AWS Public Sector Blog
Maintain CJIS compliance when accessing commercial AI from AWS GovCloud (US)
While Criminal Justice Information Services (CJIS)-compliant workloads can run in standard US AWS Regions, some Justice and Public Safety (JPS) agencies choose AWS GovCloud (US) for their sensitive workloads. These organizations can still reach current artificial intelligence (AI) models hosted in AWS Standard US Regions by calling those services through their FIPS endpoints, so that data in transit is protected by FIPS 140-3 validated cryptographic modules, as the CJIS Security Policy requires. Configured this way, cross-partition connectivity can be operated while maintaining CJIS compliance.
This approach delivers three key advantages: immediate access to advanced AI capabilities, the ability to maintain compliance through comprehensive security controls, and enhanced operational capabilities for mission-critical operations.
JPS organizations require access to the latest foundation models (FMs) available through Amazon Bedrock for mission-critical AI implementations. Amazon Web Services (AWS) recently published technical guidance on cross-partition connectivity for accessing AI models in AWS Standard US Regions from AWS GovCloud (US). This post addresses important CJIS compliance considerations JPS organizations must evaluate when implementing these architectures.
CJIS compliance approach for cross-partition AI access
Implementing CJIS-compliant cross-partition AI access requires mapping AWS security controls to specific CJIS Security Policy requirements. This mapping gives an agency a documented basis for demonstrating compliance while enabling secure access to AI services in AWS Standard US Regions.
AWS security controls mapping to CJIS requirements
The FBI’s CJIS Security Policy establishes comprehensive security requirements for accessing, processing, and storing Criminal Justice Information (CJI). Key AWS security controls address critical CJIS requirements:
Cryptographic Protection (SC-28, SC-23): AWS Key Management Service (AWS KMS) generates and stores customer managed keys in FIPS 140-3 validated hardware security modules, providing the 256-bit symmetric (AES) keys required for encryption at rest, while FIPS endpoints terminate TLS in FIPS 140-3 validated cryptographic modules for data in transit.
Access Control (AC family): IAM Roles Anywhere issues short-lived credentials to workloads that authenticate with X.509 certificates, so no long-lived access keys need to be distributed. Least privilege is enforced through the IAM policies attached to the role that Roles Anywhere assumes, which should be scoped to the Amazon Bedrock actions and model resources the application actually needs.
Audit and Accountability (AU family): AWS CloudTrail records API activity in each partition. Because AWS GovCloud (US) and the Standard US Regions are separate partitions, a trail must be configured in each and the logs aggregated centrally; CloudTrail log file integrity validation (SHA-256 digests signed with RSA) and configurable retention support CJIS audit requirements.
Technical implementation guidance
Successful CJIS-compliant cross-partition AI implementation requires careful configuration of security controls, monitoring systems, and compliance procedures. The following guidance provides specific implementation steps for maintaining compliance throughout the AI access workflow.
Secure cross-partition configuration
IAM Roles Anywhere Setup: Configure the Roles Anywhere profile with session durations that respect the CJIS 30-minute inactivity timeout, and log all credential operations (each CreateSession call is recorded by CloudTrail). Import certificate revocation lists (CRLs) for the trust anchor into IAM Roles Anywhere and keep them current, so that revoked certificates are rejected at authentication and CJIS PKI authentication requirements are met.
Network Security: Restrict outbound traffic from the AI workload's Amazon Virtual Private Cloud (VPC) to the FIPS endpoints only, isolate AI workloads from other subnets, and enable VPC Flow Logs for compliance monitoring. Security groups filter by IP address rather than hostname, so limiting egress to named FIPS endpoints in practice means an egress proxy or domain-based firewall rules in front of the workload.
Encryption Implementation: Use customer managed AWS KMS keys with automatic rotation for data at rest, and ensure that all cross-partition communication uses FIPS 140-3 validated HTTPS endpoints (for example by enabling the SDK's use_fips_endpoint setting so the client resolves the -fips hostnames rather than the default endpoints).
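The three configuration steps above come together on the client side as a Roles Anywhere credential_process profile that the AWS CLI and SDKs consume. The following Python is an added example, not code from the AWS post or from AWS: it assembles that profile, rejects settings that would break the CJIS mapping (a session longer than 30 minutes, a GovCloud-partition ARN, a non-FIPS endpoint), and produces the hostname allowlist for egress filtering. The ARNs, file paths and profile name are placeholders; the aws_signing_helper flags and the use_fips_endpoint config key are the documented ones, but the --endpoint option in particular is an assumption to verify against the helper version you deploy.

```python
import re
from dataclasses import dataclass

# CJIS Security Policy: sessions lock after 30 minutes of inactivity, so cap
# the lifetime of Roles Anywhere temporary credentials at 30 minutes.
CJIS_MAX_SESSION_SECONDS = 30 * 60
# IAM Roles Anywhere CreateSession accepts 900..3600 seconds.
ROLES_ANYWHERE_MIN_SESSION_SECONDS = 900

# FIPS endpoints in the Standard US (commercial) partition follow the
# "<service>-fips.<region>.amazonaws.com" pattern. GovCloud (US) hosts end in
# amazonaws-us-gov.com and are the wrong partition for this flow.
_FIPS_HOST = re.compile(
    r"^(rolesanywhere|bedrock|bedrock-runtime|kms)-fips\.us-(east|west)-[12]\.amazonaws\.com$"
)


def is_fips_endpoint(host: str) -> bool:
    """True only for a FIPS endpoint of a service in this flow, in a Standard US Region."""
    return bool(_FIPS_HOST.match(host.strip().lower()))


def rolesanywhere_endpoint(region: str) -> str:
    return f"rolesanywhere-fips.{region}.amazonaws.com"


def bedrock_runtime_endpoint(region: str) -> str:
    return f"bedrock-runtime-fips.{region}.amazonaws.com"


@dataclass(frozen=True)
class RolesAnywhereProfile:
    region: str
    trust_anchor_arn: str
    profile_arn: str
    role_arn: str
    certificate: str  # PEM end-entity certificate issued by the agency PKI (placeholder path)
    private_key: str  # its private key; keep on a hardware token or a root-only file
    session_seconds: int = CJIS_MAX_SESSION_SECONDS

    def validate(self) -> None:
        """Reject settings that would break the CJIS mapping before anything is deployed."""
        if not ROLES_ANYWHERE_MIN_SESSION_SECONDS <= self.session_seconds <= CJIS_MAX_SESSION_SECONDS:
            raise ValueError(f"session_seconds={self.session_seconds}: must be 900..{CJIS_MAX_SESSION_SECONDS}")
        for arn in (self.trust_anchor_arn, self.profile_arn, self.role_arn):
            # Trust anchor, profile and role live in the commercial partition ("arn:aws:");
            # an "arn:aws-us-gov:" resource cannot be used from this side of the flow.
            if not arn.startswith("arn:aws:"):
                raise ValueError(f"{arn}: not a Standard US partition ARN")
        for host in (rolesanywhere_endpoint(self.region), bedrock_runtime_endpoint(self.region)):
            if not is_fips_endpoint(host):
                raise ValueError(f"{host}: not a FIPS endpoint in a Standard US Region")

    def credential_process(self) -> str:
        """Command the AWS CLI/SDK runs to obtain temporary credentials through Roles Anywhere."""
        self.validate()
        return (
            "aws_signing_helper credential-process"
            f" --certificate {self.certificate}"
            f" --private-key {self.private_key}"
            f" --trust-anchor-arn {self.trust_anchor_arn}"
            f" --profile-arn {self.profile_arn}"
            f" --role-arn {self.role_arn}"
            f" --session-duration {self.session_seconds}"
            f" --region {self.region}"
            # Assumed: the helper's --endpoint option, used here to pin the
            # CreateSession call to the Roles Anywhere FIPS endpoint.
            f" --endpoint https://{rolesanywhere_endpoint(self.region)}"
        )

    def aws_config_profile(self, name: str = "bedrock-standard-us") -> str:
        """~/.aws/config profile text; use_fips_endpoint makes the SDK resolve
        bedrock-runtime-fips.<region>.amazonaws.com for Bedrock calls."""
        return "\n".join([
            f"[profile {name}]",
            f"region = {self.region}",
            "use_fips_endpoint = true",
            f"credential_process = {self.credential_process()}",
            "",
        ])


def egress_allowlist(region: str) -> list[str]:
    """Hostnames the workload may reach. Security groups filter by IP/CIDR, not by
    name, so feed this to an egress proxy or domain-based firewall rule (assumed
    deployment choice, not one the post prescribes)."""
    return [rolesanywhere_endpoint(region), bedrock_runtime_endpoint(region)]


if __name__ == "__main__":
    profile = RolesAnywhereProfile(
        region="us-east-1",
        trust_anchor_arn="arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/EXAMPLE-TA",
        profile_arn="arn:aws:rolesanywhere:us-east-1:111122223333:profile/EXAMPLE-PROFILE",
        role_arn="arn:aws:iam::111122223333:role/BedrockFromGovCloud",
        certificate="/etc/pki/app/client.pem",
        private_key="/etc/pki/app/client.key",
    )
    print(profile.aws_config_profile())
    print("allowed egress:", egress_allowlist("us-east-1"))
```

The validation runs every time the profile text is generated, so a 60-minute session or a GovCloud-partition ARN never reaches a config file; the generated profile is the one the GovCloud (US) application would use with its Bedrock client.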
Compliance monitoring and alerting
Monitoring and Auditing: Implement continuous monitoring for compliance violations and unauthorized access attempts with automated alerts. Maintain comprehensive audit trails across both partitions with centralized log aggregation and integrity protection.
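The monitoring described above can be made concrete as checks over the CloudTrail records collected from both partitions. The following Python is an added example, not code from the AWS post or from AWS: it audits CloudTrail records for the deviations this architecture must not allow (a call to a non-FIPS or wrong-partition endpoint, TLS below 1.2 or a non-AES-GCM cipher suite, a Roles Anywhere session longer than the CJIS 30-minute limit, and a Bedrock call made with a long-lived IAM user identity instead of Roles Anywhere temporary credentials). The sample records are constructed for this example; their shape follows CloudTrail's documented fields (eventSource, eventName, tlsDetails, requestParameters, userIdentity), but the account IDs, ARNs and addresses are placeholders, and the AES-GCM-only cipher rule is a policy choice the post does not fix.

```python
import json
import re

CJIS_MAX_SESSION_SECONDS = 30 * 60
MONITORED_SOURCES = {"rolesanywhere.amazonaws.com", "bedrock.amazonaws.com"}
# Every cross-partition call must hit a FIPS endpoint in a Standard US Region.
FIPS_HOST = re.compile(r"^[a-z0-9-]+-fips\.us-(east|west)-[12]\.amazonaws\.com$")
# TLS 1.2+ with an AES-GCM suite. AES-128-GCM is FIPS approved; an agency policy
# may tighten this to AES-256 (local choice, not fixed by the post).
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}


def _cipher_ok(cipher: str) -> bool:
    return "AES" in cipher and "GCM" in cipher


def audit(records):
    """Return one finding string per CJIS-relevant deviation; an empty list means clean."""
    findings = []
    for ev in records:
        src = ev.get("eventSource", "")
        if src not in MONITORED_SOURCES:
            continue  # other services are out of scope for this check
        tag = f"{ev.get('eventTime')} {src} {ev.get('eventName')}"
        tls = ev.get("tlsDetails") or {}
        host = tls.get("clientProvidedHostHeader", "")
        if not FIPS_HOST.match(host):
            findings.append(f"{tag}: non-FIPS or wrong-partition endpoint '{host}'")
        if tls.get("tlsVersion") not in ALLOWED_TLS:
            findings.append(f"{tag}: TLS version '{tls.get('tlsVersion')}' below TLS 1.2")
        if not _cipher_ok(tls.get("cipherSuite", "")):
            findings.append(f"{tag}: cipher suite '{tls.get('cipherSuite')}' is not AES-GCM")
        if src == "rolesanywhere.amazonaws.com" and ev.get("eventName") == "CreateSession":
            dur = (ev.get("requestParameters") or {}).get("durationSeconds", 0)
            if dur > CJIS_MAX_SESSION_SECONDS:
                findings.append(f"{tag}: requested {dur}s credentials exceeds CJIS 30-minute limit")
        if src == "bedrock.amazonaws.com":
            # Bedrock must only be reached with Roles Anywhere temporary credentials
            # (an assumed role session), never with a long-lived IAM user access key.
            ident = (ev.get("userIdentity") or {}).get("type")
            if ident != "AssumedRole":
                findings.append(f"{tag}: call made with long-lived identity type '{ident}'")
    return findings


def audit_log_file(text: str):
    """Audit the body of a CloudTrail log file ({"Records": [...]})."""
    return audit(json.loads(text).get("Records", []))


def _tls(host, version="TLSv1.2", cipher="ECDHE-RSA-AES256-GCM-SHA384"):
    return {"tlsVersion": version, "cipherSuite": cipher, "clientProvidedHostHeader": host}


# Constructed sample records (shape follows CloudTrail; all values are placeholders).
SAMPLE_RECORDS = [
    {"eventTime": "2025-01-15T14:02:11Z", "eventSource": "rolesanywhere.amazonaws.com",
     "eventName": "CreateSession", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"durationSeconds": 1800,
                           "trustAnchorArn": "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/EXAMPLE-TA"},
     "tlsDetails": _tls("rolesanywhere-fips.us-east-1.amazonaws.com")},
    {"eventTime": "2025-01-15T14:05:40Z", "eventSource": "rolesanywhere.amazonaws.com",
     "eventName": "CreateSession", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"durationSeconds": 3600},  # longer than CJIS allows
     "tlsDetails": _tls("rolesanywhere-fips.us-east-1.amazonaws.com")},
    {"eventTime": "2025-01-15T14:03:02Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/BedrockFromGovCloud/00abc"},
     "tlsDetails": _tls("bedrock-runtime-fips.us-east-1.amazonaws.com", "TLSv1.3", "TLS_AES_256_GCM_SHA384")},
    {"eventTime": "2025-01-15T14:09:27Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "legacy-batch"},  # long-lived key
     "tlsDetails": _tls("bedrock-runtime.us-east-1.amazonaws.com",    # non-FIPS endpoint
                        "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256")},
    {"eventTime": "2025-01-15T14:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances"},  # out of scope
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print(finding)
```

Against the constructed records this reports three findings (the 3600-second session, the non-FIPS Bedrock endpoint, and the IAM user calling Bedrock) and nothing for the compliant events; in practice the same function runs over the aggregated log files from both partitions, with each finding feeding the automated alerting the section calls for.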
Architecture overview
The following diagram illustrates the CJIS-compliant cross-partition architecture for secure AI access using FIPS endpoints:
Figure 1: CJIS-compliant cross-partition architecture demonstrating secure AI access from AWS GovCloud (US) to AWS Standard US Regions
Architecture components and data flow
Authentication Flow: AWS GovCloud (US) applications present X.509 certificates issued by their own PKI to the IAM Roles Anywhere FIPS endpoint in the AWS Standard US partition over TLS. Roles Anywhere validates the certificate against the configured trust anchor by constructing a certification path and checking revocation status against the imported CRL, then returns temporary credentials to the AWS GovCloud (US) application; the short credential lifetime limits the exposure should a session be compromised.
Secure Communication: All cross-partition communication flows through FIPS 140-3 validated HTTPS endpoints. Applications connect directly from AWS GovCloud (US) to AWS Standard US Region FIPS endpoints: first to IAM Roles Anywhere to obtain credentials, then, with those credentials, to the Amazon Bedrock runtime endpoint to make API calls.
AI Service Access: Once authenticated, applications access the latest FMs available in Amazon Bedrock through its FIPS endpoints. All API calls traverse FIPS endpoints and are recorded by CloudTrail for audit purposes. Amazon Bedrock maintains customer data protection through encryption at rest with customer-managed keys, private model copies that prevent data sharing with model providers, and regional data residency that keeps all customer content within the selected AWS Region.
Compliance Controls: Both partitions maintain comprehensive security controls including encryption key management, audit logging, and network isolation throughout the AI processing workflow.
JPS AI use cases
CJIS-compliant cross-partition AI access allows JPS organizations to leverage advanced AI capabilities for mission-critical operations. These use cases demonstrate practical applications while maintaining strict compliance requirements.
Emergency response optimization
911 Call Analysis: Natural language processing enables real-time incident classification and optimal resource dispatch, improving response times.
Multilingual Support: Real-time translation services provide instant language detection and bidirectional communication, improving service delivery equity across diverse communities.
Criminal investigation support
Document Analysis: AI processes witness statements, evidence reports, and case files to extract key facts and identify patterns across investigations, significantly reducing document review time.
Pattern Recognition: Cross-case correlation identifies similarities in modus operandi and evidence characteristics, generating actionable investigation leads while enabling proper CJI classification.
Predictive analytics for JPS resource allocation
Risk Assessment Models: Data-driven patrol allocation based on crime pattern analysis optimizes resource deployment, improving response times and resource utilization.
Budget Forecasting: Predictive models analyze historical incident data to forecast service demand and optimize staffing levels, improving budget accuracy.
Implementation considerations
Organizations planning CJIS-compliant cross-partition AI implementations must address comprehensive planning and ongoing compliance requirements. Pre-implementation activities should include CJIS Security Officer involvement, data classification procedures, network architecture review, FIPS 140-3 encryption implementation, IAM Roles Anywhere configuration with CRL management, CloudTrail logging, and incident response procedures.
Ongoing compliance requires establishing regular monitoring processes including security event review, audit log analysis, and periodic security assessments based on organizational requirements. These considerations enable successful deployment and sustained compliance throughout the AI implementation lifecycle.
CJIS alignment
This architecture aligns with the current FBI CJIS Security Policy v6.0 and conforms to other complementary compliance standards including FedRAMP Moderate and NIST SP 800-53 Rev. 5.
Under the AWS Shared Responsibility Model, AWS provides secure, compliant infrastructure and services, while customers remain responsible for proper configuration, access controls, data classification, and security implementation. Organizations must ensure their specific implementation meets all applicable CJIS requirements through proper configuration of the security controls and procedures outlined in this guidance.
Conclusion
CJIS compliance for AI on AWS represents a significant opportunity for JPS organizations to enhance their mission-critical operations while maintaining strict security requirements. The key to successful implementation lies in understanding that CJIS compliance is not a barrier to AI innovation on AWS—it’s a security requirement that can be met while enabling advanced AI capabilities through secure connectivity.
Success requires careful planning, thorough documentation, and ongoing CJIS compliance monitoring. Organizations that invest in proper AI implementation on AWS will gain operational advantages while maintaining the trust and security that communities depend on.
Ready to implement CJIS-compliant artificial intelligence (AI) capabilities? Contact your AWS account team to discuss your specific requirements and develop a tailored implementation plan.
