AWS Public Sector Blog
Accessing commercial AI from AWS GovCloud (US) for your CJIS workloads
Please note that the following post is intended for informational purposes only. The approach detailed below may not be suitable for all organizations and/or compliance programs. It is important to evaluate this potential solution against the compliance needs of your organization and any applicable regulatory obligations you may have.
While Criminal Justice Information Services (CJIS)-compliant workloads can run in standard US AWS Regions, some Justice and Public Safety (JPS) agencies choose AWS GovCloud (US) for their sensitive workloads. From GovCloud, these organizations can reach current Artificial Intelligence (AI) models hosted in AWS Standard US Regions through FIPS endpoints, so that data in transit is protected by FIPS 140-3 validated cryptographic modules as CJIS requires. Whether that access preserves your CJIS compliance depends on how your organization implements the cross-partition connectivity; always review and validate a solution against your own compliance goals.
This approach delivers three advantages: immediate access to advanced AI models, an option you can assess against your existing compliance program, and enhanced operational capabilities for mission-critical work.
Justice and Public Safety organizations want access to the latest foundation models (FMs) available in Amazon Bedrock for mission-critical AI implementations. This post walks through the CJIS compliance considerations JPS organizations must address when evaluating and implementing this architecture.
CJIS compliance approach for cross-partition AI access
Implementing CJIS-compliant cross-partition AI access starts with mapping AWS security controls to the specific CJIS Security Policy requirements they help satisfy. The mapping below gives you a basis for demonstrating compliance while enabling access to AI services in AWS Standard US Regions.
AWS security controls mapping to CJIS requirements
The FBI’s CJIS Security Policy establishes comprehensive security requirements for accessing, processing, and storing Criminal Justice Information (CJI). Key AWS security controls that can help you address critical CJIS requirements include:
Cryptographic Protection (SC-28, SC-23): AWS Key Management Service (AWS KMS) generates and uses keys inside FIPS 140-3 validated hardware security modules; its symmetric KMS keys (formerly called customer master keys) are 256-bit AES keys, which satisfies the CJIS requirement for encryption at rest. For data in transit, FIPS endpoints terminate TLS in FIPS 140-3 validated cryptographic modules. The client must be configured to use them, because the default (non-FIPS) endpoints of the same services remain reachable.
Access Control (AC family): IAM Roles Anywhere lets a workload outside the partition exchange an X.509 certificate for temporary credentials, so no long-lived access keys exist to be stored or leaked. The permissions those credentials carry come from the IAM role the profile maps to; scope that role's policies to the Amazon Bedrock actions and model ARNs the application needs (least privilege).
Audit and Accountability (AU family): AWS CloudTrail records API activity in each partition (CloudTrail is partition-scoped, so GovCloud and Standard US activity land in separate trails that you aggregate yourself), supports log file integrity validation with signed digest files, and retains logs for as long as the destination S3 bucket lifecycle or CloudWatch Logs retention you configure.
Technical implementation guidance
Successful cross-partition AI implementation in compliance-focused environments requires careful configuration of security controls, monitoring systems, and compliance procedures. The following guidance lists implementation steps that can help you decide how to maintain compliance throughout the AI access workflow.
Secure cross-partition configuration
IAM Roles Anywhere Setup: Set the Roles Anywhere profile's session duration (and the role's maximum session duration) so that issued credentials do not outlive the CJIS 30-minute inactivity timeout. Roles Anywhere sessions have a fixed lifetime rather than an inactivity timer, so a lifetime of 30 minutes or less bounds it. Log every credential operation (CreateSession calls appear in CloudTrail). Import your CA's certificate revocation lists (CRLs) into IAM Roles Anywhere for the trust anchor and keep them current: Roles Anywhere does not fetch CRLs on its own, so a revoked certificate keeps working until the refreshed CRL is imported. This is what supports the PKI-based authentication CJIS requires.
Network Security: Restrict outbound traffic from the AI workload's VPC to the FIPS endpoints only. Amazon Virtual Private Cloud (VPC) security groups match IP ranges, not hostnames, and endpoint IP addresses change, so enforce the hostname allowlist in an egress proxy or an AWS Network Firewall domain-list rule, and use security groups to permit outbound traffic only toward that control point. Isolate AI workloads from other subnets, and enable VPC Flow Logs for compliance monitoring.
Encryption Implementation: Use customer-managed AWS KMS keys with automatic key rotation for data at rest, and configure every SDK and CLI that crosses partitions to use the FIPS 140-3 validated HTTPS endpoints (for example the `use_fips_endpoint` setting of the AWS SDKs) rather than relying on defaults.
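The three configuration steps above, expressed as a check you can run against exported configuration. This is an added example and not code from the original post; the function names, the posture dictionary layout and the two sample configurations are constructed, and the field names (durationSeconds, trustAnchorArn, KeyRotationEnabled) follow the `aws rolesanywhere` and `aws kms` CLI responses as best understood, so verify them against your own output.

```python
"""Static checks on an IAM Roles Anywhere and KMS configuration for the
cross-partition pattern. Added example, not code from the original post.
Inputs are shaped like the JSON from `aws iam get-role` (AssumeRolePolicyDocument),
`aws rolesanywhere get-profile`, `aws rolesanywhere list-crls` and
`aws kms get-key-rotation-status`; field names are an assumption to verify,
and every ARN, CN and sample below is constructed."""

TRUST_ANCHOR_ARN = "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/example"  # constructed
CJIS_MAX_SESSION_SECONDS = 30 * 60  # CJIS 30-minute inactivity timeout


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, trust_anchor_arn: str) -> list:
    """Findings for a role trust policy that should only be assumable by
    IAM Roles Anywhere, via one trust anchor, for one certificate subject."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or principal.get("AWS") == "*":
            findings.append("trust policy statement allows any principal")
            continue
        if "rolesanywhere.amazonaws.com" not in _as_list(principal.get("Service", [])):
            continue  # not a Roles Anywhere statement
        cond = stmt.get("Condition", {})
        anchors = _as_list(cond.get("ArnEquals", {}).get("aws:SourceArn", []))
        if trust_anchor_arn not in anchors:
            findings.append("Roles Anywhere statement is not pinned to the expected trust anchor (aws:SourceArn)")
        if not any(k.startswith("aws:PrincipalTag/x509") for k in cond.get("StringEquals", {})):
            findings.append("no certificate attribute condition (aws:PrincipalTag/x509Subject/CN or similar)")
    return findings


def check_profile(profile: dict) -> list:
    duration = profile.get("durationSeconds", 3600)  # service default is one hour
    if duration > CJIS_MAX_SESSION_SECONDS:
        return [f"profile durationSeconds {duration} exceeds the 30-minute CJIS limit"]
    return []


def check_crls(crls: list, trust_anchor_arn: str) -> list:
    """Roles Anywhere only checks revocation against CRLs you have imported."""
    if any(c.get("enabled") and c.get("trustAnchorArn") == trust_anchor_arn for c in crls):
        return []
    return ["no enabled CRL is associated with the trust anchor"]


def check_kms(rotation_status: dict) -> list:
    return [] if rotation_status.get("KeyRotationEnabled") else ["automatic rotation is disabled on the KMS key"]


def assess(posture: dict, trust_anchor_arn: str = TRUST_ANCHOR_ARN) -> list:
    return (check_trust_policy(posture["trust_policy"], trust_anchor_arn)
            + check_profile(posture["profile"])
            + check_crls(posture["crls"], trust_anchor_arn)
            + check_kms(posture["kms_rotation"]))


# Weak configuration (constructed): any trust anchor in the account can assume
# the role, sessions last an hour, no CRL imported, no key rotation.
WEAK = {
    "trust_policy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "rolesanywhere.amazonaws.com"},
        "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"]}]},
    "profile": {"durationSeconds": 3600, "enabled": True},
    "crls": [],
    "kms_rotation": {"KeyRotationEnabled": False},
}

# Hardened configuration for the same role (constructed).
HARDENED = {
    "trust_policy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "rolesanywhere.amazonaws.com"},
        "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
        "Condition": {
            "ArnEquals": {"aws:SourceArn": TRUST_ANCHOR_ARN},
            "StringEquals": {"aws:PrincipalTag/x509Subject/CN": "cjis-app-01.example.gov"}}}]},
    "profile": {"durationSeconds": 1800, "enabled": True},
    "crls": [{"crlId": "c1", "enabled": True, "trustAnchorArn": TRUST_ANCHOR_ARN}],
    "kms_rotation": {"KeyRotationEnabled": True, "RotationPeriodInDays": 365},
}

if __name__ == "__main__":
    for name, posture in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, assess(posture) or "OK")
```

The trust policy condition on `aws:SourceArn` is what stops a different trust anchor in the same account from assuming the role, and the `aws:PrincipalTag/x509Subject/CN` condition ties the role to one issued certificate rather than to anything the CA has ever signed.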
Compliance monitoring and alerting
Monitoring and Auditing: Continuously monitor both partitions for compliance drift (a non-FIPS endpoint in use, a session longer than allowed, a stale CRL) and for unauthorized access attempts (AccessDenied errors, CreateSession calls from unexpected trust anchors), with automated alerts. Aggregate the CloudTrail trails from both partitions into one log store with integrity validation enabled.
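A minimal version of that monitoring, as an added example that is not part of the original post: a few detection rules run over constructed CloudTrail-style records from the Standard US partition. The trust anchor ARN and the approved egress CIDR are placeholders, and the `requestParameters.trustAnchorArn` key on CreateSession events is an assumption to verify against your own logs.

```python
"""Detection rules over CloudTrail events from the Standard US partition for
the cross-partition pattern. Added example, not code from the original post.
The records below are constructed to look like CloudTrail JSON; the allowed
trust anchor ARN and egress CIDR are placeholders, and the CreateSession
requestParameters keys are an assumption."""
import ipaddress

ALLOWED_TRUST_ANCHORS = {"arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/example"}
APPROVED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # GovCloud NAT / proxy egress (placeholder)
WEAK_TLS = {"TLSv1", "TLSv1.1"}
DENIED = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation"}


def findings_for(event: dict) -> list:
    """Return the rule violations a single CloudTrail event triggers."""
    out = []
    source, name = event.get("eventSource"), event.get("eventName")
    tls = event.get("tlsDetails", {})
    if source == "rolesanywhere.amazonaws.com" and name == "CreateSession":
        anchor = event.get("requestParameters", {}).get("trustAnchorArn")
        if anchor not in ALLOWED_TRUST_ANCHORS:
            out.append(f"CreateSession via unexpected trust anchor {anchor}")
    if source == "bedrock.amazonaws.com":
        host = tls.get("clientProvidedHostHeader", "")
        if "-fips." not in host:
            out.append(f"Bedrock call to non-FIPS endpoint {host or '<unknown>'}")
    if tls.get("tlsVersion") in WEAK_TLS:
        out.append(f"TLS below 1.2 ({tls['tlsVersion']})")
    if event.get("errorCode") in DENIED:
        out.append(f"{name} denied for {event.get('userIdentity', {}).get('arn', '?')}")
    try:
        addr = ipaddress.ip_address(event.get("sourceIPAddress", ""))
        if not any(addr in net for net in APPROVED_EGRESS):
            out.append(f"call from {addr}, outside approved GovCloud egress")
    except ValueError:
        pass  # AWS service or internal source, not an IP address
    return out


def scan(records) -> dict:
    """Map eventID to findings for every event that triggered a rule."""
    result = {}
    for event in records:
        found = findings_for(event)
        if found:
            result[event["eventID"]] = found
    return result


def _event(eid, source, name, ip, host=None, tls="TLSv1.3", **extra):
    tls_details = {"tlsVersion": tls}
    if host:
        tls_details["clientProvidedHostHeader"] = host
    return {"eventID": eid, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "tlsDetails": tls_details,
            "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/cjis-bedrock-access/app"},
            **extra}


ANCHOR = next(iter(ALLOWED_TRUST_ANCHORS))
SAMPLE_EVENTS = [  # constructed records
    _event("e1", "rolesanywhere.amazonaws.com", "CreateSession", "203.0.113.10",
           requestParameters={"trustAnchorArn": ANCHOR}),
    _event("e2", "bedrock.amazonaws.com", "Converse", "203.0.113.10",
           host="bedrock-runtime-fips.us-east-1.amazonaws.com", tls="TLSv1.2"),
    _event("e3", "bedrock.amazonaws.com", "Converse", "203.0.113.10",
           host="bedrock-runtime.us-east-1.amazonaws.com", tls="TLSv1.2"),
    _event("e4", "rolesanywhere.amazonaws.com", "CreateSession", "198.51.100.7",
           requestParameters={"trustAnchorArn": ANCHOR.replace("example", "rogue")}),
    _event("e5", "bedrock.amazonaws.com", "InvokeModel", "203.0.113.11",
           host="bedrock-runtime-fips.us-east-1.amazonaws.com",
           errorCode="AccessDeniedException"),
]

if __name__ == "__main__":
    for eid, found in scan(SAMPLE_EVENTS).items():
        print(eid, found)
```

The non-FIPS rule relies on CloudTrail's `tlsDetails.clientProvidedHostHeader`, which records the hostname the client actually connected to; it is the simplest after-the-fact evidence that the SDK configuration from the previous section held.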
Architecture overview
The following diagram illustrates what a CJIS-compliance infrastructure may look like for a cross-partition architecture with secure AI access using FIPS endpoints.
Figure 1: Cross-partition architecture demonstrating secure AI access from AWS GovCloud (US) to AWS Standard US Regions.
Architecture components and data flow
Authentication Flow: AWS GovCloud (US) applications present X.509 certificates issued by their own PKI to IAM Roles Anywhere in the AWS Standard US partition over TLS. IAM Roles Anywhere validates each certificate against the trust anchor by constructing a certification path to the registered CA and checking revocation status against the imported CRL, then issues temporary credentials (a CreateSession call) back to the application. Short-lived credentials limit the exposure if a session is compromised.
Secure Communication: All cross-partition traffic goes to FIPS 140-3 validated HTTPS endpoints. Applications connect directly from AWS GovCloud (US) to the AWS Standard US Region: first to the IAM Roles Anywhere endpoint to obtain credentials, then to the Amazon Bedrock runtime endpoint with requests signed (AWS Signature Version 4) using those credentials. IAM Roles Anywhere issues credentials; it is not in the data path of the Bedrock calls.
AI Service Access: Once authenticated, applications call the latest FMs in Amazon Bedrock through its FIPS endpoints, and every API call is recorded for audit. Amazon Bedrock encrypts customer data at rest with customer-managed keys, does not share prompts or completions with model providers (customized models are stored as private copies), and keeps customer content in the Region where the request was made. One caveat: cross-Region inference profiles may route a request to another Region in the same geography, so use a single-Region model ID when your data residency requirement names a specific Region.
Compliance Controls: Both partitions maintain comprehensive security controls including encryption key management, audit logging, and network isolation throughout the AI processing workflow.
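The authentication and communication flow above, from the application's side. This is an added example and not code from the original post; it assumes the IAM Roles Anywhere credential helper `aws_signing_helper` and boto3 are installed, and the certificate paths, ARNs and model ID are placeholders. The FIPS host pattern `bedrock-runtime-fips.<region>.amazonaws.com` and the cross-Region inference profile prefixes are documented values as best understood; confirm them for your Region.

```python
"""Client side of the flow: obtain temporary credentials from IAM Roles
Anywhere with the AWS credential helper, then call Amazon Bedrock in a
Standard US Region through its FIPS endpoint. Added example, not code from the
original post. Assumes `aws_signing_helper` and boto3 are installed; paths,
ARNs and the model ID in __main__ are placeholders."""
import json
import subprocess
from datetime import datetime, timedelta, timezone

CJIS_MAX_SESSION = timedelta(minutes=30)
# Geography prefixes of Bedrock cross-Region inference profile IDs (assumption).
CROSS_REGION_PREFIXES = {"us", "us-gov", "eu", "apac", "global"}


def fips_endpoint_url(region: str) -> str:
    """Bedrock runtime FIPS endpoint for a Standard US Region."""
    return f"https://bedrock-runtime-fips.{region}.amazonaws.com"


def is_single_region_model_id(model_id: str) -> bool:
    """True for a plain model ID; False for an inference profile ID such as
    'us.amazon.nova-lite-v1:0', which may be routed to another Region."""
    return model_id.split(".", 1)[0] not in CROSS_REGION_PREFIXES


def parse_timestamp(value: str) -> datetime:
    """ISO 8601 timestamp as emitted by credential_process (trailing Z allowed)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_credentials(creds: dict, now=None) -> dict:
    """Check credential_process output: all fields present and a lifetime no
    longer than the CJIS 30-minute window (otherwise the Roles Anywhere
    profile's durationSeconds is too long)."""
    now = now or datetime.now(timezone.utc)
    for key in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        if not creds.get(key):
            raise ValueError(f"credential_process output is missing {key}")
    if parse_timestamp(creds["Expiration"]) - now > CJIS_MAX_SESSION:
        raise ValueError("credential lifetime exceeds 30 minutes; shorten the profile's durationSeconds")
    return creds


def roles_anywhere_credentials(cert, key, trust_anchor_arn, profile_arn, role_arn) -> dict:
    """Run the IAM Roles Anywhere credential helper and validate its output."""
    cmd = ["aws_signing_helper", "credential-process",
           "--certificate", cert, "--private-key", key,
           "--trust-anchor-arn", trust_anchor_arn,
           "--profile-arn", profile_arn, "--role-arn", role_arn]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return validate_credentials(json.loads(out))


def bedrock_client(creds: dict, region: str):
    """boto3 client pinned to the FIPS endpoint; refuses to start otherwise."""
    import boto3
    from botocore.config import Config
    client = boto3.client(
        "bedrock-runtime", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
        config=Config(use_fips_endpoint=True))
    if client.meta.endpoint_url != fips_endpoint_url(region):
        raise RuntimeError(f"refusing non-FIPS endpoint {client.meta.endpoint_url}")
    return client


def ask(client, model_id: str, prompt: str) -> str:
    """Single-turn Converse call, refusing cross-Region inference profile IDs."""
    if not is_single_region_model_id(model_id):
        raise ValueError(f"{model_id} is a cross-Region inference profile; use a single-Region model ID")
    resp = client.converse(modelId=model_id,
                           messages=[{"role": "user", "content": [{"text": prompt}]}])
    return resp["output"]["message"]["content"][0]["text"]


if __name__ == "__main__":
    creds = roles_anywhere_credentials(  # placeholder paths and ARNs
        "/etc/pki/cjis-app/cert.pem", "/etc/pki/cjis-app/key.pem",
        "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/example",
        "arn:aws:rolesanywhere:us-east-1:111122223333:profile/example",
        "arn:aws:iam::111122223333:role/cjis-bedrock-access")
    print(ask(bedrock_client(creds, "us-east-1"), "amazon.nova-lite-v1:0",
              "Summarize the incident report categories."))
```

The two guards are the point: `use_fips_endpoint=True` with an explicit check of the resolved endpoint URL means CJI never leaves for a non-FIPS hostname because of a default, and rejecting credentials that outlive 30 minutes surfaces a misconfigured Roles Anywhere profile at the client instead of in an audit.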
JPS AI use cases
Cross-partition AI access enables JPS organizations to leverage advanced AI capabilities for mission-critical operations. These use cases demonstrate practical applications while maintaining strict compliance requirements.
Emergency response optimization
911 Call Analysis: Natural language processing enables real-time incident classification and optimal resource dispatch, improving response times.
Multilingual Support: Real-time translation services provide instant language detection and bidirectional communication, improving service delivery equity across diverse communities.
Criminal investigation support
Document Analysis: AI processes witness statements, evidence reports, and case files to extract key facts and identify patterns across investigations, significantly reducing document review time.
Pattern Recognition: Cross-case correlation identifies similarities in modus operandi and evidence characteristics, generating actionable investigation leads while ensuring proper CJI classification.
Predictive analytics for JPS resource allocation
Risk Assessment Models: Data-driven patrol allocation based on crime pattern analysis optimizes resource deployment, improving response times and resource utilization.
Budget Forecasting: Predictive models analyze historical incident data to forecast service demand and optimize staffing levels, improving budget accuracy.
Implementation considerations
Organizations looking to deploy CJIS-compliant cross-partition AI implementations must address comprehensive planning and ongoing compliance requirements. Pre-implementation activities should include CJIS Security Officer involvement, data classification procedures, network architecture review, FIPS 140-3 encryption implementation, IAM Roles Anywhere configuration with CRL management, CloudTrail logging, and incident response procedures.
Ongoing compliance requires regular monitoring processes: security event review, audit log analysis, and periodic security assessments on the schedule your organization's requirements set. Together these help sustain compliance throughout the AI implementation lifecycle.
CJIS alignment
This architecture is designed to support organizations working within the FBI CJIS Security Policy v6.0 framework and other security standards including FedRAMP Moderate and NIST 800-53 Rev 5. Always review the latest official compliance information to ensure the solution meets your organization’s needs.
Under the AWS Shared Responsibility Model, AWS provides secure, compliant infrastructure and services, while customers remain responsible for proper configuration, access controls, data classification, and security implementation. Organizations must ensure their specific implementation meets all applicable CJIS requirements through proper configuration of the security controls and procedures outlined in this guidance.
Conclusion
CJIS compliance for AI on AWS represents a significant opportunity for JPS organizations to enhance their mission-critical operations while maintaining strict security requirements. The key to successful implementation lies in understanding that CJIS compliance is not a barrier to AI innovation on AWS—it’s a security requirement that can be met while enabling advanced AI capabilities through secure connectivity.
Success requires careful planning, thorough documentation, and ongoing CJIS compliance monitoring. Organizations that invest in proper AI implementation on AWS will gain operational advantages while maintaining the trust and security that communities depend on.
Ready to implement CJIS-compliant artificial intelligence (AI) capabilities? Contact your AWS account team to discuss your specific requirements and develop a tailored implementation plan.
