatic Payment ( "auto debit") at closing
Maximum Repayment Term
Up to $10,000: 10 years
$10,001- $35,000: 20 years
10 years
10 years
Minimum Repayment Term
1 year
1 year
3 years
Page 1
*Minnesota Housing interest rates are subject to change. The interest rates listed in this reference sheet are correct as of the revision date of this sheet Please visit our
website at www.mnhousing.gov for the most curren t effective in terest ra tes.
This reference sheet does not contain all the information needed to originate loans for sale to Minnesota Housing. Seethe Minnesota Housing Fix -up Fund Program
Procedural Manual at www.mnhousing.gov for complete information.
6 Minnesota Housing 1400 Sibley Street, Suite 300 ) Saint Paul, MN 55101 -1998 ) 800.710.8871) 651.296.8215 ) mnhousing.gov Page 2 05.11.2012 10
SECURED LOANS
TOPIC
. LOANS
Conservation andlor Basic Accessibility improvements
MN Housing
$400 $400 $250
Lender Processing Fee
—
Compensation Origination/
1 % origination fee and other eligible costs 1 % origination fee and other eligible costs (see Lender can not charge origination fee. For
Allowable Fees
(see Procedural Manual) Procedural Manual) allowable fees, (see Procedural Manual)
Minimum Credit Score
(borrower and co- borrower/
• 620
. Alternate credit option when
• 620
• Alternate credit option when borrower does not
• 680
•Alternate credit option not available
borrower does not have score
have score
Minimum 18 months following discharge
Minimum 18 months following discharge of
Minimum 18 months following discharge
Bankruptcy Requirements
of Chapter 7 or completion of repayment
Chapter 7 or completion of repayment plan on
of Chapter 7 or completion of repayment
plan on Chapter 13
Chapter 13
plan on Chapter 13
Foreclosure Requirements
Minimum 18 months following
Minimum 18 months following completion of
Minimum 18 months following
completion of Redemption Period
Redemption Period
completion of Redemption Period
Loan Documentation
No older than 120 days
No older than 120 days
No older than 120 days
Debt to Income
48%
48%
48%
Documentation of
Documented contact with County
Documented contact with County Recorder/
Property tax statement and a copy of the
Pro Ownership
Property p
Recorder /Registrar of Title or with an
Registrar of Title or with an Owners and
homeowner's deed
Owners and Encumbrances Report
Encumbrances Report
Prepayment Penalty
No
No
No
Type of Note
Secured. Includes reference to MN
Secured. Includes reference to MN State Statute
Unsecured OR Unsecured with Automated
Payment. Includes reference to MN State
State Statute 47.20
47.20
Statute 334.01A
• Homeowner Labor Agreement: Executed by borrower
when loan proceeds are for a "materials only" item,
Homeowner Labor Agreement:
and the borrower will be responsible for the work.
Homeowner Labor Agreement. Executed
New Forms
Executed by borrower when loan
proceeds are fora "materials only"
. Accessibility Evaluation Form for Reduced Interest
by borrower when loan proceeds are for
"materials
item, and the borrower will be
Rate: Request prior approval on an item not listed in
a only" item, and the borrower
responsible for the work.
procedural manual
will be responsible for the work.
• Energy Improvements for Reduced Interest Rate:
Resource for establishing product eligibility
*Minnesota Housing interest rates are subject to change. The interest rates listed in this reference sheet are correct as of the revision date of this sheet Please visit our
website at www.mnhousing.gov for the most curren t effective in terest ra tes.
This reference sheet does not contain all the information needed to originate loans for sale to Minnesota Housing. Seethe Minnesota Housing Fix -up Fund Program
Procedural Manual at www.mnhousing.gov for complete information.
6 Minnesota Housing 1400 Sibley Street, Suite 300 ) Saint Paul, MN 55101 -1998 ) 800.710.8871) 651.296.8215 ) mnhousing.gov Page 2 05.11.2012 10
TO: Mayor and City Council
FROM: Tom Kloss, Director of Information Technology
RE: City of Hutchinson Network Security Policy
DATE: 7/10/2012
Attached is the City of Hutchinson Information Technology Policy dated July 2012 and intended
to replace the existing City of Hutchinson Information Technology Policy of 2006. As is
customary, the policy has been reviewed by staff and recommended updates have been
incorporated into the proposed policy.
A copy of the proposed policy is included for your review. The areas of the policy that have
been significantly revised are highlighted for your reference.
It is requested that the Council consider the approval of the amended policy at the July 10
Council meeting. I will be in attendance at the meeting to address any questions.
11<<)
City of 11 tuchinson
Information Technology
G
P ic oly
JULY 2012
SECTION 1— INFORMATION TECHNOLOGY POLICY INTRODUCTION
1.1 Purpose /Overview
1.2 Reporting
1.3 No Expectation of Privacy
1.4 Disciplinary Action
1.5 Separation of Employees
SECTION 2 — INFORMATION TECHNOLOGY DEFINITIONS
SECTION 3 — INFORMATION TECHNOLOGY USE
3.1 Hardware and Software Acquisition/Purchasing
3.2 Installation, Downloads, and Configuration
3.3 Support
3.4 Licensing
3.5 Data Management and Protection
3.6 Portable Information Systems
3.7 Electronic Mail (Email) — Records Retention/Data Practices
3.8 Internet
3.9 Intranet
3.10 Cell Phones and Pagers - Operational Parameters
3.11 Personal Use of Information Technology Equipment
3.12 Prohibited - Inappropriate Non - business Use
3.13 Violation of Policies or Requirements
SECTION 4 — INFORMATION TECHNOLOGY SECURITY
4.1 Purpose
4.2 Logins and Passwords
4.3 Physical Security
4.4 Shut Down Procedures
4.5 Virus Protection
4.6 Remote Network Access
4.7 Mobile Devices
4.8 Wireless Access
4.9 Social Engineering
Appendix A Incident Response Plan
2
City of Hutchinson
Information Technology Policy
Section 1— Information Technology Policy General Information
1.1 Purpose/ Overview:
The purpose of this policy is to inform and provide direction to all users regarding
appropriate use and management of the City's Information Technology (IT) systems and
resources. The intent is to provide a clear understanding of what is expected of
employees and management in the area of information technology. All users must be
authorized to use City IT systems through the approval of the user's department
supervisor and IT Department.
Use of City technology equipment is intended for business - related purposes. All
computers and peripherals are the property of the City and should be respected as such by
all users.
Further, the policy sets standards to protect the City of Hutchinson's IT Systems from
business interruption, unauthorized or inappropriate access, and to maintain security.
This policy applies to all staff, vendors, consultants, volunteers, interns, and all others
who have access to or use the City's electronic systems in any form or manner. This
policy shall apply equally to all that have access.
IT systems include, computers, E -Mail, Internet, Intranet, printers, software, telephones,
voice mail, cell phones, pagers, and similar equipment as deemed appropriate. All users
are responsible for reading and following information that may be distributed from time -
to -time by the IT department about appropriate precautions to protect City IT systems.
City employees /users given access to the City's information technology network and
computing systems are granted such access to conduct official City business. Such
systems have been purchased, installed, and maintained by the City to facilitate the
conduct of job responsibilities in the delivery of City services.
The City Administrator and the Technology Director are authorized to interpret and /or
grant written exceptions to this policy. The written exemptions will be filed in the IT
department accompanied by a written request for exemption by a department director.
3
1.2 Reporting
Responsibility to Notify
Employees should notify their immediate supervisor, the IT Director, the Human
Resources Director, the City Administrator or any member of management upon learning
of violations of this policy. Employees who violate this policy will be subject to
disciplinary action, up to and including termination of employment.
Supervisor's Responsibility
Managers and supervisors are responsible for ensuring the appropriate use of computers,
E -Mail, voicemail, and internet access through training, supervising, coaching, and taking
disciplinary action, when necessary. Supervisors shall report any misuse involving any
technology system to the IT Director, HR director or City Administrator immediately
upon learning of any misuse.
1.3 No Expectation of Privacy
The City reserves and intends to exercise the right to monitor and audit contents of E-
Mail communications, voice mail communications, use of internet services, and other
means of electronic transfer of information for any business purpose. The Information
Technology Director will periodically review employee communications to ensure
compliance with City policies or to detect policy violations. Directors and supervisors
may review electronic communications of the employees they supervise to determine
whether there have been any security breaches, violations of City policy, or other
violations of duty on the part of employees.
1.4 Disciplinary Action
Violation of this policy may be grounds for disciplinary action, up to and including
termination of employment with the City of Hutchinson. Discipline does not preclude
separate criminal penalties resulting from an employee's illegal use of any IT systems. In
signing the acknowledgement form, the employee acknowledges that this document has
been read and reviewed and that he /she understands the policy.
1.5 Separation of Employees
When an employee leaves employment through resignation or termination, the supervisor
is responsible to immediately notify IT. To ensure security and confidentiality for the
City's technology systems, IT will disable the user's account and notify Local
Government Information Services (LOGIS) to disable the user's account and access to all
LOGIS systems and applications.
Section 2 — Information Technology Definitions
Unless otherwise indicated, the following words and terms have the meanings indicated below:
Blog — is short for Web log. A log is a Web page that serves as a publicly accessible personal
journal for an individual. Blogs often reflect the personality of the author.
City — Refers to the City of Hutchinson
Configuration — is the way a system is set up or the assortment of components that make up the
system. Configuration can refer to either hardware or software or the combination of both.
Download — is a copy of data or software from a main source to a computer device. The term is
often used to describe the process of copying a file or software from an online service or bulletin
board service to a computer. Downloading can also refer to the copying of a file from a network
file server to a computer on the network.
Electronic Mail (E -Mail) - is a network application that allows users to exchange messages over
networks.
Emoticons — electronic facial expressions used to indicate emotions (i.e. smiles -:) or (D)
File Server — is an enhanced computer with network operating software that is used for file
storage, application functionality, and managing network resources.
Information Technology (IT) — manages the process and use of information on multiple
platforms.
Information Technology (IT) Systems — includes, computers, printers, software, E -Mail,
Internet, Intranet, telephones, voice mail, and similar equipment as deemed appropriate.
Internet — is the global network connecting millions of computers and networks around the
world.
Intranet - is network base web site accessible only within an organization. Intranet Web sites
look and act just like any other Web site, but firewall security restricts external access.
Installation — is the process of connecting and configuring IT systems hardware and software.
Licensing — is the legal compliancy of IT systems hardware and software assets.
Local Area Network (LAN) — connects computers and buildings together.
5
PDA — is a Personal Digital Assistant (i.e. handheld devices such as Palm Pilots, Windows
Pocket PC, B1ackBerry, Treo, HP IPaq, Dell Axim).
Peripheral — is a computer or device, internal or external such as a CD -ROM drive, printer,
keyboard, mouse, monitor that is not part of the computer itself.
Phishing — is the act of sending an E -Mail to a user falsely claiming to be an established
legitimate enterprise in an attempt to scam the user into surrendering private information that
will be used for identity theft.
Portable Equipment — is the hardware that is small, lightweight and mobile (i.e. laptop
computers, tablet pc's, hand -held computers, Personal Data Assistants, projectors, flash drives
and digital cameras).
Social Engineering — is the act of obtaining or attempting to obtain otherwise secure data by
conning an individual into revealing secure information. Phishing is a type of security attack that
relies on social engineering.
Software — system software includes the operating system and all utilities that enable the
computer to function. Application software includes programs that assist users (i.e. word
processors, spreadsheets, and database management systems).
SPAM — is electronic junk mail or junk newsgroup postings.
Spoofing (E -Mail) — is the forging of an E -Mail to make it appear as if it came from somewhere
or someone other than the actual source.
Users — regular, part -time, and temporary employees, vendors, consultants, volunteers, interns,
and other authorized users.
0
Section 3 - Information Technology Use
3.1 Hardware and Software Acquisition/Purchasing
The IT Department must approve all hardware and software purchases prior to
acquisition to ensure consistency and compatibility with the City's IT network and other
systems. No hardware device may be plugged into the City network or connected to a
City network- connected device without prior approval from the IT Department. All
hardware and software must be owned by the City. Software applications not required
for official City business are prohibited.
3.2 Installation, Downloads, and Configuration
All users are prohibited from installing and /or downloading software, including product
demonstrations, without prior written approval from the IT Director. Written form can be
E -Mail.
Users are not allowed to manipulate or change hardware and software standard
configurations controlling basic computer functioning. Software installed and setup on
the computer by IT staff shall not be re- configured by the user. Re- configuring includes
any modifications to the operating system configuration files; config.sys, autoexec.bat,
initialization files for Windows, or application setup files. Customizing a personal
computer is to be limited to items including wallpaper, screen savers, icons, toolbars, and
colors. Customizing will be limited to the original software build. No downloading of
screensavers or wallpaper will be allowed. Information Technology staff must always be
contacted for hardware support.
City employees are prohibited from downloading, acquiring, or installing any software
(personal, Internet, E -Mail, outside vendor) on hardware including but not limited to;
desktops, laptops PDA's, Memory sticks, wireless devices, and servers without prior
consent and approval from the IT Department.
3.3 Support
The IT Department should be contacted for hardware and software support by utilizing
the City's help desk software. Users unable to gain access to the help desk through
normal channels and who require immediate assistance, should contact the IT help desk
at Ext. 4200.
3.4 Licensing
To ensure license compliancy with Federal Law, all software must be purchased by and
licensed to the City of Hutchinson and maintained by the City IT Department. Software
7
is licensed to an organization for specific pieces of equipment. If there is any question
about the legality of the software usage, contact the IT Department.
1. Development
Any software programs, developed for use by the City, become the property of
the City. These software programs may not be sold or distributed. This includes,
but is not limited to, macros and templates created for word processing,
spreadsheets, presentations, and databases.
29 Copyright Laws
Most computer software programs, applications and templates are copyrighted,
and it is illegal to make copies. Under no circumstances may users make copies of
City or privately owned software.
City employees are required to abide by federal copyright laws and to abide by all
such licensing agreements. If there is any question about the legality and
appropriate use of the software, it should be directed to the IT Staff.
To avoid violation of the City's license agreements with software vendors,
at no time shall any software purchased by the City be installed on any computer
that is not owned by the City, or be removed from City offices without
authorization by the IT Director.
To prove legal ownership of software, the City must have the original
diskette s/CD s/DVD and manuals stored on City property. IT staff may
periodically check for software that may be in violation of the above policy.
3.5 Data Management and Protection
Under the provisions of the Minnesota Data Practices Act, all data stored on computer
media owned, leased, or rented by the City is considered to be owned by the City. Data
is subject to the Minnesota Data Practices Act and its use and dissemination must be
consistent with the data classification under the Minnesota Data Practices Act. Review
and investigation of this data will be consistent with those classifications and related
requirements. The City's Administration Department should be contacted with questions
regarding the classification of public or private data.
1. Data Ownership
All software, programs, applications, templates, E -Mail messages, data, and data
files, and voicemail messages residing on municipal computer systems or storage
media or developed on municipal computer systems are the property of the City
of Hutchinson. The city retains the right to access, copy, modify, destroy, delete
or erase this property.
0
2. Data Storage
Each network user is assigned an individual directory (H:), and workgroup
common directory (G:), a city -wide shared directory (I:), and possibly other
specialized directories which can be used for storing city business files.
The IT Department backs up all data except for any files that are stored on the
hard drive of the individual workstation. Employees are encouraged to keep any
necessary files on the network. Any files on the local computer will not be the
responsibility of IT department. Employees are also expected to delete old files
regularly to help maintain adequate system storage capacity.
The City reserves the right to delete old files that have not been used for a period
of two years.
3. Portable Media Files
To facilitate off -site work, users may copy appropriate work files to and from
portable media such as diskettes, CD's, or portable drives. No other files or
information may be copied to or from the City computers. A current copy of the
portable file(s) must be maintained on the City server. Portable media that leaves
the City property should only be used to temporarily store data and only City
owned media may be used for City data storage. Safekeeping is of the highest
priority for portable media containing City data.
4. Password Protection
If any software product that the City has purchased has the option to have files
password protected, the password must always be shared with the user's
appropriate supervisory personnel and the City IT staff. This is the only
exception to sharing of IT related passwords. Password protection of files must
be approved by the user's supervisor and IT, however, it is not recommended by
the IT staff. In any event, the IT Department must be notified that the password
option is being activated.
3.6 Portable Information Systems:
Portable personal computer(s), laptops, digital cameras, projectors, and other City owned
portable equipment can be used for City business, outside of City facilities. When
employees check out portable equipment they are expected to provide appropriate
"common sense" protection against theft, accidental breakage, environmental damage
and other risks. Desktop computers and attached devices are not to be removed from City
buildings. The user is responsible for the back up of or loss of any data stored on the
standalone or portable computer. IT staff is available to assist in the development of
procedures for disaster recovery.
9
3.7 Electronic Mail (E- Mail)- Record Retention/ Data Practices
This section of the policy establishes practices to protect the City's E -Mail records and to
adhere to the Minnesota Data Practices Act and the General Records Retention Schedule
for Minnesota Cities.
1. Purpose
The E -Mall system is a City -owned tool and is to be used for matters directly related to
the business activities of the City of Hutchinson and as a means to further the City's
mission by providing services that are efficient, accurate, timely and complete. In order to
provide excellent services, the City promotes strong working relationships among
employees and a supportive working environment. For example, news about employees
or notices of department events would be considered as City business.
Employees are responsible for adhering to City standards when E -Mail is created, sent,
forwarded or saved. Failure to adhere puts the City and the individual at risk for legal or
financial liabilities, potential embarrassment and other consequences. E -Mail documents
are generally considered to be public documents.
Use of the City's E -Mail system is a privilege, not a right, which may be revoked at any
time for abusive or any inappropriate conduct as determined by the City.
2. Public /Private E -Mail records
The contents of E -Mail messages determine whether an E -Mail is public or non-
public /private. It is the responsibility of the employee sending an E -Mail to determine
whether the E -Mail is public or non - public /private. In the case of E -Mails received from
outside of the organization, it is the responsibility of the employee receiving the E -Mail
to determine whether it is public or non public /private. If an employee is uncertain
whether an E -Mail is public, he /she should contact the Administration Department.
When an E -Mail is sent or received externally and it is determined that it is public
information, the E -Mail and any attachments to the E -Mail must be retained in order to
document the transaction. Therefore, all public E -Mails must be either printed and filed
as a hard copy or moved to the City's network Servers. All public E- Mails, whether in
hard copy form or contained on the network's drives, must be managed according to the
Minnesota Data Practices Act and the General Records Retention Schedule for Minnesota
Cities. The content of an E -Mail determines how long the message needs to be retained.
E -Mail is intended as a medium of communication, not for information storage; therefore,
the E -Mail system should not be used for the storage or maintenance of official City
records or other City information. Likewise, E -Mails stored on the network should be
limited only to public E -Mails that must be retained according to the Records Retention
Schedule.
Users are not allowed to auto - forward E -Mail outside the City to a personal E -Mail
account (i.e. Hot Mail, Yahoo, etc.).
10
3.8 Internet
Access to the Internet through City equipment and connections is a resource and a tool
that is provided and is to be used for matters directly related to City business activities.
Employees are expected to exercise good judgment. Use of the Internet through City
computers is a privilege, not a right, which may be revoked at any time for abusive or any
inappropriate conduct as determined by the City.
The Internet is available to the City employees for research, education, and
communications directly related to the mission, statutory requirements, or work tasks of
the City. City employees must honor copyright laws regarding protected commercial
software or intellectual property. Individual users of the Internet should minimize
unnecessary network traffic that might interfere with the ability of others to make
effective use of this shared network resource. Employees are responsible for adhering to
City standards when browsing the Internet. Failure to adhere puts the City and the
individual at risk for legal or financial liabilities, potential embarrassment and other
consequences.
The City retains the right to use management software to monitor end user activity. This
software may monitor and limit Internet activity in order to ensure the most efficient use
of our valuable resources. Access to specific Internet sites may be blocked at the sole
discretion of the City.
Inappropriate non - business uses include, but are not limited to: audio, live /internet radio,
graphic or movie files (to include streaming audio and video, MP3, Jpg, Tif, Gif, Mpg,
AVI, etc.); games; jokes; instant messaging; content of an offensive or pornographic
nature; copyrighted material and large data files not directly related to City business.
These items must not be downloaded from the Internet. These types of files can be large
and affect the network or PC performance or carry viruses. Instant messaging is not
allowed because it is not protected /encrypted and lacks anti - malware filtering. If
additional access is required for the job, the employee must contact thher supervisor.
3.9 Intranet
Future Section
3.10 Cell Phones
Management reserves the right to determine whether City employees are required to have
a cell phone, pager, and /or PDA available depending upon their position and job
responsibilities. The City reserves the right to manage its employees, its resource
allocation, and its equipment per all existing and subsequent agreements and policies.
Department Directors are responsible for implementation of and compliance with this
policy.
II
1. The use of city assigned and personal cellular/ wireless phones on-the-job has
restrictions for use during the following activities due to the distraction and lack
of concentration that they present to safe work performance:
a) Operating a moving vehicle. Your first responsibility is to safely
operate the vehicle. Cellular and other wireless conversations should be
kept to an absolute minimum. Any lengthy conversation will require that the
vehicle be brought to a stop at a safe location, preferably off the main
road. Conversations, taking notes, dialing, answering or reading of
displays must be avoided while moving on very busy streets, highways,
interchanges, during rush hours or in other heavy or congested traffic.
b) Operating maintenance /construction equipment. Use of any cellular
phone or other wireless device (to include hands free devices) will not be
authorized while operating a moving and/or in gear motorized off road
(maintenance /construction) piece of equipment.
c) Work site. Use of cellular phones or other wireless devices that
will be a distraction to the user and or present an unsafe work environment is
not authorized. Such work sites include but are not limited to: Road repair,
maintenance and construction, operating or repairing energized equipment
such as electrical panels, motors, or energized circuits.
d)
Use of cellular phones for personal conversations is restricted to
non -duty time, such as breaks, lunch, etc. Supervisors will have the
authority to restrict or prohibit use of personal cellular phones at any
time on-the-job when they consider such situations and use may present a
distraction or safety hazard to the employee, co- workers, contractors and /or
general public and city or private property.
e) Emergency calls. Use of cellular phones or other wireless devices
to call for help or to help others in an emergency is permitted. If you
observe a serious accident, crime in progress or other serious emergency
situation where lives are in danger, call 911, give the exact location and
stay on the line as long as the dispatcher requires. However, do not place
yourself or others in danger while doing so. If operating a vehicle, pull
off the road before placing the call.
3.11 Personal Use of Information Technology Equipment
12
1. General
The City of Hutchinson offers users the privilege of personal use of its
technology. Personal use of the City technology is not private. Recognizing that
users will benefit from using technology, personal use is allowed using the
following requirements:
• Only City users are to use the computers and computer related peripherals.
• Personal use is permitted only during non -work hours.
• Users must use their own media (disks, CD's, portable disk drives) and paper.
No personal files or data are to be stored on the City file servers or computer
hard drives.
• Personal use must not interfere with use of the technology for City business.
• City technology may not be used for personal use outside City facilities (i.e.
no take home use of City technology).
• Users will not use City owned equipment for personal gain or profit.
2. E -Mail
During working hours, E -Mail will be used exclusively for City business.
Employees may write, send and read personal E -Mail correspondence only during
non - business hours. Non - business hours are defined as, before 8 am and after 4:30
pm Monday through Friday and weekends.
The City retains the right to monitor all E -Mall activity. Using the City E -Mail to
participate in any kind of non - business related list servers, broadcast mailing or
chain mailing is prohibited. Personal web posting from a City E -Mail account is
prohibited.
3. Internet
Employees are cautioned that obscene, offensive or other inappropriate
information may be encountered while using the Internet. The City and its support
contractors cannot entirely prevent this from occurring. City employees and
contractors employed by the City are expected to refrain from disseminating such
information. Internet use by individuals may be monitored by the IT Department
or by department management. This includes external links and services being
accessed by employees and City contractors through the City provided Internet
service.
During working hours, the internet will be used exclusively for City business.
Employees may access the internet at the end of a shift only. Personal use of the
internet will not be allowed before a shift begins or during breaks and lunch.
Personal use at the end of a shift will be allowed but only if the equipment being
used is not needed by the next shift and the personal use is not disruptive to others
working in the area.
13
4. Desks Telephones
The Finance Department will monitor all phone activity and audit for excessive
personal use. In the event of excessive personal use, the employee may be
required to reimburse for all costs associated with the personal calls and may have
phone use privileges revoked.
5. Cellular Telephones
The issuance and use of City -owned cellular telephones will be determined by the
department head. The City does recognize that occasionally users may need to
use the City issued cellular telephone for personal use. City cellular telephones
may be used for personal use as long as it does not interfere with the normal
duties for the user. The Finance Department will monitor all phone activity and
audit for excessive personal use. In the event of excessive personal use, the
employee may be required to reimburse for all costs associated with the personal
calls and may have phone use privileges revoked.
6. Copiers
Employees will reimburse the City of Hutchinson for personal copies at the rate
listed in the fee schedule, including two sided copies. Personal copies need to be
reimbursed within 24 hours from the date the expense was incurred.
2. Fax Machines
All personal faxes, sent or received, on City owned fax machines will be
reimbursed to the City of Hutchinson at the rate listed in the fee schedule.
Personal faxes need to be reimbursed within 24 hours from the time the expense is
incurred.
3. Printers
Employees will reimburse the City of Hutchinson for personal use of printers at
the rate listed in the fee schedule. Personal prints need to be reimbursed within 24
hrs from the time the expense is incurred.
4. Home Use License
The City Administrator, based on job description /function, will approve software
packages for home use. The Information Technology Director will provide license
information and procedures to the end user prior to installation.
Certain software packages have Home Use Licensing. With home use licensing
the Information Technology Director will provide account information and
procurement instructions upon City Administrator approval.
Software rules, regulations and agreements will be discussed and addressed on a case -by-
case basis.
14
3.12 Prohibited - Inappropriate Use
Use of City computers, software and peripherals for the following is strictly prohibited at
all times:
• Displaying, printing or transmitting sexually explicit images, messages, and
cartoons.
• Displaying of "Nude or Partially Denuded figures" as defined in the Hutchinson
Municipal Code.
• Displaying, printing, or transmitting racial or ethnic slurs or comments, racially
derogatory jokes, off -color jokes, or anything that might be construed as
harassment or disrespectful of others, including anything that fosters a hostile
work environment or perpetuates discrimination on the basis of race, creed, color,
age, religion, sex, marital status, status with regard to public assistance, national
origin, physical or mental disability or affectional preference.
• Reading other employees' E -Mail or documents without permission or without a
legitimate business reason.
• Using the City's computer systems or knowingly allowing another to use the
City's systems for personal profit, commercial product advertisement or partisan
political purposes. The E -Mail system may not be used to solicit anyone for
commercial ventures, religious or political causes.
• Infringing on third party copyrights or other intellectual property rights, license
agreements or other contracts; for example, illegally installing or making
available copyrighted software.
• Inappropriately copying, modifying, distributing, transmitting or displaying files
or other data or information resources.
• Sharing your user ID or password with any person who uses it to obtain
confidential or other information to which they would not normally have access.
Sharing your user ID or password with another person deems you solely
responsible for the actions of that other person.
• Deliberately damaging or disrupting a computing system (hardware or software),
altering its normal performance, or causing it to malfunction.
• Attempting to gain unauthorized access to internal, remote, or external computer
systems.
• Attempting to decrypt system or user passwords.
• Unauthorized copying of system files.
• Intentionally attempting to "crash" network systems or programs.
• Willfully introducing computer "viruses" or other disruptive/ destructive
programs into the organization network or into external networks.
• Sending anonymous E -Mail messages.
• Sending chain letters, advertisements, solicitations or non - business related mass
mailings.
• Concealing the identity of an E -Mail sender or taking someone else's identity.
• Participating in Internet "Chat Rooms /Groups" or "Use Net" at any time.
• Disclosing confidential proprietary City information via the electronic systems.
15
• Violation of any laws and regulations of the United States or any other nation, or
the laws and regulations of any state, city, province or other local jurisdiction in
any material way.
• Internet based radio is strictly prohibited. (These are sites that allow you to listen
to streaming radio or music over the internet)
• Any other use that the City deems inappropriate.
The policies related to E -Mail and Internet use have the same force and effect during
non - business hours as it does during business hours.
3.13 Violation of Policies or Requirements
Employees are responsible for adhering to the City's standards when using City systems.
Failure to adhere puts our City and the individual at risk for legal or financial liabilities,
potential embarrassment and other consequences.
Violation of any of these policies or requirements may result in the revocation of the
violator's use of any or all City IT systems and may be grounds for disciplinary action,
up to and including termination of employment with the City of Hutchinson. Discipline
does not preclude separate criminal penalties resulting from an employee's illegal use of
any IT systems.
SECTION 4 — Information Technology Security
4.1 Purpose
The purpose of this section is to ensure, secure, protect, and allow appropriate access to
City of Hutchison IT systems and resources.
4.2 Logins and Passwords
All users must use and maintain unique City- issued login IDs for computer and network
related access. Multi -user or generic login ID are permissible only in special
circumstances approved and maintained by IT. User passwords must adhere to the
following requirements:
1. Have a minimum of at least eight alphanumeric characters in length.
2. Must be changed every 180 days or as determined by the IT department.
3. Have a least one capital letter, one lower case letter and one numeric digit or
character.
4. Have not been previously used in the last ten password rotations.
5. Not include users first or last name.
6. Not be the same as a non -City password (i.e. personal banking account).
16
Appropriate network access shall be assigned by the IT department to each user login ID
and users may only log into computers and equipment with their own assigned login ID.
Passwords are not to be shared with anyone, and will be forced to change every 180 days
or as determined by the IT department. Passwords should not be easily guessed. Anyone
forgetting their password, or suspect that their password's security has been
compromised, should contact the IT department to be issued a new one, which must then
be changed immediately.
A user's account will be locked after three unsuccessful password attempts. The user
account will remained locked for 30 minutes. After that time, the user may sign in to
their account using the correct password.
Department heads or supervisors are required to notify IT of new and terminated users.
Users should only be granted the access needed to do their job.
The IT Director and staff along with the LOGIS network support personnel shall have
full network supervisory rights. The password for the Supervisor login will be known by
the IT Director and backup personnel only
Seasonal Employees will not be granted access to the network unless there is a unique
circumstance that requires the access as determined by the City Administrator after
consultation with the department director and the IT Director.
4.3 Physical Security
Users are expected to provide reasonable security to their computer workstations and
related IT equipment. This includes ensuring that passwords are not written down in
accessible places, removable media must be kept in a secured area, and that confidential
data is not displayed in such a manner that unauthorized personnel can view it.
All IT equipment is City property and must remain in the approved areas. Users may not
move IT equipment outside of its assigned area without prior approval from the IT
department. Designated portable equipment, such as projectors, laptop computers, and
digital cameras may be removed from City buildings only for City business. Unassigned
portable equipment must be reserved and checked out only to City users. Users are
expected to provide appropriate "common sense" protection against theft, breakage,
environmental damage, and other risks. Assigned portable network equipment must be
docked and connected to the City hard cabled network.
When leaving the workstation or building for an extended period, users should log out of
applications that access the network or allow communications with other network
systems.
Employees must immediately report to their IT staff any loss of hardware or software, or
compromise of systems. City IT staff will notify LOGIS immediately if applicable.
17
Compromise of the workstations include but are not limited to, viruses, spy ware,
passwords, etc.
4.4 Shut Down Procedures
Users are required to restart computers at the end of their workday. Network computers
should not be powered off. The procedure to exit a network computer is: Start, Shut
Down, Restart and power off monitor. Powering off the computer or failing to restart at
the end of the day can increase security vulnerabilities.
4.5 Virus Protection
All computer workstations, laptops and servers are protected from viruses using up -to-
date antivirus and antispyware software. Users may not alter the system's configuration
or take other steps to defeat virus protection. All files on removable media must be
scanned for viruses prior to opening the file(s) on a City computer. Any files suspected
or known to contain viruses must be immediately reported to the IT department for
proper handling.
4.6 Remote Network Access - VPN
Remote access is defined as the ability to connect to a computer or network from off -site,
such as from home, hotel, conference, Internet kiosk, etc. Remote access into the City's
network, or any City -owned device, may be granted upon meeting the following
conditions:
1. Business - related purpose requested by department head and approved by the City
Administrator and IT Manager. Requests must be in writing (email) with a detailed
explanation of need and costs associated.
2. Use of City IT approved standard encryption and /or City supported VPN (Virtual
Private Network) technology. This access must only be used on City approved
devices with the exception of Outlook Web Access.
3. Authentication and access control will be maintained via the City's domain. Valid
network login and passwords are required.
4. While remotely connected, no one but the authorized user may have access to the
computer making the connection.
5. The remote computer must comply with current anti - virus, firewall, operating system
patches, and security parameters as specified by the IT division.
All remote users are subject to the rules and regulations set forth in this entire policy for
all users. Users should follow proper data practices protocols as directed by Minnesota
State Statutes. Storing of business related information on a home computer is prohibited.
4.7 Mobile Devices
Mobile devices are defined as compact devices that can contain City owned data such as
email, files, pictures, etc. These devices are commonly known as Pocket PC's, Windows
Mobile, Itouch, Iphone, and Blackberry PDA's. Mobile devices storing city -owned data
(i.e. email, files, pictures, etc) will be purchased, configured, and supported by the City's
IT Department.
HD
Personal mobile devices are not supported by the City's IT department and should not
have a direct or wireless connection to the City's infrastructure, including but not limited
to the network, computers, laptops and servers. If email access is desired from a mobile
device that is not City- owned, users may connect to the Internet from a non -city- access
network and utilize Outlook Web Access (OWA) for PDA devices. The OWA address
can be obtained from the IT department.
All city -owned mobile devices will be recognized as a compliment to a PC /laptop and
will adhere to the same security policy measures, for instance regarding software
installation, portable media, and disposal. The City -owned mobile devices require an 8
character alphanumeric password that needs to be changed at a minimum of 180 days.
These devices will need to be connected to the City's email server or Blackberry server
for email synchronization. Storing City -owned data on a mobile provider's network is
strictly prohibited (e.g. Verizon Wireless Sync). If a mobile device is lost or stolen, the
end user will report this to the IT Department as soon as possible.
4.8 Wireless Access
Unauthorized wireless access into the City's computer network is strictly prohibited.
Wireless access, is defined but not limited to, 802.11 (WiFi), Bluetooth, WiMax and
cellular technologies. Users may not attempt to scan, connect to, or install any wireless
computing device on City equipment or property. Wireless access must be authorized
and configured by the City's IT department. Up -to -date virus protection, security patches,
and firewall hardware and /or software must be utilized. Any authorized wireless access
must utilize standards -based encryption approved by the City's IT department, and
conform to adopted security practices as governed by the City and /or state and federal
government requirements.
4.9 Social Engineering
At some point, an employee may be a victim of social engineering. Social engineering is
the act of manipulating people into performing actions or divulging confidential
information. While similar to a confidence trick or simple fraud, the term typically
applies to trickery or deception for the purpose of information gathering, fraud, or
computer system access; in most cases the attacker never comes face -to -face with the
victim.
Example: An employee may receive a phone call stating the caller is a support person
from a company the City deals with. They may ask for user names, passwords etc.
If this type of situation is encountered, contact the Director of IT or the direct supervisor,
immediately.
***Employees are required to sign off on the overall IT Policy to demonstrate their
willingness to adhere to the policy.
19
Employee Copy
Affidavit of Receipt
I (print name) have seen and been given the
City of Hutchinson "Information Technology Policy" (revised January, 2006) and
agree to abide by its terms. I fully understand that all information on the file server or
the local workstation is the property of the City of Hutchinson, and therefore will be
subject to periodic checks. I also understand that violation of any part of the policy
will lead to disciplinary action up to and including termination.
Signature
Affidavit of Receipt
Date
7/2012
Employer Copy
I (print name) have seen and been given the
City of Hutchinson "Information Technology Policy" (revised January, 2006) and
agree to abide by its terms. I fully understand that all information on the file server or
the local workstation is the property of the City of Hutchinson, and therefore will be
subject to periodic checks. I also understand that violation of any part of the policy
will lead to disciplinary action up to and including termination.
Signature
20
Date
7/2012
TO: Mayor and City Council
FROM: Tom Moss, Director of Information Technology
RE: Criminal Justice Information Services (CJIS) Security Policy
DATE: 7/10/2012
Attached is the Criminal Justice Information Services (CJIS) Security Policy dated June 9, 2011.
One of the requirements of accessing information from the CJIS network is to adhere to a strict
level of network security standards. This policy applies to all staff or computers systems that
access information from the CJIS network. (Entire Police Department, IT staff and Legal staff)
A copy of the proposed policy is included for your review. Staff is recommending adoption of
the CJIS security policy, as written, to comply with FBI requirements.
It is requested that the Council consider the approval of the Criminal Justice Information
Services (CJIS) Security Policy at the July 10 Council meeting. I will be in attendance at the
meeting to address any questions.
J� o)
U. S. Department of Justice
Federal Bureau of Investigation
Criminal Justice Information Services Division
.r 10
Criminal Justice Information Services (CJIS)
Security Policy
Version 5.0
2/09/2011
CJISD- ITS -DOC- 08140 -5.0
Prepared by:
CJIS Information Security Officer
Approved by:
CJIS Advisory Policy Board
11 0)
Law enforcement needs timely and secure access to services that provide data wherever and
whenever for stopping and reducing crime. In response to these needs, the Advisory Policy
Board (APB) recommended to the Federal Bureau of Investigation (FBI) that the Criminal
Justice Information Services (CJIS) Division authorize the expansion of the existing security
management structure in 1998. Administered through a shared management philosophy, the
CJIS Security Policy contains information security requirements, guidelines, and agreements
reflecting the will of law enforcement and criminal justice agencies for protecting the sources,
transmission, storage, and generation of Criminal Justice Information (CJI). The Federal
Information Security Management Act of 2002 provides further legal basis for the APB
approved management, operational, and technical security requirements mandated to protect CJI
and by extension the hardware, software and infrastructure required to enable the services
provided by the criminal justice community.
The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the
full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for
the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI
data. This policy applies to every individual— contractor, private entity, noncriminal justice
agency representative, or member of a criminal justice entity —with access to, or who operate in
support of, criminal justice services and information.
The CJIS Security Policy integrates Presidential directives, Federal laws, FBI directives and the
criminal justice community's APB decisions along with nationally recognized guidance from the
National Institute of Standards and Technology. The Policy is presented at both strategic and
tactical levels and is periodically updated to reflect the security requirements of evolving
business models. The policy features modular sections enabling more frequent updates to
address emerging threats and new security measures. The provided security criterion assists
agencies with designing and implementing systems to meet a uniform level of risk and security
protection while enabling agencies the latitude to institute more stringent security requirements
and controls based on their business model and local needs.
The CJIS Security Policy strengthens the partnership between the FBI and CJIS Systems
Agencies (CSA), including, in those states with separate authorities, the State Identification
Bureaus. Further, as use of criminal history record information for noncriminal justice purposes
continues to expand, the CJIS Security Policy becomes increasingly important in guiding the
National Crime Prevention and Privacy Compact Council and State Compact Officers in the
secure exchange of criminal justice records.
The policy describes the vision and captures the security concepts that set the policies,
protections, roles, and responsibilities with minimal impact from changes in technology. The
policy empowers CSAs with the insight and ability to tune their security programs according to
their needs, budgets, and resource constraints while remaining compliant with the baseline level
of security set forth in this policy. The CJIS Security Policy provides a secure framework of
laws, standards, and elements of published and vetted policies for accomplishing the mission
across the broad spectrum of the criminal justice and noncriminal justice communities.
2/09/2011 11 '
CJISD- ITS -DOC- 08140 -5.0 l
Mr. George A, White, FBI CJIS Information
Security Officer
Mr. Jean W. Archambauft Chief, Technical
Planning and Control Unit
Mr. William G. McKinsey, Chief, Information
Technology Management Section
Mr. Jerome M. Pander, Deputy Assistant
Director, FBI CJIS Division
Mr. Daniel D. Roberts, Assistant Director,
FBI CJIS Division
Captain Charles E- Bush, Vice - Chair, Security
and Access Subcommittee
Captain William M. Tatun, Chair, Security and
Access Subcommittee
Captain Thomas W. Turner, Second Vice- Chair;
Advisory Policy Board
Mr. William Casey, First Vice Chair, Advisory
Policy Board
Colonel Steven F. Cumoletti, Chairman,
Advisory Policy Board
2/09/2011
CJ I S D- I TS -DOC- 08140 -5.0
,
i t
U'
M
`01) ii
Executive Summaryi
Approvals......................................................................................................... ...............................
Tableof Contents .............................................................................................. ...............................
i
Listof Figures ................................................................................................. ...............................
vi
l
IIntroduction ............................................................................................... ...............................
1.1 Purpose ................................................................................................... ..............................1
1.2 Scope ...................................................................................................... ..............................1
1.3 Relationship to Local Security Policy and Other Policies ..................... ..............................1
1.4 Terminology Used in This Document .................................................... ..............................2
1.5 Distribution of the CJIS Security Policy ................................................ ..............................2
2 CJIS Security Policy Approach ................................................................. ..............................3
2.1 CJIS Security Policy Vision Statement .................................................. ..............................3
2.2 Architecture Independent ....................................................................... ..............................3
2.3 Risk Versus Realism .............................................................................. ..............................3
3 Roles and Responsibilities ......................................................................... ..............................4
3.1 Shared Management Philosophy
4
3.2 Roles and Responsibilities for Agencies and Parties ............................. ..............................4
3.2.1 CJIS Systems Agencies CSA
5
3.2.2 CJIS Systems Officer ( CSO) ........................................................ ..............................5
3.2.3 Terminal Agency Coordinator ( TAC) .......................................... ..............................6
3.2.4 Criminal Justice Agency ( CJA) .................................................... ..............................6
3.2.5 Noncriminal Justice Agency ( NCJA) ........................................... ..............................6
3.2.6 Contracting Government Agency CGA
7
3.2.7 Agency Coordinator AC ............................................... ...............................
3.2.8 CJIS System Agency Information Security Officer (CSA ISO) .. ..............................7
3.2.9 Local Agency Security Officer LASO ••••••••- ••••••••••••.••••.•••••••••••8
3.2.10 FBI CJIS Division Information Security Officer (FBI CJIS ISO ) .............................8
3.2.11 Repository Manager ............................................................... ...............................
3.2.12 Compact Of ficer ........................................................................... ..............................9
4 Criminal Justice and personally identifiable Information ......................... .............................10
4.1 Criminal Justice Information (CJI) ....................................................... .............................10
4.1.1 Criminal History Record Information ( CHRI) ............................ .............................10
4.2 Access, Use and Dissemination of Criminal History Record Information (CHRI) and
NCICHot File Information ................................................................... .............................10
4.2.1 Terminology
10
4.2.2 Proper Access, Use, and Dissemination ...................................... .............................11
4.2.2.1 Proper Use of CHRI .............................................................. .............................11
4.2.2.2 Proper Use of Hot File Inf ormation ..................................... ..............................1
l
4.2.2.2.1 Use for Official Purposes ............................................. ............................... 11
4.2.2.2.2 Access and Dissemination for Other Authorized Purposes ........................ 11
4.2.2.2.3 CSO Authority in Other Circumstances ...................... ............................... 11
4.2.3 Storage ......................................................................................... .............................12
2/09/2011 '
C1ISD- ITS -DOC- 08140 -5.0
4.2.4 Justification and Penalties ........................................................... .............................12
4.2.4.1 Justification ........................................................................... .............................12
4.2.4.2 Penalties ................................................................................ .............................12
4.3 Personally Identifiable Information ( PII) .............................................. .............................12
5 Policy and Implementation ....................................................................... .............................13
5.1 Policy Area 1: Information Exchange Agreements .............................. .............................14
5.1.1 Information Exchange ................................................................. .............................14
5.1.1.1 Information Handling ............................................................ .............................14
5.1.1.2 State and Federal Agency User Agreements ........................ .............................14
5.1.1.3 Criminal Justice Agency User Agreements .......................... .............................15
5.1.1.4 Inter - Agency and Management Control Agreements ........... .............................15
5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum
.................15
5.1.1.6 Agency User Agreements ..................................................... .............................16
5.1.1.7 Security and Management Control Outsourcing Standard ... .............................16
5.1.2 Monitoring, Review, and Delivery of Services ........................... .............................17
5.1.2.1 Managing Changes to Service Providers .............................. .............................17
5.1.3 Secondary Dissemination ............................................................ .............................17
5.1.4 References / Citations / Directives .................................................. .............................17
5.2 Policy Area 2: Security Awareness Training ........................................ .............................18
5.2.1 Awareness Topics ....................................................................... .............................18
5.2.1.1 All Personnel ......................................................................... .............................18
5.2.1.2 Personnel with Physical and Logical Access ........................ .............................18
5.2.1.3 Personnel with Information Technology Roles .................... .............................19
5.2.2 Security Training Records ........................................................... .............................19
5.2.3 References / Citations / Directives .................................................. .............................20
5.3 Policy Area 3: Incident Response ......................................................... .............................21
5.3.1 Reporting Information Security Events ....................................... .............................21
5.3.1.1 Reporting Structure and Responsibilities .............................. .............................21
5.3.1.1.1 FBI CJIS Division Responsibilities ............................. ...............................
21
5.3.1.1.2 CSA ISO Responsibilities ............................................ ...............................
21
5.3.2 Management of Information Security Incidents .......................... .............................22
5.3.2.1 Incident Handling .................................................................. .............................22
5.3.2.2 Collection of Evidence .......................................................... .............................22
5.3.3 Incident Response Training ......................................................... .............................22
5.3.4 Incident Monitoring ..................................................................... .............................22
5.3.5 References/ Citations / Directives .................................................. .............................23
5.4 Policy Area 4: Auditing and Accountability ......................................... .............................24
5.4.1 Auditable Events and Content (Information Systems) ................ .............................24
5.4.1.1 Events .................................................................................... .............................24
5.4.1.1.1 Content ........................................................................... .............................24
5.4.2 Response to Audit Processing Failures ....................................... .............................25
5.4.3 Audit Monitoring, Analysis, and Reporting ................................ .............................25
5.4.4 Time Stamps ................................................................................ .............................25
5.4.5 Protection of Audit Information .................................................. .............................25
CJIS 011
CJISD- lTS -DOC- 08140 -5.0 ` J
5.4.6 Audit Record Retention ............................................................... .............................25
5.4.7 Logging NCIC and III Transactions ............................................ .............................25
5.4.8 Reserved for Future Use .............................................................. .............................26
5.4.9 Reserved for Future Use .............................................................. .............................26
5.4.10 References/ Citations / Directives .................................................. .............................26
5.5 Policy Area 5: Access Control .............................................................. .............................27
5.5.1 Account Management ................................................................. .............................27
5.5.2 Access Enforcement .................................................................... .............................27
5.5.2.1 Least Privilege ...................................................................... .............................27
5.5.2.2 System Access Control ......................................................... .............................28
5.5.2.3 Access Control Criteria ......................................................... .............................28
5.5.2.4 Access Control Mechanisms ................................................. .............................28
5.5.3 Unsuccessful Login Attempts ..................................................... .............................29
5.5.4 System Use Notification .............................................................. .............................29
5.5.5 Session Lock ............................................................................... .............................29
5.5.6 Remote Access ............................................................................ .............................30
5.5.6.1 Personally Owned Information Systems ............................... .............................30
5.5.6.2 Publicly Accessible Computers ............................................ .............................30
5.5.7 Wireless Access Restrictions ...................................................... .............................30
5.5.7.1 All 802.1Ix Wireless Protocols ............................................ .............................30
5.5.7.2 Legacy 802.11 Protocols ....................................................... .............................31
5.5.7.3 Cellular .................................................................................. .............................32
5.5.7.3.1 Cellular Risk Mitigations ............................................. ...............................
32
5.5.7.3.2 Voice Transmissions Over Cellular Devices ............... ...............................
33
5.5.7.4 Bluetooth ............................................................................... .............................33
5.5.8 References / Citations / Directives .................................................. .............................34
5.6 Policy Area 6: Identification and Authentication ................................. .............................36
5.6.1 Identification Policy and Procedures ........................................... .............................36
5.6.1.1 Use of Originating Agency Identifiers in Transactions and Information
Exchanges..................................................................................... .............................36
5.6.2 Authentication Policy and Procedures ........................................ .............................36
5.6.2.1 Standard Authentication ( Password) ..................................... .............................37
5.6.2.2 Advanced Authentication ...................................................... .............................37
5.6.2.2.1 Advanced Authentication Policy and Rationale .......... ...............................
37
5.6.2.2.2 Advanced Authentication Decision Tree ..................... ...............................
38
5.6.3 Identifier and Authenticator Management .................................. .............................40
5.6.3.1 Identifier Management .......................................................... .............................40
5.6.3.2 Authenticator Management ................................................... .............................40
5.6.4 Assertions .................................................................................... .............................41
5.6.5 References / Citations / Directives .................................................. .............................41
5.7 Policy Area 7: Configuration Management .......................................... .............................44
5.7.1 Access Restrictions for Changes ................................................. .............................44
5.7.1.1 Least Functionality ................................................................ .............................44
5.7.1.2 Network Diagram .................................................................. .............................44
CJIS2/09/2011 iii1ra\
JISD- ITS -DOC- 08140 -5.0 1 ` )
5.7.2 Security of Configuration Documentation .................................. .............................44
5.7.3 References / Citations / Directives .................................................. .............................44
5.8 Policy Area 8: Media Protection ........................................................... .............................46
5.8.1 Media Storage and Access .......................................................... .............................46
5.8.2 Media Transport .......................................................................... .............................46
5.8.2.1 Electronic Media in Transit .................................................. .............................46
5.8.2.2 Physical Media in Transit ..................................................... .............................46
5.8.3 Electronic Media Sanitization and Disposal ............................... .............................46
5.8.4 Disposal of Physical Media ......................................................... .............................46
5.8.5 References/ Citations / Directives .................................................. .............................47
5.9 Policy Area 9: Physical Protection ....................................................... .............................48
5.9.1 Physically Secure Location ......................................................... .............................48
5.9.1.1 Security Perimeter ................................................................. .............................48
5.9.1.2 Physical Access Authorizations ............................................ .............................48
5.9.1.3 Physical Access Control ....................................................... .............................48
5.9.1.4 Access Control for Transmission Medium ........................... .............................48
5.9.1.5 Access Control for Display Medium .................................... .............................48
5.9.1.6 Monitoring Physical Access ................................................. .............................49
5.9.1.7 Visitor Control ...................................................................... .............................49
5.9.1.8 Access Records ..................................................................... .............................49
5.9.1.9 Delivery and Removal .......................................................... .............................49
5.9.2 Controlled Area ........................................................................... .............................49
5.9.3 References / Citations / Directives .................................................. .............................50
5.10 Policy Area 10: System and Communications Protection and Information Integrity
.......51
5.10.1 Information Flow Enforcement ................................................... .............................51
5.10.1.1 Boundary Protection ............................................................. .............................51
5.10.1.2 Encryption ............................................................................. .............................52
5.10.1.3 Intrusion Detection Tools and Techniques ........................... .............................52
5.10.1.4 Voice Over Internet Protocol ................................................ .............................52
5.10.2 Facsimile Transmission of CJI .................................................... .............................53
5.10.3 Partitioning and Virtualization .................................................... .............................53
5.10.3.1 Partitioning ............................................................................ .............................53
5.10.3.2 Virtualization ........................................................................ .............................53
5.10.4 System and Information Integrity Policy and Procedures ........... .............................54
5.10.4.1 Patch Management ................................................................ .............................54
5.10.4.2 Malicious Code Protection .................................................... .............................54
5.10.4.3 Spam and Spyware Protection .............................................. .............................54
5.10.4.4 Personal Firewall .................................................................. .............................55
5.10.4.5 Security Alerts and Advisories ............................................. .............................55
5.10.4.6 Information Input Restrictions .............................................. .............................55
5.10.5 References/ Citations / Directives .................................................. .............................56
5.11 Policy Area 11: Formal Audits ............................................................. .............................57
5.11.1 Audits by the FBI CJIS Division ................................................. .............................57
5.11.1.1 Triennial Compliance Audits by the FBI CJIS Division ...... .............................57
5.11.1.2 Triennial Security Audits by the FBI CJIS Division ............ .............................57
5.11.2 Audits by the CSA ....................................................................... .............................57
2/09/2011 iv ���
CJISD- ITS -DOC- 08140 -5.0 ``
5.11.3
Special Security Inquiries and Audits ......................................... .............................57
5.11.4
References / Citations / Directives .................................................. .............................57
5.12 Policy Area 12: Personnel Security ...................................................... .............................59
5.12.1
Personnel Security Policy and Procedures .................................. .............................59
5.12.1.1
Minimum Screening Requirements for Individuals Requiring Access to CJI:..59
5.12.1.2
Personnel Screening for Contractors and Vendors ............... .............................60
5.12.2
Personnel Termination ................................................................ .............................60
5.12.3
Personnel Transfer ....................................................................... .............................60
5.12.4
Personnel Sanctions ..................................................................... .............................60
5.12.5
References /Citations /Directives .................................................. .............................61
Appendix A
Terms and Definitions .......................................................... ...............................
A -1
AppendixB
Acronyms ................................................................................. ............................B
-1
Appendix C
Network Topology Diagrams .................................................. ............................0
-1
Appendix D
Sample Information Exchange Agreements ........................ ...............................
D -1
Appendix E
Security Forums and Organizational Entities ....................... ...............................
E -1
Appendix F
IT Security Incident Response Form .................................... ...............................
F -1
AppendixG
Virtualization ....................................................................... ...............................
G -1
Appendix H
Security Addendum ............................................................. ...............................
H -1
AppendixI
References ................................................................................. ............................I
-1
Appendix J
Noncriminal Justice Agency Supplemental Guidance .............. ............................J
-1
Appendix K
Criminal Justice Agency Supplemental Guidance ............... ...............................
K -1
2/09/2011 v ����
CJISD- ITS- DOC- 08140 -5.0
Figure 1 - Overview Diagram of Strategic Functions and Policy Components ..............................4
Figure 2 - Information Exchange Agreements Implemented by a Local Police Department ........
17
Figure 3 - Security Awareness Training Implemented by a Local Police Department .................20
Figure 4 - Incident Response Process Initiated by an Incident in a Local Police Department
......23
Figure 5 - Local Police Department's Use of Audit Logs ................................. .............................26
Figure 6 - A Local Police Department's Access Controls ................................ .............................35
Figure 7 - A Local Police Department's Authentication Controls ................... .............................41
Figure 8 - Authentication Decision for Known Location ................................. .............................42
Figure 9 - Authentication Decision for Unknown Location ............................. .............................43
Figure 10 - A Local Police Department's Configuration Management Controls ..........................45
Figure 11 - A Local Police Department's Media Management Policies .......... .............................47
Figure 12 - A Local Police Department's Physical Protection Measures ......... .............................50
Figure 13 - A Local Police Department's Information Systems & Communications Protections.56
Figure 14 - The Audit of a Local Police Department ....................................... .............................58
Figure 15 - A Local Police Department's Personnel Security Controls ............ .............................61
2/09/2011 vi
C1ISD- ITS -DOC- 08140 -5.0 t
1 INTRODUCTION
This section details the purpose of this document, its scope, relationship to other information
security policies, and its distribution constraints.
1.1 Purpose
The CJIS Security Policy provides Criminal Justice Agencies (CJA) and Noncriminal Justice
Agencies (NCJA) with a minimum set of security requirements for the access to Federal Bureau
of Investigation (FBI) Criminal Justice Information Services (CJIS) Division systems and
information and to protect and safeguard Criminal Justice Information (CJI). This minimum
standard of security requirements ensures continuity of information protection. The essential
premise of the CJIS Security Policy is to provide the appropriate controls to protect CJI, from
creation through dissemination; whether at rest or in transit.
The CJIS Security Policy integrates Presidential directives, Federal laws, FBI directives, the
criminal justice community's Advisory Policy Board (APB) decisions along with nationally
recognized guidance from the National Institute of Standards and Technology (KIST) and the
National Crime Prevention and Privacy Compact Council (Compact Council).
1.2 Scope
At the consent of the advisory process, and taking into consideration Federal law and state
statutes, the CJIS Security Policy applies to all entities with access to, or who operate in support
of, FBI CJIS Division's services and information. The CJIS Security Policy provides minimum
security requirements associated with the creation, viewing, modification, transmission,
dissemination, storage, or destruction of CJI.
Entities engaged in the interstate exchange of CJI data for noncriminal justice purposes are also
governed by the standards and rules promulgated by the Compact Council.
1.3 Relationship to Local Security Policy and Other Policies
The CJIS Security Policy may be used as the sole security policy for the agency. The local
agency may complement the CJIS Security Policy with a local policy, or the agency may develop
their own stand -alone security policy; however, the CJIS Security Policy shall always be the
minimum standard and local policy may augment, or increase the standards, but shall not detract
from the CJIS Security Policy standards.
The agency shall develop, disseminate, and maintain formal, documented procedures to facilitate
the implementation of the CJIS Security Policy and, where applicable, the local security policy.
The policies and procedures shall be consistent with applicable laws, Executive Orders,
directives, policies, regulations, standards, and guidance. Procedures developed for CJIS
Security Policy areas can be developed for the security program in general, and for a particular
information system, when required.
This document is a compendium of applicable policies in providing guidance on the minimum
security controls and requirements needed to access FBI CJIS information and services. These
policies include Presidential directives, Federal laws, FBI directives and the criminal justice
community's APB decisions. State, local, and Tribal CJA may implement more stringent
2/09/2011 I ]\
CJISD-ITS -DOC- 08140-5.0 11 � a
policies and requirements. Appendix I contains the references while Appendix E lists the
security forums and organizational entities referenced in this document.
1.4 Terminology Used in This Document
The following terms are used interchangeably throughout this document:
• Agency and Organization: The two terms in this document refer to any entity that submits
or receives information, by any means, to /from FBI CJIS systems or services.
Information and Data: Both terms refer to CJI.
• System, Information System, Service, or named applications like NCIC: all refer to
connections to the FBI's criminal justice information repositories and the equipment used
to establish said connections.
Appendix A and B provide an extensive list of the terms and acronyms.
1.5 Distribution of the CJIS Security Policy
The CJIS Security Policy is a publically available document and may be posted and shared
without restrictions.
2/09/2011 2
C1ISD- ITS -DOC- 08140 -5.0 `10
2 CJIS SECURITY POLICY APPROACH
The CJIS Security Policy represents the shared responsibility between FBI CJIS, CJIS Systems
Agency (CSA), and the State Identification Bureaus (SIB) of the lawful use and appropriate
protection of CJI. The policy provides a baseline of security requirements for current and
planned services and sets a minimum standard for new initiatives.
2.1 CJIS Security Policy Vision Statement
The executive summary of this document describes the vision in terms of business needs for
confidentiality, integrity, and availability of information. The APB collaborates with the FBI
CJIS Division to ensure that the policy remains updated to meet ever - changing business,
technology and security needs.
2.2 Architecture Independent
Due to advancing technology and evolving business models, the FBI CJIS Division is
transitioning from legacy stovepipe systems and moving toward a flexible services approach.
Systems such as National Crime Information Center (NCIC), National Instant Criminal
Background Check System (NICS), and Integrated Automated Fingerprint Identification System
(IAFIS) will continue to evolve and may no longer retain their current system platforms,
hardware, or program name. However, the data and services provided by these systems will
remain stable.
The CJIS Security Policy looks at the data (information), services, and protection controls that
apply regardless of the implementation architecture. Architectural independence is not intended
to lessen the importance of systems, but provide for the replacement of one technology with
another while ensuring the controls required to protect the information remain constant. This
objective and conceptual focus on security policy areas provide the guidance and standards while
avoiding the impact of the constantly changing landscape of technical innovations. The
architectural independence of the policy provides agencies with the flexibility for tuning their
information security infrastructure and policies to reflect their own environments.
2.3 Risk Versus Realism
Every "shall" statement contained within the CJIS Security Policy has been scrutinized for risk
versus the reality of resource constraints and real -world application. The purpose of the CJIS
Security Policy is to establish the minimum security requirements; therefore, individual agencies
are encouraged to implement additional controls to address agency specific risks.
2/09/2011 3
CISD- ITS -DOC- 08140 -5.0 I1 (C� `
3 ROLES AND RESPONSIBILITIES
3.1 Shared Management Philosophy
In the scope of information security, the FBI CJIS Division employs a shared management
philosophy with federal, state, local, and tribal law enforcement agencies. Although an advisory
policy board for the NCIC has existed since 1969, the Director of the FBI established the CJIS
APB in March 1994 to enable appropriate input and recommend policy with respect to CJIS
services. Through the APB and its Subcommittees and Working Groups, consideration is given
to the needs of the criminal justice and law enforcement community regarding public policy,
statutory and privacy aspects, as well as national security relative to CJIS systems and
information. The Advisory Process represents federal, state, local, and tribal law enforcement
and criminal justice agencies throughout the United States, its territories, and Canada.
The FBI has a similar relationship with the Compact Council, which governs the interstate
exchange of criminal history records for noncriminal justice purposes. The Compact Council is
mandated by federal law to promulgate rules and procedures for the use of the Interstate
Identification Index (III) for noncriminal justice purposes. To meet that responsibility, the
Compact Council depends on the CJIS Security Policy as the definitive source for standards
defining the security and privacy of records exchanged with noncriminal justice practitioners.
3.2 Roles and Responsibilities for Agencies and Parties
It is the responsibility of all agencies covered under this policy to ensure the protection of CJI
between the FBI CJIS Division and its user community. The following figure provides an
abstract representation of the strategic functions and roles such as governance and operations.
Figure 1- Overview Diagram of Strategic Functions and Policy Components
2/09/2011
CJI SD- ITS -DOC- 08140 -5.0
This section provides a description of the following entities and roles:
1. CJIS Systems Agency.
2. CJIS Systems Officer.
3. Terminal Agency Coordinator.
4. Criminal Justice Agency.
5. Noncriminal Justice Agency.
6. Contracting Government Agency.
7. Agency Coordinator.
8. CJIS Systems Agency Information Security Officer.
9. Local Agency Security Officer.
10. FBI CJIS Division Information Security Officer.
11. Repository Manager.
12. Compact Officer.
3.2.1 CJIS Systems Agencies (CSA)
The CSA is responsible for establishing and administering an information technology security
program throughout the CSA's user community, to include the local levels. The head of each
CSA shall appoint a CJIS Systems Officer (CSO). The CSA may impose more stringent
protection measures than outlined in this document. Such decisions shall be documented and
kept current.
3.2.2 CJIS Systems Officer (CSO)
The CSO is an individual located within the CSA responsible for the administration of the CJIS
network for the CSA. Pursuant to The Bylaws for the CJIS Advisory Policy Board and Working
Groups, the role of CSO shall not be outsourced. The CSO may delegate responsibilities to
subordinate agencies. The CSO shall set, maintain, and enforce the following:
1. Standards for the selection, supervision, and separation of personnel who have access to
CJI.
2. Policy governing the operation of computers, access devices, circuits, hubs, routers,
firewalls, and other components that comprise and support a telecommunications network
and related CJIS systems used to process, store, or transmit CJI, guaranteeing the priority,
confidentiality, integrity, and availability of service needed by the criminal justice
community.
a. Ensure appropriate use, enforce system discipline, and ensure CJIS Division
operating procedures are followed by all users of the respective services and
information.
b. Ensure state /federal agency compliance with policies approved by the APB and
adopted by the FBI.
2/09/2011 5 ( `
C11SD- ITS -DCC- 08140 -5.0 ,1`r
c. Ensure the appointment of the CSA ISO and determine the extent of authority to
the CSA ISO.
d. The CSO, or designee, shall ensure that a Terminal Agency Coordinator (TAC) is
designated within each agency that has devices accessing CJIS systems.
e. Ensure each agency having access to CJI has someone designated as the Local
Agency Security Officer.
f Approve access to FBI CJIS systems.
g. Assume ultimate responsibility for managing the security of CJIS systems within
their state and/or agency.
h. Perform other related duties outlined by the user agreements with the FBI CJIS
Division.
3. Outsourcing of Criminal Justice Functions
a. Responsibility for the management of the approved security requirements shall
remain with the CIA. Security control includes the authority to enforce the
standards for the selection, supervision, and separation of personnel who have
access to CJI; set and enforce policy governing the operation of computers,
circuits, and telecommunications terminals used to process, store, or transmit CJI;
and to guarantee the priority service needed by the criminal justice community.
b. Responsibility for the management control of network security shall remain with
the CJA. Management control of network security includes the authority to
enforce the standards for the selection, supervision, and separation of personnel
who have access to CJI; set and enforce policy governing the operation of circuits
and network equipment used to transmit CJIS data; and to guarantee the priority
service as determined by the criminal justice community.
3.2.3 Terminal Agency Coordinator (TAC)
The TAC serves as the point -of- contact at the local agency for matters relating to CJIS
information access. The TAC administers CJIS systems programs within the local agency and
oversees the agency's compliance with CJIS systems policies.
3.2.4 Criminal Justice Agency (CJA)
A CIA is defined as a court, a governmental agency, or any subunit of a governmental agency
which performs the administration of criminal justice pursuant to a statute or executive order and
which allocates a substantial part of its annual budget to the administration of criminal justice.
State and federal Inspectors General Offices are included.
3.2.5 Noncriminal Justice Agency (NCJA)
A NCJA is defined (for the purposes of access to CJI) as an entity or any subunit thereof that
provides services primarily for purposes other than the administration of criminal justice.
2/09/2011 6 \
C1ISD- ITS -DOC- 08140 -5.0 I 1 Ca/
3.2.6 Contracting Government Agency (CGA)
A CGA is a government agency, whether a CJA or a NCJA, that enters into an agreement with a
private contractor subject to the CJIS Security Addendum. The CGA entering into an agreement
with a contractor is to appoint an agency coordinator.
3.2.7 Agency Coordinator (AC)
An AC is a staff member of the CGA who manages the agreement between the Contractor and
agency. The AC shall be responsible for the supervision and integrity of the system, training and
continuing education of employees and operators, scheduling of initial training and testing, and
certification testing and all required reports by NCIC. The AC shall:
1. Understand the communications, records capabilities, and needs of the Contractor which
is accessing federal and state records through or because of its relationship with the CGA.
2. Participate in related meetings and provide input and comments for system improvement.
3. Receive information from the CGA (e.g., system updates) and disseminate it to
appropriate Contractor employees.
4. Maintain and update manuals applicable to the effectuation of the agreement, and provide
them to the Contractor.
5. Maintain up -to -date records of Contractor's employees who access the system, including
name, date of birth, social security number, date fingerprint card(s) submitted, date
security clearance issued, and date initially trained, tested, certified or recertified (if
applicable).
6. Train or ensure the training of Contractor personnel. If Contractor personnel access
NCIC, schedule the operators for testing or a certification exam with the CSA staff, or
AC staff with permission from the CSA staff. Schedule new operators for the
certification exam within six (6) months of assignment. Schedule certified operators for
biennial re- certification testing within thirty (30) days prior to the expiration of
certification. Schedule operators for other mandated class.
7. The AC will not permit an untrained/untested or non - certified Contractor employee to
access CH or systems supporting CJI where access to CJI can be gained.
8. Where appropriate, ensure compliance by the Contractor with NCIC validation
requirements.
9. Provide completed applicant fingerprint cards on each Contractor employee who accesses
the system to the CJA (or, where appropriate, CSA) for criminal background
investigation prior to such employee accessing the system.
10. Any other responsibility for the AC promulgated by the FBI.
3.2.8 CJIS System Agency Information Security Officer (CSA ISO)
The CSA ISO shall:
1. Serve as the security point of contact (POC) to the FBI CJIS Division ISO.
2/09/2011
C11SD- ITS -DOC- 08140 -5.0 �)
2. Document technical compliance with the CJIS Security Policy with the goal to assure the
confidentiality, integrity, and availability of criminal justice information to the user
community throughout the CSA's user community, to include the local level.
3. Document and provide assistance for implementing the security - related controls for the
Interface Agency and its users.
4. Establish a security incident response and reporting procedure to discover, investigate,
document, and report to the CSA, the affected criminal justice agency, and the FBI CJIS
Division ISO major incidents that significantly endanger the security or integrity of CH.
3.2.9 Local Agency Security Officer (LASO)
Each LASO shall:
1. Identify who is using the CSA approved hardware, software, and firmware and ensure no
unauthorized individuals or processes have access to the same.
2. Identify and document how the equipment is connected to the state system.
3. Ensure that personnel security screening procedures are being followed as stated in this
policy.
4. Ensure the approved and appropriate security measures are in place and working as
expected.
5. Support policy compliance and ensure CSA ISO is promptly informed of security
incidents.
3.2.10 FBI CJIS Division Information Security Officer (FBI CJIS ISO)
The FBI CJIS ISO shall:
1. Maintain the CJIS Security Policy.
2. Disseminate the FBI Director approved CJIS Security Policy.
3. Serve as a liaison with the CSA's ISO and with other personnel across the CJIS
community and in this regard provide technical guidance as to the intent and
implementation of operational and technical policy issues.
4. Serve as a point -of- contact (POC) for computer incident notification and distribution of
security alerts to the CSOs and ISOs.
5. Assist with developing audit compliance guidelines as well as identifying and reconciling
security - related issues.
6. Develop and participate in information security training programs for the CSOs and
ISOs, and provide a means by which to acquire feedback to measure the effectiveness
and success of such training.
7. Maintain a current ISO homepage on the Law Enforcement Online (LEO) network and
keep the CSOs and ISOs updated on pertinent information via the iso(&Ieo.gov email
address.
2,09,2011 8
C11SD- ITS -DOC- 08140 -5.0 �1
3.2.11 Repository Manager
The State Identification Bureau (SIB) Chief, i.e. Repository Manager, is the designated manager
of the agency having oversight responsibility for a state's fingerprint identification services. If
both state fingerprint identification services and CJIS systems control are managed within the
same state agency, the SIB Chief and CSO maybe the same person.
3.2.12 Compact Officer
Pursuant to the National Crime Prevention and Privacy Compact, each party state shall appoint a
Compact Officer who shall ensure that Compact provisions and rules, procedures, and standards
established by the Compact Council are complied with in their respective state.
2/09/2011 9 1
CJISD- ITS -DOC- 08140 -5.0 `I C t)
4 CRIMINAL JUSTICE AND PERSONALLY IDENTIFIABLE
INFORMATION _
4.1 Criminal Justice Information (CJI)
Criminal Justice Information is the term used to refer to all of the FBI CJIS provided data
necessary for law enforcement and civil agencies to perform their missions including, but not
limited to biometric, identity history, biographic, property, and case /incident history data. The
following categories of CJI describe the various data sets housed by the FBI CJIS architecture:
1. Biometric Data —data derived from one or more intrinsic physical or behavioral traits of
humans typically for the purpose of uniquely identifying individuals from within a
population. Used to identify individuals, to include: fingerprints, palm prints, iris scans,
and facial recognition data.
2. Identity History Data — textual data that corresponds with an individual's biometric data,
providing a history of criminal and/or civil events for the identified individual.
3. Biographic Data — information about individuals associated with a unique case, and not
necessarily connected to identity data. Biographic data does not provide a history of an
individual, only information related to a unique case.
4. Property Data — information about vehicles and property associated with crime.
5. Case /Incident History — information about the history of criminal incidents.
The intent of the CJIS Security Policy is to ensure the protection of the aforementioned CJI until
such time as the information is either released to the public via authorized dissemination (e.g.
within a court system or when presented in crime reports data), or is purged or destroyed in
accordance with applicable record retention rules.
4.1.1 Criminal History Record Information (CHRI)
Criminal History Record Information (CHRI), sometimes informally referred to as "restricted
data", is a subset of CJI. Due to its comparatively sensitive nature, additional controls are
required for the access, use and dissemination of CHRI. In addition to the dissemination
restrictions outlined below, Title 28, Part 20, Code of Federal Regulations (CFR), defines CHRI
and provides the regulatory guidance for dissemination of CHRI. While the CJIS Security
Policy attempts to be architecturally independent, the III and the NCIC are specifically identified
in Title 28, Part 20, CFR, and the NCIC Operating Manual, as associated with CHRI.
4.2 Access, Use and Dissemination of Criminal History Record
Information (CHRI) and NCIC Hot File Information
This section describes the requirements for the access, use and dissemination of CHRI and NCIC
hot file information.
4.2.1 Terminology
Information obtained from the III is considered CHRI. Proper access to, and use and
dissemination of, data from these files shall be consistent with the use and dissemination policies
to
2/09/2011
0I S D-ITS- D OC- 08140 -5.0
concerning the III described in Title 28, Part 20, CFR, and the NCIC Operating Manual. The
following files shall be protected as CHRI:
1. Gang File.
2. Known or Appropriately Suspected Terrorist File.
3. Convicted Persons on Supervised Release File.
4. Immigration Violator File (formerly the Deported Felon File).
5. National Sex Offender Registry File.
6. Historical Protection Order File of the NCIC.
7. Identity Theft File.
The remaining NCIC files are considered "hot files."
4.2.2 Proper Access, Use, and Dissemination
4.2.2.1 Proper Use of CHRI
The III shall be accessed only for an authorized purpose. Further, CHRI shall only be used for
an authorized purpose consistent with the purpose for which III was accessed. Dissemination to
another agency is authorized if (a) the other agency is an Authorized Recipient of such
information and is being serviced by the accessing agency, or (b) the other agency is performing
personnel and appointment functions for criminal justice employment applicants.
4.2.2.2 Proper Use of Hot File Information
4.2.2.2.1 Use for Official Purposes
NCIC hot files may be accessed for any authorized purpose consistent with the inquiring
agency's responsibility. Information obtained may be re- disseminated to (a) other government
agencies or (b) private entities authorized by law to receive such information for any purpose
consistent with their responsibilities.
4.2.2.2.2 Access and Dissemination for Other Authorized Purposes
NCIC hot files may be accessed for other purposes consistent with the resources of the inquiring
agency; however, requests for bulk data are discouraged. Information derived from national hot
file records for other than law enforcement purposes can be used by authorized criminal justice
personnel only to confirm the status of a person or article (i.e., wanted or stolen). An inquiring
agency is authorized to charge a nominal administrative fee for such service. The commercial
dissemination of hot file information is prohibited.
4.2.2.2.3 CSO Authority in Other Circumstances
If no federal, state or local law or policy prohibition exists, the CSO may exercise discretion to
approve or deny dissemination of hot file information.
2/09/2011 1I
CJISD- ITS -DOC- 08140 -5.0 11C�)
4.2.3 Storage
When CHRI is stored, agencies shall establish appropriate administrative, technical and physical
safeguards to ensure the security and confidentiality of the information. These records shall be
stored for extended periods only when they are key elements for the integrity and/or utility of
case files and/or criminal record files. See section 5.9 for physical security controls.
4.2.4 Justification and Penalties
4.2.4.1 Justification
In addition to the use of purpose codes and logging information, all users shall provide a reason
for all III inquiries whenever requested by NCIC System Managers, CSAs, local agency
administrators, or their representatives.
4.2.4.2 Penalties
Improper access, use or dissemination of CHRI and Hot File information is serious and may
result in administrative sanctions including, but not limited to, termination of services and state
and federal criminal penalties.
4.3 Personally Identifiable Information (PII)
For the purposes of this document, PII is information which can be used to distinguish or trace an
individual's identity, such as name, social security number, or biometric records, alone or when
combined with other personal or identifying information which is linked or linkable to a specific
individual, such as date and place of birth, or mother's maiden name. Any FBI CJIS provided
data maintained by an agency, including but not limited to, education, financial . transactions,
medical history, and criminal or employment history may include PII. A criminal history record
for example inherently contains PII as would an N -DEx case file.
PII shall be extracted from CH for the purpose of official business only. Agencies shall develop
policies, based on state and local privacy rules, to ensure appropriate controls are applied when
handling PII extracted from CJI. Due to the expansive nature of PII, this policy does not specify
auditing, logging, or personnel security requirements associated with the life cycle of PII.
12
2/09/2011
CJI S D- ITS -DOC- 08140 -5.0
IM)
5 POLICY AND IMPLEMENTATION
The policy areas focus upon the data and services that the FBI CJIS Division exchanges and
provides to the criminal justice community and its partners. Each policy area provides both
strategic reasoning and tactical implementation requirements and standards.
While the major theme of the policy areas is concerned with electronic exchange directly with
the FBI, it is understood that further dissemination of CJI to Authorized Recipients by various
means (hard copy, e-mail, web posting, etc.) constitutes a significant portion of CJI exchanges.
Regardless of its form, use, or method of dissemination, CJI requires protection throughout its
life.
Not every consumer of FBI CJIS services will encounter all of the policy areas therefore the
circumstances of applicability are based on individual agency /entity configurations and usage.
Use cases within each of the policy areas will help users relate the policy to their own agency
circumstances. The policy areas are:
• Policy Area 1— Information Exchange Agreements
• Policy Area 2— Security Awareness Training
• Policy Area 3— Incident Response
• Policy Area 4— Auditing and Accountability
• Policy Area 5— Access Control
• Policy Area 6— Identification and Authentication
• Policy Area 7— Configuration Management
• Policy Area 8 —Media Protection
• Policy Area 9— Physical Protection
• Policy Area 10— Systems and Communications Protection and Information Integrity
• Policy Area 11— Formal Audits
• Policy Area 12— Personnel Security
2/09/2011 13
CISD- ITS -DOC- 08140 -5.0 j ( Cd
5.1 Policy Area 1: Information Exchange Agreements
The information shared through communication mediums shall be protected with appropriate
security safeguards. The agreements established by entities sharing information across systems
and communications mediums are vital to ensuring all parties fully understand and agree to a set
of security standards.
5.1.1 Information Exchange
Before exchanging CJI, agencies shall put formal agreements in place that specify security
controls. The exchange of information may take several forms including electronic mail, instant
messages, web services, facsimile, hard copy, and information systems sending, receiving and
storing CJI.
Information exchange agreements outline the roles, responsibilities, and data ownership between
agencies and any external parties. Information exchange agreements for agencies sharing CJI
data that is sent to and/or received from the FBI CJIS shall specify the security controls and
conditions described in this document.
Information exchange agreements shall be supported by documentation committing both parties
to the terms of information exchange. As described in subsequent sections, different agreements
and policies apply, depending on whether the parties involved are CJAs or NCJAs. See
Appendix D for examples of Information Exchange Agreements.
There may be instances, on an ad -hoc basis, where CJI is authorized for further dissemination to
Authorized Recipients not covered by an information exchange agreement with the releasing
agency. In these instances the dissemination of CJI is considered to be secondary dissemination.
See Section 5.1.3 for secondary dissemination guidance.
5.1.1.1 Information Handling
Procedures for handling and storage of information shall be established to protect that
information from unauthorized disclosure, alteration or misuse. Using the requirements in this
policy as a starting point, the procedures shall apply to the handling, processing, storing, and
communication of CJI. These procedures apply to the exchange of CJI no matter the form of
exchange.
The policies for information handling and protection also apply to using CJI shared with or
received from FBI CJIS for noncriminal justice purposes. In general, a noncriminal justice
purpose includes the use of criminal history records for purposes authorized by federal or state
law other than purposes relating to the administration of criminal justice, including — but not
limited to - employment suitability, licensing determinations, immigration and naturalization
matters, and national security clearances.
5.1.1.2 State and Federal Agency User Agreements
Each CSA head or SIB Chief shall execute a signed written user agreement with the FBI CJIS
Division stating their willingness to demonstrate conformity with this policy before accessing
and participating in CJIS records information programs. This agreement shall include the
standards and sanctions governing utilization of CJIS systems. As coordinated through the
particular CSA or SIB Chief, each Interface Agency shall also allow the FBI to periodically test
14
0!1
CJIS I!J\
GISD- ITS -DOC- 08140 -5.0 `G /
the ability to penetrate the FBI's network through the external network connection or system per
authorization of Department of Justice (DOJ) Order 2640.2F. All user agreements with the FBI
CJIS Division shall be coordinated with the CSA head.
5.1.1.3 Criminal Justice Agency User Agreements
Any CJA receiving access to FBI CJIS data shall enter into a signed written agreement with the
appropriate signatory authority of the CSA providing the access. The written agreement shall
specify the FBI CJIS systems and services to which the agency will have access, and the FBI
CJIS Division policies to which the agency must adhere. These agreements shall include:
1. Audit.
2. Dissemination.
3. Hit confirmation.
4. Logging.
5. Quality Assurance (QA).
6. Screening (Pre - Employment).
7. Security.
8. Timeliness.
9, Training.
10. Use of the system.
11. Validation.
5.1.1.4 Inter- Agency and Management Control Agreements
A NCJA (government) designated to perform criminal justice functions for a CJA shall be
eligible for access to the CJI. Access shall be permitted when such designation is authorized
pursuant to Executive Order, statute, regulation, or inter- agency agreement. The NCJA shall sign
and execute a management control agreement (MCA) with the CJA, which stipulates
management control of the criminal justice function remains solely with the CJA. The MCA
may be a separate document or included with the language of an inter - agency agreement. An
example of an NCJA (government) is a city IT department.
5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum
The CJIS Security Addendum is a uniform addendum to an agreement between the government
agency and a private contractor, approved by the Attorney General of the United States, which
specifically authorizes access to criminal history record information, limits the use of the
information to the purposes for which it is provided, ensures the security and confidentiality of
the information is consistent with existing regulations and the CJIS Security Policy, provides for
sanctions, and contains such other provisions as the Attorney General may require.
Private contractors who perform criminal justice functions shall meet the same training and
certification criteria required by governmental agencies performing a similar function, and shall
be subject to the same extent of audit review as are local user agencies. All private contractors
who perform criminal justice functions shall acknowledge, via signing of the CJIS Security
2/09/2011 15
C1ISD- ITS -DOC- 08140 -5.0 1 I (d
Addendum Certification page, and abide by all aspects of the CJIS Security Addendum. The
CJIS Security Addendum is presented in Appendix H. Modifications to the CJIS Security
Addendum shall be enacted only by the FBI.
1. Private contractors designated to perform criminal justice functions for a CJA shall be
eligible for access to CJI. Access shall be permitted pursuant to an agreement which
specifically identifies the agency's purpose and scope of providing services for the
administration of criminal justice. The agreement between the CJA and the private
contractor shall incorporate the CJIS Security Addendum approved by the Director of the
FBI, acting for the U.S. Attorney General, as referenced in Title 28 CFR 20.33 (a)(7).
2. Private contractors designated to perform criminal justice functions on behalf of a NCJA
(government) shall be eligible for access to CJI. Access shall be permitted pursuant to an
agreement which specifically identifies the agency's purpose and scope of providing
services for the administration of criminal justice. The agreement between the NCJA and
the private contractor shall incorporate the CJIS Security Addendum approved by the
Director of the FBI, acting for the U.S. Attorney General, as referenced in Title 28 CFR
20.33 (a)(7).
5.1.1.6 Agency User Agreements
A NCJA (public) designated to request civil fingerprint -based background checks, with the full
consent of the individual to whom a background check is taking place, for noncriminal justice
functions, shall be eligible for access to CJI. Access shall be permitted when such designation is
authorized pursuant to federal law or state statute approved by the U.S. Attorney General. An
NCJA (public) receiving access to FBI CJIS data shall enter into a signed written agreement with
the appropriate signatory authority of the CSA/SIB providing the access. An example of a NCJA
(public) is a county school board.
A NCJA (private) designated to request civil fingerprint -based background checks, with the full
consent of the individual to whom a background check is taking place, for noncriminal justice
functions, shall be eligible for access to CJI. Access shall be permitted when such designation is
authorized pursuant to federal law or state statute approved by the U.S. Attorney General. An
NCJA (private) receiving access to FBI CJIS data shall enter into a signed written agreement
with the appropriate signatory authority of the CSA/SIB providing the access. An example of a
NCJA (private) is a local bank.
All NCJAs accessing CJI shall be subject to all pertinent areas of the CJIS Security Policy (see
Appendix J for supplemental guidance). Each NCJA that directly accesses FBI CJI shall also
allow the FBI to periodically test the ability to penetrate the FBI's network through the external
network connection or system per authorization of Department of Justice (DOJ) Order 2640.2F.
5.1.1.7 Security and Management Control outsourcing Standard
Channelers designated to request civil fingerprint -based background checks or noncriminal
justice ancillary functions on behalf of a NCJA (public) or NCJA (private) for noncriminal
justice functions shall be eligible for access to CJI. Access shall be permitted when such
designation is authorized pursuant to federal law or state statute approved by the U.S. Attorney
General. All Channelers accessing CJI shall be subject to the terms and conditions described in
16
2/09/2011
UISD- ITS -DOC- 08140 -5.0
the Compact Council Security and Management Control Outsourcing Standard. Each Channeler
that directly accesses CH shall also allow the FBI to conduct periodic penetration testing.
Channelers leveraging CJI to perform civil functions on behalf of an Authorized Recipient shall
meet the same training and certification criteria required by governmental agencies performing a
similar function, and shall be subject to the same extent of audit review as are local user
agencies.
5.1.2 Monitoring, Review, and Delivery of Services
As specified in the inter - agency agreements, MCAs, and contractual agreements with private
contractors, the services, reports and records provided by the service provider shall be regularly
monitored and reviewed. The CIA shall maintain sufficient overall control and visibility into all
security aspects to include, but not limited to, identification of vulnerabilities and information
security incident reporting/response. The incident reporting/response process used by the service
provider shall conform to the incident reporting/response specifications provided in this policy.
5.1.2.1 Managing Changes to Service Providers
Any changes to services provided by a service provider shall be managed by the CJA. This
includes provision of services, changes to existing services, and new services. Evaluation of the
risks to the agency shall be undertaken based on the criticality of the data, system, and the impact
of the change.
5.1.3 Secondary Dissemination
If CHRI is released to another authorized agency, and that agency was not part of the releasing
agency's primary information exchange agreement(s), the releasing agency shall log such
dissemination.
5.1.4 References /Citations /Directives
Appendix I contains all of the references used in this policy and may contain additional sources
that apply to this section.
Figure 2 - Information Exchange Agreements Implemented by a Local Police Department
A local police department executed a Memorandum of Understanding (MOU) for the interface
with their state CSA. The local police department also executed an MOU (which included an
MCA) with the county information technology (IT) department for the day -to -day operations
of their criminal- justice infrastructure. The county IT department, in turn, outsourced
operations to a local vendor who signed the CJIS Security Addendum.
2/09/2011
CJI S D- ITS -DOC- 08140 -5.0
n
ItCC))
5.2 Policy Area 2: Security Awareness Training
Basic security awareness training shall be required within six months of initial assignment, and
biennially thereafter, for all personnel who have access to CJI. The CSO /SIB may accept the
documentation of the completion of security awareness training from another agency. Accepting
such documentation from another agency means that the accepting agency assumes the risk that
the training may not meet a particular requirement or process required by federal, state, or local
laws.
5.2.1 Awareness Topics
A significant number of topics can be mentioned and briefly discussed in any awareness session
or campaign. To help further the development and implementation of individual agency security
awareness training programs the following baseline guidance is provided.
5.2.1.1 All Personnel
At a minimum, the following topics shall be addressed as baseline security awareness training
for all authorized personnel with access to CJI:
1. Rules that describe responsibilities and expected behavior with regard to CJI usage.
2. Implications of noncompliance.
3. Incident response (Points of contact; Individual actions).
4. Media protection.
5. Visitor control and physical access to spaces — discuss applicable physical security policy
and procedures, e.g., challenge strangers, report unusual activity.
6. Protect information subject to confidentiality concerns — hardcopy through destruction.
7. Proper handling and marking of CJI.
8. Threats, vulnerabilities, and risks associated with handling of CJI.
9. Dissemination and destruction.
5.2.1.2 Personnel with Physical and Logical Access
In addition to 5.2.1.1 above, the following topics, at a minimum, shall be addressed as baseline
security awareness training for all authorized personnel with both physical and logical access to
CJI:
1. Rules that describe responsibilities and expected behavior with regard to information
system usage.
2. Password usage and management — including creation, frequency of changes, and
protection.
3. Protection from viruses, worms, Trojan horses, and other malicious code.
4. Unknown e- mail /attachments.
5. Web usage — allowed versus prohibited; monitoring of user activity.
2/09/2011
CJ I S D-ITS -D OC- 08140 -5.0
is
I (CC)
6. Spam.
7. Social engineering.
8. Physical Security— increases in risks to systems and data.
9. Media Protection.
10. Handheld device security issues — address both physical and wireless security issues.
11. Use of encryption and the transmission of sensitive /confidential information over the
Internet — address agency policy, procedures, and technical contact for assistance.
12. Laptop security— address both physical and information security issues.
13. Personally owned equipment and software —state whether allowed or not (e.g.,
copyrights).
14. Access control issues — address least privilege and separation of duties.
15. Individual accountability — explain what this means in the agency.
16. Use of acknowledgement statements — passwords, access to systems and data, personal
use and gain.
17. Desktop security--discuss use of screensavers, restricting visitors' view of information
on screen (mitigating "shoulder surfing "), battery backup devices, allowed access to
systems.
18. Protect information subject to confidentiality concerns —in systems, archived, on backup
media, and until destroyed.
19. Threats, vulnerabilities, and risks associated with accessing CJIS Service systems and
services.
5.2.1.3 Personnel with Information Technology Roles
In addition to 5.2.1.1 and 5.2.1.2 above, the following topics at a minimum shall be addressed as
baseline security awareness training for all Information Technology personnel (system
administrators, security administrators, network administrators, etc.):
1. Protection from viruses, worms, Trojan horses, and other malicious code — scanning,
updating definitions.
2. Data backup and storage — centralized or decentralized approach.
3. Timely application of system patches —part of configuration management.
4. Access control measures.
5. Network infrastructure protection measures.
5.2.2 Security Training Records
Records of individual basic security awareness training and specific information system security
training shall be documented, kept current, and maintained by the CSO /SIB /Compact Officer.
Maintenance of training records can be delegated to the local level.
2/09/2011 19
CJISD- ITS -DOC- 08140 -5.0 I I(d
0
11
•
5.2.3 References/Citations/Directives
Appendix I contains all of the references used in this policy and may contain additional sources
that apply to this section.
Figure 3 - Security Awareness Training Implemented by a Local Police Department
A local police department with a staff of 20 sworn law- enforcement officers and 15 support
personnel worked with a vendor to develop role- specific security - awareness training, and
required all staff to complete this training upon assignment and every two years thereafter.
The local police department scheduled the sworn law- enforcement training to coincide with
their NCIC certification training. The vendor maintained the training records for the police
department's entire staff, and provided reporting to the department to help it ensure
compliance with the CJ1S Security Policy.
2/09/2011
CJISD- ITS -DOC- 08140 -5.0
20
110)
5.3 Policy Area 3: Incident Response
There has been an increase in the number of accidental or malicious computer attacks against
both government and private agencies, regardless of whether the systems are high or low profile.
Agencies shall: (i) establish an operational incident handling capability for agency information
systems that includes adequate preparation, detection, analysis, containment, recovery, and user
response activities; (ii) track, document, and report incidents to appropriate agency officials
and/or authorities.
ISOs have been identified as the POC on security- related issues for their respective agencies and
shall ensure LASOs institute the CSA incident response reporting procedures at the local level.
Appendix F contains a sample incident notification letter for use when communicating the details
of an incident to the FBI CJIS ISO.
5.3.1 Reporting Information Security Events
The agency shall promptly report incident information to appropriate authorities. Information
security events and weaknesses associated with information systems shall be communicated in a
manner allowing timely corrective action to be taken. Formal event reporting and escalation
procedures shall be in place. Wherever feasible, the agency shall employ automated mechanisms
to assist in the reporting of security incidents. All employees, contractors and third party users
shall be made aware of the procedures for reporting the different types of event and weakness
that might have an impact on the security of agency assets and are required to report any
information security events and weaknesses as quickly as possible to the designated point of
contact.
5.3.1.1 Reporting Structure and Responsibilities
5.3.1.1.1 FBI CJIS Division Responsibilities
The FBI CJIS Division shall:
1. Manage and maintain the CJIS Division's Computer Security Incident Response
Capability (CSIRC).
2. Serve as a central clearinghouse for all reported intrusion incidents, security alerts,
bulletins, and other security - related material.
3. Ensure additional resources for all incidents affecting FBI CJIS Division controlled
systems as needed.
4. Disseminate prompt advisories of system threats and operating system vulnerabilities to
all CSOs and ISOs through the use of the isona,leo.eov e-mail account, to include but not
limited to: Product Security Bulletins, Virus Bulletins, and Security Clips.
5. Track all reported incidents and/or trends.
6. Monitor the resolution of all incidents.
5.3.1.1.2 CSA ISO Responsibilities
The CSA ISO shall:
2109/2011 21
CJ I S D- ITS -DOC- 08140 -5.0 �' (CO
I . Assign individuals in each state, federal, and international law enforcement organization
to be the primary point of contact for interfacing with the FBI CJIS Division concerning
incident handling and response.
2. Identify individuals who are responsible for reporting incidents within their area of
responsibility.
3. Collect incident information from those individuals for coordination and sharing among
other organizations that may or may not be affected by the incident.
4. Develop, implement, and maintain internal incident response procedures and coordinate
those procedures with other organizations that may or may not be affected.
5. Collect and disseminate all incident- related information received from the Department of
Justice (DOJ), FBI CJIS Division, and other entities to the appropriate local law
enforcement POCs within their area.
6. Act as a single POC for their jurisdictional area for requesting incident response
assistance.
5.3.2 Management of Information Security Incidents
A consistent and effective approach shall be applied to the management of information security
incidents. Responsibilities and procedures shall be in place to handle information security events
and weaknesses effectively once they have been reported.
5.3.2.1 Incident Handling
The agency shall implement an incident handling capability for security incidents that includes
preparation, detection and analysis, containment, eradication, and recovery. Wherever feasible,
the agency shall employ automated mechanisms to support the incident handling process.
Incident - related information can be obtained from a variety of sources including, but not limited
to, audit monitoring, network monitoring, physical access monitoring, and user /administrator
reports. The agency incorporates the lessons learned from ongoing incident handling activities
into the incident response procedures and implements the procedures accordingly.
5.3.2.2 Collection of Evidence
Where a follow -up action against a person or agency after an information security incident
involves legal action (either civil or criminal), evidence shall be collected, retained, and
presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).
5.3.3 Incident Response Training
The agency shall ensure general incident response roles responsibilities are included as part of
required security awareness training.
5.3.4 Incident Monitoring
The agency shall track and document information system security incidents on an ongoing basis.
The CSA ISO shall maintain completed security incident reporting forms until the subsequent
22
2/09/2011 `
CJISD- ITS -DOC- 08140 -5.0
FBI triennial audit or until legal action (if warranted) is complete; whichever time -frame is
greater.
5.3.5 References /Citations /Directives
Appendix I contains all of the references used in this policy and may contain additional sources
that apply to this section.
Figure 4 - Incident Response Process Initiated by an Incident in a Local Police Department
A state ISO received a notification from a local police department that suspicious network
activity from a known botnet was detected on their network. The state ISO began the process
of collecting all pertinent information about this incident, e.g. incident date /time, points -of-
contact, systems affected, nature of the incident, actions taken, etc. and requested that the local
police department confirm that their malware signatures were up to date. The state ISO
contacted both the FBI CJIS ISO and state CSO to relay the preliminary details of this
incident. The FBI CJIS ISO instructed the involved parties to continue their investigation and
to submit an incident response form once all the information had been gathered. The FBI CJIS
ISO contacted the lead for the FBI CSIRC to inform them that an incident response form was
forthcoming. The state ISO gathered the remainder of the information from the local police
department and submitted a completed incident response form to the FBI CJIS ISO who
subsequently provided it to the FBI CSIRC. The FBI CSIRC notified the Department of
Justice Computer Incident Response Team (DOJCIRT). The state ISO continued to monitor
the situation, passing relevant details to the FBI CJIS ISO, ultimately determining that the
botnet was eliminated from the local police department's infrastructure. Subsequent
investigations determined that the botnet was restricted to the department's administrative
infrastructure and thus no CJI was compromised.
2/09/2011
23r,
C1ISD- ITS -DOC- 08140 -5.0
, (�.)
5.4 Policy Area 4: Auditing and Accountability
Agencies shall implement audit and accountability controls to increase the probability of
authorized users conforming to a prescribed pattern of behavior. Agencies shall carefully assess
the inventory of components that compose their information systems to determine which security
controls are applicable to the various components.
Auditing controls are typically applied to the components of an information system that provide
auditing capability (servers, etc.) and would not necessarily be applied to every user -level
workstation within the agency. As technology advances, more powerful and diverse
functionality can be found in such devices as personal digital assistants and cellular telephones,
which may require the application of security controls in accordance with an agency assessment
of risk.
5.4.1 Auditable Events and Content (information Systems)
The agency's information system shall generate audit records for defined events. These defined
events include identifying significant events which need to be audited as relevant to the security
of the information system. The agency shall specify which information system components
carry out auditing activities. Auditing activity can affect information system performance and
this issue must be considered as a separate factor during the acquisition of information systems.
The agency's information system shall produce, at the application and/or operating system level,
audit records containing sufficient information to establish what events occurred, the sources of
the events, and the outcomes of the events. The agency shall periodically review and update the
list of agency - defined auditable events. In the event an agency does not use an automated
system, manual recording of activities shall still take place.
5.4.1.1 Events
The following events shall be logged:
1. Successful and unsuccessful system log -on attempts.
2. Successful and unsuccessful attempts to access, create, write, delete or change permission
on a user account, file, directory or other system resource.
3. Successful and unsuccessful attempts to change account passwords.
4. Successful and unsuccessful actions by privileged accounts.
5. Successful and unsuccessful attempts for users to access, modify, or destroy the audit log
file.
5.4.1.1.1 Content
The following content shall be included with every audited event:
1. Date and time of the event.
2. The component of the information system (e.g., software component, hardware
component) where the event occurred.
3. Type of event.
2/09/2011 24
CJISD - ITS -DOC- 08140 -5.0 I I CCO
4. User /subject identity.
5. Outcome (success or failure) of the event.
5.4.2 Response to Audit Processing Failures
The agency's information system shall provide alerts to appropriate agency officials in the event
of an audit processing failure. Audit processing failures include, for example: software/hardware
errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or
exceeded.
5.4.3 Audit Monitoring, Analysis, and Reporting
The responsible management official shall designate an individual or position to review /analyze
information system audit records for indications of inappropriate or unusual activity, investigate
suspicious activity or suspected violations, to report findings to appropriate officials, and to take
necessary actions. Audit review /analysis shall be conducted at a minimum once a week. The
frequency of review /analysis should be increased when the volume of an agency's processing
indicates an elevated need for audit review. The agency shall increase the level of audit
monitoring and analysis activity within the information system whenever there is an indication of
increased risk to agency operations, agency assets, or individuals based on law enforcement
information, intelligence information, or other credible sources of information.
5.4.4 Time Stamps
The agency's information system shall provide time stamps for use in audit record generation.
The time stamps shall include the date and time values generated by the internal system clocks in
the audit records. The agency shall synchronize internal information system clocks on an annual
basis.
5.4.5 Protection of Audit Information
The agency's information system shall protect audit information and audit tools from
modification, deletion and unauthorized access.
5.4.6 Audit Record Retention
The agency shall retain audit records for at least 365 days. Once the minimum retention time
period has passed, the agency shall continue to retain audit records until it is determined they are
no longer needed for administrative, legal, audit, or other operational purposes. This includes,
for example, retention and availability of audit records relative to Freedom of Information Act
(FOIA) requests, subpoena, and law enforcement actions.
5.4.7 Logging NCIC and III Transactions
A log shall be maintained for a minimum of one (1) year on all NCIC and III transactions. The
III portion of the log shall clearly identify both the operator and the authorized receiving agency.
III logs shall also clearly identify the requester and the secondary recipient. The identification on
the log shall take the form of a unique identifier that shall remain unique to the individual
requester and to the secondary recipient throughout the minimum one year retention period.
2/09/2011 25
CJISD- ITS- DOC-08140 -5.0 11 P 1
5.4.8 Reserved for Future Use
5.4.9 Reserved for Future Use
5.4.10 References /Citations /Directives
Appendix I contains all of the references used in this policy and may contain additional sources
that apply to this section.
Figure 5 - Local Police Department's Use of Audit Logs
A state CSO contacted a local police department regarding potentially inappropriate use of
CHRI that was retrieved using the local department's ORI. The state CSO requested all
relevant information from the police department to reconcile state NCIC and III logs against
local police department logs. The police department provided the combination of their CJI
processing application's logs with relevant operating system and network infrastructure logs to
help verify the identity of the users conducting these queries. The review of these logs
substantiated the CSO's suspicion.
2109/2011 26
CJISD- ITS -DOC- 08140 -5.0 I I (d)
5.5 Policy Area 5: Access Control
Access control provides the planning and implementation of mechanisms to restrict reading,
writing, processing and transmission of CJIS information and the modification of information
systems, applications, services and communication configurations allowing access to CJIS
information.
5.5.1 Account Management
The agency shall manage information system accounts, including establishing, activating,
modifying, reviewing, disabling, and removing accounts. The agency shall validate information
system accounts at least annually and shall document the validation process. The validation and
documentation of accounts can be delegated to local agencies.
Account management includes the identification of account types (i.e., individual, group, and
system), establishment of conditions for group membership, and assignment of associated
authorizations. The agency shall identify authorized users of the information system and specify
access rights /privileges. The agency shall grant access to the information system based on:
1. Valid need -to -know /need -to -share that is determined by assigned official duties.
2. Satisfaction of all personnel security criteria.
The agency responsible for account creation shall be notified when:
1. A user's information system usage or need -to -know or need -to -share changes.
2. A user is terminated or transferred or associated accounts are removed, disabled, or
otherwise secured.
5.5.2 Access Enforcement
The information system shall enforce assigned authorizations for controlling access to the system
and contained information. The information system controls shall restrict access to privileged
functions (deployed in hardware, software, and firmware) and security- relevant information to
explicitly authorized personnel.
Explicitly authorized personnel include, for example, security administrators, system and
network administrators, and other privileged users with access to system control, monitoring, or
administration functions (e.g., system administrators, information system security officers,
maintainers, system programmers).
Access control policies (e.g., identity -based policies, role -based policies, rule -based policies) and
associated access enforcement mechanisms (e.g., access control lists, access control matrices,
cryptography) shall be employed by agencies to control access between users (or processes
acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains)
in the information system.
5.5.2.1 Least Privilege
The agency shall approve individual access privileges and shall enforce physical and logical
access restrictions associated with changes to the information system; and generate, retain, and
review records reflecting all such changes. The agency shall enforce the most restrictive set of
2/09/2011 27
CJISD- ITS -DOC- 08140 -5.0 1 t( d)
rights /privileges or access needed by users for the performance of specified tasks. The agency
shall implement least privilege based on specific duties, operations, or information systems as
necessary to mitigate risk to CJI. This limits access to CJI to only authorized personnel with the
need and the right to know.
Logs of access privilege changes shall be maintained for a minimum of one year or at least equal
to the agency's record retention policy — whichever is greater.
5.5.2.2 System Access Control
Access control mechanisms to enable access to CJI shall be restricted by object (e.g., data set,
volumes, files, records) including the ability to read, write, or delete the objects. Access controls
shall be in place and operational for all IT systems to:
1. Prevent multiple concurrent active sessions for one user identification, for those
applications accessing CJI, unless the agency grants authority based upon operational
business needs. Agencies shall document the parameters of the operational business
needs for multiple concurrent active sessions.
2. Ensure that only authorized personnel can add, change, or remove component devices,
dial -up connections, and remove or alter programs.
5.5.2.3 Access Control Criteria
Agencies shall control access to CJI based on one or more of the following:
1. Job assignment or function (i.e., the role) of the user seeking access.
2. Physical location.
3. Logical location.
4. Network addresses (e.g., users from sites within a given agency may be permitted greater
access than those from outside).
5. Time -of -day and day -of- week/month restrictions.
5.5.2.4 Access Control Mechanisms
When setting up access controls, agencies shall use one or more of the following mechanisms:
1. Access Control Lists (ACLs). ACLs are a register of users (including groups, machines,
processes) who have been given permission to use a particular object (system resource)
and the types of access they have been permitted.
2. Resource Restrictions. Access to specific functions is restricted by never allowing users
to request information, functions, or other resources for which they do not have access.
Three major types of resource restrictions are: menus, database views, and network
devices.
3. Encryption. Encrypted information can only be decrypted, and therefore read, by those
possessing the appropriate cryptographic key. While encryption can provide strong
access control, it is accompanied by the need for strong key management. If encryption
of stored information is employed as an access enforcement mechanism, the
28
2,/09/2011
CJI S D- ITS -DOC- 08140 -5.0 �, r�
cryptography used is Federal Information Processing Standards (FIPS) 140 -2 (as
amended) compliant (see section 5.10.1.2 for encryption requirements).
4. Application Level. In addition to controlling access at the information system level,
access enforcement mechanisms are employed at the application level to provide
increased information security for the agency.
5.5.3 Unsuccessful Login Attempts
Where technically feasible, the system shall enforce a limit of no more than 5 consecutive invalid
access attempts by a user (attempting to access CJI or systems with access to CJI). The system
shall automatically lock the account /node for a 10 minute time period unless released by an
administrator.
5.5.4 System Use Notification
The information system shall display an approved system use notification message, before
granting access, informing potential users of various usages and monitoring rules. The system
use notification message shall, at a minimum, provide the following information:
1. The user is accessing a restricted information system.
2. System usage maybe monitored, recorded, and subject to audit.
3. Unauthorized use of the system is prohibited and maybe subject to criminal and/or civil
penalties.
4. Use of the system indicates consent to monitoring and recording.
The system use notification message shall provide appropriate privacy and security notices
(based on associated privacy and security policies or summaries) and remain on the screen until
the user acknowledges the notification and takes explicit actions to log on to the information
system.
Privacy and security policies shall be consistent with applicable laws, Executive Orders,
directives, policies, regulations, standards, and guidance. System use notification messages can
be implemented in the form of warning banners displayed when individuals log in to the
information system. For publicly accessible systems: (i) the system use information is available
and when appropriate, is displayed before granting access; (ii) any references to monitoring,
recording, or auditing are in keeping with privacy accommodations for such systems that
generally prohibit those activities; and (iii) the notice given to public users of the information
system includes a description of the authorized uses of the system.
5.5.5 Session Lock
The information system shall prevent further access to the system by initiating a session lock
after a maximum of 30 minutes of inactivity, and the session lock remains in effect until the user
reestablishes access using appropriate identification and authentication procedures. Users shall
directly initiate session lock mechanisms to prevent inadvertent viewing when a device is
unattended. A session lock is not a substitute for logging out of the information system. In the
interest of officer safety, devices that are: (1) part of a police vehicle; or (2) used to perform
dispatch functions and located within a physically secure location, are exempt from this
requirement. Note: an example of a session lock is a screen saver with password.
2/09/2011 29
CJISD- ITS -DOC- 08140 -5.0 It V
5.5.6 Remote Access
The agency shall authorize, monitor, and control all methods of remote access to the information
system. Remote access is any temporary access to an agency's information system by a user (or
an information system) communicating temporarily through an external, non - agency - controlled
network (e.g., the Internet).
The agency shall employ automated mechanisms to facilitate the monitoring and control of
remote access methods. The agency shall control all remote accesses through managed access
control points. The agency may permit remote access for privileged functions only for
compelling operational needs but shall document the rationale for such access in the security
plan for the information system.
5.5.6.1 Personally Owned Information Systems
A personally owned information system shall not be authorized to access, process, store or
transmit CJI unless the agency has established and documented the specific terms and conditions
for personally owned information system usage.
This control does not apply to the use of personally owned information systems to access
agency's information systems and information that are intended for public access (e.g., an
agency's public website that contains purely public information).
5.5.6.2 Publicly Accessible computers
Utilizing publicly accessible computers to access, process, store or transmit CJI is prohibited.
Publicly accessible computers include but are not limited to: hotel business center computers,
convention center computers, public library computers, public kiosk computers, etc.
5.5.7 Wireless Access Restrictions
The agency shall: (i) establish usage restrictions and implementation guidance for wireless
technologies; and (ii) authorize, monitor, control wireless access to the information system.
Wireless technologies, in the simplest sense, enable one or more devices to communicate without
physical connections— without requiring network or peripheral cabling.
Examples of wireless technologies include, but are not limited to: 802.11x, cellular networks,
Bluetooth, satellite and microwave. Wireless technologies require at least the minimum security
applied to wired technology and, based upon the specific technology, may require some
additional security controls as described below.
5.5.7.1 All 802.11x Wireless Protocols
Agencies shall:
1. Perform validation testing to ensure rogue APs (Access Points) do not exist in the
802.11 Wireless Local Area Network (WLAN) and to fully understand the wireless
network security posture.
2. Maintain a complete inventory of all Access Points (APs) and 802.11 wireless
devices.
30
2/09/2011 )
C11SD4TS -DOC- 08140 -5.0 14 C�
3. Place APs in secured areas to prevent unauthorized physical access and user
manipulation.
4. Test AP range boundaries to determine the precise extent of the wireless coverage
and design the AP wireless coverage to limit the coverage area to only what is needed
for operational purposes.
5. Enable user authentication and encryption mechanisms for the management interface
of the AP.
6. Ensure that all APs have strong administrative passwords and ensure that all
passwords are changed in accordance with section 5.6.2.1.
7. Ensure the reset function on APs is used only when needed and is only invoked by
authorized personnel. Restore the APs to the latest security settings, when the reset
functions are used, to ensure the factory default settings are not utilized.
8. Change the default service set identifier (SSID) in the APs. Disable the broadcast
SSID feature so that the client SSID must match that of the AP. Validate that the
SSID character string does not contain any agency identifiable information (division,
department, street, etc.) or services.
9. Enable all security features of the wireless product, including the cryptographic
authentication, firewall, and other privacy features.
10. Ensure that encryption key sizes are at least 128 -bits and the default shared keys are
replaced by unique keys.
11. Ensure that the ad hoc mode has been disabled unless the environment is such that the
risk has been assessed and is tolerable. Note: some products do not allow disabling
this feature; use with caution or use different vendor.
12. Disable all nonessential management protocols on the APs and disable hypertext
transfer protocol (HTTP) when not needed or protect HTTP access with
authentication and encryption.
13. Enable logging (if supported) and review the logs on a recurring basis per local
policy. At a minimum logs shall be reviewed monthly.
14. Segregate, virtually (e.g. virtual local area network (VLAN) and ACLs) or physically
(e.g. firewalls), the wireless network from the operational wired infrastructure. Limit
access between wireless networks and the wired network to only operational needs.
15. When disposing of access points that will no longer be used by the agency, clear
access point configuration to prevent disclosure of network configuration, keys,
passwords, etc.
5.5.7.2 Legacy 802.11 Protocols
Wired Equivalent Privacy (WEP) and Wi -Fi Protected Access (WPA) cryptographic algorithms,
used by all pre- 802.11i protocols, do not meet the requirements for FIPS 140 -2 and are to be
used only if additional security controls are employed.
2/09/2011 31
C1ISD4TS -DOC- 08140 -5.0 I I f J )
Agencies shall follow the guidelines below regarding wireless implementation and cases where
the WEP and WPA security features are used to provide wireless security in conjunction with the
CJIS required minimum encryption specifications.
1. Deploy media access control (MAC) access control lists (ACL); however, MAC
ACLs do not represent a strong defense mechanism by themselves because they are
transmitted in the clear from WLAN clients to APs so they can be captured easily.
2. Enable WEP/WPA.
3. Ensure the default shared keys are replaced by more secure unique keys.
4. Enable utilization of key - mapping keys rather than default keys so that sessions are
unique when using WEP.
5.5.7.3 Cellular
Cellular telephones, smartphones (i.e. Blackberry, iPhones, etc.), personal digital assistants
(PDA), and "aircards" are examples of cellular handheld devices or devices that employ cellular
technology. Additionally, cellular handheld devices typically include Bluetooth, infrared, and
other wireless protocols capable of joining infrastructure networks or creating dynamic ad hoc
networks. Cellular devices are at risk due to a multitude of threats and consequently pose a risk
to the enterprise.
Threats to cellular handheld devices stem mainly from their size, portability, and available
wireless interfaces and associated services. Examples of threats to cellular handheld devices
include:
1. Loss, theft, or disposal.
2. Unauthorized access.
3. Malware.
4. Spam.
5. Electronic eavesdropping.
6. Electronic tracking (threat to security of data and safety of law enforcement officer).
7. Cloning (not as prevalent with later generation cellular technologies).
8. Server- resident data.
5.5.7.3.1 Cellular Risk Mitigations
Organizations shall, at a minimum, ensure that cellular devices:
1. Apply available critical patches and upgrades to the operating system.
2. Are configured for local device authentication.
3. Use advanced authentication.
4. Encrypt all CJI resident on the device.
5. Erase cached information when session is terminated.
6. Employ personal firewalls.
32
2/09/2011 �Q�
CJ ISD- ITS -DOC- 08140 -5.0
7. Employ antivirus software.
5.5.7.3.2 Voice Transmissions Over Cellular Devices
Any cellular device used to transmit CJI via voice is exempt from the encryption and
authentication requirements when an officer determines there is an immediate need for the CJI to
further an investigation or situations affecting the safety of an officer or the general public.
5.5.7.4 Bluetooth
Bluetooth is an open standard for short-range radio frequency (RF) communication and is used
primarily to establish wireless personal area networks (WPAN), commonly referred to as ad hoc
networks or piconets. A piconet is composed of two or more Bluetooth devices in close physical
proximity that operate on the same channel using the same frequency hopping sequence and can
scale to include up to seven active slave devices and up to 255 inactive slave devices. Bluetooth
voice and data transfer technology has been integrated into many types of business and consumer
devices, including cellular phones, personal digital assistants (PDA), laptops, automobiles,
printers, and headsets.
Bluetooth does not provide end -to -end, audit, or non - repudiation security services. If such
services are needed, they shall be provided through additional, higher -layer means in addition to
the Bluetooth specification and 802.11 standards.
The cryptographic algorithms employed by the Bluetooth standard are not FIPS approved. When
communications require FIPS- approved cryptographic protection, this can be achieved by
employing application -level FIPS - approved encryption over the native Bluetooth encryption.
Agencies shall:
1. Provide users with a list of precautionary measures they should take to better protect
handheld Bluetooth devices from theft. The organization and its employees should be
responsible for its wireless technology components because theft of those components
could lead to malicious activities against the organization's information system resource.
2. Maintain a complete inventory of all Bluetooth- enabled wireless devices and addresses
(BD _ADDRs). A complete inventory of Bluetooth- enabled wireless devices can be
referenced when conducting an audit that searches for unauthorized use of wireless
technologies.
3. Change the default setting of the Bluetooth device to reflect the organization's security
policy. Because default settings are generally not secure, a careful review of those
settings should be performed to ensure that they comply with the organization's security
policy.
4. Set Bluetooth devices to the lowest necessary and sufficient power level so that
transmissions remain within the secure perimeter of the organization. Setting Bluetooth
devices to the lowest necessary and sufficient power level ensures a secure range of
access to authorized users. The use of Class 1 devices should be avoided due to their
extended range (approximately 100 meters).
5. Choose personal identification number (PIN) codes that are sufficiently random and long.
Avoid static and weak PINS, such as all zeroes. PIN codes should be random so that they
cannot be easily reproduced by malicious users. Longer PIN codes are more resistant to
2/09/2011 33
C11SD- ITS -DOC- 08140 -5.0 1 k
brute force attacks. For Bluetooth v2.0 (or earlier) devices, an eight- character
alphanumeric PIN shall be used.
6. For v2.1 devices using Secure Simple Pairing, avoid using the "Just Works" model. The
"Just Works" model does not provide protection against man-in -the- middle (MITM)
attacks. Devices that only support Just Works should not be procured if similarly
qualified devices that support one of the association models (i.e. Numeric Comparison,
Out of Band, or Passkey Entry) are available.
7. Bluetooth devices should be configured by default as, and remain, undiscoverable except
as needed for pairing. Bluetooth interfaces should be configured as non - discoverable,
which prevents visibility to other Bluetooth devices except when discovery is specifically
needed. Also, the default self - identifying or discoverable names provided on Bluetooth
devices should be changed to anonymous unidentifiable names.
8. Invoke link encryption for all Bluetooth connections regardless of how needless
encryption may seem (i.e. no Security Mode 1). Link encryption should be used to
secure all data transmissions during a Bluetooth connection; otherwise, transmitted data
is vulnerable to eavesdropping.
9. If multi -hop wireless communication is being utilized, ensure that encryption is enabled
on every link in the communication chain. Every link should be secured because one
unsecured link results in compromising the entire communication chain.
10. Ensure device mutual authentication is performed for all accesses. Mutual authentication
is required to provide verification that all devices on the network are legitimate.
11. Enable encryption for all broadcast transmission (Encryption Mode 3). Broadcast
transmissions secured by link encryption provide a layer of security that protects these
transmissions from user interception for malicious purposes.
12. Configure encryption key sizes to the maximum allowable. Using maximum allowable
key sizes provides protection from brute force attacks.
13. Establish a "minimum key size" for any negotiation process. Establishing minimum key
sizes ensures that all keys are long enough to be resistant to brute force attacks. See
Section 5.10.1.2 for minimum key encryption standards.
14. Use Security Mode 3 in order to provide link -level security prior to link establishment.
15. Users do not accept transmissions of any kind from unknown or suspicious devices.
These types of transmissions include messages, files, and images. With the increase in
the number of Bluetooth enabled devices, it is important that users only establish
connections with other trusted devices and only accept content from these trusted
devices.
5.5.8 References/Citations/Directives
Appendix I contains all of the references used in this policy and may contain additional sources
that apply to this section.
34
2/09/2011 \
CJ I SD.ITS-DOC-08 140-5.0
Figure 6 - A Local Police Department's Access Controls
A local police department purchased a new computer - assisted dispatch (CAD) system that
integrated with their state CSA's CJI interfaces. In doing so, the police department employed
least- privilege practices to ensure that its employees were only given those privileges needed
to perform their jobs, and as such, excluding IT administrators, employees had only non -
administrative privileges on all equipment they used. The police department also used ACLs
in the operating systems to control access to the CAD client's executables. The CAD system
used internal role -based access controls to ensure only those users that needed access to CJI
were given it. The police department performed annual audits of user accounts on all systems
under their control including remote access mechanisms, operating systems, and the CAD
system to ensure all accounts were in valid states. The police department implemented
authentication - failure account lockouts, system use notification via login banners, and screen -
saver passwords on all equipment that processes CJI.
2/09/2011 35 \
CJISD- ITS -DOC- 08140 -5.0 1 `Cdl
5.6 Policy Area 6: Identification and Authentication
The agency shall identify information system users and processes acting on behalf of users and
authenticate the identities of those users or processes as a prerequisite to allowing access to
agency information systems or services.
5.6.1 Identification Policy and Procedures
Each person who is authorized to store, process, and/or transmit CJI shall be uniquely identified.
A unique identification shall also be required for all persons who administer and maintain the
system(s) that access CJI or networks leveraged for CJI transit. The unique identification can
take the form of a full name, badge number, serial number, or other unique alphanumeric
identifier. Agencies shall require users to identify themselves uniquely before the user is
allowed to perform any actions on the system. Agencies shall ensure that all user IDs belong to
currently authorized users. Identification data shall be kept current by adding new users and
disabling and/or deleting former users.
5.6.1.1 Use of Originating Agency Identifiers in Transactions and Information
Exchanges
An FBI authorized originating agency identifier (ORI) shall be used in each transaction on CJIS
systems in order to identify the sending agency and to ensure the proper level of access for each
transaction. The original identifier between the requesting agency and the CSA/SIB /Channeler
shall be the ORI, and other agency identifiers, such as user identification or personal identifier,
an access device mnemonic, or the Internet Protocol (IP) address.
Agencies may act as a servicing agency and perform transactions on behalf of authorized
agencies requesting the service. Servicing agencies performing inquiry transactions on behalf of
another agency may do so using the requesting agency's ORI. Servicing agencies may also use
their own ORI to perform inquiry transactions on behalf of a requesting agency if the means and
procedures are in place to provide an audit trail for the current specified retention period.
Because the agency performing the transaction may not necessarily be the same as the agency
requesting the transaction, the CSA/SIB /Channeler shall ensure that the ORI for each transaction
can be traced, via audit trail, to the specific agency which is requesting the transaction.
Audit trails can be used to identify the requesting agency if there is a reason to inquire into the
details surrounding why an agency ran an inquiry on a subject. Agencies assigned a P (limited
access) ORI shall not use the full access ORI of another agency to conduct an inquiry
transaction.
5.6.2 Authentication Policy and Procedures
Authentication refers to mechanisms or processes that verify users are valid once they are
uniquely identified. The CSA/SIB may develop an authentication strategy which centralizes
oversight but decentralizes the establishment and daily administration of the security measures
for access to CJI.
Each individual's identity shall be authenticated at either the local agency, CSA, SIB or
Channeler level. The authentication strategy shall be part of the agency's audit for policy
compliance. The FBI CJIS Division shall identify and authenticate all individuals who establish
36
2/09/2011
C1ISD- ITS -DOC- 08140 -5.0 1l ta�
direct web -based interactive sessions with FBI CJIS Services. The FBI CJIS Division shall
authenticate the ORI of all message -based sessions between the FBI CJIS Division and its
customer agencies but will not further authenticate the user nor capture the unique identifier for
the originating operator because this function is performed at the local agency, CSA, SIB or
Channeler level.
5.6.2.1 Standard Authentication (Password)
Agencies shall follow the secure password attributes, below, to authenticate an individual's
unique ID. Passwords shall:
1. Be a minimum length of eight (8) characters on all systems.
2. Not be a dictionary word or proper name.
3. Not be the same as the Userid.
4. Expire within a maximum of 90 calendar days.
5. Not be identical to the previous ten (10) passwords.
6. Not be transmitted in the clear outside the secure location.
7. Not be displayed when entered.
5.6.2.2 Advanced Authentication
Advanced Authentication (AA) provides for additional security to the typical user identification
and authentication of login ID and password, such as: biometric systems, user -based public key
infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens, or
"Risk -based Authentication" that includes a software token element comprised of a number of
factors, such as network information, user information, positive device identification (i.e. device
forensics, user pattern analysis and user binding), user profiling, and high -risk
challenge /response questions.
5.6.2.2.1 Advanced Authentication Policy and Rationale
The requirement to use or not use AA is dependent upon the physical, personnel and technical
security controls associated with the user location. For example, AA shall not be required for
users requesting access to CJI from within the perimeter of a physically secure location (Section
5.9), when the technical security controls have been met (Sections 5.5 and 5.10). Conversely, if
the technical security controls have not been met AA shall be required even if the request for CJI
originates from within a physically secure location. Section 5.6.2.2.2 provides agencies with a
decision tree to help guide AA decisions.
INTERIM COMPLIANCE:
1. For interim compliance, users accessing CJI from devices associated with, and
located within, a police vehicle are exempt from the AA requirement until September
30th 2013 if the information system being used has not been procured or upgraded
anytime after September 30th, 2005. For the purposes of this policy, a police vehicle
is defined as an enclosed criminal justice conveyance with the capability to comply,
during operational periods, with Section 5.9.1.3.
2/09/2011 37
C1ISD- ITS -DOC- 08140 -5.0
2. Internet Protocol Security (IPSec) does not meet the 2011 requirements for advanced
authentication; however, agencies that have funded/implemented IPSec in order to
meet the AA requirements of CJIS Security Policy v.4.5 may continue to utilize
IPSec for AA until 2013. Examples:
a. A police officer runs a query for CJI from his/her laptop mounted in a police
vehicle. The police officer leverages a cellular network as the transmission
medium; authenticates the device using IPSec key exchange; and tunnels
across the cellular network using the IPSec virtual private network (VPN).
IPSec was funded and installed in order to meet the AA requirements of CJIS
Security Policy version 4.5. AA requirements are waived until 2013.
b. A detective accesses CJI from various locations while investigating a crime
scene. The detective uses an agency managed laptop with IPSec installed and
leverages a cellular network as the transmission medium. IPSec was funded
and installed in order to meet the AA requirements of CJIS Security Policy
version 4.5. AA requirements are waived until 2013.
EXCEPTION:
AA shall be required when the requested service has built AA into its processes and requires a
user to provide AA before granting access. EXAMPLES:
a. A user, irrespective of his/her location, accesses the LEO website. The LEO
has AA built into its services and requires AA prior to granting access. AA is
required.
b. A user, irrespective of their location, accesses a State's portal through which
access to CJI is facilitated. The State Portal has AA built into its processes
and requires AA prior to granting access. AA is required.
5.6.2.2.2 Advanced Authentication Decision Tree
The following AA Decision Tree, coupled with figures 8 and 9 below, assist decision makers in
determining whether or not AA is required.
1. Can request's originating location be determined physically?
If either (a) or (b) below are true the answer to the above question is "yes ". Proceed
to question 2.
a. The IP address is attributed to a physical structure; or
b. The mnemonic is attributed to a specific device assigned to a specific location
that is a physical structure.
If neither (a) or (b) above are true then the answer is "no ". Skip to question number
4.
2. Does request originate from within a physically secure location (that is not a police
vehicle) as described in section 5.9.1?
If either (a) or (b) below are true the answer to the above question is "yes ". Proceed
to question 3.
38
CJIS 011
CJISD- ITS- DOC- 08140 -5.0 la
a. The IP address is attributed to a physically secure location; or
b. If a mnemonic is used it is attributed to a specific device assigned to a specific
physically secure location.
If neither (a) or (b) above are true then the answer is "no". Decision tree completed.
AA required.
3. Are all required technical controls implemented at this location or at the controlling
agency?
If either (a) or (b) below are true the answer to the above question is "yes ". Decision
tree completed. AA requirement waived.
a. Appropriate technical controls listed in sections 5.5 and 5.10 are implemented;
or
b. The controlling agency (i.e. parent agency or agency leveraged as conduit to
FBI CJIS data) extends its wide area network controls down to the requesting
agency and the extended controls provide assurance equal or greater to the
controls listed in sections 5.5 and 5.10.
If neither (a) or (b) above are true then the answer is "no". Decision tree completed.
AA required.
4. Does request originate from an agency- managed user device?
If either (a) or (b) below are true the answer to the above question is "yes ". Proceed
to question 5.
a. The static IP address or MAC address can be traced to registered device; or
b. Certificates are issued to agency managed devices only and certificate
exchange is allowed only between authentication server and agency issued
devices.
If neither (a) or (b) above are true then the answer is "no". Decision tree completed.
AA required.
5. Is the agency managed user device associated with a law enforcement conveyance?
If any of the (a), (b), or (c) statements below is true the answer to the above question
is "yes ". Proceed to question 6.
a. The static IP address or MAC address is associated with a device associated
with a law enforcement conveyance; or
b. The certificate presented is associated with a device associated with a law
enforcement conveyance; or
c. The mnemonic presented is associated with a specific device assigned and that
device is attributed to a law enforcement conveyance.
If none of the (a), (b), or (c) statements above are true then the answer is "no". Skip
to question number 7.
2,09/2011 39 1 A0)
CJI SD- ITS -DOC- 08140 -5.0
6. Has there been an acquisition or upgrade since 2005?
If any of the (a), (b), (c), or (d) statements below are true the answer to the above
question is "yes ". Proceed to question number 7.
a. The "green- screen" MDTs have been replaced with laptops or other mobile
devices; or
b. An upgrade of technology exceeding 25% of the cost of the system being
upgraded has taken place; or
c. Any upgrade to the system encryption module has taken place; or
d. Any upgrade to the system that is not replacing like technology has taken
place.
If none of the (a), (b), (c), or (d) statements above are true then the answer is "no".
Decision tree completed. AA requirement waived.
7. Was IPSec implemented to meet the requirements of Policy Version 4.5?
If either (a) or (b) below are true the answer to the above question is "yes ". Decision
tree completed. AA requirement is waived.
a. The budget acquisition of IPSec was completed prior to January ls`, 2009 and
IPSec was subsequently implemented; or
b. Implementation of IPSec was completed prior to January 1", 2009.
If neither (a) or (b) above are true then the answer is "no". Decision tree completed.
AA required.
5.6.3 Identifier and Authenticator Management
The agency shall establish identifier and authenticator management processes.
5.6.3.1 Identifier Management
In order to manage user identifiers, agencies shall:
1. Uniquely identify each user.
2. Verify the identity of each user.
3. Receive authorization to issue a user identifier from an appropriate agency official.
4. Issue the user identifier to the intended party.
5. Disable the user identifier after a specified period of inactivity.
6. Archive user identifiers.
5.6.3.2 Authenticator Management
In order to manage information system authenticators, agencies shall:
1. Define initial authenticator content.
40
2 /09/2011
C1ISD- ITS -DOC- 08140 -5.0 (tCa )
Establish administrative procedures for initial authenticator distribution, for
lost/compromised, or damaged authenticators, and for revoking authenticators.
3. Change default authenticators upon information system installation.
4. Change /refresh authenticators periodically.
Information system authenticators include, for example, tokens, user -based PKI certificates,
biometrics, passwords, and key cards. Users shall take reasonable measures to safeguard
authenticators including maintaining possession of their individual authenticators, not loaning or
sharing authenticators with others, and immediately reporting lost or compromised
authenticators.
5.6.4 Assertions
Identity providers can be leveraged to identify individuals and assert the individual's identity to a
service or to a trusted broker who will in -turn assert the identity to a service. Assertion
mechanisms used to communicate the results of a remote authentication to other parties shall be:
1. Digitally signed by a trusted entity (e.g., the identity provider).
2. Obtained directly from a trusted entity (e.g. trusted broker) using a protocol where the
trusted entity authenticates to the relying party using a secure protocol (e.g. transport
layer security [TLS]) that cryptographically authenticates the verifier and protects the
assertion.
Assertions generated by a verifier shall expire after 12 hours and shall not be accepted thereafter
by the relying party.
5.6.5 References /Citations /Directives
Appendix C contains all of the references used in this policy and may contain additional sources
that apply to this section.
Figure 7 - A Local Police Department's Authentication Controls
During the course of an investigation, a detective accessed CH from a hotel room using an
agency issued mobile broadband card. To gain access, the detective first established the
remote session via a secure virtual private network (VPN) tunnel (satisfying the requirement
for encryption), then was challenged to enter both password and the value from a hardware
token (satisfying the requirement for advanced authentication). Once the detective's
credentials were validated, his identity was asserted by the infrastructure to all authorized
applications needed to complete his investigation.
2/09/2011
CJISD- ITS -DOC- 08140 -5.0 41\ 1Cc `\ )
•
r -1
U
0
Figure 8 - Authentication Decision for Known Location
Yes
Yes,
2/09/2011
CJ I S D- ITS -DOC- 08140 -5.0
Wil _FLIT, �m-I�I`��jIII�I��I�
42
k`f
c-1
E
C]
0
Figure 9 - Authentication Decision for Unknown Location
Incoming CJI
cress Reque,
Can requesfs p"cal
See Figure 8
Orginalirg locaflun tie es
No
94
Goes request >"nate
frorn an agercv-managed
14 o or Unknown
user device?
95
is he agency nanagod
user device assodat 2
with
a Law Enforcement
Cbnvftarte?
Yes
No or Unknown
Has there been an
acqLusition or upgracle since
20054
Was I PSec implamented to
r, of
No
meat the AA requirements Qf
Pcf;cy version
_—Yes Figure 9
0110112011
2/09/2011 43
CJISD-ITS-DOC-08140-5.0
5.7 Policy Area 7: Configuration Management
5.7.1 Access Restrictions for Changes
Planned or unplanned changes to the hardware, software, and/or firmware components of the
information system can have significant effects on the overall security of the system. The goal is
to allow only qualified and authorized individuals access to information system components for
purposes of initiating changes, including upgrades, and modifications. Section 5.5, Access
Control, describes agency requirements for control of privileges and restrictions.
5.7.1.1 Least Functionality
The agency shall configure the application, service, or information system to provide only
essential capabilities and shall specifically prohibit and/or restrict the use of specified functions,
ports, protocols, and/or services.
5.7.1.2 Network Diagram
The agency shall ensure that a complete topological drawing depicting the interconnectivity of
the agency network, to criminal justice information, systems and services is maintained in a
current status. See Appendix C for sample network diagrams.
The network topological drawing shall include the following:
1. All communications paths, circuits, and other components used for the interconnection,
beginning with the agency -owned system(s) and traversing through all interconnected
systems to the agency end - point.
2. The logical location of all components (e.g., firewalls, routers, switches, hubs, servers,
encryption devices, and computer workstations). Individual workstations (clients) do not
have to be shown; the number of clients is sufficient.
3. "For Official Use Only" (FOUO) markings.
4. The agency name and date (day, month, and year) drawing was created or updated.
5.7.2 Security of Configuration Documentation
The system configuration documentation often contains sensitive details (e.g. descriptions of
applications, processes, procedures, data structures, authorization processes, data flow, etc.)
Agencies shall protect the system documentation from unauthorized access consistent with the
provisions described in section 5.5 Access Control.
5.7.3 References /Citations /Directives
Appendix I contains all of the references used in this policy and may contain additional sources
that apply to this section.
44
2109/2011
CJISD- ITS -DOC- 08140 -5.0
Figure 10 - A Local Police Department's Configuration Management Controls
A local police department decided to update their CAD system, and in doing so tracked all
changes made to their infrastructure in a configuration management journal, updated their
network topology documents to include all new components in their architecture, then marked
all documentation as FOUO and stored them securely.
2/09/2011 45 `
CJISD- ITS -DOC- 08140 -5.0 ,lf��
5.8 Policy Area 8: Media Protection
Media protection policy and procedures shall be documented and implemented to ensure that
access to electronic and physical media in all forms is restricted to authorized individuals.
Procedures shall be defined for securely handling, transporting and storing media.
5.8.1 Media Storage and Access
The agency shall securely store electronic and physical media within physically secure locations
or controlled areas. The agency shall restrict access to electronic and physical media to
authorized individuals. If physical and personnel restrictions are not feasible then the data shall
be encrypted per section 5.10.1.2.
5.8.2 Media Transport
The agency shall protect and control electronic and physical media during transport outside of
controlled areas and restrict the activities associated with transport of such media to authorized
personnel.
5.8.2.1 Electronic Media in Transit
"Electronic media" means electronic storage media including memory devices in laptops and
computers (hard drives) and any removable, transportable digital memory media, such as
magnetic tape or disk, optical disk, flash drives, external hard drives, or digital memory card.
Controls shall be in place to protect electronic media containing CJI while in transport
(physically moved from one location to another) to help prevent compromise of the data.
Encryption, as defined in section 5.10.1.2 of this policy, is the optimal control during transport;
however, if encryption of the data isn't possible then each agency shall institute other controls to
ensure the security of the data.
5.8.2.2 Physical Media in Transit
The controls and security measures in this document also apply to CJI in physical (printed
documents, printed imagery, etc.) form. Physical media shall be protected at the same level as
the information would be protected in electronic form.
5.8.3 Electronic Media Sanitization and Disposal
The agency shall sanitize, that is, overwrite at least three times or degauss electronic media prior
to disposal or release for reuse by unauthorized individuals. Inoperable electronic media shall be
destroyed (cut up, shredded, etc.). The agency shall maintain written documentation of the steps
taken to sanitize or destroy electronic media. Agencies shall ensure the sanitization or
destruction is witnessed or carried out by authorized personnel.
5.8.4 Disposal of Physical Media
Physical media shall be securely disposed of when no longer required, using formal procedures.
Formal procedures for the secure disposal or destruction of physical media shall minimize the
risk of sensitive information compromise by unauthorized individuals. Physical media shall be
2/09/2011 46
CJISD - ITS -DOC- 08140 -5.0 I1( 1)
destroyed by shredding or incineration. Agencies shall ensure the disposal or destruction is
witnessed or carried out by authorized personnel.
5.8.5 References /Citations /Directives
Appendix I contains all of the references used in this policy and may contain additional sources
that apply to this section.
Figure 11 - A Local Police Department's Media Management Policies
A local police department implemented a replacement CAD system that integrated to their state's
CSA and was authorized to process CJI. The police department contracted with an off -site
media manager to store backups of their data in the contractor's vaults, but the contractor was
not authorized to process or store CJI. To ensure the confidentially of the police department's
data while outside its perimeter, they encrypted all data going to the contractor with Advanced
Encryption Standard (AES) -256. The police department rotated and reused media through the
contractor's vaults periodically, and when it required destruction, the police department
incinerated the media to irreversibly destroy any data on it.
CJIS 01I
CJIS o(d)
D- ITS- DOC -OS 140 -5.0
5.9 Policy Area 9: Physical Protection
Physical protection policy and procedures shall be documented and implemented to ensure CJI
and information system hardware, software, and media are physically protected through access
control measures.
5.9.1 Physically Secure Location
A physically secure location is a facility or an area, a room, or a group of rooms within a facility
with both the physical and personnel security controls sufficient to protect CJI and associated
information systems. The physically secure location is subject to criminal justice agency
management control; SIB control; FBI CJIS Security addendum; or a combination thereof.
Sections 5.9.1.1 — 5.9.1.9 describe the physical controls required in order to be considered a
physically secure location, while section 5.12 describes the minimum personnel security controls
required for unescorted access to a physically secure location.
For interim compliance, and for the sole purpose of meeting the advanced authentication policy,
a police vehicle shall be considered a physically secure location until September 3O`h 2013. For
the purposes of this policy, a police vehicle is defined as an enclosed criminal justice conveyance
with the capability to comply, during operational periods, with section 5.9.1.3.
5.9.1.1 Security Perimeter
The perimeter of physically secure location shall be prominently posted and separated from non-
secure locations by physical controls. Security perimeters shall be defined, controlled and
secured in a manner acceptable to the CSA or SIB.
5.9.1.2 Physical Access Authorizations
The agency shall develop and keep current a list of personnel with authorized access to the
physically secure location (except for those areas within the permanent facility officially
designated as publicly accessible) or shall issue credentials to authorized personnel.
5.9.1.3 Physical Access Control
The agency shall control all physical access points (except for those areas within the facility
officially designated as publicly accessible) and shall verify individual access authorizations
before granting access.
5.9.1.4 Access Control for Transmission Medium
The agency shall control physical access to information system distribution and transmission
lines within the physically secure location.
5.9.1.5 Access Control for Display Medium
The agency shall control physical access to information system devices that display CJI and shall
position information system devices in such a way as to prevent unauthorized individuals from
accessing and viewing CJI.
2/09/2011
CJ I SD- ITS -DOC- 08140 -5.0
48
1 lam)
5.9.1.6 Monitoring Physical Access
The agency shall monitor physical access to the information system to detect and respond to
physical security incidents.
5.9.1.7 Visitor Control
The agency shall control physical access by authenticating visitors before authorizing escorted
access to the physically secure location (except for those areas designated as publicly accessible).
The agency shall escort visitors at all times and monitor visitor activity.
5.9.1.8 Access Records
The agency shall maintain visitor access records to the physically secure location (except for
those areas officially designated as publicly accessible) that includes:
1. Name and agency of the visitor.
2. Signature of the visitor.
3. Form of identification.
4. Date of access.
5. Time of entry and departure.
6. Purpose of visit.
7. Name and agency of person visited.
The visitor access records shall be maintained for a minimum of one year. Designated officials
within the agency shall review the visitor access records frequently for accuracy and
completeness.
5.9.1.9 Delivery and Removal
The agency shall authorize and control information system - related items entering and exiting the
physically secure location.
5.9.2 Controlled Area
If an agency cannot meet all of the controls required for establishing a physically secure location,
but has an operational need to access or store CJI, the agency shall designate an area, a room, or
a storage container, as a "controlled area" for the purpose of day -to -day CJI access or storage.
The agency shall, at a minimum:
1. Limit access to the controlled area during CJI processing times to only those personnel
authorized by the agency to access or view CJI.
2. Lock the area, room, or storage container when unattended.
3. Position information system devices and documents containing CJI in such a way as to
prevent unauthorized individuals from access and view.
4. Follow the encryption requirements found in section 5.10.1.2 for electronic storage (i.e.
data "at rest") of CJI.
2/09/2011 49
CJISD4TS -DOC- 08140 -5.0 `
5.9.3 References /Citations /Directives
Appendix I contains all of the references used in this policy and may contain additional sources
that apply to this section.
Figure V - A Local Police Department's Physical Protection Measures
A local police department implemented a replacement CAD system that was authorized to
process CJI over an encrypted VPN tunnel to the state's CSA. The police department established
a physically separated wing within their precinct separated by locked doors, walls, and a
monitored security system within which CJI was processed by dispatchers, officers, and
detectives. Only those persons with the appropriate authorizations were permitted within this
wing unless accompanied by such a person. Within this secure wing the police department
further segregated the back -office information systems' infrastructure within a separately
controlled area restricted only to those authorized administrative personnel with a need to enter.
so \>
II
CJISD - t VC
1ISD- ITS- DOC -OS 140 -s.0 1
5.10 Policy Area 10: System and Communications Protection and
Information Integrity
Examples of systems and communications safeguards range from boundary and transmission
protection to securing an agency's virtualized environment. In addition, applications, services,
or information systems must have the capability to ensure system integrity through the detection
and protection against unauthorized changes to software and information. This section details
the policy for protecting systems and communications infrastructures.
5.10.1 Information Flow Enforcement
The network infrastructure shall control the flow of information between interconnected systems.
Information flow control regulates where information is allowed to travel within an information
system and between information systems (as opposed to who is allowed to access the
information) and without explicit regard to subsequent accesses to that information. In other
words, controlling how data moves from one place to the next in a secure manner. Examples of
controls that are better expressed as flow control than access control (see section 5.5) are:
1. Prevent CJI from being transmitted unencrypted across the public network.
2. Block outside traffic that claims to be from within the agency.
3. Do not pass any web requests to the public network that are not from the internal web
proxy.
Specific examples of flow control enforcement can be found in boundary protection devices (e.g.
proxies, gateways, guards, encrypted tunnels, firewalls, and routers) that employ rule sets or
establish configuration settings that restrict information system services or provide a packet
filtering capability.
5.10.1.1 Boundary Protection
The agency shall:
1. Control access to networks processing CJI.
2. Monitor and control communications at the external boundary of the information system
and at key internal boundaries within the system.
3. Ensure any connections to the Internet, other external networks, or information systems
occur through controlled interfaces (e.g. proxies, gateways, routers, firewalls, encrypted
tunnels). See Section 5.10.4.4 for guidance on personal firewalls.
4. Employ tools and techniques to monitor network events, detect attacks, and provide
identification of unauthorized use.
5. Ensure the operational failure of the boundary protection mechanisms do not result in any
unauthorized release of information outside of the information system boundary (i.e. the
device shall "fail closed" vs. "fail open ").
6. Allocate publicly accessible information system components (e.g. public Web servers) to
separate sub networks with separate, network interfaces. Publicly accessible information
2/09/2011 51
CJISD4TS -DOC- 08140 -5.0 p)
systems residing on a virtual host shall follow the guidance in section 5.10.3.2 to achieve
separation.
5.10.1.2 Encryption
1. Encryption shall be a minimum of 128 bit.
2. When CH is transmitted outside the boundary of the physically secure location, the data
shall be immediately protected via cryptographic mechanisms (encryption).
EXCEPTIONS: See sections 5.5.7.3.2 and 5.10.2.
3. When CJI is at rest (i.e. stored electronically) outside the boundary of the physically
secure location, the data shall be protected via cryptographic mechanisms (encryption).
4. When encryption is employed, the cryptographic module used shall be certified to meet
FIPS 140 -2 standards.
Note 1: Subsequent versions of approved cryptographic modules that are under current
review for FIPS 140 -2 compliancy can be used in the interim until certification is
complete.
Note 2: While FIPS 197 (Advanced Encryption Standard) certification is desirable, a
FIPS 197 certification alone is insufficient as the certification is for the algorithm only vs.
the FIPS 140 -2 standard which certifies the packaging of an implementation.
5. For agencies using public key infrastructure technology, the agency shall develop and
implement a certificate policy and certification practice statement for the issuance of
public key certificates used in the information system. Registration to receive a public
key certificate shall:
a) Include authorization by a supervisor or a responsible official.
b) Be accomplished by a secure process that verifies the identity of the certificate
holder.
c) Ensure the certificate is issued to the intended party.
5.10.1.3 Intrusion Detection Tools and Techniques
The agency shall implement network -based and/or host -based intrusion detection tools.
The CSA/SIB shall, in addition:
1. Monitor inbound and outbound communications for unusual or unauthorized activities.
2. Send individual intrusion detection logs to a central logging facility where correlation and
analysis will be accomplished as a system wide intrusion detection effort.
3. Employ automated tools to support near -real -time analysis of events in support of
detecting system -level attacks.
5.10.1.4 Voice Over Internet Protocol
Appropriate agency officials must explicitly authorize the use of Voice over Internet Protocol
(VoIP). Agencies using the VoIP protocol shall:
2/0912011 52
CJISD- ITS- DOC-08140 -5.0 1
1. Establish usage restrictions and implementation guidance for VoIP technologies.
2. Document, monitor and control the use of VoIP within the agency.
5.10.2 Facsimile Transmission of CJI
CJI transmitted via facsimile is exempt from encryption requirements.
5.10.3 Partitioning and Virtualization
As resources grow scarce, agencies are increasing the centralization of applications, services, and
system administration. Advanced software now provides the ability to create virtual machines
that allows agencies to reduce the amount of hardware needed. Although the concepts of
partitioning and virtualization have existed for a while, the need for securing the partitions and
virtualized machines has evolved due to the increasing amount of distributed processing and
federated information sources now available across the Internet.
5.10.3.1 Partitioning
The application, service, or information system shall separate user functionality (including user
interface services) from information system management functionality.
The application, service, or information system shall physically or logically separate user
interface services (e.g. public web pages) from information storage and management services
(e.g. database management). Separation may be accomplished through the use of one or more of
the following:
1. Different computers.
2. Different central processing units.
3. Different instances of the operating system.
4. Different network addresses.
5. Other methods approved by the FBI CJIS ISO.
5.10.3.2 Virtualization
Virtualization refers to a methodology of dividing the resources of a computer (hardware and
software) into multiple execution environments. Virtualized environments are authorized for
criminal justice and noncriminal justice activities. In addition to the security controls described
in this policy, the following additional controls shall be implemented in a virtual environment:
1. Isolate the host from the virtual machine. In other words, virtual machine users cannot
access host files, firmware, etc.
2. Maintain audit logs for all virtual machines and hosts and store the logs outside the hosts'
virtual environment.
3. Virtual Machines that are Internet facing (web servers, portal servers, etc.) shall be
physically separate from Virtual Machines that process CJI internally.
4. Device drivers that are "critical" shall be contained within a separate guest.
2/09/2011 53
CJ I S D- I TS- DOC- 08140 -5.0
The following are additional technical security control best practices and should be implemented
wherever feasible:
I . Encrypt network traffic between the virtual machine and host.
2. Implement IDS and IPS monitoring within the virtual machine environment.
3. Virtually firewall each virtual machine from each other (or physically firewall each
virtual machine from each other with an application layer firewall) and ensure that only
allowed protocols will transact.
4. Segregate the administrative duties for the host.
Appendix G provides some reference and additional background information on virtualization.
5.10.4 System and Information Integrity Policy and Procedures
5.10.4.1 Patch Management
The agency shall identify applications, services, and information systems containing software or
components affected by recently announced software flaws and potential vulnerabilities resulting
from those flaws.
The agency (or the software developer /vendor in the case of software developed and maintained
by a vendor /contractor) shall develop and implement a local policy that ensures prompt
installation of newly released security relevant patches, service packs and hot fixes. Local
policies should include such items as:
1. Testing of appropriate patches before installation.
2. Rollback capabilities when installing patches, updates, etc.
3. Automatic updates without individual user intervention.
4. Centralized patch management.
Patch requirements discovered during security assessments, continuous monitoring or incident
response activities shall also be addressed expeditiously.
5.10.4.2 Malicious Code Protection
The agency shall implement malicious code protection that includes automatic updates for all
systems with Internet access. Agencies with systems not connected to the Internet shall
implement local procedures to ensure malicious code protection is kept current (i.e. most recent
update available).
The agency shall employ virus protection mechanisms to detect and eradicate malicious code
(e.g., viruses, worms, Trojan horses) at critical points throughout the network and on all
workstations, servers and mobile computing devices on the network. The agency shall ensure
malicious code protection is enabled on all of the aforementioned critical points and information
systems and resident scanning is employed.
5.10.4.3 Spam and Spyware Protection
The agency shall implement spam and spyware protection.
2/09/2011 54
CJISD - ITS -DOC- 08140 -5.0 1 d)
The agency shall:
1. Employ spam protection mechanisms at critical information system entry points (e.g.
firewalls, electronic mail servers, remote - access servers).
2. Employ spyware protection at workstations, servers and/or mobile computing devices on
the network.
3. Use the spam and spyware protection mechanisms to detect and take appropriate action
on unsolicited messages and spyware /adware, respectively, transported by electronic
mail, electronic mail attachments, Intemet accesses, removable media (e.g. diskettes or
compact disks) or other removable media as defined in this policy document.
5.10.4.4 Personal Firewall
A personal firewall shall be employed on all devices that are mobile by design (i.e. laptops,
handhelds, personal digital assistants, etc.). For the purpose of this policy, a personal firewall is
an application that controls network traffic to and from a computer, permitting or denying
communications based on policy. At a minimum, the personal firewall shall perform the
following activities:
1. Manage program access to the Intemet.
2. Block unsolicited requests to connect to the PC.
3. Filter incoming traffic by IP address or protocol.
4. Filter incoming traffic by destination ports.
5. Maintain an IP traffic log.
5.10.4.5 Security Alerts and Advisories
The agency shall:
1. Receive information system security alerts /advisories on a regular basis.
2. Issue alerts /advisories to appropriate personnel.
3. Document the types of actions to be taken in response to security alerts /advisories.
4. Take appropriate actions in response.
5. Employ automated mechanisms to make security alert and advisory information available
throughout the agency as appropriate.
5.10.4.6 Information Input Restrictions
The agency shall restrict the information input to any connection to FBI CJIS services to
authorized personnel only.
Restrictions on personnel authorized to input information to the information system may extend
beyond the typical access controls employed by the system and include limitations based on
specific operational /project responsibilities.
2/09/2011 55
CJISD- ITS -DOC- 08140 -5.0 \1 O)
5.10.5 References/Citations/Directives
Appendix I contains all of the references used in this policy and may contain additional sources
that apply to this section.
Figure 13 - A Local Police Department's Information Systems & Communications Protections
A local police department implemented a replacement CAD system within a physically secure
location that was authorized to process CJI using a FIPS 140 -2 encrypted VPN tunnel over the
Internet to the state's CSA. In addition to the policies, physical and personnel controls already in
place, the police department employed firewalls both at their border and at key points within
their network, intrusion detection systems, a patch - management strategy that included automatic
patch updates where possible, virus scanners, spam and spyware detection mechanisms that
update signatures automatically, and subscribed to various security alert mailing lists and
addressed vulnerabilities raised through the alerts as needed.
56
2/09/2011
CJISD - ITS -DOC- 08140 -5.0
5.11 Policy Area 11: Formal Audits
Formal audits are conducted to ensure compliance with applicable statutes, regulations and
policies.
5.11.1 Audits by the FBI CJIS Division
5.11.1.1 Triennial Compliance Audits by the FBI CJIS Division
The FBI CJIS Division is authorized to conduct audits, once every three (3) years as a minimum,
to assess agency compliance with applicable statutes, regulations and policies. The CJIS Audit
Unit (CAU) shall conduct a triennial audit of each CSA in order to verify compliance with
applicable statutes, regulations and policies. This audit shall include a sample of CJAs and, in
coordination with the SIB, the NCJAs. Audits may be conducted on a more frequent basis if the
audit reveals that an agency has not complied with applicable statutes, regulations and policies.
The FBI CJIS Division shall also have the authority to conduct unannounced security inspections
and scheduled audits of Contractor facilities.
5.11.1.2 Triennial Security Audits by the FBI CJIS Division
The FBI CJIS Division is authorized to conduct security audits of the CSA and SIB networks and
systems, once every three (3) years as a minimum, to assess agency compliance with the CJIS
Security Policy. This audit shall include a sample of CJAs and NCJAs. Audits may be
conducted on a more frequent basis if the audit reveals that an agency has not complied with the
CJIS Security Policy.
5.11.2 Audits by the CSA
Each CSA shall:
1. At a minimum, triennially audit all CJAs and NCJAs which have direct access to the state
system in order to ensure compliance with applicable statutes, regulations and policies.
2. In coordination with the SIB, establish a process to periodically audit all NCJAs, with
access to CJI, in order to ensure compliance with applicable statutes, regulations and
policies.
3. Have the authority to conduct unannounced security inspections and scheduled audits of
Contractor facilities.
5.11.3 Special Security Inquiries and Audits
All agencies having access to CJI shall permit an inspection team to conduct an appropriate
inquiry and audit of any alleged security violations. The inspection team shall be appointed by
the APB and shall include at least one representative of the CJIS Division. All results of the
inquiry and audit shall be reported to the APB with appropriate recommendations.
5.11.4 References /Citations /Directives
Appendix I contains all of the references used in this policy and may contain additional sources
that apply to this section.
2109/2011 57
CISD- ITS -DOC- 08140 -5.0 j \P)
Figure 14 - The Audit of a Local Police Department
A local police department implemented a replacement CAD system that integrated to their state's
CSA and was authorized to process CJI. Shortly after the implementation, their state's CSA
The police
ss CJI.
conducted an audit of their policies, procedures, and systems that proce
department supplied all architectural and policy documentation, including detailed network
diagrams, to the auditors in order to assist them in the evaluation. The auditors discovered a
deficiency in the police department's systems and marked them "out" in this aspect of the FBI
CJIS Security Policy. The police department quickly addressed the deficiency and took
corrective action, notifying the auditors of their actions.
58
2/09/2011
CJIS ]I SD- ITS -DOC- 08140 -5.0
5.12 Policy Area 12: Personnel Security
Having proper security measures against the insider threat is a critical component for the CJIS
Security Policy. This section's security terms and requirements apply to all personnel who have
access to unencrypted CJI including those individuals with only physical or logical access to
devices that store, process or transmit unencrypted CJI.
5.12.1 Personnel Security Policy and Procedures
5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI:
1. To verify identification, a state of residency and national fingerprint -based record checks
shall be conducted within 30 days of assignment for all personnel who have direct access
to CJI and those who have direct responsibility to configure and maintain computer
systems and networks with direct access to CJI. When appropriate, the screening shall be
consistent with: (i) 5 CFR 731.106; (ii) Office of Personnel Management policy,
regulations, and guidance; and (iii) agency policy, regulations, and guidance. (See
Appendix J for applicable guidance regarding noncriminal justice agencies performing
adjudication of civil fingerprint submissions.) Federal entities bypassing state
repositories in compliance with federal law may not be required to conduct a state
fingerprint -based record check.
2. All requests for access shall be made as specified by the CSO. The CSO, or their
designee, is authorized to approve access to CJI. All CSO designees shall be from an
authorized criminal justice agency.
3. If a felony conviction of any kind exists, the hiring authority in the Interface Agency shall
deny access to CJI. However, the hiring authority may ask for a review by the CSO in
extenuating circumstances where the severity of the offense and the time that has passed
would support a possible variance.
4. If a record of any other kind exists, access to CJI shall not be granted until the CSO or
his/her designee reviews the matter to determine if access is appropriate.
5. If the person appears to be a fugitive or has an arrest history without conviction, the CSO
or his/her designee shall review the matter to determine if access to CJI is appropriate.
6. If the person is employed by a NCJA, the CSO or his/her designee, and, if applicable, the
appropriate board maintaining management control, shall review the matter to determine
if CJI access is appropriate. This same procedure applies if this person is found to be a
fugitive or has an arrest history without conviction.
7. If the person already has access to CJI and is subsequently arrested and or convicted,
continued access to CJI shall be determined by the CSO. This does not implicitly grant
hiring/firing authority with the CSA, only the authority to grant access to CJI.
8. If the CSO or his/her designee determines that access to CJI by the person would not be
in the public interest, access shall be denied and the person's appointing authority shall be
notified in writing of the access denial.
2/09/2011 59
CJISD- ITS -DOC- 08140 -5.0 1 f
9. Support personnel, contractors, and custodial workers with access to physically secure
locations or controlled areas (during CH processing) shall be subject to a state and
national fingerprint -based record check unless these individuals are escorted by
authorized personnel at all times.
It is recommended individual background re- investigations be conducted every five years unless
Rap Back is implemented.
5.12.1.2 Personnel Screening for Contractors and Vendors
In addition to meeting the requirements in paragraph 5.12.1.1, contractors and vendors shall meet
the following requirements:
1. Prior to granting access to CJI, the CGA on whose behalf the Contractor is retained shall
verify identification via a state of residency and national fingerprint -based record check.
2. If a record of any kind is found, the CGA shall be formally notified and system access
shall be delayed pending review of the criminal history record information. The CGA
shall in turn notify the Contractor- appointed Security Officer.
3. When identification of the applicant with a criminal history has been established by
fingerprint comparison, the CGA or the CJA (if the CGA does not have the authority to
view CHRI) shall review the matter.
4. A Contractor employee found to have a criminal record consisting of felony conviction(s)
shall be disqualified.
5. Applicants shall also be disqualified on the basis of confirmations that arrest warrants are
outstanding for such applicants.
6. The CGA shall maintain a list of personnel who have been authorized access to CJI and
shall, upon request, provide a current copy of the access list to the CSO.
Applicants with a record of misdemeanor offense(s) may be granted access if the CSO
determines the nature or severity of the misdemeanor offense(s) do not warrant disqualification.
The CGA may request the CSO to review a denial of access determination.
5.12.2 Personnel Termination
The agency, upon termination of individual employment, shall immediately terminate access to
CJI.
5.12.3 Personnel Transfer
The agency shall review CJI access authorizations when personnel are reassigned or transferred
to other positions within the agency and initiate appropriate actions such as closing and
establishing accounts and changing system access authorizations.
5.12.4 Personnel Sanctions
The agency shall employ a formal sanctions process for personnel failing to comply with
established information security policies and procedures.
2/09/2011 60
C1ISD- ITS -DOC- 08140 -5.0
5.12.5 References/Citations/Directives
Appendix I contains all of the references used in this policy and may contain additional sources
that apply to this section.
Figure 15 - A Local Police Department's Personnel Security Controls
A local police department implemented a replacement CAD system that integrated to their state's
CSA and was authorized to process CJI. In addition to the physical and technical controls
already in place, the police department implemented a variety of personnel security controls to
reduce the insider threat. The police department used background screening consistent with the
FBI CJIS Security Policy to vet those with unescorted access to areas in which CJI is processed,
including the IT administrators employed by a contractor and all janitorial staff. The police
department established sanctions against any vetted person found to be in violation of stated
policies. The police department re- evaluated each person's suitability for access to CJI every
five years.
2/09/2011 61
CJISD- ITS -DOC- 08140 -5.0 ' (!d)
APPENDIX A TERMS AND DEFINITIONS
Access to Criminal Justice Information — The physical or logical (electronic) ability, right or
privilege to view, modify or make use of Criminal Justice Information.
Administration of Criminal Justice — The detection, apprehension, detention, pretrial release,
post -trial release, prosecution, adjudication, correctional supervision, or rehabilitation of accused
persons or criminal offenders. It also includes criminal identification activities; the collection,
storage, and dissemination of criminal history record information; and criminal justice
employment. In addition, administration of criminal justice includes "crime prevention
P
rograms" to the extent access to criminal history record information is limited to law
enforcement agencies for law enforcement programs (e .g. record checks of individuals who
participate in Neighborhood Watch or "safe house" programs) and the result of such checks will
not be disseminated outside the law enforcement agency.
Agency Coordinator (AC) — A staff member of the Contracting Government Agency who
manages the agreement between the Contractor and agency.
Agency Liaison (AL) — Coordinator of activities between the criminal justice agency and the
noncriminal justice agency when responsibility for a criminal justice system has been delegated
by a criminal justice agency to a noncriminal justice agency, which has in turn entered into an
agreement with a contractor. The agency liaison shall, inter alia, monitor compliance with
system security requirements. In instances in which the noncriminal justice agency's authority is
directly from the CJIS systems agency, there is no requirement for the appointment of an agency
liaison.
Authorized User /Personnel — An individual, or group of individuals, who have been
appropriately vetted through a national fingerprint -based record check and have been granted
access to CJI data.
Authorized Recipient — (1) A criminal justice agency or federal agency authorized to receive
CHRI pursuant to federal statute or executive order; (2) A nongovernmental entity authorized by
federal statute or executive order to receive CHRI for noncriminal justice purposes; or (3) A
government agency authorized by federal statute or executive order, or state statute which has
been approved by the United States Attorney General to receive CHRI for noncriminal justice
purposes.
Availability — The degree to which information, a system, subsystem, or equipment is operable
and in a useable state; frequently represented as a proportion of time the element is in a
functioning condition.
Biographic Data — Information collected about individuals associated with a unique case, and
not necessarily connected to identity data. Biographic Data does not provide a history of an
individual, only information related to a unique case.
Biometric Data — When applied to CJI, it is used to identify individuals, and includes the
following types: finger prints, palm prints, DNA, iris, and facial recognition.
Case / Incident History — All relevant information gathered about an individual, organization,
incident, or combination thereof, arranged so as to serve as an organized record to provide
A -1
2/09/2011
OISD- ITS -DOC- 08140 -5.0
analytic value for a criminal justice organization. In regards to CJI, it is the information about
the history of criminal incidents.
Channeler — An FBI approved contractor, who has entered into an agreement with an
Authorized Recipient(s), to receive noncriminal justice applicant fingerprint submissions and
collect the associated fees. The Channeler ensures fingerprint submissions are properly and
adequately completed, electronically forwards fingerprint submissions to the FBI's CJIS Division
for national noncriminal justice criminal history record check, and receives electronic record
check results for dissemination to Authorized Recipients. A Channeler is essentially an
"expediter" rather than a user of criminal history record check results.
CJIS Advisory Policy Board (APB) — The governing organization within the FBI CJIS
Advisory Process composed of representatives from criminal justice and national security
agencies within the United States. The APB reviews policy, technical, and operational issues
relative to CJIS Division programs and makes subsequent recommendations to the Director of
the FBI.
CJIS Audit Unit (CAU) — The organization within the FBI CJIS Division responsible to
perform audits of CSAs to verify compliance with the CJIS Security Policy.
CJIS Security Policy — The FBI CJIS Security Policy document as published by the FBI CJIS
ISO; the document containing this glossary.
CJIS Systems Agency (CSA) — A duly authorized state, federal, international, tribal, or
territorial criminal justice agency on the CJIS network providing statewide (or equivalent)
service to its criminal justice users with respect to the CJIS data from various systems managed
by the FBI CJIS Division. There shall be only one CSA per state or territory. In federal
agencies, the CSA may be the interface or switch to other federal agencies connecting to the FBI
CJIS systems.
CJIS Systems Agency Information Security Officer (CSA ISO) — The appointed FBI CJIS
Division personnel responsible to coordinate information security efforts at all CJIS interface
agencies.
CJIS Systems Officer (CSO) — An individual located within the CJIS Systems Agency
responsible for the administration of the CJIS network on behalf for the CJIS Systems Agency.
Compact Council — The entity created by the National Crime Prevention and Privacy Compact
of 1998 that has the authority to promulgate rules and procedures governing the use of the III
system for noncriminal justice purposes.
Compact Officers — The leadership of the Compact Council, oversees the infrastructure
established by the National Crime Prevention and Privacy Compact Act of 1998, which is used
by ratifying states to exchange criminal records for noncriminal justice purposes. Their primary
responsibilities are to promulgate rules and procedures for the effective and appropriate use of
the III system.
Computer Security Incident Response Capability (CSIRC) — A collection of personnel,
systems, and processes that are used to efficiently and quickly manage a centralized response to
any sort of computer security incident which may occur.
Confidentiality — The concept of ensuring that information is observable only to those who
have been granted authorization to do so.
2/09/2011 A-2
CJIS D- ITS -DOC- 08140 -5.0
Contractor — A private business, agency or individual which has entered into an agreement for
the administration of criminal justice or noncriminal justice functions with a Criminal Justice
Agency or a Noncriminal Justice Agency. Also, a private business approved by the FBI CJIS
Division to contract with Noncriminal Justice Agencies to perform noncriminal justice functions
associated with civil fingerprint submission for hiring purposes.
Contracting Government Agency (CGA) — The government agency, whether a Criminal
Justice Agency or a Noncriminal Justice Agency, which enters into an agreement with a private
contractor.
Crime Reports Data — The data collected through the Uniform Crime Reporting program and
reported upon annually by the FBI CJIS division used to analyze the crime statistics for the
United States.
Criminal History Record Information (CHRI) — A subset of CJI. Any notations or other
written or electronic evidence of an arrest, detention, complaint, indictment, information or other
formal criminal charge relating to an identifiable person that includes identifying information
regarding the individual as well as the disposition of any charges.
Criminal Justice Agency (CJA) — The courts, a governmental agency, or any subunit of a
governmental agency which performs the administration of criminal justice pursuant to a statute
or executive order and which allocates a substantial part of its annual budget to the
administration of criminal justice. State and federal Inspectors General Offices are included.
Criminal Justice Agency User Agreement — A terms -of- service agreement that must be
signed prior to accessing CJI. This agreement is required by each CJA and spells out user's
responsibilities, the forms and methods of acceptable use, penalties for their violation,
disclaimers, and so on.
Criminal Justice Conveyance — A criminal justice conveyance is any mobile vehicle used for
the purposes of criminal justice activities with the capability to comply, during operational
periods, with the requirements of section 5.9.1.3.
Criminal Justice Information (CJI) — Criminal Justice Information is the abstract term used
to refer to all of the FBI CJIS provided data necessary for law enforcement agencies to perform
their mission and enforce the laws, including but not limited to: biometric, identity history,
person, organization, property, and case /incident history data. In addition, CJI refers to the FBI
CJIS - provided data necessary for civil agencies to perform their mission; including, but not
limited to data used to make hiring decisions.
Criminal Justice Information Services Division (FBI CJIS or CJIS) — The FBI division
responsible for the collection, warehousing, and timely dissemination of relevant CJI to the FBI
and to qualified law enforcement, criminal justice, civilian , academic, employment, and licensing
agencies.
Data — See Information and CJI.
Degauss — Neutralize a magnetic field to erase information from a magnetic disk or other
storage device. In the field of information technology, degauss has become synonymous with
erasing information whether or not the medium is magnetic. In the event the device to be
degaussed is not magnetic (e.g. solid state drive, USB storage device), steps other than magnetic
degaussing may be required to render the information irretrievable from the device.
A -3
2/09/2011 r
CJ IS 13- ITS- DOC-08140-5.0 t l�
Department of Justice (DoJ) — The Department within the U.S. Government responsible to
enforce the law and defend the interests of the United States according to the law, to ensure
public safety against threats foreign and domestic, to provide federal leadership in preventing
and controlling crime, to seek just punishment for those guilty of unlawful behavior, and to
ensure fair and impartial administration of justice for all Americans.
Direct Access — (1) Having the authority to access systems managed by the FBI CJIS Division,
whether by manual or automated methods, not requiring the assistance of, or intervention by, any
other party or agency (28 CFR, Chapter 1, Part 20). (2) Having the authority to query or update
national databases maintained by the FBI CJIS Division including national queries and updates
automatically or manually generated by the CSA.
Dissemination — The transmission/distribution of CH to Authorized Recipients within an
agency.
Federal Bureau of Investigation (FBI) — The agency within the DOJ responsible to protect
and defend the United States against terrorist and foreign intelligence threats, to uphold and
enforce the criminal laws of the United States, and to provide leadership and criminal justice
services to federal, state, municipal, and international agencies and partners.
FBI CJIS Information Security Officer (FBI CJIS ISO) — The FBI personnel responsible for
the maintenance and dissemination of the FBI CJIS Security Policy; the liaison between the FBI
and the CSA's ISOs and other relevant security points -of- contact (POCs); the provider of
technical guidance as to the intent and implementation of technical policy issues; the POC for
computer incident notification which also disseminates security alerts to the CSOs and ISOs.
Federal Information Security Management Act (FISMA) — The Federal Information
Security Management Act of 2002, a US Federal law that established information security
standards for the protection of economic and national security interests of the United States. It
requires each federal agency to develop, document, and implement an agency -wide program to
provide information security for the information and information systems that support the
operations and assets of the agency, including those provided or managed by another agency,
contractor, or other source.
For Official Use Only (FOLIO) — A caveat applied to unclassified sensitive information that
may be exempt from mandatory release to the public under the Freedom of Information Act
(FOIA), 5 U.S.0 522. In general, information marked FOUO shall not be disclosed to anybody
except Government (Federal, State, tribal, or local) employees or contractors with a need to
know.
Guest Operating System — An operating system that has emulated hardware presented to it by
a host operating system. Also referred to as the virtualized operating system.
Host Operating System — In the context of virtualization, the operating system that interfaces
with the actual hardware and arbitrates between it and the guest operating systems. It is also
referred to as a hypervisor.
Hypervisor — See Host Operating System.
Identity History Data — Textual data that corresponds with an individual's biometric data,
providing a history of criminal and/or civil events for the identified individual.
Information — See data and CJI.
2/09/2011 A -4
CJISD- ITS -DOC- 08140 -5.0
Information Exchange Agreement — An agreement that codifies the rules by which two
parties engage in the sharing of information. These agreements typically include language which
establishes some general duty -of -care over the other party's information, whether and how it can
be further disseminated, penalties for violations, the laws governing the agreement (which
establishes venue), procedures for the handling of shared information at the termination of the
agreement, and so on. This document will ensure consistency with applicable federal laws,
directives, policies, regulations, standards and guidance.
Information Security Officer (ISO) — Typically a member of an organization who has the
responsibility to establish and maintain information security policy, assesses threats and
vulnerabilities, performs risk and control assessments, oversees the governance of security
operations, and establishes information security training and awareness programs. The ISO also
usually interfaces with security operations to manage implementation details and with auditors to
verify compliance to established policies.
Information System — A system of people, data, and processes, whether manual or automated,
established for the purpose of managing information.
Integrated Automated Fingerprint Identification System (IAFIS) — The national fingerprint
and criminal history system maintained by the FBI CJIS Division that provides the law
enforcement community with automated fingerprint search capabilities, latent searching
capability, electronic image storage, and electronic exchange of fingerprints and responses.
Integrity — The perceived consistency of expected outcomes, actions, values, and methods of
an individual or organization. As it relates to data, it is the concept that data is preserved in a
consistent and correct state for its intended use.
Interconnection Security Agreement (ISA) — An agreement much like an Information
Exchange Agreement as mentioned above, but concentrating more on formalizing the technical
and security requirements pertaining to some sort of interface between the parties' information
systems.
Interface Agency — A legacy term used to describe agencies with direct connections to the
CSA. This term is now used predominantly in a common way to describe any sub - agency of a
CSA or SIB that leverages the CSA or SIB as a conduit to FBI CJIS information.
Interstate Identification Index (I11) — The CJIS service that manages automated submission
and requests for CHRI that is warehoused subsequent to the submission of fingerprint
information. Subsequent requests are directed to the originating State as needed.
Law Enforcement Online (LEO) — A secure, Intemet -based communications portal provided
by the FBI CJIS Division for use by law enforcement, first responders, criminal justice
professionals, and anti - terrorism and intelligence agencies around the globe. Its primary purpose
is to provide a platform on which various law enforcement agencies can collaborate on FOUO
matters.
Local Agency Security Officer (LASO) — The primary Information Security contact between
a local law enforcement agency and the CSA under which this agency interfaces with the FBI
CJIS Division. The LASO actively represents their agency in all matters pertaining to
Information Security, disseminates Information Security alerts and other material to their
constituents, maintains Information Security documentation (including system configuration
A -5
2/09/2011
CnSD- ITS -DOC- 08140 -5.0
data), assists with Information Security audits of hardware and procedures, and keeps the CSA
informed as to any Information Security needs and problems.
Management Control Agreement (MCA) — An agreement between parties that wish to share
or pool resources that codifies precisely who has administrative control over, versus overall
management and legal responsibility for, assets covered under the agreement. An MCA must
ensure the CJA's authority remains with regard to all aspects of section 3.2.2. The MCA usually
results in the CJA having ultimate authority over the CJI supporting infrastructure administered
by the NCJA.
National Crime Information Center (NCIC) — An information system which stores CJI
which can be queried by appropriate Federal, state, and local law enforcement and other criminal
J ustice agencies.
National Instant Criminal Background Check System (NICS) — A system mandated by the
Brady Handgun Violence Prevention Act of 1993 that is used by Federal Firearms Licensees
(FFLs) to instantly determine via telephone or other electronic means whether the transfer of a
firearm would be in violation of Section 922 (g) or (n) of Title 18, United States Code, or state
law, by evaluating the prospective buyer's criminal history.
National Institute of Standards and Technology (KIST) — Founded in 1901, NIST is a non-
regulatory federal agency within the U.S. Department of Commerce whose mission is to promote
U.S. innovation and industrial competitiveness by advancing measurement science, standards,
and technology in ways that enhance economic and national security.
Noncriminal Justice Agency (NCJA) — A governmental agency, or any subunit thereof, that
provides services primarily for purposes other than the administration of criminal justice.
Examples of services include, but not limited to, employment suitability, licensing
determinations, immigration and naturalization matters, and national security clearances.
NCJA (Government) — A Federal, state, local, or tribal governmental agency or any subunit
thereof whose charter does not include the responsibility to administer criminal justice, but may
have a need to process CJI. An example would be the central IT organization within a state
government that administers equipment on behalf of a state law- enforcement agency.
NCJA (Private) — A private agency or subunit thereof whose charter does not include the
responsibility to administer criminal justice, but may have a need to process CJI. An example
would include a local bank.
NCJA (Public) — A public agency or sub -unit thereof whose charter does not include the
responsibility to administer criminal justice, but may have a need to process CJI. An example
would include a county school board which uses CHRI to assist in employee hiring decisions.
Noncriminal Justice Purpose — The uses of criminal history records for purposes authorized
by federal or state law other than purposes relating to the administration of criminal justice,
including employment suitability, licensing determinations, immigration and naturalization
matters, and national security clearances.
Office of Management and Budget (OMB) — The agency within the Executive Branch of the
Federal government responsible to oversee the preparation of the federal budget, to assist in the
supervision of other Executive Branch agencies, and to oversee and coordinate the Presidential
Administration's procurement, financial management, information, and regulatory policies.
2/09/2011 A -6
C1ISD- ITS -DOC- 08140 -5.0 it r _I
Outsourcing — The process of delegating in -house operations to a third -party. For instance,
when the administration of criminal justice functions (network operations, dispatch functions,
system administration operations, etc.) are performed for the criminal justice agency by a city or
county information technology department or are contracted to be performed by a vendor.
Outsourcing Standard — National Crime Prevention and Privacy Compact Council's
Outsourcing Standard. The Compact Council's uniform standards and processes for the
interstate and Federal -State exchange of criminal history records for noncriminal justice
purposes.
Physically Secure Location — A facility or an area, a room, or a group of rooms, within a
facility with both the physical and personnel security controls sufficient to protect CH and
associated information systems. For interim compliance, a police vehicle shall be considered a
physically secure location until September 30th, 2013. For the purposes of this policy, a police
vehicle is defined as an enclosed criminal justice conveyance with the capability to comply,
during operational periods, with section 5.9.1.3.
Personal Firewall — An application which controls network traffic to and from a computer,
permitting or denying communications based on a security policy.
Personally Identifiable Information (PII) — PII is information which can be used to
distinguish or trace an individual's identity, such as name, social security number, or biometric
records, alone or when combined with other personal or identifying information which is linked
or linkable to a specific individual, such as date and place of birth, or mother's maiden name.
Property Data — Information about vehicles and property associated with a crime.
Rap Back — An IAFIS service that allows authorized agencies to receive notification of
subsequent criminal activity reported to the FBI committed by persons of interest.
Repository Manager — The designated manager of the agency having oversight responsibility
for a CSA's fingerprint identification services. If both state fingerprint identification services
and CJIS systems control are managed within the same state agency, the repository manager and
CSO may be the same person.
Secondary Dissemination — The promulgation of CJI from a releasing agency to an authorized
recipient agency when the recipient agency has not been previously identified in a formal
information exchange agreement.
Security Addendum (SA) — A uniform addendum to an agreement between the government
agency and a private contractor, approved by the Attorney General of the United States, which
specifically authorizes access to criminal history record information, limits the use of the
information to the purposes for which it is provided, ensures the security and confidentiality of
the information consistent with existing regulations and the CJIS Security Policy, provides for
sanctions, and contains such other provisions as the Attorney General may require.
Sensitive But Unclassified (SBU) — Designation of information in the United States federal
government that, though unclassified, often requires strict controls over its distribution. SBU is a
broad category of information that includes material covered by such designations as For Official
Use Only (FOUO), Law Enforcement Sensitive (LES), Sensitive Homeland Security
Information, Security Sensitive Information (SSI), Critical Infrastructure Information (CII), etc.
Some categories of SBU information have authority in statute or regulation (e.g. SSI, CII) while
2/09/2011 A -7
CJISD- ITS -DOC- 08140 -5.0 ( it ))
others, including FOUO, do not. As of May 9, 2008, the more appropriate terminology to use is
Controlled Unclassified Information (CUI).
Service — The organized system of apparatus, appliances, personnel, etc, that supply some
tangible benefit to the consumers of this service. In the context of CJI, this usually refers to one
of the applications that can be used to process CJI.
Shredder — A device used for shredding documents, often as a security measure to prevent
unapproved persons from reading them. Strip -cut shredders, also known as straight -cut or
spaghetti -cut, slice the paper into long, thin strips but are not considered secure. Cross -cut
shredders provide more security by cutting paper vertically and horizontally into confetti -like
pieces.
Social Engineering — The act of manipulation people into performing actions or divulging
confidential information. While similar to a confidence trick or simple fraud, the term typically
applies to trickery or deception for the purpose of information gathering, fraud, or computer
system access; in most cases the attacker never comes face -to -face with the victim.
Software Patch — A piece of software designed to fix problems with, or update, a computer
program or its supporting data. This includes fixing security vulnerabilities and other bugs and
improving the usability or performance. Though meant to fix problems, poorly designed patches
can sometimes introduce new problems. As such, patches should be installed in a test
environment prior to being installed in a live, operational system. Patches often can be found in
multiple locations but should be retrieved only from sources agreed upon through organizational
policy.
State and Federal Agency User Agreement — A written agreement that each CSA or SIB
Chief shall execute with the FBI CJIS Division stating their willingness to demonstrate
conformance with the FBI CJIS Security Policy prior to the establishment of connectivity
between organizations. This agreement includes the standards and sanctions governing use of
CJIS systems, as well as verbiage to allow the FBI to periodically audit the CSA as well as to
allow the FBI to penetration test its own network from the CSA's interfaces to it.
State Compact Officer — The representative of a state that is party to the National Crime
Prevention and Privacy Compact, and is the chief administrator of the state's criminal history
record repository or a designee of the chief administrator who is a regular full -time employee of
the repository.
State Identification Bureau (SIB) — The state agency with the responsibility for the state's
fingerprint identification services.
State Identification Bureau (SIB) Chief — The SIB Chief is the designated manager of state's
SIB. If both state fingerprint identification services and CJIS systems control are managed
within the same state agency, the SIB Chief and CSO may be the same person.
System — Refer to connections to the FBI's criminal justice information repositories and the
equipment used to establish said connections. In the context of CJI, this usually refers to
applications and all interconnecting infrastructure required to use those applications that process
CJI.
2/09/2011 A-8
CJISD- ITS -DOC- 08140 -5.0 11 /Ct )
Terminal Agency Coordinator (TAC) — Serves as the point -of- contact at the local agency for
matters relating to CJIS information access. A TAC administers CJIS systems programs within
the local agency and oversees the agency's compliance with CJIS systems policies.
Virtualization — Refers to a methodology of dividing the resources of a computer (hardware
and software) into multiple execution environments, by applying one or more concepts or
technologies such as hardware and software partitioning, time - sharing, partial or complete
machine simulation or emulation allowing multiple operating systems, or images, to run
concurrently on the same hardware.
2/09/2011 A -9
C11SD- ITS -DCC- 08140 -5.0 1 1Cd,
LJ
APPENDIX B ACRONYMS
2/09/2011 B-1
CJISD-ITS-DOC-08140-5.0 I I cp`)
AA
AC
ACL
AES
............. 11 ................ . . . ........... ......... . ..... ................................ . .. . . . ...........
AP
Advanced Authentication
... .... ....... ................ ... . ........
Agency Coordinator
.... . .. . ......... 11 ... . ............. . . . . .... . .. . . .......... . . . .... . ........... . . .....
Access Control List
Advanced Encryption Standard
.............. - -- I .. . . . ............ . . . .............................. . . .. . . .............. . ... . . . . ..... ... . . ..... .. . . . .................................. . .. . ................ .................... .............. .
Access Point
APB
.. . .. . . ... . .. . ................................ . .. . . . ............ -.- . . . ...........
Advisory Policy Board
...... ... . .. . . ........ . . . .......... . . . .... . ....... . .......... . . . . .
BD-ADDR
--.1 .......... . . ....... ...................... . . . . . . . ....................... . . . ....... . . .........
. .. . ....... ........................ . .. . .. . ...... . .... . . . . . . ................ . ....... . .... .. . .............. . .....
Bluetooth-Enabled Wireless Devices and Addresses
-.- ... ..... . ... . ..... ...1--.1
CAD
............... . . . . .............................
.. . .. . .............. ............... - . ..... - ......... ............ . . . ...... . - --------
Computer-Assisted Dispatch
.. .. . .......... . .. . . ......... . ........... . . . ... . ....................... . . . ....... . ............. ......
CAU
I . ........... .. . .... .............. . . . ............ . ... . .. . .....
CJIS Audit Unit
•.......
. ..... . . .......................... . ......... . ............ . . . ... . ..............
---- ....... . ..... . . . ........ ..... .......... .. .............. . .. . ................. . ........ . . ..... . .. . . ....
CFR
.................................................................... .. . . .. .......... .....................
Code of Federal Regulations
............. - ----- ............ I .............. -- .. . ........................... -- . . .. . ........ -- ... . . . . ...............................
CGA
......... . . ... . ......
. ........... . ............ .......... . . .... ........ . . . .. . ..... ......
Contracting Government Agency
...... . ...... ------ ---
CHRI
Criminal History Record Information
CJA
Criminal Justice Agency
. . ................. ... ................ . .................... . .. . . .......................... .. . . . .............
Cil
. . ................... . .... .. .. ... ---- . ..... . ............. . . . .....
........... I .... .... . ............. . I ....... . ............. . ... . . .... .............. . ... ............ .................. ..... . .................... .......... . .. . ..... . ........... ............... ... .. . ................
Criminal Justice Information
..........
. .
CJIS
... . ..... . ........
. .. . - . . .... . . . .............. I -
Criminal Justice Information Services
Con0ps
.. ........... .... . .................... . . ...........
Concept of Operations
CSA
................... I .............. ...................... . . ..... . ..... . . . . .............. ...........
CJIS Systems Agency
I ......... . .... -.- ....................... ---- . ............. . .. . ...... . . . ............. . ................... ......................................... . ................
CSIRC
......... . . . .... . ..................
Computer Security Incident Response Capability
.. . .. .. .... .... ....... ... . -- "..- . . ....... -.-
CSO
.................. . ... . ........ . ................ . ...... . .. . ................. . . . . . .... . ...
CJIS Systems Officer
. .......... . .......... . . . . . . . . . ....................
DAA
. . . ........ . ........
Designated Approving Authority
DoJ
...... ........... .. .- ......................................... ..........
Department of Justice
........... I I -- ...... . ....................... I..., I.".'"' .... . .... . . . .. . ...... . .................
DoJCERT I
. ......... . . .......... ............. . .. . . . . ............ ....................................... . .....
DOJ Computer Emergency Response Team
2/09/2011 B-1
CJISD-ITS-DOC-08140-5.0 I I cp`)
FBI
Federal Bureau of Investigation
FIPS
Federal Information Processing Standards
FISMA
Federal Information Security Management Act
FOIA
Freedom of Information Act
FOUO
For Official Use Only
HTTP
Hypertext Transfer Protocol
IAFIS
Integrated Automated Fingerprint Identification System
IDS
Intrusion Detection System
III
Interstate Identification Index
IP
Internet Protocol
IPS
Intrusion Prevention System
IPSEC
Internet Protocol Security
ISA
Interconnection Security Agreement
ISO
Information Security Officer
IT
Information Technology
LASO
Local Agency Security Officer
LEO
Law Enforcement Online
MAC
Media Access Control
MCA
Management Control Agreement
MITM
Man-in- the - Middle
MOU
Memorandum of Understanding
NCIC
National Crime Information Center
NCJA
Noncriminal Justice Agency
NICS
National Instant Criminal Background Check System
NIST
National Institute of Standards and Technology
2/09/2011 B-z
C1ISD. ITS -DOC- 08140 -5.0 IV)
OMB
Office of Management and Budget
ORI
................... .
Originating Agency Identifier
PDA
Personal Digital Assistant
PII
Personally Identifiable Information
PIN
_._........
Personal Identification Number
PKI
_
Public Key Infrastructure
POC
Point -of- Contact
QA
Quality Assurance
RF
Radio Frequency
SA
Security Addendum
SCO
State Compact Officer
SIB
State Identification Bureau
SIG
Special Interest Group
SP
Special Publication
SSID
Service Set Identifier
TAC
Terminal Agency Coordinator
TLS
Transport Layer Security
VLAN
Virtual Local Area Network
VoIP
Voice Over Internet Protocol
VPN
Virtual Private Network
WEP
...._ .............
Wired Equivalent Privacy
WLAN
Wireless Local Area Network
WPA
Wi -Fi Protected Access
2/09/2011 3
C11SD- ITS- DOC- 08t40 -5.0 B -3 11
APPENDIX C NETWORK TOPOLOGY DIAGRAMS
Network diagrams, i.e. topological drawings, are an essential part of solid network security.
Through graphical illustration, a comprehensive network diagram provides the "big picture" —
enabling network managers to quickly ascertain the interconnecting nodes of a network for a
multitude of purposes, including troubleshooting and optimization. Network diagrams are
integral to demonstrating the manner in which each agency ensures criminal justice data is
afforded appropriate technical security protections and is protected during transit and at rest.
The following diagrams, labeled Appendix C.1 -A through C.1 -E, are examples for agencies to
utilize during the development, maintenance, and update stages of their own network diagrams.
By using these example drawings as a guideline, agencies can form the foundation for ensuring
compliance with Section 5.7.1.2 of the CJIS Security Policy.
The purpose for including the following diagrams in this policy is to aid agencies in their
understanding of diagram expectations and should not be construed as a mandated method for
network topologies. It should also be noted that agencies are not required to use the identical
icons depicted in the example diagrams and should not construe any depiction of a particular
vendor product as an endorsement of that product by the FBI CJIS Division.
Appendix C.1 -A is a conceptual overview of the various types of agencies that can be involved
in handling of CJIS data, and illustrates several ways in which these interconnections might
occur. This diagram is not intended to demonstrate the level of detail required for any given
agency's documentation, but it provides . the reader with some additional context through which
to digest the following diagrams. Take particular note of the types of network interfaces in use
between agencies, in some cases dedicated circuits with encryption mechanisms, and in other
cases VPNs over the Internet. This diagram attempts to show the level of diversity possible
within the law enforcement community. These diagrams in no way constitute a standard for
network engineering, but rather, for the expected quality of documentation.
The next four topology diagrams are of two separate types: those for strictly conceptual agencies,
C.1 -13 through C.1 -D, and one documenting an actual municipal law- enforcement agency's
equipment, C.1 -E. For C.1 -13 through C.1 -D, the details identifying specific "moving parts" in
the diagrams by manufacturer and model are omitted, but it is expected that any agencies
producing such documentation will provide diagrams with full manufacturer and model detail for
each element of the diagram as is demonstrated in C.1 -E. Note that the quantities of clients
should be documented in order to assist the auditor in understanding the scale of assets and
information being protected.
Appendix C.1 -13 depicts a conceptual state law enforcement agency's network topology and
demonstrates a number of common technologies that are in use throughout the law enforcement
community (some of which are compulsory per CJIS policy, and some of which are optional)
including Mobile Broadband cards, VPNs, Firewalls, Intrusion Detection Devices, VLANs, and
so forth. Note that although most state agencies will likely have highly- available configurations,
the example diagram shown omits these complexities and only shows the "major moving parts"
for clarity but please note the policy requires the logical location of all components be shown.
The level of detail depicted should provide the reader with a pattern to model future
documentation from, but should not be taken as network engineering guidance.
2/09/2011 C -1
CJISD - ITS -DOC- 08140 -5.0 �r� l
Appendix C.1 -C depicts a conceptual county law enforcement agency. A number of common
technologies are presented merely to reflect the diversity in the community, including proprietary
Packet - over -RF infrastructures and advanced authentication techniques, and to demonstrate the
fact that agencies can act as proxies for other agencies.
Appendix C.1 -13 depicts a conceptual municipal law enforcement agency, presumably a small
one that lacks any precinct -to -patrol data communications. This represents one of the smallest
designs that could be assembled that, assuming all other details are properly considered, would
meet the criteria for Section 5.7.1.2. This diagram helps to demonstrate the diversity in size that
agencies handling criminal justice data exhibit.
Appendix C.l -E depicts an actual municipal police force's topology, and demonstrates the level
of detail suitable to assist an auditor. It also shows a few more common technologies in use,
namely thin - client computing, advanced authentication services, and so on.
2/09/2011 C -2
CJISD- ITS -DOC- 08140 -5.0 1 l cc')
'2
V
Figure C -I -A Overview: Conceptual Connections Between Various Agencies
Overview: Conceptual Connections Between Various Agencies
Ded"W ouwu
r�+
Y
2/09/2011
CJI SD- ITS -DOC- 08140 -5.0
C -3
Figure C -1 -C Conceptual Topology Diagram for a County Law Enforcement Agency
Conceptual Topology Diagram For A County L
OpACated nearar1a
Intama CireWt To Cbaits To
.State I Murw:ip* s
L=
RMW
t III�fILS[If
INa+r+rt �OIBCtpfl E> EtgYGnp1
Card * BUP-
RK MQ-2
ExNPUW
F
CAD Q�t
WA.K
— — — - F" tN ,uMMtYIYr EW.TtITTI:N
(� � SLMiISlO3CtHiECSId+
f Vvl-•
2/09/2011
01 SD- ITS -DOC- 08140 -5.0
,aw Enforcement Agency
WN Turnel6 Tn
FAuruapa4tisa Yia
Irnenret'
r.
.t
Fk"w IWN
12CWOWn[
limed BY
-AA .�.• �.,:
r , t TLS wn�,
6 N�0
. ...... � .. Hosnd er State CA6C1ern
Appendix C.1
0110112011
C -5
Figure C -1 -D Conceptual Topology Diagram for a Municipal Law Enforcement Agency
Conceptual Topology Diagram For A Municipal Law Enforcement Agency
Quake m vPN T VA
Incemal kudKa d
Stale I Inierrst Tn CounFY
Inui -w-t Exlranal'
Router Ro"
1 Rau:erl Fikaw�l WN,
j fIPS 7J0-2 COmpLan[
_ =!
I ECtiant to115 We8APP tyCAp Flaeled 5Y m +.178 -u¢
+AA R:. +A.A.
... .. ,» . FIF3 M62GlYpcLWTfWGiVRL16N
2/09/2011
CJISD- ITS -DOC- 08140 -5.0
1011M
Appendix C.1-0
01/O1t2011
C -6
APPENDIX D SAMPLE INFORMATION EXCHANGE
AGREEMENTS
D -1. CJIS User Agreement
CRIMINAL JUSTICE INFORMATION SERVICES (CJIS)
SYSTEMS USER AGREEMENT
The FBI CJIS Division provides state -of -the -art identification and information
services to the local, state, tribal, federal, and international criminal justice communities, as well
as the noncriminal justice community, for licensing and employment purposes. These services
are administered and maintained by the FBI CJIS Division and managed in cooperation with the
CJIS Systems Agency (CSA) and its administrator for CJIS data, the CJIS Systems Officer
(CSO). The CJIS Systems include, but are not limited to: the Interstate Identification Index
(III); National Crime Information Center (NCIC); Uniform Crime Reporting (UCR), whether
summary or incident -based reporting to the National Incident -Based Reporting System;
Fingerprint Identification Record System; Law Enforcement National Data Exchange (N -DEx);
Law Enforcement Online; and the National Instant Criminal Background Check System (NICS).
The FBI CJIS Division provides the following services to its users, as applicable:
1. Operational, technical, and investigative assistance.
2. Telecommunication lines to state, federal, and regulatory interfaces.
3. Legal and legislative review of matters pertaining to all CJIS Systems.
4. Timely information on all aspects of all CJIS Systems and other related programs by
means of operating manuals, code manuals, technical and operational updates, various
newsletters, information letters, frequently asked questions, and other relevant
documents.
5. Training assistance and up -to -date materials provided to each CSO, NICS Point of
Contact (POC), state Compact Officer, State Administrator, Information Security Officer
(ISO), and other appropriate personnel.
6. Ongoing assistance to Systems' users through meetings and briefings with the CSOs,
State Administrators, Compact Officers, ISOs, and NICS State POCs to discuss
operational and policy issues.
7. Advisory Process through which authorized users have input as to the policies and
procedures governing the operation of CJIS programs.
2/09/2011
C11SD- ITS -DOC- 08140 -5.0
D -1
mc')
8. National Crime Prevention and Privacy Compact Administrative Office through which
states and other authorized users may submit issues concerning the noncriminal justice
use of the III System.
9. Annual NICS Users Conference.
10. Audit.
11. Staff research assistance.
PART 1
The purpose behind a designated CSO is to unify responsibility for Systems user
discipline and to ensure adherence to established procedures and policies within each signatory
state /territory/tribal agency and by each federal user. This agreement outlines the responsibilities
of each CSO as they relate to all CJIS Systems and other related CJIS administered programs.
These individuals are ultimately responsible for planning necessary hardware, software, funding,
and training for access to all CJIS Systems.
To ensure continued access as set forth above, the CSA agrees to adhere to all
applicable CJIS policies including, but not limited to, the following:
The signatory state/tribal agency will provide fingerprints that meet submission criteria
for all qualifying arrests. In addition, states /tribal agencies will make their records
available for interstate exchange for criminal justice and other authorized purposes unless
restricted by state/tribal law, and, where applicable, continue to move toward
participation in the III and, upon ratification of the National Crime Prevention and
Privacy Compact, the National Fingerprint File.
2. Appropriate and reasonable quality assurance procedures; e.g., hit confirmation, audits
for record timeliness, and validation, must be in place to ensure that only complete,
accurate, and valid information is maintained in the CJIS Systems.
3. Biannual file synchronization of information entered into the III by participating states.
4. Security - Each agency is responsible for appropriate security measures as applicable to
physical security of terminals and telecommunication lines; personnel security to include
background screening requirements; technical security to protect against unauthorized
use; data security to include III use, dissemination, and logging; and security of criminal
history records. Additionally, each CSO must ensure that all agencies establish an
2/09/2011
CJ I S D- ITS -DOC -081 40 -5.0
D -2
information security structure that provides for an ISO and complies with the CJIS
Security Policy.
5. Audit - Each agency shall be responsible for complying with all audit requirements for
use of CJIS Systems. Each CSO is responsible for completing a triennial audit of all
agencies with access to CJIS Systems through the CSO's lines.
6. Training - Each agency shall be responsible for training requirements, including
compliance with operator training mandates.
7. Integrity of the Systems - Each agency shall be responsible for maintaining the integrity
of the system in accordance with FBI CJIS Division/state/federal/tribal policies to ensure
only authorized terminal access; only authorized transaction submission; and proper
handling and dissemination of CJIS data. Each agency shall also be responsible for
computer security incident reporting as required by the CJIS Security Policy.
The following documents are incorporated by reference and made part of this
agreement for CSA users:
1. Bylaws for the CJIS Advisory Policy Board and Working Groups.
2. CJIS Security Policy.
3. Interstate Identification Index Operational and Technical Manual, National Fingerprint
File Operations Plan, NCIC 2000 Operating Manual, UCR Handbook -NIBRS Edition,
and National Incident -Based Reporting System Volumes 1, 2, and 4.
4. National Crime Prevention and Privacy Compact, 42 United States Code (U.S.C.)
§ 14616.
5. NCIC Standards and UCR Standards, as recommended by the CJIS Advisory Policy
Board.
6. The National Fingerprint File Qualification Requirements.
7. Title 28, Code of Federal Regulations, Parts 20 and 25, §50.12, and Chapter IX.
8. Electronic Fingerprint Transmission Specifications.
2/09/2011 D -3
CJISD - ITS -DOC- 08140 -5.0
9. Other relevant documents, to include: NCIC Technical and Operational Updates, CJIS
Information Letters, NICS User Manual, NICS Interface Control Document.
10. Applicable federal, state, and tribal laws and regulations.
PART 2
Additionally, there are authorized federal regulatory recipients and other authorized
users that provide electronic fingerprint submissions through a CJIS Wide Area Network (WAN)
connection (or other approved form of electronic connection) to the CJIS Division that are
required to comply with the following CJIS policies:
1. The authorized user will provide fingerprints that meet submission criteria and apply
appropriate and reasonable quality assurance procedures.
2. Security - Each agency is responsible for appropriate security measures as applicable to
physical security of communication equipment; personnel security to include background
screening requirements; technical security to protect against unauthorized use; and
security of criminal history records.
3. Audit - Each authorized user shall be responsible for complying with all audit
requirements for CJIS Systems. Additionally, each authorized user is subject to a
triennial audit by the CJIS Division Audit staff.
4. Training - Each authorized user receiving criminal history record information shall be
responsible for training requirements, including compliance with proper handling of
criminal history records.
The following documents are incorporated by reference and made part of this
agreement for non -CSA authorized users:
1. CJIS Security Policy.
2. National Crime Prevention and Privacy Compact, 42 U.S.C. §14616.
3. Title 28, Code of Federal Regulations, Parts 20 and 25, § 50.12, and Chapter IX.
4. Other relevant documents, to include CJIS Information Letters.
2/09/2011 D-4
CJ I SD- ITS -DOC- 08140 -5.0
11Cd�
5. Applicable federal, state, and tribal laws and regulations.
GENERAL PROVISIONS
Funding:
Unless otherwise agreed in writing, each party shall bear its own costs in relation to
this agreement. Expenditures will be subject to federal and state budgetary processes
and availability of funds pursuant to applicable laws and regulations. The parties
expressly acknowledge that this in no way implies that Congress will appropriate
funds for such expenditures.
Termination:
1. All activities of the parties under this agreement will be carried out in accordance to the
above - described provisions.
2. This agreement may be amended or terminated by the mutual written consent of the
parties authorized representatives.
Either party may terminate this agreement upon 30 -days written notification to the other
party. Such notice will be the subject of immediate consultation by the parties to decide
upon the appropriate course of action. In the event of such termination, the following
rules apply:
a. The parties will continue participation, financial or otherwise, up to the effective
date of termination.
b. Each party will pay the costs it incurs as a result of termination.
c. All information and rights therein received under the provisions of this agreement
prior to the termination will be retained by the parties, subject to the provisions of
this agreement.
2/09/2011 D -5
CJ I S D- I TS- DOC- 08140 -5.0
ACKNOWLEDGMENT AND CERTIFICATION
As a CSO or CJIS WAN Official (or other CJIS authorized official), I hereby
acknowledge the duties and responsibilities as set out in this agreement. I acknowledge that
these duties and responsibilities have been developed and approved by CJIS Systems users to
ensure the reliability, confidentiality, completeness, and accuracy of all information contained in,
or obtained by means of, the CJIS Systems. I further acknowledge that failure to comply with
these duties and responsibilities may result in the imposition of sanctions against the offending
state /agency; other federal, tribal, state, and local criminal justice users; and approved
noncriminal justice users with System access, whether direct or indirect. The Director of the FBI
(or the National Crime Prevention and Privacy Compact Council), may approve sanctions to
include the termination of CJIS services.
I hereby certify that I am familiar with all applicable documents that are made part of
this agreement and to all applicable federal and state laws and regulations relevant to the receipt
and dissemination of documents provided through the CJIS Systems.
This agreement is a formal expression of the purpose and intent of both parties and is
effective when signed. It may be amended by the deletion or modification of any provision
contained therein, or by the addition of new provisions, after written concurrence of both parties.
The "Acknowledgment and Certification" is being executed by the CSO or CJIS WAN Official
(or other CJIS authorized official) in both an individual and representative capacity.
Accordingly, this agreement will remain in effect after the CSO or CJIS WAN Official (or other
CJIS authorized official) vacates his/her position or until it is affirmatively amended or rescinded
in writing. This agreement does not confer, grant, or authorize any rights, privileges, or
obligations to any third party.
2/09/2011
D -6
CJ I S D- ITS -DOC -0 8140 -5.0
11� �
SYSTEMS USER AGREEMENT
Please execute either Part 1 or Part 2
PART 1
Date:
CJIS Systems Officer
Printed Name /Title
CONCURRENCE OF CSA HEAD:
Date:
CSA Head
Printed Name /Title
PART 2
Date:
CJIS WAN Official (or other CJIS Authorized Official)
Printed Name /Title
CONCURRENCE OF CJIS WAN AGENCY HEAD:
Date:
CJIS WAN Agency Head
Printed Name/Title
2/09/2011 D -7
CJ I S D -I T S- DOCC- 08140 -5.0
11(��
FBI CJIS DIVISION:
Date:
Daniel D. Roberts
Assistant Director
FBI CJIS Division
* The FBI Designated Federal Officer should be notified when a CSO or other CJIS
WAN /authorized Official vacates his/her position. The name and telephone number of the
Acting CSO or other CJIS WAN /authorized Official, and when known, the name and telephone
number of the new CSO or other CJIS WAN /authorized Official, should be provided. Revised:
05/03/2006
2/09/2011
k�CS0
CJI S D- ITS -DOC- 08140 -5.0
D -2. Management Control Agreement
Management Control Agreement
Pursuant to the CJIS Security Policy Version 5, Sections 3.2.2 and 5.1, it is agreed that
with respect to administration of that portion of computer systems and network infrastructure
interfacing directly or indirectly with the state network (Network Name) for the interstate
exchange of criminal history/criminal justice information, the (Criminal Justice Agency) shall
have the authority, via managed control, to set and enforce:
(1) Priorities.
(2) Standards for the selection, supervision, and termination of personnel.
(3) Policy governing operation of justice systems, computers, access devices, circuits, hubs,
routers, firewalls, and any other components, including encryption, that comprise and
support a telecommunications network and related criminal justice systems to include but
not limited to criminal history record/criminal justice information, insofar as the
equipment is used to process or transmit criminal justice systems information
guaranteeing the priority, integrity, and availability of service needed by the criminal
justice community.
(4) Restriction of unauthorized personnel from access or use of equipment accessing the
State network.
(5) Compliance with all rules and regulations of the (Criminal Justice Agency) Policies and
CJIS Security Policy in the operation of all information received.
"Responsibility for management of security control shall remain with the criminal justice
agency." CJIS Security Policy Version 5.0, Section 3.2.
This agreement covers the overall supervision of all (Criminal Justice Agency) systems,
applications, equipment, systems design, programming, and operational procedures associated
with the development, implementation, and maintenance of any (Criminal Justice Agency)
system to include NCIC Programs that may be subsequently designed and/or implemented within
the (Criminal Justice Agency).
John Smith, CIO Date
Any State Department of Administration
Joan Brown, CIO Date
(Criminal Justice Agency)
D -9
2/09/2011
CJISD - ITS -DOC- 08140 -5.0
1`
D -3. Noncriminal Justice Agency Agreement & Memorandum of Understanding
MEMORANDUM OF UNDERSTANDING
BETWEEN
THE FEDERAL BUREAU OF INVESTIGATION
AND
(Insert Name of Requesting Organization)
FOR
THE ESTABLISHMENT AND ACCOMMODATION OF
THIRD -PARTY CONNECTIVITY TO THE
CRIMINAL JUSTICE INFORMATION SERVICES DIVISION'S WIDE AREA NETWORK
1. PURPOSE: This Memorandum of Understanding (MOU) between the Federal Bureau of
Investigation (FBI) and (insert requesting organization's name), hereinafter referred to as the
"parties," memorializes each party's responsibilities with regard to establishing connectivity to
records services accessible via the Wide Area Network (WAN) of the FBI's Criminal Justice
Information Services (CJIS) Division.
2. BACKGROUND: The requesting organization, (insert requesting organization's name),
being approved for access to systems of records accessible via the CJIS WAN, desires
connectivity to the CJIS WAN or via a secure Virtual Private Network (VPN) Connection
(Internet) to the CJIS WAN. The CJIS Division has created a framework for accommodating
such requests based on the type of connection.
In preparing for such non - CJIS - funded connectivity to the CJIS WAN, the parties plan to
acquire, configure, and place needed communications equipment at suitable sites and to make
electronic connections to the appropriate systems of records via the CJIS WAN.
2/09/2011
D -10
C11SD- ITS- DOC- 08140 -5.0
To ensure that there is a clear understanding between the parties regarding their
respective roles in this process, this MOU memorializes each party's responsibilities regarding
the development, operation, and maintenance of third -party connectivity to the CJIS WAN.
Unless otherwise contained in an associated contract, the enclosed terms apply. If there is a
conflict between terms and provisions contained in both the contract and this MOU, the contract
will prevail.
3. AUTHORITY: The FBI is entering into this MOU under the authority provided by Title 28,
United States Code (U.S.C.), Section 534; 42 U.S.C. § 14616; and/or Title 28, Code of Federal
Regulations, Part 906.
4. SCOPE:
a. The CJIS Division agrees to:
i. Provide the requesting organization with a "CJIS WAN Third -Party
Connectivity Package" that will detail connectivity requirements and options
compatible with the CJIS Division's WAN architecture upon receipt of a signed
nondisclosure statement.
ii. Configure the requesting organization's connection termination equipment
suite at Clarksburg, West Virginia, and prepare it for deployment or shipment
under the CJIS WAN option. In the Secure VPN arrangement only, the third
party will develop, configure, manage, and maintain its network connectivity to
its preferred service provider.
iii. Work with the requesting organization to install the connection termination
equipment suite and verify connectivity.
iv. Perform installation and/or routine maintenance on the requesting
organization's third -party dedicated CJIS WAN connection termination
equipment after coordinating with the requesting organization's designated point
of contact (POC) and during a time when the CJIS Division's technical personnel
are near the requesting organization's site.
v. Perform periodic monitoring and troubleshooting of the requesting
organization's CJIS WAN connection termination equipment. Software patches
will be maintained on the dedicated CJIS WAN connected network equipment
only. Under the Secure VPN option, no availability or data thru -put rates will be
guaranteed.
2/09/2011 D -11
CMD- ITS -DOC- 08140 -5.0
vi. Provide 24 hours a day, 7 days a week uninterrupted monitoring from the CJIS
Division's Network Operations Center.
vii. Provide information regarding potential hardware end -of -life replacement
cycles to the requesting organization for its budgeting purposes.
viii. Maintain third -party dedicated CJIS WAN connection termination equipment
as if in the CJIS Division's operational environment.
ix. Update the appropriate software on the requesting organization's dedicated
connection termination equipment connected to the CJIS WAN (i.e., Cisco
Intemetwork Operating System, SafeNet frame relay encryptor firmware, etc.)
pursuant to the requesting organization's authorized maintenance contracts.
x. Provide a POC and telephone number for MOU- related issues.
b. The (insert requesting organization's name) agrees to:
i. Coordinate requests for third -party connectivity to the CJIS WAN or the Secure
VPN with the CJIS Division's POC.
ii. Purchase hardware and software that are compatible with the CJIS WAN.
iii. Pay for the telecommunications infrastructure that supports its connection to
the CJIS WAN or Secure VPN.
iv. Maintain telecommunication infrastructure in support of Secure VPN
connectivity.
v. Provide any /all hardware and software replacements and upgrades as mutually
agreed to by the parties.
vi. Pay for all telecommunication requirements related to its connectivity.
vii. Provide required information for dedicated service relating to Data Link
Connection Identifiers, Circuit Identifier, Permanent Virtual Circuit Identifiers,
2/09/2011
D-1 2
C11SD- ITS- DOC -08 I40 -5.0
��cd�
Local Exchange Carrier Identifier, POC, location, etc., as determined by the
parties.
viii. Transport the CJIS WAN connection termination equipment suite to the CJIS
Division for configuration and preparation for deployment under the dedicated
service option.
ix. Provide registered Internet Protocol information to be used by the requesting
organization's system to the CJIS Division.
x. Provide the CJIS Division with six months advance notice or stated amount of
time for testing activities (i.e., disaster recovery exercises).
xi. Provide the CJIS Division with applicable equipment maintenance contract
numbers and level of service verifications needed to perform software upgrades
on connection termination equipment.
xii. Provide the CJIS Division with applicable software upgrade and patch images
(or information allowing the CJIS Division to access such images).
xiii. Transport only official, authorized traffic over the Secure VPN.
xiv. Provide a POC and telephone number for MOU- related issues.
5. FUNDING: There are no reimbursable expenses associated with this level of support. Each
party will fund its own activities unless otherwise agreed to in writing. This MOU is not an
obligation or commitment of funds, nor a basis for transfer of funds, but rather is a basic
statement of understanding between the parties hereto of the nature of the relationship for the
connectivity efforts. Unless otherwise agreed to in writing, each party shall bear its own costs in
relation to this MOU. Expenditures by each party will be subject to its budgetary processes and
to the availability of funds and resources pursuant to applicable laws, regulations, and policies.
The parties expressly acknowledge that the above language in no way implies that Congress will
appropriate funds for such expenditures.
6. SETTLEMENT OF DISPUTES: Disagreements between the parties arising under or relating
to this MOU will be resolved only by consultation between the parties and will not be referred to
any other person or entity for settlement.
2/09/2011
CJ I S D- ITS -DOC- 08140 -5.0
D -13
k(d)
7. SECURITY: It is the intent of the parties that the actions carried out under this MOU will be
conducted at the unclassified level. No classified information will be provided or generated
under this MOU.
8. AMENDMENT, TERMINATION, ENTRY INTO FORCE, AND DURATION:
a. All activities of the parties under this MOU will be carried out in accordance with the
above - described provisions.
b. This MOU may be amended or terminated by the mutual written consent of the parties'
authorized representatives.
c. Either party may terminate this MOU upon 30 -days written notification to the other
party. Such notice will be the subject of immediate consultation by the parties to decide
upon the appropriate course of action. In the event of such termination, the following
rules apply:
i. The parties will continue participation, financial or otherwise, up to the
effective date of the termination.
ii. Each party will pay the costs it incurs as a result of the termination.
iii. All information and rights therein received under the provisions of this MOU
prior to the termination will be retained by the parties, subject to the provisions of
this MOU.
9. FORCE AND EFFECT: This MOU, which consists of nine numbered sections, will enter
into effect upon signature of the parties and will remain in effect until terminated. The parties
should review the contents of this MOU annually to determine whether there is a need for the
deletion, addition, or amendment of any provision. This MOU is not intended, and should not be
construed, to create any right or benefit, substantive or procedural, enforceable at law or
otherwise by any third party against the parties, their parent agencies, the United States, or the
officers, employees, agents, or other associated personnel thereof.
The foregoing represents the understandings reached between the parties.
2/09/2011 D -14
CJ ISD- ITS -DOC- 08140 -5.0
tk fd
FOR THE FEDERAL BUREAU OF INVESTIGATION
DANIEL D. ROBERTS Date
Assistant Director
Criminal Justice Information Services Division
FOR THE (insert requesting organization name)
Date
2/09/2011
CJIS D- ITS -DOC- 08140 -5,0
D -15
ll�d�
D -4. Interagency Connection Agreement
CRIMINAL JUSTICE INFORMATION SERVICES (CJIS)
Wide Area Network (WAN) USER AGREEMENT
BY INTERIM REMOTE LATENT USERS
The responsibility of the FBI CJIS Division is to provide state -of -the -art
identification and information services to the local, state, federal, and international criminal
justice communities, as well as the civil community for licensing and employment purposes.
The data provided by the information systems administered and maintained by the FBI CJIS
Division are routed to and managed in cooperation with the designated interface agency official.
This information includes, but is not limited to, the Interstate Identification Index (III), National
Crime Information Center (NCIC), Uniform Crime Reporting (UCR)/National Incident -Based
Reporting System (NIBRS), and the Integrated Automated Fingerprint Identification System
(IAFIS) programs.
In order to fulfill this responsibility, the FBI CJIS Division provides the following
services to its users:
■ Operational, technical, and investigative assistance;
■ Telecommunications lines to local, state, federal and authorized interfaces;
• Legal and legislative review of matters pertaining to IAFIS, CJIS WAN
and other related services;
■ Timely information on all aspects of IAFIS, CJIS WAN, and other related
programs by means of technical and operational updates, various
newsletters, and other relative documents;
■ Shared management through the CJIS Advisory Process and the Compact
Council;
■ Training assistance and up -to -date materials provided to each designated
agency official, and;
■ Audit.
2/09/201 l
CESD- ITS -DOC- 08140 -5.0
D -16
1 1(d)
The concept behind a designated interface agency official is to unify
responsibility for system user discipline and ensure adherence to system procedures and policies
within each interface agency. These individuals are ultimately responsible for planning
necessary hardware, software, funding, training, and the administration of policy and procedures
including security and integrity for complete access to CJIS related systems and CJIS WAN
related data services by authorized agencies.
The following documents and procedures are incorporated by reference and made
part of this agreement:
• CJIS Security Policy;
• Title 28, Code of Federal Regulations, Part 20;
• Computer Incident Response Capability (CIRC);
■ Applicable federal and state laws and regulations.
To ensure continued access as set forth above, the designated interface agency agrees to adhere
to all CJIS policies, including, but not limited to, the following:
The signatory criminal agency will provide fingerprints for all qualifying
arrests either via electronic submission or fingerprint card that meet
submission criteria. In addition, the agency will make their records available
for interstate exchange for criminal justice and other authorized purposes.
2. The signatory civil agency with legislative authority will provide all
qualifying fingerprints via electronic submission or fingerprint card that meet
submission criteria.
Appropriate and reasonable quality assurance procedures must be in place to
ensure that only complete, accurate, and valid information is maintained in the
system.
4. Security - Each agency is responsible for appropriate security measures as
applicable to physical security of terminals and telecommunications lines;
Interim Distributed Imaging System (IDIS) equipment shall remain stand-
2/09/2011 D -17
CJ I SD- ITS -DOC- 08140 -5.0
\\ (d)
alone devices and be used only for authorized purposes; personnel security to
meet background screening requirements; technical security to protect against
unauthorized use; data security, dissemination, and logging for audit purposes;
and actual security of criminal history records. Additionally, each agency
must establish an information security structure that provides for an
Information Security Officer (ISO) or a security point of contact.
5. Audit - Each agency shall be responsible for complying with the appropriate audit
requirements.
6. Training - Each agency shall be responsible for training requirements,
including compliance with training mandates.
7. Integrity of the system shall be in accordance with FBI CJIS Division and
interface agency policies. Computer incident reporting shall be implemented.
Until states are able to provide remote latent connectivity to their respective latent
communities via a state WAN connection, the CJIS Division may provide direct connectivity to
IAFIS via a dial-up connection or through the Combined DNA Index System ( CODIS) and/or
National Integrated Ballistics Information Network (NIBIN) connections. When a state
implements a latent management system and is able to provide intrastate connectivity and
subsequent forwarding to IAFIS, this agreement may be terminated. Such termination notice
will be provided in writing by either the FBI or the state CJIS Systems Agency.
It is the responsibility of the local remote latent user to develop or acquire an
IAFIS compatible workstation. These workstations may use the software provided by the FBI or
develop their own software, provided it is IAFIS compliant.
The CJIS Division will provide the approved modem and encryptors required for
each dial -up connection to IAFIS. The CJIS Communication Technologies Unit will configure
and test the encryptors before they are provided to the user. Users requesting remote latent
connectivity through an existing CODIS and/or NIBIN connection must receive verification
from the FBI that there are a sufficient number of Ethernet ports on the router to accommodate
the request.
If at any time search limits are imposed by the CJIS Division, these individual
agency connections will be counted toward the total state allotment.
2/09/2011 D-18
CISD- ITS- DOC -08140-5.o I t(d )
ACKNOWLEDGMENT AND CERTIFICATION
As a CJIS WAN interface agency official serving in the CJIS system, I hereby
acknowledge the duties and responsibilities as set out in this agreement. I acknowledge that
these duties and responsibilities have been developed and approved by CJIS system users in
order to ensure the reliability, confidentiality, completeness, and accuracy of all information
contained in or obtained by means of the CJIS system. I further acknowledge that a failure to
comply with these duties and responsibilities may subject our agency to various sanctions
adopted by the CJIS Advisory Policy Board and approved by the Director of the FBI. These
sanctions may include the termination of CJIS service.
As the designated CJIS WAN interface agency official serving in the CJIS
system, I hereby certify that I am familiar with the contents of the Title 28, Code of Federal
Regulations, Part 20; CJIS Security Policy; Computer Incident Response Capability; and
applicable federal or state laws and regulations applied to IAFIS and CJIS WAN Programs for
the dissemination of criminal history records for criminal and noncriminal justice purposes.
Signature
Print or Type
CJIS WAN Agency Official Date
CONCURRENCE OF FEDERAL /REGULATORY AGENCY HEAD OR STATE
CJIS SYSTEMS OFFICER (CSO):
Signature
Title
State CSO
2/09/2011
CJ IS D- ITS -DOC- 08140 -5.0
Print or Type
Date
D -19
� k(d )
FBI CJIS DIVISION:
Signature - Daniel D. Roberts
Assistant Director
Title Date
* If there is a change in the CJIS WAN interface agency official, the FBI Designated Federal
Employee must be notified in writing 30 days prior to the change.
5/27/2004 UA modification reflects change in CTO title to CSO.
2/09/2011
D -20
CJISD- ITS- DOC -OS 140 -5.0
kk(d)
APPENDIX E SECURITY FORUMS AND ORGANIZATIONAL
ENTITIES
AntiOnline
... . .. . ............ ........ . ........... . ......... I ....... . . ......... . ............. . . ..... .......... I . . ........... . ............... - .................................... . . .. . ............. . ..... . . ........... . .......
Black Hat
....... . .. ........................... . . .... . ....................... . . ..................... . ... I ....... . ............. I ...... . ........... .... .................. ....... . .............. . ....... . . ................. . . . . ..........................
CIO.com
CSO Online
.. . ......... . ............. . . .... . ... ........... . ....... .
CyberSpeak Podcast
. ............. ... . .......... ................. ....... . . . . . ......... . ............ . .. ......... ... ....... . ........ ..... .. . ...........
FBI Criminal Justice information Services Division (CJIS)
............ . ......... . .
Forrester Security Forum
........ . ................. . . ........ . ........ . . .... . .............. -- ... . ... .............. ..
Forum of Incident Response and Security Teams (FIRST) ...........
........ . ......... ............................... --- ................................... . ......................................................................... ............. . ...........................................................................
Information Security Forum (ISF)
Information Systems Audit and Control Association (ISACA)
......... ... ... . ........ .
Information Systems Security Association (ISSA)
. .... . ............. . . ......... . ......
Infosyssec
I-- . — . ... . ...... . . . . ..... . ....
International Organization for Standardization (ISO)
-.1.1 ..... . ................... . ............ I ........ . .... - ......... . ......... . . .......... ..... . .... . ..................... . .. ............................................. . .................. .................. . .. ...... . .. . ..................... . ......................... . . ............ . ........... . . . .............
International Information Systems Security Certification Consortium, Inc. (ISC)2
. . .... . .................. . ............................................................ . ......................... . ....................................... ....................... . . ........... ......... . . ........... . .... . ..... . . . ......... . . . . . .. . . . ......................
Metasploit ........ . .
.... . ......... . ............
Microsoft Developer Network (MSDN) Information Security
... . ........ . ...... . . .... . . ........
National Institute of Standards and Technology (NIST)
. ............... - ................... . ... ........... . ..
Open Web Application Security Project (OWASP)
.......... ...... .......
................................
...........
SANS (SysAdmin, Audit, Network, Security) Institute
.......................................... ........... . ........... . .... . .......... - ......................................... . . . .......... - .................. . .... . .................. . ....... . ..... . ...... . ....... . .... . ......................... . ............................. . ...... . . . .. . .......... . . . ...... -
SC Magazine
.1.1- ................ - ......... ... ...... .. I .............. ...... - .... ........ .................. .... ........... ............. .......................................... ............... ...............................................................
Schneier.corn
--- ......... ............ . . - .... . ....... .... . ........ . .. . . . ......... . .. ..........
Security Focus ...............
.......... ...
The Register . .......... ..... ..................
US Computer Emergency Response Team (CERT) . .......
US DoJ Computer Crime and Intellectual Property Section (CCIPS)
E-1
2/09/2011
CJISD-ITS-DOC-08140-5.0
APPENDIX F IT SECURITY INCIDENT RESPONSE FORM
(Sample Form)
FBI CJIS DIVISION
INFORMATION SECURITY OFFICER (ISO)
COMPUTER SECURITY INCIDENT RESPONSE CAPABILITY (CSIRC)
DATE OF REPORT:
DATE OF INCIDENT:
POINT(S) OF CONTACT: _
LOCATION(S) OF INCIDENT:
SYSTEM(S) AFFECTED:
METHOD OF DETECTION:
NATURE OF INCIDENT:
INCIDENT DESCRIPTION:
ACTIONS TAKEN /RESOLUTION:
Copies To:
George White
(FBI CJIS Division ISO)
1000 Custer Hollow Road
Clarksburg, WV 26306 -0102
(304) 625 -5849
ueorae.white(a- ), leo.gov
or
iso(dleo.eov
2/09/2011
CJ ISD- ITS -DOC- 08140.5.0
REPORTING FORM
(mm/dd/yyyy)
( mm/dd/yyyy)
PHONE /EXT /E -MAIL:
Rob Richter
(FBI CJIS CSIRC POC)
1000 Custer Hollow Road/Module D -2
Clarksburg, AN 26306 -0102
(304) 625 -5044
john.richter @leo.gov
or
iso(aleo.aov
F -1
APPENDIX G VIRTUALIZATION
This appendix documents security considerations for implementing and operating virtual
environments that process, store, and/or transmit Criminal Justice Information.
The FBI CJIS ISO has fielded several inquiries from various states requesting guidance on
implementing virtual environments within their data centers. With the proliferation of virtual
environments across industry in general there is a realistic expectation that FBI CJIS Auditors
will encounter virtual environments during the upcoming year. Criminal Justice Agencies (CJAs)
and Noncriminal Justice Agencies (NCJAs) alike need to understand and appreciate the
foundation of security protection measures required for virtual environments.
From Microsoft's Introduction to Windows Server 2008
http://www.microsoft.com/windowsserver2008/en/usihvperv.M x:
"Server virtualization, also known as hardware virtualization, is a hot topic in the
IT world because of the potential for serious economic benefits. Server
virtualization enables multiple operating systems to run on a single physical
machine as virtual machines (VMs). With server virtualization, you can
consolidate workloads across multiple underutilized server machines onto a
smaller number of machines. Fewer physical machines can lead to reduced costs
through lower hardware, energy, and management overhead, plus the creation of
a more dynamic IT infrastructure. "
From a trade publication, kernelthread.com
httv://www.kemelthread.com/i)ublications/virtualization/:
"virtualization is a framework or methodology of dividing the resources of a
computer into multiple execution environments, by applying one or more concepts
or technologies such as hardware and software partitioning, time - sharing, partial
or complete machine simulation, emulation, quality of service, and many others.
From an Open Source Software developer
huv://www.kallasoft.com/t)c-bardware-virtualization-basics/:
" Virtualization refers to virtualizing hardware in software, allowing multiple
operating systems, or images, to run concurrently on the same hardware. There
are two main types of virtualization software:
• "Type -1 Hypervisor, which runs 'bare- metal' (on top of the hardware)
• "Type -2 Hypervisor which requires a separate application to run within an
operating system
"Type] hypervisors usually offer the best in efficiency, while Type -2 hypervisors
allow for greater support of hardware that can be provided by the operating
system. For the developer, power user, and small business IT professionals,
virtualization offers the same basic idea of collapsing multiple physical boxes into
one. For instance, a small business can run a web server and an Exchange server
without the need for two boxes. Developers and power users can use the ability to
contain different development environments without the need to modify their main
operating system. Big businesses can also benefit from virtualization by allowing
G -1
2/09/2011
CJISD - ITS -DOC- 08140 -5.0 \k(d)
software maintenance to be run and tested on a separate image on hardware
without having to take down the main production system. "
Industry leaders and niche developers are bringing more products to market every day. The
following article excerpts, all posted during September 2008, on www.virtualization.com are
examples of industry offerings.
"Microsoft and Novell partnered together for joint virtualization solution.
Microsoft and Novell are announcing the availability of a joint virtualization
solution optimized for customers running mixed - source environments. The joint
offering includes SUSE Linux Enterprise Server configured and tested as an
optimized guest operating system running on Windows Sever 2008 Hyper -V, and
is fully support by both companies' channel partners. The offering provides
customers with the first complete, fully supported and optimized virtualization
solution to span Windows and Linux environments. "
"Sun Microsystems today account the availability of Sun xVM Server software
and Sun xVM Ops Center 2. 0, key components in its strategy. Sun also announced
the addition of comprehensive services and support for Sun xVM Server software
and xVM Ops Center 2.0 to its virtualization suite of services. Additionally, Sun
launched xVMserver.org, a new open source community, where developers can
download the first source code bundle for SunxVM Server software and
contribute to the direction and development of the product. "
"NetEx, specialist in high -speed data transport over TCP, today announced
Virtual HyperlP bandwidth optimization solutions for VMware environments that
deliver a threefold to tenfold increase in data replication performance. Virtual
HyperlP is a software -based Data Transport Optimizer that operates on the
VMware ESX server and boost the performance of storage replication
applications from vendors such as EMC, NetApp, Symantec, IBM, Data Domain,
and FalconStor. Virtual HyperlP mitigates TCP performance issues that are
common when moving data over wide —area network (WAN) connections because
of bandwidth restrictions, latency due to distance and /or router hop counts,
packet loss and network errors. Like the company's award - winning appliance -
based HyperlP, Virtual HyperlP eliminates these issues with an innovative
software design developed specifically to accelerate traffic over an IP based
network. "
From several sources, particularly:
http: / /www. windowsecurity.com/ articles /security- virutalization.html
http: / /csrc.nist. gov /publications/ drafts /6--= 64rev2 /draft- sp800- 64- Revision2.pdf
Virtualization provides several benefits:
• Make better use of under - utilized servers by consolidating to fewer machines saving on
hardware, environmental costs, management, and administration of the server
infrastructure.
• Legacy applications unable to run on newer hardware and /or operating systems can be
loaded into a virtual environment — replicating the legacy environment.
2/09/2011 O -2
CJ I S D-1 TS- DOC- 08140 -5.0
• Provides for isolated portions of a server where trusted and untrusted applications can be
ran simultaneously — enabling hot standbys for failover.
• Enables existing operating systems to run on shared memory multiprocessors.
• System migration, backup, and recovery are easier and more manageable.
Virtualization also introduces several vulnerabilities:
• Host Dependent.
• If the host machine has a problem then all the VMS could potentially terminate.
• Compromise of the host makes it possible to take down the client servers hosted on the
primary host machine.
• If the virtual network is compromised then the client is also compromised.
• Client share and host share can be exploited on both instances. Potentially this can lead
to files being copied to the share that fill up the drive.
These vulnerabilities can be mitigated by the following factors:
• Apply "least privilege" technique to reduce the attack surface area of the virtual
environment and access to the physical environment.
• Configuration and patch management of the virtual machine and host, i.e. Keep operating
systems and application patches up to date on both virtual machines and hosts.
• Install the minimum applications needed on host machines.
• Practice isolation from host and virtual machine.
• Install and keep updated antivirus on virtual machines and the host.
• Segregation of administrative duties for host and versions.
• Audit logging as well as exporting and storing the logs outside the virtual environment.
• Encrypting network traffic between the virtual machine and host IDS and IPS
monitoring.
• Firewall each virtual machine from each other and ensure that only allowed protocols
will transact.
2/09/2011
CJI SD- ITS- D0608140 -5.0
G -3
i«d>
APPENDIX H SECURITY ADDENDUM
The following pages contain the legal authority, purpose, and genesis of the Criminal Justice
Information Services Security Addendum (H2 -H4); the Security Addendum itself (1-15 -1-16);
and the Security Addendum Certification page (1-17).
2/09/2011
CJI SD- ITS -DOC- 08140 -5.0
H -1
ko'
FEDERAL BUREAU OF INVESTIGATION
CRIMINAL JUSTICE INFORMATION SERVICES
SECURITY ADDENDUM
Legal Authority for and Purpose and Genesis of the
Security Addendum
Traditionally, law enforcement and other criminal justice agencies have been
responsible for the confidentiality of their information. Accordingly, until mid -1999, the
Code of Federal Regulations Title 28, Part 20, subpart C, and the National Crime
Information Center (NCIC) policy paper approved December 6, 1982, required that the
management and exchange of criminal justice information be performed by a criminal
justice agency or, in certain circumstances, by a noncriminal justice agency under the
management control of a criminal justice agency.
In light of the increasing desire of governmental agencies to contract with private
entities to perform administration of criminal justice functions, the FBI sought and obtained
approval from the United States Department of Justice (DOJ) to permit such privatization
of traditional law enforcement functions under certain controlled circumstances. In the
Federal Register of May 10, 1999, the FBI published a Notice of Proposed Rulemaking,
announcing as follows:
1. Access to CHRI (Criminal History Record Information] and
Related Information, Subject to Appropriate Controls, by a Private Contractor
Pursuant to a Specific Agreement with an Authorized Governmental Agency
To Perform an Administration of Criminal Justice Function (Privatization).
Section 534 of title 28 of the United States Code authorizes the Attorney
General to exchange identification, criminal identification, crime, and other
records for the official use of authorized officials of the federal government,
the states, cities, and penal and other institutions. This statute also provides,
however, that such exchanges are subject to cancellation if dissemination is
made outside the receiving departments or related agencies. Agencies
authorized access to CHRI traditionally have been hesitant to disclose that
information, even in furtherance of authorized criminal justice functions, to
anyone other than actual agency employees lest such disclosure be viewed as
unauthorized. In recent years, however, governmental agencies seeking
greater efficiency and economy have become increasingly interested in
obtaining support services for the administration of criminal justice from the
private sector. With the concurrence of the FBI's Criminal Justice
Information Services (CJIS) Advisory Policy Board, the DOJ has concluded
that disclosures to private persons and entities providing support services for
criminal justice agencies may, when subject to appropriate controls, properly
be viewed as permissible disclosures for purposes of compliance with 28
U.S.C. 534.
We are therefore proposing to revise 28 CFR 20.33(a)(7) to provide
express authority for such arrangements. The proposed authority is similar to
the authority that already exists in 28 CFR 20.21(b)(3) for state and local
CHRI systems. Provision of CHRI under this authority would only be
permitted pursuant to a specific agreement with an authorized governmental
2/09/2011
H -2
CJ I S D- ITS -DOC -0 8140 -5.0
Wd)
agency for the purpose of providing services for the administration of
criminal justice. The agreement would be required to incorporate a security
addendum approved by the Director of the FBI (acting for the Attorney
General). The security addendum would specifically authorize access to
CHRI, limit the use of the information to the specific purposes for which it is
being provided, ensure the security and confidentiality of the information
consistent with applicable laws and regulations, provide for sanctions, and
contain such other provisions as the Director of the FBI (acting for the
Attorney General) may require. The security addendum, buttressed by
ongoing audit programs of both the FBI and the sponsoring governmental
agency, will provide an appropriate balance between the benefits of
privatization, protection of individual privacy interests, and preservation of
the security of the FBI's CHRI systems.
The FBI will develop a security addendum to be made available to
interested governmental agencies. We anticipate that the security addendum
will include physical and personnel security constraints historically required
by NCIC security practices and other programmatic requirements, together
with personal integrity and electronic security provisions comparable to those
in NCIC User Agreements between the FBI and criminal justice agencies,
and in existing Management Control Agreements between criminal justice
agencies and noncriminal justice governmental entities. The security
addendum will make clear that access to CHRI will be limited to those
officers and employees of the private contractor or its subcontractor who
require the information to properly perform services for the sponsoring
governmental agency, and that the service provider may not access, modify,
use, or disseminate such information for inconsistent or unauthorized
purposes.
Consistent with such intent, Title 28 of the Code of Federal Regulations (C.F.R.)
was amended to read:
§ 20.33 Dissemination of criminal history record information.
a) Criminal history record information contained in the Interstate
Identification Index (III) System and the Fingerprint Identification
Records System (FIRS) may be made available:
1) To criminal justice agencies for criminal justice purposes, which
purposes include the screening of employees or applicants for
employment hired by criminal justice agencies.
2) To noncriminal justice governmental agencies performing criminal
justice dispatching functions or data processing/information services
for criminal justice agencies; and
3) To private contractors pursuant to a specific agreement with an
agency identified in paragraphs (a)(1) or (a)(6) of this section and for
the purpose of providing services for the administration of criminal
justice pursuant to that agreement. The agreement must incorporate a
security addendum approved by the Attorney General of the United
2/09/2011 H -3
CJISD- ITS -DOC- 08140 -5.0
States, which shall specifically authorize access to criminal history
record information, limit the use of the information to the purposes for
which it is provided, ensure the security and confidentiality of the
information consistent with these regulations, provide for sanctions,
and contain such other provisions as the Attorney General may
require. The power and authority of the Attorney General hereunder
shall be exercised by the FBI Director (or the Director's designee).
This Security Addendum, appended to and incorporated by reference in a
government- private sector contract entered into for such purpose, is intended to insure that
the benefits of privatization are not attained with any accompanying degradation in the
security of the national system of criminal records accessed by the contracting private
party. This Security Addendum addresses both concerns for personal integrity and
electronic security which have been addressed in previously executed user agreements and
management control agreements.
A government agency may privatize functions traditionally performed by criminal
justice agencies (or noncriminal justice agencies acting under a management control
agreement), subject to the terms of this Security Addendum. If privatized, access by a
private contractor's personnel to NCIC data and other CJIS information is restricted to only
that necessary to perform the privatized tasks consistent with the government agency's
function and the focus of the contract. If privatized the contractor may not access, modify,
use or disseminate such data in any manner not expressly authorized by the government
agency in consultation with the FBI.
2/09/2011 H-4
CJ IS D- ITS- DOC-0 8140-5.0
\k�i�
FEDERAL BUREAU OF INVESTIGATION
CRIMINAL JUSTICE INFORMATION SERVICES
SECURITY ADDENDUM
The goal of this document is to augment the CJIS Security Policy to ensure adequate
security is provided for criminal justice systems while (1) under the control or management of
a private entity or (2) connectivity to FBI CJIS Systems has been provided to a private entity
(contractor). Adequate security is defined in Office of Management and Budget Circular A-
130 as "security commensurate with the risk and magnitude of harm resulting from the loss,
misuse, or unauthorized access to or modification of information."
The intent of this Security Addendum is to require that the Contractor maintain a
security program consistent with federal and state laws, regulations, and standards (including
the CJIS Security Policy in effect when the contract is executed), as well as with policies and
standards established by the Criminal Justice Information Services (CJIS) Advisory Policy
Board (APB).
This Security Addendum identifies the duties and responsibilities with respect to the
installation and maintenance of adequate internal controls within the contractual relationship
so that the security and integrity of the FBI's information resources are not compromised. The
security program shall include consideration of personnel security, site security, system
security, and data security, and technical security.
The provisions of this Security Addendum apply to all personnel, systems, networks
and support facilities supporting and/or acting on behalf of the government agency.
1.00 Definitions
1.01 Contracting Government Agency (CGA) - the government agency, whether a Criminal
Justice Agency or a Noncriminal Justice Agency, which enters into an agreement with a
private contractor subject to this Security Addendum.
1.02 Contractor - a private business, organization or individual which has entered into an
agreement for the administration of criminal justice with a Criminal Justice Agency or a
Noncriminal Justice Agency.
2.00 Responsibilities of the Contracting Government Agency.
2.01 The CGA will ensure that each Contractor employee receives a copy of the Security
Addendum and the CJIS Security Policy and executes an acknowledgment of such receipt and
the contents of the Security Addendum. The signed acknowledgments shall remain in the
possession of the CGA and available for audit purposes.
3.00 Responsibilities of the Contractor.
3.01 The Contractor will maintain a security program consistent with federal and state laws,
regulations, and standards (including the CJIS Security Policy in effect when the contract is
executed), as well as with policies and standards established by the Criminal Justice
Information Services (CJIS) Advisory Policy Board (APB).
4.00 Security Violations.
4.01 The CGA must report security violations to the CJIS Systems Officer (CSO) and the
Director, FBI, along with indications of actions taken by the CGA and Contractor.
H -5
2/09/2011
CJ I SD- ITS -DOC- 08140 -5.0
IV%
4.02 Security violations can justify termination of the appended agreement.
4.03 Upon notification, the FBI reserves the right to:
a. Investigate or decline to investigate any report of unauthorized use;
b. Suspend or terminate access and services, including telecommunications links.
The FBI will provide the CSO with timely written notice of the suspension.
Access and services will be reinstated only after satisfactory assurances have been
provided to the FBI by the CJA and Contractor. Upon termination, the
Contractor's records containing CHRI must be deleted or returned to the CGA.
5.00 Audit
5.01 The FBI is authorized to perform a final audit of the Contractor's systems after
termination of the Security Addendum.
6.00 Scope and Authority
6.01 This Security Addendum does not confer, grant, or authorize any rights, privileges, or
obligations on any persons other than the Contractor, CGA, CIA (where applicable), CSA,
and FBI.
6.02 The following documents are incorporated by reference and made part of this
agreement: (1) the Security Addendum; (2) the NCIC 2000 Operating Manual; (3) the CJIS
Security Policy; and (4) Title 28, Code of Federal Regulations, Part 20. The parties are also
subject to applicable federal and state laws and regulations.
6.03 The terms set forth in this document do not constitute the sole understanding by and
between the parties hereto; rather they augment the provisions of the CJIS Security Policy to
provide a minimum basis for the security of the system and contained information and it is
understood that there may be terms and conditions of the appended Agreement which impose
more stringent requirements upon the Contractor.
6.04 This Security Addendum may only be modified by the FBI, and may not be modified
by the parties to the appended Agreement without the consent of the FBI.
6.05 All notices and correspondence shall be forwarded by First Class mail to:
Assistant Director
Criminal Justice Information Services Division, FBI
1000 Custer Hollow Road
Clarksburg, West Virginia 26306
2/09/2011
CJIS D- ITS -DOC- 08140 -5.0
M
� lP)
FEDERAL BUREAU OF INVESTIGATION
CRIMINAL JUSTICE INFORMATION SERVICES
SECURITY ADDENDUM
CERTIFICATION
I hereby certify that I am familiar with the contents of (1) the Security Addendum,
including its legal authority and purpose; (2) the NCIC 2000 Operating Manual; (3) the CJIS
Security Policy; and (4) Title 28, Code of Federal Regulations, Part 20, and agree to be bound
by their provisions.
I recognize that criminal history record information and related data, by its very
nature, is sensitive and has potential for great harm if misused. I acknowledge that access to
criminal history record information and related data is therefore limited to the purpose(s) for
which a government agency has entered into the contract incorporating this Security
Addendum. I understand that misuse of the system by, among other things: accessing it
without authorization; accessing it by exceeding authorization; accessing it for an improper
purpose; using, disseminating or re- disseminating information received as a result of this
contract for a purpose other than that envisioned by the contract, may subject me to
administrative and criminal penalties. I understand that accessing the system for an
appropriate purpose and then using, disseminating or re- disseminating the information
received for another purpose other than execution of the contract also constitutes misuse. I
further understand that the occurrence of misuse does not depend upon whether or not I
receive additional compensation for such authorized activity. Such exposure for misuse
includes, but is not limited to, suspension or loss of employment and prosecution for state and
federal crimes.
Printed Name /Signature of Contractor Employee Date
Printed Name /Signature of Contractor Representative Date
Organization and Title of Contractor Representative
2/09/2011
C1IS D- ITS -DOC- 08140 -5.0
H -7
I k(d)
APPENDIX REFERENCES
White House Memo entitled "Designation and Sharing of Controlled Unclassified Information
(CUI), May 9, 2008
[CJIS RA] CJIS Security Policy Risk Assessment Report; August 2008; For Official Use Only,
Prepared by: Noblis; Prepared for: U.S. Department of Justice, Federal Bureau
of Investigation, Criminal Justice Information Services Division, 1000 Custer
Hollow Road, Clarksburg, WV 26306
[FBI SA 8/20061 Federal Bureau of Investigation, Criminal Justice Information Services,
Security Addendum; 8/2006; Assistant Director, Criminal Justice Information
Services, FBI, 1000 Custer Hollow Road, Clarksburg, West Virginia 26306
[FISMA] Federal Information Security Management Act of 2002; House of Representatives
Bill 2458, Title III - Information Security
[FIPS 199] Standards for Security Categorization of Federal Information and Information
Systems; Federal Information Processing Standards Publication, FIPS PUB
199; February 2004
[FIPS 200] Minimum Security Requirements for Federal Information and Information
Systems; Federal Information Processing Standards Publication, FIPS PUB
200; March 2006
[FIPS 201] Personal Identity Verification for Federal Employees and Contractors; Federal
Information Processing Standards Publication, FIPS PUB 201 -1
[NIST SP 800 -14] Generally Accepted Principles and Practices for Securing Information
Technology Systems; NIST Special Publication 800-14
[NIST SP 800 -25] Federal Agency Use of Public Key Technology for Digital Signatures and
Authentication; NIST Special Publication 800-25
[NIST SP 800 -30] Risk Management Guide for Information Technology Systems; NIST
Special Publication 800-36
[NIST SP 800 -321 Introduction to Public Key Technology and the Federal PKI
Infrastructure; NIST Special Publication 800-32
[NIST SP 800 -341 Contingency Planning Guide for Information Technology Systems; NIST
Special Publication 800-34
[NIST SP 800 -351 Guide to Information Technology Security Services; NIST Special
Publication 800-35
[NIST SP 800 -361 Guide to Selecting Information Technology Security Products; NIST
Special Publication 800-36
[NIST SP 800 -39] Managing Riskfrom Information Systems, An Organizational Perspective;
NIST Special Publication 800-39
[NIST SP 800 -401 Procedures for Handling Security Patches; NIST Special Publication 800-
40
[NIST SP 800 -44] Guidelines on Securing Public Web Servers; NIST Special Publication
800-44
2/09/2011
CJ I SD- ITS -DOC- 08140 -5.0
ktw)
[NIST SP 800-451 Guidelines on Electronic Mail Security; NIST Special Publication 800 -45,
Version 2
[NIST SP 800-461 Security for Telecommuting and Broadband Communications; NIST
Special Publication 800-46
[NIST SP 800 -18] Wireless Network Security: 802.11, Bluetooth, and Handheld Devices;
NIST Special Publication 8008
[NIST SP 800 -52] Guidelines on the Selection and Use of Transport Layer Security; NIST
Special Publication 800-52
[NIST SP 800 -53] Recommended Security Controls for Federal Information Systems; NIST
Special Publication 800 -53, Revision 2
[NIST SP 800 -53A] Guide for Assessing the Security Controls in Federal Information
Systems, Building Effective Security Assessment Plans; NIST Special
Publication 800 -53A
[NIST SP 800-601 Guide for Mapping Types of Information and Information Systems to
Security Categories; NIST Special Publication 800 -60, Revision 1, DRAFT
[NIST SP 800-63 -1] Electronic Authentication Guideline; NIST Special Publication 800 -63-
1; DRAFT
[NIST SP 800 -64] NIST Special Publication 800-64
[NIST SP 800 -661 An Introductory Resource Guide for Implementing the Health Insurance
Portability and Accountability Act (HIPAA); NIST Special Publication 800-66
[NIST SP 800-68] Guidance for Securing Microsoft Windows XP Systems for IT
Professionals: A NIST Security Configuration Checklist; NIST Special
Publication 800-68
[NIST SP 800 -70] Security Configuration Checklists Program for IT Products; NIST Special
Publication 800-70
[NIST SP 800 -72] Guidelines on PDA Forensics; NIST Special Publication 800-72
[NIST SP 800 -731 Integrated Circuit Card for Personal Identification Verification; NIST
Special Publication 800 -73; Revision 1
[NIST SP 800 -76] Biometric Data Specification for Personal Identity Verification; NIST
Special Publication 800-76
[NIST SP 800 -77] Guide to IPSec VPNs; NIST Special Publication 800-77
[NIST SP 800 -781 Cryptographic Algorithms and Key Sizes for Personal Identity
Verification; NIST Special Publication 800-78
[NIST SP 800 -81] Secure Domain Name System (DNS) Deployment Guide; NIST Special
Publication 800-81
[NIST SP 800 -841 Guide to Test, Training, and Exercise Programs for IT Plans and
Capabilities; NIST Special Publication 800-84
[NIST SP 800 -86] Guide to Integrating Forensic Techniques into Incident Response•, NIST
Special Publication 800-86
2/09/2011 1 -2
CJISD - ITS -DOC- 08140 -5.0 t( c1
[NIST SP 800 -871 Codes for the Identification of Federal and Federally Assisted Agencies;
NIST Special Publication 800-87
[NIST SP 800 -961 PIV Card /Reader Interoperability Guidelines; NIST Special Publication
800-96
[NIST SP 800 -97] Guide to IEEE 802.11 is Robust Security Networks; NIST Special
Publication 800-97
[NIST SP 800 -1211 Guide to Bluetooth Security, NIST Special Publication 800 -121
[NIST SP 800 -124] Guidelines on Cell Phone and PDA Security, NIST Special Publication
800 -124
[OMB A -1301 Management of Federal Information Resources; Circular No. A -130; Revised;
February 8, 1996
[OMB M -04-041 E- Authentication Guidance for Federal Agencies; OMB Memo 04-04;
December 16, 2003
[OMB M-06-15] Safeguarding Personally Identifiable Information; OMB Memo 06-15;
May 22, 2006
[OMB M- 06-16] Protection of Sensitive Agency Information; OMB Memo 06-16; June 23,
2006
[OMB M- 06-191 Reporting Incidents Involving Personally Identifiable Information and
Incorporating the Cost for Security in Agency Information Technology
Investments; OMB Memo 06-19; July 12, 2006
[OMB M -07 -16] Safeguarding Against and Responding to the Breach of Personally
Identifiable Information; OMB Meme 07 -16; May 22, 2007
[Surviving Security] Surviving Security: How to Integrate People, Process, and Technology;
Second Edition; 2004
[USC Title 5, Section 5521 Public information; agency rules, opinions, orders, records, and
proceedings; United States Code, Title 5 - Government Agency and
Employees, Part I - The Agencies Generally, Chapter 5 - Administrative
Procedure, Subchapter II - Administrative Procedure, Section 552. Public
information; agency rules, opinions, orders, records, and proceedings
[USC Title 44, Section 3506] Federal Information Policy; 01/02/2006; United States Code,
Title 44 - Public Printing and Documents; Chapter 35 - Coordination of
Federal Information Policy; Subchapter I - Federal Information Policy, Section
3506
2/09/2011
CJISD- ITS -DOC- 08140 -5.0
1 -3
APPENDIX J NONCRIMINAL JUSTICE AGENCY
SUPPLEMENTAL GUIDANCE
This supplemental guidance for noncriminal justice agencies (NCJA) is provided
specifically for those whose only access to FBI CJIS data is authorized by legislative
enactment or federal executive order to request civil fingerprint -based background checks for
licensing, employment, or other noncriminal justice purposes, via their State Identification
Bureau and/or Channeling agency. This guidance does not apply to criminal justice agencies
covered under an active user agreement with the FBI CJIS Division for direct connectivity to
the FBI CJIS Division via the FBI CJIS Wide Area Network. Examples of the target audience
for this supplemental guidance include school boards, banks, medical boards, gaming
commissions, alcohol and tobacco control boards, social services agencies, pharmacy boards,
etc. The information below identifies the sections of the CJIS Security Policy most closely
related to the NCJA's limited scope of interaction with CJI.
1. The following CJIS Security Policy sections comprise the minimum standard
requirements in all situations:
a. 3.2.9 — Local Agency Security Officer (LASO)
b. 5.1.1.6 — Agency User Agreements
c. 5.1.1.7 — Security and Management Control Outsourcing Standard*
d. 5.1.3 — Secondary Dissemination
e. 5.2.1.1 — Security Awareness Training
f. 5.3 — Incident Response
g. 5.4.6 — Audit Record Retention
h. 5.8 — Media Protection
i. 5.9.2 — Controlled Area
j. 5.11 — Formal Audits"
k. 5.12 — Personnel Security * **
* Note: Outsourcing Standard applies when contracting with channeling or
outsourcing agency.
* *Note: States shall periodically conduct audits of NCJAs. The FBI CJIS Division
shall triennially conduct audits of a sampling of NCJAs.
* ** Note: See the National Crime Prevention and Privacy Compact Council's
Outsourcing Standard for Contractor background check requirements.
2. Agencies located within states having passed legislation authorizing or requiring civil
fingerprint -based background checks for personnel with access to criminal history
record information for the purposes of licensing or employment shall follow the
guidance in section 5.12. Agencies located within states without this authorization or
2/09/2011 1-1
C A S D- ITS - DOC- 08140 -5.0
�lCd)
requirement are exempted from the fingerprint -based background check requirement
until such time as appropriate legislation has been written into law.
3. When receiving CJI via encrypted e-mail or downloading from a web -site and
subsequently storing the information as an encrypted electronic image Authorized
Recipients should, in addition to all of the aforementioned sections, focus on
compliance with policy sections:
a. 5.5.2.4 — Access Control — Encryption
b. 5.6 — Identification and Authentication (web -site access)
c. 5.10.1.2 — System and Communications Protection — Encryption
4. When receiving CJI via e -mail or retrieving CJI from a website and subsequently
storing the CJI electronically, Authorized Recipients should, in addition to l.a —l.k
above, focus on compliance with policy sections:
a. 5.5.2.4 — Access Control — Encryption
b. 5.6 — Identification and Authentication
c. 5.7 — Configuration Management
d. 5.10 —System and Communications Protection and Information Integrity
5. If an NCJA further disseminates CJI via encrypted e -mail to Authorized Recipients,
located outside the NCJA's designated controlled area, the NCJA should, in addition
to l.a -3.c above, focus on compliance with policy sections:
a. 5.7 — Configuration Management
b. 5.10 —System and Communications Protection and Information Integrity
6. If an NCJA further disseminates CJI via secure website posting to Authorized
Recipients, located outside the NCJA's designated controlled area, the NCJA should
focus on all sections outlined in l .a -4.d above.
2/09/2011
CJIS D- ITS -DOC- 08140 -5.0
1 -2
11(d)
APPENDIX K CRIMINAL JUSTICE AGENCY
SUPPLEMENTAL GUIDANCE
This supplemental guidance is directed toward those criminal justice agencies that
have historically not been subject to audit under the CJIS Security Policy guidelines. The
target audience typically gains access to CJI via fax, hardcopy distribution or voice calls; does
not have the capability to query state or national databases for criminal justice information;
and, may have been assigned an originating agency identifier (ORI) but is dependent on other
agencies to run queries on their behalf. This guidance does not apply to criminal justice
agencies covered under an active information exchange agreement with another agency for
direct or indirect connectivity to the state CSA — in other words those agencies traditionally
identified as "terminal agencies ". The information below identifies the sections of the CJIS
Security Policy the target audience will most often encounter:
1. The following CJIS Security Policy sections comprise the minimum standard
requirements in all situations:
a. 3.2.9 — Local Agency Security Officer (LASO)
b. 5.1.1.3 — Criminal Justice Agency User Agreements
c. 5.1.3 — Secondary Dissemination
d. 5.2.1.1 — Security Awareness Training
e. 5.3 — Incident Response
f. 5.4.6 — Audit Record Retention
g. 5.8 — Media Protection
h. 5.9 — Physical Security
i. 5.10.2 — Facsimile Transmission of CJI
j. 5.11 — Formal Audits*
k. 5.12 — Personnel Security
*Note: States shall triennially audit all CJAs
2. When receiving CJI via encrypted e-mail or downloading from a web -site and
subsequently storing the information as an encrypted electronic image Authorized
Recipients should, in addition to all of the aforementioned sections, focus on
complying with policy sections:
a. 5.5.2.4 — Access Control — Encryption
b. 5.6 — Identification and Authentication
c. 5.10.1.2 — System and Communications Protection — Encryption
2/09/2011 K -1
C ISD- ITS -DOC- 08140 -5.0
l lcd )
3. When receiving CH via e -mail or retrieving CJI from a website and subsequently
storing the CJI electronically, Authorized Recipients should, in addition to l.a —l.k
above, focus on complying with policy sections:
a. 5.5.2.4 — Access Control — Encryption
b. 5.6 — Identification and Authentication
c. 5.7 — Configuration Management
d. 5.10— System and Communications Protection and Information Integrity
2/09/2011 K 2
C11SD- ITS -DOC- 08140 -5.0 `k�d
146B.01, 2011 Minnesota Statutes
2011 Minnesota Statutes
146B.01 DEFINITIONS.
Page 1 of 3
Subdivision 1. Scope. The terms defined in this section apply to this chapter.
Subd. 2. Aftercare. "Aftercare" means written instructions given to a client, specific to the
procedure rendered, on caring for the body art and surrounding area. These instructions must
include information on when to seek medical treatment.
Subd. 3. Antiseptic. "Antiseptic" means an agent that destroys disease - causing microorganisms
on human skin or mucosa.
Subd. 4. Body art. "Body art" or "body art procedures" means physical body adornment using,
but not limited to, tattooing and body piercing. Body art does not include practices and procedures
that are performed by a licensed medical or dental professional if the procedure is within the
professional's scope of practice.
Subd. 5. Body art establishment. "Body art establishment" or "establishment" means any
structure or venue, whether permanent, temporary, or mobile, where body art is performed.
Mobile establishments include vehicle- mounted units, either motorized or trailered, and readily
moveable without dissembling and where body art procedures are regularly performed in more
than one geographic location.
Subd. 6. Body piercing. "Body piercing" means the penetration or puncturing of the skin by any
method for the purpose of inserting jewelry or other objects in or through the body. Body piercing
also includes branding, scarification, suspension, subdermal implantation, microdermal, and
tongue bifurcation. Body piercing does not include the piercing of the outer perimeter or the lobe
of the ear using a presterilized single -use stud - and -clasp ear - piercing system.
Subd. 7. Branding. "Branding" means an indelible mark burned into the skin using instruments
of thermal cautery, radio hyfrecation, and strike branding.
Subd. 8. Commissioner. "Commissioner" means the commissioner of health.
Subd. 9. Contaminated waste. "Contaminated waste" means any liquid or semiliquid blood or
other potentially infectious materials; contaminated items that would release blood or other
potentially infectious materials in a liquid or semiliquid state if compressed; items that are caked
with dried blood or other potentially infectious materials and are capable of releasing these
materials during handling; and sharps and any wastes containing blood and other potentially
infectious materials, as defined in Code of Federal Regulations, title 29, section 1910.1030,
known as "Occupational Exposure to Bloodborne Pathogens."
Subd. 10. Department. "Department" means the Department of Health.
Subd. 11. Equipment. "Equipment" means all machinery, including fixtures, containers,
vessels, tools, devices, implements, furniture, display and storage areas, sinks, and all other
apparatus and appurtenances used in the operation of a body art establishment.
Subd. 12. Guest artist. "Guest artist" means an individual who performs body art procedures
according to the requirements under section 146B.04.
Subd. 13. Hand sink. "Hand sink" means a sink equipped with potable hot and cold water held
under pressure, used for washing hands, wrists, arms, or other portions of the body.
1 I Ce)
https: / /www. revisor .mn.gov /statutes / ?id= 146B.01 6/28/2012
14613.01, 2011 Minnesota Statutes Page 3 of 3
Subd. 30. Tattooing. "Tattooing" means any method of placing indelible ink or other pigments
into or under the skin or mucosa with needles or any other instruments used to puncture the skin,
resulting in permanent coloration of the skin or mucosa. Tattooing also includes
micropigmentation and cosmetic tattooing.
Subd. 31. Technician. "Technician" or "body art technician" means any individual who is
licensed under this chapter as a tattoo technician or as a body piercing technician or as both.
Subd. 32. Temporary body art establishment. "Temporary body art establishment" means any
place or premise operating at a fixed location where an operator performs body art procedures for
no more than 21 days in conjunction with a single event or celebration.
Subd. 33. Tongue bifurcation. "Tongue bifurcation" means the cutting of the tongue from the
tip to the base, forking at the end.
History: 2010 c 317 s 1
I I CO
https: / /www. revisor .mn.gov /statutes / ?id= 146B.01 6/28/2012
146B.02, 2011 Minnesota Statutes Page 1 of 2
2011 Minnesota Statutes
146B.02 ESTABLISHMENT LICENSE PROCEDURES.
Subdivision 1. General. Beginning January 1, 2011, no person acting individually or jointly
with any other person may maintain, own, or operate a body art establishment in the state without
an establishment license issued by the commissioner in accordance with this chapter, except as
permitted under subdivision 8 or 9.
Subd. 2. Requirements. (a) Each application for an initial establishment license and for renewal
must be submitted to the commissioner on a form provided by the commissioner accompanied
with the applicable fee required under section 146B.10. The application must contain:
(1) the name(s) of the owner(s) and operator(s) of the establishment;
(2) the location of the establishment;
(3) verification of compliance with all applicable local and state codes;
(4) a description of the general nature of the business; and
(5) any other relevant information deemed necessary by the commissioner.
(b) The commissioner shall issue a provisional establishment license effective until the
commissioner determines after inspection that the applicant has met the requirements of this
chapter. Upon approval, the commissioner shall issue a body art establishment license effective
for three years.
Subd. 3. Inspection. (a) Within the period of the provisional establishment license, and
thereafter at least one time during each three -year licensure period, the commissioner shall
conduct an inspection of the body art establishment and a review of any records necessary to
ensure that the standards required under this chapter are met.
(b) The commissioner shall have the authority to enter a premises to make an inspection.
Refusal to permit an inspection constitutes valid grounds for licensure denial or revocation.
(c) If the establishment seeking licensure is new construction or if a licensed establishment is
remodeling, the establishment must meet all local building and zoning codes.
Subd. 4. Location restricted. No person may perform a body art procedure at any location other
than a body art establishment licensed under this chapter except as permitted under subdivisions 8
and 9.
Subd. 5. Transfer and display of license. A body art establishment license must be issued to a
specific person and location and is not transferable. A license must be prominently displayed in a
public area of the establishment.
Subd. 6. Establishment information. The following information must be kept on file for three
years on the premises of the establishment and must be made available for inspection upon request
by the commissioner:
(1) a description of all body art procedures performed by the establishment;
(2) copies of the spore tests conducted on each sterilizer; and
https://www.revisor.mn.gov/statutes/?id=146B.02
Ce)
6/28/2012
14613.02, 2011 Minnesota Statutes Page 2 of 2
(3) the following information for each technician or guest artist employed or performing body
art procedures in the establishment:
(i) name;
(ii) home address;
(iii) home telephone number;
(iv) date of birth;
(v) copy of an identification photo; and
(vi) license number or guest artist license number.
Subd. 7. Establishments located in a private residence. If the body art establishment is located
within a private residence, the space where the body art procedures are performed must:
(1) be completely partitioned off,
(2) be exclusively used for body art procedures, except for licensed practices under chapter
155A which must be performed in compliance with the health and safety standards in this chapter;
(3) be separate from the residential living, eating, and bathroom areas;
(4) have a separate and secure entrance accessible without entering the residential living,
eating, and bathroom areas;
(5) meet the standards of this chapter; and
(6) be made available for inspection upon the request of the commissioner.
Subd. 8. Temporary events permit. (a) An owner or operator of a temporary body art
establishment shall submit an application for a temporary events permit to the commissioner at
least 14 days before the start of the event. The application must include the specific days and
hours of operation. The owner or operator shall comply with the requirements of this chapter.
(b) The temporary events permit must be prominently displayed in a public area at the
location.
(c) The temporary events permit, if approved, is valid for the specified dates and hours listed
on the application. No temporary events permit shall be issued for longer than a 21 -day period,
and may not be extended.
Subd. 9. Exception. (a) Any body art establishment located within a county or municipal
jurisdiction that has enacted an ordinance that establishes licensure for body art establishments
operating within the jurisdiction shall be exempt from this chapter if the provisions of the
ordinance meet or exceed the provisions of this chapter. Any county or municipal jurisdiction that
maintains an ordinance that meets this exception may limit the types of body art procedures that
may be performed in body art establishments located within its jurisdiction.
(b) Any individual performing body art procedures in an establishment that meets an
exception under this subdivision must be licensed as a body art technician under this chapter.
History: 2010 c 317 s 2
10
https: / /www. revisor .mn.gov /statutes / ?id= 146B.02 6/28/2012
14613.03, 2011 Minnesota Statutes
2011 Minnesota Statutes
146B.03 LICENSURE FOR BODY ART TECHNICIANS.
Page 1 of 3
Subdivision 1. Licensure required. (a) Effective January 1, 2011, no individual may perform
tattooing unless the individual holds a valid tattoo technician license issued by the commissioner
under this chapter, except as provided in subdivision 3.
(b) Effective January 1, 2011, no individual may perform body piercing unless the individual
holds a valid body piercing technician license issued by the commissioner under this chapter,
except as provided in subdivision 3.
(c) If an individual performs both tattooing and body piercing, the individual must hold a
valid dual body art technician license.
Subd. 2. Designation. (a) No individual may use the title of "tattooist," "tattoo artist," "tattoo
technician," "body art practitioner," "body art technician," or other letters, words, or titles in
connection with that individual's name which in any way represents that the individual is engaged
in the practice of tattooing or authorized to do so, unless the individual is licensed and authorized
to perform tattooing under this chapter.
(b) No individual may use the title "body piercer," "body piercing artist," "body art
practitioner," "body art technician," or other letters, words, or titles in connection with that
individual's name which in any way represents that the individual is engaged in the practice of
body piercing or authorized to do so, unless the individual is licensed and authorized to perform
body piercing under this chapter.
(c) Any representation made to the public by a licensed technician must specify the types of
body art procedures the technician is licensed to perform.
Subd. 3. Exceptions. (a) The following individuals may perform body art procedures within the
scope of their practice without a technician's license:
(1) a physician licensed under chapter 147;
(2) a nurse licensed under sections 148.171 to 148.285;
(3) a chiropractor licensed under chapter 148;
(4) an acupuncturist licensed under chapter 14713;
(5) a physician's assistant licensed under chapter 147A; or
(6) a dental professional licensed under chapter 150A.
(b) A guest artist under section 14613.04 may perform body art procedures in accordance with
the requirements of section 14613.04.
Subd. 4. Licensure requirements. An applicant for licensure under this section shall submit to
the commissioner on a form provided by the commissioner:
(1) proof that the applicant is over the age of 18;
(2) the type of license the applicant is applying for;
(3) all fees required under section 14613.10;
https://www.revisor.mn.gov/statutes/?id=146B.03
Ii(G)
6/28/2012
14613.03, 2011 Minnesota Statutes Page 2 of 3
(4) proof of completing a minimum of 200 hours of supervised experience within each area
for which the applicant is seeking a license, and must include an affidavit from the supervising
licensed technician;
(5) proof of having satisfactorily completed coursework within the year preceding application
and approved by the commissioner on bloodborne pathogens, the prevention of disease
transmission, infection control, and aseptic technique. Courses to be considered for approval by
the commissioner may include, but are not limited to, those administered by one of the following:
(i) the American Red Cross;
(ii) United States Occupational Safety and Health Administration (OSHA); or
(iii) the Alliance of Professional Tattooists; and
(6) any other relevant information requested by the commissioner.
Subd. 5. Action on licensure applications. (a) The commissioner shall notify the applicant in
writing of the action taken on the application. If the application is approved, the commissioner
shall issue a tattoo technician license, a body piercing technician license, or a dual body art
technician license.
(b) If licensure is denied, the applicant must be notified of the determination and the grounds
for it, and the applicant may request a hearing under chapter 14 on the determination by filing a
written statement with the commissioner within 30 days after receipt of the notice of denial. After
the hearing, the commissioner shall notify the applicant in writing of the decision.
Subd. 6. Licensure term; renewal. (a) A technician's license is valid for two years from the
date of issuance and may be renewed upon payment of the renewal fee established under section
146B.10.
(b) At renewal, a licensee must submit proof of continuing education approved by the
commissioner in the areas identified in subdivision 4, clause (5).
Subd. 7. Temporary licensure. (a) The commissioner may issue a temporary license to an
applicant who submits to the commissioner on a form provided by the commissioner:
(1) proof that the applicant is over the age of 18;
(2) all fees required under section 148B.10; and
(3) a letter from a licensed technician who has agreed to provide the supervision to meet the
supervised experience requirement under subdivision 4, clause (4).
(b) Upon completion of the required supervised experience, the temporary licensee shall
submit documentation of satisfactorily completing the requirements under subdivision 4, clauses
(3) and (4), and the applicable fee under section 146B.10. The commissioner shall issue a new
license in accordance with subdivision 4.
(c) A temporary license issued under this subdivision is valid for one year and may be
renewed for one additional year.
Subd. 8. License by reciprocity. The commissioner shall issue a technician's license to a person
who holds a current license, certification, or registration from another state if the commissioner
https://www.revisor.mn.gov/statutes/?id=146B.03
o (e)
6/28/2012
14613.03, 2011 Minnesota Statutes Page 3 of 3
determines that the standards for licensure, certification, or registration in the other jurisdiction
meet or exceed the requirements for licensure stated in this chapter and a letter is received from
that jurisdiction stating that the applicant is in good standing.
Subd. 9. Transfer and display of license. A license issued under this section is not transferable
to another individual. A valid license must be displayed at the establishment site and available to
the public upon request.
Subd. 10. Transition period. Until January 1, 2012, the supervised experience requirement
under subdivision 4, clause (4), shall be waived by the commissioner if the applicant submits to
the commissioner evidence satisfactory to the commissioner that:
(1) the applicant has performed at least 2,080 hours within the last five years in the body art
area in which the applicant is seeking licensure; or
(2) the applicant completed more than 1,040 hours but less than 2,080 hours within the last
five years in the body art area in which the applicant is seeking licensure and has successfully
completed at least six hours of coursework provided by one of the following entities: Alliance of
Professional Tattooists, Association of Professional Piercers, or Compliance Solutions
International.
History: 2010 c 317 s 3; 2011 c 110 art 2 s 1,2
https: / /www. revisor .mn.gov /statutes / ?id= 146B.03
��(O
6/28/2012
146B.04, 2011 Minnesota Statutes
2011 Minnesota Statutes
146B.04 TEMPORARY LICENSURE FOR GUEST ARTISTS.
Page 1 of 1
Subdivision 1. General. Before an individual may work as a guest artist, the commissioner shall
issue a temporary license to the guest artist. The guest artist shall submit an application to the
commissioner on a form provided by the commissioner. The form must include:
(1) the name, home address, and date of birth of the guest artist;
(2) the name of the licensed technician sponsoring the guest artist;
(3) proof of having satisfactorily completed coursework within the year preceding application
and approved by the commissioner on bloodborne pathogens, the prevention of disease
transmission, infection control, and aseptic technique;
(4) the starting and anticipated completion dates the guest artist will be working; and
(5) a copy of any current body art credential or licensure issued by another local or state
jurisdiction.
Subd. 2. Guest artists. A guest artist may not conduct body art procedures for more than 30
days per calendar year. If the guest artist exceeds this time period, the guest artist must apply for a
technician's license under section 14613.03.
History: 2010 c 317 s 4; 2011 c 110 art 2 s 3
https: / /www. revisor .mn.gov /statutes / 9*id= 146B.04
t(e)
6/28/2012
14613.05, 2011 Minnesota Statutes
2011 Minnesota Statutes
Page 1 of 1
146B.05 GROUNDS FOR DENIAL OF AN ESTABLISHMENT LICENSE OR EMERGENCY
CLOSURE.
Subdivision 1. General. If any of the following conditions exist, the owner or operator of a
licensed establishment may be ordered by the commissioner to discontinue all operations of a
licensed body art establishment or the commissioner may refuse to grant or renew, suspend, or
revoke licensure:
(1) evidence of a sewage backup in an area of the body art establishment where body art
activities are conducted;
(2) lack of potable, plumbed, or hot or cold water to the extent that handwashing or toilet
facilities are not operational;
(3) lack of electricity or gas service to the extent that handwashing, lighting, or toilet
facilities are not operational;
(4) significant damage to the body art establishment due to tornado, fire, flood, or another
disaster;
(5) evidence of an infestation of rodents or other vermin;
(6) evidence of any individual performing a body art procedure without a license as required
under this chapter;
(7) evidence of existence of a public health nuisance;
(8) use of instruments or jewelry that are not sterile;
(9) failure to maintain required records;
(10) failure to use gloves as required;
(11) failure to properly dispose of sharps, blood or body fluids, or items contaminated by
blood or body fluids;
(12) failure to properly report complaints of potential bloodborne pathogen transmission to
the commissioner; or
(13) evidence of a positive spore test on the sterilizer if there is no other working sterilizer
with a negative spore test in the establishment.
Subd. 2. Licensure or reopening requirements. Prior to license approval or renewal or the
reopening of the establishment, the establishment shall submit to the commissioner satisfactory
proof that the problem condition causing the need for the licensure action or emergency closure
has been corrected or removed by the operator of the establishment. A body art establishment may
not reopen without the written approval of the commissioner and a valid establishment license.
History: 2010 c 317 s 5
1k(t)
https: / /www. revisor .mn.gov /statutes / ?id= 146B.05 6/28/2012
14613.06, 2011 Minnesota Statutes
->n-ii Minnesota Statutes
146B.06 HEALTH AND SAFETY STANDARDS.
Page 1 of 3
Subdivision 1. Establishment standards. (a) The body art establishment must meet the health
and safety standards in this subdivision before a licensed technician may conduct body art
procedures at the establishment.
(b) The procedure area must be separated from any other area that may cause potential
contamination of work surfaces.
(c) For clients requesting privacy, at a minimum, a divider, curtain, or partition must be
provided to separate multiple procedure areas.
(d) All procedure surfaces must be smooth, nonabsorbent, and easily cleanable.
(e) The establishment must have an accessible hand sink equipped with:
(1) liquid hand soap;
(2) single -use paper towels or a mechanical hand drier or blower; and
(3) a nonporous washable garbage receptacle with a foot - operated lid or with no lid and a
removable liner.
(t) All ceilings in the body art establishment must be in good condition.
(g) All walls and floors must be free of open holes or cracks and be washable and no
carpeting may be in areas used for body art procedures unless the carpeting is entirely covered
with a rigid, nonporous, easily cleanable material.
(h) All facilities within the establishment must be maintained in a clean and sanitary
condition and in good working order.
(i) No animals may be present during a body art procedure, unless the animal is a service
animal.
Subd. 2. Standards for equipment, instruments, and supplies. (a) Equipment, instruments, and
supplies must comply with the health and safety standards in this subdivision before a licensed
technician may conduct body art procedures.
(b) Jewelry used as part of a body art procedure must be made of surgical implant -grade
stainless steel, solid 14 -karat or 18 -karat white or yellow gold, niobium, titanium, or platinum, or
a dense low- porosity plastic. Use of jewelry that is constructed of wood, bone, or other porous
material is prohibited.
(c) Jewelry used as part of a body art procedure must be free of nicks, scratches, or irregular
surfaces and must be properly sterilized before use.
(d) Reusable instruments must be thoroughly washed to remove all organic matter, rinsed,
and sterilized before and after use.
(e) Needles must be single -use needles and sterilized before use.
(f) Sterilization must be conducted using steam heat or chemical vapor.
at)
https: / /www.revisor.mn.gov /statutes / ?id= 146B.06 6/28/2012
14613.06, 2011 Minnesota Statutes
Page 2 of 3
(g) All sterilization units must be operated according to the manufacturer's specifications.
(h) At least once a month, but not to exceed 30 days between tests, a spore test must be
conducted on each sterilizer used to ensure proper functioning. If a positive spore test result is
received, the sterilizer at issue may not be used until a negative result is obtained.
(i) All inks and other pigments used in a body art procedure must be specifically
manufactured for tattoo procedures.
0) Immediately before applying a tattoo, the ink needed must be transferred from the ink
bottle and placed into single -use paper or plastic cups. Upon completion of the tattoo, the single -
use cups and their contents must be discarded.
(k) All tables, chairs, furniture, or other procedure surfaces that may be exposed to blood or
body fluids during the body art procedure must be cleanable and must be sanitized after each
client with a liquid chemical germicide.
(1) Single -use towels or wipes must be provided to the client. These towels must be dispensed
in a manner that precludes contamination and disposed of in a nonporous washable garbage
receptacle with a foot - operated lid or with no lid and a removal liner.
(m) All bandages and surgical dressings used must be sterile or bulk - packaged clean and
stored in a clean, closed nonporous container.
(n) All equipment and instruments must be maintained in good working order and in a clean
and sanitary condition.
(o) All instruments and supplies must be stored clean and dry in covered containers.
(p) Single -use disposable barriers or a chemical germicide must be used on all equipment that
cannot be sterilized as part of the procedure as required under this section including, but not
limited to, spray bottles, procedure light fixture handles, and tattoo machines.
Subd. 3. Standards for body art procedures. (a) All body art procedures must comply with the
health and safety standards in this subdivision.
(b) The skin area subject to a body art procedure must be thoroughly cleaned with soap and
water, rinsed thoroughly, and swabbed with an antiseptic solution. Only single -use towels or
wipes may be used to clean the skin.
(c) Whenever it is necessary to shave the skin, a new disposable razor or a stainless steel
straight edge must be used. The disposable razor must be discarded after use. The stainless steel
straight edge must be thoroughly washed to remove all organic matter and sterilized before use on
another client.
(d) No body art procedure may be performed on any area of the skin where there is an evident
infection, irritation, or open wound.
(e) Single -use nonabsorbent gloves of adequate size and quality to preserve dexterity must be
used for touching clients, for handling sterile instruments, or for handling blood or body fluids.
Nonlatex gloves must be used with clients or employees who request them or when petroleum
products are used. Gloves must be changed if a glove becomes damaged or comes in contact with
any nonclean surface or objects or with a third person. At a minimum, gloves must be discarded
,0
https: / /www. revisor .mn.gov /statutes / ?id= 146B.06 6/28/2012
14613.06, 2011 Minnesota Statutes Page 3 of 3
after the completion of a procedure on a client. Upon leaving the procedure area, hands and wrists
must be washed before putting on a clean pair of gloves and after removing a pair of gloves.
Subd. 4. Standards for technicians. (a) Technicians must comply with the health and safety
standards in this subdivision.
(b) Technicians must scrub their hands and wrists thoroughly before and after performing a
body art procedure, after contact with the client receiving the procedure, and after contact with
potentially contaminated materials.
(c) A technician may not smoke, eat, or drink while performing body art procedures.
(d) A technician may not perform a body art procedure if the technician has any open sores
visible or in a location that may come in contact with the client.
Subd. 5. Contamination standards. (a) Infectious waste and sharps must be managed according
to sections 116.76 to 116.83 and must be disposed of by an approved infectious waste hauler at a
site permitted to accept the waste, according to Minnesota Rules, parts 7035.9100 to 7035.9150.
Sharps ready for disposal must be disposed of in an approved sharps container.
(b) Contaminated waste that may release liquid blood or body fluids when compressed or that
may release dried blood or body fluids when handled must be placed in an approved red bag that
is marked with the international biohazard symbol.
(c) Contaminated waste that does not release liquid blood or body fluids when compressed or
handled may be placed in a covered receptacle and disposed of through normal approved disposal
methods.
(d) Storage of contaminated waste on site must not exceed the overflow level of any
container.
History: 2010 c 317 s 6; 2011 c 110 art 2 s 4
�qt)
https: / /www. revisor .mn.gov /statutes / ?id= 146B.06 6/28/2012
146B.07, 2011 Minnesota Statutes Page 1 of 3
2oii Minnesota Statutes
146B.07 PROFESSIONAL STANDARDS.
Subdivision 1. Proof of age. (a) A technician shall require proof of age before performing any
body art procedure on a client. Proof of age must be established by one of the following methods:
(1) a valid driver's license or identification card issued by the state of Minnesota or another
state that includes a photograph and date of birth of the individual;
(2) a valid military identification card issued by the United States Department of Defense;
(3) a valid passport;
(4) a resident alien card; or
(5) a tribal identification card.
(b) Before performing any body art procedure, the technician must provide the client with a
disclosure and authorization form that indicates whether the client has:
(1) diabetes;
(2) a history of hemophilia;
(3) a history of skin diseases, skin lesions, or skin sensitivities to soap or disinfectants;
(4) a history of epilepsy, seizures, fainting, or narcolepsy;
(5) any condition that requires the client to take medications such as anticoagulants that thin
the blood or interfere with blood clotting; or
(6) any other information that would aid the technician in the body art procedure process
evaluation.
(c) The form must include a statement informing the client that the technician shall not
perform a body art procedure if the client fails to complete or sign the disclosure and
authorization form, and the technician may decline to perform a body art procedure if the client
has any identified health conditions.
(d) The technician shall ask the client to sign and date the disclosure and authorization form
confirming that the information listed on the form is accurate.
(e) Before performing any body art procedure, the technician shall offer and make available
to the client personal draping, as appropriate.
Subd. 2. Parent or legal guardian consent; prohibitions. (a) A technician may perform body
piercings on an individual under the age of 18 if the individual's parent or legal guardian is
present and a consent form and the authorization form under subdivision 1, paragraph (b) is
signed by the parent or legal guardian in the presence of the technician, and the piercing is not
prohibited under paragraph (c).
(b) No technician shall tattoo any individual under the age of 18 regardless of parental or
guardian consent.
,4)
https: / /www. revisor .mn.gov /statutes / 9*id= 146B.07 6/28/2012
146B.07, 2011 Minnesota Statutes Page 2 of 3
(c) No nipple or genital piercing, branding, scarification, suspension, subdermal implantation,
microdermal, or tongue bifurcation shall be performed by any technician on any individual under
the age of 18 regardless of parental or guardian consent.
(d) No technician shall perform body art procedures on any individual who appears to be
under the influence of alcohol, controlled substances as defined in section 152.01, subdivision 4,
or hazardous substances as defined in rules adopted under chapter 182.
(e) No technician shall perform body art procedures while under the influence of alcohol,
controlled substances as defined under section 152.01, subdivision 4, or hazardous substances as
defined in the rules adopted under chapter 182.
(f) No technician shall administer anesthetic injections or other medications.
Subd. 3. Informed consent. Before performing a body art procedure, the technician shall obtain
from the client a signed and dated informed consent form. The consent form must disclose:
(1) that a tattoo is considered permanent and may only be removed with a surgical procedure
and that any effective removal may leave scarring; or
(2) that body piercing may leave scarring.
Subd. 4. Client record maintenance. For each client, the body art establishment operator shall
maintain proper records of each procedure. The records of the procedure must be kept for three
years and must be available for inspection by the commissioner upon request. The record must
include the following:
(1) the date of the procedure;
(2) the information on the required picture identification showing the name, age, and current
address of the client;
(3) a copy of the authorization form signed and dated by the client required under subdivision
1, paragraph (b);
(4) a description of the body art procedure performed;
(5) the name and license number of the technician performing the procedure;
(6) a copy of the consent form required under subdivision 3; and
(7) if the client is under the age of 18 years, a copy of the consent form signed by the parent
or legal guardian as required under subdivision 2.
Subd. 5. Aftercare. A technician shall provide each client with verbal and written instructions
for the care of the tattooed or pierced site upon the completion of the procedure. The written
instructions must advise the client to consult a health care professional at the first sign of
infection.
Subd. 6. State and local public health regulations. An operator and technician shall comply
with all applicable state, county, and municipal requirements regarding public health.
Subd. 7. Notification. The operator of the body art establishment shall immediately notify the
commissioner and local health authority of any reports they receive of a potential bloodborne
pathogen transmission.
ob)
https: / /www. revisor .mn.gov /statutes / ?id= 146B.07 6/28/2012
146B.07, 2011 Minnesota Statutes Page 3 of 3
History: 2010 c 317 s 7
1 \0
https: / /www.revisor.mn.gov /statutes / ?id= 146B.07 6/28/2012
14613.08, 2011 Minnesota Statutes
2oii Minnesota Statutes
146B.08 INVESTIGATION AND GROUNDS FOR DISCIPLINARY ACTION.
Page 1 of 2
Subdivision 1. Investigations of complaints. The commissioner may initiate an investigation
upon receiving a signed complaint or other signed written communication that alleges or implies
that an individual or establishment has violated this chapter. According to section 214.13,
subdivision 6, in the receipt, investigation, and hearing of a complaint that alleges or implies an
individual or establishment has violated this chapter, the commissioner shall follow the
procedures in section 214.10.
Subd. 2. Rights of applicants and licensees. The rights of an applicant denied licensure are
stated in section 14613.03, subdivision 5. A licensee may not be subjected to disciplinary action
under this section without first having an opportunity for a contested case hearing under chapter
14.
Subd. 3. Grounds for disciplinary action. The commissioner may take any of the disciplinary
actions listed in subdivision 4 on proof that a technician or an operator of an establishment has:
(1) intentionally submitted false or misleading information to the commissioner;
(2) failed, within 30 days, to provide information in response to a written request by the
commissioner;
(3) violated any provision of this chapter;
(4) failed to perform services with reasonable judgment, skill, or safety due to the use of
alcohol or drugs, or other physical or mental impairment;
(5) aided or abetted another person in violating any provision of this chapter;
(6) been or is being disciplined by another jurisdiction, if any of the grounds for the
discipline are the same or substantially equivalent to those under this chapter;
(7) not cooperated with the commissioner in an investigation conducted according to
subdivision 1;
(8) advertised in a manner that is false or misleading;
(9) engaged in conduct likely to deceive, defraud, or harm the public;
(10) demonstrated a willful or careless disregard for the health, welfare, or safety of a client;
(11) obtained money, property, or services from a client through the use of undue influence,
harassment, duress, deception, or fraud;
(12) failed to refer a client to a health care professional for medical evaluation or care when
appropriate; or
(13) been convicted of a felony -level criminal sexual conduct offense. "Conviction" means a
plea of guilty, a verdict of guilty by a jury, or a finding of guilty by a court.
Subd. 4. Disciplinary actions. If the commissioner finds that a technician or an operator of an
establishment should be disciplined according to subdivision 3, the commissioner may take any
one or more of the following actions:
\kce)
https: / /www.revisor.mn.gov /statutes / ?id= 146B.08 6/28/2012
14613.08, 2011 Minnesota Statutes Page 2 of 2
(1) refuse to grant or renew licensure;
(2) suspend licensure for a period not exceeding one year;
(3) revoke licensure;
(4) take any reasonable lesser action against an individual upon proof that the individual has
violated this chapter; or
(5) impose, for each violation, a civil penalty not exceeding $10,000 that deprives the
licensee of any economic advantage gained by the violation and that reimburses the department
for costs of the investigation and proceedings resulting in disciplinary action, including the
amount paid for services of the Office of Administrative Hearings, the amount paid for services of
the Office of the Attorney General, attorney fees, court reporters, witnesses, reproduction of
records, department staff time, and expenses incurred by department staff.
Subd. 5. Consequences of disciplinary actions. Upon the suspension or revocation of licensure,
the technician or establishment shall cease to:
(1) perform body art procedures;
(2) use titles protected under this chapter; and
(3) represent to the public that the technician or establishment is licensed by the
commissioner.
Subd. 6. Reinstatement requirements after disciplinary action. A technician who has had
licensure suspended may petition on forms provided by the commissioner for reinstatement
following the period of suspension specified by the commissioner. The requirements of section
14613.03 for renewing licensure must be met before licensure may be reinstated.
History: 2010 c 317 s 8
https: / /www. revisor .mn.gov /statutes / ?id= 146B.08 6/28/2012
14613.09, 2011 Minnesota Statutes
eon Minnesota Statutes
146B.09 COUNTY OR MUNICIPAL REGULATION.
Page 1 of 1
Nothing in this chapter preempts or supersedes any county or municipal ordinance relating to land
use, building and construction requirements, nuisance control, or the licensing of commercial
enterprises in general.
History: 2010 c 317 s 9
�0
https: / /www. revisor .mn.gov /statutes / ?id= 146B.09 6/28/2012
146B.10, 2011 Minnesota Statutes Page 1 of 1
2011 Minnesota Statutes
14613.10 FEES.
Subdivision 1. Licensing fees. (a) The fee for the initial technician licensure and biennial
licensure renewal is $100.
(b) The fee for temporary technician licensure is $100.
(c) The fee for the temporary guest artist license is $50.
(d) The fee for a dual body art technician license is $100.
(e) The fee for a provisional establishment license is $1,000.
(f) The fee for an initial establishment license and the three -year license renewal period
required in section 146B.02, subdivision 2, paragraph (b), is $1,000.
(g) The fee for a temporary body art establishment permit is $75.
(h) The commissioner shall prorate the initial two -year technician license fee and the initial
three -year body art establishment license fee based on the number of months in the initial
licensure period.
Subd. 2. Penalty for late renewals. The penalty fee for late submission for renewal applications
is $75.
Subd. 3. Deposit. Fees collected by the commissioner under this section must be deposited in
the state government special revenue fund.
History: 2010 c 317 s 10; 2011 c 110 art 2 s 5
�4)
https: / /www. revisor .mn.gov /statutes / ?id= 146B.10 6/28/2012
mtormatron for consumers
Q: Who can be tattooed?
A: Anyone over the age of 18. Effective July 1, 2010, tattooing
of minors is prohibited, regardless of parental consent.
Q: May a minor be tattooed if they have their parents' consent
or presence?
A: No. Tattooing of minors is now prohibited by law, regardless
of parental consent.
Q: Can a minor who already had a tattoo have the tattoo
"touched up "?
A: No. Any tattooing of minors is now prohibited by law, even if
they have a pre- existing tattoo.
Q: Can a minor be pierced if they have their parents' consent?
A: As of July 1, 2010, a minor may get a piercing, but will need
parental /guardian consent and their parent/guardian must be
present during the procedure. A minor cannot get the following,
even with consent: nipple piercing, genital piercing, branding,
scarification, suspension, subdermal implantation, microdermal,
�or tongue bifurcation. continued on back
J
Q: Can an infant still have their ears pierced?
A: Yes, with parental consent.
Q: Do jewelry stores need to have licensed piercing
technicians to pierce ears?
A: No. Body piercing does not include the piercing of the outer
perimeter or the lobe of the ear using a presterilized single -
use stud - and -clasp ear - piercing system.
Q: What about permanent makeup?
A: Permanent makeup is a form of tattooing, and is subject
to the body art regulation. As of January 1, 2011, permanent
makeup must be performed by a MDH- licensed body art
technician in a licensed body art establishment.
Q: What problems should MDH be contacted about?
A: Health and safety concerns such as: infections, unsanitary
practices, unsanitary premises, tattooing of a minor, and
piercing of a minor without parental consent. As of January 1,
2011, MDH should be notified of unlicensed practice.
Q: How do I know if a technician and/or establishment is
licensed?
A: Look for posted technician and establishment licenses; call
MDH at 651 - 201 -3731; and /or visit our website www.health.
state.mn.us and enter "body arC in the search box, where a
list of licensed technicians and establishments All be posted.
Q: Are temporary events legal, and can visiting technicians
practice legally?
A: After January 1, 2011, if licensed by MDH, temporary
events and /or visiting guest technicians are legal. Look for
posted licenses.
MDH
Background Information for technicians Information for establishments
The Minnesota Legislature passed a law during the
2010 session requiring the Minnesota Department
of Health (MDH) to regulate tattoo and piercing
professionals.
This brochure provides helpful information for body
art technicians, establishments and consumers. You
can find the law (Minnesota Statutes, Chapter 146B)
at https: / /www.revisor.mn.gov /laws / ?id= 317 &doctype =
chapter &year= 2010 &type =0
Q: What is body art?
A: Body art means physical body adornment using,
but not limited to, tattooing and body piercing. Body
art does not include practices and procedures
that are performed by a licensed medical or
dental professional if the procedure is within the
professional's scope of practice.
Q: What is tattooing?
A: Tattooing means any method of placing indelible
ink or other pigments into or under the skin or
mucosa with needles or any other instruments
used to puncture the skin, resulting in permanent
coloration of the skin or mucosa. Tattooing also
includes micropigmentation and cosmetic tattooing.
Q: What is body piercing?
A: Body piercing means the penetration or puncturing
of the skin by any method for the purpose of inserting
jewelry or other objects in or through the body.
Body piercing also includes branding, scarification,
suspension, subdermal implantation, microdermal,
and tongue bifurcation. Body piercing does not
include the piercing of the outer perimeter or the lobe
of the ear using a presterilized single -use stud -and-
I clasp ear - piercing system.
Q: Who needs to be licensed?
A: As of January 1, 2011, anyone who provides tattooing and/
or piercing services must be MDH licensed.
Q: May a technician be licensed as both a tattooist and a
piercer?
A: Yes. A technician who provides both tattoo and piercing
services may hold a dual license. Dual licensure requires the
technician to meet loth sets of requirements.
Q: What are the requirements to be a tattoo, piercing, or dual
technician?
A: You must be at least 18 years old, have proof you have
at least 200 hours of supervised experience, and have proof
you satisfactorily completed coursework on bloodborne
pathogens, prevention of disease transmission, infection
control, and aseptic technique.
Q: Does MDH provide the required coursework for
technicians?
A: No. Training may be obtained from the American Red
Cross, OSHA, the Alliance of Professional Tattooists; or
other professional organizations.
Q: Does the Minnesota Department of Health
endorse the training offered by the certifying
organizations in order to become a licensed body
art technician?
A: No. MDH does not endorse any
educational program.
Q: Where can a body an
technician work?
A: As of January 1, 2011, a body
art technician can only perform
work at a licensed body art
establishment or an MDH licensed
body an temporary event.
Q: Do establishments need to be licensed?
A: Yes. Starting January 1, 2011, all body art
establishments must be licensed. If an establishment
is licensed by a city or county agency, it may be
exempt from the state requirement and must apply for
a waiver.
Q: Do all body art establishments need to be licensed
by MDH?
A: No. Body art establishments subject to city or
county ordinances which meet or exceed MDH
requirements do not have to have MDH licensure. For
each establishment, owners /operators must complete
and return either an application for MDH licensure or
an application for exemption from MDH licensure.
Q: What if an owner /operator has multiple
establishments?
A: If an owner /operator has more than one
establishment, each establishment must be
individually licensed, and a separate application
submitted for each establishment.
Q: What licenses need to be posted?
A: The establishment license and each technician's
license must be prominently displayed in a public area
of the establishment.
Q: Are establishments inspected?
A: Yes. Body art establishment licensed by
j MDH are inspected within the period of
111 the provisional establishment license,
and then at least one time during
each three -year licensure period.
Unannounced inspections may occur at
any time for any reason.
Date: July 2010
To: Body Art Technicians and Establishment Owners /Operators
From: Kyle Renell, Staff Attorney
Health Occupations Program
Subject: Licensure Requirement for Body Art Technicians and Establishments
On May 13, 2010, legislation was signed into law and went into effect on July 1st. As of January
1, 2011, all body art establishments and technicians must be licensed in order to provide body art
services in the State of Minnesota.
Enclosed you will find a copy of the new law and the necessary application materials needed to
begin the licensure process. You are receiving these materials because your business has been
identified by MDH as a provider of body art services.
If your body art establishment is currently licensed by a local or county agency, it may be
exempt from the state licensure; however, you must request an exemption from MDH. Enclosed
is an application form for exemption from the Minnesota Body Art Establishment License
requirement. Once MDH receives your request for exemption, MDH staff will review the
applicable laws in your jurisdiction. You will be notified in writing as to whether or not your
exemption request has been approved. If you do not apply for an exemption, you must apply for
a license using the establishment application enclosed.
Each individual body art technician must be licensed by the state. Enclosed in this packet is one
copy each of the Minnesota Body Art Technician License Application and the Temporary
License Application for Body Art Technician. If you do not have at least 200 hours of
experience, you should apply for a temporary license. Otherwise, complete the technician license
application. You may make copies of these applications, or after July lst you may download
them from: http• / /www health state mn us/ divs /hnsc/ hot)/tattoo/bodyartapi2lications.html
NOTE: NO license is valid until approved by MDH— regardless of when an application is dated,
submitted, or received.
Please return all completed application materials along with the appropriate fees (a fee schedule
is on the reverse of this page) to MDH at the address indicated on each application.
If you have any questions about the application materials and /or process, please contact the
Health Occupations Program, at 651- 201 -3770.
General Information: (651) 201 -5000 • TDD /TTY: (651) 201 -5797 • Minnesota Relay Service: (800) 627 -3529 • w .health.state.mn.us
For directions to any of the MDH locations, call (651) 201.5000 • An Equal Opportunity Employer
\k�0
BODY ART FEE SCHEDULE: (Effective 07/01/10)
Pursuant to Minnesota Statutes, section 14613, section 10, the appropriate fees must
submitted with your application. Applications will not be processed without the fees.
Technicians
• Temporary technician license [effective for one (1) year]: $110*
• Initial tattoo technician license [effective for two (2) years]: $110*
• Initial piercing technician license [effective for two (2) years]: $110*
❑ Initial dual technician license [effective for two (2) years]: $110*
❑ Renewal of technician license [effective for two (2) years]: $110*
❑ Temporary guest artist license [effective for no more than 30 days]: $55*
❑ Penalty for late renewal: $75
Establishments:
❑ Application for Exemption from State Establishment License: No fee
• Provisional establishment license +: $1,100*
• Establishment license+ [effective for three (3) years]: $1,100*
❑ Temporary establishment permit [effective for no more than 21 days]: $75.00
❑ Penalty for late renewal: $75
* The Minnesota Office of Enterprise Technology (OET) assesses a 10%
surcharge of no less than $5 and no more than $150 on each business,
commercial, professional or occupational license. The funds from this
surcharge go to OET to establish an electronic licensing system for the state.
The surcharge will be collected through June 30, 2015. See Laws of
Minnesota, Chapter 101, Article 2, Section 59.
+Provisional establishment licenses will expire when the establishment
license is issued. During the provisional period, MDH will conduct an
inspection. When MDH determines the establishment meets the license
requirements, a regular establishment license will be issued at no additional
fee.
General Instructions:
• All checks should be made payable to "Treasurer, State of Minnesota"
• Checks must be enclosed with applications. If not, the application will be considered
incomplete and will not be processed until complete applications and fees are
received.
Section
Hutchinson, NIN Code of Ordinances
CHAPTER 118: TATTOOING
118.01
Definition
118.02
License required
118.03
License application
118.04
License fee
118.05
License term
118.06
Tattooing of minors restricted
118.07
Health and sanitary requirements
§ 118.01 DEFINITION.
For the purpose of this chapter, the following definition shall apply unless the context
clearly indicates or requires a different meaning.
TATTOOING. The marking of the skin of a person by insertion of permanent colors by
introducing them through puncture of the skin.
('89 Code, § 6.41) (Ord. 94 -104, passed 3 -8 -94)
§ 118.02 LICENSE REQUIRED.
No person shall conduct any establishment where tattooing is done, nor engage in the act
of tattooing, without being licensed under this chapter. No person shall engage in the practice of
tattooing at any place other than the place or location named or described in the license granted
by the city. No person shall be granted a license under this chapter who is not of good moral
character and free from communicable disease.
('89 Code, § 6.41) (Ord. 94 -104, passed 3 -8 -94) Penalty, see § 10.99
§ 118.03 LICENSE APPLICATION.
Any person desiring a license under this chapter shall file with the City Administrator, on
a form provided by the city, a written application signed by the applicant and containing the
name of the applicant, if an individual, the names of co- partners, if a partnership, and if a
corporation, the names of the principal officers of the corporation, together with a brief
American Legal Publishing Corp.
Hutchinson, MN Code of Ordinances
description of the place or location at which the business is to be conducted, along with other
information routinely required by the City Administrator in connection with applications for
business licenses.
('89 Code, § 6.41) (Ord. 94 -104, passed 3 -8 -94)
§ 118.04 LICENSE FEE.
The annual fee for a license to engage in the practice of tattooing shall be set by ordinance
of the City Administrator.
('89 Code, § 6.41) (Ord. 94 -104, passed 3 -8 -94)
§ 118.05 LICENSE TERM.
All licenses issued under this chapter shall expire on December 31 of the licensing year.
('89 Code, § 6.41) (Ord. 94 -104, passed 3 -8 -94)
§ 118.06 TATTOOING OF MINORS RESTRICTED.
No person shall tattoo any person under the age of 18 except in the presence of, and with
the written permission of, a parent or legal guardian of that person under 18.
('89 Code, § 6.41) (Ord. 94 -104, passed 3 -8 -94) Penalty, see § 10.99
§ 118.07 HEALTH AND SANITARY REQUIREMENTS.
No person shall engage in the practice of tattooing at any place within the city without
complying with the following regulations.
(A) Every place where tattooing is done shall be equipped with a sewer and water
connected toilet and hand basin or sink. The hand basin or sink shall be supplied with hot and
cold running water under pressure, and shall be maintained in good working order at all times; it
shall be kept in a clean and sanitary condition.
(B) No person having any skin infection or other disease of the skin or any
communicable disease shall be tattooed.
American Legal Publishing Corp.
0-11)
Hutchinson, MN Code of Ordinances
(C) All equipment including needles, knell bars, tubes, pigment and receptacles,
stencils, razors and razor blades, shall be kept in a dust -proof glass case when not in use.
(D) All needles and operating instruments shall be individually pre - packaged,
pre - sterilized and disposable. No such equipment shall be used on more than one customer, but
shall be discarded in a safe and sanitary manner after its first use.
(E) All bandages and surgical dressings used in connection with tattooing of any
person shall be individually pre - packaged, pre - sterilized and disposable.
(F) Every person who practices tattooing shall wear clean, white colored, washable
outer garments when engaged in the practice of tattooing.
(G) Every person who practices tattooing shall wash his or her hands thoroughly with
soap and water and then dry them in a clean, unused towel before and after each tattooing. The
customer's skin shall also be thoroughly cleansed with soap and water and disinfected by an
antiseptic solution before the use or application of any tattooing instrument or equipment.
(H) Whenever it is necessary to shave the skin, a safety razor must be used. A new
blade must be used for each customer. The razor shall be cleaned with soap and water after each
use and shall be kept in a closed case when not in use. All electric hair clippers shall be sanitized
by a method approved by the Commissioner of Health.
(I) Pigments used in tattooing shall be sterile and free from bacterial and noxious
agents and substances. The pigments used from stock solutions for each customer shall be
placed in a single service receptacle and this receptacle and remaining solution shall be discarded
in a safe and sanitary manner after use on each customer.
(J) Every person to be tattooed shall be asked whether he or she has had viral
hepatitis in the preceding six months. No person suspected of presently having viral hepatitis or
having had viral hepatitis within the last six months, shall be tattooed without the written consent
of a licensed physician.
(K) No place used for the practice of tattooing shall be used or occupied for living or
sleeping quarters or for any purpose other than tattooing.
(L) There shall be a minimum of 150 square feet of floor space at the place where the
practice of tattooing is conducted and the place shall be adequately ventilated and lighted. All
tables, chairs and operating furniture shall be constructed of metal with white enamel or
porcelain finish or stainless steel, and shall be kept in a clean and sanitary condition.
(M) No person shall practice tattooing while under the influence of alcohol or drugs.
No customer shall be tattooed while under the influence of alcohol or drugs.
(N) A person tattooed shall be provided with written instructions on the approved care
American Legal Publishing Corp.
\``t)
Hutchinson, MN Code of Ordinances
of the tattoo during the healing process.
('89 Code, § 6.41) (Ord. 94 -104, passed 3 -8 -94) Penalty, see § 10.99
American Legal Publishing Corp.
rd
\�`e>
MINUTES
Regular Meeting — Hutchinson Utilities Commission
Wednesday, May 30, 2012
Call to order — 3:00 p.m.
Vice President Lenz called the meeting to order. Members present: Vice President
Craig Lenz; Secretary Leon Johnson; Commissioner Monty Morrow; Commissioner
Anthony Hanson; Attorney Marc Sebora; General Manager Michael Kumm. Member
absent: President Dwight Bordson.
Guests: Dave Berg and Kevin Favero (SAIC); Jeremy Carter (City); Miles Seppelt (City);
Mayor Steve Cook.
Agenda item #3: Approve Financial Statements /Budget Year to Date was moved to
agenda # 4; and
Agenda item #4: Presentation by SAIC (Dave Berg) — Rate Study was moved to agenda
item #3.
1. Approve Minutes of April 25, 2012 Regular Meeting
The minutes of the April 25, 2012 regular meeting were reviewed. A motion was
made by Secretary Johnson, seconded by Commissioner Morrow to approve the
minutes. Motion was unanimously carried.
2. Ratify Payment of Bills for April 2012
The April 2012 payables were discussed. A motion was made by Secretary
Johnson, seconded by Commissioner Hanson to ratify the payment of bills in the
amount of $4,193,701.37 (detailed listing in payables book). Motion was
unanimously carried.
3. Presentation by SAIC (Dave Berg) - Rate Study
Dave Berg and Kevin Favero of SAIC were welcomed to the meeting. Mr. Berg
gave a presentation on the results of the May 2012 Electric and Gas Cost -of-
Service and Unbundled Rate Study. Mr. Berg stated the recommended changes
are minimal and HUC is on solid financial footing. HUC may want to consider rate
design changes; however, Mr. Berg does not recommend an overall rate increase
at this time. Existing rates look favorable through 2016.
4. Approve Financial Statements /Budget Year to Date
GM Kumm presented the April 2012 financial statements /budget year -to -date. After
discussion, a motion was made by Secretary Johnson, seconded by Commissioner
Hanson to approve the financial statements /budget year -to -date. Motion was
unanimously carried.
5. Discuss Angel Network /Incubator Assistance /Future EDA Projects
Commissioner Hanson stated it was requested at the Joint HUC /City meeting to
add this discussion item to the agenda. Miles Seppelt from City of Hutchinson was
welcomed. Mr. Seppelt requested HUC's consideration to partner with EDA in
future projects such as: the Angel Network, an industrial spec building /small
business incubator and the downtown revitalization plan #2 which is an update and
refinement project to promote economic development.
6. Discuss City Administrator /Ex- Officio HUC Board Member
GM Kumm stated this agenda item is a result of the HUC /City Joint meeting to
further discuss the Mayor's request to appoint the City Administrator as an ex-
officio board member on the Commission. In the Joint meeting, Mr. Kumm had
noted per Commission President Bordson that all HUC meetings are open and
public for anyone to attend. The Board had then unanimously agreed it was not
necessary to appoint the City Administrator as an ex- officio. Mayor Cook noted he
had since spoken with President Bordson who said he had no opposition to an ex-
officio position as a non - voting member. Attorney Sebora mentioned there would
need to be a change to the City Charter. Mayor Cook suggested removing Council
member verbiage and replacing with ex- officio verbiage as a non - voting member.
Mayor Cook said it would then be presented to the Charter Commission. The
Board would like to discuss this further upon President Bordson's return and also
meet with the Charter Commission.
7. Appoint a Commissioner to Committee for Analyzing the Transfer Formula to
C ity
Mayor Cook stated this agenda item is also a result of the HUC /City Joint meeting
to appoint Commission members to the City Council approved committee which
includes Jeremy Carter, Council Member Chad Czmowski and Mayor Steve Cook,
to review the transfer formula to City. Mayor Cook would like to see if the transfer
could be increased. Vice President Lenz noted a PILOT (Payment in Lieu of
Taxes) committee was formed in 2008. HUC will need to absolve that committee at
the next regular commission meeting. A motion was made by Commissioner
Hanson, seconded by Secretary Johnson to appoint Commissioner Morrow and
President Dwight Bordson to the transfer formula committee. Another motion was
made to modify the original motion to add GM Kumm to the transfer formula
committee. Motions were unanimously carried.
8. Discuss Credit Card Payments
GM Kumm discussed information on past years' credit card charges and the credit
card fees HUC incurs to accept credit card payments as a convenience for HUC
customers. The credit card fee amounts have increased substantially over the
years due to the majority of the fees coming from businesses charging their bills.
Staff will research options to help reduce the amount HUC incurs and present at
the next regular commission meeting.
9. Review Policies and Requirements Booklet
GM Kumm presented the policies and requirements booklet, sections: meter
testing - natural gas; natural gas service work; and locating customer's underground
utilities - natural gas. This is part of HUC's policy review and no changes are
requested at this time.
6
1V)
10. Approve Changes to Exempt and Non - Exempt Handbooks
GM Kumm presented changes to the exempt and non - exempt handbooks,
sections: Section 6 — health and safety; accidents and injuries; unsafe conditions
or practices; and employee right -to -know. The changes to 'Section 6 — health and
safety' and 'accidents and injuries' were to clean up verbiage and to provide clarity
on what we currently practice. A motion was made by Commissioner Hanson,
seconded by Secretary Johnson to approve the changes to 'Section 6 — health and
safety' and 'accidents and injuries'. Motion was unanimously carried. (Changes
attached.) No changes were recommended for section 'unsafe conditions or
practices'. The changes recommended for section 'employee right to know' were to
clean up verbiage and the Board recommended changing the word 'should' to
'shall' in the last sentence. A motion was made by Commissioner Morrow,
seconded by Commissioner Hanson to approve the changes to section ' employee
right to know'. Motion was unanimously carried. (Changes attached.)
11. Approve Bid Tabulation for Units 3 & 4 RICE Rule Compliance Modifications
Steve Lancaster presented the bid tabulation for units 3 and 4 RICE rule
compliance modifications to make units 3 and 4 compliant with the RICE ruling. If
this work is not done these units would be shut down. This was a budgeted item for
$450,000. After discussion, a motion was made by Secretary Johnson, seconded
by Commissioner Hanson to approve the bid tabulation for units 3 and 4 RICE rule
compliance modifications from Farabee Mechanical Inc. for $270,980. Motion was
unanimously carried. (Bid tabulation attached.)
12. Approve Requisition #4884 for Casing Bypass Project
John Webster presented requisition #4884 for casing bypass project. GM Kumm
mentioned these are the last three casings in the distribution system and the final
part of the 19 year project. After discussion, a motion was made by Commissioner
Hanson, seconded by Commissioner Morrow to approve requisition #4884 for
casing bypass project from Northern Pipeline Construction Cc for $73,535. Motion
was unanimously carried. (Requisition attached.)
13. Division Reports
Electric — Steve Lancaster
• New engine on a rail up from Houston.
• Mandatory pre -bid site visit last week for plant 1 building modifications for
mechanical and electrical.
New switchgear in place.
Business — Jan Sifferath
• New system controller started today — Larry Mason.
• Hiring a summer temporary employee for line crew.
• Jon Guthmiller working on CIP report to send to the Department of Commerce
• Working on researching credit card payment issue.
3
1
vk1Ik_/)
Gas — John Webster
• Received United Farmers Cooperative's (United Natural Gas LLC) resolution
from their Board to design and build skids for their interconnect system to only
serve their grain facility.
Finance — Jared Martig
• Sent out bank requests for proposals last week.
• Will receive bond refinancing results tomorrow.
GM Kumm will be giving a presentation on power supply planning to City Council
members at City Center tomorrow.
14. Legal Update
Nothing to report
Unfinished Business
• Discuss Potential Capacity Sale
GM Kumm and Steve Lancaster are continuing to work on the potential
capacity sale.
New Business
• Discuss Patent License Agreement for Statistical Model in System Control
Discussion was held regarding a patent for the statistical model and software
used in system control.
• GM Kumm presented a leadership review summary comparing 2005 to 2010
results of a 360 degree feedback survey anonymously completed by all HUC
employees anonymously. Summary shows employees overall are satisfied.
There being no further business, a motion was made by Commissioner Hanson,
seconded by Commissioner Morrow to adjourn the meeting at 5:45 p.m. Motion was
unanimously carried.
Leon Johnson, Secretary
ATTEST:
Dwight Bordson, President
M
�y(a)
f: RA
Hutchinson Housing &
Redevelopment Authority
Regular Board Meeting ,Tuesday, May 15, 2012, 7:00 AM
Minutes
CALL TO ORDLR: Chairman Becky Felling called the meeting to order. Members Present: Bill Arndt,
LaVonne Hansen, LouAnn Ilohnquist. and Joel Kraft. Staff Present: ,lean Ward and Judy Flemming.
COASI DI: RATION OF MINUTES OF THE REGULAR BOARD MEETING ON APRIL 17, 2012
LaVonne Hansen moved to approve the Minutes of the regular board meeting as written. LouAnn
Holmquist seconded and the motion carried unanimously,
FINANCIAL. REPORTS
a. Bill Arndt roved to approve the City Center General Fund payments of $28,820.00 for checks
8054 to 8072 and consideration of April 2012 City Center Financial Statements. Joel Kraft
seconded and the motion carried unanimously.
h. Joel Kraft moved to approve the Park Lowers payments of $23,983.38 for checks 11968 to 11997
and consideration of Park Towers March 2012 Financial Statements. LouAnn Holmquist seconded
and the motion carried unanimously.
III IPOP LOAN SUBORDINATION REQUEST
The loan review committee reviewed the subordination request and approved it. LouAnn Holmquist
moved to approve the subordination request for 1111POP 8822 -1.ce. City Revolving loan and IIItA
Entry Cost loan. Bill Arndt seconded and the motion carried unanimously. 1'Ite mortgage company
contacted the HRA after the approval to say that the homeowners withdraw their refinance loan
application and the subordination will not be used.
PARK TOWERS UPDATE
a. Jean Ward updated the Board regarding the local HUD representatives visit scheduled for July 24"'.
b. Joel Kraft moved to approve the Depository Agreement for Park Towers' accounts with Mid
Country and First Minnesota. LOaAnn Holmquist seconded and the notion carried unanimously.
C. Occupancy Status - currently there is I vacancy.
6. CON StDL--RAATION OF MEMORANDUM OF UNDERSTANDING WITH IIUFC11 INSON
INDEPENDENT SCHOOL.. DISTRICT FOR REHAB OF 734 SOUFHVIE W DRIVE SW
• LaVonne Hansen moved to approve the Memorandum of lJnderstanding with Hutchinson
Independent School District for the rehab of 734 Southview Drive SW. LouAnn Holmquist
seconded and the motion carried unanimously.
• Bill Arndt asked the Board to think about considering donating IIRA funds for a scholarship for
students that work on the School Construction homes. "The Board decided to discuss this more
when reviewing the 2013 City Center Budget next month.
7. I;PDATE ON 400 LYNN ROAD
a. .lean Ward presented to the Board the Purchase Agreement she received yesterday afternoon. Joel
Kraft moved to accept the Purchase Agreement for 400 Lynn Road SW, LouAnn Holmquist
seconded and the motion carried unanimously.
b. The Board read a letter from Daryl Lundin, school instructor, on the progress and construction
Schedule for 400 Lynn Road.
t.i�iq li ]ql:� Minutes f a, I c,P {��
S. FIRST LOOK PROGRAM
a. update on Ptu-chase of 7 ,-1 SOUThV1Cw Drive SW — estimated closing date scheduled £or May 16,
2012.
9, 2013 CI'I"Y CENTER BUDGET DISCUSSION
£lie Board discussed their ideas on future HRA projects. The Board directed Jean when working on
the 2013 City Center budget to use S 150,000 for the tax levy amount.
10. MAKFlELD STUDY PROPOSAL
LaVonne Hansen moved to approve having the Maxfield housing study done and to split the cost with
the City Planning Department. LOUAnn Holmquist seconded and the motion carried unanimously.
11. OTH63R
FYI: City oPHutchinson Updated Polices Relating to Boards /Commissions.
12. ADJOURNMENT
Bill Arndt moved to adjourn and LouAnn Holmquist seconded. '['here being no other business,
Chairman Becky Felling declared the meeting adjourned.
Recorded by Jean Wand, HRA Executive Director
LaVonne Hansen, Secretary /Treasurer
P,Iuc �S >01 °R16nnc� f'agr2 or'� - ra'J
\ti
Summer... Enjoy!
To: Hutchinson Fire District Citizens
From: Brad Emans, Fire Chief
Date: 07/01/2012
Re: Monthly Update on the Activities of the Hutchinson Fire Department for June 2012
Fire Department Response: The Fire Department responded to 30 calls for service in the month of
June.
Fire Officer Only Response: A "fire officer only" responded to 10 calls in June saving the Hutchinson
Fire District the cost of a "general' alarm estimated at $1,820.00 for the month.
Response Time (First Emergency Vehicle Out of the Door): June — 3 minutes 10 seconds.
Example of a Few of the Calls:
• The FD responded to a bedroom fire in a manufactured home in the northwest section of
the city. Firefighters quickly got the fire under control keeping structural damage to a
minimum. The cause is under investigation;
• The FD sent one engine and four firefighters to the Sartell paper mill fire in June. In all 97
fire departments responded to the call over a six day period;
• The FD responded to a rescue call when a vehicle struck a house in the northeast part of
the fire district. No extrication was needed, however firefighters made sure that no
flammable liquids or any other hazardous material was leaking from the vehicle;
• The FD responded to a call that a machine shed was burning in the northwest part of the
fire district. It turned out to be a riding lawnmower burning inside the shed. Firefighters
quickly extinguished the fire and checked the structure for fire extension with the Thermal
Imagining Camera;
The FD responded to a residential attic fire during a lightning storm in the southwest part
of the city. The firefighters located the exact location of the smoldering insulation with the
assistance of the Thermal Imaging Camera and removed the sheetrock below it thus
limiting the structural, smoke, and water damage. It was first thought that lightning was
the cause of the fire but after the investigation was completed it was determined to be
improper wiring in the attic;
• The FD responded to a possible explosion, and the smell of smoke in the southeast part
of the city. Law enforcement advised the FD that a weapon was possibly involved and to
stay in quarters until the scene was cleared. What actually happened was the residents of
the property were having a recreational fire in their back yard when one of the people
threw an old cigarette light into the flame it exploded;
The FD activated when the district went into a Tomado Warning. Due to the late notice
we received, the FD was only able to get one Sky Warn location filled. The rest of the
units stood by in quarters for approximately one hour anticipating possible damage;
• The FD responded to a routine "funny smell" call at a large multiple unit senior living
complexes. The incident commander using a four gas meter, it was quickly determined
that the building was filling up with high concentrations of CO. The building was quickly
evacuated and then ventilated. It was determined that a PVC power exhaust pipe off one
of the commercial water heaters broke spilling the CO.
Breakdown of the Calls for the Month:
city
Type of Call
Number for the Month
Residential
4
Commercial /] ndustrial
4
Multi-Family
5
School
1
Grass
0
Medical
1
CO
3
Rescue
1
Haz-Mat Leak/Spill
2
Vehicle
1
Sk -Wam
1
Mutual Aid
1
Total
24
Structure Fires
3
Arson
0
• Page 2
Rural:
Type of Call
Number for the Month
Residential
0
Commercial / Industrial
0
School
0
Farm Building
1
Grass
0
Medical
3
CO
0
Rescue
2
Haz -Mat Leak/Spill
0
Vehicle
0
Mutual Aid
0
Total
6
Structure Fires
1
Arson
0
Training: Firefighters Trained on the Following Topics /Equipment:
I am very proud to make the announcement that 100% of our State Certified Firefighter I
firefighters have completed Firefighter II, Hazardous Material Operations, and taken the
State Certification test. This was a goal set by our training division after the firefighter
reviews in 2011 and required several four hour training nights to accomplish. This
achievement by our Training Chief and our Firefighters demonstrates the level of
professionalism your Fire Department maintains;
• In 2011 the fire department hired four new firefighters, three of them when to college to
become certified, licensed firefighters and one went to Afghanistan to serve his country.
The three sent to college have now completed Firefighter I and took their Oath of Office.
We look forward to our Marine's return to the fire service in late fall;
• The FD worked with Hutchinson Area Health Care on a demonstration for operating room
employees on the hazards of oxygen enrich environment, flammable skin cleaner,
flammability of the draping used in the operating room, and finally hands on use of fire
extinguishers. All of this training took place at the training site.
Fire Prevention / Public Relations / Other Information:
The FD replaced many of the firefighter helmets due to that fact that several of the
helmets had shells that were cracked and they were either very close to or over the
allowable years for use in interior firefighting according to NFPA and OSHA. This also
gave us the opportunity to change color for incident management. Firefighters will now
have black helmets, Lieutenants will wear red helmets, Rookie Firefighters will wear
yellow helmets, and the Chiefs will continue to wear the traditional white helmet.
• MNOSHA made a surprise inspection of the fire department in June. I am very pleased to
announce that we did not have any violations. If you have ever visited the station you are
not surprised as this department takes great pride in constantly being in the ready mode;
• Page 3
\"1'Cl
The FD completed the hiring process for paid -on -call firefighters and issued a conditional
offer of employment to three people. I want to welcome Daryl Rath, John Travis, and Kyle
Baysinger to the fire service! The rookies will train with us over the summer and fall and
then enter the Firefighter I college course in January 2013;
• The FD participated in the following public relation, or educational events:
1. Participated in the 3M Club Family Day;
2. Assisted with the Park & Recreation "Slip & Slide ";
3. Provided First Aid at the Hutchinson Jaycee "Grand Day Parade ";
4. Participated in the "Grade Day Parade ".
Measurements:
1. Number of calls that required more than one engine, and four firefighters in June: 6
2. Number of Calls that required more than "required by law investigation" in June: 5
3. Estimated dollars "saved" in property (building and contents) by the fire department
response for the month of June: $200,000
4. Estimated dollars `lost' in property (building and contents) to fire in June: $17,500
• Page 4
