CJIS Implementation: How Microsoft Government is Committed


When it comes to the CJIS Security Policy, Microsoft is committed to providing law enforcement agencies with trusted cloud services that are uniquely equipped to help them meet or exceed their CJIS compliance requirements.

The CJIS Security Policy provides a secure framework of laws, standards, and elements of published and vetted policies for accomplishing the mission across the broad spectrum of the criminal justice and noncriminal justice communities.

While the CJIS Security Policy is to some extent aligned with NIST 800-53 Rev. 4, there are unique CJIS Policy requirements to which law enforcement agencies must adhere. These include:

Security Awareness Training: The Policy requires basic security awareness training within six months of initial assignment, and biennially thereafter, for all personnel who have access to Criminal Justice Information (CJI), including all personnel who have unescorted access to a physically secure location. At Microsoft, we have enhanced our approach to request that all employees with potential access to CJI be trained at the highest security awareness training level, Level 4, prior to being assigned to support CJI, and we contractually commit that the training will be done within 30 days rather than six months.

CJIS Security Addendum: The Policy requires that all private contractors who perform criminal justice functions acknowledge, by signing the CJIS Security Addendum Certification page, and abide by all aspects of the CJIS Security Addendum. At Microsoft, all employees with potential access to CJI have signed the CJIS Security Addendum, as has Microsoft as a corporation, acknowledging the CJIS Security Policy and applicable regulations.

Personnel Security: The Policy requires that all personnel who have access to unencrypted CJI, including those individuals with only physical or logical access to devices that store, process or transmit unencrypted CJI, meet the minimum fingerprint-based background checks within 30 days of assignment. At Microsoft, all employees with access to encrypted or unencrypted CJI are screened, or are in the process of being screened, within 30 days of assignment in the 22 states that Microsoft has attested to meet the applicable CJIS requirements.

Formal Audits: The Policy requires that formal audits be conducted to ensure compliance with applicable statutes, regulations and policies. At Microsoft, the State CJIS Systems Agencies (CSAs) with an Information Agreement shall be permitted to access the Microsoft facilities, applicable records, and Covered Entity Data, as directly related to the Covered Services. If required, the CSA has the right to conduct on-site audits of the covered cloud services, in accordance with the CJIS Policy, to ensure Microsoft is in compliance.

In summary, when you’re thinking about CJIS and digital transformation across government priorities, you should be seeking a partner committed to CJIS compliance today and in the future. Microsoft is the innovator committed to compliance!

For more information on Microsoft's CJIS compliance you can go to this article.

For additional implementation information, review the Microsoft CJIS Implementation Guidelines. This document provides guidelines and resources to assist criminal justice entities in implementing and utilizing Microsoft Government Cloud features.

Comments (1)

  1. anbu says:

    Hi Rochelle, thanks for the useful information. I have a question. I am running VMs on AzureGov and I want to comply with CJIS. Unfortunately, AzureGov does not have antivirus and firewall/IDS extensions like Azure Commercial. How can I install them in order to meet our CJIS compliance? Is there any plan from Microsoft to add these extensions sooner?
