Hello, Larry here!
Bill and I were talking the other day about the newsletter, and what the next topic should be. We were asking ourselves – what are the questions being asked by the CJIS user communities? The conclusion was quick, and we were in total agreement – cloud computing.
Before I get too far into everyone’s favorite subject these days, I need to introduce myself (or re-introduce myself for those who already know me).
My name is Larry Coffee and I’m the newest member of the DCI/CJIS ACE team. Just to let you know, Bill hasn’t gone anywhere; in fact, he’s as busy as ever and will continue to contribute to the CJIS ACE Newsletter from time-to-time.
Since I’m going to be the principal author of the CJIS ACE Newsletter, I had better tell you a little bit about myself and my qualifications (for those who missed my introductory Newsletter):
- 22 years as a member of the Florida Department Law Enforcement (FDLE)
- Florida’s CJIS Information Security Officer (ISO)
- FDLE CJIS Information Manager for the Tallahassee and Pensacola Regions
- Florida Crime Information Center (FCIC) Compliance Auditor
- Member of the APB’s Security and Access (S&A) Subcommittee
- Member of the S&A’s CJIS Security Policy (CSP) Rewrite Task Force
- Chair of the S&A’s Mobile Security Task Force
- Member of the APB NCIC Warrants Task Force
I have spent my entire time at FDLE in the CJIS “sandbox”, both at the state and national levels. Like Bill, I have extensive experience with being on both sides of a CJIS audit (literally as a compliance auditor), as well as being on the committees that decide policy and requirements, and not just the CJIS Security Policy (CSP).
All of that being said, let’s get back to the subject at hand – cloud computing.
The big question that everyone wants to know: can cloud computing be CSP compliant?
The answer is: it depends.
The folks in Florida will have heard this answer from me before. Many of them said I could never give a straight answer, but that’s how the CSP is constructed; especially with respect to cloud computing.
Any state of compliance depends on many variables. In very few instances does the CSP say “no, you can’t do that.” Interestingly enough, the realm of cloud computing is where you do find two specific prohibitions; more on that at another time.
Each cloud offering is different from provider to provider. Additionally, a given cloud provider could offer implementations where one solution could be compliant while another is not. Same provider but two different implementations.
Then you have to consider the application, file, and/or the specific implementation that you, the user (the one ultimately responsible for CJIS compliance), plan to put in the cloud.
What your agency is planning for a given cloud implementation might be slightly different from what the folks down the road are planning utilizing the same provider. One minor variation in implementation could mean the difference in whether or not the solution is compliant.
There are some requirements that are applicable “across the board”, e.g., having the vendor employees with access to Criminal Justice Information (CJI) sign the Security Addendum Certification Page. The Certification Page itself is not contract specific, and can be used for any contract the vendor may have that requires access to CJI. Once the vendor employee has signed it, the company can keep them on file and provide them for future contracts.
Something that potentially isn’t across the board could be the employees themselves. One agency may have Brendie, Amanda and Chris working on the contract for Bill’s Cloud Solutions. Another agency using the same company and the same solution might have Diana, Sandra, and Lee. Same company and same solution, using different people. This is important because the second agency wouldn’t automatically be compliant based on the first agency’s processes. The first agency would not have conducted background checks on the folks who are working on the second agency’s contract. In this scenario, the background checks for the second agency’s contract are the responsibility of the second agency to complete.
When you’re working with a given vendor for a given implementation, your agency is ultimately responsible for meeting all of the CSP requirements for compliance. In some instances, some of the requirements may be administered by another entity (e.g., the CJIS Systems Agency (CSA) coordinating the background check process). However, most CSAs will still require the contracting agency (that’s you) to ensure that the specific offering for your agency is CSP compliant.
The CSAs and their auditors shouldn’t accept “agency X said it was OK”, and they really shouldn’t accept “the vendor said they are CJIS compliant” without completing their own due diligence. They (the vendor) might in fact be compliant, but it’s up to you and your agency to be sure before you start storing and processing CJI in the cloud.
Sound a little confusing? Not really, but it could get a little complicated and require an in-depth review. Remember, CJIS ACE can help out with that review and help to ensure compliance.
Want to know more or discuss further? Give me a call at 850-656-3333 x288 or email me at firstname.lastname@example.org
See you soon,