
DOJ and CJIS Compliance in Microsoft 365


5 min read
Published on Nov 30, 2022

Advancements and evolution in cloud computing over the last couple of years have brought with them new challenges, especially as they pertain to data security, compliance, and incident reporting and response. This is particularly true for law enforcement agencies and contractors involved with the DOJ and the criminal justice system. If sensitive data were to get into the wrong hands, the consequences would be detrimental. This, then, necessitates compliance. Enter Criminal Justice Information Services (CJIS) compliance.

Overview of CJIS Compliance

Established in 1992, CJIS remains the largest division of the FBI and consists of a number of departments. It acts as a primary source of information and services for partners in the law enforcement, national security, and intelligence communities. Further, it is in charge of keeping the different government agencies protected from threat actors in cyberspace. It is in light of this that CJIS released a Security Policy comprising 13 policy areas that government agencies are required to stay compliant with.

The 13 policy areas of the CJIS Security Policy are:

  1. Information Exchange Agreement
  2. Security Awareness Training
  3. Incident Response
  4. Auditing and Accountability
  5. Access Control
  6. Identification and Authentication
  7. Configuration Management
  8. Media Protection
  9. Physical Protection
  10. Systems and Communications Protection and Information Integrity
  11. Formal Audits
  12. Personnel Security
  13. Mobile Devices

The CJIS Security Policy draws on presidential and FBI directives, federal laws, and decisions of the criminal justice community’s Advisory Policy Board, as well as standards from the National Institute of Standards and Technology (NIST). With the ever-changing rate and sophistication of cyber security threats, these security standards ensure that your agency has the utmost protection. CJIS compliance is paramount for law enforcement agencies at the local, state, and federal levels. Failure to comply with this comprehensive and stringent cyber security standard could see the entity being denied access to any FBI database or CJIS system. What’s more, non-compliance attracts fines and even criminal charges.

Microsoft and CJIS Security Policy 

When it comes to CJIS compliance, Microsoft is a private contractor. As such, it has to sign the CJIS Security Addendum, an agreement approved by the US Attorney General, in accordance with the Security Policy.

Specifically, Microsoft signs the CJIS Security Addendum in states with CJIS Information Agreements. This is proof on Microsoft’s part that it is committed to protecting the entire lifecycle of data. What’s more, it is a show of commitment that Microsoft will make it easy yet mandatory for appropriate background screening of all operating personnel with access to the CJI. Additionally, Microsoft maintains a security program that’s consistent with both state and federal laws, regulations, and standards. Microsoft commits to providing law enforcement partners with trusted cloud services uniquely designed to help exceed the CJIS compliance requirements.

Here’s a breakdown of the measures Microsoft implements in compliance with the 13 policy areas:

  • Microsoft mandates that all personnel with potential access to CJI complete security awareness training at the highest level (level 4) before they can be assigned to support CJI, and goes further by contractually mandating the training
  • All employees with access to encrypted or unencrypted CJI are screened within 30 days of assignment
  • The state CJIS Systems Agencies with an Information Agreement have access to Microsoft facilities and all pertinent records

Cloud Solutions Used by Law Enforcement and Contractors

The influx of new video footage and the need to store police records, photographic evidence, crime mapping, biometrics, and other classified and sensitive information has seen DOJ agencies become more reliant on cloud technology. The cloud helps these law enforcement agencies securely store valuable information while still remaining CJIS compliant. There are, however, still questions about which cloud law enforcement agencies and contractors should use. These questions stem from the cyber security obligations that these entities have, particularly CJIS compliance.

Microsoft’s in-scope cloud platforms and services are compliant with DOJ and CJIS regulations and are, thus, safe to use. Microsoft is committed to ensuring compliance and goes as far as signing Information Agreements with the different state CJIS Systems Agencies (CSAs). Further, as a customer, you can review security and compliance reports drawn up by independent auditors.

As a multi-tenant hyper-scale cloud platform, Microsoft 365 offers a multitude of solutions, including GCC High. GCC High is designed according to the DoD Security Requirements Guide Level 4 controls and supports strictly regulated federal and defense information. You should consider reviewing compliance in GCC High to ascertain your organization’s regulatory compliance.

CJIS Compliance Audit 

It is important to highlight that the FBI doesn’t certify Microsoft’s compliance with CJIS requirements. In fact, there is no central CJIS authorization body, no accredited pool of independent assessors, and no standardized assessment approach. This means that as a law enforcement agency or contractor, it is up to you to ensure CJIS compliance even when you’ve zeroed in on Microsoft 365 as your cyber partner of choice.

Note that on top of data security, you must prove that your security processes and policies align with your internal procedures and all other external regulations.

The truth is this can be intimidating, but it doesn’t need to be! The key point is that using a cloud service provider (CSP) doesn’t automatically mean that the CSP’s security posture aligns with CJIS security requirements.

Learn More About CJIS Compliance

At Agile IT, we walk with you to ensure that your cloud platforms meet regulatory requirements. If you are thinking about CJIS and digital transformation, get in contact with us! We ensure that your agency maintains the right protocols while allowing your internal team to focus on more pressing tasks at hand.
