The quick signatures were necessary for the software giant to come up with a new law enforcement client: the New York Police Department, according to people familiar with the matter and emails reviewed by the Protocol. An NYPD spokesperson did not respond to several requests for comment.
“We apologize for the tight deadline and realize we are asking for your help this weekend,” former Trust Manager Jim Alkove wrote to employees.
Signatures were also required for officials to continue working in the government division. The summit’s warning was clear: those who did not sign should move to another department.
The document in question addressed a secret hurdle the tech industry faces with clients such as the NYPD: Criminal Justice Information Services, or CJIS, a division of the FBI that stores fingerprints, documents, and other data and evidence used, among other security activities. law enforcement, to examine the history of criminal suspects.
In order for a software vendor to work with, say, a city’s local prison system, the engineers in those accounts are required to provide their personal data — including social security numbers — to the CJIS for background, criminal, and credit checks. It’s similar to the clearance tech workers must get to work with federal agencies, known as FedRAMP.
But unlike FedRAMP, clients like the NYPD can add additional requirements — such as preventing anyone who has filed for bankruptcy from working on the account — that make the CJIS process more ad hoc. This prevented Salesforce from being able to implement a standardized process, the sources say.
“Trust is our number one value and we take protecting our customers’ data very seriously. Protecting customer data includes complying with various regulatory programs, such as the Criminal Justice Information Services (CJIS) Security Policy, which may impose additional requirements on Salesforce employees,” a gatekeeper.word of Salesforce said in a statement by email.
After receiving a detailed overview of the reporting in this story, the spokesperson declined to comment further.
CJIS in the brain
The plunge into CJIS-related work is part of a larger effort by Salesforce to win more government business, including top-secret work with agencies like the State Department. The company has at least 12 pending deals with clients related to CJIS, including the U.S. Drug Enforcement Administration, according to a source familiar with the pipeline.
However, the company has struggled to galvanize employee support for the later demands that come with its deeper push into the law enforcement sector. In a sign of the difficulties Salesforce is facing, neither the company nor the NYPD has confirmed whether the deal discussed at the last December meeting is still active.
To win more public sector customers, Salesforce must prove it can meet the requirements imposed by the NYPD and others. But the December effort set off alarm bells for some, which eventually led to the relocation of several employees from the government’s cloud division due to their refusal to sign the contract and submit their personal information, sources said. Salesforce declined to comment on employee-related issues.
With only a few hours to review a contract larger than “War and Peace”, some engineers backed off. Salesforce executives ended up having to hold a meeting on Dec. 13 to answer questions from employees, the sources said.
Engineers were asked to fill out booking forms, the sources said, including listing any visible tattoos or scars.
In the end, the workers had more time to review and sign the contract. But some employees questioned the urgent timetable disclosed by Salesforce. For example, the documents included the signature of an executive who had left months earlier, indicating that Salesforce had long anticipated this confrontation, according to one source, and a Slack channel that employees had access to showed conversations of executives discussing the pending tenure. from several months earlier.
Many of the questions from employees focused on how their information would be used, the protocols in place to protect it, how long it would be stored, and, ultimately, whether that would open them up to bad credit or background checks. Salesforce, sources said, provided few answers.
The other glaring problem with CJIS, they argued, is that each potential customer may have a separate list of additional information requirements and subsequent requests that could prevent an individual from working on the account. FedRAMP, on the other hand, has a uniform list of requirements that all companies must meet.
It’s also a problem that some rivals – and close partners – don’t have. Other vendors, particularly cloud providers, probably don’t need to send employee information to the CJIS system, even if they work with similar customers. In fact, AWS, Microsoft, and Google, for the most part, have implemented stricter protections that prevent their own employees from accessing customer information.
“Cloud service personnel are unlikely to have unattended access to unencrypted criminal justice information,” an FBI spokesperson told Protocol. Spokespersons for AWS, Microsoft and Google Cloud did not respond to several email inquiries.
However, Salesforce engineers can access this data to help with maintenance and support, according to a source familiar with its inner workings. It is also difficult to prevent engineers from accessing specific accounts, as the various systems share underlying infrastructure that makes it difficult to install these firewalls, the sources say. Salesforce, however, is trying to move some self-hosted programs to FedRAMP systems owned and managed by AWS, according to one of the sources.
The third time is the charm
The NYPD had strict rules about who could work on the account. For example, anyone who committed a moving offense punishable by a fine of more than $300 or filed for bankruptcy was barred from working with the client, the sources said.
Some officials immediately refused. At the same time, this was not a new request for many in the room.
Salesforce had attempted a similar move twice before, the sources say: once in 2017 with Philadelphia’s prison departments, and again years later for a customer that could not be independently verified by protocol.
The contract with the Philadelphia Department of Prisons fell amid resistance from officials. Engineers were asked to fill out booking forms, the sources said, including listing any visible tattoos or scars. Since Salesforce employees were technically contractors, this was the only way the prison system could process the necessary background and credit checks.
However, a spokesperson for the Philadelphia Department of Prisons denied that was why the deal fell apart.
“The contract was not terminated because the employees objected to providing their personal information to the CJIS,” they said in an emailed statement. The spokesperson declined to comment further, citing ongoing litigation with the company. Salesforce declined to comment.
But it is clear that the company may not be prepared for resistance from employees.
One of the CJIS requirements, for example, is employee fingerprinting. Salesforce suggested storing all applicable employee fingerprints on a separate encrypted laptop. This, combined with a signed employee contract, would make it easier for the company to provide its employee data to future customers. The engineers, however, saw it differently and retreated. The idea was eventually discarded.
The push to get the NYPD — as well as the hiring for related roles — is a clear sign that Salesforce is eager to win more law enforcement business. Salesforce is also trying to step up its work with other federal agencies. For example, the company is currently recruiting for a role on “Project Blackjack,” Salesforce’s codename for a top-secret initiative with the State Department.
The effort to delve deeper into the law enforcement industry comes at an interesting time for Salesforce. Employees make public their disappointment with the company’s work with the NRA following the Uvalde shooting. And with law enforcement’s reputation tarnished to some beyond repair, Salesforce’s growth ambitions may once again clash with its cherished cultural values.