Sponsored Content

3 ways to meet the new CJIS MFA requirements

From ID badges to mobile solutions, get ready for the October 1 deadline


Prepare for the new MFA requirements using solutions like a single ID badge to access workstations, digital applications and doors.

HID Global

Content provided by HID

It’s never been more important for law enforcement agencies to safeguard criminal justice information (CJI). From arrest records to digital evidence, CJI is critical to public safety – and, increasingly, a target for malicious actors.

Those considerations are behind the latest updates to the FBI’s Criminal Justice Information Services (CJIS) Security Policy, whose version 5.0 was first published in 2011 to formalize best practices for generating and handling criminal justice records. The new CJIS version 5.9.4 seeks, among other things, to strengthen the way agencies ensure that only authorized individuals can access CJI.

In particular, Policy Area 6, “Identification and Authentication,” outlines a framework for CJI-related identity and access management – and mandates that all entities accessing CJI have an acceptable multi-factor authentication (MFA) solution in place by October 1, 2024.

Unfortunately, there’s no one-size-fits-all solution for complying with these requirements, and time is running out. The good news? There are several straightforward MFA options that agencies should consider – options that safeguard data while empowering officers to operate with efficiency and ease.

In this article, we’ll outline three of the most convenient options, along with real-world examples from organizations across the country.

THE BASICS OF CJIS MFA REQUIREMENTS

Most agencies require nothing more than a username and password to access CJI, in spite of growing evidence that those details are dishearteningly easy to steal. MFA strengthens security by requiring individuals to provide multiple authentication factors.

To comply with CJIS MFA requirements in Policy Area 6, you must protect CJI data using something you have (like a smart card, security key or mobile device), combined with either:

  • Something you know (like a password, PIN or security code), or
  • Something you are (like a fingerprint or face scan).

CJIS MFA requirements apply to all systems or applications that have access to CJI. In other words, whenever you use a device – whether agency issued or personal – to access criminal justice information, you’ll need to use MFA.

3 SIMPLE PATHS TO CJIS POLICY AREA 6 COMPLIANCE

A wide variety of MFA methods and solutions are available on the market, and some are more secure than others. Here are a few options to consider as you weigh which is right for your agency.

1. Use a single ID badge to grant access to physical and digital resources

Does your agency already use Radio Frequency Identification (RFID) badges to control access to physical buildings? If so, you may leverage them to satisfy CJIS MFA requirements by enrolling in a software solution that associates each card with a unique PIN, password or biometric identifier.

When end users want to access CJI, they’ll simply present their card to an RFID desktop reader – already embedded in some mobile devices, including mobile data computers (MDCs) – and enter their PIN/password or present their biometric to authenticate.

MFA capabilities can often be added to existing smart cards within a matter of days, enabling a single ID badge to serve as visual identification and grant access to both physical and digital resources. It is important to note that phishing-resistant security can only be achieved with cards that are powered by PKI or FIDO technology.

The Columbia County Sheriff’s Office in Florida, for example, replaced username and password with PKI-based Crescendo Smart Cards combined with PINs to meet the mandate – relying on our Credential Management System to keep track of access certificates and permissions for the nearly 200 personnel on staff.

2. Use a lightweight, portable USB key to serve as an MFA factor

USB security keys are fast, lightweight devices that can serve as an MFA factor when accessing digital resources. Users enter their log-in info, insert their key into a USB port – or present it to a high-frequency reader – and enter their PIN/password/biometric to authenticate.

USB keys are easy to deploy because they don’t require additional reader hardware. Keys that are powered by PKI or FIDO technology are especially secure and phishing resistant. However, where a reader is not an option, their utility will depend on how many (and which) USB ports are available on users’ devices.

3. Take advantage of mobile devices

Whether agency issued or personal, chances are that your personnel’s mobile devices are almost always at hand. Take advantage of that fact by configuring a downloadable app that enables phones to serve as an authentication factor when accessing other systems and devices.

The workflow is simple: users enter their log-in info, then use the mobile app to approve or deny the log-in request or receive a one-time password (OTP).

Mobile MFA is one of the most flexible solutions on the market. It can secure not just cloud applications but also mainframes, client and server log-ons, desktop client applications, Virtual Desktop Infrastructure (VDI) and Virtual Private Networks (VPN).

However, while mobile MFA solutions do not store or record any personal data, users might be reluctant to use their own devices to authenticate. For that reason, the solution is perhaps better suited to organizations that provide company-issued mobile devices.

GET READY FOR OCTOBER 1, 2024

There’s a lot at stake when it comes to complying with CJIS MFA requirements – including the risk of a loss of access to CJI data, in addition to monetary fines. Audits start October 1, and while organizations won’t be required to have implemented all new solutions, they should be able to identify any missing requirement(s) as a risk and outline their remediation plan.

The good news? Complying with CJIS Policy Area 6 doesn’t have to be hard. HID is a worldwide leader in trusted identity solutions, and we’ve helped many state and local agencies navigate the new requirements. Find us at CopTech from Aug. 14-16 or contact us to learn how we can help your organization prepare for the October 1 deadline.

To learn more, visit HID.