Criminal Justice Information Services (CJIS)
CJIS overview
The Criminal Justice Information Services (CJIS) Division of the US Federal Bureau of Investigation (FBI) gives state, local, and federal law enforcement and criminal justice agencies access to criminal justice information (CJI), such as fingerprint records and criminal histories. Law enforcement and other government agencies in the United States must ensure that their use of cloud services for the transmission, storage, or processing of CJI complies with the CJIS Security Policy, which establishes the minimum security requirements and controls needed to safeguard CJI.
The CJIS Security Policy integrates presidential and FBI directives, federal laws, and the criminal justice community's Advisory Policy Board decisions, along with guidance from the National Institute of Standards and Technology (NIST). The CJIS Security Policy is updated periodically to reflect evolving security requirements.
The CJIS Security Policy defines areas that private contractors such as cloud service providers must evaluate to determine if their use of cloud services can be consistent with CJIS requirements. These areas correspond closely to control families in NIST SP 800-53, which is also the basis for the US Federal Risk and Authorization Management Program (FedRAMP). The FBI CJIS Information Security Officer (ISO) Program Office has published a security control mapping of CJIS Security Policy requirements to NIST SP 800-53. The corresponding NIST SP 800-53 controls are listed for each CJIS Security Policy section.
A CJIS Security Addendum is a uniform agreement approved by the US Attorney General that helps ensure the security and confidentiality of CJI required by the Security Policy. It commits the contractor to maintaining a security program consistent with federal and state laws, regulations, and standards. The addendum limits the use of CJI to the purposes for which a government agency provided it.
Azure and CJIS Security Policy
Microsoft will sign the CJIS Security Addendum in states with CJIS Information Agreements. These agreements tell state law enforcement authorities responsible for compliance with CJIS Security Policy how Microsoft's cloud security controls help protect the full lifecycle of data and ensure appropriate background screening of operating personnel with access to CJI.
Microsoft has signed agreements with nearly all 50 states and the District of Columbia; the exceptions are the following states: Delaware, Louisiana, Maryland, Ohio, South Dakota, and Wyoming. Microsoft continues to work with state governments to enter into CJIS Information Agreements.
Microsoft's commitment to meeting the applicable CJIS regulatory controls helps criminal justice organizations comply with the CJIS Security Policy when implementing cloud-based solutions. Microsoft can accommodate customers subject to the CJIS Security Policy requirements in:
- Azure Government
- Dynamics 365 US Government
- Office 365 GCC
Microsoft has assessed the operational policies and procedures of Microsoft Azure Government, Dynamics 365 US Government, and Office 365 GCC, and will attest in the applicable services agreements to their ability to meet FBI requirements.
- Learn about Azure Government support for public safety and justice, including CJIS Security Policy requirements. That article discusses technologies you can use to safeguard CJI stored or processed in Azure services, including data encryption with Azure Key Vault, which lets you retain sole control over the encryption keys.
- Learn about the benefits of CJIS support on the Microsoft Cloud: read how Genetec cleared criminal investigations using Azure Media Services.
Attestation documents
The FBI does not certify cloud services for compliance with CJIS requirements. Instead, a Microsoft attestation is included in agreements between Microsoft and a state's CJIS authority, and between Microsoft and its customers.
Frequently asked questions
Where can I request compliance information?
Contact your Microsoft account representative for information on the jurisdiction you are interested in. Contact cjis@microsoft.com for information on which services are currently available in your state.
How does Microsoft demonstrate that its cloud services enable compliance with my state's requirements?
Microsoft signs an Information Agreement with a state CJIS Systems Agency (CSA); you may request a copy from your state's CSA. In addition, Microsoft provides you with in-depth security, privacy, and compliance information. For example, you can review audit reports prepared by independent, third-party auditors. These audit documents validate that Microsoft has implemented security controls (such as NIST SP 800-53 controls) appropriate to the relevant audit scope. A good place to start is the Azure FedRAMP compliance offering. Finally, as described in Public safety and justice in Azure Government, Azure provides you with strong tenant isolation assurances, including the ability to encrypt CJI and retain sole control over the encryption keys.
Where do I start with my agency's compliance effort?
The CJIS Security Policy covers the requirements that your agency must address to protect CJI. In addition, your Microsoft account representative can put you in touch with Microsoft subject matter experts familiar with the requirements of your jurisdiction.
Resources
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- Microsoft government solutions
- Microsoft for public safety and justice
- Criminal Justice Information Services (CJIS)
- CJIS Security Policy
- NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
- Azure FedRAMP compliance offering