Customer uses Certes’ high assurance encryption overlay to achieve a FIPS certified CJIS compliant network.

Customer Situation

Columbia County Sheriff’s Office is a law enforcement agency based in the State of Florida.

Their data network is comprised of six sites connected over a carrier provided MPLS backbone. The MPLS network delivered Service Level Agreement (SLA) on prioritization of delay sensitive traffic to ensure high quality voice over IP and video over IP traffic.  Also required was support for multicast applications in use on the Sheriff’s Office network.

The six locations consist of:

  • Central Administration
  • Data Center
  • The County Jail
  • Dispatch
  • The Courthouse
  • The Task Force

Each location other than the Central Administration site is unmanned in terms of IT skills and requires an engineer callout on any issues at each site.

The Challenge

The Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) division enforces a security policy that specifies that all Criminal Justice Information (CJI) in transit should be encrypted when it moves across data network connectivity that sits outside of a trusted location, meaning when wide area connectivity such as MPLS, VPLS, SD-WAN, Dark Fiber, Metro-E, Microwave or Long range WiFi is used.

Being a Law Enforcement agency, Columbia County Sheriff’s office requires access  to CJI, which is shared from one location to another. Therefore it must comply with the CJIS Security Policy.

In addition to deploying an encryption technology, the CJIS Security Policy states that the standard to be deployed must be FIPS-140-2 certified encryption.

In addition, recommendations are made that:

  • An encryption key management control process should ensure only authorized users have access to encryption keys. The most practical way to meet this recommendation was to ensure that encryption keys were owned and managed by the Sheriff’s Office.

The final challenge for the Sheriff’s office was that any standard encryption solution would;

Remove the ability for the carrier to see the Quality of Service (QoS) markings on the data traffic that allows them to prioritize delay sensitive traffic needed to meet their SLA.

  • Introduce delay to network traffic
  • Not support multicast applications
  • Remove infrastructure and configuration changes to the existing network
  • Require additional costs for licenses on the firewalls, routers or switches

The Solution

Certes’ High Assurance Encryption Overlay was deployed utilizing Certes Layer 4 patented encryption.  

A single instance of the CryptoFlow® Net Creator Orchestration platform was deployed at the Administration/Data Center as a virtual machine to enable centralized management for all deployed enforcement points. 

At each site a Certes Enforcement Point (CEP) was deployed. The process was simple in terms of planning and execution as the following three step process was used:

  1. The Certes physical appliance which would run as an enforcement point was deployed at each location behind the WAN router. This was a simple task of unplugging the LAN connection and inserting the Certes device during a scheduled change window.
  2. A management IP address was configured on each CEP device, and the device was added to the Orchestration platform.
  3. Each enforcement point was adopted, a policy was created to encrypt all traffic between sites using an Easy-Mesh layer 4 policy, and the policy was pushed to the enforcement points.

Once the CEP’s were deployed over a period of one week (across all 6 locations), the adding of the devices and the pushing of a policy to encrypt the required data took less than an hour, creating a very happy customer.

In addition to the technical deployment, the Sheriff’s Office was also provided with all the supporting documentation for inclusion within their CJIS Audit Documentation Set which would enable them to provide evidence to a CJIS auditor that technology controls were deployed in accordance with the requirements of the CJIS Security Policy.

Key Benefits

    • Quick and easy deployment enabling the Sheriff’s Office to quickly react to and meet the requirements of the CJIS Security Policy.
    • The Sheriff’s Office retains ownership and control of all encryption keys and can automatically rotate (change) the keys in use every hour with Zero impact to traffic and with Zero touches required.
    • Certes Patented Layer 4 Encryption is an ‘Overlay’ and fully transparent to the network and Service Provider, resulting in no impact to SLA’s, traffic performance or multicast application traffic.
    • Subscription based pricing with low cost of entry but fully scalable and upgradeable to meet future requirements.
Columbia County Network - FIPS Certified and CJIS Compliant
All Certes units meet the FIPS 140-2 requirements of the CJIS Security Policy

Download the Case Study now to learn more about the County’s CJIS Audit Challenges in our interview with Wayne Craig, Director of IT at Columbia County Sheriff’s Office.


Case Study

Columbia County – FIPS Certified & CJIS Compliant
Customer uses Zero-Trust WAN to maintain existing networks and achieve CJIS compliance.

Want to learn more?

One of our team members would be happy to help!