Iowa DPS: Compliance Depends on Who's Asking

In a series of open records responses between September 22 and 25, 2025, Story County told me various compliance records for its Flock contract, including the CJIS Security Addendum, did not exist. After it became clear to the county that those records were a requirement for a federal grant it had received in 2024, the addendum suddenly materialized, bearing a date of September 15, 2025.

The grant in question is an Edward Byrne Memorial Justice Assistance Grant (JAG).^[1] In Iowa, these grants are administered by the Department of Public Safety (DPS) Office of Drug Control Policy (ODCP). JAG funds can pay for equipment and services, including for criminal justice information systems (CJIS)^[2] and criminal intelligence systems (CIS).^[3]

Story County told ODCP it was purchasing license plate reader cameras. The grant required Story County to comply with the federal regulations for these types of system, and it required Story County to have policies in place before purchasing any equipment.

Expressly listed is a special condition:

Project is required to have established policies and procedures in place regarding the appropriate use of technology and data security/privacy prior to purchasing grant supported technology.

DPS/ODCP approved the grant, but Story County did not use it to buy any equipment. It did not adopt the necessary policies. It did not execute the necessary security addendum. It did not collect the required certifications.

Instead, Story County used the money to enter into a software-as-a-service contract with Flock.

I certify that the program in this application meets all the requirements of the Omnibus Crime Control and Safe Streets Act of 1968, as amended; that all the information presented is correct; and the application will comply with the provisions of the Act and all other Federal laws, regulations, and guidelines.

Then Story County sent an invoice and a check for the “purchase” of cameras to ODCP, and ODCP reimbursed the amount requested. Throughout this process, ODCP does not appear to have required a final inventory report, or even received — let alone read — the Flock contract, under which Flock keeps ownership of the hardware and the county pays only for access to a hosted service.

#DPS Finds Non-Compliance, Then Unfinds It

The CJIS Security Addendum, which I’ve discussed often, is a critical part of CJIS compliance. It is attached to a service contract and contractually binds the employees of the service provider (Flock) to adhere to federal CJIS regulations and policies. It’s the official, FBI-sanctioned method of allowing private parties access to sensitive data.

Story County did not execute a CJIS Security Addendum with Flock. This means Flock was not contractually or legally bound to keep any CJIS data it received secure. It could send it abroad, or hold it in insecure, non-compliant software.

DPS’s own CJIS staff knew. In an internal email on October 6, 2025, the Department’s CJIS Compliance Officer, Rebecca Dyer, wrote that “CJIS language was not present in the contract” between the county and Flock — and began assembling the documents the county was missing (more on that below).

I had filed a CJIS complaint with the Department on September 30. Its Director of Investigative Operations, Paul Feddersen, reviewed it and transferred it to the Department’s Program Services Bureau — home of Iowa’s FBI CJIS Systems Officer. On October 14, that officer, Rusty Ringler, confirmed in writing:

Following a review, the Department identified missing or incomplete addendums/agreements requiring attention on the part of the Story County Sheriff’s Office and Flock Safety. These items would typically be identified in a triennial audit conducted by our CJIS audit team, and the agency would be given an opportunity to remediate prior to escalation.

The Story County Sheriff’s office is not scheduled for [its] triennial audit until next year, but we have begun working with them to identify and address areas of concern.

In other words, the conditions for the grant were never met. There was no “purchase” of any equipment. There was no compliance with the federal regulations — least of all before the grant was awarded.

ODCP, however, had already decided otherwise. The day before Ringler’s email — on October 13 — ODCP Bureau Chief Susie Sher wrote:

As the pass-through entity for Iowa’s portion of federal Bryne-JAG funds, ODCP alone is responsible for determining cause for disallowing costs and recouping funds. After a thorough review, ODCP believes this complaint is unfounded and does not find cause to disallow the expenditure of funds for this purpose.

So: DPS’s CJIS compliance officer flagged the missing CJIS language on October 6. ODCP called the complaint “unfounded” on October 13. DPS’s CJIS Systems Officer put “missing or incomplete” in writing on October 14. One department, three divisions — two of them confirming the gap on either side of the third declaring it imaginary. ODCP did not provide any further explanation.

#DPS After Dark

Behind the scenes, much more was happening. Story County and DPS had a phone meeting, contents unknown, which in turn produced a set of email exchanges between ODCP Bureau Chief Susie Sher, Marylin Mosinski (Communications Operations Manager, Story County Sheriff’s Office) and Rebecca Dyer (Iowa DPS CJIS Compliance Officer).

On October 6, DPS and ODCP staff began supplying Story County the documents that should already have existed. That morning at 10:52, Mosinski emailed DPS about a form she couldn’t identify:

There is also one more form that was mentioned during the FLOCK FOIA request phone call that will be needed for the next audit. Could we get a copy of that as well so that we can get it signed with all the other forms? We aren’t sure what that one is called…

Dyer replied:

Since FBI CJIS language was not present in the contract signed with your agency and FLOCK, an Amendment needs to be signed between the Sheriff’s Office and FLOCK to meet CJIS requirements; this document is labeled IDPS CJIS Security Amendment.

Minutes later, at 11:03, Dyer sent the templates and assigned who would sign what:

Good morning Marylin- Please see the attached documents. Below I noted who needs to be involved with certain documents. … Amendment: Flock and Story County Sheriff’s Office / Agency User Agreement: Story County Sheriff’s Office / MCA: Story County IT and Story County Sheriff’s Office

A couple of weeks later, on October 22, Mosinski wrote to Dyer:

Command would like me to change the wording on the MCA so it better reflects who is signing. Since you sent me the copy in word format, I can make those changes myself but want to check in with you.

In essence, there isn’t too much wrong with DPS’s CJIS division helping a sheriff’s office come into compliance. But non-compliance in October 2025 means non-compliance at the time the grant was certified and awarded in 2024.

It is also worth noting that Mosinski did not receive the templates until October, yet the executed CJIS amendment carries a September 15 date:

#Auditors and Oversight

In 2024, Story County certified compliance, on federal forms, to obtain a federal benefit. Certifying compliance that does not exist, on a federal form, to draw federal money is the kind of conduct that carries federal criminal exposure for ordinary people.

ODCP, the agency that administers these federal funds, dropped the ball at every point. It should at least have asked the most basic question: “what is this grant for?” The answer would have revealed that there was no “purchase” of any equipment. Standard follow-ups, such as “show me you complied with the special conditions of this grant” or “provide a final inventory report,” would also have revealed the error.

Even crediting its own CJIS division, which confirmed the documents were not in place, would have let ODCP recoup the funds and keep future grants to other agencies honest. ODCP chose to ignore its obligations under federal law instead.

The state’s last backstop is the Auditor of State. I referred the matter to Rob Sand’s office in November. On December 27, 2025, Sand replied:

Thank you kindly. For your awareness, we are generally not able to provide substantive responses. Anything we learn during the course of an audit is confidential until a release is made public. In addition to that, timelines for audit work across both the public and private sectors are longer than anyone would prefer. These are serious allegations and we will take them seriously.

That was the last I heard. Audit work is confidential, so I cannot say whether anything is underway; I can say that more than five months later, there has been no further word.

The federal backstop fared no better. In January 2026, the U.S. Department of Justice Office of the Inspector General sent the following response:

The U.S. Department of Justice (DOJ), Office of the Inspector General, investigates allegations of misconduct by employees and contractors of DOJ, as well as waste, fraud and abuse affecting DOJ programs and operations. After reviewing your complaint, we have determined that the matters that you raised are more appropriate for review by another office within the DOJ.

And that was the last I heard of that.

#The Grants Will Continue

It reinforces a pattern seen over and over in Iowa and other states: police agencies and their preferred vendors are free to ignore laws, rules, and regulations. Even though both the county and DPS now acknowledge non-compliance — long after certifying that they were compliant — there are no consequences for certifying compliance that never existed, or for accepting those certifications to release federal funds.

ODCP does not enforce its own grant terms. DPS’s CJIS division identified the non-compliance but treats it as a remediation project rather than a breach. And the Department’s investigative side, handed a complaint about the same conduct, passed it along rather than pursue it.

The amount for this specific grant is small, but ODCP is just one state agency in Iowa, and grants for intelligence systems are common. Grants for “organized retail crime” and other purposes are even more so.

The following are intelligence-systems grants awarded by DPS, presumably under much the same terms as Story County’s grant:

If you are in Iowa, please take a minute to ask the State Auditor to act — he has all the evidence. If you are not in Iowa, I recommend filing some open records requests — you will almost certainly find the same thing where you are.

In the meantime, when reading about criminal charges for improper certifications on federal benefit forms — like those for SNAP or Medicaid — take a minute to consider what happened in Story County and how it reflects on the word “law enforcement.”