Computerworld reported that last week, the FBI has reaffirmed that cloud computing vendors must comply with its strict criminal database access and sharing rules to do business with them or any US law enforcement entity. These rules are known as Criminal Justice Information Systems (CJIS) security requirements.
When it comes to sharing data online, the FBI most definitely did not just fall off the turnup truck. In fact, according to its web site, The FBI established the CJIS division all the way back in 1992 and the security requirements are a precise set of rules developed over the years to help law enforcement agencies share criminal database information in a secure fashion.
The FBI is now insisting that any company that wants to sell the FBI (or any US law enforcement entity) cloud services has to comply with these regulations, which involves ensuring that *anyone* who has access to the criminal justice information has been fully vetted including a finger print background check.
The situation has become even more confusing because other federal agencies have been content to hold cloud vendors to the the FISMA Guidelines up to now. David Perera, who is editor at FierceGovernmentIT says trying to sort out the different Federal Government security guidelines can be confusing.
“FISMA requires that all IT systems undergo a security risk assessment, have adequate controls and be expressly authorized to operate on the network. The controls, correlated to risk (roughly, low- moderate- and high-), are kept in NIST Special Publication 800-53,” Perera explained.
He adds that the cloud only adds to this overall puzzle. “So cloud systems are just like any other system operating on a federal network, in that sense – except that the Obama administration wants individual agencies to start accepting cloud authorizations to operate on a government-wide basis, rather than having each agency go through the FISMA process each time a cloud provider sells them a service,” he said.
And of course, Perera added, if you’re involved in national security, that’s something entirely different and these departments can depart from FISMA guidelines to layer on their requirements, as the FBI has done in this case.
But is the FBI being completely fair here? While it’s clearly their right to protect the databases and the information in it, should these same strict guidelines apply to any cloud service the FBI uses?
The FBI and Justice Department may have very sound reasons for this because some of this data may end up in a Google Docs document, for example, and perhaps it’s too hard to have more than one set of rules for different situations. Instead, they decide to apply the most stringent policies to everyone to ensure nothing slips through the cracks.
Regardless of why or whether it’s fair or not fair, the FBI has made it clear its cloud vendors need to comply, and if they can’t, they won’t be able to do business with US law enforcement.