Cloud Vendors Should No Longer Manage Encryption Keys
In October 2022, CJIS updated its security policy to add more specificity to requirements for encrypting criminal justice information in a cloud environment. CJIS Security Policy version 5.9.1 updated guidance for encrypting data in transit, at rest and in use, tasking state and local law enforcement and criminal justice agencies with sole administration of encryption keys.
Prior to this update, many agencies relied on vendors to issue, manage or access encryption keys. However, the new CJIS Security Policy forbids doing so, requiring agencies to establish independent encryption. As the FBI no longer wants vendors maintaining access to encryption keys, agencies must establish encryption for data transmission or storage in the cloud and must do so at a level consistent with or better than Federal Information Processing Standard 140-2.
As Amazon Web Services notes in a blog post describing the impact of this update, “The modernized policy provides a clear path for agencies and their solution providers to eliminate access by cloud provider personnel to critical CJI stored on the cloud by controlling encryption keys in a secure compute environment. This is paramount to being able to successfully defend chain of custody claims and remove the risk of credentials compromise.”
AWS facilitates the creation of “locked down” keys that are inaccessible to Amazon employees. Microsoft similarly helps agencies meet the CJIS security requirements by giving them “sole control over encryption keys when encrypting CJI in transit, at rest and in use.” Google Cloud also offers solutions that fulfill the requirements.
Law Enforcement Must Use MFA to Access Information Anywhere
In December 2022, CJIS again updated the security policy, to version 5.9.2, revising guidance as to when state and local law enforcement agencies must employ multifactor authentication when accessing criminal justice information. Agencies using cloud services to transmit, store or process criminal justice information must expand their use of multifactor authentication.
Prior to this update, state and local law enforcement personnel accessing cloud data in their headquarters buildings or in their patrol cars did not have to use multifactor authentication to secure access. Both the patrol car and the police department or sheriff’s office were treated as secure facilities.
Officers accessing criminal justice information in the office or in patrol cars did not necessarily have to use multifactor authentication, but they had to do so if they were using a laptop or mobile device outside of those environments. So, should an officer stop at city hall or a coffee shop with a laptop, he or she was then required to use multifactor authentication to access that data.
Now, however, CJIS requires law enforcement personnel to use multifactor authentication at every location, including headquarters and patrol cars.
Law enforcement and criminal justice agencies have until Oct. 1 to comply with the updated guidance.