By David J. Roberts, Senior Program Manager, IACP Technology Center
aw enforcement agencies throughout the United States and around the world are increasingly considering cloud computing as a viable option to support information management and operations. The IACP and SafeGov recently cohosted a symposium called “Leveraging the Cloud for Law Enforcement,” held January 31 at the Newseum in Washington, D.C.
The symposium featured presentations by IACP President Craig T. Steckler, chief of the Fremont, California, Police Department; IACP Executive Director Bart R. Johnson; Michael Chertoff, chairman of the Chertoff Group and former U.S. Department of Homeland Security secretary; U.S. Rep. Mike Rogers (R-MI), chairman of the U.S. House of Representatives Permanent Select Committee on Intelligence; Richard Holgate, chief information officer of the Bureau of Alcohol, Tobacco, Firearms, and Explosives; and Jerome Pender, executive assistant director of the Information and Technology Branch at the Federal Bureau of Investigation. In addition, several IACP members spoke on panel discussions throughout the day with other subject matter experts to address cloud planning and implementation issues, challenges, and successes. Approximately 110 people attended the event and participants remained engaged throughout the day.
The IACP released preliminary results of a new survey on cloud computing in law enforcement and announced the publication of Guiding Principles on Cloud Computing for Law Enforcement during the symposium.
Cloud Computing Survey
The IACP, the Ponemon Institute, and SafeGov recently completed a survey of IACP member agencies regarding cloud computing and its application to law enforcement. The survey examined how state and local law enforcement officials view the potential of cloud computing in law enforcement, their concerns, and their plans for the future. Invitations to participate in the online survey were distributed over three weeks in late December 2012 through mid-January 2013 to 4,771 IACP members representing municipal and county police departments, sheriffs’ departments, and state police agencies. A total of 272 agencies responded, representing a response rate of 6 percent.
Nearly three-quarters (71 percent) of survey respondents were the chief executive officers of their agencies, and an additional 11 percent were command staff (see table 1).
It is worth noting that respondents closely reflected the agency size stratification (in number of sworn officers) of the IACP membership from which they were drawn (see table 2).
Survey results illustrate that chiefs and sheriffs broadly understand the potential value of this new computing paradigm, are actively engaged in considering the adoption of the technology, and are seeking guidance for effective planning and implementation. More than half (54 percent) of the 272 IACP member respondents indicated that they had implemented or were planning or considering implementing cloud-based solutions in the next two years (see chart 1).
|Respondent Position ||n||%|
|Command Staff ||31||11|
|Information Technology Director||15||6|
|Information Technology Manager||22||8|
|Municipal/County Chiefs, Sherifs, and State Police|
|Agency Size (Sworn Officers)||Sample||IACP|
|Fewer than 25||36%||43%|
|1,000 or more||5%||3%|
Of those agencies that indicated they are not now considering cloud computing, more than half (54 percent) indicate the their current law enforcement applications are not presently offered as cloud-based solutions, and 44 percent expressed concerns that cloud-based services do not provide sufficient security for their information systems and data.
Email is the application most frequently used by agencies who have already adopted cloud solutions, but several others—including cloud storage; the Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) access; records management systems (RMS); crime reporting; and analysis and mapping applications—are being considered for implementation among responding agencies (see table 3).
|Applications||Using (%)|| Considering (%)||Not Considering (%)||TOTAL (%)|
|RMS, Crime Reporting, and Analysis||10||37||53||100|
Although backup and disaster recovery and email were viewed as the two applications “most suitable” for cloud computing, survey respondents also identified a wide range of law enforcement applications as “potentially suitable,” including crime analysis and mapping applications; crime reporting; CJIS/National Crime Information Center (NCIC) access; and access to key state systems, such as computerized criminal history (CCH), departments of motor vehicle (DMVs), and warrants, as well as RMS and computer-aided dispatching (see chart 2).
Realizing cost savings was the most popular reason (61 percent) responding agencies indicated they were adopting, planning, or considering to adopt cloud computing, followed by an expectation that they will be able to eliminate their need to manage their own software and hardware (52 percent) (see chart 3).
Respondents viewed external threats, either to the cloud service provider’s infrastructure (70 percent) or their own infrastructure (60 percent), as the greatest threats surrounding cloud computing (see chart 4)
Nearly three-quarters (71 percent) of respondents view compliance with FBI CJIS security policies as a “make-or-break” requirement for cloud service providers, and 74 percent view the requirement that employees of cloud providers pass criminal background checks as “very important.” More than half of respondents indicated that they were “very familiar” (23 percent) or “somewhat familiar” (35 percent) with FBI CJIS security policies, but 10 percent had no knowledge of the policies, and nearly one-third (32 percent) indicated they were aware of but not familiar with them.
Eighty-nine percent of respondents indicated that cloud providers must abstain from mining of their data, and 87 percent of respondents supported having the IACP develop model clauses for cloud procurement contracts banning inappropriate or unauthorized use of customer data by cloud providers and reinforcing the confidentiality and security requirements of law enforcement data
Guiding Principles on Cloud Computing for Law Enforcement
The IACP also released Guiding Principles on Cloud Computing for Law Enforcement. Developed in collaboration with experts from SafeGov.org and key law enforcement subject matter experts from around the United States, the principles establish clear and concise parameters and a path forward for the exploration of cloud-based computing solutions and services by law enforcement. The principles cover such issues as ensuring that
- cloud providers comply with FBI CJIS security policies;
- law enforcement agencies retain ownership of their data;
- the cloud provider does not mine or otherwise process or analyze their data for any purpose not explicitly authorized by the law enforcement agency;
- regular audits are scheduled and conducted on the use and access to their data, and compliance with the terms of any agreement;
- data are portable and interoperable with other systems;
- the cloud provider will maintain the physical and logical integrity of the data and ensure their ongoing confidentiality, availability, reliability, and performance; and
- the terms of the agreement and the service provided survive irrespective of the commercial viability of the service providers or changes in operations, ownership, structure, and so forth. The Guiding Principles document also provides sample contractual language that agencies may consider using in contracts or service-level agreements.
The IACP will be working in the coming months to develop model policies associated with cloud computing through the IACP National Law Enforcement Policy Center. Model policies are expected to be released at the annual IACP conference, October 19–23, 2013, in Philadelphia, Pennsylvania.
More details regarding preliminary survey figures and the Guiding Principles on Cloud Computing for Law Enforcement are available on the IACP website at http://www.theiacp.org/About/PressCenter/CloudComputing/tabid/1113/Default.aspx (accessed February 8, 2013). ♦
Please cite as:
David J. Roberts, "Cloud Computing in Law Enforcement: Survey Results and Guiding Principles," Technology Talk, The Police Chief 80 (March 2013): 56–58.