28 CFR 25.8: System safeguards.
(a) Information maintained in the NICS Index is stored electronically for use in an FBI computer environment. The NICS central computer will reside inside a locked room within a secure facility. Access to the facility will be restricted to authorized personnel who have identified themselves and their need for access to a system security officer.
(b) Access to data stored in the NICS is restricted to duly authorized agencies. The security measures listed in paragraphs (c) through (f) of this section are the minimum to be adopted by all POCs and data sources having access to the NICS.
(c) State or local law enforcement agency computer centers designated by a Control Terminal Agency as POCs shall be authorized NCIC users and shall observe all procedures set forth in the NCIC Security Policy of 1992 when processing NICS background checks. The responsibilities of the Control Terminal Agencies and the computer centers include the following:
(1) The criminal justice agency computer site must have adequate physical security to protect against any unauthorized personnel gaining access to the computer equipment or to any of the stored data.
(2) Since personnel at these computer centers can have access to data stored in the NICS, they must be screened thoroughly under the authority and supervision of a state Control Terminal Agency. This authority and supervision may be delegated to responsible criminal justice agency personnel in the case of a satellite computer center being serviced through a state Control Terminal Agency. This screening will also apply to non-criminal justice maintenance or technical personnel.
(3) All visitors to these computer centers must be accompanied by staff personnel at all times.
(4) POCs utilizing a state/NCIC terminal to access the NICS must have the proper computer instructions written and other built-in controls to prevent data from being accessible to any terminals other than authorized terminals.
(5) Each state Control Terminal Agency shall build its data system around a central computer, through which each inquiry must pass for screening and verification.
(d) Authorized state agency remote terminal devices operated by POCs and having access to the NICS must meet the following requirements:
(1) POCs and data sources having terminals with access to the NICS must physically place these terminals in secure locations within the authorized agency;
(2) The agencies having terminals with access to the NICS must screen terminal operators and must restrict access to the terminals to a minimum number of authorized employees; and
(3) Copies of NICS data obtained from terminal devices must be afforded appropriate security to prevent any unauthorized access or use.
(e) FFL remote terminal devices may be used to transmit queries to the NICS via electronic dial-up access. The following procedures will apply to such queries:
(1) The NICS will incorporate a security authentication mechanism that performs FFL dial-up user authentication before network access takes place;
(2) The proper use of dial-up circuits by FFLs will be included as part of the periodic audits by the FBI; and
(3) All failed authentications will be logged by the NICS and provided to the NICS security administrator.
(f) FFLs may use the telephone to transmit queries to the NICS, in accordance with the following procedures:
(1) FFLs may contact the NICS Operations Center during its regular business hours by a telephone number provided by the FBI;
(2) FFLs will provide the NICS Representative with their FFL Number and code word, the type of sale, and the name, sex, race, date of birth, and state of residence of the prospective buyer; and
(3) The NICS will verify the FFL Number and code word before processing the request.
(g) The following precautions will be taken to help ensure the security and privacy of NICS information when FFLs contact the NICS Operations Center:
(1) Access will be restricted to the initiation of a NICS background check in connection with the proposed transfer of a firearm.
(2) The NICS Representative will only provide a response of “Proceed” or “Delayed” (with regard to the prospective firearms transfer), and will not provide the details of any record information about the transferee. In cases where potentially disqualifying information is found in response to an FFL query, the NICS Representative will provide a “Delayed” response to the FFL. Follow-up “Proceed” or “Denied” responses will be provided by the NICS Operations Center during its regular business hours.
(3) The FBI will periodically monitor telephone inquiries to ensure proper use of the system.
(h) All transactions and messages sent and received through electronic access by POCs and FFLs will be automatically logged in the NICS Audit Log described in § 25.9(b). Information in the NICS Audit Log will include initiation and termination messages, failed authentications, and matching records located by each search transaction.
(i) The FBI will monitor and enforce compliance by NICS users with the applicable system security requirements outlined in the NICS POC Guidelines and the NICS FFL Manual (available from the NICS Operations Center, Federal Bureau of Investigation, 1000 Custer Hollow Road, Clarksburg, West Virginia 26306-0147).