DOJ and CJIS Compliance in Microsoft 365

Published on Nov 30, 2022

Advancements in cloud computing over the last couple of years have brought with them new challenges, especially as they pertain to data security, compliance, and incident reporting and response. This is particularly true for law enforcement agencies and contractors involved with the DOJ and the Criminal Justice System. If sensitive data were to get into the wrong hands, the consequences would be detrimental. This makes compliance a necessity. Enter Criminal Justice Information Services (CJIS) compliance.

Overview of CJIS Compliance

Established in 1992, CJIS remains the largest division of the FBI and consists of a number of departments. It acts as a primary source of information and services for partners in the law enforcement, national security, and intelligence communities. Further, it is in charge of keeping the different government agencies protected from threat actors in cyberspace. In light of this, CJIS released a Security Policy comprising 13 policy areas with which government agencies are required to stay compliant.

The 13 policy areas that fall under the CJIS requirements are:

  1. Information Exchange Agreement
  2. Security Awareness Training
  3. Incident Response
  4. Auditing and Accountability
  5. Access Control
  6. Identification and Authentication
  7. Configuration Management
  8. Media Protection
  9. Physical Protection
  10. Systems and Communications Protection and Information Integrity
  11. Formal Audits
  12. Personnel Security
  13. Mobile Devices

The CJIS Security Policy draws on presidential and FBI directives, federal laws, and the criminal justice community’s Advisory Policy Board decisions, as well as those from the National Institute of Standards and Technology (NIST). With the ever-changing rate and sophistication of cyber security threats, these security standards ensure that your agency has the utmost protection. CJIS compliance is paramount for law enforcement agencies at the local, state, and federal levels. Failure to comply with this comprehensive and stringent cyber security standard could see the entity being denied access to any FBI database or CJIS system. What’s more, non-compliance attracts fines and even criminal charges.

Microsoft and CJIS Security Policy

When it comes to CJIS compliance, Microsoft is a private contractor. As such, it has to sign the CJIS Security Addendum, an agreement approved by the US Attorney General, in accordance with the Security Policy.

Specifically, Microsoft signs the CJIS Security Addendum in states with CJIS Information Agreements. This is proof on Microsoft’s part that it is committed to protecting the entire lifecycle of data. What’s more, it shows Microsoft’s commitment to making appropriate background screening easy yet mandatory for all operating personnel with access to CJI. Additionally, Microsoft maintains a security program that is consistent with state and federal laws, regulations, and standards. Microsoft commits to providing law enforcement partners with trusted cloud services uniquely designed to help exceed the CJIS compliance requirements.

Here’s a breakdown of measures Microsoft has implemented in compliance with the 13 Security Policies:

  • Microsoft requires all personnel with potential access to CJI to complete the highest level of security awareness training (level 4) before they can be assigned to support CJI, and goes further by mandating the training contractually
  • All employees with access to encrypted or unencrypted CJI are screened within 30 days of assignment
  • The State CJIS Systems Agencies with an Information Agreement have access to Microsoft facilities and all pertinent records

Cloud Solutions Used by Law Enforcement and Contractors

The influx of new video footage and the need to store police records, photographic evidence, crime mapping, biometrics, and other classified and sensitive information have seen DOJ agencies become more reliant on cloud technology. Cloud technology helps these law enforcement agencies securely store valuable information while remaining CJIS compliant. There are, however, still questions about which cloud law enforcement and contractors should use. These questions are rooted in the cyber security obligations that these entities have, particularly CJIS compliance.

Microsoft’s in-scope cloud platforms and services are compliant enough with DOJ and CJIS regulations and, thus, safe enough to use. Microsoft is committed to ensuring compliance and goes as far as signing Information Agreements with the different state CJIS Systems Agencies (CSAs). Further, as a customer, you can review security and compliance reports drawn up by independent auditors.

As a multi-tenant hyper-scale cloud platform, Microsoft 365 offers a multitude of solutions, including GCC High. The latter is designed according to DoD Security Requirement Guidelines Level 4 controls and supports strictly regulated federal and defense information. You should consider checking out compliance in GCC High to ascertain your organization’s regulatory compliance.

CJIS Compliance Audit

It is important to highlight that the FBI doesn’t provide certification of Microsoft’s compliance with CJIS requirements. In fact, there is no central CJIS authorization body, no accredited pool of independent assessors, and no standardized assessment approach. This means that as a law enforcement agency or contractor, it is up to you to ensure CJIS compliance, even when you’ve zeroed in on Microsoft 365 as your cyber partner of choice.

Note that on top of data security, you must prove that your security processes and policies align with the internal procedures and all other external regulations.

The truth is that this can be intimidating, but it doesn’t need to be! This is mainly because using a CSP doesn’t automatically mean that the CSP’s security posture aligns with CJIS security requirements.

Learn More About CJIS Compliance

At Agile IT, we walk with you to ensure that your cloud platforms meet regulatory requirements. If you are thinking about CJIS and digital transformation, you should get in contact with us! We ensure that your agency maintains the right protocols while allowing your internal team to focus on more pressing tasks at hand.
