We have law enforcement agencies that are interested in Laserfiche Cloud; however, I need to ensure that Laserfiche Cloud is (or can be configured) to be compliant with CJIS Standards for CJI. Are there any considerations for an organization considering a move to Laserfiche Cloud?
Question
Answers
March 12, 2025 update:
Laserfiche Cloud, GovRAMP/FedRAMP, and the CJIS (Criminal Justice Information Services) Security Policy
Laserfiche has many self-hosted customer implementations that are used by local law enforcement that handles CJI. Laserfiche Cloud in the U.S. runs in AWS commercial data center regions. Laserfiche has a GovRAMP (formerly StateRAMP) initiative that will address GovRAMP/FedRAMP moderate controls, which will incorporate Version 6.0 of the CJIS Security Policy published on December 27, 2024.
Our plans are to achieve GovRAMP authorization by the end of Q2 2026, which will include appropriate CJI controls for local and state government review.
Background: Laserfiche has been working with AWS on CJIS requirements. CJIS is a self-certification standard where any agency handling CJI is responsible for compliance. There is no central CJIS authorization organization or certification body that certifies whether products meet CJIS requirements. Local governments typically look to their respective states on what they need to do to secure CJI, which historically have required using GovCloud if they are AWS customers.
Since 2023, AWS has represented that they are actively working with state law enforcement officials on approving the use of AWS commercial regions for CJI as an alternative to GovCloud. Reference: AWS Public Sector Blog | Continued innovation in CJIS compliance in both AWS GovCloud (US) and AWS US Commercial Regions
Hi Nathan,
While Laserfiche Cloud meets many compliance standards, including undergoing an annual SOC 2 Type 2 audit, CJIS is not currently one of them. The current U.S.-based Laserfiche Cloud offering is based in AWS's commercial regions, not AWS GovCloud. As I understand it, there are technical, policy, and personnel controls required for CJIS compliance that are only present in AWS GovCloud at this time.
Law Enforcement agencies looking for a cloud-based option to store CJI in Laserfiche can self-host Laserfiche in AWS GovCloud or Microsoft Azure Government. Both offer CJIS compliance resources, some of which you can find below:
- Building CJIS Compliant Solutions in AWS GovCloud
- Criminal Justice Information Service Compliance on AWS
- CJIS Security Policy on AWS - Quick Start
- Microsoft 365/Azure Government CJIS Overview
- Azure CJIS Implementation Guidelines
This is excellent, thanks for the clarification!
Welcome!
Sam, do you know if there are any plans to offer it in the AWS GovCloud in the future?
Bryan, while on our radar, it's not something we're actively working toward at the moment. Offering Laserfiche Cloud on AWS GovCloud in and of itself doesn't accomplish much. What organizations are really after is CJIS and FedRAMP compliance for the solution as a whole. While the SOC 2 controls Laserfiche Cloud currently addresses mostly overlap with CJIS/FedRAMP by merit of their shared basis in NIST SP 800-53, there are numerous areas that would require small changes for full alignment, not to mention the audit work itself.
We're currently focusing our Laserfiche Cloud development efforts in two main areas:
- Achieving functional parity with self-hosted systems
- Enabling ways for self-hosted systems to leverage Cloud features
Once we're satisfied with the progress on those fronts, we'll likely turn to addressing more specific use cases like CJIS.
Any updates on CJIS compliance with Laserfiche Cloud?
Please see the March 12, 2025 update here: https://answers.laserfiche.com/questions/170080/Is-Laserfiche-Cloud-compliant-with-CJIS-Standards#227609
-----
No updates for CJIS on Laserfiche Cloud at this time. It's something we remain aware of. If you have specific customers with CJIS workloads that are interested in migrating to Laserfiche Cloud, it would be helpful if you reached out to your Laserfiche sales contact with the list. This can help us gauge demand and prioritize accordingly during long-term roadmap planning.
CJIS compliance for a SaaS offering both involves a huge amount of upfront and ongoing work to check all the boxes and has significant associated expenses, especially if we have to use higher cost AWS GovCloud services on the backend.
Replies
I just wanted to check in and see if this was actively being worked on by Laserfiche? I have a few clients that really want to move to Laserfiche Cloud, but are unable to because of this issue.
We are looking at it alongside a broader FedRAMP/GovRAMP (formerly StateRAMP) initiative for Laserfiche Cloud, as there is significant overlap in the controls. That's not an official statement that we're definitely doing it, just a note that yes, it's on the table and if we proceed, likely something we'd tackle while working on FedRAMP/GovRAMP over the next ~1-3 years or so.
There has been one significant development on AWS' side in this regard. Previously, only AWS GovCloud was validated for CJIS workloads. Supporting CJIS in Laserfiche Cloud would have necessitated creating an entirely new region on AWS GovCloud, a significant undertaking.
However, on 06 Oct 2023, AWS announced that their US Commercial regions (where the Laserfiche Cloud US region runs today) supported the necessary controls for CJIS workloads. See: AWS Public Sector Blog - Continued innovation in CJIS compliance in both AWS GovCloud (US) and AWS US Commercial Regions
With a separate GovCloud region no longer a pre-req, the feasibility of CJIS on Laserfiche Cloud has gone way up. There's still a ton of work to implement and document all the CJIS controls though. Just because those controls are now available in the AWS US Commercial cloud doesn't mean they're automagically set up for you, only that their absence is no longer a hard blocker.
As I mentioned in an earlier comment, the best thing you can do is reach out (or have your clients reach out) to Laserfiche Sales contacts and express interest to help drive prioritization.
Good morning. I know this update is only about 7 months old. We are currently reviewing our options for migrating to Laserfiche Cloud. We are a law enforcement agency and would be interested in the status of CJIS compliance.
Hi Aaron,
The previous update that we're looking at it as part of our FedRAMP efforts due to the significant controls overlap is still accurate. I wouldn't expect it to be any sooner than 2 years out though.
Has there been any update? I have a client asking about CJIS compliance. Thanks!
No updates. Sam's latest response still holds - you should discuss with your sales contact so we can use that information to prioritize this effort.
Thank you for the update, @████████. Add to your list that the State of Oklahoma is interested in using Laserfiche Cloud when the FedRAMP is in place.