CJIS Compliance Through Secure File Sharing for Mobile, Cloud-based IT

New mobile and cloud technologies present law enforcement with new opportunities to capture and communicate Criminal Justice Information (CJI), potentially speeding investigations, building better cases, and demonstrating CJIS compliance. By employing these technologies, investigators working on a case can quickly and securely share reports, photographs, eyewitness statements, and other information with one another, from the office or in the field.

But these technologies also create risks. Data breaches can put investigations in jeopardy and compromise public safety. And some new CJI technologies can also be difficult to use, impeding workflows. Law enforcement shouldn’t be tasked with time-consuming technical work or extra documentation to demonstrate chain of custody. Secure file sharing therefore needs to be fast and intuitive, so law enforcement professionals can focus on their jobs rather than manage technology.

The FBI’s CJIS Security Policy

Drafted by the FBI, the Criminal Justice Information System (CJIS) Security Policy recognizes the need for law enforcement agencies to protect CJI from tampering, which includes data leaks. Protecting CJI and ensuring chain of custody are the roots of CJIS compliance. In the words of the FBI, the purpose of CJIS is:

…to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. This Policy applies to every individual—contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity—with access to, or who operate in support of, criminal justice services and information.

To demonstrate CJIS compliance, today’s law enforcement agencies must:

  • Make CJI securely available to authorized users, including users in different agencies and users working remotely. While mobile devices provide users the ability to access information and capture photos and videos, law enforcement needs a solution that enables CJI to be exchanged efficiently from the field while meeting strict data security and compliance requirements for secure mobile file sharing.
  • Ensure that data security and data governance best practices are followed in any scenario. The latest cloud and mobile technologies can improve data access and productivity, but they must do so without creating new challenges for data security and data governance. This can be a challenge when CJI is shared between agencies on different systems, or on mobile devices in the field.
  • Enforce the CJIS Security Policy consistently, across all internal platforms and cloud services in use. This is all the more challenging as data is distributed across a variety of Enterprise Content Management (ECM) platforms and file storage services, such as Microsoft SharePoint, Windows File Shares, Google Drive, Microsoft OneDrive, Box, Dropbox, and other content sources. Secure mobile file sharing and other security features should be available to all authorized users, regardless of which ECM platform or file storage service they’re using.

The Accellion Secure File Sharing Solution for CJIS Compliance

The Accellion secure file sharing platform is an enterprise-class, CJIS-compliant solution that enables the secure and efficient exchange of sensitive information with external parties.

Accellion leverages a law enforcement agency’s existing investments in ECM and email platforms with a content access and security layer that supports authoring, collaboration, workflow, and secure file sharing, and implements data governance including enterprise search for all content under management. Whether you choose an on-premise, private/hybrid cloud, or FedRAMP deployment, you maintain full control of your content, including sole ownership of your encryption keys. In addition, all content is audited, and can optionally be held to collect information for use in industry-standard eDiscovery tools.

With Accellion, law enforcement professionals can securely capture and transfer CJI with their mobile phones. For example, photos are secured and automatically uploaded to the Accellion server, bypassing the phone’s camera roll entirely. With no evidence available on the device, the risk of data leaks is eliminated; however, a complete audit trail of the chain of custody is preserved, aiding with CJIS compliance.

Similarly, law enforcement professionals can remotely access, view, edit and share content stored in on-premise and cloud repositories without having to download any files onto their phones. Because no CJI is stored on the phone, a lost, stolen, or hacked phone doesn’t present any security issues. Lastly, staff can collect, organize and share content with other departments, jurisdictions and attorneys general through web, office and email tools, again without leaks and with a full audit trail.

Government and law enforcement agencies such as the City of Pleasanton, Abbotsford Police Department, South Carolina Attorney General’s Office, Texas Juvenile Justice Department, the County of Sacramento and others rely on Accellion to ensure maximum information security and demonstrate CJIS compliance when sharing CJI and other sensitive information from any location, using any device. Strong security controls and the industry’s broadest deployment options enable organizations to ensure CJIS compliance through the protection of CJI and other sensitive information. In addition, comprehensive management and control over all information sharing activities allow for the highest levels of data security and compliance.

The Accellion platform demonstrates CJIS compliance in all applicable policy areas, including:

  • Policy Area 4: Auditing and Accountability – Full auditing and accountability through reports accessible through Admin dashboards, as well as through Syslog and SNMP. Administrators can comply with legal requests to preserve and collect all relevant files and metadata, and set content retention policies to meet CJIS compliance requirements.
  • Policy Area 5: Access Control – Access Control through LDAP, SSO, 2FA, and local databases for external user authentication. The Accellion platform also provides granular permissions for individual folders for collaboration.
  • Policy Area 6: Identification and Authentication – Authentication through LDAP, SSO, and 2FA. Whatever combination of these best-practice authentication measures is applied helps with CJIS compliance.
  • Policy Area 7: Configuration Management – Full administrative control over configuration management. The Accellion platform also provides access restrictions for changes.
  • Policy Area 10: System and Communications Protection and Information Integrity – End-to-end encryption of data in transit and data at rest. The Accellion platform is available in FIPS 140-2 certified and compliant configurations. Customers also retain sole ownership and control of their encryption keys.
  • Policy Area 13: Mobile Devices – Major mobile operating systems supported. Native MDM-light capabilities such as remote data wipe, secure encrypted containers, access PINs, token lifetime configuration, and mobile app whitelisting are all available through the Accellion platform. The mobile productivity suite makes it easy for authorized users to create, edit, share, and collaborate on files on mobile devices. Secure mobile file sharing becomes fast and easy.

In total, the Accellion private cloud secure file sharing platform enables law enforcement agencies to take full advantage of the latest advances in mobile devices and cloud computing, while meeting strict requirements for CJIS compliance.

To learn more about Accellion and its features for CJIS compliance, please contact us.

