We have law enforcement agencies that are interested in Laserfiche Cloud; however, I need to ensure that Laserfiche Cloud is (or can be configured to be) compliant with CJIS Standards for CJI. Are there any considerations for an organization considering a move to Laserfiche Cloud?
Answer
Hi Nathan,
While Laserfiche Cloud meets many compliance standards, including undergoing an annual SOC 2 Type 2 audit, CJIS is not currently one of them. The current U.S.-based Laserfiche Cloud offering is based in AWS's commercial regions, not AWS GovCloud. As I understand it, there are technical, policy, and personnel controls required for CJIS compliance that are only present in AWS GovCloud at this time.
Law Enforcement agencies looking for a cloud-based option to store CJI in Laserfiche can self-host Laserfiche in AWS GovCloud or Microsoft Azure Government. Both offer CJIS compliance resources, some of which you can find below:
- Building CJIS Compliant Solutions in AWS GovCloud
- Criminal Justice Information Service Compliance on AWS
- CJIS Security Policy on AWS - Quick Start
- Microsoft 365/Azure Government CJIS Overview
- Azure CJIS Implementation Guidelines
This is excellent, thanks for the clarification!
Welcome!
Sam, do you know if there are any plans to offer it in the AWS GovCloud in the future?
Bryan, while on our radar, it's not something we're actively working toward at the moment. Offering Laserfiche Cloud on AWS GovCloud in and of itself doesn't accomplish much. What organizations are really after is CJIS and FedRAMP compliance for the solution as a whole. While the SOC 2 controls Laserfiche Cloud currently addresses mostly overlap with CJIS/FedRAMP by merit of their shared basis in NIST SP 800-53, there are numerous areas that would require small changes for full alignment, not to mention the audit work itself.
We're currently focusing our Laserfiche Cloud development efforts in two main areas:
- Achieving functional parity with self-hosted systems
- Enabling ways for self-hosted systems to leverage Cloud features
Once we're satisfied with the progress on those fronts, we'll likely turn to addressing more specific use cases like CJIS.
Any updates on CJIS compliance with Laserfiche Cloud?
No updates for CJIS on Laserfiche Cloud at this time. It's something we remain aware of. If you have specific customers with CJIS workloads that are interested in migrating to Laserfiche Cloud, it would be helpful if you reached out to your Laserfiche sales contact with the list. This can help us gauge demand and prioritize accordingly during long-term roadmap planning.
CJIS compliance for a SaaS offering is both a huge amount of upfront and ongoing work to check all the boxes and has significant associated expenses, especially if we have to use higher cost AWS GovCloud services on the backend.
Replies
I just wanted to check in and see if this was actively being worked on by Laserfiche? I have a few clients that really want to move to Laserfiche Cloud, but are unable to because of this issue.
We are looking at it alongside a broader FedRAMP initiative for Laserfiche Cloud, as there is significant overlap in the controls. That's not an official statement that we're definitely doing it, just a note that yes, it's on the table and if we proceed, likely something we'd tackle while working on FedRAMP over the next ~1-3 years or so.
There has been one significant development on AWS' side in this regard. Previously, only AWS GovCloud was validated for CJIS workloads. Supporting CJIS in Laserfiche Cloud would have necessitated creating an entirely new region on AWS GovCloud, a significant undertaking.
However, on 06 Oct 2023, AWS announced that their US Commercial regions (where LF Cloud US runs today) supported the necessary controls for CJIS workloads. See: AWS Public Sector Blog - Continued innovation in CJIS compliance in both AWS GovCloud (US) and AWS US Commercial Regions
With a separate GovCloud region no longer a pre-req, the feasibility of CJIS on Laserfiche Cloud has gone way up. There's still a ton of work to implement and document all the CJIS controls though. Just because those controls are now available in the AWS US Commercial cloud doesn't mean they're automagically set up for you, only that their absence is no longer a hard blocker.
As I mentioned in an earlier comment, the best thing you can do is reach out (or have your clients reach out) to Laserfiche Sales contacts and express interest to help drive prioritization.
Has there been any update? I have a client asking about CJIS compliance. Thanks!
No updates. Sam's latest response still holds - you should discuss with your sales contact so we can use that information to prioritize this effort.
Thank you for the update, @████████. Add to your list that the State of Oklahoma is interested in using Laserfiche Cloud when the FedRAMP is in place.