Complying with FBI cloud policy
All cloud products sold to law enforcement must comply with the FBI’s Criminal Justice Information Services (CJIS) Security Policy. Unfortunately, a recent study showed that half of law enforcement officials have no knowledge of, or are not familiar with, CJIS rules and requirements. The International Association of Chiefs of Police (IACP) conducted the study and, to help, has issued a report, “Guiding Principles on Cloud Computing in Law Enforcement.”
GPN reached out to Paul Rosenzweig, senior advisor to the Washington, D.C.-based Chertoff Group, who offers his views on the topic. Michael Chertoff is one of the founders of the firm and is a former secretary of the U.S. Dept. of Homeland Security.
Below are Paul Rosenzweig’s views.
GPN: If a cloud-based system is CJIS-compliant, does that give local governments some security protection, or does it ensure good performance?
Paul Rosenzweig: CJIS compliance cannot, of course, guarantee good performance or security. It does, however, give those who adopt CJIS standards confidence that they have met a stringent baseline of security and operational standards that are the accepted national standard. Doing so will demonstrate a commitment to security and provide assurance that reasonable steps have been taken to protect against malicious intrusions.
GPN: For systems in the cloud, does CJIS compliance offer any other benefits?
PR: Yes. CJIS compliance assures interoperability of a government’s data system and reduces costs. If a government operates two incommensurate systems, one CJIS-compliant and one that is not, it incurs significant costs in curating its data system, as well as costs associated with disaggregated databases. Using CJIS as a baseline treats all data at a high level of security and, in the long run, increases efficiency.
GPN: How does a law enforcement agency/local government find out if a cloud-based system is CJIS-compliant?
PR: Unfortunately, there is no independent certification authority that will conduct an independent third-party check on CJIS compliance. A law enforcement agency or local government should require a cloud-based provider to certify compliance and agree to a periodic audit by the government as a way of ensuring conformance to the CJIS standard.
GPN: Is it important for law enforcement & homeland security functions/systems in the cloud to be CJIS-compliant?
PR: Very much so. Cloud-based services offer significant efficiency advantages that can reduce costs for law enforcement. But if criminal justice or homeland security information is stored in the cloud in an insecure manner, local governments risk defaulting on their obligation to maintain the security of their citizens’ most intimate data. As repositories for large quantities of personal information about citizens, governments have a special obligation of trust to their constituents.
GPN: An IACP survey shows almost half (42 percent) of law enforcement officials who responded have no knowledge of or are not familiar with CJIS rules and requirements. Is it important for law enforcement officials to be up to speed on CJIS?
PR: Absolutely. In the first place, CJIS sets a baseline of good cybersecurity practices that every law enforcement agency should be familiar with. Second, compliance with CJIS is essential in order for local governments to take advantage of many federal resources. The FBI will not share federal criminal justice information with non-compliant law enforcement agencies.
GPN: What resources should local law enforcement use when determining whether a cloud-based system is CJIS-compliant? I’ve seen an FBI-CJIS 2012 technical report on implementing cloud-computing solutions. Are there other resources to consult?
PR: In addition to the technical report, there is, of course, the CJIS Policy itself, Version 5.3, which was published in August 2014. In addition, guidance may be taken from the recently issued ISO standard, 27018, which expresses an international standard for cloud service providers.
GPN: What does the future hold for law enforcement/homeland security functions in the cloud?
PR: The cloud is too attractive an option for law enforcement and homeland security organizations to ignore. It increases effectiveness while reducing costs. The future will only see greater transition to the cloud. To take just one example, it is estimated that a single officer’s body-worn camera will create a terabyte of data. Storage requirements for these new devices and this volume of data will mandate that cloud-based systems be adopted.
GPN: Thank you, Paul Rosenzweig of the Chertoff Group, for your views.
Michael Keating is Senior Editor at Government Product News, an American City & County sister brand.