The Importance of CJIS Compliance: Meeting the Identity Security Requirements of the CJIS Security Policy
If your organization has access to sensitive data from government agencies, you will most likely have to adhere to the Criminal Justice Information Services (CJIS) compliance requirements.
CJIS compliance helps prevent unauthorized access to sensitive data, or Criminal Justice Information (CJI), and protect organizations from potential threats such as ransomware attacks and sanctions.
In this article, you will learn about the CJIS Security Policy, and how Silverfort can help organizations comply with its identity security requirements, including the mandatory Advanced Authentication requirement of risk-based authentication and MFA.
What is CJIS Compliance?
CJIS compliance is a set of minimum requirements for accessing and handling Criminal Justice Information (CJI), which is essentially any information that cannot be publicly disclosed except under certain circumstances, like by court order or when necessary for public safety. In particular, it refers to Federal Bureau of Investigation (FBI) data such as biometrics, biographics, case records, and other identifiable information about individuals, vehicles, or properties related to criminal activity.
CJIS compliance requirements include access control, identification and authentication, the adoption of advanced authentication measures such as MFA and risk-based authentication, incident response, visibility into all accounts, and auditing.
Contrary to what may be assumed, CJIS is relevant not only to law enforcement agencies but to civil agencies as well. State and local governments in particular are increasingly becoming targets. Attackers who gain access to state and local government networks could potentially infiltrate the FBI’s networks using their CJIS credentials. And while it would probably be challenging to shut down the entire FBI, the immediate threat is ransomware attacks, in which CJI data could be encrypted or even exposed.
The specific guidelines for protecting data that falls under the category of CJI are outlined in the FBI’s CJIS Security Policy.
Quick Overview of the CJIS Security Policy
The CJIS Security Policy defines the minimum security requirements for accessing and handling FBI criminal justice information throughout the entire CJI lifecycle, from creation to viewing, modification, transmission, dissemination, storage, and destruction.
Currently, the CJIS Security Policy consists of 19 modules, or Policy Areas, each of which covers a different security aspect. This article will focus on the policy areas concerning identity security.
The Identity Security Components of the CJIS Security Policy
Policy Area 3: Incident Response (IR)
- IR Handling: Agencies are required to establish an operational incident response plan for managing, monitoring, documenting and reporting incidents. The plan should address every stage of the IR process, including preparation, training, detection, evidence collection, analysis, containment, eradication, and recovery.
- IR Assistance: Agencies should employ an IR assistance team that will provide expert advice and support in the handling, investigation, and reporting of incidents.
Policy Area 4: Auditing and Accountability
- Agencies should implement audit and accountability controls to ensure that users do not deviate from their authorized behavior patterns.
- Audit logs should be retained for a minimum of 365 days, and include authentication logs for both successful and unsuccessful access attempts to systems and resources, password changes, attempts to access or modify user/resource/directory permissions, and actions involving privileged accounts.
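One way to check a log store against the two audit-log conditions above (required event types present, 365 days retained). This is an added example, not code from the CJIS Security Policy or from any product; the event-type labels, the one-day slack and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Event types from the audit-log bullet above; the label strings are assumptions.
REQUIRED = {"auth_success", "auth_failure", "password_change",
            "permission_change_attempt", "privileged_action"}
RETENTION = timedelta(days=365)
SLACK = timedelta(days=1)  # assumed tolerance: quiet days just before the cutoff

def audit_gaps(events, now, logging_started):
    """Return findings for one log store; an empty list means no gap found.

    events: (timestamp, event_type) pairs still held in the store.
    logging_started: when this source first produced audit events.
    """
    events = sorted(events)
    seen = {etype for _, etype in events}
    findings = [f"no '{m}' events recorded" for m in sorted(REQUIRED - seen)]
    if not events:
        return findings + ["log store is empty"]
    # The oldest surviving record must reach back 365 days, or to the start
    # of logging when the source is younger than that.
    must_reach = max(now - RETENTION, logging_started)
    oldest = events[0][0]
    if oldest > must_reach + SLACK:
        findings.append(f"oldest record is {(now - oldest).days} days old, "
                        f"{RETENTION.days} days required")
    return findings

# Constructed sample data, not real logs.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
STARTED = NOW - timedelta(days=1000)
def _ago(days, etype):
    return (NOW - timedelta(days=days), etype)

FULL = [_ago(370, "auth_success"), _ago(200, "auth_failure"),
        _ago(100, "password_change"), _ago(30, "permission_change_attempt"),
        _ago(1, "privileged_action")]
ROTATED = [_ago(90, "auth_success"), _ago(10, "password_change"),
           _ago(5, "permission_change_attempt")]  # 90-day rotation, two types absent

if __name__ == "__main__":
    for name, store in (("FULL", FULL), ("ROTATED", ROTATED)):
        print(name, audit_gaps(store, NOW, STARTED) or "no gaps")
```

The retention test looks only at the oldest surviving record, so it catches premature rotation but not holes in the middle of the year.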
Policy Area 5: Access Control
Integrate mechanisms to restrict access to CJI data, as well as to systems, applications, and services that provide access to CJI, including:
- Account Management: Maintain visibility into all accounts in your environment and perform annual validations.
- Access Enforcement: Assign and manage access privileges based on the least privileges necessary for each system, application or process to operate.
- Remote Access: Implement automated monitoring & access policies.
Policy Area 6: Identification and Authentication
To gain access to systems, services, and resources, users must be identified and authenticated in accordance with the Advanced Authentication requirement. As outlined in Section 5.6.2.2 of the CJIS Security Policy, advanced authentication is mandatory and subject to audit as of October 1, 2024. Advanced authentication consists of:
- Multi-Factor Authentication (MFA): Requires the use of two or more different factors to authenticate successfully. The CJIS Security Policy breaks down authentication factors into the following categories: something you know (such as a personal identification number [PIN]), something you have (such as an authenticator or token), and something you are (such as biometrics).
- Risk-based Authentication (RBA): Authentication requests are accepted based on the risk calculated by a combination of factors such as network information, user information, user profiling, request patterns, geolocation, browser metadata, IP addresses previously authenticated successfully, and other adaptive authentication techniques.
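The two parts of advanced authentication described above, combined into one decision function. This is an added example, not taken from the policy or from any product: it reads "different factors" as factors from different categories, and the factor names, signal names, weights and deny threshold are all assumptions.

```python
# Factor categories as the policy summary above lists them; the factor
# names on the left are assumptions made for this example.
CATEGORY = {
    "password": "know", "pin": "know",
    "hardware_token": "have", "authenticator_app": "have",
    "fingerprint": "are",
}
# Signal names follow the RBA bullet; weights and threshold are assumed
# values for illustration, not figures from the CJIS Security Policy.
WEIGHTS = {
    "ip_not_previously_authenticated": 30,
    "geolocation_changed": 25,
    "unusual_request_pattern": 25,
    "browser_metadata_changed": 10,
}
DENY_AT = 60

def risk_score(signals):
    """Sum the weights of every signal that is present and true."""
    return sum(w for name, w in WEIGHTS.items() if signals.get(name))

def decide(factors, signals):
    """Return 'deny', 'step_up' or 'allow' for one authentication request."""
    unknown = [f for f in factors if f not in CATEGORY]
    if unknown:
        raise ValueError(f"unclassified factor(s): {unknown}")
    if risk_score(signals) >= DENY_AT:
        return "deny"  # too risky regardless of how many factors were shown
    # Two factors from the same category (password + PIN) are still one kind
    # of evidence, so count categories rather than factors.
    if len({CATEGORY[f] for f in factors}) < 2:
        return "step_up"
    return "allow"

if __name__ == "__main__":
    new_ip = {"ip_not_previously_authenticated": True}
    print(decide(["password", "pin"], {}))
    print(decide(["password", "hardware_token"], new_ip))
```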
Getting CJIS Compliant with Silverfort
Policy Area 3: Incident Response (IR)
Silverfort provides full visibility into and continuous monitoring and risk analysis of all authentication and access attempts, including sources, destinations, risk levels, and more. In addition, you can apply access policies, either created by you or by Silverfort, to ensure that if an access attempt deviates from normal behavior, the policy will provide alerts and/or deny access. If you experience an incident, Silverfort is able to assist you in containing the compromised accounts, investigating, and recovering.
Policy Area 4: Auditing and Accountability
In the Silverfort log screen you can view all authentication and access attempts, including those of user accounts, privileged accounts, and service accounts. You can filter by authentication type, account type, domain type, risk level, risk indicator, sources, destinations, protocols, time range, and more.
Policy Area 5: Access Control
Access policies are configured based on users, groups, and organizational units (OUs), as well as the least privileges necessary for your systems, processes, and applications. With full visibility into user accounts, privileged accounts, and service accounts in your environment, you can create and monitor log files to detect malicious or irregular activity, as well as perform validations at any time or interval.
Policy Area 6: Identification and Authentication
Silverfort can enforce MFA on all access requests, including on-prem, remote, legacy applications and more, and for all users, from regular users to privileged users and admins.
Access policies can be configured as static or risk-based. As opposed to static policies, which are applied regardless of authentication risk level, risk-based policies are applied according to risk levels and risk indicators, such as abnormal authentication, users with SPNs, old passwords, old operating systems, malicious IPs, and more.
For more information on how Silverfort can help you comply with the CJIS identity security requirements, schedule a call with one of our experts or request a quote.