New CJIS Implementation Guidelines to assist law enforcement achieve security in the Microsoft cloud

Kit McDonald

Microsoft has made substantial efforts to work in compliance with The Criminal Justice Information Services (CJIS), a division of the US Federal Bureau of Investigation that works with sharing information pertaining to law enforcement. This includes, but isn’t limited to, fingerprint records, criminal histories, and other uses that government agencies must process, store, and share between each other.

Cloud service providers and contractors must be thoroughly evaluated to meet the CJIS requirements to make sure that they meet all regulations and standards. Microsoft signed the Security Addendum and met the expectations for Azure Government, Office 365 U.S. Government, and Dynamics CRM Online Government.

Today, Microsoft has released a PDF file of the CJIS Implementation Guidelines for Microsoft Government Cloud Services. This document is meant to provide the public and curious parties an understanding of how CJIS sSystems Agencies and other law enforcement agencies can use the cloud. Providing guidance helps Microsoft assist the government and establishes their cloud services as secure. One step beyond, Microsoft’s Shared Responsibility Matrix can identify responsibility ownership and gives recommendations how the law can implement controls to meet the requirements of the DJIS security expectations.

The guidelines in this document are designed to assist CJIS Systems Officers (CSO), CJIS Information Security Officers (CISO) and Local Agency Security Officers (LASO) with the following:

  • Understanding and performing the control responsibilities of all parties as defined by individual cloud services within the Microsoft Government Cloud. These are based on requirements in the CJIS Security Policy. This includes recommendations for which the LASOs are responsible.
  • Understanding the employee background check process managed by state CSA or delegated entity.
  • Obtaining audit information available for FBI or CSA audit.
  • Conducting security incidence response

Microsoft wants to keep a level of transparency for their customers, emphasizing in the document that the Microsoft Cloud is built on trust. With agreements signed up in up to 19 states across the U.S., Microsoft’s Government Cloud continues to stay committed to meeting applicable CJIS regulation to provide better security for all of their customers.