Criminal Justice Information Services (CJIS)

Access Context Manager

Apigee

Artifact Registry

BigQuery

Certificate Authority Service

Cloud Build

Cloud Composer

Cloud DNS

Cloud External Key Manager (Cloud EKM)

Cloud HSM

Cloud Identity

Cloud Interconnect

Cloud Key Management Service

Cloud Logging

Cloud Monitoring

Cloud NAT (Network Address Translation)

Cloud Router

Cloud Run

Cloud SQL

Cloud Storage

Cloud VPN

Compute Engine

Connect

Dataflow

Dataproc

Filestore

Firestore

GKE Hub

GKE Identity Service

Google Admin Console

Google Kubernetes Engine

Identity and Access Management

Identity-Aware Proxy

Memorystore for Redis

Network Connectivity Center

Persistent Disk

Pub/Sub

Resource Manager

Secret Manager

Sensitive Data Protection

Service Mesh

Spanner

Text-to-Speech

Virtual Private Cloud

VPC Service Controls

Calendar

Docs

Drive

Forms

Gmail

Google Chat

Google Meet

New Sites

Sheets

Slides

An independent third-party assessment organization recently evaluated Google Cloud’s CJIS security controls and found that Google Cloud successfully enables CJIS compliance. Google is planning on refreshing this assessment once CJIS Security Policy v6.0 has been published. 

If requested by a customer or state CJIS Systems Agency (CSA), Google Cloud will execute a Management Agreement that provides customers with detailed information on how Google Cloud enables compliance with the CJIS Security Policy, the responsibilities of each party, which cloud services are covered, and many other important provisions. You can request a copy of the Google Cloud CJIS Management Agreement by emailing cjis@google.com.

The Google Cloud compliance team can also provide detailed compliance narratives demonstrating how Google Cloud satisfies CJISSECPOL requirements applicable to Cloud Service Providers.

Yes. Google Cloud enables customers to restrict CJIS workloads to US-only regions through Assured Workloads and Assured Controls. Google will store your data at rest in accordance with our Service Specific Terms.

In states where Google employees may have unescorted access to unencrypted CJI, Google works with the CSA (or a local agency) to ensure personnel who may have unescorted access to a state’s unencrypted CJI undergo fingerprint-based FBI background checks. Qualifying Google personnel will submit FD-258 fingerprint cards, along with any required documentation, to each CSA.

This process ensures that authorized personnel will be granted unescorted access only after completing the background check and CJIS security awareness training.

Google has implemented zero trust at the core of our services and our operations; our infrastructure does not assume any trust between the services that are running on it. In other words, every resource access request is inspected, authenticated, and verified as if it originates from an untrusted network.

Customer environments within Google Cloud are also logically segregated to prevent users and customers from accessing resources not assigned to them. Customer data (including CJI) is logically segregated by domain to allow data to be produced for a single tenant. The ability of Google Cloud to protect customer data in this manner, while also allowing for more rapid feature development and customer cost benefits, makes it the better choice for government customers. 

Lastly, all customer data in transit is encrypted and data is encrypted at rest, by default, for ALL customers. This ensures that there are multiple layers of defense in a multi-tenant cloud architecture and provides strong isolation for all customers.

No. Since Google provides customer managed encryption keys and personnel data access controls restricting CJI access, confidential computing is not required for CJIS on Google Cloud. However, customers can still utilize confidential computing as a supplemental security control on top of the secure and restricted environment Google offers for CJIS customers.

Yes - Google Cloud uses a FIPS 140-3 validated encryption module called BoringCrypto (certificate 4735) in our production environment. This means that both data in transit (to the customer and between data centers) and data at rest is encrypted by default using FIPS 140-3 validated encryption. 

This allows customers to maintain FIPS compliance while choosing from a variety of Cloud Key Management offerings such as Google Managed Keys, Customer Managed Encryptions Keys, and External Key Management. Since Google Cloud uses this level of encryption by default for data at rest and in transit, customers can inherit FIPS 140-3 encryption and eliminate the requirement to run products and services in FIPS mode.

The CJIS Security Policy does not require the use of a Government Cloud (‘GovCloud’) and there is no universal definition or standard regarding what constitutes a GovCloud. Google Cloud can enable CJIS compliance with the CJIS Security Policy and has demonstrated our compliance to an independent third-party assessment organization and to numerous state CSAs. 

Google has invested in a layered security approach to its public cloud infrastructure, providing features like encryption and strong personnel data access controls. This, along with the zero-trust implementation described above, provides the strong security posture required to meet the stringent requirements of the CJIS Security Policy while also enabling customers to leverage the ongoing product innovations of public cloud.

Google’s implementation of the aforementioned controls (and many others) complies with FedRAMP Moderate and FedRAMP High requirements and has been recognized by the Joint Authorization Board (JAB). 

We see validation of our approach in Office of Management and Budget (OMB) Memo M-24-15 (‘Modernizing the Federal Risk and Authorization Management Program (FedRAMP)’), which recommends federal agencies move away from isolated GovCloud architectures:

“FedRAMP should not incentivize or require commercial cloud providers to create separate, dedicated offerings for Federal use, whether through its application of Federal security frameworks or other program operations. The Federal Government benefits from the investment, security maintenance, and rapid feature development that commercial cloud providers give to their core products to succeed in the marketplace. Commercial providers similarly are incentivized to integrate improved security practices that emerge from their engagement with FedRAMP into their core services, benefiting all customers.”

At Google Cloud, we believe that trust is created through transparency, and we want to be transparent about our commitments and what you can expect when it comes to our shared responsibility for protecting and managing your data in the cloud.

When you use Google Workspace or Google Cloud:

1. You own your data, not Google
2. Google does not sell customer data to third parties
3. Google Cloud does not use customer data for advertising
4. All customer data is encrypted by default
5. We guard against insider access to your data
6. We never give any government entity "backdoor" access
7. Our privacy practices are audited against international standards

See the Cloud Data Processing Addendum (CDPA) for further details on our data processing commitments.