AWS Public Sector Blog
Customers in all 50 states in US can now host criminal justice information on AWS
After a multi-year journey working with the mission critical application technology providers and Criminal Justice Information Services (CJIS) officials across the US, Amazon Web Services (AWS) implemented a simple and technically robust approach to CJIS compliance. Now, agencies and organizations in all 50 states in the US can host criminal justice information (CJI) on AWS.
To achieve this milestone, AWS worked backwards from the requirements of customers and focused on fundamentally sound security practices (per CJIS Security Policy requirements) that allow agencies to retain full control over their own criminal justice information (CJI) and reduce compliance dependencies that were previously created by relying solely on personnel security controls managed by the cloud service provider. The result is a simplified model that allows agencies and technology providers to achieve compliance through provable technical controls rather than compliance through manual, point-in-time personnel security processes designed to enable access to CJI by cloud provider personnel.
“This is a big milestone for AWS, and we’re pleased to work with CJIS officials across the country to ensure that criminal justice is secure and accessible for agencies in all 50 states,” said Kim Majerus, leader of state and local government and US education at AWS. “Our services help agencies and their software partners build systems that work best for each of their constituencies. And, it gives them increased flexibility and autonomy, while remaining laser-focused on data security and privacy.”
Building CJIS-compliant solutions on AWS
As public safety agencies and technology providers look for innovative ways to meet the increasing demands placed on their mission critical operations, it has become more important to strengthen and simplify security and compliance to meet those demands.
Public safety agencies and their application providers can independently build CJIS-compliant solutions on AWS to help them deploy highly available, resilient, and secure mission-critical applications. AWS gives customers the opportunity to exercise exclusive control over where data is stored, the methods by which data is secured in transit, in process and at rest, and access to their own information systems.
Customers can meet the rigorous security requirements prescribed in the Criminal Justice Information Services Security Policy based on a zero-trust security model by retaining complete control and ownership over their own criminal justice data using AWS services such as AWS Key Management Service (KMS) and building their solution on the AWS Nitro System. This approach allows customers and application providers to build solutions where they can manage their own security controls without the need to extend unnecessary trust to AWS personnel responsible for maintaining the underlying services and infrastructure. This approach also works to preserve the critical “chain of custody” for digital evidence in the cloud by empowering agencies to cryptographically prove the integrity of digital evidence stored in the AWS Cloud.
Simplifying compliance for customers
The AWS approach to CJIS compliance simplifies the work of our customers and helps reduce the cost and time associated with auditing and maintaining records of compliance for state CJIS System Agencies (CSA). By relying on provable technical controls to protect CJI, state CSAs no longer have to use significant resources negotiating CJIS agreements and maintaining training and personnel records for cloud personnel that they had no method to accurately validate were the correct personnel with access to their agency’s CJI. AWS customers and AWS Partners employ provable technical controls to validate in real-time who can access their most sensitive data and when and demonstrate it clearly to the CSA or FBI upon request.
“As the CJIS Systems Agency (CSA), the Washington State Patrol is responsible for ensuring Washington State criminal justice agencies meet or exceed the requirements of the CJIS Security Policy for the protection of criminal justice information (CJI) wherever it may reside. A large part of providing compliance falls on personnel clearances, which include state and national fingerprint-based background checks, CJIS Security Awareness training, and for vendor personnel, signed CJIS Security Addendums. Because of the security and access model employed by AWS, the ability for non-CJA personnel to have unescorted access to unencrypted CJI is eliminated, and thus, so is the need for personnel determinations, making auditing and compliance in this area far simpler,” said Kevin Baird, CJIS information security officer, Washington State Patrol.
Getting started with CJI on AWS
For information and assistance on deploying solutions on AWS, refer to the AWS CJIS Compliance Site or reach out to me or contact us. Check out more stories on CJIS on the AWS Public Sector Blog.