Aug 14 2023

FBI Updates Cloud Security Guidance for State and Local Law Enforcement

The security policy revisions by Criminal Justice Information Services specify new requirements for encryption and multifactor authentication.

The Criminal Justice Information Services Division of the FBI provides security guidance to federal, state and local law enforcement agencies accessing criminal justice information currently or previously managed by the bureau.

The FBI continues to invest in cloud computing and to move workloads to the cloud, so late last year CJIS updated the CJIS Security Policy to enhance security measures for state, local and other agencies accessing federal criminal justice information such as fingerprints, arrest records and more.

In an update notated as version 5.9.1, CJIS enacted a significant change to previous security policies, tightening rules around the encryption of data in transit to or at rest in the cloud. In an update that closely followed, notated as version 5.9.2, CJIS expanded the requirements for using multifactor authentication to access criminal justice information.

Cloud Vendors Should No Longer Manage Encryption Keys

In October 2022, CJIS updated its security policy to add more specificity to requirements for encrypting criminal justice information in a cloud environment. CJIS Security Policy version 5.9.1 updated guidance for encrypting data in transit, at rest and in use, tasking state and local law enforcement and criminal justice agencies with sole administration of encryption keys.

Prior to this update, many agencies relied on vendors to issue, manage or access encryption keys. However, the new CJIS Security Policy forbids doing so, requiring agencies to establish independent encryption. As the FBI no longer wants vendors maintaining access to encryption keys, agencies must establish encryption for data transmission or storage in the cloud and must do so at a level consistent with or better than Federal Information Processing Standard 140-2.

As Amazon Web Services notes in a blog post describing the impact of this update, “The modernized policy provides a clear path for agencies and their solution providers to eliminate access by cloud provider personnel to critical CJI stored on the cloud by controlling encryption keys in a secure compute environment. This is paramount to being able to successfully defend chain of custody claims and remove the risk of credentials compromise.”

AWS facilitates the creation of “locked down” keys that are inaccessible by Amazon employees. Microsoft similarly helps agencies meet the CJIS security requirements through their “sole control over encryption keys when encrypting CJI in transit, at rest and in use.” Google Cloud also offers solutions that fulfill the requirements.

Law Enforcement Must Use MFA to Access Information Anywhere

In December 2022, CJIS again updated the security policy, to version 5.9.2, revising guidance as to when state and local law enforcement agencies must employ multifactor authentication when accessing criminal justice information. Agencies using cloud services to transmit, store or process criminal justice information must expand their use of multifactor authentication.

Prior to this update, state and local law enforcement personnel accessing cloud data in their headquarters buildings or in their patrol cars did not have to use multifactor authentication to secure access. The patrol car was thought of as a secure facility, and the police department or sheriff’s office was likewise considered a secure facility. 

Officers accessing criminal justice information in the office or in patrol cars did not necessarily have to use multifactor authentication, but they had to do so if they were using a laptop or mobile device outside of those environments. So, should an officer stop at city hall or a coffee shop with a laptop, he or she was then required to use multifactor authentication to access that data.

Now, however, CJIS requires law enforcement personnel to use multifactor authentication at every location, including headquarters and patrol cars. 

Law enforcement and criminal justice agencies have until Oct. 1 to comply with the updated guidance.

This article is part of StateTech’s CITizen blog series.

