Criminal Justice Information Services (CJIS)
AWS services support customer CJIS requirements by addressing the CJIS Security Policy Areas. AWS infrastructure and services have been reviewed by state and federal law enforcement agencies, which confirm AWS’s competence in supporting customer CJIS workloads.
Many customers that manage sensitive data – including law enforcement agencies, financial institutions, and healthcare organizations – are comfortable deploying workloads on AWS GovCloud (US) as the region is explicitly designed to meet unique compliance needs associated with sensitive workloads. Beyond the assurance programs available to all commercial regions, AWS GovCloud (US) allows customers at the state, local and federal level to adhere to ITAR, FedRamp/FISMA High and DoD SRG impact levels 2, 4 and 5.
Law enforcement customers (and partners who manage criminal justice information) are taking advantage of AWS services to dramatically improve the security and protection of CJI data, using the advanced security services and features of AWS, such as:
- Activity logging (AWS CloudTrail).
- Encryption of data in motion and at rest (Amazon S3’s Server-Side Encryption with the option to bring your own key)
- Comprehensive key management and protection (AWS Key Management Service and CloudHSM).
- Integrated permission management (IAM federated identity management, multi-factor authentication).
What is Criminal Justice Information?
Criminal Justice Information (CJI) refers to the data necessary for law enforcement agencies to perform their mission and enforce the laws, such as biometric, identity history, person, organization, property, and case/incident history data. CJI also refers to data necessary for civil agencies to perform their mission, including data used to make hiring decisions.
What is the CJIS Security Policy?
The CJIS Security Policy ("Policy") reflects the shared responsibility between FBI CJIS, CJIS Systems Agency (CSA), and the State Identification Bureaus (SIB) of the lawful use and appropriate protection of Criminal Justice Information (CJI). The Policy provides a baseline of security requirements for current and planned services, and establishes a minimum standard for new initiatives. Consistent with the Policy, we do our part as a cloud service provider and give our customers the means, through our services, to comply with CJIS requirements for the IT environment in AWS.
Can AWS be used for CJIS data?
Yes. To meet the needs of CJIS customers, the AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available. Customers can deploy applications, data, and services, all of which securely meet the requirements of the CJIS Security Policy.
What do I need to consider when building CJIS compliant applications and services on AWS?
Similar to our other compliance frameworks, the CJIS Security Policy uses a shared responsibility model between AWS and our customers. For more information, see the AWS Shared Responsibility Model webpage.
Using a cloud service provider (CSP) that aligns to CJIS security requirements doesn't automatically mean that your environment is covered by the CSP's security posture. When using AWS, you must still:
- Review the CJIS Security Policy requirements to determine which are directly applicable to your environment.
- Implement solutions (as necessary) to address each of those requirements.
- Assess and audit the solution against the applicable control requirements.
- Submit your CJIS documentation using the AWS CJIS Workbook to your customer agency for review and formal CJIS authorization.
Finally, there are few key points in supporting customer CJIS workloads:
- Security is a shared responsibility AWS doesn't manage the customer environment or data, which means you are responsible for implementing the applicable CJIS Security Policy requirements in your AWS environment. AWS only manages the implementation of security requirements within the AWS infrastructure.
- Encryption of data at rest is critical. AWS provides several resources to help you achieve this important solution, including Solutions Architect personnel available to assist you, and our Encrypting Data at Rest whitepaper.
- AWS directly addresses the relevant CJIS Security Policy requirements that apply to the AWS infrastructure. AWS provides a self-provisioned platform that customers wholly manage, so AWS isn't directly subject to the CJIS Security Policy. However, we are absolutely committed to maintaining world-class cloud security and compliance programs in support of our customer needs. AWS demonstrates compliance with applicable CJIS requirements as supported by our third-party assessed frameworks, such as FedRAMP which includes on-site data center audits by our FedRAMP-accredited third-party assessment organization (3PAO).
- In the spirit of a shared responsibility model, AWS provides a CJIS Security Policy Workbook (in a system security plan template) that is aligned to the CJIS Policy Areas. This workbook helps customers to systematically document their implementation of CJIS requirements alongside the AWS approach to each requirement (along with guidance on submitting the document for review and authorization). See the Criminal Justice Information Services (CJIS) Workbook and spreadsheet.
- AWS provides multiple built-in security features in support of CJIS workloads such as:
- Secure access by using AWS Identity and Access Management (IAM) with multi-factor authentication
- Encrypted data storage with either AWS-provided options or customer-maintained options.
- Logging and monitoring with S3 logging, AWS CloudTrail, Amazon CloudWatch, and AWS Trusted Advisor
- Centralized, customer-controlled key management with AWS CloudHSM and AWS Key Management Service (KMS)
How is CJIS compliance determined?
There is no central CJIS authorization body, no accredited pool of independent assessors, nor a standardized assessment approach to determining whether a particular solution is considered CJIS compliant. There is no standardized CJIS compliant solution that works across all law enforcement agencies. Instead, each law enforcement organization granting CJIS authorizations interprets solutions according to their own standard of what is considered compliant within the CJIS requirements. Authorizations from one state do not find reciprocity within another state (or even necessarily within the same state); providers must submit solutions for review with each agency authorizing official, possibly to include duplicate fingerprint, and background checks, and other state/jurisdiction-specific requirements.
Each authorization is an agreement with that particular organization; something that must be repeated locally at each law enforcement agency. AWS will not claim to be something we are not, and that is why we won't make broad statements of being CJIS compliant. Although a particular state or agency may have determined that AWS is CJIS compliant for their purposes, there is no single CJIS certification that applies across all law enforcement departments.
Are there customers using AWS for CJIS data?
Yes. For example, we have several partner solutions that collect, transfer, manage, and share digital evidence (for example, video and audio files) related to law enforcement interactions. AWS is also working with partners who are delivering electronic warrant services that create, route for approval, and issue field warrants electronically across multiple state, county, and city law enforcement agencies. Additionally, AWS is supporting law enforcement agencies to manage police videos related to demonstrations, public meetings, and general police interactions as a way to create transparency through public portals, helping to build trust and transparency in law enforcement.