azure gov
28 Topics

Azure Government or Azure Commercial for CJIS 6.0: Choosing Your Compliance Path
Since 2014, United States criminal justice agencies have trusted Microsoft Azure Government to manage Criminal Justice Information (CJI). Built exclusively for regulated government data, it provides datacenters with physical, network, and logical isolation and is operated by CJIS-screened U.S. persons—the "gold standard" for compliance.

However, we understand that flexibility is critical for modern agencies. As first announced with the release of CJIS Security Policy (CJISSECPOL) v5.9.1, agencies have the option to utilize Azure Commercial for CJIS workloads by leveraging advanced technical controls in place of traditional personnel screening. With the release of CJIS Security Policy 6.0, this hybrid landscape has evolved. The new policy moves beyond simple access control toward a "Zero Trust" framework which minimizes implicit trust, verifies all requests, and requires continuous monitoring.

What’s New in CJIS 6.0?

The 6.0 update (released late 2024) is a modernization overhaul. Key changes include:

- Phishing-Resistant MFA: Strict requirements for FIDO2 or certificate-based authentication for all privileged access.
- Continuous Monitoring: A shift from point-in-time audits to real-time threat detection and automated logging.
- Supply Chain Risk Management: Enhanced vetting of third-party software and vendors.

The Choice: Azure Government or Azure Commercial:

Criminal Justice Agencies can still choose between our two distinct offerings, but the "How" of compliance differs:

- Azure Government: The path of personnel screening. Microsoft executes CJIS Management Agreements with state CJIS Systems Agencies that include their screening of Microsoft personnel. This offers the broadest feature set with the simplest compliance burden.
- Azure Commercial: The path of technical controls. Because Azure Commercial support staff are not CJIS-screened, compliance relies on an agency implementing Customer Managed Keys (CMK) encryption.
This way, Microsoft cannot access unencrypted criminal justice information, effectively removing Microsoft staff from the scope of trust.

Our Commitment

Whether you choose the physically secure location of Azure Government or the global scale of Azure Commercial, Microsoft provides the tools—Entra ID, Azure Key Vault, and Microsoft Sentinel—to meet the rigorous demands of CJIS 6.0.

Step-by-Step Walkthrough for CJIS 6.0 in Azure Commercial

Managing CJI in Azure Commercial requires you to bridge the gap between "standard commercial security" and "CJIS compliance" using your own configurations. Because Microsoft Commercial staff are not CJIS-screened, you must ensure they can never see unencrypted data.

Phase 1: Foundation & Residency

Step 1: Restrict Data Residency

CJIS 6.0 mandates that CJI must not leave the United States.

- Action: Deploy all Azure resources (compute, storage, disks, networking, monitoring, logging, backups, etc.) exclusively in US regions (e.g., East US, West US, Central US).
- Policy: Use Azure Policy to deny the creation of resources in non-US regions to prevent accidental drift.
  o Documentation: Tutorial: Manage tag governance with Azure Policy (See the concept of "Allowed Locations" built-in policy).
  o Documentation: Azure Policy built-in definitions and assignment (Allowed locations)
  o Documentation: Details of the "Allowed locations" policy definition.

Phase 2: The "Technical Control" (Encryption)

This is the most critical step for Azure Commercial.

Step 2: Implement Customer Managed Keys (CMK)

To meet CJIS requirements in Azure Commercial, which is operated by Microsoft personnel who aren’t CJIS-screened, you must use encryption where you hold the keys, and Microsoft has no access.

- Action: Provision Azure Key Vault (Premium) or Managed HSM for FIPS 140-2 Level 2/3 compliance.
  o Documentation: About Azure Key Vault Premium and HSMs.
  o Documentation: Secure your Azure Managed HSM deployment.
- Action: Generate your encryption keys within your HSM or import them from on-premises.
  o Documentation: How to generate and transfer HSM-protected keys (BYOK).
- Action: Configure Disk Encryption Sets and Storage Account Encryption to use these keys. Do not use the default "Microsoft Managed Key" setting.
  o Documentation: Server-side encryption of Azure Disk Storage (CMK).
  o Documentation: Configure customer-managed keys for Azure Storage.
  o Documentation: Services that support customer-managed keys (CMKs)

Step 3: Client-Side Encryption (For SaaS/PaaS)

For data processing, encryption should happen before data reaches Azure.

- Action: Ensure applications encrypt CJI at the application layer before writing to databases (SQL Azure, Cosmos DB). This ensures that even a database admin with platform access sees only ciphertext.

Step 3b (optional): Protecting CJI While In Use (Confidential Compute)

CJIS Security Policy 6.0 requires that Criminal Justice Information be protected while at rest, in transit, and in use. In Azure Commercial, once CJI is decrypted for processing by an application, traditional encryption controls (including CMK) no longer protect the data from platform-level access risks such as memory inspection, diagnostics, or hypervisor operations. To address this risk, agencies may implement Azure Confidential Computing, which uses hardware-backed Trusted Execution Environments (TEEs) to cryptographically isolate data in memory and prevent access by cloud provider personnel—even at the infrastructure layer.

  o Documentation: Always Encrypted for Azure SQL Database.
  o Documentation: Client-side encryption for Azure Cosmos DB.
  o Documentation: Confidential Computing
  o Documentation: Confidential Compute Offerings

Phase 3: Identity & Access (CJIS 6.0 Focus)

Step 4: Phishing-Resistant MFA

CJIS 6.0 raises the bar for Multi-Factor Authentication (MFA). SMS and simple push notifications may no longer suffice for privileged roles.
- Action: Deploy Microsoft Entra ID (formerly Azure AD).
  o Documentation: What is Microsoft Entra ID?
- Action: Enforce FIDO2 security keys (like YubiKeys) or Certificate-Based Authentication (CBA) for all users accessing CJI.
  o Documentation: Enable passkeys (FIDO2) for your organization.
  o Documentation: How to configure Certificate-Based Authentication in Entra ID.

Phase 4: Continuous Monitoring

Step 5: Unified Audit Logging

You must retain audit logs for at least one year (or longer depending on state rules) and review them weekly.

- Action: Enable Diagnostic Settings on all CJIS resources to stream logs to an Azure Log Analytics Workspace.
  o Documentation: Create diagnostic settings in Azure Monitor.
- Action: Deploy Microsoft Sentinel on top of Log Analytics.
  o Documentation: Quickstart: Onboard Microsoft Sentinel.
- Action: Configure Sentinel analytic rules to detect anomalies (e.g., "Mass download of CJI," "Access from foreign IP").
  o Documentation: Detect threats out-of-the-box with Sentinel analytics rules.

Phase 5: Endpoint & Mobile

Step 6: Mobile Device Management (MDM)

If CJI is accessed on mobile devices (MDTs, tablets), CJIS 6.0 requires remote wipe and encryption capability.

- Action: Enroll devices in Microsoft Intune.
  o Documentation: Enroll Windows devices in Intune.
  o Documentation: Enroll iOS/iPadOS devices in Intune.
- Action: Create a Compliance Policy requiring BitLocker/FileVault encryption and complex PINs.
  o Documentation: Create a compliance policy in Microsoft Intune.
  o Documentation: Manage BitLocker policy for Windows devices with Intune.
- Action: Configure "App Protection Policies" to ensure CJI cannot be copied/pasted into unmanaged apps (like personal email).
  o Documentation: App protection policies overview.
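
Added example, not part of the original post: a small audit for Steps 1 and 2 of the walkthrough that flags resources outside US regions or not encrypted with a customer-managed key. The inventory is constructed sample data shaped like `az storage account list` / `az disk list` output; the region allow-list and the function names are assumptions.

```python
import json

# Residency allow-list: US regions of Azure Commercial.
# Assumption: adjust to the regions your agency has actually approved.
US_REGIONS = {"eastus", "eastus2", "centralus", "northcentralus", "southcentralus",
              "westcentralus", "westus", "westus2", "westus3"}

# Constructed sample inventory (not real resources).
SAMPLE_INVENTORY = json.loads("""
[
 {"name": "stcjievidence", "type": "Microsoft.Storage/storageAccounts",
  "location": "eastus", "encryption": {"keySource": "Microsoft.Keyvault"}},
 {"name": "stcjiscratch", "type": "Microsoft.Storage/storageAccounts",
  "location": "westus2", "encryption": {"keySource": "Microsoft.Storage"}},
 {"name": "disk-rms-01", "type": "Microsoft.Compute/disks",
  "location": "canadacentral", "encryption": {"type": "EncryptionAtRestWithCustomerKey"}},
 {"name": "disk-cad-02", "type": "Microsoft.Compute/disks",
  "location": "Central US", "encryption": {"type": "EncryptionAtRestWithPlatformKey"}}
]
""")

def normalize_region(location):
    """Accept either the display form ('Central US') or the name ('centralus')."""
    return (location or "").replace(" ", "").lower()

def uses_cmk(resource):
    """True only when at-rest encryption is tied to a customer-managed key."""
    enc = resource.get("encryption") or {}
    rtype = resource.get("type", "").lower()
    if rtype == "microsoft.storage/storageaccounts":
        return (enc.get("keySource") or "").lower() == "microsoft.keyvault"
    if rtype == "microsoft.compute/disks":
        # Platform-key-only disks are the default and do not satisfy Step 2.
        return enc.get("type") in ("EncryptionAtRestWithCustomerKey",
                                   "EncryptionAtRestWithPlatformAndCustomerKeys")
    return False  # unknown resource type: fail closed so it gets reviewed

def audit(resources):
    """Return (resource name, issue) pairs for residency and CMK violations."""
    findings = []
    for r in resources:
        if normalize_region(r.get("location")) not in US_REGIONS:
            findings.append((r["name"], "non-US region"))
        if not uses_cmk(r):
            findings.append((r["name"], "no customer-managed key"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_INVENTORY):
        print(f"{name}: {issue}")
```

An audit like this only reports drift after the fact; the Azure Policy deny assignment from Step 1 is what blocks non-US deployments at creation time.
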
Phase 6: Personnel & Documentation

Step 7: Update your SEIP/SSP

Since you are using Azure Commercial, your System Security Plan (SSP) must explicitly state that you are using encryption as the compensating control for the lack of vendor personnel screening.

- Action: Document the CMK architecture in your CJIS audit packet.
- Action: Ensure your agency's "CJI Administrators" (who manage the Azure keys) have met the policy’s personnel screening requirements.
  o Documentation: Microsoft CJIS Audit Scope & Personnel Screening (Reference).

417 Views, 4 likes, 1 Comment

A CISO's Guide to Securing AI - Securing AI for Federal, DIB, and DoW Entities
Artificial Intelligence (AI) is rapidly reshaping federal missions, defense operations, and critical infrastructure. From intelligence analysis to logistics and cyber defense, AI’s transformative power is undeniable. Yet, with great power comes great responsibility and risk.

941 Views, 0 likes, 0 Comments

Join Microsoft at IACP 2025: Empower public safety operations with trusted AI
The International Association of Chiefs of Police (IACP) Annual Conference and Exposition is the premier global event for law enforcement leaders, bringing together more than 16,000 public safety professionals. This year, IACP 2025 takes place October 18–22 at the Colorado Convention Center in Denver, and Microsoft is proud to be part of the conversation.

As your trusted partner in public safety innovation, we invite you to connect with us at booth #362 to discover how Microsoft and our ecosystem of partners are helping agencies modernize operations, improve decision-making, and build safer communities through trusted AI.

Microsoft’s presence at IACP 2025 centers around three key pillars that reflect the evolving needs of law enforcement and public safety agencies:

- Empower the government workforce: Streamline workflows with secure AI copilots, enhance collaboration across departments, and boost efficiency with intuitive digital tools.
- Enable AI-driven decision making: Accelerate officer workflows with real-time insights and unify data to support faster, more informed decisions.
- Transform emergency response: Modernize communications, integrate systems for real-time situational awareness, and automate operations to improve coordination and outcomes.

Experience Innovation Firsthand

At booth #362, attendees can explore hands-on demos of Microsoft solutions including Microsoft 365 Copilot, Researcher and Analyst agents, and Copilot Studio agents tailored for first responders. These tools are designed to help agencies work smarter, respond faster, and serve communities more effectively. You’ll also have the opportunity to connect with our partners, Altia, DisasterTech, Insight, Pimloc, Remark, Revelen.AI, Triangula, and Zencos who are showcasing their solutions that support officer workflows, evidence management, reporting, and analytics.
Don’t miss the Emergency Response Platform vehicle demo, supported by Darley, Dejero, and 3AM which highlights how AI and real-time data can transform field operations and emergency response at the tactical edge.

Attend Our Thought Leadership Session

Join us for a featured education session in the Leadership Track: Is "Technology Sharing" the Key to Law Enforcement Innovation?

📅 Saturday, October 18
🕤 9:30 – 10:30 AM MT
📍 Room 505/506

This session explores how collaborative platforms and shared technology models can reduce costs, accelerate deployment, and improve outcomes across jurisdictions, offering a blueprint for scalable innovation.

Let’s Connect

We’d love to meet with you one-on-one to discuss your agency’s goals and challenges. Request a meeting with a Microsoft expert to explore how AI and cloud technologies can support your mission. Visit Microsoft at booth #362 to explore AI-powered public safety solutions and skilling opportunities. Together, we can build safer, more resilient communities through innovation.

171 Views, 0 likes, 0 Comments

Transforming Emergency Response: How AI is reshaping public safety
Newly released Smart City Trend Report: Discover how AI is transforming emergency response and public safety in cities worldwide.

In an era of escalating climate events, urban complexity, and rising public expectations, emergency response systems are under pressure like never before. From wildfires and floods to public health crises and infrastructure failures, cities must respond faster, smarter, and more collaboratively. The newly released Transform Emergency Response Trend Report offers a compelling roadmap for how artificial intelligence (AI) is helping cities meet these challenges head-on, by modernizing operations, improving situational awareness, and building resilient, resident-centered safety ecosystems.

As Dave Williams, Director of Global Public Safety and Justice at Microsoft, puts it:

AI models are increasingly embedded in public safety workflows to enhance both anticipation and real-time awareness. Predictive analytics are used to forecast crime hotspots, traffic incidents, and natural disasters by analyzing historical and real-time data, enabling proactive resource deployment and faster response times.

This transformation is not theoretical; it’s happening now. And at the upcoming Smart City Expo World Congress in Barcelona, November 4–6, Microsoft and leading technology innovators will showcase how AI is driving real-world impact across emergency services, law enforcement, and city operations.

Government AI Transformation in Action:

Oklahoma City Fire Department: Digitizing Operations for Faster Response

Serving over 700,000 residents, the Oklahoma City Fire Department (OKCFD) faced mounting challenges due to outdated, paper-based workflows. From rig inspections to fuel logging, manual processes slowed response times and increased risk. Partnering with AgreeYa Solutions and leveraging Microsoft Power Platform, OKCFD built 15+ custom mobile-first apps to digitize core operations.
The results were transformative:

- Helped drive a 40% reduction in manual tasks
- Real-time dashboards for leadership visibility
- Improved data accuracy and faster emergency response

This modernization not only boosted internal efficiency but also strengthened community trust by ensuring timely, reliable service delivery.

North Wales Fire and Rescue Service: Empowering Remote Teams with Secure Access

With 44 stations and a mix of full-time and on-call firefighters, North Wales Fire and Rescue Service (NWFRS) needed a better way to support staff across a wide geographic area. Their legacy on-premises systems limited remote access to critical data. By deploying a SharePoint-based intranet integrated with Microsoft 365 tools, NWFRS enabled secure, mobile access to documents, forms, and departmental updates.

- Improved communication and workflow efficiency
- Reduced travel time for on-call staff
- Enhanced compliance and data security

This shift empowered firefighters to stay informed and prepared—no matter where they were.

San Francisco Police Department: Real-Time Vehicle Recovery Reporting

Managing thousands of stolen vehicle cases annually, the San Francisco Police Department (SFPD) struggled with a slow, manual reporting process that delayed updates and eroded public trust. Using Microsoft Power Apps, SFPD built RESTVOS (Returning Stolen Vehicle to Owner System), allowing officers to update vehicle status in real time from the field.

- Helped reduce reporting time from 2 hours to 2 minutes
- Supported 500 officer hours saved per month
- Improved resident experience and reduced mistaken stops

This digital leap not only streamlined operations but also reinforced transparency and accountability.

Join Us in Barcelona: See Emergency Response in Action

At Smart City Expo World Congress 2025, Microsoft and our AI transformation partners will showcase emergency response AI transformation with immersive demos, theater sessions, and roundtable discussions.
Transform Emergency Response will be a central focus, showcasing how AI, cloud platforms, and agentic solutions are enabling cities to:

- Modernize emergency operation centers
- Enable real-time situational awareness
- Foster community engagement and trust

Featured AI demos from innovative partners:

- 3AM Innovations
- Disaster Tech
- PRATUS
- Sentient Hubs
- Tomorrow.io
- Unified Emergency Response with Microsoft Fabric and Copilot

These solutions are not just about technology; they’re about outcomes. They help cities cut response times, improve coordination, and build public trust.

Why This Matters Now

As Dave Williams emphasizes, the future of emergency response is not just faster, it’s smarter and more resilient:

Modern emergency response increasingly relies on unified data platforms that integrate inputs from IoT sensors, satellite imagery, social media, and agency databases. AI-powered analytics systems synthesize this data to support real-time decision-making and resource allocation across agencies.

Cities must also invest in governance frameworks, ethical AI policies, and inclusive design to ensure these technologies serve all residents fairly.

Let’s Connect

Whether you’re a city CIO, emergency services leader, or public safety innovator, we invite you to join us at Smart City Expo World Congress in Barcelona, November 4–6. Explore how Microsoft and its partners are helping cities transform emergency response and build safer, more resilient communities. Visit our booth at Hall 3, Stand #3D51, attend our theater sessions, and see AI transformation partners deliver demos on Transform Emergency Response. Together, we can reimagine public safety for the challenges of today and the possibilities of tomorrow.

427 Views, 0 likes, 0 Comments

Understanding Compliance Between Commercial, Government, DoD & Secret Offerings - July 2025 Update
Understanding compliance between Commercial, Government, DoD & Secret Offerings: There remains much confusion as to which service best supports which standards. If you have CMMC, DFARS, ITAR, FedRAMP, CJIS, IRS and other regulatory requirements and you are trying to understand which service is the best fit for your organization, then you should read this article.

67K Views, 5 likes, 7 Comments