28 C.F.R. § 20.21
A plan shall be submitted to OJARS by each State on March 16, 1976, to set forth all operational procedures, except those portions relating to dissemination and security. A supplemental plan covering these portions shall be submitted no later than 90 days after promulgation of these amended regulations. The plan shall set forth operational procedures to—
(a) Completeness and accuracy. Insure that criminal history record information is complete and accurate.
(b) Limitations on dissemination. Insure that dissemination of nonconviction data has been limited, whether directly or through any intermediary only to:
(c) General policies on use and dissemination.
(f) Security. Wherever criminal history record information is collected, stored, or disseminated, each State shall insure that the following requirements are satisfied by security standards established by State legislation, or in the absence of such legislation, by regulations approved or issued by the Governor of the State.
(3)
(i) Computer operations, whether dedicated or shared, which support criminal justice information systems, operate in accordance with procedures developed or approved by the participating criminal justice agencies that assure that:
(a) Criminal history record information is stored by the computer in such manner that it cannot be modified, destroyed, accessed, changed, purged, or overlaid in any fashion by non-criminal justice terminals.
(b) Operation programs are used that will prohibit inquiry, record updates, or destruction of records, from any terminal other than criminal justice system terminals which are so designated.
(c) The destruction of records is limited to designated terminals under the direct control of the criminal justice agency responsible for creating or storing the criminal history record information.
(d) Operational programs are used to detect and store for the output of designated criminal justice agency employees all unauthorized attempts to penetrate any criminal history record information system, program or file.
(e) The programs specified in paragraphs (f)(3)(i) (b) and (d) of this section are known only to criminal justice agency employees responsible for criminal history record information system control or individuals and agencies pursuant to a specific agreement with the criminal justice agency to provide such programs and the program(s) are kept continuously under maximum security conditions.
(f) Procedures are instituted to assure that an individual or agency authorized direct access is responsible for (1) the physical security of criminal history record information under its control or in its custody and (2) the protection of such information from unauthorized access, disclosure or dissemination.
(g) Procedures are instituted to protect any central repository of criminal history record information from unauthorized access, theft, sabotage, fire, flood, wind, or other natural or manmade disasters.
(4) The criminal justice agency will:
(iii) Institute procedures, where computer processing is not utilized, to assure that an individual or agency authorized direct access is responsible for
(a) The physical security of criminal history record information under its control or in its custody and
(b) The protection of such information from unauthorized access, disclosure, or dissemination.
(g) Access and review. Insure the individual's right to access and review of criminal history information for purposes of accuracy and completeness by instituting procedures so that—
[41 FR 11715, Mar. 19, 1976, as amended at 42 FR 61595, Dec. 6, 1977]