The Microsoft approach to CJIS compliance
From criminal histories to fingerprint records to sexual offender registrations, U.S. law enforcement agencies rely on a wide range of FBI data to solve crime. And to access this data, they need to comply with the FBI’s Criminal Justice Information Services (CJIS) security policy, which includes strict requirements for how this data is protected.
A major reason why law enforcement agencies have been slow to move to the cloud is the need to comply with the CJIS security policy in the cloud just like they do within their own datacenters. The good news is that the Microsoft Cloud for Government breaks down this barrier. We take a rigorous approach to CJIS compliance in the cloud—much more rigorous, in fact, than any other enterprise cloud services provider on the market. Because of these commitments, law enforcement agencies at the local, state, and federal levels can now take advantage of the many benefits that the cloud provides.
Microsoft’s approach to CJIS compliance differs in three important ways from other leading cloud providers. First, Microsoft is the only major cloud platform that’s contractually committed to meeting CJIS requirements for federal, state, and local governments. While other cloud providers have simply stated that they’ve read and met the requirements of the CJIS security addendum, there’s been no third-party validation of these statements. In contrast, Microsoft has been continually working on the ground with federal and state regulators to address CJIS compliance, signing contractual agreements that legally commit the company to meeting these requirements.
By signing these agreements, we’re entering into dedicated, ongoing partnerships with our customers. We’re contractually committed to conduct background checks on all Microsoft employees who work in government datacenters. We’re required to provide datacenter audit information. And we’re dedicated to working together with our partners on an ongoing basis to improve law enforcement security as requirements change. In short, we’re sitting together at the same table with our customers, sharing both the risk and the responsibility.
Second, we’re the only cloud vendor to develop a completely separate cloud platform dedicated to our US federal, state, and local government clients. Unlike other cloud providers that rope off a corner of their commercial cloud platform and declare it their government cloud, Microsoft delivers completely separate datacenters that aren’t in any way connected to our commercial datacenters. Government information is kept only within these separate datacenters, which are built with the most stringent security controls that meet the CJIS security policy and other government security requirements. By developing a separate government cloud, we’ve provided an important layer of protection for law enforcement agencies.
Another way in which our approach differs from our competitors is that Microsoft is transparent about how it’s meeting CJIS security policy requirements. At Microsoft, we openly share our security strategy so that government leaders and security experts can evaluate the strength of our commitments. This isn’t the case with some of the other cloud providers on the market. For example, Amazon requires customers to sign a non-disclosure agreement to start a CJIS compliance discussion. This doesn’t do much to increase government confidence in the cloud. We believe security commitments should be transparent.
Law enforcement agencies recognize Microsoft’s commitment to security, and they’ve been responding. Roughly 3 million entities now use the Microsoft Cloud for Government, many of which are law enforcement agencies. Moreover, third-party vendors—from VIEVU to NC4 to PublicEye—have been building new solutions on the Microsoft Azure government platform in large part because of our industry-leading commitment to security.
At Microsoft, we understand that compliance with the CJIS security policy is a crucial priority for law enforcement agencies across the US. It’s not just a check box, but an ongoing commitment—one that we take very seriously.
To learn more, please visit the Microsoft in Government website.