Criminal Justice Information Systems (CJIS) control package

This page describes the set of controls that are applied on CJIS workloads in Assured Workloads. It provides detailed information about data residency, supported Google Cloud products and their API endpoints, and any applicable restrictions or limitations on those products. The following additional information applies to CJIS:

  • Data residency: The CJIS control package sets data location controls to support US-only regions. See the Google Cloud-wide organization policy constraints section for more information.
  • Support: Technical support services for CJIS workloads are available with Enhanced or Premium Cloud Customer Care subscriptions. CJIS workloads support cases are routed to US Persons located in the US who have completed CJIS background checks. For more information, see Getting support.
  • Pricing: The CJIS control package is included in Assured Workloads' Premium tier, which incurs a 20% additional charge. See Assured Workloads pricing for more information.

Prerequisites

To remain compliant as a user of the CJIS control package, ensure that you satisfy and adhere to the following prerequisites:

  • Create a CJIS folder using Assured Workloads and deploy your CJIS workloads only in that folder.
  • Only enable and use in-scope CJIS services for CJIS workloads.
  • Don't change the default organization policy constraint values unless you understand and are willing to accept the data residency risks that might occur.
  • Consider adopting the general security best practices provided in the Google Cloud security best practices center.
  • When accessing the Google Cloud console, you have the option of using the Jurisdictional Google Cloud console. You are not required to use the Jurisdictional Google Cloud console for CJIS. It can be accessed at one of the following URLs:

Supported products and API endpoints

Unless otherwise noted, users can access all supported products through the Google Cloud console. Restrictions or limitations that affect the features of a supported product, including those that are enforced through organization policy constraint settings, are listed in the following table.

If a product is not listed, that product is unsupported and has not met the control requirements for CJIS. Unsupported products are not recommended for use without due diligence and a thorough understanding of your responsibilities in the shared responsibility model. Before using an unsupported product, ensure that you are aware of and are willing to accept any associated risks involved, such as negative impacts to data residency or data sovereignty.

Supported product | API endpoints | Restrictions or limitations
Access Context Manager | accesscontextmanager.googleapis.com | None
Access Transparency | accessapproval.googleapis.com | None
AlloyDB for PostgreSQL | alloydb.googleapis.com | None
Apigee | apigee.googleapis.com | None
Artifact Registry | artifactregistry.googleapis.com | None
BigQuery | bigquery.googleapis.com, bigquerydatapolicy.googleapis.com, bigquerymigration.googleapis.com, bigqueryreservation.googleapis.com, bigquerystorage.googleapis.com | Affected features
Bigtable | bigtable.googleapis.com, bigtableadmin.googleapis.com | None
Certificate Authority Service | privateca.googleapis.com | None
Cloud Build | cloudbuild.googleapis.com | None
Cloud Composer | composer.googleapis.com | None
Cloud DNS | dns.googleapis.com | Affected features
Cloud Data Fusion | datafusion.googleapis.com | None
Cloud External Key Manager (Cloud EKM) | cloudkms.googleapis.com | None
Cloud HSM | cloudkms.googleapis.com | None
Cloud Identity | cloudidentity.googleapis.com | None
Cloud Interconnect | compute.googleapis.com | Affected features
Cloud Key Management Service (Cloud KMS) | cloudkms.googleapis.com | Organization policy constraints
Cloud Load Balancing | compute.googleapis.com | Affected features
Cloud Logging | logging.googleapis.com | Affected features
Cloud Monitoring | monitoring.googleapis.com | Affected features
Cloud NAT | compute.googleapis.com | Affected features
Cloud OS Login API | oslogin.googleapis.com | None
Cloud Router | compute.googleapis.com | Affected features
Cloud Run | run.googleapis.com | Affected features
Cloud SQL | sqladmin.googleapis.com | None
Cloud Service Mesh | mesh.googleapis.com, meshca.googleapis.com, meshconfig.googleapis.com | None
Cloud Storage | storage.googleapis.com | None
Cloud Tasks | cloudtasks.googleapis.com | None
Cloud VPN | compute.googleapis.com | Affected features
Cloud Vision API | vision.googleapis.com | None
Cloud Workstations | workstations.googleapis.com | None
Compute Engine | compute.googleapis.com | Affected features and organization policy constraints
Connect | gkeconnect.googleapis.com | None
Sensitive Data Protection | dlp.googleapis.com | None
Dataflow | dataflow.googleapis.com, datapipelines.googleapis.com | None
Dataproc | dataproc-control.googleapis.com, dataproc.googleapis.com | None
Eventarc | eventarc.googleapis.com | None
Filestore | file.googleapis.com | None
Firebase Security Rules | firebaserules.googleapis.com | None
Firestore | firestore.googleapis.com | None
GKE Hub | gkehub.googleapis.com | None
GKE Identity Service | anthosidentityservice.googleapis.com | None
Generative AI on Vertex AI | aiplatform.googleapis.com | None
Google Cloud Armor | compute.googleapis.com, networksecurity.googleapis.com | Affected features
Google Kubernetes Engine (GKE) | container.googleapis.com, containersecurity.googleapis.com | None
Google Admin console | N/A | None
Identity and Access Management (IAM) | iam.googleapis.com | None
Identity-Aware Proxy (IAP) | iap.googleapis.com | None
Memorystore for Redis | redis.googleapis.com | None
Network Connectivity Center | networkconnectivity.googleapis.com | Affected features
Persistent Disk | compute.googleapis.com | None
Pub/Sub | pubsub.googleapis.com | None
Resource Manager | cloudresourcemanager.googleapis.com | None
Secret Manager | secretmanager.googleapis.com | None
Spanner | spanner.googleapis.com | Organization policy constraints
Speech-to-Text | speech.googleapis.com | Affected features
Storage Transfer Service | storagetransfer.googleapis.com | None
Text-to-Speech | texttospeech.googleapis.com | None
VPC Service Controls | accesscontextmanager.googleapis.com | None
Vertex AI Search | discoveryengine.googleapis.com | Affected features
Vertex AI Workbench | notebooks.googleapis.com | None
Virtual Private Cloud (VPC) | compute.googleapis.com | None

Restrictions and limitations

The following sections describe Google Cloud-wide or product-specific restrictions or limitations for features, including any organization policy constraints that are set by default on CJIS folders. Other applicable organization policy constraints, even if not set by default, can provide additional defense in depth to further protect your organization's Google Cloud resources.

Google Cloud-wide

Affected Google Cloud-wide features

Feature Description
Google Cloud console To access the Google Cloud console when using the CJIS control package, you have the option of using the Jurisdictional Google Cloud console. The Jurisdictional Google Cloud console is not required for CJIS, and can be accessed using one of the following URLs:
For more information, see the Jurisdictional Google Cloud console page.

Google Cloud-wide organization policy constraints

The following organization policy constraints apply across Google Cloud.

Organization policy constraint Description
gcp.resourceLocations Set to the following locations in the allowedValues list:
  • us-locations
  • us-central1
  • us-central2
  • us-east1
  • us-east4
  • us-east5
  • us-south1
  • us-west1
  • us-west2
  • us-west3
  • us-west4
This value restricts creation of new resources to the selected values. When set, no resources can be created in any other regions, multi-regions, or locations outside of the selection. See Resource locations supported services for a list of resources that can be restricted by the Resource Locations organization policy constraint, as some resources may be out of scope and unrestrictable.

Changing this value by making it less restrictive potentially undermines data residency by allowing data to be created or stored outside of a compliant data boundary.
gcp.restrictCmekCryptoKeyProjects Set to under:organizations/your-organization-name, which is your Assured Workloads organization. You can further restrict this value by specifying a project or folder.

Limits the scope of approved folders or projects that can provide Cloud KMS keys for encrypting at-rest data using CMEK. This constraint prevents unapproved folders or projects from providing encryption keys, thus helping to guarantee data sovereignty for in-scope services' at-rest data.
gcp.restrictNonCmekServices Set to a list of all in-scope API service names, including:
  • bigquery.googleapis.com
  • compute.googleapis.com
  • container.googleapis.com
  • logging.googleapis.com
  • sqladmin.googleapis.com
  • storage.googleapis.com
Some features may be affected for each of the services listed above.

Each listed service requires customer-managed encryption keys (CMEK). With CMEK, at-rest data is encrypted with a key that you manage rather than with Google's default encryption mechanism.

Changing this value by removing one or more in-scope services from the list may undermine data sovereignty, because new at-rest data will be automatically encrypted using Google's own keys instead of yours. Existing at-rest data will remain encrypted by the key you provided.
gcp.restrictServiceUsage Set to allow all supported products and API endpoints.

Determines which services can be used by restricting runtime access to their resources. For more information, see Restricting resource usage.
gcp.restrictTLSVersion Set to deny the following TLS versions:
  • TLS_1_0
  • TLS_1_1
See the Restrict TLS versions page for more information.
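The values in this table (together with the Cloud KMS, Compute Engine and Spanner constraints in the sections that follow) are what Assured Workloads sets on the folder; an administrator with enough permission can still widen them, which is exactly the drift the warnings above describe. The script below is an added example, not code from this documentation or from Google: it compares exported policies against the CJIS defaults listed on this page and reports every deviation. It assumes each policy is the JSON returned by `gcloud org-policies describe CONSTRAINT --folder=FOLDER_ID --effective --format=json` (the spec/rules shape); the folder and organization IDs in its sample data are constructed, not real.

```python
"""Drift check for the organization policy constraints that the CJIS package
sets by default on an Assured Workloads folder (the values listed above).

Added example, not code from the Google Cloud documentation. It assumes each
policy is the JSON that `gcloud org-policies describe CONSTRAINT
--folder=FOLDER_ID --format=json` returns: {"name": ..., "spec": {"rules":
[{"values": {"allowedValues"|"deniedValues": [...]}} or {"enforce": bool}]}}.
"""

CJIS_LOCATIONS = {"us-locations", "us-central1", "us-central2", "us-east1",
                  "us-east4", "us-east5", "us-south1", "us-west1", "us-west2",
                  "us-west3", "us-west4"}
CMEK_REQUIRED = {"bigquery.googleapis.com", "compute.googleapis.com",
                 "container.googleapis.com", "logging.googleapis.com",
                 "sqladmin.googleapis.com", "storage.googleapis.com"}
DENIED_TLS = {"TLS_1_0", "TLS_1_1"}
KMS_LEVELS = {"SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC"}
ENFORCED_BOOLEANS = ("compute.disableInstanceDataAccessApis",
                     "compute.disableGlobalCloudArmorPolicy",
                     "spanner.disableMultiRegionInstanceIfNoLocationSelected")


def _rules(policy):
    return (policy or {}).get("spec", {}).get("rules", [])


def _values(policy, key):
    """Union of allowedValues or deniedValues across all rules of a policy."""
    return {v for r in _rules(policy) for v in r.get("values", {}).get(key, [])}


def check_cjis_policies(policies):
    """policies: {constraint: describe-JSON}. Returns drift findings; an empty
    list means the folder still matches the CJIS defaults on this page."""
    findings = []
    # gcp.resourceLocations: only US locations. Live values carry an "in:"
    # prefix (e.g. "in:us-locations"), which the page omits; strip it.
    locs = {v.removeprefix("in:") for v in
            _values(policies.get("gcp.resourceLocations"), "allowedValues")}
    if not locs:
        findings.append("gcp.resourceLocations: no allowedValues (unrestricted)")
    findings += [f"gcp.resourceLocations: non-CJIS location {v}"
                 for v in sorted(locs - CJIS_LOCATIONS)]
    # gcp.restrictCmekCryptoKeyProjects: only under:organizations/folders/projects.
    scopes = _values(policies.get("gcp.restrictCmekCryptoKeyProjects"), "allowedValues")
    if not scopes or not all(s.startswith("under:") for s in scopes):
        findings.append("gcp.restrictCmekCryptoKeyProjects: not limited to under: scopes")
    # gcp.restrictNonCmekServices: the in-scope services are its deniedValues.
    cmek = _values(policies.get("gcp.restrictNonCmekServices"), "deniedValues")
    findings += [f"gcp.restrictNonCmekServices: {s} no longer requires CMEK"
                 for s in sorted(CMEK_REQUIRED - cmek)]
    # gcp.restrictTLSVersion: TLS 1.0 and 1.1 must stay denied.
    tls = _values(policies.get("gcp.restrictTLSVersion"), "deniedValues")
    findings += [f"gcp.restrictTLSVersion: {v} is not denied"
                 for v in sorted(DENIED_TLS - tls)]
    # cloudkms.allowedProtectionLevels: non-empty and within the listed levels.
    levels = _values(policies.get("cloudkms.allowedProtectionLevels"), "allowedValues")
    if not levels:
        findings.append("cloudkms.allowedProtectionLevels: no allowedValues (unrestricted)")
    findings += [f"cloudkms.allowedProtectionLevels: unexpected level {v}"
                 for v in sorted(levels - KMS_LEVELS)]
    # Boolean constraints the package sets to True.
    findings += [f"{name}: not enforced" for name in ENFORCED_BOOLEANS
                 if not any(r.get("enforce") is True for r in _rules(policies.get(name)))]
    return findings


def _policy(name, **rule):
    """One describe-style policy document (constructed sample data)."""
    return {"name": f"folders/000000000000/policies/{name}", "spec": {"rules": [rule]}}


# Constructed sample: a folder that still matches the CJIS defaults.
COMPLIANT = {
    "gcp.resourceLocations": _policy("gcp.resourceLocations",
        values={"allowedValues": ["in:" + loc for loc in sorted(CJIS_LOCATIONS)]}),
    "gcp.restrictCmekCryptoKeyProjects": _policy("gcp.restrictCmekCryptoKeyProjects",
        values={"allowedValues": ["under:organizations/000000000000"]}),
    "gcp.restrictNonCmekServices": _policy("gcp.restrictNonCmekServices",
        values={"deniedValues": sorted(CMEK_REQUIRED)}),
    "gcp.restrictTLSVersion": _policy("gcp.restrictTLSVersion",
        values={"deniedValues": sorted(DENIED_TLS)}),
    "cloudkms.allowedProtectionLevels": _policy("cloudkms.allowedProtectionLevels",
        values={"allowedValues": sorted(KMS_LEVELS)}),
    **{name: _policy(name, enforce=True) for name in ENFORCED_BOOLEANS},
}

# Constructed sample: the same folder after an admin widened two constraints.
DRIFTED = dict(COMPLIANT)
DRIFTED["gcp.resourceLocations"] = _policy("gcp.resourceLocations",
    values={"allowedValues": ["in:us-locations", "in:europe-west1"]})
DRIFTED["gcp.restrictNonCmekServices"] = _policy("gcp.restrictNonCmekServices",
    values={"deniedValues": ["bigquery.googleapis.com", "storage.googleapis.com"]})

if __name__ == "__main__":
    for label, pols in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(label, check_cjis_policies(pols) or "no drift")
```

An empty result means the folder still matches the defaults; each finding names the constraint and the value that moved it away from them, which is what to investigate before the Assured Workloads monitoring dashboard reports the folder as non-compliant. Note that the check reads the effective policy, so a constraint loosened at the organization level and inherited by the folder is caught as well.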

BigQuery

Affected BigQuery features

Feature Description
Enabling BigQuery on a new folder BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete the following steps:
  1. In the Google Cloud console, go to the Assured Workloads page.

    Go to Assured Workloads

  2. Select your new Assured Workloads folder from the list.
  3. On the Folder Details page in the Allowed services section, click Review Available Updates.
  4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

    If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care.

After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

Gemini in BigQuery is not supported by Assured Workloads.

Unsupported features The following BigQuery features are not supported and should not be used in the BigQuery CLI. It is your responsibility not to use them in BigQuery for Assured Workloads.
BigQuery CLI The BigQuery CLI is supported.

Google Cloud SDK You must use Google Cloud SDK version 403.0.0 or newer to maintain data regionalization guarantees for technical data. Run gcloud --version to check your current Google Cloud SDK version, and gcloud components update to update to the newest version.
Administrator controls BigQuery will disable unsupported APIs but administrators with sufficient permissions to create an Assured Workloads folder can enable an unsupported API. If this occurs, you will be notified of potential non-compliance through the Assured Workloads monitoring dashboard.
Loading data BigQuery Data Transfer Service connectors for Google Software as a Service (SaaS) apps, external cloud storage providers, and data warehouses are not supported. It is your responsibility not to use BigQuery Data Transfer Service connectors for CJIS workloads.
Third-party transfers BigQuery does not verify support for third-party transfers for the BigQuery Data Transfer Service. It is your responsibility to verify support when using any third-party transfer for the BigQuery Data Transfer Service.
Non-compliant BQML models Externally-trained BQML models are not supported.
Query jobs Query jobs should only be created within Assured Workloads folders.
Queries on datasets in other projects BigQuery does not prevent Assured Workloads datasets from being queried from non-Assured Workloads projects. Ensure that any query that reads or joins Assured Workloads data runs in a project within an Assured Workloads folder. In the BigQuery CLI, you can specify a fully qualified table name for your query result using projectname.dataset.table.
Cloud Logging BigQuery utilizes Cloud Logging for some of your log data. You should disable your _default logging buckets or restrict _default buckets to in-scope regions to maintain compliance using the following command:

gcloud alpha logging settings update --organization=ORGANIZATION_ID --disable-default-sink

See Regionalize your logs for more information.
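The "Queries on datasets in other projects" row above describes a gap BigQuery leaves to you: nothing stops a job in a project outside the CJIS folder from reading a dataset inside it, so detecting that is your responsibility. The script below is an added example, not code from this documentation or from Google. It scans BigQuery data-access audit log entries and reports jobs that ran in a non-CJIS project but referenced a CJIS table. It assumes the entries are Cloud Logging JSON in the BigQueryAuditMetadata format, with the referenced tables under protoPayload.metadata.jobChange.job.jobStats.queryStats.referencedTables as projects/PROJECT/datasets/DATASET/tables/TABLE; the project IDs, principals and log lines are constructed sample data. A VPC Service Controls perimeter around the folder's projects (VPC Service Controls is in the supported list above) is the preventive control; this check is the detective one.

```python
"""Detective check for BigQuery jobs that run in a project outside the CJIS
folder but read tables that live inside it.

Added example, not code from the Google Cloud documentation. Assumes BigQuery
data-access audit log entries (Cloud Logging JSON) in the BigQueryAuditMetadata
format; the project IDs, principals and log lines below are constructed.
"""
import json

# Projects that live inside the CJIS Assured Workloads folder (constructed).
CJIS_PROJECTS = {"cjis-analytics-prod", "cjis-ingest-prod"}


def _dig(obj, *keys):
    """Walk nested dicts, returning {} for any missing or non-dict step."""
    for k in keys:
        obj = obj.get(k, {}) if isinstance(obj, dict) else {}
    return obj if isinstance(obj, dict) else {}


def referenced_projects(entry):
    """Project IDs of every table a completed query job referenced."""
    tables = _dig(entry, "protoPayload", "metadata", "jobChange", "job",
                  "jobStats", "queryStats").get("referencedTables", [])
    projects = set()
    for name in tables:
        parts = name.split("/")
        if len(parts) >= 2 and parts[0] == "projects":
            projects.add(parts[1])
    return projects


def find_cross_boundary_reads(log_lines, cjis_projects):
    """Return (job_project, principal, [cjis_projects_read]) for each job that
    ran outside the CJIS folder yet touched a table inside it."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        job_project = _dig(entry, "resource", "labels").get("project_id")
        inside = referenced_projects(entry) & cjis_projects
        if inside and job_project not in cjis_projects:
            principal = _dig(entry, "protoPayload", "authenticationInfo").get(
                "principalEmail", "unknown")
            findings.append((job_project, principal, sorted(inside)))
    return findings


def _job_entry(project, principal, tables):
    """Build one minimal audit log entry (constructed sample data)."""
    return json.dumps({
        "resource": {"type": "bigquery_project", "labels": {"project_id": project}},
        "protoPayload": {
            "authenticationInfo": {"principalEmail": principal},
            "metadata": {"jobChange": {"after": "DONE", "job": {
                "jobStats": {"queryStats": {"referencedTables": tables}}}}},
        },
    })


SAMPLE_LOG_LINES = [
    # A job inside the folder reading its own data: expected.
    _job_entry("cjis-analytics-prod", "analyst@example.com",
               ["projects/cjis-analytics-prod/datasets/cases/tables/incidents"]),
    # A sandbox project joining CJIS data with its own: the finding.
    _job_entry("sandbox-dev", "dev@example.com",
               ["projects/sandbox-dev/datasets/scratch/tables/lookup",
                "projects/cjis-analytics-prod/datasets/cases/tables/incidents"]),
    # A sandbox job that never touches CJIS data: ignored.
    _job_entry("sandbox-dev", "dev@example.com",
               ["projects/sandbox-dev/datasets/scratch/tables/lookup"]),
]

if __name__ == "__main__":
    for project, who, read in find_cross_boundary_reads(SAMPLE_LOG_LINES, CJIS_PROJECTS):
        print(f"{who} ran a job in {project} that read CJIS data from {', '.join(read)}")
```

Feed it newline-delimited entries exported from Cloud Logging (for example from a log sink, which per the Cloud Logging section below must itself use a filter that contains no Customer Data) and keep CJIS_PROJECTS in step with the projects actually under the folder; the match is on referenced tables rather than on the query text, so it also catches reads done through views.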

Compute Engine

Affected Compute Engine features

Feature Description
Suspending and resuming a VM instance This feature is disabled.

Suspending and resuming a VM instance requires persistent disk storage, and persistent disk storage used for storing the suspended VM state cannot currently be encrypted by using CMEK. See the gcp.restrictNonCmekServices organization policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature.
Local SSDs This feature is disabled.

You will be unable to create an instance with Local SSDs because they currently cannot be encrypted by using CMEK. See the gcp.restrictNonCmekServices organization policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature.
Guest environment It is possible for scripts, daemons, and binaries that are included with the guest environment to access unencrypted at-rest and in-use data. Depending on your VM configuration, updates to this software may be installed by default. See Guest environment for specific information about each package's contents, source code, and more.

These components help you meet data sovereignty through internal security controls and processes. However, if you want additional control, you can also curate your own images or agents and optionally use the compute.trustedImageProjects organization policy constraint.

See the Building a custom image page for more information.
instances.getSerialPortOutput() This API is disabled; you will be unable to get serial port output from the specified instance using this API.

Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port by following the instructions in Enabling access for a project.
instances.getScreenshot() This API is disabled; you will be unable to get a screenshot from the specified instance using this API.

Change the compute.disableInstanceDataAccessApis organization policy constraint value to False to enable this API. You can also enable and use the interactive serial port by following the instructions in Enabling access for a project.

Compute Engine organization policy constraints

Organization policy constraint Description
compute.disableGlobalCloudArmorPolicy Set to True.

Disables the creation of new global Google Cloud Armor security policies, and the addition or modification of rules to existing global Google Cloud Armor security policies. This constraint doesn't restrict the removal of rules or the ability to remove or change the description and listing of global Google Cloud Armor security policies. Regional Google Cloud Armor security policies are unaffected by this constraint. All global and regional security policies that exist prior to the enforcement of this constraint remain in effect.

compute.disableInstanceDataAccessApis Set to True.

Globally disables the instances.getSerialPortOutput() and instances.getScreenshot() APIs.

Enabling this constraint prevents you from generating credentials on Windows Server VMs.

If you need to manage a username and password on a Windows VM, do the following:
  1. Enable SSH for Windows VMs.
  2. Run the following command to change the VM's password:
      gcloud compute ssh VM_NAME --command "net user USERNAME PASSWORD"
    Replace the following:
    • VM_NAME: The name of the VM you're setting the password for.
    • USERNAME: The username of the user who you're setting the password for.
    • PASSWORD: The new password.
    Because the password is passed as a command-line argument, it is recorded in your local shell history and is briefly visible in the VM's process list while net user runs; clear it from your history afterwards and treat it as a password to rotate rather than a long-lived secret.
compute.restrictNonConfidentialComputing (Optional) Value is not set. Set this value to provide additional defense in depth. See the Confidential VM documentation for more information.

compute.trustedImageProjects (Optional) Value is not set. Set this value to provide additional defense in depth.

Setting this value constrains image storage and disk instantiation to the specified list of projects. This value affects data sovereignty by preventing use of any unauthorized images or agents.

Cloud Interconnect

Affected Cloud Interconnect features

Feature Description
High-availability (HA) VPN You must enable high-availability (HA) VPN functionality when using Cloud Interconnect with Cloud VPN. Additionally, you must adhere to the encryption and regionalization requirements listed in the Affected Cloud VPN features section.

Cloud KMS

Cloud KMS organization policy constraints

Organization policy constraint Description
cloudkms.allowedProtectionLevels Set to allow creation of Cloud Key Management Service CryptoKeys with the following protection levels:
  • SOFTWARE
  • HSM
  • EXTERNAL
  • EXTERNAL_VPC
See Protection levels for more information.

Cloud Logging

Affected Cloud Logging features

Feature Description
Log sinks Filters shouldn't contain Customer Data.

Log sinks include filters which are stored as configuration. Don't create filters that contain Customer Data.
Live tailing log entries Filters shouldn't contain Customer Data.

A live tailing session includes a filter which is stored as configuration. Tailing logs doesn't store any log entry data itself, but can query and transmit data across regions. Don't create filters that contain Customer Data.

Cloud Monitoring

Affected Cloud Monitoring features

Feature Description
Synthetic Monitor This feature is disabled.
Uptime checks This feature is disabled.
Log panel widgets in Dashboards This feature is disabled.

You cannot add a log panel to a dashboard.
Error reporting panel widgets in Dashboards This feature is disabled.

You cannot add an error reporting panel to a dashboard.
Filter in EventAnnotation for Dashboards This feature is disabled.

Filter of EventAnnotation cannot be set in a dashboard.
SqlCondition in alertPolicies This feature is disabled.

You cannot add a SqlCondition to an alertPolicy.

Cloud Run

Affected Cloud Run features

Feature Description
Unsupported features The following Cloud Run features aren't supported:

Cloud VPN

Affected Cloud VPN features

Feature Description
VPN endpoints You must use only Cloud VPN endpoints that are located in the US. Ensure that your VPN gateway is configured for use in a US region only.

Google Cloud Armor

Affected Google Cloud Armor features

Feature Description
Globally scoped security policies This feature is disabled by the compute.disableGlobalCloudArmorPolicy organization policy constraint.

Spanner

Spanner organization policy constraints

Organization policy constraint Description
spanner.disableMultiRegionInstanceIfNoLocationSelected Set to True.

Disables the ability to create multi-region Spanner instances to enforce data residency and data sovereignty.

Speech-to-Text

Affected Speech-to-Text features

Feature Description
Custom Speech-to-Text models It is your responsibility not to use Custom Speech-to-Text models because they are not compliant with CJIS.

Vertex AI Search

Affected Vertex AI Search features

Feature Description
Search tuning It is your responsibility not to use the Vertex AI Search search tuning feature because it is not compliant with CJIS.
Generic recommendations It is your responsibility not to use the Vertex AI Search generic recommendations feature because it is not compliant with CJIS.
Media recommendations It is your responsibility not to use the Vertex AI Search media recommendations feature because it is not compliant with CJIS.

What's next