Criminal Justice Information Services (CJIS)

The U.S. Federal Bureau of Investigation’s (FBI) Criminal Justice Information Services (CJIS) Division provides federal, state, local, and tribal agencies with guidance on how to protect criminal justice information (CJI) when using cloud service providers (CSPs) like Google Cloud.

Google Cloud customers can use Assured Workloads for Google Cloud and Assured Controls for Google Workspace to achieve compliance with v5.9.5 of the CJIS Security Policy.

Introduction to CJIS

The FBI CJIS Division oversees many national databases that are leveraged by criminal justice agencies across the country. Much of the data maintained in these databases is considered to be Criminal Justice Information (CJI), which is subject to protection from unauthorized use and release. The FBI CJIS Program Office has published numerous artifacts that provide guidance on protecting CJI. The primary document, the FBI CJIS Security Policy (CJISSECPOL), details a minimum set of security requirements that must be met to protect and safeguard CJI. 

The FBI also provides a Requirements Companion Document that highlights recent changes and helps identify security roles and responsibilities for entities who access CJI. While the Criminal Justice Agency (CJA) accessing CJI is “always ultimately accountable to ensure [CJISSECPOL] compliance”, the Requirements Companion Document guides the CJA in determining who (e.g., FBI CJIS Division, CJA, Service Provider, etc.) has the technical capability to ensure a particular requirement is being met. 

Google Cloud Platform and Google Workspace customers can use Assured Workloads and Assured Controls to achieve compliance with v5.9.5 of the CJIS Security Policy. While no CJIS certification exists, an independent third-party attestation organization recently assessed Google Cloud’s CJIS security controls and found that Google Cloud enables CJIS compliance. The Google Cloud compliance team can also provide detailed compliance narratives demonstrating how Google Cloud satisfies CJISSECPOL requirements applicable to Cloud Service Providers. 

Google Cloud also reviews new versions of the CJIS Security Policy and attends meetings of the CJIS Advisory Policy Board to ensure that our policies and procedures are compliant with any changes.

Contact us at [email protected] to learn more about Google’s CJIS compliance.

Hosting CJIS Workloads on Google Cloud Platform

Assured Workloads for CJIS enables customers to achieve compliance with the CJIS Security Policy. Assured Workloads for Google Cloud Platform is Google Cloud’s regulatory cloud and enables compliance with frameworks such as CJIS, FedRAMP High, and Department of Defense IL2 / IL4 / IL5.

Assured Workloads takes a zero-trust, software-driven approach to regulatory compliance. It allows customers to meet strict government cloud compliance requirements, while providing the performance, scale, service availability, cost, and reliability benefits that customers forgo when using physically separated cloud architectures.

Assured Workloads simplifies security and compliance for state, local, tribal and federal law enforcement (and any other criminal justice or non-criminal justice users of CJI) by:

  • Setting data location controls to restrict CJIS workloads to US-only regions (“data residency”)
  • Implementing personnel security and access controls to restrict unescorted access to unencrypted CJI to US persons located in the US who have completed state fingerprint-based FBI background checks
  • Enabling the use of customer-managed encryption keys (CMEK), hosted either on Google Cloud or using an External Key Manager
  • Allowing customers to gain control and visibility over administrative access
  • Continuously monitoring customer environments for compliance violations

Hosting CJIS Workloads on Workspace

Assured Controls for Google Workspace allows organizations to meet organizational and compliance requirements, whether that involves limiting Google personnel access to customer data, or dictating where customer data is located at rest.

Customers looking to deploy CJIS solutions using Google Workspace can use Assured Controls to set policies in alignment with the CJIS Security Policy. A configuration guide for CJIS solutions on Google Workspace can be found here.

FAQs

An independent third-party attestation organization recently assessed Google Cloud’s CJIS security controls and found that Google Cloud successfully enables CJIS compliance. The Google Cloud compliance team can also provide detailed compliance narratives demonstrating how Google Cloud satisfies CJISSECPOL requirements applicable to Cloud Service Providers. 

Additionally, if requested by a customer or state CJIS Systems Agency, Google Cloud will execute a Management Agreement that provides customers with detailed information on how Google Cloud enables compliance with the CJIS Security Policy, the responsibilities of each party, which cloud services are covered, and many other important provisions. You can request a copy of the Google Cloud CJIS Management Agreement by emailing [email protected].

Yes. Google Cloud enables customers to restrict CJIS workloads to US-only regions. Google will store your data at rest in accordance with our Service Specific Terms.

In states where Google employees may have unescorted access to unencrypted CJI, Google works with the CSA (or a local agency) to ensure personnel who may have unescorted access to a state’s unencrypted CJI undergo fingerprint-based FBI background checks (in addition to the FBI’s national criminal history report). Qualifying Google personnel will submit FD-258 fingerprint cards, along with any required documentation, to each CSA.

This process ensures that authorized personnel will be granted unescorted access only after completing the background check and CJIS security awareness training.

Google has implemented zero trust at the core of our services and our operations; our infrastructure does not assume any trust between the services that are running on it. In other words, every resource access request is inspected, authenticated, and verified as if it originates from an untrusted network.

Additionally, customer environments within Google Cloud are logically segregated to prevent users and customers from accessing resources not assigned to them. Customer data (including CJI) is logically segregated by domain to allow data to be produced for a single tenant. The ability of Google Cloud to protect customer data in this manner, while also allowing for more rapid feature development and customer cost benefits, makes it the better choice for government customers. 

Lastly, all customer data in transit is encrypted and data is encrypted at rest, by default, for ALL customers. This ensures that there are multiple layers of defense in a multi-tenant cloud architecture and provides strong isolation for all customers.

No. Since Google provides customer managed encryption keys and personnel data access controls restricting CJI access, confidential computing is not required for CJIS on Google Cloud. However, customers can still utilize confidential computing as a supplemental security control on top of the secure and restricted environment Google offers for CJIS customers.

Google Cloud uses a FIPS 140-2 (see FIPS 140-2 compliance page) validated encryption module called BoringCrypto (certificate 4407) in our production environment. This means that both data in transit (to the customer and between data centers) and data at rest is encrypted by default using FIPS 140-2 validated encryption. 

The module that achieved FIPS 140-2 validation is part of our BoringSSL library. This allows customers to maintain FIPS compliance while choosing from a variety of Cloud Key Management offerings such as Google Managed Keys, Customer Managed Encryptions Keys, and External Key Management. Since Google Cloud uses this level of encryption by default for data at rest and in transit, customers can inherit FIPS 140-2 encryption and eliminate the requirement to run products and services in FIPS mode.

Google is aware of the CJISSECPOL requirement to implement cryptographic modules which are FIPS 140-3 certified. The approved cryptographic modules that Google Cloud leverages are under review for FIPS 140-3 compliancy, and Google already has plans in place to replace the FIPS 140-2 algorithm prior to its certificate sunset in September 2026.

Note: It is also important to note that there is no universal definition or standard regarding what constitutes a GovCloud. 

Google has invested in a layered security approach to its public cloud infrastructure, providing features like encryption and strong personnel data access controls. This provides the strong security posture required to meet the stringent requirements of the CJIS Security Policy while also enabling customers to leverage the ongoing product innovations of public cloud.

Google’s implementation of the aforementioned controls (and many others) complies with FedRAMP Moderate and FedRAMP High requirements and has been recognized by the Joint Authorization Board (JAB). 

In fact, an isolated GovCloud is the exact type of divided cloud architecture that the Office of Management and Budget (OMB) recommends moving away from in M-24-15 (‘Modernizing the Federal Risk and Authorization Management Program (FedRAMP)’):

“FedRAMP should not incentivize or require commercial cloud providers to create separate, dedicated offerings for Federal use, whether through its application of Federal security frameworks or other program operations. The Federal Government benefits from the investment, security maintenance, and rapid feature development that commercial cloud providers give to their core products to succeed in the marketplace. Commercial providers similarly are incentivized to integrate improved security practices that emerge from their engagement with FedRAMP into their core services, benefiting all customers.”

At Google Cloud, we believe that trust is created through transparency, and we want to be transparent about our commitments and what you can expect when it comes to our shared responsibility for protecting and managing your data in the cloud.

When you use Google Workspace or Google Cloud:

  1. You own your data, not Google
  2. Google does not sell customer data to third parties
  3. Google Cloud does not use customer data for advertising
  4. All customer data is encrypted by default
  5. We guard against insider access to your data
  6. We never give any government entity "backdoor" access
  7. Our privacy practices are audited against international standards

See the Cloud Data Processing Addendum (CDPA) for further details on our data processing commitments.

Take the next step

Start building on Google Cloud with $300 in free credits and 20+ always free products.

Google Cloud
  • ‪English‬
  • ‪Deutsch‬
  • ‪Español‬
  • ‪Español (Latinoamérica)‬
  • ‪Français‬
  • ‪Indonesia‬
  • ‪Italiano‬
  • ‪Português (Brasil)‬
  • ‪简体中文‬
  • ‪繁體中文‬
  • ‪日本語‬
  • ‪한국어‬
Console
Google Cloud