Using AWS GovCloud (US) for Criminal Justice Information Solutions
Properly securing Criminal Justice Information (CJI) and maintaining compliance with the CJIS Security Policy requires a number of security controls aimed at ensuring only authorized individuals have access to the CJI. One critical control is the use of independently tested and validated encryption to protect sensitive information both in transit and at rest, regardless of physical location. Another critical control involves limiting access to the individuals who hold or manage the encryption keys, allowing agencies to define and limit the universe of users with logical access to CJI.
Technological advancements have removed the need to engage in the traditional method of relying on physical security and background checks as a way to qualify an individual’s “access” to unencrypted CJI. While the traditional approach can help achieve minimum compliance under the CJIS Security Policy, it doesn’t compare to the security that can be achieved using strong encryption practices and the deployment of “least privilege” principles to restrict CJI access to those with a need-to-know, right-to-know, and your explicit authorization.
Amazon Web Services (AWS) empowers customers to encrypt their criminal justice data in AWS GovCloud (US) employing FIPS 140-2 validated encryption in-transit services and FIPS-197 compliant encryption for data at-rest.
AWS GovCloud (US) also offers a Key Management Service (KMS) using FIPS 140-2 validated hardware security modules, allowing customers to create, own, and manage their own customer master keys for all encryption. These customer master keys never leave the AWS KMS FIPS validated hardware security modules unencrypted and are never known to AWS personnel.
The principle of least privilege is one of the most fundamental underpinnings of the CJIS Security Policy, based on a "need-to-know, right-to-know" standard. AWS GovCloud (US) customers can enforce least privilege by securely encrypting their CJI and limiting all access to the CJI to only those with access to the encryption keys. By using AWS GovCloud (US), customers are provided AWS services, tools, and security assurance to enable their agencies and trusted partners to retain complete control and ownership over their own criminal justice data.
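The two paragraphs above describe the control in words: keep the customer master key in KMS and make access to the CJI equivalent to access to that key. The script below is an added example (not AWS's own code and not from this page) that shows what the control looks like in a KMS key policy. It builds a least-privilege key policy in which a key-administrator role can manage the key but not use it, and only a named application role can encrypt or decrypt with it, and places it beside a weak policy that grants `kms:*` to the account root and `kms:Decrypt` to any principal. An `audit_key_policy` function then flags the statements that violate the "only key holders can reach CJI" rule. The account ID, the `aws-us-gov` ARNs, and the role names are constructed placeholders.

```python
"""Build and audit a KMS key policy that enforces least privilege on CJI.

Added example. Account ID, role names and policy Sids are constructed
placeholders, not values from any real GovCloud (US) account.
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012"  # constructed placeholder account
PARTITION = "aws-us-gov"     # ARN partition used by AWS GovCloud (US)
KEY_ADMIN_ROLE = f"arn:{PARTITION}:iam::{ACCOUNT_ID}:role/CjiKeyAdministrators"
CJI_APP_ROLE = f"arn:{PARTITION}:iam::{ACCOUNT_ID}:role/CjiApplication"

# Actions that actually expose plaintext CJI (the "data plane" of the key).
DATA_ACTION_NAMES = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
)
# Key-management actions for administrators; deliberately excludes the data plane.
ADMIN_ACTIONS = (
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
)


def least_privilege_key_policy(admin_role, user_roles):
    """Key policy: admins manage the key, listed user roles use it, nobody else.

    The usual "enable IAM policies" statement for the account root is omitted
    on purpose, so that an IAM policy alone can never grant use of the key;
    the admin role therefore must itself be tightly controlled.
    """
    return {
        "Version": "2012-10-17",
        "Id": "cji-key-policy",
        "Statement": [
            {"Sid": "KeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": admin_role},
             "Action": list(ADMIN_ACTIONS), "Resource": "*"},
            {"Sid": "CjiDataAccess", "Effect": "Allow",
             "Principal": {"AWS": list(user_roles)},
             "Action": [*DATA_ACTION_NAMES, "kms:DescribeKey"], "Resource": "*"},
        ],
    }


# Weak policy (constructed): every IAM principal in the account can reach the
# key through IAM, and any principal at all can decrypt.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIamPolicies", "Effect": "Allow",
         "Principal": {"AWS": f"arn:{PARTITION}:iam::{ACCOUNT_ID}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AnyoneCanDecrypt", "Effect": "Allow",
         "Principal": "*", "Action": ["kms:Decrypt"], "Resource": "*"},
    ],
}


def _principals(stmt):
    """Return the AWS principals of a statement as a list ('*' for wildcard)."""
    principal = stmt.get("Principal", [])
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def _actions(stmt):
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def _grants_data_access(action_patterns):
    """True if any action pattern (e.g. 'kms:*') matches a data-plane action."""
    return any(fnmatch.fnmatchcase(name.lower(), pat.lower())
               for pat in action_patterns for name in DATA_ACTION_NAMES)


def audit_key_policy(policy, approved_data_principals):
    """Flag Allow statements that let unapproved or wildcard principals use the key."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principals(stmt)
        if "*" in principals and "Condition" not in stmt:
            findings.append(f"{sid}: Allow with wildcard principal and no Condition")
        if _grants_data_access(_actions(stmt)):
            for principal in principals:
                if principal not in approved_data_principals:
                    findings.append(
                        f"{sid}: data-plane access granted to unapproved principal {principal}")
    return findings


if __name__ == "__main__":
    hardened = least_privilege_key_policy(KEY_ADMIN_ROLE, [CJI_APP_ROLE])
    print(json.dumps(hardened, indent=2))
    print("hardened findings:", audit_key_policy(hardened, {CJI_APP_ROLE}))
    print("weak findings:", audit_key_policy(WEAK_POLICY, {CJI_APP_ROLE}))
```

The audit treats a `kms:*` grant to the account root as a data-plane grant, because that statement delegates key use to whatever IAM policies exist in the account and so widens the set of people who can reach plaintext CJI beyond the named key holders. When the hardened policy is applied with boto3, the KMS client should also be configured for the FIPS endpoint (the `use_fips_endpoint` option of `botocore.config.Config`), which is outside this offline example.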
By using solutions built on AWS, agencies can manage and secure their applications, data, and other CJIS resources in AWS GovCloud (US). AWS GovCloud (US) Regions consist of US data centers hosting services authorized at the FedRAMP High baseline, managed by US citizens, and offering the FIPS validated endpoints necessary to build CJIS-compliant solutions.