An official website of the United States government, Department of Justice.

Guidance for Applicants and Award Recipients

Description

Applicants for federal assistance

All funding applications must be submitted electronically. Information on how to apply for federal assistance, along with resources to help potential applicants navigate the application process, can be found on the Office of Justice Programs' Applicant Resources page.

Award recipients of federal assistance

Information System Security and Privacy Requirements 

Award recipients and subrecipients that serve as BJS data collection agents to complete statistical activities under BJS’s authority in conjunction with the funded activities, including collecting, receiving, processing, analyzing, storing, transferring, or disseminating information, must maintain the appropriate administrative, physical, and technical safeguards to ensure that the appropriate data management processes are followed. Award recipients must operate information systems that are adequately secured and protected against unauthorized disclosure, in accordance with applicable federal laws, regulations, and other authorities. 

BJS requires special data-handling controls and procedures to protect identifiable BJS data, which includes information identifiable to a private person (as defined in 28 C.F.R. Part 22.2), direct PII (e.g., names, Social Security numbers, last-known addresses, or FBI, state, or department of corrections (DOC) ID numbers), and other non-public data.

Specifically, BJS award recipients and subrecipients are required to, as applicable— 

  • Comply with the data security and confidentiality provisions detailed in 28 C.F.R. Part 22. 
  • Adhere to National Institute of Standards and Technology (NIST) guidelines and Office of Management and Budget (OMB) guidance to categorize the sensitivity of all data collected or maintained on behalf of BJS. 
  • Once the system has been categorized, secure data in accordance with the most updated Risk Management Framework specified by NIST guidelines. 
  • Maintain data security controls comparable to the Federal Information Security Modernization Act (FISMA) Moderate security level for projects that collect, store, transfer, or disseminate information identifiable to a private person. 
  • Employ adequate controls to ensure data are not comingled with any other data set or product without the express written consent of BJS. 
  • Reduce the volume of PII collected, used, or retained to the minimum necessary. 
  • Restrict access to identifiable data to individuals who must have such access. 
  • Restrict use of identifiable data to approved purposes. 
  • Follow BJS’s established security incident notification procedures, including notifying BJS and the appropriate DOJ officials, within 1 hour of discovery, of all security incidents involving PII or other sensitive information collected or maintained in conjunction with BJS-funded activities. 
  • Log all computer-readable data extracts from databases holding sensitive information and ensure that each extract including sensitive data has been erased within 90 days or that its use is still required. 
  • Ensure all contracts involving the processing and storage of PII comply with DOJ policies on remote access and security incident reporting. 
  • Comply with BJS’s data disposition requirements to return all identifiable and nonpublic data to BJS upon project completion, digitize paper copies of surveys and data collection materials saved on other physical media, and securely destroy identifiable data after receiving BJS’s permission to do so.
  • Complete data security and confidentiality trainings, as applicable. 
  • Employ formal sanctions for anyone failing to comply with DOJ policy and procedures, in accordance with applicable laws and regulations. 

Further, award recipients that receive funding for projects that involve completing statistical activities under BJS’s authority are required to develop and maintain a BJS-approved data management plan (DMP) that describes how the data collected under BJS’s authority for the program will be collected or acquired, received, handled, processed, stored, transferred, and disposed of. A model DMP template is available on the BJS website page Human Subjects Protection, Confidentiality, and Data Management Plan Requirements.

OJP may audit the information systems used by award recipients during the performance period to assess compliance with federal laws, regulations, and policies related to data management, confidentiality, and security. 

The BJS Data Protection Guidelines summarize the federal statutes, regulations, and other authorities that govern data collected and maintained under BJS’s authority.

Standards for Providing Information Technology and Publishing Support to BJS 

The following sections describe BJS standards grantees and contractors should take into consideration when proposing and pricing information technology and publishing support to BJS, as well as in associated project planning and project management. 

Ownership and Hosting of BJS-Funded Data Systems and Applications 

All BJS-funded systems or applications built for managing, processing, or publishing data, absent an express agreement otherwise, shall be owned by BJS. Master databases of record shall be located on, or regularly replicated to, the OJP network. Public-facing applications shall be deployed and hosted on the OJP network and accessed via a .gov domain. The grantee should plan for these outcomes from the start of projects. For example, application developers will need to have access to the OJP network to participate in the configuration and deployment of public-facing applications.

Use of OJP Systems and Platforms by Grantees and Contractors 

BJS grantees and contractors building BJS-funded systems or applications for managing, processing, or publishing data are required to work on the OJP network using OJP tools and systems. The OJP network is accessed using an OJP-provided laptop and a Personal Identity Verification (PIV) card. To obtain this access, grantees and contractors will need to fill out a personnel onboarding form soon after award, which BJS contracting officer representatives (CORs) and cooperative agreement monitors will forward to OJP security personnel. This access should be requested soon after award for all personnel who may need access to the OJP network.

Use of OJP systems, tools, and networks, along with compatibility and compliance with OJP systems and policies, must be accounted for in budgets and planned for from the start of the performance period. 

Any projects or tasks that will involve the OJP network and/or coordination with OJP support teams should be described in detail as soon as possible and submitted to the chief of the BJS technology and data management unit to ensure arrangements are made that support the milestones and deliverables of the contract or agreement. 

Adherence to federal standards 

All systems and applications developed for BJS must adhere to federal, DOJ, OJP, and BJS processes, practices, standards, policies, and mandates. Grantees and contractors must collaborate with and regularly update BJS technology staff on the progress of application and system development. 

21st Century Integrated Digital Experience Act 

Any website that is developed, modernized, enhanced, maintained, or otherwise delivered as a result of this agreement must comply with the website standards of the Technology Transformation Services of the General Services Administration. The U.S. Web Design System (USWDS) shall be adopted incrementally over the life of the project or requirement and the awardee shall prioritize implementation to align with the priorities identified within the agreement. 

Additional key BJS information technology policies, practices, and standards are available.

Privacy Requirements

All BJS award recipients are required to comply with applicable federal requirements concerning the protection of human subjects and the confidentiality of information identifiable to a private person, consistent with the regulations at 28 CFR Part 46 and 28 CFR Part 22. Applicants are required to submit a Privacy Certificate and a Human Subjects Protection Certification of Compliance Form.

Applicants are strongly encouraged to carefully review the information on the Bureau of Justice Statistics page Human Subjects Protection, Confidentiality, and Data Management Plan Requirements before submitting an application.

Performance Reporting

Award recipients receiving funds from BJS are required to report on the progress of grant activities. For additional guidance on performance reporting requirements and report templates for specific BJS programs, see:

Questions about performance reporting requirements should be directed to the BJS Program Manager. Additional resources for award recipients are available on the OJP page for Recipient Resources.

Budget and Financial Templates and Information

Award recipients receiving funds from BJS are required to report financial progress of grant activities. For additional guidance on financial reporting requirements, report templates and financial forms for general BJS programs, see:

Questions about financial reporting requirements should be directed to the Office of the Chief Financial Officer (OCFO) Helpdesk at [email protected]. Additional resources for award recipients are available on the OJP page for Recipient Resources.

Grant Management Templates, Forms and Information

Questions about grant management requirements should be directed to the BJS Program Manager. Additional resources for award recipients are available on the OJP page for Recipient Resources.