A journey of innovation in CJIS compliance

This story also appeared in the CJIS Group blog.

To protect citizens and save lives, justice and public safety agencies rely on timely access to critical information, such as criminal histories, arrest warrants, stolen vehicles, and 911 call data. Providing this mission critical criminal justice information with five nines (99.999%) availability and protecting it according to the rigorous security requirements prescribed in the Criminal Justice Information Services Security Policy are top priorities for criminal justice agencies (CJA). Because of its rigorous security assessments, rapidly deployable security tools, and resilient infrastructure, many of these agencies turn to Amazon Web Services (AWS) and AWS Partners to help accomplish their mission.

Protecting criminal justice information in the cloud

The CJIS Security Policy (“the Policy”) outlines the “appropriate controls to protect the full lifecycle of criminal justice information (CJI), whether at rest or in transit,” irrespective of the underlying information technology model. The policy describes this position as architecture independence: “the data (information), services, and protection controls that apply regardless of the implementation architecture.” This independence allows the policy to be flexible to different architectural models including traditional hosting in on-premises data centers, colocation, or the use of scalable cloud services. It provides for “the replacement of one technology with another while ensuring the controls required to protect the information remain constant.”

At AWS, security and data privacy are top priorities. AWS provides building blocks that public safety agencies and their application partners can use to build highly available, resilient, and secure applications in alignment with the CJIS Security Policy. AWS customers maintain complete ownership and control over their data. Access to simple, powerful, cloud native tools allows them to manage the full life cycle of sensitive data. Customers exercise exclusive control over where data is stored and the methods used to secure data in transit and at rest. They manage access to their information systems built on AWS.

A look back at the AWS CJIS journey

As early as 2015, public safety customers started asking if could they host CJIS workloads on AWS while remaining compliant with the CJIS Security Policy. Due to the AWS support of multiple customer compliance programs with similar requirements to CJIS and the architecture independence included in the policy, there was little doubt that customers could leverage AWS Cloud services to meet or exceed the controls required by the policy. AWS also heard from law enforcement customers their desire for AWS to demonstrate that certain employees had been properly screened for access to CJI, regardless of the likelihood of, or complexity associated with, having even incidental access to unencrypted CJI. In response, AWS worked with state CJIS System Agencies (CSAs) to provide the necessary employee information for states to complete CJIS background checks.

AWS heard from customers, such as State CJIS Information Security Officers, that managing background check information and CJIS agreements was administratively and operationally challenging for them. Agencies wanted a way to achieve compliance with a higher level of security and less administrative burden. AWS began working directly with CJIS officials across the US to outline a new compliance model built on innovative technology platforms and provable security concepts. These services empowered AWS customers to build solutions that not only complied with the requirements of the CJIS security policy but did so in a way that eliminated all AWS personnel from the scope of additional time-consuming CJIS background checks. More importantly, this new model put security and data privacy at the forefront, making sure that CJAs controlled access to unencrypted CJI.

Innovation in virtualization technology

To increase performance and security for our customers, in 2012 AWS started down a path of reinventing our elastic compute technology to offload virtualization functions to dedicated hardware and software, resulting in less virtualization overhead, greater efficiencies, and notable security gains. We released the AWS Nitro System incrementally over a five-year period, with the last components released in 2017, which included an entirely reinvented hypervisor.

Among the security gains associated with the launch of the AWS Nitro System, the compute instances operate on a locked down security model designed to prohibit all interactive administrative access—including that of Amazon employees. This security model eliminates the possibility of human error and tampering commonly associated with traditional hypervisors, because we designed the AWS Nitro System without interactive administrative access or access to compute memory. The only interface for operators is a restricted API, making it impossible to access customer data or mutate the system in unapproved ways. The AWS Nitro System also uses purpose-built hardware and servers designed specifically to run a virtual compute hypervisor—nothing more—removing all extra and unnecessary ports, components, and capabilities found on traditional servers. In 2020, AWS took Nitro one step further with the introduction of AWS Nitro Enclaves. These isolated compute environments feature no persistent storage, no interactive access, and no external networking.

Innovation in encryption

The CJIS Security policy requires CJI transmitted or stored outside the boundary of a CJIS defined physically secure location to be encrypted both in-transit and at-rest using symmetric encryption methods. An important and often overlooked security function involves the proper and secure management of the encryption keys. In 2018, the AWS Key Management Service (AWS KMS) started using FIPS 140-2 validated hardware security modules, allowing customers to create, own, and manage their own symmetric master keys to encrypt data at scale. These customer master keys never leave the AWS KMS FIPS validated hardware security modules unencrypted and are not visible to AWS personnel. With this innovation in encryption technologies, customers or their trusted software application partners can be confident that their CJI stored, transmitted, and processed on AWS is consistently protected while at rest, in transit, or in process.

Innovation and CJIS compliance

With the security innovations introduced by the AWS Nitro System and the FIPS 140-2 validated hardware security modules provided by AWS KMS for symmetric encryption keys, AWS offers services designed so you can implement stringent least-privilege access controls that comply with the CJIS Security Policy. This allows customers and application providers to build solutions that eliminate all AWS employees from having physical and logical access to CJI and devices that store, process, and transmit CJI. These innovations also help preserve the critical “chain of custody for digital evidence in the cloud by removing cloud provider personnel from impacting the cloud digital evidence chain of custody.

“As the CJIS Systems Agency (CSA), the Washington State Patrol is responsible for ensuring Washington State criminal justice agencies meet or exceed the requirements of the CJIS Security Policy for the protection of criminal justice information (CJI) wherever it may reside. A large part of providing compliance falls on personnel clearances, which include state and national fingerprint-based background checks, CJIS Security Awareness training, and for vendor personnel, signed CJIS Security Addendums. Because of the security and access model employed by AWS, the ability for non-CJA personnel to have unescorted access to unencrypted CJI is eliminated, and thus, so is the need for personnel determinations, making auditing and compliance in this area far simpler,” said Kevin Baird, CJIS information security officer, Washington State Patrol.

AWS’s innovative features and security controls can help customers achieve CJIS compliance in a simplified way. Criminal justice agencies can now move beyond an outdated model that relies on arbitrary vetting of personnel with no method to accurately validate access to one that employs technical controls to validate in real-time who can access their most sensitive data and when.