CJIS Security Policy and Cloud Computing; Don’t be in the “No!”
In the last newsletter I started talking about cloud computing and CJIS Security Policy (CSP) compliance. One of the the items I mentioned was that there are a couple of prohibitions that are identified within the CSP regarding cloud services.
Typically, the CSP describes what must be done to achieve compliance, not what is prohibited. Section 18.104.22.168 covers cloud computing, and most of that section talks about the white paper located in the Appendices (G.3). Hint-If you are going to contract for cloud services, you really need to read that white paper.
However, there are two policy statements in that section, both of which are prohibitions.
Several years ago when the CJIS Advisory Policy Board (APB) Security and Access Subcommittee was considering cloud requirements, these were the two issues that came up in the discussion.
The first one states “The metadata derived from CJI shall not be used by any cloud service provider for any purposes.”
Although metadata does not typically include the actual data itself, information about the data can be used to help paint a picture of “what’s going on.”
The Advisory Policy Board’s view was that vendors did not need to sift through this information, which could potentially compromise a criminal investigation (there are a lot of law enforcement folks on the APB.)
The second statement is kind of like the first “The cloud service provider shall be prohibited from scanning any email or data files for the purpose of building analytics, data mining, advertising, or improving the services provided.”
The members of the APB are always concerned about the potential unauthorized access to or use of Criminal Justice Information (CJI), and particularly Criminal History Record Information (CHRI). Federal law and many state laws are extremely emphatic in that area.
Remember, CHRI is a type of CJI, and there are very specific requirements associated with its access and dissemination. As such, the APB is required to protect CHRI from unauthorized access, e.g., scanning records that include CHRI for improving services is considered a type of access.
Scanning records to improve services is not an authorized purpose for access to CHRI.
As we’ve mentioned before, when looking for a CJIS compliant cloud solution, you have to look at everything, and evaluate whether it meets the requirements of the CJIS Security Policy.
Assuming that something is compliant in the cloud because it was compliant when it was sitting in your criminal justice owned data center is a recipe for disaster.
Years ago, I ran into that when an agency moved their server from within their building to a datacenter across town. Inside their building, they didn’t need to encrypt traffic (it stayed in the building), but when it got moved, they had to figure a way to encrypt to and from the server.
As cloud computing continues to be a option for saving IT resources, the APB will most likely modify the CSP, and that is your opportunity to help define the controls for protecting CJI in the cloud.
If you’re interested in helping make those changes, contact your CJIS Systems Officer (CSO), or go to our blog and read our newsletter on the APB process to understand your role.
Want to know more or further discuss CJIS compliance? Give me a call at 850-656-3333 x288 or email me at firstname.lastname@example.org.
Y’all take care.