
CJIS MFA Requirements: Everything you need to know

October 31, 2024, by Victoria Savage


As the new CJIS MFA requirements take effect, how can you ensure that your law enforcement agency remains in compliance with the CJIS Security Policy? Government entities like police stations, sheriff's offices, or other entities that access the FBI's Criminal Justice Information Services must ensure that sensitive criminal justice information is handled with proper cybersecurity procedures.

In this article, we break down the new multi-factor authentication (MFA) requirements, and explore how your agency can easily add a compliant MFA solution to your systems.

Let’s dive in.

What is the Criminal Justice Information Services (CJIS) Security Policy?

The Criminal Justice Information Services (CJIS) Security Policy originated in 1992, when the CJIS Division was first established. The purpose of the policy is to set out the minimum security standards that any agency must have in order to access CJIS systems.

To develop these standards, the CJIS Division integrates directives from Presidential orders, US federal laws, the FBI, and Advisory Policy Board decisions with guidelines developed by NIST and others.

The 2022 update to the CJIS Security Policy introduced new requirements for multi-factor authentication (MFA), which, beginning October 1, 2024, are subject to audit.

What is the CJIS MFA Requirement?

Before getting into how to meet the specific MFA requirements in CJIS, let's understand what MFA is in the first place, and why it's important.

MFA is the process of proving a user’s identity by providing two or more identity factors during the login process. Those factors can be:

  • Something you know (like a PIN or password)
  • Something you have (such as a physical hardware token)
  • Something you are (like a fingerprint)

By combining these identity factors, organizations can prevent unauthorized access from malicious actors attempting to breach systems. MFA has been proven to block 99.9% of account compromise attacks.

When is MFA required under the CJIS Security Policy?

The CJIS Security Policy now addresses MFA in three places:

  1. Implement multi-factor authentication for access to privileged accounts.
  2. Implement multi-factor authentication for access to non-privileged accounts.
  3. Supplemental guidance about multi-factor authentication requirements.

Let's break down each of those requirements, as well as the supplemental MFA guidance that the new CJIS Security Policy provides.

Multi-Factor Authentication (MFA) for access to privileged accounts

In the CJIS Security Rule, privileged accounts are defined as “system administrators for various types of commercial off-the-shelf operating systems”. Privileged users must authenticate with MFA at the system level, and can choose to also implement MFA at the application level.

Additional MFA usage and MFA strength should be applied to privileged accounts based on their level of access and risk.

Multi-Factor Authentication (MFA) for access to non-privileged accounts

Similar to the guidance for privileged accounts, non-privileged organizational accounts are required to authenticate at the system level using MFA. Additional MFA implementations at the application level, or based on risk, are also encouraged.

Supplemental Guidance for CJIS MFA

The CJIS Security Rule also includes some supplemental guidance around the specifics of MFA authenticators and their usage, including:

  • Cryptographic-based authenticators must use cryptographic algorithms recognized by FIPS or NIST recommendations.
  • Authenticators need to be replay resistant, i.e. a one-time password can only be used once during its period of validity.
  • Communication must be authenticated over protected channels.
  • Authenticators must meet FIPS 140 Level 1 requirements.
  • Reauthentication is required every 12 hours, and after a period of inactivity of more than 30 minutes.

Those are just a few of the additional requirements your organization must meet in order to pass a CJIS Security Policy audit.
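The following is an added illustration, not code from LoginTC or from the CJIS Security Policy, of three of the supplemental points above: a time-based one-time password built on HMAC-SHA256 (a NIST-approved algorithm, per RFC 6238), a verifier that refuses to accept the same code twice within its validity period, and the 12-hour / 30-minute reauthentication timers. The secret, the 30-second code step and the one-step clock-skew allowance are assumptions chosen for the example.

```python
import hmac
import hashlib
import struct

OTP_STEP = 30            # assumed: each time-based code is valid for one 30-second step
MAX_SESSION = 12 * 3600  # CJIS: reauthenticate at least every 12 hours
MAX_IDLE = 30 * 60       # CJIS: reauthenticate after more than 30 minutes of inactivity


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 time-based OTP using HMAC-SHA256 (FIPS/NIST-recognized)."""
    counter = struct.pack(">Q", now // OTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class ReplayResistantVerifier:
    """Accepts each OTP at most once while it is still valid (replay resistance)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used = {}  # code -> time step in which it was accepted

    def verify(self, code: str, now: int) -> bool:
        step = now // OTP_STEP
        # Forget codes whose validity window (current or previous step) has passed.
        self.used = {c: s for c, s in self.used.items() if s >= step - 1}
        # Tolerate one step of clock skew between authenticator and server.
        for s in (step, step - 1):
            if hmac.compare_digest(totp(self.secret, s * OTP_STEP), code):
                if code in self.used:
                    return False  # same code presented again inside its validity period
                self.used[code] = s
                return True
        return False


def reauth_required(last_auth: int, last_activity: int, now: int) -> bool:
    """True once the 12-hour session limit or the 30-minute idle limit is exceeded."""
    return (now - last_auth) >= MAX_SESSION or (now - last_activity) > MAX_IDLE
```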

If you’re unsure how to meet CJIS MFA compliance, you can book a free consultation call with our MFA compliance experts to get a better understanding of the new requirements.

How to implement CJIS MFA

Now that you have a better understanding of the CJIS MFA Requirements, it’s time to implement a solution that fits your organization’s unique needs.

Take the following steps to implement MFA for CJIS:

  1. Conduct an MFA assessment
  2. Choose authentication methods
  3. Configure offline authentication

Step 1: Conduct an MFA assessment

The first step to implementing MFA is matching up the CJIS MFA requirements with your organization’s existing infrastructure.

To do this step, ask yourself questions like:

  • What systems do privileged and non-privileged organizational accounts currently log into?
  • Do those users currently use MFA? If so, what types of MFA do they use?
  • Are there other highly sensitive applications that privileged and non-privileged organizational accounts have access to?
  • Do those applications have MFA implemented? Should they?

These questions will help you gain an understanding of your current security landscape. For example, if you have privileged accounts logging into systems such as Windows Logon and RDP, and they don’t currently authenticate logins with MFA, then you know you’ve found an MFA gap that needs to be addressed to meet CJIS requirements.

For help with this step, you can check out the MFA Gap Calculator. This free tool takes around 10 minutes and delivers an automated report directly to your inbox showing where MFA gaps in your environment are.

Step 2: Choose authentication methods

The next step is to choose authentication methods that are going to meet CJIS guidance, integrate well with your systems, and be easy for end-users and administrators.

Some authentication methods you could consider are:

  • FIDO2 Security Keys provide strong, phishing-resistant authentication that meets NIST guidelines and is easy to use. FIDO2 tokens can have built-in biometric fingerprint scanners, or require PINs to further strengthen authentication. They also work offline and can be easily enrolled by end-users.
  • Passcode Grids are a hardware-based authentication method that comes with no additional cost. Passcode grids can be printed out or saved to a device for easy access. They work offline and have no external dependencies.
  • Hardware Tokens are physical MFA devices that allow for simple one-time-password-based authentication into systems and applications. Hardware tokens can be used offline as well.

Another consideration when it comes to choosing a token is determining whether you’ll need to use shared tokens. Shared authentication tokens allow multiple users to log into the same account securely.

While shared group accounts come with an additional level of risk, NIST offers guidelines on how to safely and securely use shared accounts. MFA authenticators that can be used with shared accounts include: hardware tokens, passcode grids, email passcodes (sent to group email accounts), some authenticator apps, and some FIDO2 tokens.

In addition to the methods themselves, you should look for a solution that allows for easy set-up and day-to-day token management. Also consider solutions that allow for streamlined policy management that help you control user behavior and stay compliant.

Step 3: Configure offline authentication

One important consideration when designing and implementing an MFA solution is what to do in offline scenarios.

In many cases your end users may be accessing systems in situations without reliable or regular access to the internet. To ensure authentication can be made seamlessly and without interruption, you need a solution that won’t require additional enrollment or complicated login procedures simply because the system is offline.

Find a solution that offers a wide variety of offline authentication methods and is designed with high availability in mind.

Final considerations

Now that the CJIS MFA requirements have come into effect, your organization needs to prepare for changes and be ready to face an audit. However, those changes don’t have to be disruptive, add complications for your administrators, or slow down your end-users.

By choosing an MFA solution designed to offer a wide range of options, you can easily tailor your implementation to your organization's unique needs.

To test out an MFA solution that can help you meet CJIS compliance without impacting your end-users or help desk, start a free trial of LoginTC.
