The latest version of the FBI's Criminal Justice Information Systems (CJIS) Security Policy document puts severe constraints on VoIP and cloud Implementations for organizations that require access to CJIS databases. As reviewed in the document, maintaining compliance can double the price of cloud and VoIP systems for these law enforcement agencies.
The CJIS Security Policy for cloud and VoIP services impacts U.S. public safety organizations -- for example, police departments require vendors who have certified solutions. The policies controlling VoIP and cloud implementations do represent a deep understanding of the associated advantages and risks. That is great, except that these policies also often become hard constraints on deployment options and vendor choices for the organizations that they govern, such as police departments. In this post, I'll provide insight into design drivers, solutions, and vendors around this issue.
CJIS Background
Criminal Justice Information Systems (CJIS) databases hold the information that authorized users need to operate under tight security. New technologies and services that offer operational improvement and cost savings such as cloud and VoIP need be incorporated into existing compliance frameworks. This compliance is state by state, department by department, and supplier by supplier.
These are the databases that fall under CJIS: arrest reports, fingerprint data, criminal background checks, license plate numbers, stolen property reports, protective orders, foreign identity information, sentencing and parole reports, and body worn camera video
These are the organizations and companies that have access to some or all those databases: U.S. Federal agencies dealing with CJI; state, county, and city police departments; departments of public safety, departments of corrections, offices of attorney generals, offices of public defender, offices of the U.S. courts, offices of county sheriffs, and government contractors.
To be clear, within public safety organizations the entire IT infrastructure as well as almost every employee fall under CJIS IT policy. Or, in the case of other organizations such as government contractors, whose HR department may need CJIS database infrastructure to vet job candidates, only a few terminals and the employees who have access to them may fall under those guidelines.
CJIS data needs to be isolated, and the physical security of LAN equipment as well as end points are crucial to ensuring that isolation. As an example, LAN rack access is protected with locked equipment cabinets that are accessible only by CJIS certified technicians.
VoIP and Cloud Implementations
The most recent release of the document, found here, provides extensive guidance for both VoIP and cloud implementations.
Because of the integration of voice and data in a single network, establishing a secure VoIP and data network is a complex process requiring greater effort than that required for data-only networks. Start with the general guidelines found in appendix G.2, recognizing that practical considerations such as cost or legal requirements, may necessitate adjustments for a particular organization:
- Develop appropriate network architecture
- Ensure your organization has examined and can acceptably manage and mitigate the risks to its information, system operations, and continuity of essential operations when deploying VoIP systems
- Special consideration should be given to E-911 emergency services communications because E-911 automatic location service is not available with VoIP in some cases
- Agencies should be aware that physical controls are especially important in a VoIP environment and deploy them accordingly
- VoIP-ready firewalls and other appropriate protection mechanisms should be employed, and agencies must enable, use, and routinely test the security features that are included in VoIP systems
- If practical, "softphone" systems, which implement VoIP using an ordinary PC with a headset and special software, should not be used where security or privacy are a concern
- If mobile units are to be integrated with the VoIP system, use products implementing Wi-Fi Protected Access (WPA), rather than 802.11 Wired Equivalent Privacy (WEP)
- Carefully review statutory requirements regarding privacy and record retention with competent legal advisors
Ultimately, the move to cloud computing is a business decision in which the following relevant factors are given proper consideration (see also appendix G.3):
- Readiness of existing applications for cloud deployment
- Transition costs
- Life-cycle costs
- Maturity of service orientation in existing infrastructure
- Security and privacy requirements (federal, state, and local)
As you can see, when undergoing a VoIP or cloud implementation, organizations that have CJIS compliant data networks need careful coordination with IT departments, the CJIS coordinator, and providers of the CJIS-compliant hardware and services to develop strategies for implementation and operation. This activity should begin during the high-level requirements development phase and continue to be discussed during the design phase so that by the time procurement begins, the detailed requirements for the potential vendors are clear. Depending on the approach, CJIS constraints and requirements in an RFP can preclude some major vendors from participating.
One of our recent clients, a police department whose IT department wanted the simplest approach, required the installation of a separate system. In the end that required physically separate LAN (cabling, electronics, racks) and WAN. This increased the complexity of the solution and the procurement, plus the cost was doubled. Prior to creating a design and certainly before creating an RFP, verify that solutions that meet your needs exist in the market landscape.
I have also heard of a situation in which the IT department of large city government, after reviewing the procurement plan, announced it wanted a completely separate LAN. This could have driven by concern of any IT department about taking on a major new service, but also by the added burden of expanding CJIS controls. If you build a separate VoIP network, you can keep it outside of CJIS controls.
Some CJIS Compliant Solutions
Microsoft, AWS and Mitel are examples of companies that have compliant solutions. Last fall while I was researching the availability of CJIS-compliant solutions, Microsoft announced that Azure would be compliant with CJIS in all 50 states; it is compliant in 30 states as of July 2017. AWS also indicates it is compliant on its website and offers a CJIS workbook for download. Mitel stated in an RFP that it could deliver a Mitel CJIS-compliant solution. Depending on the customer, however, FedRAMP could also come into play.
In Conclusion
CJIS Security Policy implementation does not create much excitement, nor does it seem well understood in the consultant community and much of the vendor community. However, its requirements impact the design and implementation of systems, whether all players are aware of that or not.
The policy document is worth reviewing, because in large part, it contains excellent guidelines for any VoIP and cloud migration/implementation.
"SCTC Perspectives" is written by members of the Society of Communications Technology Consultants, an international organization of independent information and communications technology professionals serving clients in all business sectors and government worldwide.