In collaboration with the private sector, the California Department of Justice (CalDOJ) is going forward with implementing a new protocol designed to support local law enforcement agencies in deploying cloud solutions for criminal justice data.
Under state government code, CalDOJ is mandated to maintain a network backbone for use by law enforcement agencies. Supporting this responsibility, the department created the California Law Enforcement Telecommunications System (CLETS) and the CLETS Advisory Committee (CAC).
The need for a group like CAC trickles down from the FBI, which has a group called the Advisory Policy Board. It’s the responsibility of the board to provide national standards for agencies across the U.S. to access Criminal Justice Information Services or national criminal justice data. In California, CAC is charged with ensuring data being sent across local, state and federal agencies meets those FBI requirements.
However, technology has come leaps and bounds since CLETS became operational in the 1960s, when it primarily applied to securing data running on dedicated lines via one-way, text-based machines. Following the request of one local police department, DOJ and CAC have been making moves to ensure it keeps up with modern advancements, particularly in the area of cloud technology.
CAC counsels the California Attorney General on the appropriate methods of collecting, storing and disseminating CLETS data. When a local law enforcement entity wishes to implement technology not already approved by the committee, it must first go through an application process explaining how the solution meets security requirements. A CLETS auditor is then assigned to the application, who decides whether the technology is legitimate.
Last year, when the Chula Vista, Calif., Police Department requested approval to deploy Microsoft Office 365 and Azure, the agency’s technology manager, Eric Wood, found a missing piece in the CLETS approval processes. He also learned that there were several neighboring agencies that had submitted requests to deploy cloud services a year prior to his application, all of which never received a response from CAC.
“We discovered that the CLETS agency did not have a protocol to follow on how to authorize a law enforcement agency in the state to use Office 365, Azure or any cloud service for that matter,” Woods said in an interview with Techwire. “They had not gone through and approved it for any agency because they didn’t know how without a protocol.”
Recognizing the potential impacts his discovery could have on the private sector, Wood engaged with Microsoft to explain how the missing protocol was likely a significant reason why law enforcement agencies in California weren’t deploying the company’s cloud services. Prompted by Wood’s application, the company began assessing how to remedy the issue.
Microsoft had begun working with CalDOJ more than five years prior to Wood’s discovery, looking to ensure that CLETS and agencies at both a state and national level understood where the evolution of technology is and where it’s going, an effort Stuart McKee, Microsoft’s chief technology officer of state and local government, was heavily involved in.
“Although CLETS historically was developed for teletypes, we have a fiduciary responsibility to embrace it and work through it in such a way that you mitigate the risk for all the parties involved,” McKee said.
At the time Wood submitted his application for cloud services, Microsoft already had a contractual commitment to CalDOJ in place since 2013, stating the company would provide a level of access to auditing of environments used by agencies, as well as fingerprint-based background checks of employees involved in the development and deployment of those solutions. However, without a CLETS procedure in place to approve Microsoft cloud technology, Wood referred to the agreement as more of an “empty nod of approval.”
Beginning in March 2016, CalDOJ CLETS auditors and engineers held conference calls on a near weekly basis with Microsoft for more than six months, during which the group worked through a list of roles, requirements and responsibilities that would go into law enforcement deploying Microsoft cloud solutions. McKee said the conversations primarily revolved around education.
“Most of the work that went on, from Microsoft’s standpoint, was about trying to get educated and understand CLETS, its history, policies and processes, [as well as] understand Eric [Wood], Chula Vista, their requirements and how they operate as an organization,” McKee said. “Then trying to reconcile that, very often, with what other organizations across California are doing to create some consistency, if you will.”
Conference calls between CalDOJ and Microsoft closed in October. The end product of the collaboration is a security matrix that gives CLETS auditors a framework to review how security issues involving Microsoft Office 365 and Azure would be managed.
“Once the security matrix was established, they agreed that it encompassed essentially A to Z of everything we need to be covered,” Wood said. “Then [CAC] can provide that to an agency who wants to apply and say, ‘In your application complete this security matrix.’ That was the missing piece.”
Agencies that had previously requested to implement Microsoft cloud products were asked to re-submit their applications. Following evaluation from CLETS auditors, the Chula Vista Police Department’s updated proposal was approved by CAC on Dec. 14. Wood said they contracted with Winbourne Consulting to help develop the submission.
In this day and age, many public-sector agencies are strapped for resources and funding, a concept that the Chula Vista PD hasn’t been immune to. However, with the protocol to approve cloud resources now in place with CLETS, Wood’s department and other law enforcement organizations in California have the ability shift their attention away from specific activities, such as racking on-premise servers.
“Me and my staff are now freed up to really focus on the particular needs of our agency, not just the foundational plumbing of having documents flowing and where are they stored on a file server,” Wood elucidated, elaborating on how the changes have helped his department. “You can now enable your people to really keep up with a smaller, more manageable set of compliance [rules].”
As for the private sector, McKee gave insight on how he thinks the CLETS process and the approval for Chula Vista PD is going to impact the market.
“Getting this milestone completed is going to release a lot of pent up demand. Most of these agencies have already embraced the technology, but they now have an additional level of confidence that what they’re doing is right. At a national level, it really acknowledges California’s leadership and how it is continuing to evolve and embrace emerging technologies responsibly.”
