Law enforcement personnel in the field have long used in-vehicle computers to access criminal justice information (CJI) and databases, often based on department servers or accessed through agency networks. Data transmissions are often limited, and departments must generally comply with the data protection provisions delineated by Criminal Justice Information Services (CJIS) policy.
Forward-thinking agencies, however, are quickly recognizing the value of using smartphones and cloud services instead. Although independently beneficial, when used together these two technologies allow officers to more effectively access a greater level of mission-critical information whenever and wherever they need it.
Progressive law enforcement agencies are finding that today’s smartphones can actually replicate the functionality of in-vehicle computers. The sheer utility of the devices means personnel are no longer dependent on a dashboard-mounted computer and can more effectively engage the community. Paired with the Samsung DeX platform, smartphones can fully support in-vehicle, in-field and in-station operations. Other mobile devices, such as tablets and wearables, are also finding their way into field operations.
Law enforcement commonly uses a variety of technology-driven force multipliers, including license plate readers, in-vehicle video systems and body-worn cameras, all of which generate large amounts of data and place huge demands on even the most robust department-maintained servers. Archived records and photos can also provide significant benefit — but only if they can be readily accessed from the field.
Cloud services can be a cost-effective way to ensure personnel have maximum smartphone capabilities in the field, on an evergreen platform with a modern and secure framework. Mobile apps designed for public safety operations are rapidly evolving and expanding their scope. And these apps are increasingly being paired with cloud services that perform data processing and storage outside the mobile device, leading to greater functionality and efficiency. These apps also have the advantage of regular updates and less vulnerability to cyber threats.
Cloud-based storage is easily scalable, continually updated and maintained 24/7 by cyber professionals. With cloud storage, complex responsibilities like maintaining a disaster recovery solution no longer rest with the agency. Cloud storage also makes it possible to provide resources like detailed building diagrams for use during a rapidly unfolding tactical incident.
CJIS considerations for smartphones
Much of the data accessed by law enforcement is subject to CJIS requirements. The intent of CJIS is to protect the criminal justice database systems and the sensitive data associated with personal information. Noncompliance can result in denial of access to key information sources.
A key component of managing agency smartphones is having an effective mobile device management (MDM) or enterprise mobility management (EMM) solution. More importantly, an MDM or EMM is a requirement for any agency that wants to access, transmit or store criminal justice data using mobile devices. CJIS Section 5.13 Policy Area 13 specifically addresses mobile devices (namely, smartphones) and Section 5.13.2 requires the use of an MDM/EMM capable of performing, at a minimum, the following actions:
- Remote locking and wiping the device
- Setting and locking device configuration
- Detection of “rooted” and “jailbroken” devices
- Enforcement of folder or disk-level encryption
- Application of mandatory policy settings on the device
- Detection of unauthorized configurations, software or apps
- Ability to determine the location of agency-controlled devices
- Prevention of unpatched devices from accessing CJI or CJI systems
- Automatic device wiping after a specified number of failed access attempts
Agency administrators should also closely review Appendix G.4 of the CJIS policy regarding best practices specific to mobile devices.
The value of Samsung Knox
Samsung’s defense-grade Knox security platform is built into Samsung smartphones, tablets and wearables. It provides overlapping defense and security mechanisms to protect against intrusion and malicious threats. Knox is particularly adept at protecting data stored on a device because encryption and tamper protection features are built in from the chip up. Additional Knox solutions include powerful MDM and EMM capabilities that can accomplish CJIS-required tasks. Knox can also function with many third-party MDMs used by law enforcement agencies.
Achieve mobile CJIS compliance at your agency
Get expert, practical advice for your mobile deployment so you can be both connected and compliant. Download Now
CJIS considerations for cloud computing
CJIS has specific rules regarding the use of cloud computing for criminal justice information. CJIS Security Policy Section 184.108.40.206 covers the core requirements with additional guidance provided in Appendix G.3. Agencies interested in utilizing cloud services to access, store or transmit CJIS data must be ready for a degree of due diligence. Here are some important considerations:
- Although there are numerous cloud-based services and cloud computing vendors, only a small percentage can meet the stringent requirements imposed by CJIS. Be cautious of those who claim “CJIS certification,” because there is no central CJIS certification or accreditation authority. Ensuring compliance with the CJIS Security Policy is the shared responsibility of FBI CJIS, CJIS Systems Agencies and the State Identification Bureaus. Accordingly, each CJIS review is unique and an authorized solution in one state may not be acceptable in another. There may even be differences within a state due to variables inherent in law enforcement processes.
- Ultimate responsibility for CJIS compliance rests with the law enforcement agency, not the vendor. Although using cloud services is an effective way to manage and access data, agencies should not assume that a cloud solution will transfer total responsibility to the cloud provider. Agencies are still responsible for areas such as training, policy, device and data security, and the specifics applicable to the device type (such as those in CJIS 5.13 for mobile devices).
- Plan on a collaborative approach and start with the person responsible for CJIS compliance at your agency (often the NCIC coordinator). Determine if other agencies already have the capability that you’re seeking and learn from their process. Ask to review a copy of their CJIS application. Work with your mobile device provider so that you understand and utilize built-in security features. Carefully vet potential cloud vendors and ask them for referrals to agencies already using their services. With CJIS, experience counts.
The CJIS security policy is more than 200 pages long and complying with these rules can be somewhat challenging because technology evolves so quickly. Fortunately, some flexibility is built into the policy for dealing with these challenges. For example, CJIS policy has a provision known as “compensating controls,” which permits alternative security processes that provide the same or greater level of protection in circumstances involving legitimate business or technical constraints (CJIS Policy Section 220.127.116.11.1). This is particularly relevant for agencies rolling out a new smartphone program. The CJIS Security Policy containing the cited references is available for download at the CJIS Security Policy Resource Center.
Today’s smartphones can support a wide range of police operations, and the more officers can accomplish with a single device, the more effective they will be. When agencies combine a robust smartphone program with CJIS-compliant cloud services, officers can efficiently access important and beneficial information that will make for better crimefighting capabilities and more informed decision making.
Get more practical advice for deploying smartphones and tablets at your agency with our free, comprehensive CJIS compliance guide. And discover how Knox Manage can function as your mobile command center, offering an all-in-one defense-grade solution to managing a large mobile fleet.