Microsoft helping agencies prepare for regulatory revisions
As part of Microsoft's commitment to meet the applicable requirements of the Criminal Justice Information Services (CJIS) Security Policy, it is critical to prepare in advance for future requirements as well. With law enforcement deploying innovative solutions for camera technology, biometrics, jail/court/offender management, investigation and evidence solutions with cloud solutions, the CJIS Security and Access (S&A) subcommittee shared important information at the recent CJIS Advisory Policy Board (ABP) meeting.
CJIS Audits in 2016
Mr. Brad Truitt, is the new S&A Chairman. He shared valuable information at the June 2017 APB. Starting with an interesting report from the CJIS Audit Group about the technical audits conducted during the last year, there were 213 total audits done on Criminal Justice Agencies (CJA) and an additional 64 audits completed on Non-Criminal Justice Agencies (NCJA). Results indicated event logging and encryption were the top two issues resulting in findings on the CJA side with Contracted Non-Criminal Justice (NCJ) functions and encryption as the top two noncompliance issues on the NCJA side.
Data Location for CJI
The S&A subcommittee also has a Mobile Task Force and Cloud Task Force. The Cloud Task Force submitted two issues for APB consideration. The first issue concerns preventing the storage of Criminal Justice Information (CJI) in Cloud Computing facilities located outside the United States or its territories. The five CJIS Working Groups suggested the issue have verbiage added that considered existing treaties and exchange agreements and the APB sent it back for further review and changes.
I asked Alan Ferretti, CJIS Security Analyst at Diverse Computing and former Texas CJIS Information Security Officer, to comment on this issue. Alan said, "I find it hard to understand why the Law Enforcement Community would allow CJI to be placed somewhere where United State law was not enforceable. From an agency perspective, would a Law Enforcement Agency have the resources to address getting its data returned in a foreign court system? Companies can be in business one day and disappear the next. Unless the treaties and exchange agreement specifically address CJI, I would be very hesitant to allow CJI storage anywhere that U.S. Law was not enforceable."
Microsoft has always considered U.S. data location a priority and commitment for our government customers. Microsoft Government Cloud services, including Office 365 for Government, Azure Government and Dynamics CRM Online for Governments, ensures all customer data at rest is stored within the borders of the United States and is always available to the owning agency at any time. This is a contractual commitment in the Microsoft Online Terms and Agreement.
Use of Metadata
The other Cloud issue addressed by the APB concerned the collection and use of metadata by Cloud Service providers. The current policy statement was removed and replaced with one that prevents metadata from being used for advertising or any other commercial purpose. It permits the use of metadata if the intended use is detailed in the service agreement between the Cloud Provider and the agency.
I asked Alan to share his thoughts on this as well. He stated, "This is a good change and clears up a lot of confusion for both Cloud Providers and agencies regarding metadata usage. This was in fact the original intent of the metadata statement in the Policy, but the new verbiage is more specific and to the point. This is where I must say that Microsoft Cloud services has assured this was being followed from the beginning of storing Law Enforcement data in its Government Cloud. The Security of the data is of primary concern for Microsoft.
Released of CJIS Security Policy v5.6
Mr. George White, the FBI CJIS ISO, then gave an update following the S&A report. He announced in the latest version of the Policy, version 5.6, had just been released and is now available. He also announced that there will be a one day Information Security Officer (ISO) training Symposium in Alexandria VA, during the August Working Group meetings.
This was another informational Advisory Policy Board meeting (despite the fire alarm sounding during the S&A presentation - false alarm). Significant useful information was distributed and the issues facing both the agencies and the vendors that support them continue to be addressed.
As you know, Microsoft considers compliance a commitment and not a checkbox. A critical aspect of that commitment means we will continually work with regulators and agencies to understand current and upcoming regulatory requirements so law enforcement can meet their compliance obligations today and in the future.
Alan Ferretti is a CJIS Security Analyst and Subject Matter Expert of the CJIS ACE Division at Diverse Computing (www.diversecomputing.com ). He retired as the CJIS ISO for the State of Texas after 13 years of service. He was also the Chairman of the APB CJIS Security and Access Subcommittee. (the group that originates and vets changes to the CJIS Security Policy). Contact Alan directly at email@example.com or (850) 656-3333 ext.293.
We welcome your comments and suggestions to help us continually improve your Azure Government experience. To stay up to date on all things Azure Government, be sure to subscribe to our RSS feed and to receive emails, click "Subscribe by Email!" on the Azure Government Blog. To experience the power of Azure Government for your organization, sign up for an Azure Government Trial.