FBI says CJIS security rules are cloud-friendly. But can the vendors deliver?
Last week the FBI brought much needed clarity to the question of whether its network security rules prevent law enforcement agencies from adopting cloud computing. The answer, the FBI says, is a resounding “no”. Before looking at the details, let’s take a step back and see how the issue emerged in the first place.
When the City of Los Angeles last year abruptly cancelled the deployment of a leading cloud email solution (Google Apps) in the city’s police department, city officials gave an explanation that openly cast doubt on the viability of any cloud technology in a law enforcement context. The problem, they said, was that the FBI’s security rules for accessing its national criminal history database (the Criminal Justice Information System, or CJIS) were “currently incompatible with cloud computing”. But a police department that fails to comply with these rules risks having its CJIS access rights revoked by the FBI. And a police department that can’t access the Bureau’s vast online storehouse of criminal records and fingerprint files is a police department that is effectively out of business. As a result, Los Angeles concluded that LAPD couldn’t migrate to the Google Apps suite that the rest of the city had been using successfully for over a year.
The message from Los Angeles was clear: don’t blame us if LAPD can’t move to the cloud, blame the FBI’s outdated requirements. Los Angeles CTO Randi Levin spelled things out in media interviews:
“The real issue here is the fact that the policies related to a lot of different areas in the government are not matching the technologies that are coming out. That is the core issue: The criminal justice requirements were never written with cloud computing in mind.”
Google itself issued a press release which repeated the claim that the FBI’s rules are “incompatible” with cloud computing.
But is this really true? In a statement recently released in response to a SafeGov query, the FBI offers a carefully reasoned demonstration that, contrary to the Los Angeles position, law enforcement agencies can indeed “cloud compute”, provided that their vendors are prepared to meet the Bureau’s requirements, which it characterizes as “tough” but necessary. The justification for tough rules is simple: Federal law protects the confidentiality of criminal history information. Therefore, law enforcement agencies that access the FBI’s national database (and the separate databases maintained by each state) must handle that information with great care. IT systems that store and transmit it must be secure, and the people who are allowed access to those systems must be carefully vetted.
This requirement applies not just to the primary IT systems which access the CJIS database directly, but also to any other systems used to disseminate the information. For example, if police officers use their department’s email system to discuss the contents of CJIS records, then that system must meet the same FBI security requirements as the CJIS terminals used to retrieve the records in the first place.
Several cloud vendors suggested to us off the record that police departments would have an easier time meeting CJIS requirements if they avoided using email to discuss or circulate criminal history information. While such electronic abstinence might be feasible for a small department whose members are in frequent face-to-face contact, it seems impractical for a huge agency such as LAPD with thousands of employees spread out over a vast geographical territory. Sources in LAPD confirm this view. The better approach is to push the responsibility for making cloud email CJIS-compliant back to the vendors.
But what exactly does a cloud vendor have to do to meet CJIS requirements? The current version of the CJIS Security Policy is a 127 page document bristling with technical discussions and is not an easy read. Los Angeles and Google have remained coy about exactly what part of the requirements Google Apps failed to meet for LAPD. But last week’s FBI statement spells out two key areas where it thinks cloud vendors may have trouble:
First, cloud vendors must identify all system/database/security/network administrators on their staff “who have the capability to access and recompile criminal justice information”, and these employees must pass fingerprint-based criminal background checks (in effect, if you want to administer a CJIS-related system, you better not be in CJIS yourself).
Second, remote maintenance on systems containing CJIS information cannot be performed “from locations outside the United States”.
Reports released by LAPD and the Gartner Group suggest that Google is out of compliance on both issues. Now in all fairness, let’s admit that these requirements set the bar rather high for CJIS compliance. It should be no cause for shame that Google’s flagship Gmail product – originally conceived as a free consumer service financed by ads linked to keywords in user messages – does not have these very “enterprisey” features built in. And it’s important to understand that Google is not the only cloud email vendor struggling to meet the CJIS requirements. Los Angeles CTO Levin has indicated that Microsoft’s Office 365 cloud suite doesn’t meet them either.
Like Google, Microsoft has not disclosed exactly where its product falls short. However, the firm’s marketing collateral reveals that the baseline version of Office 365 doesn’t offer at rest encryption of messages, a CJIS requirement. Whether it subjects its data center employees to FBI background checks or (like Google) has remote support staff based in Europe is unknown. Microsoft partners point out that law enforcement customers can meet CJIS requirements by deploying private cloud versions of its Exchange email server, which has a richer feature set than Office 365. That’s an interesting point, and some government users – most recently the State of Florida – have done exactly that. But many other government customers, like Los Angeles, are looking at cloud above all as a way to save money, and sophisticated private cloud solutions are likely to cost more than off-the-shelf shared tenant solutions. What governments need are solutions that combine the low cost of shared tenant clouds with the robust security features of traditional on premises systems.
But are CJIS-compatible shared cloud applications really feasible? The FBI insists that they are. The “CJIS Security Policy”, it says, “is a cloud-compatible policy”. That is a pretty unambiguous statement. The FBI doesn’t cite any examples of CJIS friendly cloud vendors, but a little research shows that they do exist.
For example, North Carolina-based InterAct Public Safety offers a web-based Records Management System for law enforcement agencies that is hosted in a CJIS-compliant data center located in the continental U.S. An InterAct executive told us that the firm selected a data center provider (Michigan-based Secure-24) where all personnel with physical or logical access to data must pass FBI background and fingerprint checks. He acknowledged that the FBI’s CJIS rules are complex and sometimes unclear, but he added that the latest version of the Bureau’s policy document has been expressly designed to make compliance easier for cloud vendors, not more difficult. He expressed some dismay at the confusion surrounding the Google Los Angeles story, observing that it might “make some customers gun-shy”. But he also noted a surge of interest among law enforcement agencies for cloud solutions, stating that these solutions are “really crossing the chasm now” and becoming “part of the mainstream”.
Of course, a police records management system, even one with a Software as a Service (SaaS) architecture, is a more vertically focused application than the email and collaboration suites mentioned above. The key question is thus straightforward: can these more horizontal applications, which began life as consumer or small business email solutions, evolve the right enterprise features to meet the more demanding needs of law enforcement agencies without compromising the significant cost advantages they gain from shared cloud infrastructure? Can Google uncouple its consumer-oriented Gmail from its advertising foundations and transform it into a true enterprise-class email system? That will be difficult and expensive, but it may not be impossible, if Google management is truly committed to this product. Will Microsoft roll out a version of shared tenant Office 365 with the full enterprise feature set of hosted Exchange? That is certainly feasible, but will depend on Microsoft’s assessment of market demand for enterprise cloud solutions. What is certain is that these are the kinds of solutions government customers want, and – we can now state with confidence – the FBI’s new CJIS policy can accommodate them. The ball is in the vendors’ camp. Let’s see if they can deliver.