Moving to the cloud makes it easier for law enforcement and other government agencies to share data, leading to better intelligence in tracking criminals and a higher standard of service. But Criminal Justice Information Services (CJIS) rules and other data protection regulations can make cloud compliance difficult. As a result, some agencies choose not to make a full migration. This doesn’t necessarily make their information safer, but it does prevent them from sharing valuable information. Creating a CJIS compliant cloud costs time and money, but the benefits far outweigh the drawbacks and risks.
CJIS and the Cloud
The Criminal Justice Information Services (CJIS) Division of the FBI was founded in 1992 as a way for national, state and local crime fighters to share intelligence. It houses a massive database, granting Law Enforcement Organizations (LEOs) instantaneous access to crime reporting, fingerprint identification and other Criminal Justice Information (CJI).
So, what is CJIS? The CJIS links almost 18,000 law enforcement agencies, and the FBI has been ambitiously expanding the program. In 2008, they began building the National Data Exchange (N-DEx), a giant warehouse to allow law enforcement agencies to better share their own data, making it easier to track criminals across jurisdictions.
Unfortunately, the majority of law enforcement organizations have been slow to share data because of the demanding CJIS Security Policy, which has exacting rules about how digital CJI must be controlled and protected.
Where CJIS Compliance Rules Apply
CJIS security policy applies to anyone who works with CJI. LEOs and private security agencies are on the hook, obviously, but so are organizations and contractors that store or support CJI. Any organizations running a CJIS compliant cloud needs policies in place governing everyone from their hosting company to their clerical and IT support staff. Email and other software used to process or send CJI also needs to be compliant.
CJIS security policy also requires a lot of cooperation between different levels of government. Each state is required to appoint a CJIS Systems officer (CSO) to interpret and administers the security policy. The CSO has to create policies for computers, networks, and other parts of the CJIS infrastructure, and make sure organizations are adhering to the rules.
Each local agency must provide a Terminal Agency Coordinator (TAC) to enforce CJIS policy in their department. Other officials are required to perform a variety of roles, including documenting CJIS compliance and serving as points of contact for the FBI.
The Importance of Data Encryption in a CJIS Compliant Cloud
Data encryption is a crucial part of CJIS cloud compliance. LEOs and support organizations need to use 128-bit encryption or stronger to protect any digital CJI. This applies to both data storage and data transmission; if your officers are going to use email to share or discuss criminal records, fingerprints or other CJI, they need to encrypt their messages and attachments.
Virtru was designed to make CJIS compliant email easy and safe in the cloud. Virtru uses the Trusted Data Format to protect email with 256-bit AES encryption. In addition, all data sent with Virtru is encrypted client-side, which prevents hackers or spies from deciphering confidential communications; some forms of encryption, such as SSL/TLS can be intercepted and hacked by a bad actor, but client-side encryption ensures that even if your email is intercepted in transit, it can’t be read by an unauthorized user. And because Virtru encrypts with the flip of a switch, it does not require any special training for law enforcement.
CJIS Networking Best Practices
Any time sensitive data is sent over a network, there’s a risk of exposure. A CJIS compliant cloud needs to be supported by good policies and monitoring to limit the risks. Networking best practices include:
- Access control criteria to govern what CJI users can access, based on location, job, network address, time-of-day
- Access Control Lists to dictate who is allowed to access CJI, and what resources each user should be able to access
- Resource restriction measures, to prevent users from gaining access to information or tools that aren’t appropriate for them
- Unsuccessful login limits that automatically lock users out for 10 minutes, after 5 failed login attempts
- Session lock timers which engage after 30 minutes, preventing unauthorized users from seeing sensitive information if an officer forgets to logout
- Separation between physical or virtual machines that process or store CJI, and those that can be accessed by the public (such as web pages and Internet portals)
Organizations need to provide training, supervision, and monitoring. They should record and audit data access and integrity, making sure information is not improperly read or changed.
CJIS Compliant Access Points
CJIS requires physical access control, meaning organizations need to restrict and secure Access Points (APs) — places or devices where CJI can be accessed. LEOs using Wi-Fi should place their networks in a secure place, protect them with strong passwords and encryption and monitor them to make sure unauthorized users aren’t snooping or gaining access.
Controlling access requires tradeoffs. A CJIS compliant cloud must weigh security requirements against the need to give officers quick and convenient access to CJI. If you allow your officers to use their personal devices and public networks to access restricted data, for example, it makes their jobs easier, but also makes it much harder to keep the CJIS cloud secure. It would be relatively easy for a hacker or criminal to spy on the network, or get ahold of an unsecured device. On the other hand, if you only allow officers to access CJI from secure terminals inside a police station, it will increase your data security, but prevent officers from sharing data in the field.
Many organizations compromise by restricting how much access officers get based on how secure a particular access point is. For example, you could allow certain access from agency owned portable devices, but restrict more sensitive information to controlled access points.
CJIS Compliant Cloud Storage Requirements
For CJIS compliant cloud storage providers, data security must be a top priority. The information needs to be housed in a secure data center, and encrypted both in storage and during transmission. CJI should be kept under the control of LEOs, and should never be data-mined or read by the cloud provider. CJI should also be logically or physically separated from other data to prevent tampering or unauthorized access.
Dependability is also key; for critical information and services, the CJIS cloud provider should retain at least a 99.999% uptime. Because Digital CJI used as evidence requires a chain of custody, the host needs to keep a precise record of access to the data, so that officers can prove it has not been altered. If the hosting company ever needs to move the data to another location, they should notify law enforcement first.
LEOs need to put measures in place to verify cloud security and stability; before employing an organization to host CJI, a law enforcement agency should establish terms for periodic audits. Technically, a CJIS compliant cloud storage provider can do audits internally, but external audits by a compliance expert are also a good idea.
CJIS Compliance and Data Migration
Migrating to a CJIS compliant cloud can be a logistical challenge. It’s not enough to encrypt CJI once it gets to the cloud storage facility — it has to be protected every step of the way. If a police department wishes to move paper records from a storage facility to the cloud, for example, they’ll need to scan them in a secured room onto a computer that can’t be accessed from the outside. Then, they’ll have to tag them, encrypt them, upload them and make sure no unencrypted CJI is left on the computer used. Finally, they’ll have to securely store or destroy the paper records.
Faced with the challenge of securing the whole process, many organizations simply decide it’s not feasible. They scan low security information, while leaving CJI in locked cabinets, or stored in onsite computers that aren’t connected to the cloud. Paradoxically, this often increases security risks. Many of these LEOs have poorly secured storage rooms or unencrypted onsite databases, neither of which provides the same level of security as encryption.
Virtru can help: We allow organizations to use client-side encryption to transfer criminal records, incident reports, and other CJI safely to the cloud. This prevents data from being read in transit, eliminating risks associated with CJIS cloud migration. And once the data is uploaded, it’s easy for authorized users to access, but virtually impossible for bad actors to read. For additional security, you can also host your own encryption keys separately from the data with the Virtru Private Keystore.
Virtru: Your CJIS Compliant Cloud Solution
Virtru is simply the best choice for securing CJI in the cloud. Our CJIS compliant email allows law enforcement and support staff to send secure messages with the click of a button, ensuring that sensitive data is not compromised. It integrates flawlessly with our G Suite encryption, keeping data safe along every step of its journey. Virtru DLP goes one step further, to help prevent human error. Organizations can use custom rules to stop law enforcement from sending unencrypted emails, or forwarding CJI to the wrong parties. Virtru lets law enforcement increase data security, without compromising on ease of use or flexibility.
