Addressing Cloud security through CJIS compliance
There’s a lot of discussion on law enforcement tasks that can be handled in the cloud. GPN reached out to Intergraph’s John Whitehead for his views.
John Whitehead is a director of public safety at Intergraph. He has more than 20 years of public safety experience, including serving as operations manager for Jefferson County, Mo., 911. Whitehead’s photo is below on the right.
Huntsville, Ala.–based Intergraph is a provider of public safety software. The company is working with Microsoft to deploy its web-based records management system, inPURSUIT WebRMS on the Microsoft Azure government-community cloud service.
GPN: What does the future hold for law enforcement/homeland security functions in the cloud?
John Whitehead: “In the cloud” has a lot of different meanings for law enforcement and homeland security personnel. From using software as a service (SaaS) model to putting applications within a private cloud, agencies are still trying to get a handle on the best solution for their existing workflows.
The International Association of Chiefs of Police (IACP) recently released a survey that shows 54 percent of member respondents have implemented or were planning to implement a cloud-based solution in the next two years. This shows that we’ve moved beyond whether agencies are comfortable with the cloud. It’s now a question of what and how to implement cloud-based solutions.
GPN: If a cloud-based system complies with requirements of the FBI’s Criminal Justice Information Services Division (CJIS), does that give local governments some security protection, or does it ensure good performance?
JW: This is all about security of data and sensitive material. While performance is key to day-to-day usage, security is the most important factor when looking for a cloud-based solution. CJIS compliance ensures agencies that a stringent set of security has been met.
GPN: Are there any other benefits of having a CJIS-compliant cloud setup?
JW: Public safety agencies are looking to reduce their cost while maintaining the highest standards. A cloud-based solution can potentially help. It can lower the initial cost and also (depending on the product), lower the overall, life-cycle cost of the solution.
GPN: How does a law enforcement agency/local government find out if a cloud-based system is CJIS-compliant?
JW: The vendor community has a responsibility to the agencies to provide CJIS compliance information. This ensures that agencies are getting the most secure systems available. However, just like any other purchase, a little homework goes a long way. Reference checks for vendors have always been common in the public safety community, but agencies should now also check on the security of the vendor’s software to ensure it meets CJIS requirements.
GPN: Is it important for law enforcement and homeland security functions/systems in the cloud to be CJIS-compliant?
JW: It is really no longer an option, as the FBI continues to state that cloud-based solutions and products sold to agencies must comply with CJIS security requirements. Agencies today have to deal with the same threats as other organizations and businesses.
They must assume there are networking threats attempting to illegally access their data. This means that securing their IT infrastructure is just as important as securing their brick-and- mortar structure; and in some cases, more so.
GPN: A recent IACP survey shows almost half (42 percent) of law enforcement officials who responded have no knowledge or are not familiar with CJIS rules. Is it important for law enforcement to be up to speed on CJIS?
JW: It’s all about being an educated consumer. Users see and hear the industry buzz words buzzwords, such as cloud computing and Next Gen 911, but knowing what these terms mean to your agency is critical to a successful implementation. CJIS rules and requirements are no different. Agencies don’t have to memorize the CJIS security policy manual, but designating a department resource to become familiar with those policies is key. The FBI website provides a lot of the information an agency will need. The CJIS security policy is available online. It is recommended reading for anyone interested.
GPN: I’ve seen a CJIS 2012 technical report on implementing cloud-computing solutions. Are there other reports that are worth a look?
JW: I would recommend the CJIS security policy manual as a great resource to explain the standards. It includes a full section on cloud-based recommendations. There are also numerous white papers and a checklist available online for agencies to utilize.
GPN: Are there other resources that should be consulted?
JW: CJIS offers state- and national-level conferences that provide a wealth of information. Agencies can attend these conferences and get a lot of great information.
Michael Keating is Senior Editor at Government Product News, an American City & County sister brand.