azure gov (30 Topics)

Azure Government or Azure Commercial for CJIS 6.0: Choosing Your Compliance Path
Since 2014, United States criminal justice agencies have trusted Microsoft Azure Government to manage Criminal Justice Information (CJI). Built exclusively for regulated government data, it provides datacenters with physical, network, and logical isolation and is operated by CJIS-screened U.S. persons—the "gold standard" for compliance. However, we understand that flexibility is critical for modern agencies. As first announced with the release of CJIS Security Policy (CJISSECPOL) v5.9.1, agencies have the option to use Azure Commercial for CJIS workloads by relying on advanced technical controls in place of traditional personnel screening.

With the release of CJIS Security Policy 6.0, this hybrid landscape has evolved. The new policy moves beyond simple access control toward a "Zero Trust" framework that minimizes implicit trust, verifies every request, and requires continuous monitoring.

What's New in CJIS 6.0?

The 6.0 update (released late 2024) is a modernization overhaul. Key changes include:

Phishing-Resistant MFA: Strict requirements for FIDO2 or certificate-based authentication for all privileged access.
Continuous Monitoring: A shift from point-in-time audits to real-time threat detection and automated logging.
Supply Chain Risk Management: Enhanced vetting of third-party software and vendors.

The Choice: Azure Government or Azure Commercial

Criminal justice agencies can still choose between our two distinct offerings, but the "how" of compliance differs:

Azure Government: The path of personnel screening. Microsoft executes CJIS Management Agreements with state CJIS Systems Agencies that include their screening of Microsoft personnel. This offers the broadest feature set with the simplest compliance burden.
Azure Commercial: The path of technical controls. Because Azure Commercial support staff are not CJIS-screened, compliance relies on the agency implementing Customer Managed Key (CMK) encryption. This way, Microsoft cannot access unencrypted criminal justice information, effectively removing Microsoft staff from the scope of trust.

Our Commitment

Whether you choose the physically secure location of Azure Government or the global scale of Azure Commercial, Microsoft provides the tools—Entra ID, Azure Key Vault, and Microsoft Sentinel—to meet the rigorous demands of CJIS 6.0.

Step-by-Step Walkthrough for CJIS 6.0 in Azure Commercial

Managing CJI in Azure Commercial requires you to bridge the gap between "standard commercial security" and "CJIS compliance" using your own configurations. Because Microsoft Commercial staff are not CJIS-screened, you must ensure they can never see unencrypted data.

Phase 1: Foundation & Residency

Step 1: Restrict Data Residency
CJIS 6.0 mandates that CJI must not leave the United States.
Action: Deploy all Azure resources (compute, storage, disks, networking, monitoring, logging, backups, etc.) exclusively in US regions (e.g., East US, West US, Central US).
Policy: Use Azure Policy to deny the creation of resources in non-US regions to prevent accidental drift.
o Documentation: Tutorial: Manage tag governance with Azure Policy (see the "Allowed locations" built-in policy).
o Documentation: Azure Policy built-in definitions and assignment (Allowed locations).
o Documentation: Details of the "Allowed locations" policy definition.

Phase 2: The "Technical Control" (Encryption)

This is the most critical step for Azure Commercial.

Step 2: Implement Customer Managed Keys (CMK)
To meet CJIS requirements in Azure Commercial, which is operated by Microsoft personnel who aren't CJIS-screened, you must use encryption where you hold the keys and Microsoft has no access.
Action: Provision Azure Key Vault (Premium) or Managed HSM for FIPS 140-2 Level 2/3 compliance.
o Documentation: About Azure Key Vault Premium and HSMs.
o Documentation: Secure your Azure Managed HSM deployment.
Action: Generate your encryption keys within your HSM or import them from on-premises.
o Documentation: How to generate and transfer HSM-protected keys (BYOK).
Action: Configure Disk Encryption Sets and Storage Account encryption to use these keys. Do not use the default "Microsoft Managed Key" setting.
o Documentation: Server-side encryption of Azure Disk Storage (CMK).
o Documentation: Configure customer-managed keys for Azure Storage.
o Documentation: Services that support customer-managed keys (CMKs).

Step 3: Client-Side Encryption (For SaaS/PaaS)
For data processing, encryption should happen before data reaches Azure.
Action: Ensure applications encrypt CJI at the application layer before writing to databases (Azure SQL, Cosmos DB). This ensures that even a database admin with platform access sees only ciphertext.
o Documentation: Always Encrypted for Azure SQL Database.
o Documentation: Client-side encryption for Azure Cosmos DB.

Step 3b: Protecting CJI While In Use (Confidential Compute)
Azure Commercial with Customer Managed Key (CMK) encryption satisfies the requirements of the CJIS Security Policy, but customers can choose to add a further control through a Confidential Computing enclave. CJIS Security Policy 6.0 requires that Criminal Justice Information be protected while at rest, in transit, and in use. In Azure Commercial, once CJI is decrypted for processing by an application, traditional encryption controls (including CMK) no longer protect the data from platform-level access risks such as memory inspection, diagnostics, or hypervisor operations. To address this risk, agencies may implement Azure Confidential Computing, which uses hardware-backed Trusted Execution Environments (TEEs) to cryptographically isolate data in memory and prevent access by cloud provider personnel—even at the infrastructure layer.
o Documentation: Confidential Computing.
o Documentation: Confidential Compute Offerings.

Phase 3: Identity & Access (CJIS 6.0 Focus)

Step 4: Phishing-Resistant MFA
CJIS 6.0 raises the bar for Multi-Factor Authentication (MFA). SMS and simple push notifications may no longer suffice for privileged roles.
Action: Deploy Microsoft Entra ID (formerly Azure AD).
o Documentation: What is Microsoft Entra ID?
Action: Enforce FIDO2 security keys (such as YubiKeys) or Certificate-Based Authentication (CBA) for all users accessing CJI.
o Documentation: Enable passkeys (FIDO2) for your organization.
o Documentation: How to configure Certificate-Based Authentication in Entra ID.

Phase 4: Continuous Monitoring

Step 5: Unified Audit Logging
You must retain audit logs for at least one year (or longer, depending on state rules) and review them weekly.
Action: Enable Diagnostic Settings on all CJIS resources to stream logs to an Azure Log Analytics workspace.
o Documentation: Create diagnostic settings in Azure Monitor.
Action: Deploy Microsoft Sentinel on top of Log Analytics.
o Documentation: Quickstart: Onboard Microsoft Sentinel.
Action: Configure Sentinel analytic rules to detect anomalies (e.g., "Mass download of CJI," "Access from foreign IP").
o Documentation: Detect threats out-of-the-box with Sentinel analytics rules.

Phase 5: Endpoint & Mobile

Step 6: Mobile Device Management (MDM)
If CJI is accessed on mobile devices (MDTs, tablets), CJIS 6.0 requires remote wipe and encryption capability.
Action: Enroll devices in Microsoft Intune.
o Documentation: Enroll Windows devices in Intune.
o Documentation: Enroll iOS/iPadOS devices in Intune.
Action: Create a Compliance Policy requiring BitLocker/FileVault encryption and complex PINs.
o Documentation: Create a compliance policy in Microsoft Intune.
o Documentation: Manage BitLocker policy for Windows devices with Intune.
Action: Configure App Protection Policies to ensure CJI cannot be copied or pasted into unmanaged apps (such as personal email).
o Documentation: App protection policies overview.

Phase 6: Personnel & Documentation

Step 7: Update your SEIP/SSP
Since you are using Azure Commercial, your System Security Plan (SSP) must explicitly state that you are using encryption as the compensating control for the lack of vendor personnel screening.
Action: Document the CMK architecture in your CJIS audit packet.
Action: Ensure your agency's "CJI Administrators" (who manage the Azure keys) have met the policy's personnel screening requirements.
o Documentation: Microsoft CJIS Audit Scope & Personnel Screening (Reference).
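The walkthrough above is one procedure, so here is a single added Python example (not code from the original post or from Microsoft) that exercises three of its controls offline: it evaluates a deny rule modelled on the shape of the built-in "Allowed locations" definition against a resource inventory (Step 1), checks the storage-account and disk-encryption-set properties that distinguish the default Microsoft-managed key from a customer-managed key (Step 2), and runs two Sentinel-style detections, access from outside the US and mass download of CJI, over log events (Step 5). The inventory records, the log events and their field names, the alert thresholds, and the exact policy rule shape are assumptions; the property names and values keySource, encryptionType, Microsoft.Keyvault and EncryptionAtRestWithCustomerKey are the ones Azure Resource Manager exposes.

```python
"""Offline checks mirroring the walkthrough's controls. Added example, not
Microsoft's code: inventory and events are constructed samples, and the policy
rule only follows the shape of the built-in "Allowed locations" definition."""
from collections import defaultdict
from datetime import datetime, timedelta

US_REGIONS = ["eastus", "westus", "centralus"]  # Step 1: where CJI may reside

# Step 1: deny rule in the form Azure Policy uses (shape assumed, see above).
ALLOWED_LOCATIONS_RULE = {
    "if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"},
        {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"},
    ]},
    "then": {"effect": "deny"},
}

def _resolve(value, params):
    """Resolve the "[parameters('name')]" reference form; literals pass through."""
    if isinstance(value, str) and value.startswith("[parameters('"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def evaluate_condition(cond, resource, params):
    """Minimal evaluator for the allOf / notIn / notEquals operators used above."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    actual = resource.get(cond["field"])
    if "notIn" in cond:
        return actual not in _resolve(cond["notIn"], params)
    if "notEquals" in cond:
        return actual != _resolve(cond["notEquals"], params)
    raise ValueError(f"unsupported condition: {cond}")

def policy_effect(resource, params):
    """'deny' when the rule's condition matches the resource, otherwise 'allow'."""
    if evaluate_condition(ALLOWED_LOCATIONS_RULE["if"], resource, params):
        return ALLOWED_LOCATIONS_RULE["then"]["effect"]
    return "allow"

def uses_customer_managed_key(resource):
    """Step 2: True when encryption at rest uses a key the agency holds."""
    props = resource.get("properties", {})
    if resource["type"] == "Microsoft.Storage/storageAccounts":
        return props.get("encryption", {}).get("keySource") == "Microsoft.Keyvault"
    if resource["type"] == "Microsoft.Compute/diskEncryptionSets":
        return props.get("encryptionType") == "EncryptionAtRestWithCustomerKey"
    return True  # other resource types are outside this check

def posture_findings(inventory, allowed=US_REGIONS):
    """Return (resource name, problem) pairs for residency and CMK drift."""
    params = {"listOfAllowedLocations": allowed}
    findings = []
    for r in inventory:
        if policy_effect(r, params) == "deny":
            findings.append((r["name"], "location outside allowed US regions"))
        if not uses_customer_managed_key(r):
            findings.append((r["name"], "encryption uses Microsoft-managed key"))
    return findings

def detect_anomalies(events, download_threshold=50, window=timedelta(minutes=10)):
    """Step 5: Sentinel-style rules (foreign access, mass download) over events."""
    alerts, reads = [], defaultdict(list)
    for e in events:
        if e["country"] != "US":
            alerts.append((e["user"], f"CJI access from outside the US ({e['country']})"))
        if e["op"] == "GetBlob":
            reads[e["user"]].append(e["time"])
    for user, times in reads.items():
        times.sort()  # sliding window: any start time with >= threshold reads inside it
        if any(sum(1 for t in times[i:] if t - s <= window) >= download_threshold
               for i, s in enumerate(times)):
            alerts.append((user, "mass download of CJI"))
    return alerts

# Constructed inventory: compliant account, default-key account, disk encryption
# set created outside the US, and a legitimately "global" resource.
SAMPLE_INVENTORY = [
    {"name": "cjistoreeus", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
     "properties": {"encryption": {"keySource": "Microsoft.Keyvault"}}},
    {"name": "cjistoredefault", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
     "properties": {"encryption": {"keySource": "Microsoft.Storage"}}},
    {"name": "des-westeurope", "type": "Microsoft.Compute/diskEncryptionSets", "location": "westeurope",
     "properties": {"encryptionType": "EncryptionAtRestWithCustomerKey"}},
    {"name": "frontdoor-global", "type": "Microsoft.Network/frontDoors", "location": "global"},
]

# Constructed events: 60 blob reads in five minutes, three normal reads, one foreign sign-in.
T0 = datetime(2025, 1, 15, 9, 0)
SAMPLE_EVENTS = (
    [{"user": "analyst1", "country": "US", "op": "GetBlob", "time": T0 + timedelta(seconds=5 * i)} for i in range(60)]
    + [{"user": "analyst2", "country": "US", "op": "GetBlob", "time": T0 + timedelta(minutes=i)} for i in range(3)]
    + [{"user": "analyst3", "country": "RO", "op": "SignIn", "time": T0}]
)
```

Running posture_findings(SAMPLE_INVENTORY) flags the storage account left on the default "Microsoft.Storage" key source and the disk encryption set created in West Europe, while the "global" resource passes because the rule excludes that pseudo-location just as the built-in does; detect_anomalies(SAMPLE_EVENTS) raises one alert for the sign-in from outside the US and one for the 60 reads inside a ten-minute window. In a live deployment the inventory would come from Azure Resource Graph and the events from the Log Analytics workspace that Step 5 streams into, and the thresholds would be tuned to the agency's own baseline.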
Understanding Compliance Between Commercial, Government, DoD & Secret Offerings - July 2025 Update

There remains much confusion about which service best supports which standards. If you have CMMC, DFARS, ITAR, FedRAMP, CJIS, IRS, or other regulatory requirements and are trying to understand which service is the best fit for your organization, you should read this article.

Microsoft Reference Identity Architectures for the US Defense Industrial Base
The white paper "Microsoft Reference Identity Architectures for the US Defense Industrial Base" is the result of deep collaboration among the National Defense ISAC "MSCloud" Working Group. It provides the group's consensus on common challenges, coupled with guidance on potential ways to overcome those challenges.

DIB Embraces Cloud PCs: Streamlined Compliance, Risk Mitigation, and Cost Savings
Aerospace and Defense Distributor Embraces Cloud PCs: Streamlined Compliance, Risk Mitigation, and Cost Savings

Jaco Aerospace holds a pivotal role in the aerospace and defense industry. As a distributor, they serve a remarkably diverse clientele, including the Defense Industrial Base, airlines, Maintenance, Repair, and Overhaul (MRO) operations, general aviation, space exploration, rocketry, satellites, supersonic aircraft, lunar landers, Air-Taxi initiatives, and Defense Technology companies. This diversity brings heightened responsibilities, especially in meeting stringent compliance requirements. Beyond the standard distributor regulations, they have to adhere to rigorous standards such as the Federal Aviation Administration (FAA), the Department of Defense (DoD), AS9120, and the DoD's Cybersecurity Maturity Model Certification (CMMC). For a detailed breakdown of these requirements, check out their whitepaper here.

Early Adoption of Cloud PCs

Jaco Aerospace was an early adopter of cloud technology, transitioning their operations to Cloud PCs in February 2022. They recognized the transformative potential of cloud computing for IT infrastructure and firmly believe traditional PCs will soon become a thing of the past. By integrating Cloud PCs, they enhanced their AS9120-certified quality system, prioritizing risk reduction. The decision to migrate to the cloud in a post-COVID-19 world has unlocked numerous benefits, including:

Enhanced Compliance
Their operating environment meets the requirements of CMMC Level 1 (self-attestation). The straightforward in-house implementation enabled them to achieve and maintain compliance with ease.

Robust Cybersecurity
Cloud PCs help mitigate cybersecurity risks by enabling granular control over user permissions through conditional access policies. For example, they restrict most users' access to Microsoft apps on mobile devices, ensuring sensitive data remains secure.
Consistent User Experience
With Cloud PCs, they deliver a uniform user experience across the organization, improving productivity and streamlining workflows for all team members.

Cost Savings
The reduced need for IT-related user interactions and minimal hardware changes translate to significant cost savings in both the short and long term.

Increased Connectivity
Employees benefit from breakneck internet speeds when connecting to Cloud PCs, ensuring smooth and uninterrupted workflows. Furthermore, as they use Microsoft Teams for all phone communication, this speed results in high-quality calls not always found in their legacy VOIP solutions.

Scalable Resources
Cloud PCs allow them to dynamically scale memory and RAM based on individual user requirements, providing flexibility and operational efficiency.

Simplified Scalability for Growth
As their business grows, onboarding new employees is seamless. In rare employee departures, they can quickly offboard them and repurpose their equipment, ensuring a smooth transition.

Risk Mitigation in Action

The benefits of risk mitigation are often challenging to quantify, but recent events provided a clear example of its value. Their Valencia headquarters was in an evacuation zone during the Southern California wildfires. Thanks to their cloud infrastructure, employees swiftly transitioned to working from home by taking their thin client devices. Jaco Aerospace was required to maintain uninterrupted operations as a critical part of the Defense Industrial Base during COVID-19. At that time, the absence of a cloud-based system posed significant IT challenges. In contrast, during the wildfire evacuation, their team experienced just a one-hour disruption before resuming full operations—a stark difference that underscores the agility enabled by Cloud PCs.
Looking Ahead

At Jaco Aerospace, they see Cloud PCs (Windows 365) as a cornerstone of their future, enabling them to stay agile, secure, and ready to tackle any challenges that come their way. Whether it's meeting stringent compliance requirements or ensuring seamless business continuity during unexpected events, their transition to the cloud has proven to be an invaluable asset. With the upcoming release of Microsoft's Windows 365 Link, companies shifting to a Cloud PC environment will benefit from its affordability and the streamlined process of embracing this forward-looking technology. As the industry evolves, they remain dedicated to adopting innovative solutions that enhance operational efficiency and deliver unparalleled value to their customers.

Microsoft Modern Work, Security, and Surface Evangelist to Speak at Upcoming Cloud Security Event
The Cloud Security and Compliance Series (CS2) is the go-to event for DoD contractors leveraging the Microsoft Cloud who are looking to prepare for CMMC / DFARS compliance. Specifically, CS2 sessions will equip those in the Microsoft Gov Cloud with knowledge for CMMC assessment preparation, following the recent submission of the CMMC rule.