CJI refers to the FBI CJIS-provided data necessary for law enforcement agencies to perform their mission and enforce the laws, such as biometric, identity history, person, organization, property, and case/incident history data. CJI also refers to data necessary for civil agencies to perform their mission, including data used to make hiring decisions.
Hosted~FTP~ relies on the successful track record of Amazon Web Services (AWS), which has developed a suite of security and privacy features to attract a customer base that uses the AWS cloud for storing a wide range of sensitive federal, state and municipal government data, including Criminal Justice Information (CJI) data. Hosted~FTP~ has embedded in its implementation of AWS services features that dramatically improve the security and protection of PII, PHI and CJI data.
To support law enforcement customers, Hosted~FTP~ utilizes only Amazon Web Services (AWS) infrastructure, which is committed to a strong position of compliance across a wide range of frameworks and has documented direct alignment of applicable CJIS requirements in the AWS CJIS Security Policy Workbook. Hosted~FTP~ deploys our FTP application services securely on AWS by leveraging the specific AWS security features required to comply with the CJIS Security Policy requirements, including:
– law enforcement clients can require all FTP traffic (FTPS/SFTP) to be encrypted in transit from the transfer device to our Hosted~FTP~ AWS system. This includes not only the data, but also the credentials and the file names/folder names.
– all browser-based transfers use HTTPS, which automatically encrypts not only the data, but also the credentials and the file names/folder names.
– all data is encrypted on arrival at the Hosted~FTP~ site
– all data is encrypted in AWS S3 data storage with AWS provided options
– all access to law enforcement data can be protected with login credentials, and the account admin can also enforce multi-factor authentication
– Hosted~FTP~ ensures secure access by any support/operations area using AWS Identity and Access Management (IAM) with multi-factor authentication
– Hosted~FTP~ tracks all logging and monitoring with S3 logging, AWS CloudTrail, Amazon CloudWatch, and AWS Trusted Advisor
– All account access is automatically logged and an audit log is available for all logins and file transfer activity in the Files Logs folder for all Hosted~FTP~ (law enforcement) customers.
As an Enterprise+ feature, the administrator can require users to be CJIS compliant at the account, group, or individual user level. Users who attempt to change their settings otherwise cannot save the changes and are required to meet the requirements in their Setup tab.
Criminal Justice Information Services (CJIS) Security Policy | Area Detail | Compliance/Comments |
CSP 5.3 | Policy Area 3: Incident Response: There has been an increase in the number of accidental or malicious computer attacks against both government and private agencies, regardless of whether the systems are high or low profile. Agencies shall: (i) establish an operational incident handling capability for agency information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; (ii) track, document, and report incidents to appropriate agency officials and/or authorities. ISOs have been identified as the POC on security-related issues for their respective agencies and shall ensure LASOs institute the CSA incident response reporting procedures at the local level. Appendix F contains a sample incident notification letter for use when communicating the details of an incident to the FBI CJIS ISO. | Hosted~FTP~ has reviewed the IT Security Incident Response form in section F and has updated their internal reporting procedures to generate a completed incident report as necessary. |
CSP 5.10.1.5 | Policy area 5.10.1.5 Cloud Computing: Organizations transitioning to a cloud environment are presented unique opportunities and challenges (e.g., purported cost savings and increased efficiencies versus a loss of control over the data). Reviewing the cloud computing white paper (Appendix G.3), the cloud assessment located within the security policy resource center on FBI.gov, NIST Special Publications (800-144, 800-145, and 800-146), as well as the cloud provider’s policies and capabilities will enable organizations to make informed decisions on whether or not the cloud provider can offer service that maintains compliance with the requirements of the CJIS Security Policy. The metadata derived from CJI shall not be used by any cloud service provider for any purposes. The cloud service provider shall be prohibited from scanning any email or data files for the purpose of building analytics, data mining, advertising, or improving the services provided. | Hosted~FTP~ does not scan any email, files, credentials, file-names, folder names or any other type of metadata for the purpose of building analytics, data mining, advertising or any other type of intended corporate use. |
CSP Appendix G3 – Cloud Computing | G.3 Cloud Computing White Paper recommendations | |
Governance | Hosted~FTP~ has put in place audit mechanisms and tools to ensure organizational practices are followed throughout the system life-cycle. | |
Compliance | Hosted~FTP~ ensures that the jurisdiction of all data stored at an AWS location in the US remains at a single AWS location. We maintain strict privacy and security controls and ensure that no electronic discovery requirements compromise the privacy or security of data and applications | |
Trust | The law enforcement service has sole responsibility for the data/files stored at Hosted~FTP~. We continuously monitor the security state of our service for on-going risk management decisions. | |
Architecture | Hosted~FTP~ uses all best practices in the design and configuration of our AWS infrastructure to support our FTP cloud services. We have been at AWS for seven years and are expert at their architecture. | |
Identity and Access Management | We ensure that safeguards are in place for secure authentication, | |
Software Isolation | Our SaaS employs very sophisticated logical isolation techniques for restricting access to the multi-tenant software architecture | |
Data Protection | Access to data is securely controlled with user credentials as well as the ability to configure Multi-Factor authentication (MFA). We encrypt all data in transit, on arrival at the SaaS and at rest. We also have “chain of custody” on the data that fingerprints the file before S3 storage and compares when retrieved to ensure no data tampering. | |
Availability | Our SaaS service SLA is 99.99+ % | |
Incident Response | We monitor and support our services with live chat, ticket and phone support midnight to 7 PM EST daily (M-F) and monitor all AWS logs and incidents 7x24x365. We would inform all law enforcement and enterprise level clients of any security breach and have in place DR and DoS plans. | |