When law enforcement and government agencies share data and intelligence, the ability to track criminals, solve crimes, find missing people, and provide a better standard of public service becomes much more effective. This sounds like an obvious win, so how come law enforcement agencies have been slow to embrace cloud computing and the collaboration benefits it provides? To understand their hesitation, it helps to look at the history of Criminal Justice Information Services (CJIS).
History of the CJIS and Compliance
Established in 1992, the CJIS division of the FBI is a high-tech intelligence hub housed in the hills of West Virginia. Linking nearly 18,000 law enforcement agencies across the country to a massive database of crime reports, fingerprints, and other agency data, the CJIS gives law enforcement, national security, and intelligence community partners the information they need to protect the United States, while preserving civil liberties.
For CJIS security policy to be effective, however, cooperation across various levels of government is required. Complicating matters further, there is no nationwide, uniform certification system for CJIS compliance. Instead, each state government manages CJIS compliance semi-independently through a state-appointed CJIS Systems Officer (CSO) who administers policy for computers, networks, and other parts of the CJIS infrastructure. The CSO is also tasked with ensuring that organizations are obeying regulations, documenting compliance, and reporting back to the FBI. This hodge-podge of similar-but-different rules being used across the country, and other government red tape surrounding CJIS compliance, has deterred many law enforcement organizations from sharing data in order to keep their nose clean.
Challenges Concerning CJIS Compliance
If law enforcement and government agencies are encouraged to share data, even across jurisdictions, why does CJIS compliance make it so difficult to accomplish? Obviously, CJIS data is highly sensitive, so organizations running within a CJIS-compliant cloud need cloud computing security policies in place governing those that have access to data—from the cloud provider to internal clerical and IT support staff. That’s not all; data-at-rest and data-in-motion also need to be compliant. Meaning all organizations must use at least 128-bit encryption to protect digital intelligence while in storage or transit so hackers and spies cannot employ deciphering techniques.
Choosing a CJIS Compliant Cloud Provider
Choosing a reputable cloud services provider is crucial for government and law enforcement agencies migrating to the cloud. To minimize risk and maintain the security of critical information, be sure that your potential provider has been audited by the state’s CJIS Systems Agency (CSA) which will ensure that at a minimum they perform each of the following as outlined by the CJIS:
- Limits access to intelligence based on employee job assignment, network address, location, and time of day.
- Employs restriction measures to prevent unauthorized users from accessing information they don’t need to perform job duties.
- Limits login attempts to five tries, after which users will be locked out until they contact an administrator.
- Employs a session lock timer which engages after 30 minutes to prevent unauthorized users from accessing data should a user forget to logout.
- Performs ongoing monitoring and automatic recording of various activities (such as password changes) and maintains these logs for at least one year.
- Uses multi-factor authentication for highly-sensitive data (for example, a software application may generate a unique, one-time password at timed intervals which adds a second level of complexity to logging in, but provides another barrier of entry against ransomware and data thieves).
- Maintains division between physical and virtual servers that store intelligence, and those that can be accessed by the public through webpages and internet portals.
- Performs criminal background checks on all employees with access to unencrypted intelligence, and performs ongoing and frequent employee training on CJIS best practices with ample documentation and knowledge sharing.