Law Enforcement Information Confidentiality and Integrity on Microsoft Azure Government
A revolution in miniaturization, battery technology, sensors and sophisticated software is fundamentally changing law enforcement. Vast amounts of information enable the reconstruction of a crime scene millisecond-by-millisecond. Data from hundreds of sources can now be correlated, often many miles from the actual scene. This transformation has brought with it a new challenge of data confidentiality and integrity at hyper scale. Not only is the data vast, it’s uncorrelated and located in many different data repositories. This means it’s often not immediately clear what data is relevant to a criminal case. It may be weeks, even months, into the investigation before a piece of electronic information is found material to a case. Nevertheless, law enforcement and district attorney offices must still demonstrate that they’ve maintained the required management of this information. This means ensuring the chain of custody and proving that only authorized individuals had access and that the information hasn’t been tampered with.
The challenge for law enforcement officials, then, is to prove that they have created a court-ready “evidence room” for electronic information. The Cloud can enable this by providing strong, consistent security for the underlying infrastructure, and can do so at hyper scale. Security, however, must be based on one or more widely recognized standards. There is indeed an available standard that is already adopted by law enforcement. This is the FBI’s Criminal Justice Information Services (CJIS) Security Policy. While it directly pertains only to the sharing of specific types of law enforcement information, its security requirements are derived from a national standard that applies broadly to the protection of any sensitive data or information system. This is the National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. This is the same standard that is the foundation for the security accreditation of most U.S. Government information systems and has recently been adopted by the U.S. Department of Defense for its unclassified cloud-based systems.
Microsoft Azure Government thus made an early commitment to CJIS. This was both to enable customers to meet the specific requirement for CJI information protection and sharing and to demonstrate a broader commitment to law enforcement data confidentiality and integrity. The Microsoft Azure Government commitment has several components.
- The first is implementing the CJIS technical security requirements. Version 5.3 dated 8/4/2015 is the current policy. There are approximately 500 individual controls (i.e., requirements). These include access control, identity management, incident response, physical security, media control, mobile communications, systems and information protection/integrity, auditing/accountability, security awareness training and formal audits. Most of these requirements are based on NIST 800-53. This means they inherit the considerable experience and research conducted by NIST and other Federal Agencies, including rigorous testing criteria documented in NIST SP 800-53A and independent validation by qualified third-party auditors. The advantage for Microsoft Azure Government is that the U.S. Government Cloud security accreditation program, the Federal Risk and Authorization Management Program (FedRAMP), is based on this standard. We can utilize our FedRAMP assurance work to directly implement and validate meeting these CJIS requirements for our internal system security.
- Microsoft provides formal assurance. We do so by entering into formal agreements with State authorities. Among the specific commitments in these agreements are:
  - Complying with all applicable requirements of the CJIS Policy.
  - Signing the same FBI Security Addendum that state officials and individuals who have access to criminal justice information must sign.
  - Submitting key privileged Azure Government administrators to fingerprint-based background screening.
  - Security awareness training and incident reporting requirements tailored to CJI.
- Continuous monitoring is a key element of information confidentiality and integrity. Because the CJIS Security Policy is based on NIST 800-53, it inherits an already well-defined monitoring structure. Operating system, database and Web scanning are routinely conducted. These check patch levels and baselines against prescribed security settings. They require regular review of controls by independent, formally qualified assessors. External and internal penetration testing are mandatory.
Recent events involving video recording of police activity are indicative of the new and uncertain regulatory environments and social norms governing digital information management. The Cloud brings unique capabilities during this period of large and frequent change. Microsoft Azure Government is designed to enable the rapid deployment of new storage and application environments. It brings consistent security to the physical infrastructure and other functions needed by these environments. Equally important, its CJIS security foundation is based on a standard already widely adopted by law enforcement. This standard also has a formal, joint State-Federal update process to adapt to the changing demands on criminal justice information security management.
Manager – Azure Government Engineering/ISSO