The FBI’s latest CJIS security policy update, released last December, makes sweeping changes to how agencies must protect criminal justice information such as criminal case histories, biometric data and other forms of personal information contained in case and incident files. Among other things, the FBI now requires CJIS users to implement multifactor authentication (MFA), data encryption at rest and in transit, and new measures to reduce supply chain vulnerabilities. The changes are meant to counter increasingly sophisticated cyber threats and address risks created by greater use of cloud and mobile technologies by public safety agencies. In addition, the new policy aims to simplify compliance by aligning CJIS to National Institute of Standards and Technology security standards, which form the framework for other federal standards like the Health Insurance Portability and Accountability Act and IRS 1075.
Massachusetts is on the verge of deploying MFA to the State Police, Department of Correction and other state agencies that access CJIS data, as well as more than 350 local law enforcement agencies, said Jamison Gagnon, commissioner of the Massachusetts Department of Criminal Justice Information Services, which oversees CJIS compliance for the state. Implementing MFA and adopting new compliance audit procedures are the first steps in the state’s incremental approach to CJIS modernization, Gagnon said.
“Like any technology change, this is all about prioritization and resource management. We have to break it down, so we don’t overwhelm our users,” he said, adding that the new FBI mandates take effect in phases. “I think the FBI’s CJIS Division acknowledges there are a lot of moving parts to this.”
The state will adopt multiple MFA technologies to fit an operating environment that includes police officers in cruisers and correctional officers in prison facilities. “There will be different solutions because not everyone is a traditional office user with access to a laptop and a phone,” Gagnon said. “We’ve already done an assessment. We’ll start with state agencies, and that rollout will begin very soon.”
The new CJIS system is hosted in the Amazon Web Services commercial cloud — not the company’s specialized government cloud — through a contract provided by the Massachusetts Executive Office of Technology Services and Security. The CJIS project aligns with an overall push by the state’s central technology office to move on-premises systems to cloud platforms. “It makes us more secure and resilient — and we can make changes faster,” Gagnon said. “That’s all part of our cloud modernization story.”
He added that the commercial cloud platform meets CJIS requirements for U.S.- or Canada-based data centers, strict physical and logical access controls, and data encryption. “What matters is that the solution is compliant with the CJIS security policy — not if it’s the gov cloud or commercial,” Gagnon said. “If it checks all the boxes, it’s good.”
The new cloud platform also gives Massachusetts law enforcement agencies access to AI-powered tools and other innovative features. Gagnon said AI could be useful in multiple areas, including data analysis, workflow automation and security threat detection.
“That’s one of the reasons this policy decision was made — we wanted something that’s updated and modernized and lets us take advantage of new applications,” Gagnon said. “We’re investigating those avenues right now, but we’re not there yet.”