Keeping critical information safe from cybercriminals is an imperative for every organization, but none more so than the law enforcement agencies that maintain large volumes of highly sensitive data. This is why the Federal Bureau of Investigation (FBI) recently introduced strict new requirements for accessing its Criminal Justice Information Services (CJIS) database, which contains restricted information including fingerprint records and criminal histories.
Starting in October 2024, the FBI will mandate the adoption of advanced authentication measures by any entity seeking access to its CJIS database under any conditions. While this move significantly improves security, it also presents considerable compliance challenges for the civil agencies and police departments that rely on continuous access to CJIS data for effective law enforcement and public safety operations. This blog post explores the requirements of the new CJIS policy, explains the challenges of advanced authentication, and shows how Silverfort can help organizations achieve compliance.
The Role of CJIS and Its Security Evolution
Beginning with its first incarnation in 1924 as the Identification Division of the FBI, the agency has provided a searchable repository for all criminal records collected in the US. Formally established as CJIS in 1992, it is now the largest division in the FBI with responsibility for several technological initiatives, including the Integrated Automated Fingerprint Identification System (IAFIS) and the National Incident-Based Reporting System (NIBRS). The centerpiece of CJIS is its database, which contains criminal history records, fingerprints, biometric data, and other critical information that federal, state, local, and tribal law enforcement agencies need to access.
To address emerging cybersecurity threats, CJIS regularly updates its policies to strengthen the security of its sensitive data and incorporate best practices. Most recently, the agency began revamping its access policies to align with President Joe Biden’s Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, signed in 2021, which mandated that more stringent security standards be put in place for all federal agencies starting in October 2024, specifically by implementing “advanced authentication” methods.
Understanding Advanced Authentication
In cybersecurity, advanced authentication means taking a multi-layered approach to verifying the identity of users attempting to access a system or sensitive data. Advanced authentication goes beyond requiring standard credentials and incorporates at least one additional factor in order to establish a higher level of assurance for user identification. These can include elements such as passwords or PINs (“something you know”) plus hardware tokens or smart cards (“something you have”) or biometric factors such as fingerprints or facial recognition (“something you are”).
But EO 14028 specifies that starting in October 2024, advanced authentication methods used by federal agencies must be “phishing-resistant,” making it harder for attackers to gain access even if they trick a user into revealing their credentials via phishing, or use tactics such as prompt bombing to exhaust users into approving an access request. Phishing-resistant thus means not relying on factors that can be relayed or approved under pressure, such as push notifications, text messages or app-generated codes, but instead using elements such as certificate-based authentication (CBA), personal identity verification (PIV) cards, or hardware tokens compliant with FIDO2, the latest standard developed by the Fast Identity Online (FIDO) Alliance.
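The property that makes a FIDO2 token phishing-resistant is worth seeing concretely: the token signs a message that contains the origin the browser was actually talking to, so a credential relayed through a look-alike site fails verification, whereas a relayed one-time code verifies because nothing ties it to the real site. The following is an added illustration written for this post, not Silverfort's code and not a FIDO2 library. It assumes constructed host names (`cjis-portal.example.gov`, `cjis-portal.example-lookalike.test`) and uses HMAC-SHA256 as a stand-in for the authenticator's ECDSA signature so that it runs with only the Python standard library; because of that stand-in the relying party holds the same secret, whereas a real relying party stores only the public key. The origin and RP ID checks are the ones a WebAuthn client and server really perform.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed names for the example: the relying party (RP) is an agency's CJIS
# portal and the phishing site is a look-alike domain. Neither is a real host.
RP_ID = "cjis-portal.example.gov"
RP_ORIGIN = "https://cjis-portal.example.gov"
PHISH_ORIGIN = "https://cjis-portal.example-lookalike.test"


@dataclass
class Credential:
    credential_id: bytes
    key: bytes   # assumption: stands in for the authenticator's private key
    rp_id: str   # the credential is scoped to the RP it was registered with


def register(rp_id: str) -> Credential:
    """Enrollment: the token mints a credential bound to exactly one RP ID."""
    return Credential(os.urandom(16), os.urandom(32), rp_id)


def authenticator_sign(cred: Credential, client_data_json: bytes) -> tuple[bytes, bytes]:
    """The token signs authenticatorData || SHA-256(clientDataJSON).
    HMAC-SHA256 replaces ECDSA here (stdlib only); the binding logic is unchanged."""
    auth_data = hashlib.sha256(cred.rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags (UP)
    msg = auth_data + hashlib.sha256(client_data_json).digest()
    return auth_data, hmac.new(cred.key, msg, hashlib.sha256).digest()


def client_assert(cred: Credential, challenge: bytes, origin: str,
                  browser_enforces_rp_id: bool = True) -> dict:
    """The browser stamps the page's real origin into clientDataJSON (a page cannot
    choose its own origin) and refuses credentials whose RP ID does not match it."""
    host = urlsplit(origin).hostname or ""
    if browser_enforces_rp_id and not (host == cred.rp_id or host.endswith("." + cred.rp_id)):
        raise PermissionError(f"browser refuses: {host} is not within RP ID {cred.rp_id}")
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": origin}).encode()
    auth_data, sig = authenticator_sign(cred, client_data)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(cred: Credential, expected_challenge: bytes, assertion: dict) -> tuple[bool, str]:
    """RP-side checks, simplified from the WebAuthn assertion verification steps."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge.hex()):
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    msg = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(cred.key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(cred: Credential, challenge: bytes) -> tuple[bool, str]:
    """Officer signs in on the genuine portal."""
    return rp_verify(cred, challenge, client_assert(cred, challenge, RP_ORIGIN))


def relayed_phish(cred: Credential, challenge: bytes) -> tuple[str, tuple[bool, str]]:
    """A look-alike page forwards the RP's real challenge to the victim.
    Layer 1: the browser will not use the credential on that origin.
    Layer 2: even a client that skipped that check yields an assertion the RP
    rejects, because the attacker's origin sits inside the signed clientDataJSON."""
    browser_result = "browser allowed"
    try:
        client_assert(cred, challenge, PHISH_ORIGIN)
    except PermissionError as exc:
        browser_result = str(exc)
    assertion = client_assert(cred, challenge, PHISH_ORIGIN, browser_enforces_rp_id=False)
    return browser_result, rp_verify(cred, challenge, assertion)


def otp_relay_phish(seed: bytes, counter: int) -> bool:
    """Contrast: a one-time code (HOTP-style stand-in) carries no origin, so a
    code typed into the look-alike page and forwarded by the attacker verifies."""
    def code(c: int) -> int:
        mac = hmac.new(seed, c.to_bytes(8, "big"), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big") % 1_000_000
    relayed_code = code(counter)          # victim reads it from their app and types it in
    return code(counter) == relayed_code  # RP accepts: nothing ties it to the real site


if __name__ == "__main__":
    cred, chal = register(RP_ID), os.urandom(32)
    print("legitimate:", legitimate_login(cred, chal))
    print("FIDO2 relay:", relayed_phish(cred, chal))
    print("OTP relay accepted:", otp_relay_phish(os.urandom(20), 42))
```

Running it prints the genuine login as accepted, the relayed FIDO2 attempt as refused first by the browser and then by the relying party's origin check, and the relayed one-time code as accepted. The second layer is why a relying party must always compare the origin in clientDataJSON against its own expected origin rather than trusting that the client did so.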
The New Requirements to Access CJIS
Last December, CJIS released a new version of its security policy, CSP 5.9.2, that introduced several major changes to its security and control requirements. One of the most significant is that multi-factor authentication (MFA) will be required every time a user seeks to access criminal justice information, even when in a physically secure location (such as a dispatch center) or a “criminal justice conveyance” (i.e., a police cruiser). As well, the policy states that simply unlocking a device (for example, using a PIN or a biometric) will no longer be considered an acceptable form of MFA to gain access to the CJIS database.
These changes to the CJIS security policy will make accessing criminal justice information more secure, but they will also make gaining fast, easy access to the database more difficult since advanced authentication will be required every time a user logs in to a device connected to CJIS. Furthermore, if organizations don’t implement phishing-resistant MFA on all devices connected to CJIS by October 1, 2024, they could be hit with sanctions and potentially lose access to the database altogether.
The Challenge Ahead for Police Departments
Municipalities rely on police officers to respond rapidly in high-pressure situations where every minute counts. An officer’s ability to do so depends on their ability to access criminal justice data instantly on their mobile data computers (MDCs)/mobile data terminals (MDTs) to make informed decisions quickly. This is why it’s critical for municipalities to find the best way to simultaneously empower their police departments while also complying with the new CJIS security policy requirements.
MDCs have traditionally accessed criminal justice information sources such as CJIS via a VPN connection from the police cruiser to the department’s data center, a connection that is verified via an MFA push notification sent back to the device. But there are issues with this method. First, the wireless routers located inside cruisers don’t always spin up immediately, leaving officers waiting critical moments to receive the MFA prompt that will enable them to connect. Secondly, officers regularly need to connect when outside of their cruiser and not on a secure network, such as while doing paperwork in a location like a hospital or a hotel. This is why some police forces have started using FIDO2-enabled access control cards as a second factor to establish a secure connection quickly.
How Silverfort Enables Advanced Authentication With FIDO2
Silverfort’s Unified Identity Protection platform enables organizations to extend MFA protection to any device, no matter how the user is connecting — including police officers who need to access their terminals securely while in a remote location. Silverfort can support numerous options for second-factor authentication, including FIDO tokens, which can be used to authenticate in situations like this where push MFA is not allowed.
Silverfort does this by applying security policies on the device layer. With Silverfort for Windows Logon, the credential provider first checks whether a policy requiring MFA applies, and can then allow the officer to use their FIDO2-enabled access card as the second factor for advanced authentication. This enables police departments to secure all Windows endpoints, including the Windows-based tablets and laptops that officers use in the field.
Silverfort for Windows Logon is the only solution that can integrate MFA with a policy engine that allows organizations to apply conditional access policies to Windows devices, even when they’re being operated offline. As well, additional MFA step-up can be required for specific applications, such as the criminal justice database maintained by CJIS. Thus a critical balance is achieved: officers get the access they need quickly, saving them precious time, while their devices remain fully compliant with the new federal security requirements.
Is your agency prepared for advanced authentication? Talk to one of our experts today and find out how Silverfort can help you achieve compliance.