For customers migrating to the cloud, compliance plays a significant role, especially in handling government data. Oracle is committed to assisting customers and addressing the challenges of a constantly changing and complex regulatory environment. This blog post focuses on the Criminal Justice Information Services (CJIS) Security Policy compliance and follows a series of blogs that explain the applicability of various security standards to government and commercial entities supporting criminal justice workloads in the cloud. This post aims to help customers looking to migrate existing or build new solutions on the Oracle Cloud Infrastructure (OCI) platform and managed services US Government regions.

An overview of CJIS

In the constantly evolving world of technology, now more than ever governments rely on service providers to help with business functions using information systems. Governments and contractors need to process sensitive federal information and turn to cloud service providers to increase velocity, scale, and return on investment.

The Criminal Justice Information Services (CJIS) Division of the US Federal Bureau of Investigation (FBI) was established in 1992 and comprises the largest division of the FBI. The division's standards for data security and encryption are intended for professionals in criminal justice and law enforcement at the local, state, and federal levels. CJIS data includes information used for detaining criminals, performing background checks, and tracking criminal activity.

With the objective of preventing cyberattacks, CJIS devised a set of standards to ensure best practices concerning wireless networks, remote access, data encryption, and multiple-step authentication. The primary goal of the standards in the CJIS Security Policy is to provide appropriate controls to protect the entire lifecycle of Criminal Justice Information (CJI), whether at rest or in transit.

The CJIS Security Policy requires multiple security controls that ensure that only authorized individuals have access to the Criminal Justice Information. Oracle provides building blocks that these public safety agencies can apply to build highly available and secure applications to meet the expectations of this policy. One foundational element of the CJIS Security Policy is the principle of least privilege, which is based on a “need-to-know, right-to-know” standard. Oracle customers can enforce this standard by securely encrypting their Criminal Justice Information and limiting all access to this information to only those with access to the encryption keys. Oracle also provides data masking and subsetting options within Oracle databases and the obfuscation of data to aid in designing data protection policies.
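As an added illustration of the "need-to-know, right-to-know" model described above (not code from the original post or from Oracle's documentation), the following OCI IAM policy fragment grants one group read access to a bucket of CJI objects while limiting encryption-key use to a single customer-managed key. The group name `CJI-Analysts`, the compartment name `CJI-Data`, and the key OCID are placeholders; the statements assume the bucket is configured to use that key from OCI Vault, so that reading an object is only possible for principals who can both read the bucket and use the key.

```text
# Constructed example: least-privilege access to CJI, scoped to one key.
# Only CJI-Analysts may read the objects, and only with the named key.
Allow group CJI-Analysts to read objects in compartment CJI-Data
Allow group CJI-Analysts to use keys in compartment CJI-Data where target.key.id = '<placeholder-key-OCID>'
# Key administration stays with a separate group so that analysts
# cannot rotate, disable, or export the key they are allowed to use.
Allow group CJI-Key-Admins to manage keys in compartment CJI-Data
```

Keeping the `use keys` and `manage keys` grants on different groups is the practical expression of least privilege here: the people who need to see CJI get decrypt capability for exactly one key, and the people who administer keys do not automatically gain access to the data. Audit events for both key use and object reads can then be reviewed against the roster of authorized personnel.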

Oracle Government Cloud compliance versus customer responsibility

Currently, no formal third-party assessed CJIS compliance program exists for IaaS/PaaS providers. Oracle US Government Cloud is continuously audited by an accredited Federal Risk and Authorization Management Program (FedRAMP) independent third-party assessment organization (3PAO). It supports the cloud computing needs of US federal, state, and local public sector agencies, the US Department of Defense (DoD), and approved commercial entities. Customers must demonstrate CJIS compliance and accredit the solutions that they build on OCI and platform-as-a-service (PaaS). Many controls can't be influenced or managed by the cloud provider; they are instead owned and operated by the customer.

The CJIS Security Policy defines 13 policy areas that organizations must evaluate to determine whether their use of cloud services complies with CJIS requirements. These areas map to NIST SP 800-53, the control catalog on which FedRAMP is based. Because the in-scope Oracle Government Cloud services already implement the FedRAMP requirements, they meet or exceed the requirements of many of these controls, and customers effectively inherit compliance with the controls that Oracle owns.

OCI services span applications and infrastructure solutions across software-as-a-service (SaaS), PaaS, and infrastructure-as-a-service (IaaS), making it easy for government agencies to digitally transform legacy mission systems securely, efficiently, and effectively. Customers can successfully migrate their critical workloads to our Oracle Government Cloud, knowing that Oracle can maintain compliance with US federal security requirements and continue to adapt.

Customers are responsible for analyzing their cloud strategy to determine the suitability of Oracle Cloud services in light of their regulatory compliance duties. Oracle has continuously proven to be one of the most outstanding government cloud service providers by meeting several compliance standards. We also have resources and a dedicated team to help you complete your journey to the cloud and your pursuit of multiple accreditation goals.

Want to know more?

For more information about CJIS, visit the division's official website. You can also visit the Oracle Cloud Infrastructure US Government Cloud documentation for specific information about Oracle Government Cloud instances.

Let us help you find the right option for your use case on Oracle Cloud Infrastructure. You can select either the Oracle Cloud Free Tier or a 30-day free trial in our commercial regions, which includes US$300 in credits to get you started with a range of services, including compute, storage, and networking. The Oracle Cloud Infrastructure regions dedicated to the Government consist of FedRAMP High-authorized regions for federal and civilian agencies and IL5-authorized regions for the Department of Defense (DoD). If you prefer Oracle Government Cloud, consult your Oracle sales representative for a proof of concept in the appropriate region.

For more information from our compliance series, see the following posts: