AWS complies with the FBI's Criminal Justice Information Services (CJIS) standard. We sign CJIS security agreements with our customers, including allowing or performing any required employee background checks according to the CJIS Security Policy.
AWS has created a Criminal Justice Information Services (CJIS) Workbook in a security plan template format aligned to the CJIS Policy Areas.
Law enforcement customers (and partners who manage CJI) are taking advantage of AWS services to dramatically improve the security and protection of CJI data, using the advanced security services and features of AWS, such as activity logging (AWS CloudTrail), encryption of data in motion and at rest (S3’s Server-Side Encryption with the option to bring your own key), comprehensive key management and protection (AWS Key Management Service and CloudHSM), and integrated permission management (IAM federated identity management, multi-factor authentication).
What is Criminal Justice Information?
CJI refers to the FBI CJIS-provided data necessary for law enforcement agencies to perform their mission and enforce the laws, such as biometric, identity history, person, organization, property, and case/incident history data. CJI also refers to data necessary for civil agencies to perform their mission, including data used to make hiring decisions.
What is the CJIS Security Policy?
The CJIS Security Policy and Requirements ("Policy") reflects the shared responsibility between FBI CJIS, CJIS Systems Agencies (CSA), and the State Identification Bureaus (SIB) for the lawful use and appropriate protection of Criminal Justice Information ("CJI"). The Policy provides a baseline of security requirements for current and planned services and establishes a minimum standard for new initiatives. Consistent with the Policy, we do our part as a cloud service provider and give our customers the means, through our services, to comply with CJIS requirements for the IT environment in AWS.
Can AWS be used for CJIS data?
Yes. To meet the needs of CJIS customers, the AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available. Customers can deploy applications, data, and services, all of which securely comply with CJIS Security Policy requirements.
What do I need to consider when building CJIS compliant applications and services on AWS?
Similar to our other compliance frameworks, the CJIS Policy utilizes a shared responsibility between AWS and our customers. Using a cloud service that aligns to CJIS security requirements doesn't automatically mean that your environment is covered by the CSP's security posture. When using AWS you must still:
- Review the Policy requirements to determine which are directly applicable to your environment
- Implement solutions (as necessary) to address each of those requirements
- Assess and audit the solution against the applicable control requirements
- Submit your CJIS documentation, using the AWS CJIS Workbook, to your customer agency for review and formal CJIS authorization
Finally, there are a few key points in supporting customer CJIS workloads:
- Security is a shared responsibility - as AWS doesn't manage the customer environment or data, this means you are responsible for implementing the applicable CJIS Security Policy requirements in your AWS environment, over and above the AWS implementation of security requirements within the infrastructure.
- Encryption of data at rest is critical - AWS provides several "key" resources to help you achieve this important solution. From Solutions Architect personnel available to assist you to our Encrypting Data at Rest Whitepaper, AWS strives to provide the resources you need to implement secure solutions.
- AWS directly addresses the relevant CJIS Security Policy requirements applicable to the AWS infrastructure. As AWS provides a self-provisioned platform that customers wholly manage, AWS isn't directly subject to the CJIS Security Policy. However, we are absolutely committed to maintaining world-class cloud security and compliance programs in support of our customer needs. AWS demonstrates compliance with applicable CJIS requirements as supported by our third-party assessed frameworks (such as FedRAMP), incorporating on-site data center audits by our FedRAMP accredited 3PAO.
- In the spirit of a shared responsibility philosophy, AWS provides a CJIS Security Policy Workbook (in a system security plan template) aligned to the CJIS Policy Areas. This Workbook is intended to support customers in systematically documenting their implementation of CJIS requirements alongside the AWS approach to each requirement (along with guidance on submitting the document for review and authorization). This Workbook is available to customers.
- AWS provides multiple built-in security features in support of CJIS workloads, such as:
  - Secure access using AWS Identity and Access Management (IAM) with multi-factor authentication
  - Encrypted data storage with either AWS-provided options or customer-maintained options
  - Logging and monitoring with S3 logging, AWS CloudTrail, Amazon CloudWatch, and AWS Trusted Advisor
  - Centralized, customer-controlled key management with AWS CloudHSM and AWS Key Management Service (KMS)
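As an added illustration of two of the features just listed (multi-factor authentication and customer-controlled encryption at rest), the following S3 bucket policy is an example written for this page; it is not taken from the AWS CJIS Workbook or from any AWS documentation. The bucket name `cji-evidence-bucket-placeholder`, the account ID `111122223333`, and the KMS key ARN are placeholders. The first statement denies any object upload that is not encrypted with SSE-KMS, the second denies uploads that use a KMS key other than the one the agency controls, and the third denies every S3 action on the bucket from a caller whose session did not pass MFA.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadsWithoutSSEKMS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cji-evidence-bucket-placeholder/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUploadsWithWrongKmsKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cji-evidence-bucket-placeholder/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"
        }
      }
    },
    {
      "Sid": "DenyAccessWithoutMFA",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::cji-evidence-bucket-placeholder",
        "arn:aws:s3:::cji-evidence-bucket-placeholder/*"
      ],
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

Two points to check before using a policy shaped like this. `BoolIfExists` treats a missing `aws:MultiFactorAuthPresent` key as a match, so roles that services assume on your behalf (an EC2 instance role writing evidence files, for example) will also be denied unless you narrow the `Principal` of that statement to human identities; this is the intended behaviour for interactive access but must be reconciled with the application's own write path. Also, the encryption conditions only inspect the headers on the upload request; combine them with default bucket encryption set to the same KMS key so that objects written by any path you did miss still land encrypted, and keep the KMS key policy itself under agency control so the "customer-controlled key management" point above actually holds.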
How is CJIS compliance determined?
Unlike many of the compliance frameworks AWS supports, there is no central CJIS authorization body, no accredited pool of independent assessors, and no standardized assessment approach for determining whether a particular solution is considered "CJIS compliant". Simply put, a standardized "CJIS compliant" solution which works across all law enforcement agencies does not exist.
Instead, each law enforcement organization granting CJIS authorizations interprets solutions according to its own risk acceptance standard of what can be construed as compliant within the CJIS requirements. Authorizations from one state do not find reciprocity within another state (or even necessarily within the same state); providers must submit solutions for review with each agency's authorizing official(s), possibly including duplicate fingerprint and background checks and other state/jurisdiction-specific requirements.
Each authorization is an agreement with that particular organization, something that must be repeated locally at each law enforcement agency. AWS will not claim to be something we are not, and that is why we won't make broad statements of being "CJIS compliant". Although a particular state or agency may have determined that AWS is CJIS compliant for their purposes, there is no one CJIS certification that applies across all law enforcement departments.
Are there customers using AWS for CJIS data?
Yes. We have several partner solutions, which collect, transfer, manage, and share digital evidence (e.g., video, audio files) related to law enforcement interactions. AWS is also working with partners who are delivering electronic warrant services that create, route for approval and issue field warrants electronically across multiple state, county and city law enforcement agencies. Additionally, AWS is supporting law enforcement agencies to manage police videos related to demonstrations, public meetings, and general police interactions as a way to create transparency through public portals, helping to build trust and transparency in law enforcement.