This blog focuses on the technical controls required to use Azure Commercial for CJIS workloads. With the release of CJIS Security Policy 6.0 in late 2024, agencies now have a clear pathway to leverage Azure Commercial through Customer Managed Keys (CMK) and other advanced security measures, rather than relying solely on vendor personnel screening. However, it's critical to understand: Microsoft provides the tools; your agency and your state CJIS Systems Agency (CSA) determine compliance. 3/19/2026 Update Step 3.b-Confidential Computing Clarification: Azure Commercial and Customer Managed Key (CMK) encryption satisfy the requirements of the CJIS Security Policy but customers can choose to add an additional control through a Confidential Computing enclave.
Since 2014, United States criminal justice agencies have trusted Microsoft Azure Government to manage Criminal Justice Information (CJI). Built exclusively for regulated government data, it provides ...
Updated Mar 27, 2026
Version 3.0
Mike Smucny
Microsoft
Microsoft