FBI declares cloud vendors must meet CJIS security rules
Officials acknowledge difficulties facing large cloud vendors like Google, but contends that requirements are met by some firms
Computerworld - The FBI Tuesday reaffirmed its rule that all cloud products sold to to U.S. law enforcement agencies must comply with the FBI's Criminal Justice Information Systems (CJIS) security requirements.
While the nation's top law enforcement agency concedes that some vendors may have a tough time meeting those requirements, it insisted that there would be no compromising on security.
"The FBI remains committed to using technology in its information-sharing processes, but not at the sacrifice of the security of the information with which it has been entrusted," Stephen Fischer Jr., a spokesman for the FBI's CJIS division said today in an email to Computerworld.
Fischer's comments come less than two months after the Los Angeles Police Department canceled a planned migration to Google Apps because it said the cloud service was not compliant with CJIS security requirements.
At the time, two city officials noted that U.S. Department of Justice requirements for the CJIS are not currently compatible with cloud computing.
Google has also maintained that CJIS requirements are incompatible with cloud computing and therefore present a unique challenge to any cloud vendor.
The CJIS database, maintained by the FBI, is one of the world's largest repositories of criminal history records and fingerprints.
The records are available to law enforcement agencies and contractors around the country that comply with the security rules, which include requirements that all data, both in transit and at rest, be encrypted and that anyone who accesses the database pass FBI background checks.
Fischer today maintained that the CJIS security requirements are compatible with cloud computing.
"The CJIS Security Policy is a cloud-compatible policy," that was fully vetted and approved by local, state, tribal and federal law enforcement agencies in the U.S. and Canada, he said, while acknowledging that "the requirements may be tough for some vendors to meet."
One of the more challenging requirements requires cloud service providers to identify all system, database, security and network administrators who have access to criminal justice information, he said.
Similarly, cloud vendors will likely find it difficult to require fingerprint criminal background checks on all administrators with access to the criminal justice information. Fischer said.
Analysts have previously noted such rules would be particularly difficult for cloud vendors like Google that maintain staffed data centers outside the U.S.
Fischer noted as much today. "Admittedly, these requirements may be difficult for some cloud-computing vendors due to the sheer numbers and the geographic disbursement of their personnel," he said.
"However," he added, "these requirements aren't new to vendors serving the criminal justice community and many vendors have successfully met these requirements for years."
Jeff Gould, CEO of IT consulting firm Peerstone Research, said that the requirements are likely most challenging to large cloud providers with roots in the business of providing hosted services to consumers.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Oracle Fusion Financials Cloud Service Modern organizations are under intense pressure to provide accurate, reliable, and speedy financial information to business decision-makers. Furthermore, complying with global standards has...
- Cloud for Business Managers in Midsize Organizations: The Good, the Bad & the Ugly Read this independent research report to learn how business managers around the world are using Cloud applications.
- Cloud Computing eGuide In this eGuide, CIO, Computerworld, and InfoWorld offer advice, tips, news, and predictions regarding cloud implementations in the coming year and beyond. Read...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Cloud Computing White Papers | Webcasts