Criminal Justice Information Services (CJIS)

The U.S. Federal Bureau of Investigation’s (FBI) Criminal Justice Information Services (CJIS) Division provides federal, state, and local agencies with guidance on how to protect criminal justice information (CJI) when using cloud service providers (CSPs) like Google Cloud.

Google Cloud offers security controls to protect and store CJI through Assured Workloads for Google Cloud and Assured Controls for Google Workspace. Law enforcement agencies can achieve compliance with the CJIS Security Policy by implementing these controls for in-scope Google Cloud services.

Google’s CJIS Compliance

The FBI CJIS Program Office has published numerous artifacts that provide guidance on protecting CJI. The primary document, the FBI CJIS Security Policy, details a minimum set of security requirements that must be met to protect and safeguard CJI. The FBI also provides a mapping of CJIS requirements to the security controls found in NIST SP 800-53.

Google Cloud Platform and Google Workspace customers can use Assured Workloads and Assured Controls to achieve compliance with the CJIS Security Policy. Contact the Google Cloud sales team through our contact form to learn more about Google’s CJIS compliance.

Hosting CJIS Workloads on Google Cloud

Google Cloud’s investment in security-by-default for our infrastructure ensures that security controls are built in and pre-configured, enabling customers to achieve various compliance levels without a traditional isolated government cloud architecture.

Customers looking to deploy CJIS solutions using Google Cloud can use Assured Workloads to achieve compliance with the CJIS Security Policy. Assured Workloads allows customers to confidently secure and configure sensitive workloads to support compliance and security requirements using Google Cloud services. It does not rely on physical infrastructure distinct from Google's public cloud data centers, and instead delivers a Software Defined Community Cloud with cost, speed, and innovation advantages.

Assured Workloads also provides visibility into the compliance state of CJIS workloads via Assured Workloads Monitoring. This tool can help you spot and remediate compliance violations, and provide control attestations to auditors of your compliance state.

In addition to the controls satisfied by the Google Cloud infrastructure, state, local, and federal law enforcement and criminal justice agencies (and their contractors) can use Assured Workloads to:

  • Set guardrails to restrict CJIS workloads to be stored within the US,
  • Implement personnel security and access controls to restrict CJI access to US persons located in the US who have completed state fingerprint-based FBI background checks and criminal background checks,
  • Enforce FIPS 140-2 encryption at rest and in transit,
  • Use customer-managed encryption keys (CMEK),
  • Implement logical controls that segment networks and users from in-scope sensitive data, and more.

Hosting CJIS Workloads on Workspace

Assured Controls for Google Workspace allows organizations to meet organizational and compliance requirements, whether that involves limiting Google personnel access to customer data, or dictating where customer data is located at rest.

Customers looking to deploy CJIS solutions using Google Workspace can use Assured Controls to set policies in alignment with the CJIS Security Policy. A configuration guide for CJIS solutions on Google Workspace can be found here.

In addition to the controls satisfied by Google Workspace infrastructure, state, local, and federal law enforcement and criminal justice agencies (and their contractors) can use Assured Controls to:

  • Set guardrails to restrict CJIS workloads to be stored within the US,
  • Implement personnel security and access controls to restrict CJI access to US persons located in the US who have completed state fingerprint-based FBI background checks and criminal background checks,
  • Enforce FIPS 140-2 encryption at rest and in transit, and more.

FAQs

Entities handling CJI (such as Google Cloud) must execute a CJIS Security Addendum with States that wish to use the entity’s services to protect CJI. The Addendum is a templated agreement approved by the US Attorney General that provides customers with detailed information on how Google Cloud meets the CJIS Security Policy, the responsibilities of each party, which cloud services are covered, and many other important provisions.

Contact your state’s Google Cloud Platform sales team through our contact form to start the process and obtain access to a Google Cloud CJIS Security Addendum.

Google signs a CJIS Security Addendum with a state CJIS Systems Agency (CSA) or CJIS Security Officer (CSO); you may request a copy from Google or your state's CSA or CSO.

In addition, Google provides CJIS customers with comprehensive control narratives describing how Google Cloud enables customers to meet FBI-mapped technical controls required for CJIS compliance.

Please contact cjis@google.com to obtain a copy of Google’s CJIS mapping.

In states where Google employees may have unescorted access to unencrypted CJI, Google works with each state authority to ensure personnel who may have unescorted access to a state’s unencrypted CJI undergo CJIS background checks in that state (in addition to the FBI’s national criminal history report). Qualifying Google personnel will submit FD-258 fingerprint cards, along with any required documentation, to each authority.

This process ensures that authorized personnel will be granted unescorted access only after completing the background check and CJIS security awareness training.

No. Because Google provides customer-managed encryption keys and personnel data access controls that restrict CJI access, confidential computing is not required for CJIS on Google Cloud.

However, customers can still utilize confidential computing as a supplemental security control on top of the secure and restricted environment Google offers for CJIS customers.

Yes. Customers can configure resources in US locations for our key services, and Google will store your data at rest only in the selected region in accordance with our Service Specific Terms.

Google Cloud uses a FIPS 140-2 (see FIPS 140-2 compliance page) validated encryption module called BoringCrypto (certificate 3678) in our production environment. This means that both data in transit (to the customer and between data centers) and data at rest are encrypted by default using FIPS 140-2 validated encryption.

The module that achieved FIPS 140-2 validation is part of our BoringSSL library. This allows customers to maintain FIPS compliance while choosing from a variety of Cloud Key Management offerings such as Google Managed Keys, Customer-Managed Encryption Keys, and External Key Management. Since Google Cloud uses this level of encryption by default for data at rest and in transit, customers can inherit FIPS 140-2 encryption and eliminate the requirement to run products and services in FIPS mode.

Google has invested in a layered security approach to its public cloud infrastructure, providing features like encryption and strong personnel data access controls. This provides the strong security posture required to meet the stringent requirements of the CJIS Security Policy while also enabling customers to leverage the ongoing product innovations of public cloud.

Google’s implementation of the aforementioned controls (and many others) complies with FedRAMP Moderate and FedRAMP High requirements and has been recognized by the Joint Authorization Board (JAB).