
How to Maintain CJIS Compliance in a Cloud Era




For law enforcement agencies today, CJIS cloud compliance is no longer a question of ‘if,’ but ‘how.’ While benefits like scalability, accessibility, and speed are undeniable, strict CJIS regulations make data security and migration a complex hurdle.

Agencies must now balance modernizing their infrastructure with the rigorous security required to protect sensitive data.

Understanding CJIS cloud requirements is the first step toward modernization. By implementing strong encryption, strict access controls, and proper provider vetting, agencies can confidently adopt cloud solutions for law enforcement.

What the CJIS Security Policy Says About Cloud Computing

In the past, storing Criminal Justice Information (CJI) on-premises was seen as the most secure option. However, the CJIS Security Policy has evolved to accommodate the modern need for cloud computing.

Law enforcement agencies are now allowed to use cloud services for CJI, but only if those services strictly adhere to CJIS cloud compliance standards.

The CJIS Security Policy includes sections, such as Appendix G, which state that the cloud can be used if specific controls are in place. The core principle remains: agencies retain full security control.

The agency must control and have access to the cryptographic keys that are used for protecting the data, even if it is stored on a third-party server. This way, the cloud provider cannot access unencrypted CJI.

Data Encryption Requirements for CJIS Cloud Compliance

One of the most critical CJIS cloud requirements is the need for highly secure data encryption. The policy requires that CJI be encrypted at all times, during transit, at rest, and in use.

To protect the encrypted CJIS data, law enforcement agencies must use FIPS 140-2 (or higher) certified encryption modules. These generally utilize the Advanced Encryption Standard (AES) with a minimum key length of 256 bits.


  • During Transit: The data exchanged between the agency and the cloud must be encrypted using TLS 1.2 or above.

  • At Rest: The data in the cloud must be encrypted in a manner that prevents it from being read without the specific decryption key.

  • In Use: Protect active data with Trusted Execution Environments (TEEs). This prevents exposure to the operating system or cloud provider.

  • Key Control: The agency must have sole control over the encryption keys. Hardware key vaults ensure cloud providers cannot decrypt or access sensitive files.

Cloud Key Management and Trusted Execution

The updated CJIS guidelines have brought key management into focus. If data is decrypted in the cloud environment for processing, deploying highly secure “trusted execution” environments is a must.

To comply with the CJIS cloud requirements detailed in CJIS v5.9.1, agencies should restrict the cloud operator’s access using the following methods:

  • Implement strict controls: Use confidential computing or Hardware Security Modules (HSMs) to ensure that CSP workers cannot access unencrypted CJI.

  • Data sovereignty needs to be a priority: The safest approach for secure cloud storage of law enforcement data consists of two steps:

    • Customer-managed keys should be used.

    • All cloud resources should be hosted exclusively in U.S. regions to prevent data from being transferred to other jurisdictions.

Network and Access Controls

Adopting a “zero trust” model is an absolute necessity for cloud migrations. That is, cloud-based CJIS software has to be accessed through secure means, such as:

  • VPNs and Private Links: Always opt for robust Virtual Private Networks (VPNs) or allocated private connections instead of the public internet for direct database access.

  • Session Management: Apply very strict session locks. For example, after 30 minutes of inactivity, the system should automatically lock the screen or session.

  • Login Limits: To reduce the chances of brute-force attacks, a lockout policy after a given number of failed login attempts (e.g., five attempts) should be enforced.

  • Role-Based Access Control (RBAC): Make sure that users will not have access to any data other than what’s required for their specific role. The principle of least privilege is critical to internal security.
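The encryption, key-control, sovereignty and access controls listed above can be checked mechanically against a resource inventory. The following is an added example, not PsPortals code or text from the CJIS Security Policy: the inventory format, field names and "us-" region labels are assumptions, and the 30-minute and five-attempt limits are the example values given on this page. Whether the encryption module is FIPS 140-2 validated cannot be read from a configuration string and is not checked here.

```python
from dataclasses import dataclass

TLS_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

@dataclass
class Resource:              # constructed inventory record, not a real CSP schema
    name: str
    region: str              # assumption: U.S. regions are labelled "us-*"
    min_tls: str
    at_rest_cipher: str
    key_owner: str           # "agency" = customer-managed key
    idle_lock_minutes: int   # 0 = session lock disabled
    max_failed_logins: int   # 0 = lockout disabled
    public_db_endpoint: bool

def audit(r: Resource) -> list[str]:
    """Return findings for one resource; an empty list means every check passed."""
    f = []
    # Unknown protocol strings fail closed instead of being treated as modern.
    if r.min_tls not in TLS_ORDER or TLS_ORDER.index(r.min_tls) < TLS_ORDER.index("TLSv1.2"):
        f.append("transit: minimum TLS below 1.2")
    if r.at_rest_cipher != "AES-256":
        f.append("at rest: cipher is not AES-256")
    if r.key_owner != "agency":
        f.append("key control: key is not agency-managed")
    if not r.region.startswith("us-"):
        f.append("sovereignty: resource outside U.S. regions")
    if not 0 < r.idle_lock_minutes <= 30:
        f.append("session: idle lock missing or longer than 30 minutes")
    if not 0 < r.max_failed_logins <= 5:
        f.append("login: lockout missing or above five attempts")
    if r.public_db_endpoint:
        f.append("network: database reachable over the public internet")
    return f

# Constructed sample inventory.
INVENTORY = [
    Resource("records-db", "us-east", "TLSv1.2", "AES-256", "agency", 30, 5, False),
    Resource("evidence-bucket", "eu-west", "TLSv1.1", "AES-128", "provider", 0, 10, True),
]

def audit_inventory(items):
    """Map resource name -> findings, keeping only resources that fail a check."""
    return {r.name: found for r in items if (found := audit(r))}

if __name__ == "__main__":
    for name, found in audit_inventory(INVENTORY).items():
        print(name, *found, sep="\n  - ")
```
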

Choosing CJIS-Compliant Cloud Providers

The quality of cloud service providers (CSPs) varies. Thus, for CJIS cloud migration, law enforcement agencies need to choose CSPs that are willing to sign the CJIS Security Addendum (CSA).

The CSA is an agreement between the two parties that defines the security measures to be put in place by the provider.

However, basic requirements still apply, and the selected provider should also:

  • Conduct FBI-compliant background checks on all personnel with potential access to the physical or logical infrastructure;

  • Have its data centers located only in the United States;

  • Guarantee high availability and provide detailed data integrity assertions;

  • Be able to furnish evidence of the passage of independent audits, verifying the effectiveness of their physical and informational security controls.

Confidently Stay CJIS Compliant in the Cloud
Discover how PsPortals helps agencies meet CJIS requirements with secure, cloud-ready software.
Talk to a Compliance Specialist

Working with Cloud Services

The successful deployment of cloud solutions for law enforcement is not only about the technology, but also about having transparent and straightforward governance.

  • Agreements: Service Level Agreements (SLAs) should be set up. This will clearly define data ownership (the agency owns the data, not the vendor) and mandatory breach notification timelines.

  • Auditing: Make sure that the provider can supply audit logs whenever needed. This is key to maintaining the chain of custody of digital evidence.

  • Regular Review: Review the commitments made in the CJIS Security Addendum regularly and carry out joint audits to prove that the provider complies with CJIS cloud requirements.

PsPortals and Cloud Solutions

Modernizing your agency’s infrastructure is seamless with cloud-based CJIS software like PsPortals. Tailor-made for the modern web, their suite of cloud solutions for law enforcement guarantees compliance while reducing IT compatibility issues.

  • Portal XL: This browser-based NCIC/NLETS workstation functions as a zero-footprint client. It operates in all modern browsers, thus perfectly integrating with cloud infrastructures without the need for local software installation.

  • Personal Portal: This product, meant for field officers, offers secure mobile access to CJI through the internet. It employs stringent authentication measures to make sure encrypted CJIS data gets to the officer securely.

  • Testing & Certification: PsPortals also provides cloud-based solutions for monitoring training and certifications, thus making sure law enforcement personnel remain qualified and compliant with CJIS standards.

  • Super Administrator: This solution provides a centralized administrator with complete control over the users, keys, and policies through a single dashboard. Super Administrator makes management of permissions and audits throughout the cloud easier.

By using PsPortals’ browser-based solutions, agencies can have secure cloud storage of law enforcement tactics and at the same time provide the end-users with a fast, trustworthy, and compliant experience that meets strict requirements.

Conclusion

Cloud migration transforms public safety operations with faster, more efficient tools, yet the duty to secure Criminal Justice Information remains paramount. By mastering CJIS requirements such as encryption and strict vendor vetting, agencies can successfully modernize their infrastructure without ever compromising data security.

PsPortals bridges the gap between strict regulation and modern technology. Using inherently compliant cloud solutions, PsPortals allows your agency to focus on its true mission: public safety and law enforcement. Compliance shouldn’t hinder innovation; with the right tools and understanding, you can navigate the cloud confidently.


Frequently Asked Questions (FAQs)

Q: Can law enforcement data be stored in the public cloud under CJIS policy?

A: Of course, as long as the agency and the cloud provider adhere to the stringent CJIS cloud compliance standards. This involves signing the CJIS Security Addendum and ensuring that the data is encrypted with agency-managed keys.

Q: What encryption is required for CJIS data in the cloud?

A: CJIS requirements mandate FIPS 140-2-certified encryption for data while in transit or at rest. CJI is usually encrypted using AES-256.

Q: How do we manage encryption keys for cloud CJI storage?

A: The agency is to keep the keys under its control at all times. This means that the cloud provider does not have access to the keys at any point.

Q: What should we look for in a CJIS-compliant cloud provider?

A: Identify providers that are willing to sign the CJIS Security Addendum, operate U.S. data centers, conduct background checks for employees, and have strong physical and logical security measures in place.

Q: Are CJIS background checks required for cloud provider personnel?

A: If the personnel access CJI, then generally, yes. However, the requirement may be made less stringent based on the particular situation dealt with in the CJIS Security Policy.

Q: How do we ensure CJI in the cloud stays within policy?

A: Conducting regular audits, maintaining strict compliance with the CJIS Security Addendum, and applying CJIS cloud software tailored for compliance ensure that cloud-based CJI is secure.

Q: Does the CJIS policy allow cloud-based email or messaging?

A: Yes. However, the standard regulations still apply. The email system should universally support encryption. Additionally, if the email system transmits CJI, it must comply with all CJIS cloud controls, and data residency and authentication requirements will be in place.
