
Modern law enforcement agencies handle highly sensitive Criminal Justice Information (CJI) that requires secure, CJIS-compliant identity management and authentication.
With growing cyber threats, the Criminal Justice Information Services (CJIS) Security Policy sets stringent security standards. Law enforcement agencies are required to follow these criteria to strengthen data security, user authentication, credential protection, and access management.
This article discusses the most recent CJIS Authentication requirements, such as the 2024 MFA requisite and best practices in CJIS identity management throughout law enforcement agencies.
MFA Requirements for CJIS Authentication
Agencies must use multi-factor authentication (MFA) to access criminal justice information as of October 1, 2024.
The CJIS Security Policy v5.9.2 directs agencies to authenticate users using two of the following factors:
- Something you know: password or PIN
- Something you have: hardware token, mobile authenticator app
- Something you are: biometrics such as fingerprint or face identification
CJIS currently mandates Authenticator Assurance Level 2 (AAL2) for organizational users, enhancing their protection against credential theft and phishing-related attacks.
In line with this, law enforcement agencies need to implement phishing-resistant MFA, such as:
- Hardware security keys
- Authorized certified mobile authenticator applications
- Cryptographically validated smart cards
Take note that SMS-based one-time passwords don’t meet CJIS standards, so they shouldn’t be used for accessing CJI.
While these authentication methods provide security, understanding the different types of MFA factors helps agencies select the most appropriate options for their needs.

Understanding MFA Factors
Multi-factor authentication in law enforcement is invaluable as it decreases the risk of unauthorized access by demanding several proofs of identity.
The key MFA categories are:
- Knowledge Factors: passwords, PINs, security questions
- Possession Factors: smart cards, mobile authenticator apps, hardware keys
- Inherence Factors: fingerprint scans, face ID, voice biometrics
Even though MFA reinforces defenses, not all MFA methods are equally strong. SMS codes are susceptible to SIM jacking and phishing, making them unfit for CJIS environments.
Agencies need to select MFA options that are difficult to intercept to dramatically reduce the risk of credential theft. To further enhance security and balance user experience, agencies can implement risk-based or adaptive authentication systems.
Risk-Based or Adaptive Authentication
On top of MFA, risk-based or adaptive authentication improves security for law enforcement agencies.
These systems compute a risk score from the real-time login context, including:
- Device and browser info
- Login location
- Time of access
- User behavior patterns
- Recent failed login attempts
If the system notices something suspicious, such as a sign-in from an unfamiliar location, risk-based authentication automatically steps up authentication by demanding a biometric scan or hardware token.
Risk-based access control is in line with the CJIS aim of preventing unauthorized access while reducing unnecessary friction for authorized users.
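The step-up decision described above, written out as an added example (not code from PsPortals or the CJIS policy): the login signals are scored, and the presented authenticators are checked against the two-distinct-factor rule, the SMS exclusion, and the hardware-token-or-biometric step-up. The signal weights, the threshold, and the authenticator names are constructed for illustration.

```python
from dataclasses import dataclass

# Factor category per authenticator type (constructed mapping for this example).
FACTOR_OF = {
    "password": "know", "pin": "know",
    "hardware_key": "have", "smart_card": "have", "authenticator_app": "have",
    "sms_otp": "have",  # possession-type, but SMS OTP does not meet CJIS standards
    "fingerprint": "are", "face": "are",
}
DISALLOWED = {"sms_otp"}
# What a step-up demands: a hardware token or a biometric (constructed set).
STEP_UP_OK = {"hardware_key", "smart_card", "fingerprint", "face"}
STEP_UP_THRESHOLD = 3  # illustrative threshold, not a value from the CJIS policy


@dataclass
class LoginContext:
    known_device: bool       # device/browser fingerprint seen before for this user
    known_location: bool     # login location matches the user's history
    usual_hours: bool        # time of access falls within the user's normal pattern
    typical_behavior: bool   # behavioral baseline (navigation, typing) matches
    recent_failures: int     # failed attempts in the lookback window


def risk_score(ctx: LoginContext) -> int:
    """Weight each anomalous signal; weights are constructed for illustration."""
    score = 0
    score += 0 if ctx.known_device else 2
    score += 0 if ctx.known_location else 2
    score += 0 if ctx.usual_hours else 1
    score += 0 if ctx.typical_behavior else 1
    score += min(ctx.recent_failures, 5)  # cap so lockout logic, not scoring, handles floods
    return score


def meets_baseline_mfa(authenticators: set) -> bool:
    """Two distinct factor categories, only known authenticators, nothing disallowed."""
    if authenticators & DISALLOWED or authenticators - set(FACTOR_OF):
        return False
    return len({FACTOR_OF[a] for a in authenticators}) >= 2


def authorize(ctx: LoginContext, authenticators: set) -> str:
    """Return 'allow', 'step_up' (valid MFA, but risk demands a stronger factor) or 'deny'."""
    if not meets_baseline_mfa(authenticators):
        return "deny"
    if risk_score(ctx) >= STEP_UP_THRESHOLD and not (authenticators & STEP_UP_OK):
        return "step_up"
    return "allow"
```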
Single Sign-On and Centralized Identity
Single Sign-On (SSO) is a system that enables a user to access several systems with a single secure set of credentials. Law enforcement SSO improves workflow efficiency and minimizes password fatigue by reducing the number of separate credentials needed across apps and portals.
PsPortals’ Personal Portal supports secure law enforcement SSO with:
- One-touch sign-on, so that users don’t juggle passwords
- Integration with enterprise identity systems (e.g., Active Directory, SAML, Azure AD) that streamlines login
- Compulsory MFA verification of every session to guarantee secure access
To prevent law enforcement SSO from becoming a single point of failure that could compromise the entire system, agencies must implement CJIS-compliant MFA mechanisms for all access to CJI data.
Account and Role Management
Strict identity lifecycle and access governance is also a CJIS compliance requirement. Agencies are obligated to apply the principle of least privilege, where a user is granted only the minimum access needed for their role.
Best practices include:
- Implement role-based access control (RBAC)
- Conduct periodic access reviews
- Immediately disable accounts for terminated or inactive personnel
- Centralize management of user rights and password policies
The Super Administrator tool in PsPortals allows agencies to centrally manage user accounts, roles, agencies, and authentication rules, ensuring a consistent, policy-driven access control system.
Password and Session Policies
CJIS requires password hygiene to reduce the chances of compromise.
Law enforcement agencies must enforce:
- Complex passwords
- No password reuse
- Required password rotation
- Account lockout after repeated failed login attempts
Systems should also enforce an automatic session timeout to protect unattended sessions, particularly for users accessing CJI.
It is also necessary to train personnel to recognize phishing, pretexting, and other social engineering techniques that may undermine these controls.

Emerging Technologies
Enhanced authentication methods are becoming more common in law enforcement agencies. To keep up with stricter security standards and maintain CJIS compliance, agencies increasingly adopt modern technologies, including:
- Certificate-based MFA
- Mobile biometrics (facial recognition, fingerprint)
- FIPS-certified hardware tokens
- Device-bound authenticator applications
PsPortals integrates industry-standard MFA solutions, supporting hardware keys, OAuth-based authenticator apps, and mobile biometrics on any device. It also logs all authentication events for audit, meeting CJIS login standards.
Frequently Asked Questions (FAQs)
Q: Does CJIS require multi-factor authentication (MFA)?
Yes. As of October 1, 2024, the Criminal Justice Information Services (CJIS) Security Policy requires MFA to access Criminal Justice Information (CJI), safeguarding sensitive data from unauthorized and malicious access.
Q: What types of MFA are allowed under CJIS?
CJIS requires phishing-resistant MFA, such as a hardware token, smart card, or mobile authenticator app. SMS codes are not permitted.
Q: What is Authenticator Assurance Level 2 (AAL2)?
CJIS Security Policy v5.9.2 adopts AAL2 from the National Institute of Standards and Technology (NIST) as the required authentication assurance level for organizational users of CJIS. It provides a high level of protection against phishing and credential theft.
Q: How does risk-based authentication work for CJIS?
It evaluates the login context, such as location or recent failed attempts, and requests additional authentication when the risk level is high.
Q: Can we use single sign-on for CJIS applications?
Yes, but users must still complete CJIS-compliant MFA through the SSO before access is granted.
Q: How should agencies manage user passwords for compliance?
Enforce password complexity, rotation, logging, and lockout, combined with MFA and user training.
Q: What happens if we don’t implement CJIS MFA on time?
Agencies risk non-compliance, access limitations, audit findings, and possible loss of access to CJI systems.
Q: What is required to secure remote access (VPN) under CJIS?
Remote access must use MFA, encrypted communication, device validation, and logging of every access attempt.