CJIS Compliance and Your Information Security Program


CJIS Compliance.jpg

The role of mobile technologies within the field of law enforcement continues to grow in both importance and number of applications. Law officers count on these technologies for much more than simply receiving dispatch calls or looking up arrest records. Officers are using mobile devices in the field for capturing photo evidence, fingerprinting suspects at the scene, conducting interviews, issuing tickets and citations, managing personnel tracking and deployment, and much more.

It’s easy to see why first responders are pushing for greater mobile device usage in the field: These technologies provide law enforcement agencies with timely and secure access to the data they need—wherever and whenever they need it. Law enforcement can also collect, organize, and send mission-critical data from anywhere. With mobile devices, officers in the field have instant, real-time access to criminal justice information (CJI) databases at their fingertips.  

Keeping this access to the CJI database secure is paramount—the database holds a plethora of sensitive information used to catch criminals, perform background checks, and track criminal activity. After all, this information getting into the wrong hands could be the difference between thwarting a criminal operation and allowing another to occur—which is why the FBI has set strict standards on protecting that data.

Those standards are known as Criminal Justice Information Services Security Policy, known as CJIS for short. The document outlines technology compliance standards for government agencies that handle CJI in databases, on desktops, on laptops, and on mobile devices.

CJIS compliance must be kept at the forefront of any technology implementation, and field-ready devices aren’t CJIS-compliant on their own. If you’re planning on adding these technologies for use in the field, it’s vital that you plan and budget for both the devices and advanced authentication to stay CJIS-compliant.

Let’s take a closer look at advanced authentication—what it is, when it’s required by CJIS, and how to strategically plan and budget for it.

What Is Advanced Authentication?

Advanced authentication, also known as two-factor (2FA) or multi-factor authentication (MFA), offers a higher level of security than a mere password, because it requires alternative forms of identification verification.

Here’s how CJIS defines 2FA: “[2FA] employs the use of two of the following three factors of authentication: something you know (e.g. password, passphrase, PIN), something you have (e.g. smart card, token, key, swipe card, badge), something you are (e.g. fingerprint, voice, retina/iris characteristics).”

Additionally, to be considered 2FA, the two authentication factors must be two distinct factors (i.e. password/token or biometric/password, but not password/password or token/token).

CJIS-compliant advanced authentication can also be achieved using a risk-based authentication (RBA) solution that includes a software token element comprising a number of factors, such as network information, user information, positive device identification (i.e., device forensics, user pattern analysis, and user binding), user profiling, and high-risk challenge/response questions.

CJIS Requirements for Advanced Authentication

In order to remain CJIS-compliant, here’s what must happen:

“The requirement to use or not use AA [advanced authentication] is dependent upon the physical, personnel, and technical security controls associated with the user location. ... AA shall not be required for users requesting access to CJI from within the perimeter of a physically secure location, when the technical security controls have been met, or when the user has no ability to conduct transactional activities on state and national repositories, applications, or services (i.e. indirect access). Conversely, if the technical security controls have not been met, AA shall be required even if the request for CJI originates from within a physically secure location” (taken from CJIS guidelines, Policy Area 6:  Identification and Authentication, Advanced Authentication Policy and Rationale).

What does that mean?

If a device is used to access CJI from outside of a physically secure location, advanced authentication is required. CJIS defines a physically secure location as “a facility, a criminal justice conveyance, or an area, a room, or a group of rooms within a facility.”

So, if a user logs into the system used to access CJI data from a non-secure location (such as outside of a police car, agency building, or police station), he or she will need to use 2FA or MFA to do so.

If CJI doesn’t reside on the device but software on the device accesses CJI, only the software needs advanced authentication. In the event that CJI resides directly on the device, the device itself needs two-factor authentication, in addition to full-disk encryption and mobile device management.

While CJIS compliance doesn’t require advanced authentication in all scenarios, we strongly recommend using it for all instances of access.

Planning for Two-Factor Authentication

Complying with CJIS and other legal and cybersecurity demands means that you must keep up with ever-changing technology updates. Advance planning is necessary to ensure that the financial means and resources are available.

When considering the use of new technologies, you must think strategically. This holds true of two-factor authentication. Performing due diligence helps you choose the right two-factor authentication solution—there are many of them out there, and you don’t want a failed implementation, financial loss, or breach. Reach out to agencies that have already implemented such solutions. Furthermore, conduct a needs assessment: Can you implement this solution in-house, or do you need to outsource it? If you’ll outsource, who will oversee the process? Understanding federal CJIS requirements is a must, as is knowing any relevant state or other federal legislation.

Moreover, think about future needs—the threat landscape as well as the regulatory landscape are constantly evolving. Whatever solution you choose now must meet both current and future needs. No one has the resources to frequently update security solutions, so you must choose something that will protect you well into the future.

It’s also important to understand what constraints exist and to plan for them. Many agencies don’t realize how long technology implementations can take. Project delays not only are costly, but also prevent first responders from taking advantage of the efficiencies technology brings. There’s also a time and cost associated with training personnel. A lack of in-house expertise is a constraint, too—most law enforcement officers aren’t cybersecurity experts, after all.

How We Can Help

Helping officers in the field do their jobs more effectively means choosing a secure two-factor authentication solution that won’t affect usability. Luckily, there are many flexible authentication methods on the market that are CJIS-compliant, convenient, secure, affordable, and easy to implement.

Identity Automation offers a broad range of CJIS-compliant authentication methods, including risk-based authentication, one-time password (OTP), fingerprint biometrics, push authentication, smart cards, and more. We’ve helped hundreds of government agencies meet CJIS compliance requirements—contact our CJIS experts today for a free consultation and MFA demo.

Download our guidebook to learn which authentication methods are recommended for different user scenarios.


Subscribe Here!