The Criminal Justice Information Services (CJIS) Division of the US Federal Bureau of Investigation (FBI) gives state, local, and federal law enforcement and criminal justice agencies access to criminal justice information (CJI) – for example, fingerprint records and criminal histories. Law enforcement and other government agencies in the United States must ensure that their use of cloud services for the transmission, storage, or processing of CJI complies with the CJIS Security Policy, which establishes minimum security requirements and controls to safeguard CJI.
The CJIS Security Policy integrates presidential and FBI directives, federal laws, and the criminal justice community's Advisory Policy Board decisions, along with guidance from the National Institute of Standards and Technology (NIST). The CJIS Security Policy is updated periodically to reflect evolving security requirements.
In addition to the controls each law enforcement or criminal justice agency is responsible for evaluating, the CJIS Security Policy defines areas that private contractors such as cloud service providers (CSP) must evaluate to determine if their use of cloud services can be consistent with CJIS requirements. These areas correspond closely to control families in NIST SP 800-53, which is also the basis for the US Federal Risk and Authorization Management Program (FedRAMP). The FBI CJIS Information Security Officer (ISO) Program Office has published a security control mapping of CJIS Security Policy requirements to NIST SP 800-53. The corresponding NIST SP 800-53 controls are listed for each CJIS Security Policy section.
A CJIS Security Addendum is a uniform agreement approved by the US Attorney General that helps ensure the security and confidentiality of CJI required by the Security Policy. It commits the contractor to maintaining a security program consistent with federal and state laws, regulations, and standards. The addendum limits the use of CJI to the purposes for which a government agency provided it.
In October 2022, the CJIS Security Policy was updated to v5.9.1, which provided important clarifications for the safeguarding of CJI in a cloud computing environment. Two areas with significantly updated guidance are related to personnel screening and data encryption with customer managed keys (CMK). For example, Section 5.12.1 Personnel Screening Requirements for Individuals Requiring Unescorted Access to Unencrypted CJI provides important supplemental guidance, as follows:
For cloud computing services that involve the storage, processing, or transmission of CJI, Section 5.12 security terms and requirements apply to all CSP personnel when their unescorted logical or physical access to any information system results in the ability, right, or privilege to view, modify, or make use of unencrypted CJI. As described in Section 5.12 for IaaS and PaaS implementations, when law enforcement agency maintains sole access to the encryption keys and CSP personnel have no ability, right, or privilege to view modify, or make use of unencrypted CJI, then fingerprint-based background checks may not be required for CSP personnel to comply with the CJIS Security Policy.
As stated in the CJIS Security Policy Executive Summary regarding the use of data encryption, the essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether in transit or at rest. However, one of the scenarios described in Appendix G.3 Cloud Computing states that "since the CJI is decrypted within the cloud’s virtual environment, any administrative personnel employed by the cloud provider having the ability to access the virtual environment must be identified and subjected to security awareness training and personnel security controls as described in the CJIS Security Policy." This reasoning implies that full protection of CJI in a cloud computing environment that obviates the need for CSP personnel fingerprint-based background checks requires not just data encryption in transit and at rest but also data encryption in use, with law enforcement agencies having sole control over encryption keys at every stage. Data encryption in use requires some form of a hardware-based trusted execution environment (TEE), also known as an enclave in confidential computing. With this approach, when data is in the clear, which is needed for efficient data processing in memory, the data is protected inside a TEE with no possibility of unauthorized external access.
In summary, the CJIS Security Policy version 5.9.1 introduced important clarifications for scenarios that require CSP personnel fingerprint-based background checks and placed additional emphasis on the responsibility of agencies to encrypt CJI in transit, at rest, and in use while maintaining sole control over encryption keys.
If you use cloud computing services to store, process, or transmit CJI, then CSP personnel fingerprint-based background checks may not be required to comply with the CJIS Security Policy if you:
There are other important requirements outlined in the CJIS Security Policy, including the need to store and process CJI in the United States. However, with the aforementioned approach, CSP personnel have no logical or physical access to any information system resulting in the ability, right, or privilege to view, modify, or make use of unencrypted CJI.
In December 2022, the CJIS Security Policy v5.9.2 introduced important revisions in Section 5.6 Identification and Authentication (IA) and Section 5.15 System and Information Integrity (SI) among other changes. Of particular significance to law enforcement and criminal justices agencies using cloud services for the transmission, storage, or processing of CJI are the updated multi-factor authentication (MFA) requirements for identification and authentication of organizational users. For example, MFA is required at Authenticator Assurance Level 2 (AAL2), as described in the National Institute of Standards and Technology (NIST) SP 800-63 Digital Identity Guidelines. Moreover, authenticators and verifiers operated at AAL2 shall be validated to meet the requirements of the Federal Information Processing Standard (FIPS) 140 Level 1.
For cloud workloads that must comply with the CJIS Security Policy, Microsoft provides you with a choice of cloud environments: Azure or Azure Government. The decision will rest with you based on your business needs.
The US Federal Risk and Authorization Management Program (FedRAMP) was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. FedRAMP is based on the NIST SP 800-53 standard, augmented by FedRAMP controls and control enhancements. The areas defined in the CJIS Security Policy correspond closely to control families in NIST SP 800-53. As mentioned previously, the FBI CJIS Information Security Officer (ISO) Program Office has published a security control mapping of CJIS Security Policy requirements to NIST SP 800-53. The corresponding NIST SP 800-53 controls are listed for each CJIS Security Policy section. Therefore, you can use a FedRAMP audit to gain insight into CSP's control implementation details that are relevant for the CJIS Security Policy requirements. Both Azure and Azure Government maintain a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB).
Both Azure and Azure Government can help you meet your CJIS Security Policy compliance requirements. These two cloud environments have the same controls for data protection, including the ability to help you maintain sole control over encryption keys when encrypting CJI in transit, at rest, and in use. Both Azure and Azure Government enable you to select United States regions into which CJI and corresponding cloud services will be deployed. For more information about location of customer data, tenant separation, data encryption, multi-factor authentication, restrictions on insider access, and more, see the following guidance document:
All Azure and Azure Government employees in the United States are subject to Microsoft background checks. For more information, see Screening. However, Azure operations personnel aren't subject to fingerprint-based background checks mandated by the CJIS Security Policy, so there's extra burden on you to implement CJI encryption that precludes Azure operations personnel access to unencrypted CJI while in transit, at rest, and in use. In contrast, Azure Government provides you with an extra layer of protection through contractual commitments that limit potential access to systems processing your data to screened US persons that have completed fingerprint-based background checks and criminal records checks to address CJIS Security Policy requirements.
Contact a licensing specialist or your Microsoft account team for access to a Microsoft CJIS customer agreement. Microsoft provides separate CJIS customer agreements for Azure and Azure Government. These agreements specify how certain requirements of the CJIS Security Policy will be fulfilled, what Microsoft responsibilities are, which cloud services are covered, and many other important provisions.
Azure as a cloud service environment is sometimes referred to as Azure commercial, Azure public, or Azure global. Even though Azure infrastructure is globally distributed, Microsoft provides strong customer commitments regarding cloud services data residency and transfer policies. Most Azure services are deployed regionally and enable you to specify the region into which the service will be deployed, for example, United States. This commitment helps ensure that CJI stored in a US region will remain in the United States and won't be moved to another region outside the United States.
The CJIS Security Policy v5.9.1 updates released in October 2022 indicate that state, local, and federal law enforcement and criminal justice agencies can meet the policy requirements through technical controls under their purview. Consequently, you can use Azure for CJI workloads and not have to rely on fingerprint-based background checks for CSP personnel if you can encrypt CJI during all data lifecycle stages – in transit, at rest, and in use – while maintaining sole control over encryption keys. You are wholly responsible for the implementation and management of these technical controls to support your compliance with the CJIS Security Policy. For more information, see Azure support for public safety and justice.
Microsoft will sign the CJIS Security Addendum in states with CJIS Management Agreements to support the use of Microsoft government cloud solutions. These agreements tell state law enforcement authorities responsible for compliance with CJIS Security Policy how Microsoft cloud security controls help protect the full lifecycle of data and ensure appropriate background screening of operations personnel with potential access to CJI.
Microsoft has agreements signed with nearly all 50 states and the District of Columbia except for the following states: Delaware, Louisiana, Ohio, South Dakota, and Wyoming. Microsoft continues to work with these state governments to enter into CJIS Management Agreements. The FBI doesn't certify cloud services for compliance with CJIS Security Policy requirements. Instead, a Microsoft attestation is included in agreements between Microsoft and a state's CJIS authority, and between Microsoft and its customers.
Microsoft's commitment to meeting the applicable CJIS regulatory controls help criminal justice organizations be compliant with the CJIS Security Policy when implementing cloud-based solutions. Based on the signed CJIS Management Agreements, Microsoft can accommodate customers subject to the CJIS Security Policy requirements in:
Microsoft has assessed the operational policies and procedures of Microsoft Azure Government, Dynamics 365 US Government, and Office 365 GCC, and will attest to their ability in the applicable services agreements to meet FBI requirements. These cloud environments maintain fingerprint-based background checks on operations personnel with potential access to unencrypted CJI.
For more information about Office 365 compliance, see Office 365 CJIS documentation.
Where can I request compliance information?
Contact your Microsoft account representative for information on the jurisdiction you are interested in. Contact cjis@microsoft.com for information on which services are currently available in your state.
How does Microsoft demonstrate that its cloud services enable compliance with my state's requirements?
For both Azure and Azure Government, see Azure support for public safety and justice for guidance on how to encrypt CJI and retain sole control over encryption keys to address key CJIS Security Policy requirements. Moreover, for Azure Government, Microsoft has signed the CJIS Management Agreements with state CJIS Systems Agencies (CSA) in nearly all 50 states – you may request a copy from your state's CSA. Microsoft also provides you with in-depth security, privacy, and compliance information. For example, you can review audit reports prepared by independent, third-party auditors. These audit reports validate that Microsoft has implemented security controls (such as the NIST SP 800-53 controls) appropriate to the relevant audit scope. A good place to start would be the Azure FedRAMP compliance offering.
The US Federal Risk and Authorization Management Program (FedRAMP) was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. FedRAMP is based on the NIST SP 800-53 standard, augmented by FedRAMP controls and control enhancements. Both Azure and Azure Government maintain a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB).
I am using Azure Government for my CJI workloads. Does that mean that I don't have to worry about CJI safeguarding?
No. Azure Government gives you extra assurances and peace of mind through contractual commitments regarding storage of your data in the United States and limiting potential access to systems processing your data to screened US persons that have completed fingerprint-based background checks and criminal records checks to address CJIS Security Policy requirements. However, you still need to address the CJIS Security Policy requirements regarding CJI protection.
My state doesn't have a CJIS Management Agreement signed with Microsoft. What should I do?
You can use either Azure or Azure Government for your CJI workloads but in either case you would need to ensure that CJI is encrypted while in transit, at rest, and in use with encryption keys under your exclusive control at all times. See Azure support for public safety and justice for guidance on how to encrypt CJI and maintain sole control over encryption keys. Per the updated CJIS Security Policy v5.9.1, if you encrypt CJI in transit, at rest, and in use while maintaining sole control over encryption keys, the CSP personnel fingerprint-based background checks may not be required to comply with the CJIS Security Policy.
Do I need to use confidential computing VMs for IaaS workloads involving CJI?
Our reading of the updated CJIS Security Policy v5.9.1 Appendix G.3 Cloud Computing indicates that the policy is aiming for absolute assurances that CSP personnel can never access the virtualized environment if the requirement for fingerprint-based background checks on CSP personnel were to be removed. Azure doesn't mandate fingerprint-based background checks for operations personnel whereas Azure Government does. Therefore, to ensure compliance with the CJIS Security Policy in Azure, you need to encrypt CJI while in use and maintain sole ownership of encryption keys. The risk of Azure operations personnel access to unencrypted CJI is extraordinarily low as explained in Restrictions on insider access even for guest VM memory crash dumps. Nonetheless, when data is loaded into VM memory for processing, it must be in the clear and the most expedient way to safeguard access with certainty is via confidential computing VMs, which protect data in a hardware-based trusted execution environment (TEE), also known as an enclave.
Where do I start with my agency's compliance effort?
The CJIS Security Policy covers the requirements that your agency must address to protect CJI. In addition, your Microsoft account representative can put you in touch with Microsoft subject matter experts familiar with the requirements of your jurisdiction.