Criminal Justice Information Services (CJIS)

The U.S. Federal Bureau of Investigation’s (FBI) Criminal Justice Information Services (CJIS) Division provides federal, state, local, and tribal agencies with guidance on how to protect criminal justice information (CJI) when using cloud service providers (CSPs) like Google Cloud.

Customers can achieve compliance with v6.0 of the CJIS Security Policy on Google Cloud by leveraging Data Boundary via Assured Workloads and Assured Controls for Google Workspace.

Introduction to CJIS

The FBI CJIS Division oversees many national databases that are leveraged by Criminal Justice Agencies (CJAs) across the country. Much of the data maintained in these databases is considered to be Criminal Justice Information (CJI), and is subject to protection from unauthorized use and release. The CJIS Security Policy (“CJISSECPOL”), published by the FBI CJIS Division, provides the minimum set of security requirements for protecting and safeguarding CJI.

The FBI also provides a Requirements Companion Document that highlights recent changes to the CJIS Security Policy and helps identify security roles and responsibilities for entities who access CJI. While the CJA accessing CJI is always ultimately accountable for ensuring CJIS compliance, the Requirements Companion Document guides the CJA in determining who (e.g., FBI CJIS Division, CJA, Service Provider, etc.) has the technical capability to ensure a particular requirement is being met. 

Customers can use Data Boundary via Assured Workloads and Assured Controls for Google Workspace to achieve compliance with v6.0 of the CJIS Security Policy. Google Cloud’s compliance with v6.0 has been independently assessed and validated by Coalfire, a Third-Party Assessment Organization (3PAO). We have also made available a CJIS Implementation Guide to simplify customer compliance with CJIS v6.0. Additional compliance information can also be provided on request to demonstrate how Google Cloud satisfies CJISSECPOL requirements applicable to Cloud Service Providers. 

Google Cloud also attends meetings of the CJIS Advisory Policy Board and reviews new versions of the CJIS Security Policy and the Requirements Companion Document to ensure that our policies and procedures are compliant with any changes.

Google Cloud and CJIS Compliance

Google Cloud

Google Cloud’s Data Boundary via Assured Workloads provides a modern approach for customers to achieve compliance with v6.0 of the CJIS Security Policy and enables compliance with additional frameworks such as FedRAMP High and Department of Defense IL2 / IL4 / IL5.

Data Boundary via Assured Workloads takes a zero-trust, software-driven approach to regulatory compliance. It helps customers meet strict government cloud compliance requirements, while providing the performance, scale, service availability, cost, and reliability benefits that customers may forgo when using physically separated cloud architectures. Public sector customers and criminal justice agencies (CJAs) can leverage Data Boundary via Assured Workloads to process, store, and transmit CJI in their Google Cloud environment and can fill out this form to request a free trial.

Data Boundary via Assured Workloads simplifies security and compliance for state, local, tribal and federal law enforcement (and any other criminal justice or non-criminal justice users of CJI) by:

  • Setting data location controls to restrict CJIS workloads to US-only regions (“data residency”)
  • Restricting unescorted access to unencrypted CJI to US persons located in the US who have completed fingerprint-based background checks by a state CJIS Systems Agency (CSA) or CJA
  • Enabling the use of customer-managed encryption keys (CMEK), hosted either on Google Cloud or using an External Key Manager
  • Allowing customers to gain control and visibility over administrative access
  • Continuously monitoring customer environments for compliance violations

Google Workspace

Assured Controls for Google Workspace allows organizations to meet organizational and compliance requirements, whether that involves limiting Google personnel access to customer data, or ensuring that the location of customer data is restricted to the United States.

Customers looking to deploy CJIS solutions using Google Workspace can use Assured Controls to set policies in alignment with the CJIS Security Policy. A configuration guide for CJIS solutions on Google Workspace can be found here.

Google Personnel and CJIS Screening

Customers in all 50 states and DC can confidently host or migrate CJIS applications to Google Cloud, assured of our ability to support customer implementations and demonstrate compliance with the CJIS Security Policy.

Google Cloud’s CJIS-scoped personnel have been vetted in the following states that support centralized vetting: Alabama, Alaska, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, North Carolina, North Dakota, Oklahoma, Pennsylvania, Tennessee, Utah, Washington, West Virginia, and Wyoming.

Our personnel are ready to undergo background checks in all other states. To learn more about how our personnel can be vetted in a state not listed above, please reach out to your state CSA or to cjis@google.com.

FAQs

An independent third-party assessment organization recently evaluated Google Cloud’s security controls and found that Google Cloud successfully enables compliance with v6.0 of the CJIS Security Policy. 

If requested by a customer or state CJIS Systems Agency (CSA), Google Cloud will execute a Management Agreement that provides customers with detailed information on how Google Cloud enables compliance with the CJIS Security Policy, the responsibilities of each party, which cloud services are covered, and many other important provisions. You can request a copy of the Google Cloud CJIS Management Agreement by emailing cjis@google.com.

The Google Cloud compliance team can also provide detailed compliance narratives demonstrating how Google Cloud satisfies CJISSECPOL requirements applicable to Cloud Service Providers.

Yes. Google Cloud enables customers to restrict CJIS workloads to US-only regions through Assured Workloads and Assured Controls. Google will store your data at rest in accordance with our Service Specific Terms.

Google works with state CSAs (or local agencies) to ensure Google personnel who may have unescorted access to a state’s unencrypted CJI undergo fingerprint-based background checks consistent with the CJIS Security Policy. In-scope Google personnel will submit FD-258 fingerprint cards, along with any required documentation, to each CSA or local agency.

This process ensures that in-scope personnel will be granted unescorted access to unencrypted CJI only after completing the fingerprint-based background check, completing CJIS Security Awareness training, and signing the CJIS Security Addendum.

Google has implemented zero trust at the core of our services and our operations; our infrastructure does not assume any trust between the services that are running on it. In other words, every resource access request is inspected, authenticated, and verified as if it originates from an untrusted network.

Customer environments within Google Cloud are also logically segregated to prevent users and customers from accessing resources not assigned to them. Customer data (including CJI) is logically segregated by domain to allow data to be produced for a single tenant. The ability of Google Cloud to protect customer data in this manner, while also allowing for more rapid feature development and customer cost benefits, makes it the better choice for government customers.

Yes. Google Cloud uses a FIPS 140-3 validated encryption module called BoringCrypto (certificate 4735) in our production environment. Google Cloud encrypts all customer content stored at rest and in transit between our facilities, without any action required from the customer, using one or more encryption mechanisms.

This allows customers to maintain compliance with the CJIS Security Policy while choosing from a variety of Cloud Key Management offerings such as Google Managed Keys, Customer-Managed Encryption Keys, and External Key Management. Since Google Cloud uses this level of encryption by default for data at rest and in transit, customers can inherit FIPS 140-3 validated encryption and eliminate the requirement to run products and services in FIPS mode.

No. Since Google provides customer-managed encryption keys and restricts unescorted access to unencrypted CJI to CJIS-scoped personnel who have been appropriately screened, confidential computing is not required for CJIS on Google Cloud. However, customers can choose to utilize confidential computing on top of the secure and restricted CJIS Data Boundary.

The CJIS Security Policy does not require the use of a Government Cloud (‘GovCloud’) and there is no definition in the CJIS Security Policy or standard regarding what constitutes a GovCloud. Google Cloud’s CJIS Data Boundary supports customer compliance with the CJIS Security Policy and Google Cloud’s compliance has been validated by an independent third-party assessment organization and numerous state CSAs. 

Google has invested in a layered security approach to its public cloud infrastructure, providing features like encryption and strong personnel data access controls. This, along with the zero-trust implementation described above, provides the strong security posture required to meet the stringent requirements of the CJIS Security Policy while also enabling customers to leverage the ongoing product innovations of public cloud.

Google’s implementation of the aforementioned controls (and many others) complies with FedRAMP Moderate and FedRAMP High requirements and has been recognized by the Joint Authorization Board (JAB). 

We see validation of our approach in Office of Management and Budget (OMB) Memo M-24-15 (‘Modernizing the Federal Risk and Authorization Management Program (FedRAMP)’), which recommends federal agencies move away from isolated GovCloud architectures:

“FedRAMP should not incentivize or require commercial cloud providers to create separate, dedicated offerings for Federal use, whether through its application of Federal security frameworks or other program operations. The Federal Government benefits from the investment, security maintenance, and rapid feature development that commercial cloud providers give to their core products to succeed in the marketplace. Commercial providers similarly are incentivized to integrate improved security practices that emerge from their engagement with FedRAMP into their core services, benefiting all customers.”

Yes, Google Cloud customers own their customer data when using Google Cloud or Google Workspace. See the Cloud Data Processing Addendum (CDPA) and our Privacy Resource Center for details on our data processing commitments.
