Criminal Justice Information Services (CJIS)

Access Context Manager

Apigee

Artifact Registry

BigQuery

Certificate Authority Service

Cloud Build

Cloud Composer

Cloud DNS

Cloud External Key Manager (Cloud EKM)

Cloud HSM

Cloud Identity

Cloud Interconnect

Cloud Key Management Service

Cloud Logging

Cloud Monitoring

Cloud NAT (Network Address Translation)

Cloud Router

Cloud Run

Cloud SQL

Cloud Storage

Cloud VPN

Compute Engine

Connect

Dataflow

Dataproc

Filestore

Firestore

GKE Hub

GKE Identity Service

Google Admin Console

Google Kubernetes Engine

Identity and Access Management

Identity-Aware Proxy

Memorystore for Redis

Network Connectivity Center

Persistent Disk

Pub/Sub

Resource Manager

Secret Manager

Sensitive Data Protection

Service Mesh

Spanner

Text-to-Speech

Virtual Private Cloud

VPC Service Controls

Calendar

Docs

Drive

Forms

Gmail

Google Chat

Google Meet

New Sites

Sheets

Slides

An independent third-party attestation organization recently assessed Google Cloud’s CJIS security controls and found that Google Cloud successfully enables CJIS compliance. The Google Cloud compliance team can also provide detailed compliance narratives demonstrating how Google Cloud satisfies CJISSECPOL requirements applicable to Cloud Service Providers. 

Additionally, if requested by a customer or state CJIS Systems Agency, Google Cloud will execute a Management Agreement that provides customers with detailed information on how Google Cloud enables compliance with the CJIS Security Policy, the responsibilities of each party, which cloud services are covered, and many other important provisions. You can request a copy of the Google Cloud CJIS Management Agreement by emailing cjis@google.com.

Yes. Google Cloud enables customers to restrict CJIS workloads to US-only regions. Google will store your data at rest in accordance with our Service Specific Terms.

In states where Google employees may have unescorted access to unencrypted CJI, Google works with the CSA (or a local agency) to ensure personnel who may have unescorted access to a state’s unencrypted CJI undergo fingerprint-based FBI background checks (in addition to the FBI’s national criminal history report). Qualifying Google personnel will submit FD-258 fingerprint cards, along with any required documentation, to each CSA.

This process ensures that authorized personnel will be granted unescorted access only after completing the background check and CJIS security awareness training.

Google has implemented zero trust at the core of our services and our operations; our infrastructure does not assume any trust between the services that are running on it. In other words, every resource access request is inspected, authenticated, and verified as if it originates from an untrusted network.

Additionally, customer environments within Google Cloud are logically segregated to prevent users and customers from accessing resources not assigned to them. Customer data (including CJI) is logically segregated by domain to allow data to be produced for a single tenant. The ability of Google Cloud to protect customer data in this manner, while also allowing for more rapid feature development and customer cost benefits, makes it the better choice for government customers. 

Lastly, all customer data in transit is encrypted and data is encrypted at rest, by default, for ALL customers. This ensures that there are multiple layers of defense in a multi-tenant cloud architecture and provides strong isolation for all customers.

No. Since Google provides customer managed encryption keys and personnel data access controls restricting CJI access, confidential computing is not required for CJIS on Google Cloud. However, customers can still utilize confidential computing as a supplemental security control on top of the secure and restricted environment Google offers for CJIS customers.

Google Cloud uses a FIPS 140-2 (see FIPS 140-2 compliance page) validated encryption module called BoringCrypto (certificate 4407) in our production environment. This means that both data in transit (to the customer and between data centers) and data at rest is encrypted by default using FIPS 140-2 validated encryption. 

The module that achieved FIPS 140-2 validation is part of our BoringSSL library. This allows customers to maintain FIPS compliance while choosing from a variety of Cloud Key Management offerings such as Google Managed Keys, Customer Managed Encryptions Keys, and External Key Management. Since Google Cloud uses this level of encryption by default for data at rest and in transit, customers can inherit FIPS 140-2 encryption and eliminate the requirement to run products and services in FIPS mode.

Google is aware of the CJISSECPOL requirement to implement cryptographic modules which are FIPS 140-3 certified. The approved cryptographic modules that Google Cloud leverages are under review for FIPS 140-3 compliancy, and Google already has plans in place to replace the FIPS 140-2 algorithm prior to its certificate sunset in September 2026.

Note: It is also important to note that there is no universal definition or standard regarding what constitutes a GovCloud. 

Google has invested in a layered security approach to its public cloud infrastructure, providing features like encryption and strong personnel data access controls. This provides the strong security posture required to meet the stringent requirements of the CJIS Security Policy while also enabling customers to leverage the ongoing product innovations of public cloud.

Google’s implementation of the aforementioned controls (and many others) complies with FedRAMP Moderate and FedRAMP High requirements and has been recognized by the Joint Authorization Board (JAB). 

In fact, an isolated GovCloud is the exact type of divided cloud architecture that the Office of Management and Budget (OMB) recommends moving away from in M-24-15 (‘Modernizing the Federal Risk and Authorization Management Program (FedRAMP)’):

“FedRAMP should not incentivize or require commercial cloud providers to create separate, dedicated offerings for Federal use, whether through its application of Federal security frameworks or other program operations. The Federal Government benefits from the investment, security maintenance, and rapid feature development that commercial cloud providers give to their core products to succeed in the marketplace. Commercial providers similarly are incentivized to integrate improved security practices that emerge from their engagement with FedRAMP into their core services, benefiting all customers.”

At Google Cloud, we believe that trust is created through transparency, and we want to be transparent about our commitments and what you can expect when it comes to our shared responsibility for protecting and managing your data in the cloud.

When you use Google Workspace or Google Cloud:

1. You own your data, not Google
2. Google does not sell customer data to third parties
3. Google Cloud does not use customer data for advertising
4. All customer data is encrypted by default
5. We guard against insider access to your data
6. We never give any government entity "backdoor" access
7. Our privacy practices are audited against international standards

See the Cloud Data Processing Addendum (CDPA) for further details on our data processing commitments.