Senior Vice President and Head of Identity and Access Management Solutions, HID Global

In April 2021, the Washington DC Metropolitan Police Department suffered a massive data leak when hackers breached its network in a ransomware attack. The attackers claimed to have stolen more than 250GB of data, including hundreds of intelligence reports – some of which they began releasing on the dark web.

Such attacks are a law enforcement agency’s worst nightmare, and they are frighteningly common. In 2023, ransomware attacks were up more than 95% from the previous year, including attacks against the Dallas Police Department, Stanford University Department of Public Safety, and several US government agencies.

The FBI’s latest CJIS Security Policy, which requires organizations to implement multifactor authentication (MFA) in all systems and applications that store and access criminal justice information (CJI), attempts to address this new scenario. The intention is clear: ensure that CJI, such as arrest records and digital evidence, is accessible only to individuals who are authorized to view it.

However, the path to compliance is far from straightforward for many law enforcement officials and agencies. Smaller agencies face funding limitations and lack specialized expertise, while larger agencies are often unsure about what to do and when.

This article provides a simple overview of what is needed, along with three practical paths to achieving rapid, cost-effective compliance with the new CJIS MFA requirements.

What does the CJIS Security Policy mean for your agency?

The CJIS MFA requirements are designed to strengthen the way organizations provide access to CJI. Instead of a username and password, which are extremely easy to steal, individuals must provide multiple authentication factors to prove that they are who they say they are. These factors typically include:

• Something you know (password, PIN or security code).

• Something you have (smart card, mobile device, security key or token).

• Something you are (fingerprint, facial scan, iris scan or other forms of biometrics).

By October 1, 2024, organizations that store and access CJI must have implemented MFA using at least two factors to authenticate individuals across all systems and applications. Failure to comply with the new CJIS requirements may result in denial of access to the FBI’s CJIS resources and data, in addition to monetary fines.

The CJIS security policy also refers to Authenticator Assurance Level 2 (AAL2) – or phishing-resistant MFA – which provides a higher level of security by requiring one of the authentication factors to be physical (something you have). Although phishing-resistant MFA is not a prerequisite to comply with CJIS requirements, it is strongly recommended for stronger security without additional expense or disruption to current operations.

Three Paths to CJIS Compliance

Like many security protocols, MFA has evolved over time to keep up with changing threats, and a variety of methods and solutions are available. Organizations are left with a lot of choices when it comes to finding the best fit – a reality that can seem both daunting and rewarding.

To help agencies strike the best balance between security and convenience, here are three potential CJIS-compliant paths that fit into most law enforcement workflows.

1. Smart Card – Many smart cards that organizations use to access physical locations can also serve as an MFA factor. Here’s how it works: First, cards are enrolled in a software solution that links each card to a unique PIN, password, or biometric. Then, when users access digital resources, they present their card to a contactless reader, using the same PIN, password or biometric to confirm their identity.

2. Mobile Devices – If mobile devices are equipped with an authenticator app they can serve as an MFA factor. When users try to log in to a system, the app enables them to approve the request by sending them a one-time password (OTP) or providing an option to confirm or reject the login attempt.

3. USB Key – Security keys are small devices that look like thumb drives and provide fast, flexible identity assurance in a variety of digital and physical contexts. They are hard to compromise, and most don’t even require their own power or a data connection. Users simply enter their login details and then present the key to the PC or laptop.

As long as they support FIDO or PKI standards, all three paths can be considered phishing-resistant MFA.
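To make the mobile-device path (item 2 above) concrete, here is an added example of what the verifying side of a one-time-password check looks like. It is illustrative code written for this article, not code from HID Global or from any CJIS system, and it implements the standard time-based OTP algorithm (RFC 6238, built on the HMAC-based OTP of RFC 4226) with a small acceptance window for clock drift and a simple replay guard. The shared secret, time step and window size are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    The counter is encoded as an 8-byte big-endian integer, HMAC-SHA1'd with the
    shared secret, and a 31-bit value is extracted using dynamic truncation.
    """
    message = struct.pack(">Q", counter)
    digest = hmac.new(secret, message, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, at_time // step, digits)


class TotpVerifier:
    """Server-side verifier for one enrolled authenticator.

    Accepts codes from the current time step plus/minus `window` steps (to
    tolerate clock drift between phone and server) and refuses to accept any
    time step at or before the last one that succeeded, so an intercepted code
    cannot be replayed even inside the window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_counter: Optional[int] = None

    def verify(self, submitted: str, at_time: int) -> bool:
        # Reject malformed input before doing any cryptographic work.
        if not (submitted.isdigit() and len(submitted) == self.digits):
            return False
        current = at_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            # Replay guard: never accept a step that has already been used.
            if self.last_accepted_counter is not None and counter <= self.last_accepted_counter:
                continue
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison avoids leaking digit-by-digit timing.
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


# Constructed demo secret: the RFC 6238 reference key, used here only so the
# output can be checked against the published test vectors.
DEMO_SECRET = b"12345678901234567890"


def demo() -> dict:
    """Walk through a login, a drifted-clock login, a replay and a stale code."""
    verifier = TotpVerifier(DEMO_SECRET)
    code_at_59 = totp(DEMO_SECRET, 59)            # time step 1
    results = {
        "fresh_code_accepted": verifier.verify(code_at_59, 59),
        # Same code presented 30 s later is a replay of step 1 and must fail,
        # even though step 1 is still inside the drift window.
        "replay_rejected": not verifier.verify(code_at_59, 89),
        # A code for step 2 presented while the server thinks it is step 3 is
        # within the one-step drift window and is accepted.
        "drift_tolerated": verifier.verify(totp(DEMO_SECRET, 60), 95),
        # A code from step 1 presented at step 5 is outside the window.
        "stale_rejected": not verifier.verify(code_at_59, 150),
    }
    return results


if __name__ == "__main__":
    print(demo())
```

A TOTP code is a short-lived bearer value: anyone who learns it inside the acceptance window can use it, which is why the article points to FIDO or PKI-based methods, where the credential is bound to the relying party rather than typed by the user, when it talks about phishing resistance.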

Which MFA solution is best? Three questions to guide your decision

From budget to security, organizations must take into account many considerations and constraints when it comes to selecting the right MFA solution. The goal is to keep data secure without getting in the way of important law enforcement functions.

Here are three questions to help you choose the best path for your agency.

1. What infrastructure already exists? Many software-based MFA solutions can support the authentication methods and form factors you already use, from smart cards to mobile devices. This makes it easier to get up and running quickly.

2. What type of personnel do you need to support? For many organizations, the “best” MFA method is the one that causes the least disruption to their personnel. Field officers are always on the move; their MFA solution should be fast, flexible, and user-friendly. Meanwhile, Justice Department officials may be required to maintain an audit trail that logs where they have been and what types of information they have accessed.

3. How soon do you need to be ready for MFA? Organizations have until October 1, 2024 to implement MFA. Every three years, the FBI will conduct official audits of CJIS clients. In addition, agencies are expected to submit self-reports annually.

Security without compromise

The timing of the new MFA mandate shows how important CJI is to public safety and how attractive it is to cyber criminals. Fortunately, there are several safe, practical paths that organizations can take to implement MFA before the October deadline. These solutions are flexible and user-friendly, ensuring data integrity without disrupting law enforcement workflows.

