Azure Government vs. Commercial: Navigating CJIS 6.0 Compliance Paths

Cloud Reporter
5 min read

With CJIS Security Policy 6.0's release, agencies must choose between Azure Government's personnel screening approach or Azure Commercial's technical controls like Customer Managed Keys. This comprehensive guide breaks down both paths, implementation steps, and critical compliance considerations for Criminal Justice Information Systems.

Criminal justice agencies face a critical decision point as Microsoft Azure expands compliance options for Criminal Justice Information Systems (CJIS). The release of CJIS Security Policy 6.0 in late 2024 introduces modernized security requirements while offering agencies flexibility in how they achieve compliance—either through Azure Government's traditional screening approach or Azure Commercial's advanced technical controls.

The Evolution of CJIS Compliance

Since 2014, Azure Government has served as the trusted platform for U.S. criminal justice agencies, providing physically isolated datacenters operated exclusively by CJIS-screened U.S. personnel. This "gold standard" approach offered the simplest path to compliance, with Microsoft executing CJIS Management Agreements that included state CJIS Systems Agency (CSA) screening of all personnel.

However, the landscape has evolved. CJIS Security Policy 5.9.1 first introduced the concept of using technical controls as an alternative to personnel screening for Azure Commercial workloads. Now, with the comprehensive overhaul in version 6.0, agencies can choose between two distinct compliance paths:

Azure Government: The personnel screening path where Microsoft staff undergo CJIS screening through state CSAs, offering the broadest feature set with minimal compliance burden on agencies.

Azure Commercial: The technical controls path requiring Customer Managed Keys (CMK) encryption, ensuring Microsoft cannot access unencrypted criminal justice information and effectively removing Microsoft staff from the trust boundary.

What's New in CJIS 6.0?

The 6.0 update represents a fundamental shift toward a "Zero Trust" framework. Key changes include:

  • Phishing-Resistant MFA: Strict requirements for FIDO2 or certificate-based authentication for all privileged access
  • Continuous Monitoring: Moving from point-in-time audits to real-time threat detection and automated logging
  • Supply Chain Risk Management: Enhanced vetting of third-party software and vendors

The policy now emphasizes protecting CJI while at rest, in transit, and critically, in use—addressing the risk of platform-level access during data processing.

Azure Commercial Compliance: The Technical Control Path

For agencies choosing Azure Commercial, compliance requires implementing a comprehensive security architecture. Here's the step-by-step approach:

Phase 1: Foundation & Residency

Data Residency Requirements: CJIS 6.0 mandates that CJI must not leave the United States. Agencies must deploy all Azure resources exclusively in US regions (East US, West US, Central US, etc.).

Implementation: Use Azure Policy to enforce "Allowed Locations" and prevent accidental resource creation in non-US regions. This geographic restriction forms the foundation of your compliance posture.

Phase 2: The Critical Encryption Layer

Customer Managed Keys (CMK): This is the cornerstone of Azure Commercial compliance. Since Microsoft Commercial staff aren't CJIS-screened, agencies must implement encryption where they control the keys.

Implementation Steps:

  1. Provision Azure Key Vault (Premium) or Managed HSM for FIPS 140-2 Level 2/3 compliance
  2. Generate encryption keys within your HSM or import them from on-premises using Bring Your Own Key (BYOK)
  3. Configure Disk Encryption Sets and Storage Account Encryption to use these keys—never use default Microsoft Managed Keys
  4. For SaaS/PaaS workloads, implement client-side encryption so data is encrypted before reaching Azure

Confidential Computing: To address CJIS 6.0's requirement to protect CJI "in use," agencies may implement Azure Confidential Computing. This uses hardware-backed Trusted Execution Environments (TEEs) to cryptographically isolate data in memory, preventing access even at the infrastructure layer.
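As an added example (not Microsoft's code or a built-in Azure Policy), the following script evaluates a constructed resource inventory, shaped like Azure Resource Graph output, against the two controls Phase 1 and Phase 2 describe: US-only locations and customer-managed keys. The property names it reads (encryption.keySource, encryptionType, enablePurgeProtection) are the ones Resource Graph returns for these types, but treat them and the sample data as assumptions.

```python
# Added example (not Microsoft code): a local check of the Phase 1 and Phase 2
# controls over a constructed inventory shaped like Azure Resource Graph output.
# Property names (encryption.keySource, encryptionType, enablePurgeProtection)
# are what Resource Graph returns for these types; treat them as assumptions.

# Mirrors the parameter list of an Azure Policy "Allowed Locations" assignment.
US_REGIONS = {"eastus", "eastus2", "westus", "westus2", "westus3", "centralus",
              "northcentralus", "southcentralus", "westcentralus"}

def check_resource(r: dict) -> list:
    """Return (control, message) findings for one resource; empty = compliant."""
    findings, props = [], r.get("properties", {})
    if r["location"].lower() not in US_REGIONS:
        findings.append(("residency", f"{r['name']}: deployed in {r['location']}, outside the US"))
    rtype = r["type"].lower()
    if rtype == "microsoft.storage/storageaccounts":
        src = props.get("encryption", {}).get("keySource")
        if src != "Microsoft.Keyvault":   # default is Microsoft-managed keys
            findings.append(("cmk", f"{r['name']}: storage keySource is {src!r}, not Microsoft.Keyvault"))
    elif rtype == "microsoft.compute/diskencryptionsets":
        if props.get("encryptionType") != "EncryptionAtRestWithCustomerKey":
            findings.append(("cmk", f"{r['name']}: disk encryption set is not customer-key only"))
    elif rtype == "microsoft.keyvault/vaults":
        # Purge protection keeps a CMK recoverable; losing it makes CJI unreadable.
        if not props.get("enablePurgeProtection"):
            findings.append(("cmk", f"{r['name']}: key vault lacks purge protection"))
    return findings

def audit(inventory: list) -> dict:
    """Group findings by control so each can be cited separately as SSP evidence."""
    report = {"residency": [], "cmk": []}
    for r in inventory:
        for control, msg in check_resource(r):
            report[control].append(msg)
    return report

# Constructed sample inventory; names and values are made up.
SAMPLE = [
    {"name": "cjisvault", "type": "Microsoft.KeyVault/vaults", "location": "eastus",
     "properties": {"enablePurgeProtection": True}},
    {"name": "cjisstore", "type": "Microsoft.Storage/storageAccounts", "location": "centralus",
     "properties": {"encryption": {"keySource": "Microsoft.Keyvault"}}},
    {"name": "scratchstore", "type": "Microsoft.Storage/storageAccounts", "location": "westus",
     "properties": {"encryption": {"keySource": "Microsoft.Storage"}}},
    {"name": "cjisdes", "type": "Microsoft.Compute/diskEncryptionSets", "location": "westeurope",
     "properties": {"encryptionType": "EncryptionAtRestWithPlatformKey"}},
]

if __name__ == "__main__":
    for control, msgs in audit(SAMPLE).items():
        print(f"{control}: {len(msgs)} finding(s)", *msgs, sep="\n  ")
```

In a real deployment the same checks are better enforced up front with Azure Policy deny effects; this script is the kind of independent evidence an agency can attach to its audit packet.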

Phase 3: Identity & Access Controls

Phishing-Resistant MFA: CJIS 6.0 raises the bar significantly. SMS and simple push notifications no longer suffice for privileged roles.

Implementation: Deploy Microsoft Entra ID and enforce FIDO2 security keys (like YubiKeys) or Certificate-Based Authentication (CBA) for all users accessing CJI. This aligns with the policy's Zero Trust principles by ensuring strong identity verification.

Phase 4: Continuous Monitoring & Detection

Unified Audit Logging: Agencies must retain audit logs for at least one year (or longer per state rules) and review them weekly.

Implementation:

  1. Enable Diagnostic Settings on all CJIS resources to stream logs to Azure Log Analytics Workspace
  2. Deploy Microsoft Sentinel for advanced threat detection and analytics
  3. Configure Sentinel analytic rules to detect anomalies like "Mass download of CJI" or "Access from foreign IP"
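As an added example, not a Sentinel analytic rule or Microsoft code, this script implements the two detections named in step 3 over constructed audit events: a sliding-window count of blob downloads per user, and access from a source IP outside the home country. The event shape and the IP-to-country table are assumptions standing in for StorageBlobLogs and Sentinel's geo enrichment.

```python
# Added example (not a Sentinel rule or Microsoft code): the detection logic the
# two Phase 4 analytic rules describe, run locally over constructed audit events.
# Event fields and the country lookup are assumptions; in Sentinel the same logic
# would be KQL over StorageBlobLogs / SigninLogs with the built-in geo enrichment.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, user, client IP, operation). Not real data.
EVENTS = [
    ("2025-01-15T09:00:00", "analyst@agency.example", "203.0.113.10", "GetBlob"),
    ("2025-01-15T09:00:05", "analyst@agency.example", "203.0.113.10", "GetBlob"),
    ("2025-01-15T09:00:10", "analyst@agency.example", "203.0.113.10", "GetBlob"),
    ("2025-01-15T09:00:15", "analyst@agency.example", "203.0.113.10", "GetBlob"),
    ("2025-01-15T09:00:20", "analyst@agency.example", "203.0.113.10", "GetBlob"),
    ("2025-01-15T09:00:25", "analyst@agency.example", "203.0.113.10", "GetBlob"),
    ("2025-01-15T10:30:00", "clerk@agency.example", "198.51.100.7", "GetBlob"),
    ("2025-01-15T11:00:00", "clerk@agency.example", "192.0.2.44", "GetBlob"),
]
# Stand-in for geo enrichment; a real deployment uses a GeoIP source.
IP_COUNTRY = {"203.0.113.10": "US", "198.51.100.7": "US", "192.0.2.44": "DE"}

def mass_download(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users whose GetBlob count in any sliding window exceeds threshold."""
    per_user = defaultdict(list)
    for ts, user, _ip, op in events:
        if op == "GetBlob":
            per_user[user].append(datetime.fromisoformat(ts))
    alerts = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 > threshold:
                alerts.append(user)
                break
    return alerts

def foreign_access(events, home="US"):
    """Flag (user, ip, country) for events whose source IP is outside the home country."""
    return [(u, ip, IP_COUNTRY.get(ip, "??")) for _ts, u, ip, _op in events
            if IP_COUNTRY.get(ip) != home]
```

Tune the threshold and window to each agency's baseline; the weekly log review the policy requires is where those baselines get validated.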

Phase 5: Endpoint & Mobile Security

Mobile Device Management: If CJI is accessed on mobile devices, CJIS 6.0 requires remote wipe and encryption capabilities.

Implementation:

  1. Enroll devices in Microsoft Intune
  2. Create compliance policies requiring BitLocker/FileVault encryption and complex PINs
  3. Configure App Protection Policies to prevent CJI from being copied to unmanaged applications

Phase 6: Documentation & Personnel Requirements

System Security Plan Updates: Your SSP must explicitly document that you're using encryption as the compensating control for the lack of vendor personnel screening.

Implementation: Document the CMK architecture in your CJIS audit packet and ensure your agency's "CJI Administrators" (who manage Azure keys) have met the policy's personnel screening requirements.

Making the Right Choice

Both paths offer valid routes to CJIS compliance, but the choice depends on your agency's specific needs:

Choose Azure Government if:

  • You prefer the simplest compliance path with minimal configuration burden
  • You need the broadest feature set without architectural constraints
  • Your agency values the traditional screening approach and wants Microsoft to handle most compliance responsibilities

Choose Azure Commercial if:

  • You need global scale and advanced Azure features not available in isolated regions
  • Your agency has strong security expertise and wants granular control over encryption and access
  • You're already invested in Azure Commercial and want to leverage existing infrastructure

Microsoft's Commitment

Regardless of your choice, Microsoft provides the tools necessary for CJIS 6.0 compliance. Azure Government offers the physically secure location and screened personnel, while Azure Commercial provides the technical controls—Entra ID, Azure Key Vault, and Microsoft Sentinel—to meet rigorous security demands.

The critical understanding: Microsoft provides the tools; your agency and state CSA determine compliance. This shared responsibility model means agencies must carefully evaluate their capabilities, risk tolerance, and compliance strategy when choosing between these paths.

The evolution from simple access control to Zero Trust represents a significant shift in how criminal justice agencies must think about security. Whether you choose the gold standard of Azure Government or the technical control path of Azure Commercial, success requires understanding these requirements and implementing them with precision.

For detailed implementation guidance, refer to the Microsoft CJIS Audit Scope & Personnel Screening documentation and the Azure Policy built-in definitions.
