Until recently, data sharing for law enforcement often meant using an in-vehicle computer to access files maintained on department servers. Data transmissions were limited, and departments largely complied with the data protection provisions delineated by the Criminal Justice Information System (CJIS).
Forward-thinking agencies, however, are quickly recognizing the value of using smartphones and cloud-based storage instead. Although independently beneficial, when used together these two technologies allow officers to more effectively access a greater level of mission-critical information whenever and wherever they need it.
Progressive law enforcement agencies are finding that today’s smartphones can actually replicate the functionality of in-vehicle computers. The sheer utility of the devices means personnel are no longer dependent on a dashboard-mounted computer and can more effectively engage the community. Paired with a Samsung DeX platform, smartphones can fully support in-vehicle, in-field and in-station operations. Other mobile devices, such as tablets and wearables, are also finding their way into field operations.
Law enforcement commonly uses a variety of technology-driven force multipliers, including license plate readers, in-vehicle video systems and body-worn cameras, all of which generate large amounts of data and place huge demands on even the most robust department-maintained servers. Archived records and photos can also provide significant benefit — but only if they can be readily accessed from the field.
Cloud storage can be a cost-effective way to ensure the security and availability of data. It is easily scalable, continually updated and maintained 24/7 by cyber professionals. With cloud storage, complex responsibilities like maintaining a disaster recovery solution no longer rest with the agency. Cloud storage also makes it possible to provide resources like detailed building diagrams for use during a rapidly unfolding tactical incident.
CJIS Considerations for Smartphones
Much of the data accessed by law enforcement is subject to CJIS requirements. The intent of CJIS is to protect the criminal justice database systems and the sensitive data associated with personal information. Non-compliance can result in denial of access to key information sources.
CJIS Policy Section 5.13 specifically addresses mobile devices (namely, smartphones) and Section 5.13.2 requires the use of a Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) solution capable of performing at a minimum the following actions:
- Remote locking of the device
- Remote wiping of the device
- Setting and locking device configuration
- Detection of “rooted” and “jailbroken” devices
- Enforcement of folder or disk level encryption
- Application of mandatory policy settings on the device
- Detection of unauthorized configurations
- Detection of unauthorized software or applications
- Ability to determine the location of agency-controlled devices
- Prevention of unpatched devices from accessing CJI or CJI systems
- Automatic device wiping after a specified number of failed access attempts
Agency administrators should also review CJIS Policy Sections 5.5 and 5.6, which deal with access and authentication, respectively. Many requirements and recommendations apply specifically to mobile devices. For instance, Section 5.5 acknowledges the portability of mobile devices and recommends limiting login attempts before the device is locked or wiped using the agency’s MDM/EMM solution.
Samsung’s defense-grade Knox platform is built into Samsung smartphones, tablets and wearables. It provides overlapping defense and security mechanisms to protect against intrusion and malicious threats. Knox is particularly adept at protecting data stored on a device, because security is built in at the chip level. Additional Knox solutions include powerful MDM and EMM capabilities that can accomplish CJIS-required tasks. Knox can also function with many third-party MDMs used by law enforcement agencies.
The CJIS security policy is more than 200 pages long, and complying with CJIS rules can be somewhat challenging because technology evolves so quickly. Fortunately, provision is sometimes built into the policy for dealing with these challenges. For example, CJIS has a provision known as “compensating controls,” which permits alternative security processes that provide the same or greater level of protection in circumstances involving legitimate business or technical constraints. (CJIS Policy Section 18.104.22.168.1) This is particularly relevant to agencies rolling out a new smartphone program.
CJIS Considerations for Cloud Storage
CJIS has specific rules regarding the use of cloud storage for criminal justice information. CJIS Security Policy Section 22.214.171.124 covers the requirements with additional guidance provided in Appendix G.3. Agencies interested in utilizing cloud storage for CJIS data must be ready for a degree of due diligence. Here are some important considerations:
- Although there are numerous cloud storage vendors, only a small percentage can meet the stringent requirements imposed by CJIS. Be cautious of those who claim “CJIS certification,” because there is no central CJIS certification or accreditation authority. Ensuring compliance with the CJIS Security Policy is the shared responsibility of FBI CJIS, CJIS Systems Agency and the State Identification Bureaus. Accordingly, each CJIS review is unique and an authorized solution in one state may not be acceptable in another. There may even be differences within a state due to variables inherent in law enforcement processes.
- Ultimate responsibility for CJIS compliance rests with the law enforcement agency, not the vendor. Although using cloud storage is an effective way to manage and access data, agencies should not assume that a cloud solution will transfer total responsibility to the cloud provider. Agencies are still responsible for areas such as training, policy, device and data security, and the specifics applicable to the device type (such as those in CJIS 5.13 for mobile devices).
- Plan on a collaborative approach and start with the person responsible for CJIS compliance at your agency (often the NCIC coordinator). Determine if other agencies already have the capability that you’re seeking and learn from their process. Ask to review a copy of their CJIS application. Work with your mobile device provider so that you understand and utilize built-in security features. Carefully vet potential cloud vendors, and ask them for referrals to agencies already storing criminal justice information. With CJIS, experience counts.
The CJIS Security Policy containing the cited references is available for download at the CJIS Security Policy Resource Center.
Today’s smartphones can support a wide range of police operations, and the more officers can accomplish with a single device, the more effective they will be. When agencies combine a robust smartphone program with CJIS-compliant cloud storage, officers can access important and beneficial information that will make for better crimefighting capabilities and more informed decision making.
Learn more about advanced public safety technology that’s improving officer safety and access to information.