All cloud products sold to U.S. law enforcement agencies must comply with the FBI’s Criminal Justice Information Systems (CJIS) security requirements, FBI officials said.
While the nation’s top law enforcement agency concedes that some vendors may have a tough time meeting those requirements, it insisted there would be no compromising on security.
“The FBI remains committed to using technology in its information-sharing processes, but not at the sacrifice of the security of the information with which it has been entrusted,” said Stephen Fischer Jr., a spokesman for the FBI’s CJIS division.
Fischer’s comments come less than two months after the Los Angeles Police Department canceled a planned migration to Google Apps because it said the cloud service was not compliant with CJIS security requirements.
At the time, two city officials said U.S. Department of Justice requirements for the CJIS are not currently compatible with cloud computing. Google also said CJIS requirements are incompatible with cloud computing and therefore present a unique challenge to any cloud vendor.
The CJIS database, maintained by the FBI, is one of the world’s largest repositories of criminal history records and fingerprints.
The records are available to law enforcement agencies and contractors around the country that comply with the security rules, which include requirements that all data, both in transit and at rest, undergo encryption and anyone that gets access to the database passes FBI background checks.
Fischer maintained the CJIS security requirements are compatible with cloud computing.
“The CJIS Security Policy is a cloud-compatible policy,” fully vetted and approved by local, state, tribal and federal law enforcement agencies in the U.S. and Canada, he said. Fischer did say, though, “the requirements may be tough for some vendors to meet.”
One of the more challenging requirements requires cloud service providers to identify all system, database, security and network administrators who have access to criminal justice information, he said.
Similarly, cloud vendors will likely find it difficult to require fingerprint criminal background checks on all administrators with access to the criminal justice information. Fischer said.