Professional Documents
Culture Documents
AWS CJIS Policy Template
AWS CJIS Policy Template
(This document is part of the CJIS Workbook package, which also includes CJIS Security Policy Requirements, CJIS
Security Policy Workbook, and the Criminal Justice Information Service Compliance on AWS whitepaper.)
March 2017
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Notices
This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as
of the date of issue of this document, which are subject to change without notice. Customers are responsible for making
their own independent assessment of the information in this document and any use of AWS’s products or services, each of
which is provided “as is” without warranty of any kind, whether express or implied. This document does not create any
warranties, representations, contractual commitments, conditions or assurances from AWS, its affiliates, suppliers or
licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this
document is not part of, nor does it modify, any agreement between AWS and its customers.
Contents
Contents 3
Introduction 1
Responsibilities 2
The CJIS Security Policy Template 3
Document Revisions 62
Amazon Web Services – CJIS Security Policy Template
Introduction
The CJIS Security Policy (Security Policy) outlines a minimum set of security requirements that create security controls
for managing and maintaining Criminal Justice Information (CJI). The CJIS Advisory Policy Board (APB) manages the
policy with national oversight from the CJIS division of the FBI. Unlike FedRAMP, there is no centralized adjudication
body for determining what is or isn’t compliant with the Security Policy. As a result, vendors/cloud service providers
(CSPs) that want to provide CJIS compliant solutions to multiple law enforcement agencies may have to gain formal CJIS
authorizations from each of the state/local jurisdictions that they support. For more information, see the CJIS Compliance
page.
The CJIS Security Policy Template, delivered as part of the CJIS Workbook package, describes the shared responsibility
model between AWS and customers when working to achieve a CJIS compliant environment. Customers can use this
information as a template for documenting the implementation of applicable CJIS requirements. The template also
outlines AWS’s response on the shared responsibility controls, which can be submitted to an authorizing agency as part of
a customer’s CJIS solution.
This template, and AWS’s approach to helping support a CJIS compliant environment have been favorably reviewed by
the CJIS APB subcommittee, various state-level CJIS authorizing agencies and AWS partners.
The CJIS Workbook package also contains the CJIS Security Policy Workbook Excel spreadsheet, which consolidates all of
the information provided by the CJIS Security Policy Template and CJIS Security Policy Requirements documents into a
single format.
Page 1
Amazon Web Services – CJIS Security Policy Template
Responsibilities
After evaluating the 13 Policy Areas and 131 security requirements defined in the CJIS Security Policy, AWS has
determined that 10 controls can be directly inherited from AWS; 78 controls represent a shared responsibility between
AWS and the customer, and 43 controls are solely the responsibility of the customer. The following table describes how
these responsibilities are reflected in the CJIS security policy table.
Shared Information to help the customer meet their A description of how AWS meets its
responsibility. responsibility.
“Shared” controls indicate security requirements that AWS has addressed at the infrastructure level for components that
are within AWS’s management responsibility (i.e., infrastructure up to the hypervisor/virtualization management layer).
It also indicates controls that customers must address in their environment (from the guest operating system (OS) to the
customer’s systems). If you have existing CJI workloads and data, you will typically reuse the majority of your existing
compliance documentation.
Page 2
Amazon Web Services – CJIS Security Policy Template
Note: You can replace the italic text in the Customer Details column with your CJIS Systems Security Plan implementation details.
5.1 – Policy Area 1: Information [Customer’s and agencies’ use of AWS services should AWS identifies standardized Rules of Behavior (RoB)
Exchange Agreements be documented within existing governance processes between AWS and the customer to allow end users to fully
(e.g. security policies, procedures and agreements) understand AWS’s security capabilities as well as the
governing the use of AWS services.] Shared Responsibility model.
References:
• AWS Security Center
Page 3
Amazon Web Services – CJIS Security Policy Template
5.1.1 – Information Exchange [Customers (or their partners) may need to establish a AWS has a Control Implementation Summary (CIS) and a
CJIS information exchange agreement with CJIS Control Tailoring Workbook (CTW) outlining the controls
authorizing agencies that include the 12 Security Policy that have been implemented, how they meet requirements
areas documented within Section 5 Policy & within the AWS environment, whether those controls are
Implementation] inherited from AWS, and whether the controls are shared
or are the customer’s sole responsibility.
The AWS FedRAMP System Security Plan (SSP) is a
comprehensive document that explains the controls,
parameters and architecture of the AWS environment.
These documents are a part of the AWS FedRAMP
package that clearly specifies security controls and
implementation details.
Reference:
• FedRAMP Compliance in the Cloud
Page 4
Amazon Web Services – CJIS Security Policy Template
5.1.1.2 – State and Federal Agency [The CJIS Systems Agency (CSA), and the State N/A
User Agreements Identification Bureaus (SIB) are responsible for ensuring
there are appropriate signed written user agreements with
the FBI CJIS Division.]
5.1.1.3 – Criminal Justice Agency [Customers (or their partners) are responsible for ensuring To enable this requirement, AWS supports user
User Agreements Criminal Justice Agency (CJA) receive signed access agreements, where applicable, in accordance with the CJIS
agreements, as appropriate, for personnel with access to Security Policy and CJIS Security Policy Workbook.
CJI as part of their security addendum process]
5.1.1.4 – Interagency and [The Noncriminal Justice Agency (NCJA) shall sign and N/A
Management Control Agreements execute a management control agreement (MCA) with the
CJA, which stipulates management control of the criminal
justice function remain solely with the CJA.]
5.1.1.5 – Private Contractor User [Customers (or their partners) are responsible for ensuring To enable this requirement, AWS supports user
Agreements and CJIS Security the CJA receive signed access agreements for personnel agreements, where applicable, in accordance with the CJIS
Addendum with access to CJI as part of their security addendum Security Policy and CJIS Security Policy Workbook.
process]
Page 5
Amazon Web Services – CJIS Security Policy Template
5.1.1.6 – Agency User Agreements [Customers (or their partners) should work with the AWS is not considered a Non-Criminal Justice Agency as it
appropriate CJA in order to implement these requirements does not access CJI directly or implement systems that
for the affected user environments built on AWS.] connect to CJI. AWS services are consumed by Criminal
Justice Agency and Non-Criminal Justice Agency entities
for the purposes of their systems to connect to CJI. AWS
will comply with the CJIS Security Policy in providing
fingerprints from its covered administrators for the
purposes of performing background checks under Security
Agreements with customers.
5.1.1.7 – Outsourcing Standards [Customers (or their partners) are responsible for ensuring AWS is not a direct “Channeler” because it does not build
for Channelers Criminal Justice Agency (CJA) receive signed access or implement the CJI system or otherwise access CJI. As
agreements for personnel with access to CJI as part of such, the requirement does not apply to AWS.
their security addendum process]
Page 6
Amazon Web Services – CJIS Security Policy Template
5.1.1.8 – Outsourcing Standards [Customers (or their partners) should define the policies AWS is not a “Contractor” because it does not build or
for Non-Channelers that identify functional responsibilities for the implement the CJI system or otherwise access CJI. As
administration of logical access and security of the CJI such, the requirement does not apply to AWS.
data and implement the requirements of this control.]
5.1.2 – Monitoring, Review, and [Customers (or their partners) can and should maintain AWS provides monthly continuous monitoring reporting to
Delivery of Services overall control and visibility into their environment to FedRAMP. These reports include vulnerability scans, plan
include their own vulnerability scanning, pen testing and of actions and milestones (POA&M), and additional
system monitoring.] information such as expected changes upcoming, new
services etc.
5.1.2.1 – Managing Changes to [Customers (or their partners) are responsible for AWS communicates changes to its services through a
Service Providers reviewing these notices and understanding which services variety of methods. These may include notices to
are applicable to their environment.] customers in accordance with the AWS customer
agreement (aws.amazon.com/agreement), notices posted
to AWS public forums, or changes through the monthly
continuous monitoring reporting to FedRAMP.
Page 7
Amazon Web Services – CJIS Security Policy Template
5.1.3 – Secondary Dissemination [Customers (or their partners) should establish exchange N/A
agreements where applicable.]
5.1.4 – Secondary Dissemination [Customers (or their partners) should establish N/A
of Non-CHRI CJI dissemination and local policy requirements.]
5.2 – Policy Area 2: Security [Customers (or their partners) should establish basic AWS provides annual security awareness training for AWS
Awareness Training security awareness training within six months of initial staff with access to the AWS infrastructure. Where
assignment, and biennially thereafter, for all personnel applicable, covered AWS personnel with access to CJI
who have access to CJI.] shall be required within six months of initial assignment,
and biennially thereafter, to complete a CJIS inclusive
security awareness process training.
Page 8
Amazon Web Services – CJIS Security Policy Template
Page 9
Amazon Web Services – CJIS Security Policy Template
Page 10
Amazon Web Services – CJIS Security Policy Template
Page 11
Amazon Web Services – CJIS Security Policy Template
Page 12
Amazon Web Services – CJIS Security Policy Template
Page 13
Amazon Web Services – CJIS Security Policy Template
Page 14
Amazon Web Services – CJIS Security Policy Template
Page 15
Amazon Web Services – CJIS Security Policy Template
Page 16
Amazon Web Services – CJIS Security Policy Template
Page 17
Amazon Web Services – CJIS Security Policy Template
Page 18
Amazon Web Services – CJIS Security Policy Template
5.4.1.1 – Events
[Customers (or their partners) are responsible for AWS logs a variety of activities in order to support
reviewing audit logs generated by their AWS account via investigations and to meet the AWS Audit and
CloudTrail, as well as logs generated by their EC2 Accountability Policy. These activities include:
instances and any applications hosted on EC2. • Successful and unsuccessful account logon
Customers can use CloudWatch Logs as a centralized events
means of analyzing their audit logs generated by
• Account management events
CloudTrail and by their EC2 instances). ]
• Object access
• Policy changes
• Privilege functions
• Process tracking
• System events/error
• Administrator activity
• Authentication/Authorization checks
Page 19
Amazon Web Services – CJIS Security Policy Template
5.4.1.2 – Content
[Customers (or their partners) are responsible for AWS audited events include date, time, component, type of
reviewing audit logs generated by their AWS account via event, user ID, and outcome for auditable events.
CloudTrail, as well as logs generated by their EC2
instances and any applications hosted on EC2.
Customers can use CloudWatch Logs as a centralized
means of analyzing their audit logs generated by
CloudTrail and by their EC2 instances.]
Page 20
Amazon Web Services – CJIS Security Policy Template
Page 21
Amazon Web Services – CJIS Security Policy Template
Page 22
Amazon Web Services – CJIS Security Policy Template
Page 23
Amazon Web Services – CJIS Security Policy Template
Page 24
Amazon Web Services – CJIS Security Policy Template
Page 25
Amazon Web Services – CJIS Security Policy Template
Page 26
Amazon Web Services – CJIS Security Policy Template
Page 27
Amazon Web Services – CJIS Security Policy Template
Page 28
Amazon Web Services – CJIS Security Policy Template
Page 29
Amazon Web Services – CJIS Security Policy Template
5.6.2.1.1 – Password
[Customers (or their partners) are responsible for AWS has a formal access control policy that is reviewed
controlling the creation of user accounts. Identification and and updated on an annual basis (or when any major
Access Management (IAM) features include basic change to the system occurs that impacts the policy). The
password management options for local accounts such as policy addresses purpose, scope, roles, responsibilities
password length and complexity requirements. Customers and management commitment. Access control procedures
(or their partners) should establish a policy for the servers are systematically enforced through proprietary tools.
that align with the applicable CJIS requirements.] Procedures exist so that Amazon employee and contractor
user accounts are added, modified, or disabled in a timely
manner and are reviewed on a periodic basis. In addition,
password complexity settings for user authentication to
AWS systems are managed in compliance with Amazon’s
Corporate Password Policy.
AWS has established formal policies and procedures to
delineate standards for logical access to AWS platform and
infrastructure hosts. Where permitted by law, AWS requires
that all employees undergo a background investigation
commensurate with their position and level of access. The
policies also identify functional responsibilities for the
administration of logical access and security.
5.6.2.1.2 – Personal Identification
[Customers (or their partners) are responsible for N/A
Number
controlling the creation of user accounts. IAM features
include basic password management options for local
accounts such as password length and complexity
requirements. Customers (or their partners) should
establish a policy for the servers that align with the
applicable CJIS requirements.]
Page 30
Amazon Web Services – CJIS Security Policy Template
5.6.2.2.2 – Advanced
[Customers (or their partners) are responsible for creating N/A
Authentication Decision Tree
an Advanced Authentication Decision tree based on their
specific implementation of AWS.]
Page 31
Amazon Web Services – CJIS Security Policy Template
Page 32
Amazon Web Services – CJIS Security Policy Template
5.6.4 – Assertions
[Customers (or their partners) should leverage identity AWS utilizes a combination of internal and trusted external
certificates within various AWS services such as IAM, certification authorities for validating individual identities.
Elastic Load Balancing, and Amazon CloudFront to X.509 certificates are issued internally through a self-
ensure trust of identities within their AWS customer service certificate creation tool signed by the Amazon.com
environment.] IT Security Certificate Authority (CA). For external access
points, commercial CA’s are used. Private keys and
certificates are stored and distributed securely.
Page 33
Amazon Web Services – CJIS Security Policy Template
Page 34
Amazon Web Services – CJIS Security Policy Template
Page 35
Amazon Web Services – CJIS Security Policy Template
Page 36
Amazon Web Services – CJIS Security Policy Template
Page 37
Amazon Web Services – CJIS Security Policy Template
Page 38
Amazon Web Services – CJIS Security Policy Template
Page 39
Amazon Web Services – CJIS Security Policy Template
Page 40
Amazon Web Services – CJIS Security Policy Template
Page 41
Amazon Web Services – CJIS Security Policy Template
Page 42
Amazon Web Services – CJIS Security Policy Template
Page 43
Amazon Web Services – CJIS Security Policy Template
Page 44
Amazon Web Services – CJIS Security Policy Template
• http://docs.aws.amazon.com/AmazonVPC/latest/
UserGuide/VPC_Security.html]
5.10.1.2 – Encryption
[Customers (or their partners) can choose to connect to AWS ensures that the message contents are not readable
AWS through multiple secure protocols. AWS supports in transit by using symmetric encryption of data before
the use of the Secure Shell (SSH) network protocol to transmission. SSL or TLS sessions terminate at load
enable the customer to connect remotely to their balancers or, for Amazon S3 connections, at the web
UNIX/Linux. Customers (or their partners) can also servers. Both the load balancers and the web servers
connect remotely to their Windows instances using employ OpenSSL. Available cryptographic ciphers include:
Remote Desktop Protocol (RDP) by utilizing an RDP AES-256-CBC, AES-128-CBC, and 3DES-EDE-CBC.
certificate generated for their instance.]
Page 45
Amazon Web Services – CJIS Security Policy Template
Page 46
Amazon Web Services – CJIS Security Policy Template
Page 47
Amazon Web Services – CJIS Security Policy Template
5.10.3.1 – Partitioning
[Customers (or their partners) are responsible for properly AWS is responsible for security function isolation for the
implementing security function isolation within any EC2 AWS Infrastructure.
instances.]
5.10.3.2 – Virtualization
[Customers (or their partners) instances have no access AWS uses a highly customized hypervisor, taking
to raw disk devices, but instead are presented with advantage of paravirtualization. Because paravirtualized
virtualized disks that map logical blocks to physical blocks guests rely on the hypervisor to provide support for
on the disk device. Customers (or their partners) should operations that normally require privileged access, the
review their options for setting up EC2 instances and guest OS has no elevated access to the CPU. This explicit
machine images.] virtualization of the physical resources leads to a clear
separation between guest and hypervisor, resulting in
additional security separation between the two.
Page 48
Amazon Web Services – CJIS Security Policy Template
Page 49
Amazon Web Services – CJIS Security Policy Template
Page 50
Amazon Web Services – CJIS Security Policy Template
Page 51
Amazon Web Services – CJIS Security Policy Template
Page 52
Amazon Web Services – CJIS Security Policy Template
Page 53
Amazon Web Services – CJIS Security Policy Template
Page 54
Amazon Web Services – CJIS Security Policy Template
Page 55
Amazon Web Services – CJIS Security Policy Template
5.13.1.2 – Cellular
[Customers (or their partners) should address this control Cellular devices are not allowed within the system
within their AWS environment using appropriate policies boundary. Cellular devices are not permitted to connect to
and procedures.] the AWS infrastructure.
Page 56
Amazon Web Services – CJIS Security Policy Template
5.13.1.3 – Bluetooth
[Customers (or their partners) should address this control N/A
within their AWS environment using appropriate policies
and procedures.]
Page 57
Amazon Web Services – CJIS Security Policy Template
5.13.4.1 – Patching/Updates
[Customers (or their partners) should address this control N/A
within their AWS environment using appropriate policies
and procedures.]
Page 58
Amazon Web Services – CJIS Security Policy Template
Page 59
Amazon Web Services – CJIS Security Policy Template
Page 60
Amazon Web Services – CJIS Security Policy Template
5.13.7.2 – Advanced
[Customers (or their partners) should address this control N/A
Authentication
within their AWS environment using appropriate policies
and procedures.]
5.13.7.2.1 – Compensating
[Customers (or their partners) should address this control N/A
Controls
within their AWS environment using appropriate policies
and procedures.]
Page 61
Amazon Web Services – CJIS Security Policy Template
Document Revisions
Date Description
March 2017 Updates to Criminal Justice Information Service Security Policy 5.5.
Page 62