[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

Criminal Justice Information Services (CJIS)

The U.S. Federal Bureau of Investigation’s (FBI) Criminal Justice Information Services (CJIS) Division provides federal, state, local, and tribal agencies with guidance on how to protect criminal justice information (CJI) when using cloud service providers (CSPs) like Google Cloud.

Google Cloud customers can use Assured Workloads for Google Cloud and Assured Controls for Google Workspace to achieve compliance with v5.9.5 of the CJIS Security Policy.

Introduction to CJIS

The FBI CJIS Division oversees many national databases that are leveraged by Criminal Justice Agencies (CJAs) across the country. Much of the data maintained in these databases is considered to be Criminal Justice Information (CJI), and is subject to protection from unauthorized use and release. The CJIS Security Policy (“CJISSECPOL”), published by the FBI CJIS Division, provides the minimum set of security requirements for protecting and safeguarding CJI.

The FBI also provides a Requirements Companion Document that highlights recent changes to the CJIS Security Policy and helps identify security roles and responsibilities for entities who access CJI. While the CJA accessing CJI is always ultimately accountable for ensuring CJIS compliance, the Requirements Companion Document guides the CJA in determining who (e.g., FBI CJIS Division, CJA, Service Provider, etc.) has the technical capability to ensure a particular requirement is being met. 

Google Cloud Platform and Google Workspace customers can use Assured Workloads and Assured Controls to achieve compliance with v5.9.5 of the CJIS Security Policy. An independent third-party assessment organization recently assessed Google Cloud’s CJIS security controls and found that Google Cloud enables CJIS compliance. Additional compliance information can also be provided on request to demonstrate how Google Cloud satisfies CJISSECPOL requirements applicable to Cloud Service Providers. 

Google Cloud also attends meetings of the CJIS Advisory Policy Board and reviews new versions of the CJIS Security Policy and the Requirements Companion Document to ensure that our policies and procedures are compliant with any changes.

Hosting CJIS Workloads on Google Cloud Platform

Assured Workloads for CJIS enables customers to achieve compliance with the CJIS Security Policy. Assured Workloads for Google Cloud Platform is Google Cloud’s regulatory cloud and enables compliance with frameworks such as CJIS, FedRAMP High, and Department of Defense IL2 / IL4 / IL5.

Assured Workloads takes a zero-trust, software-driven approach to regulatory compliance. It allows customers to meet strict government cloud compliance requirements, while providing the performance, scale, service availability, cost, and reliability benefits that customers forgo when using physically separated cloud architectures.

Assured Workloads simplifies security and compliance for state, local, tribal and federal law enforcement (and any other criminal justice or non-criminal justice users of CJI) by:

  • Setting data location controls to restrict CJIS workloads to US-only regions (“data residency”)
  • Implementing personnel security and access controls to restrict unescorted access to unencrypted CJI to US persons located in the US who have completed fingerprint-based FBI background checks
  • Enabling the use of customer-managed encryption keys (CMEK), hosted either on Google Cloud or using an External Key Manager
  • Allowing customers to gain control and visibility over administrative access
  • Continuously monitoring customer environments for compliance violations

Hosting CJIS Workloads on Google Workspace

Assured Controls for Google Workspace allows organizations to meet organizational and compliance requirements, whether that involves limiting Google personnel access to customer data, or ensuring that the location of customer data is restricted to the United States.

Customers looking to deploy CJIS solutions using Google Workspace can use Assured Controls to set policies in alignment with the CJIS Security Policy. A configuration guide for CJIS solutions on Google Workspace can be found here.

FAQs

An independent third-party assessment organization recently evaluated Google Cloud’s CJIS security controls and found that Google Cloud successfully enables CJIS compliance. Google is planning on refreshing this assessment once CJIS Security Policy v6.0 has been published. 

If requested by a customer or state CJIS Systems Agency (CSA), Google Cloud will execute a Management Agreement that provides customers with detailed information on how Google Cloud enables compliance with the CJIS Security Policy, the responsibilities of each party, which cloud services are covered, and many other important provisions. You can request a copy of the Google Cloud CJIS Management Agreement by emailing cjis@google.com.

The Google Cloud compliance team can also provide detailed compliance narratives demonstrating how Google Cloud satisfies CJISSECPOL requirements applicable to Cloud Service Providers.

Yes. Google Cloud enables customers to restrict CJIS workloads to US-only regions through Assured Workloads and Assured Controls. Google will store your data at rest in accordance with our Service Specific Terms.

In states where Google employees may have unescorted access to unencrypted CJI, Google works with the CSA (or a local agency) to ensure personnel who may have unescorted access to a state’s unencrypted CJI undergo fingerprint-based FBI background checks. Qualifying Google personnel will submit FD-258 fingerprint cards, along with any required documentation, to each CSA.

This process ensures that authorized personnel will be granted unescorted access only after completing the background check and CJIS security awareness training.

Google has implemented zero trust at the core of our services and our operations; our infrastructure does not assume any trust between the services that are running on it. In other words, every resource access request is inspected, authenticated, and verified as if it originates from an untrusted network.

Customer environments within Google Cloud are also logically segregated to prevent users and customers from accessing resources not assigned to them. Customer data (including CJI) is logically segregated by domain to allow data to be produced for a single tenant. The ability of Google Cloud to protect customer data in this manner, while also allowing for more rapid feature development and customer cost benefits, makes it the better choice for government customers. 

Lastly, all customer data in transit is encrypted and data is encrypted at rest, by default, for ALL customers. This ensures that there are multiple layers of defense in a multi-tenant cloud architecture and provides strong isolation for all customers.

No. Since Google provides customer managed encryption keys and personnel data access controls restricting CJI access, confidential computing is not required for CJIS on Google Cloud. However, customers can still utilize confidential computing as a supplemental security control on top of the secure and restricted environment Google offers for CJIS customers.

Yes - Google Cloud uses a FIPS 140-3 validated encryption module called BoringCrypto (certificate 4735) in our production environment. This means that both data in transit (to the customer and between data centers) and data at rest is encrypted by default using FIPS 140-3 validated encryption. 

This allows customers to maintain FIPS compliance while choosing from a variety of Cloud Key Management offerings such as Google Managed Keys, Customer Managed Encryptions Keys, and External Key Management. Since Google Cloud uses this level of encryption by default for data at rest and in transit, customers can inherit FIPS 140-3 encryption and eliminate the requirement to run products and services in FIPS mode.

The CJIS Security Policy does not require the use of a Government Cloud (‘GovCloud’) and there is no universal definition or standard regarding what constitutes a GovCloud. Google Cloud can enable CJIS compliance with the CJIS Security Policy and has demonstrated our compliance to an independent third-party assessment organization and to numerous state CSAs. 

Google has invested in a layered security approach to its public cloud infrastructure, providing features like encryption and strong personnel data access controls. This, along with the zero-trust implementation described above, provides the strong security posture required to meet the stringent requirements of the CJIS Security Policy while also enabling customers to leverage the ongoing product innovations of public cloud.

Google’s implementation of the aforementioned controls (and many others) complies with FedRAMP Moderate and FedRAMP High requirements and has been recognized by the Joint Authorization Board (JAB). 

We see validation of our approach in Office of Management and Budget (OMB) Memo M-24-15 (‘Modernizing the Federal Risk and Authorization Management Program (FedRAMP)’), which recommends federal agencies move away from isolated GovCloud architectures:

“FedRAMP should not incentivize or require commercial cloud providers to create separate, dedicated offerings for Federal use, whether through its application of Federal security frameworks or other program operations. The Federal Government benefits from the investment, security maintenance, and rapid feature development that commercial cloud providers give to their core products to succeed in the marketplace. Commercial providers similarly are incentivized to integrate improved security practices that emerge from their engagement with FedRAMP into their core services, benefiting all customers.”

At Google Cloud, we believe that trust is created through transparency, and we want to be transparent about our commitments and what you can expect when it comes to our shared responsibility for protecting and managing your data in the cloud.

When you use Google Workspace or Google Cloud:

  1. You own your data, not Google
  2. Google does not sell customer data to third parties
  3. Google Cloud does not use customer data for advertising
  4. All customer data is encrypted by default
  5. We guard against insider access to your data
  6. We never give any government entity "backdoor" access
  7. Our privacy practices are audited against international standards

See the Cloud Data Processing Addendum (CDPA) for further details on our data processing commitments.

Take the next step

Start building on Google Cloud with $300 in free credits and 20+ always free products.

Google Cloud
  • ‪English‬
  • ‪Deutsch‬
  • ‪Español‬
  • ‪Español (Latinoamérica)‬
  • ‪Français‬
  • ‪Indonesia‬
  • ‪Italiano‬
  • ‪Português (Brasil)‬
  • ‪简体中文‬
  • ‪繁體中文‬
  • ‪日本語‬
  • ‪한국어‬
Console
Google Cloud