Using MongoDB Atlas for Criminal Justice Information Solutions

Securing Criminal Justice Information (CJI) and maintaining compliance with the CJIS Security Policy requires that only authorized individuals have access to the CJI. MongoDB Atlas for Government (US) provides necessary security measures and tools that public sector agencies can utilize to build secure applications in alignment with CJIS security policies.

The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. This Policy applies to every individual—contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity—with access to, or who operates in support of, criminal justice services and information.

MongoDB Atlas for Government (US) provides strong technical controls to protect data throughout its lifecycle: in use, in transit, and at rest. Moreover, Atlas for Government runs in a dedicated environment built for US government requirements, with strong security features built in by default.


What is CJIS Security Policy?

The CJIS Security Policy contains information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI). For more in-depth security controls, please refer to the CJIS Security Policy.

Is MongoDB CJIS Compliant?

There is no standardized accreditation or assessment for CJIS compliance. There are set security standards and controls laid out in the CJIS Security Policy and MongoDB is committed to helping customers meet those requirements. Additionally, MongoDB engaged an independent auditor to evaluate how MongoDB Atlas for Government (US) aligns with CJIS requirements. This attestation letter is available to customers subject to CJIS requirements by request.

How does MongoDB comply with encryption at-rest requirements?

MongoDB Atlas for Government uses always-on encryption at rest for disk/volume level encryption with AES 256 symmetric encryption. Additionally, it allows the use of strong database-level encryption for sensitive workloads via the WiredTiger Encrypted Storage Engine, also with AES 256. The use of self-managed keys with the WiredTiger Encrypted Storage Engine can help customers achieve additional levels of confidentiality and data segmentation.

How does MongoDB comply with encryption in transit requirements?

MongoDB supports TLS/SSL (Transport Layer Security/Secure Sockets Layer) to encrypt all of MongoDB's network traffic. TLS/SSL ensures that MongoDB network traffic is only readable by the intended client. The default version of supported TLS is v1.2.

Does MongoDB Atlas for Government (US) meet FIPS 140-2 requirements?

Yes. MongoDB Atlas for Government (US) is built on AWS GovCloud and AWS US Regions and meets all FIPS 140-2 requirements out of the box without any additional configuration.

This page is for informational purposes only, and MongoDB does not intend the information or recommendations presented here to constitute legal advice. Each customer is responsible for independently evaluating its own particular use of MongoDB's services as appropriate to support its legal and compliance obligations.
