Stolen credentials remain the leading way attackers gain access to systems, according to the Verizon 2024 Data Breach Investigations Report, and they are the top initial action during breaches. This highlights the vulnerability of relying solely on passwords for security, especially within law enforcement agencies that handle Criminal Justice Information (CJI). As cybercriminals increasingly target identity, the need for stringent security measures has never been more important.
To address these threats, the Criminal Justice Information Services (CJIS) Security Policy mandated the implementation of multi-factor authentication (MFA) by October 1, 2024. Organizations and agencies that store and access CJI must comply with the requirements to ensure their data is protected from bad actors.
Foundations of CJIS Security Policy
The CJIS Security Policy was developed to address the increasing need for secure access to criminal justice information. Originating from the Advisory Policy Board’s (APB’s) recommendations to the FBI in 1998, the policy has evolved into a comprehensive security framework. The policy integrates presidential directives, federal laws, FBI directives, and the criminal justice community’s APB decisions, along with nationally recognized guidance from the National Institute of Standards and Technology (NIST).
The Importance of Multi-Factor Authentication
A critical component of the CJIS Security Policy is the requirement for MFA. Starting October 1, 2024, organizations that store and access CJI must implement MFA using at least two out of three factors to verify a user’s identity:
- Something You Know: Passwords, PINs, or security questions
- Something You Have: Smart cards, mobile devices, security keys, or soft/hard tokens
- Something You Are: Biometric verification methods like fingerprints or facial recognition
Implementing MFA is important because it significantly reduces the risk of unauthorized access. For example, requiring a physical factor in addition to something you know lowers the risk from phishing attacks, because a phished password alone is no longer enough to sign in. MFA solutions are often cost-effective and can be implemented without significant expense, making them accessible to organizations with limited budgets as well. Some solutions are also designed to integrate seamlessly with existing systems, ensuring minimal disruption to operations during deployment and updates. This makes MFA an essential component in enhancing your organization’s security posture.
Compliance Deadline and Consequences
Starting October 1, 2024, compliance with MFA requirements will be mandatory. Organizations that fail to implement MFA may face serious consequences, including denial of access to FBI CJIS resources and monetary fines. Therefore, it is imperative for agencies to start planning and implementing these measures now, to ensure they meet the deadline and protect sensitive information.
How Entrust Supports CJIS Compliance
Entrust offers comprehensive solutions designed to support CJIS compliance by providing MFA options that integrate seamlessly with your existing systems.
Ways Entrust supports CJIS compliance include:
- Phishing-Resistant MFA: Certificate-based authentication (CBA) combined with AI-driven biometric verification ensures a phishing-resistant passwordless MFA experience.
- Adaptive Risk-Based Authentication (RBA): A customizable risk engine evaluates contextual inputs such as IP addresses and behavioral biometrics, prompting additional authentication steps or denying access if the risk level is high.
- Identity Verification (IDV) With AI-Driven Biometrics: Entrust's integrated IDV solution uses AI-driven facial biometrics to enhance security and prevent fraud.
- Passwordless Solutions: These solutions can be combined with single sign-on (SSO) capabilities for seamless access.
- Integration With Existing Identity Providers: Organizations can enhance their existing identity provider (IDP) solutions.
Conclusion
The CJIS Security Policy and the requirement for MFA are critical steps in securing Criminal Justice Information and protecting against the increasing threat of identity-based attacks. By understanding and implementing these security measures, organizations can significantly enhance their security posture, ensure compliance, and safeguard sensitive information.