[kictanet] FBI declares cloud vendors must meet CJIS security rules

[S.M. Muraya]

There are somethings foreign vendors cannot just do for us.

They can build the infrastructure hardware and software, but our local
firms provide the customized (customer fitting) services.

Trust our security services are not outsourced to foreign governments.

:)

http://www.itnews.com/cloud-computing/41891/fbi-declares-cloud-vendors-must-meet-cjis-security-rules
*
FBI declares cloud vendors must meet CJIS security rules*

Feb 07, 2012 03:54 pm | Computerworld

Officials acknowledge difficulties facing large cloud vendors like Google,
but contends that requirements are met by some firms
*by Jaikumar Vijayan*

The FBI Tuesday reaffirmed its rule that all cloud products sold to to U.S.
law enforcement agencies must comply with the FBI's Criminal Justice
Information Systems (CJIS) security requirements.

While the nation's top law enforcement agency concedes that some vendors
may have a tough time meeting those requirements, it insisted that there
would be no compromising on security.

"The FBI remains committed to using technology in its information-sharing
processes, but not at the sacrifice of the security of the information with
which it has been entrusted," Stephen Fischer Jr., a spokesman for the
FBI's CJIS division said today in an email to Computerworld.

Fischer's comments come less than two months after the Los Angeles Police
Department canceled<http://www.computerworld.com/s/article/9222932/Plans_to_migrate_LAPD_to_Google_s_cloud_apps_dropped>a
planned migration
to Google Apps<http://www.computerworld.com/s/article/9140038/Google_Apps_scores_in_L.A._with_assist_from_Microsoft>because
it said the cloud service was not compliant with CJIS security
requirements.

At the time, two city officials noted that U.S. Department of Justice
requirements for the CJIS are not currently compatible with cloud computing.

Google has also maintained that CJIS requirements are incompatible with
cloud computing and therefore present a unique challenge to any cloud
vendor.

The CJIS database, maintained by the FBI, is one of the world's largest
repositories of criminal history records and fingerprints.

The records are available to law enforcement agencies and contractors
around the country that comply with the security rules, which include
requirements that all data, both in transit and at rest, be encrypted and
that anyone who accesses the database pass FBI background checks.

Fischer today maintained that the CJIS security requirements are compatible
with cloud computing.

"The CJIS Security Policy is a cloud-compatible policy," that was fully
vetted and approved by local, state, tribal and federal law enforcement
agencies in the U.S. and Canada, he said, while acknowledging that "the
requirements may be tough for some vendors to meet."

One of the more challenging requirements requires cloud service providers
to identify all system, database, security and network administrators who
have access to criminal justice information, he said.

Similarly, cloud vendors will likely find it difficult to require
fingerprint criminal background checks on all administrators with access to
the criminal justice information. Fischer said.

Analysts have previously noted that large cloud vendors like Google that
maintain staffed data centers outside the U.S.

Fischer noted as much today. "Admittedly, these requirements may be
difficult for some cloud-computing vendors due to the sheer numbers and the
geographic disbursement of their personnel," he said.

"However," he added, "these requirements aren't new to vendors serving the
criminal justice community and many vendors have successfully met these
requirements for years."

Jeff Gould, CEO of IT consulting firm Peerstone Research, said that the
requirements are likely most challenging to large cloud providers with
roots in the business of providing hosted services to consumers.

http://www.itnews.com/cloud-computing/41891/fbi-declares-cloud-vendors-must-meet-cjis-security-rules?page=0,1

Several small, specialty providers, today offer cloud services that are
compliant with CJIS requirements, said Gould, a co-founder of
Safegov.org<http://safegov.org/>, which promotes best practices for
deploying cloud-based systems in
government entities.

Gould cited InterAct Public Safety, Datamaxx, and Vertical Computer
Services as cloud companies that use secure data centers staffed by people
who have undergone the requisite FBI background checks.

Services from such firms may be more expensive than the offerings from
large vendors like Google, but these firms have invested the needed funds
to meet the FBI's security requirements, he said.

He added that the FBI has tweaked CJIS requirements to make it easier for
cloud vendors to comply.

"The old requirements were written before cloud computing took off," Gould
said. "CJIS 5.0 goes out of its way to make room for cloud vendors."

Jaikumar Vijayan covers data security and privacy issues, financial
services security and e-voting for Computerworld. Follow Jaikumar on
Twitter at @jaivijayan <http://twitter.com/jaivijayan> , or subscribe
to Jaikumar's
RSS feed <http://www.computerworld.com/s/feed/keyword/Jaikumar+Vijayan> .
His e-mail address is jvijayan at computerworld.com .
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20120309/fcacbdb5/attachment.htm>