AWS Public Sector Blog
How the latest FBI CJIS Security Policy updates help you control your criminal justice information
The recent Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Security Policy update contains important cloud computing language that aligns with the Amazon Web Services (AWS) approach to building CJIS compliant solutions. The modernized policy provides a clear path for agencies and their solution providers to eliminate access by cloud provider personnel to critical CJI stored on the cloud by controlling encryption keys in a secure compute environment. This is paramount to being able to successfully defend chain of custody claims and remove the risk of credentials compromise. AWS empowers customers to build solutions that eliminate access to critical CJI by AWS personnel.
The CJIS policy changes
One of the most notable changes and clarifications is to Policy Area 12 on personnel security, which states:
“Regardless of the implementation model – physical data center, virtual cloud solution, or a hybrid model – unescorted access to unencrypted CJI must be determined by the agency taking into consideration if those individuals have unescorted logical or physical access to any information system resulting in the ability, right, or privilege to view, modify, or make use of unencrypted CJI….Fingerprint-based record checks may not be required for all cloud provider personnel depending upon the type of service offering and access to encryption keys.” [Criminal Justice Information Services (CJIS) Security Policy, version 5.9.1, page 67.]
The cloud-based encryption key management language was also updated. The current policy states “As a best security practice, the CJIS ISO Program does not recommend allowing the cloud service provider access to the encryption keys used to protect CJI.” The recent update adds that “…through management and control of encryption keys, all service offerings may be implemented in an agency-controlled manner where the cloud service provider has no ability to access unencrypted CJI.” [Page G-22.]
How AWS supports the CJIS policy requirements
To support these new CJIS policy requirement updates, AWS customers and partners can design, configure, and manage applications on AWS using AWS Key Management Service (AWS KMS) and AWS Nitro System. The AWS Nitro System virtual compute instances operate on a locked down security model prohibiting all interactive administrative access, including that of Amazon employees. This restricts all access to all managed resources (virtual devices, services, virtual private clouds, etc.) to only authorized customer personnel, “making it impossible to access customer data or mutate the system in unapproved ways,” wrote Amazon chief technology officer (CTO), Werner Vogels, in this blog post.
“A large part of providing compliance falls on personnel clearances, which include state and national fingerprint-based background checks, CJIS Security Awareness training, and for vendor personnel, signed CJIS Security Addendums. Because of the security and access model employed by AWS, the ability for non-CJA personnel to have unescorted access to unencrypted CJI is eliminated, and thus, so is the need for personnel determinations, making auditing and compliance in this area far simpler,” said Kevin Baird, former CJIS information security officer with the Washington State Patrol.
Data security is being measured not by the number of people who are fingerprinted, but by the ability to eliminate access to data all together. These new technical controls in the FBI CJIS Security Policy can be seamlessly implemented in solutions built on AWS.
Visit the Using AWS for Criminal Justice Information Solutions site for more information, or contact us. Check out more stories on CJIS on the AWS Public Sector Blog, or watch the on-demand webinars, How to secure digital evidence to secure the chain of custody and Maintain full control over your criminal justice information under the latest FBI CJIS Security Policy update.
Read related stories on the AWS Public Sector Blog:
- Customers in all 50 states in US can now host criminal justice information on AWS
- A journey of innovation in CJIS compliance
- New IDC whitepaper released: How government agencies meet security and compliance requirements with the cloud
- Amazon Connect achieves FedRAMP High authorization
- How governments can transform services securely in the cloud
Subscribe to the AWS Public Sector Blog newsletter to get the latest in AWS tools, solutions, and innovations from the public sector delivered to your inbox, or contact us.
Please take a few minutes to share insights regarding your experience with the AWS Public Sector Blog in this survey, and we’ll use feedback from the survey to create more content aligned with the preferences of our readers.