We are committed to helping organizations everywhere stay connected and productive. Read more

Since 2014, United States criminal justice agencies have been managing Criminal Justice Information in Microsoft Azure Government. This cloud platform was developed to support critical compliance standards including the Federal Bureau of Investigation’s (FBI’s) Criminal Justice Information Services (CJIS) Security Policy and:

  • Has the physical controls required by Section 5.9 of the Policy.
  • Its data centers are considered “physically secure locations” as defined in Section 5.9.1 of the Policy.
  • Is operated by United States persons who have been screened in accordance with Section 5.12 of the Policy, completed Level 4 CJIS security awareness training, and signed the CJIS Security Addendum.
  • Restricts the storage of Criminal Justice Information to the United States as required by Section 5.10.1.5 of the Policy.

Microsoft backs Azure Government with CJIS Management Agreements executed with state CJIS Systems Agencies so that all criminal justice agencies in a state can use Azure Government while respecting their compliance obligations under the CJIS Security Policy. Azure Government conformance with the CJIS Security Policy has been validated by the countless agencies using it having passed CJIS audits since 2014.

Male police office holding a Surface Go 3 in a ruggedized case with Teams calendar screen shown.

Microsoft for Public Safety and Justice

Empowering agencies. Improving operations. Protecting communities.

Manage Criminal Justice Information in Azure Commercial

On October 1, 2022, the FBI released CJIS Security Policy Version 5.9.1, and among its updates, the FBI enables criminal justice agencies to meet the requirements of the policy through technical controls alone, rather than through technical controls and screened personnel. In accordance with this updated policy, Microsoft announces the addition of Azure Commercial to our cloud platforms available for Criminal Justice Information. Microsoft customers can manage Criminal Justice Information in Azure Commercial and facilitate their compliance with the CJIS Security Policy v5.9.1 by first geo-restricting storage of Criminal Justice Information to the member countries of the CJIS Advisory Policy Board (United States, United States territories, Indian tribes, and Canada). For infrastructure-as-a-service workloads that do not process CJIS data, customers can implement customer managed key (CMK) encryption through Azure Key Vault, a generally available and widely adopted option used today by many security-focused customers. For data processing workloads, customers can establish an Azure confidential computing enclave for Azure Confidential VMs (including SQL Server VMs) and connect to platform-as-a-service services or implement other scenarios where data will be processed in the cloud. Microsoft will continue to invest in confidential computing capabilities for our customers, exemplified in part through our establishment of the open-source Confidential Consortium Framework.   

In addition to this new Azure Commercial option, Microsoft will continue its long-standing commitment to protecting Criminal Justice Information in Azure Government, which United States criminal justice agencies have used since 2014. A fundamental principle for using the cloud is an understanding of the shared responsibility model. An organization that manages a completely on-premises computing infrastructure has full responsibility for its security and compliance. Organizations leveraging cloud services share this responsibility with their cloud provider but are still accountable to the appropriate regulators. Criminal justice agencies must determine whether Azure Government or Azure Commercial is the appropriate cloud platform for their needs and should consult their state’s CJIS Systems Officer for questions on compliance in the cloud.

Choose the appropriate cloud platform for Criminal Justice Information

The Microsoft mission is to empower every person and every organization on the planet to achieve more. Criminal justice agencies manage especially sensitive data, and those in the United States can now choose between Azure Government with its proven combination of technical and personnel controls, and Azure Commercial with technical controls in accordance with CIJS Security Policy v5.9.1—only Microsoft can provide this kind of choice across the United States. Microsoft led the way for compliant use of the cloud by United States criminal justice agencies and with the release of CJIS Security Policy v5.9.1 continues this leadership.

United States criminal justice agencies can work with their Microsoft account teams to assess requirements and determine the appropriate cloud platform for managing their Criminal Justice Information.

Learn more

You can learn more about how Azure Commercial and Azure Government support Criminal Justice Information by visiting the Criminal Justice Information Services documentation page. Interested in discovering more Microsoft solutions for Public Safety and Justice? Visit our website to learn more.