The Top 5 Questions About MFA for CJIS (And Their Answers)

Comply with the New Requirements for Accessing Criminal Information

Starting October 1, 2024, the FBI requires all organizations that access criminal justice information (CJI) to implement multi-factor authentication (MFA). The goal is simple: to keep criminal information like case histories and digital evidence out of the hands of cybercriminals.

But many of the civil agencies and police departments who process CJI data still have questions about complying with the new mandate.

In this article, we’ll review five of the most common questions about the new requirements to help you navigate the choices and challenges involved with implementing MFA for CJIS.

CJIS MFA Requirements: 5 Key Questions

Version 5.9.2 of the CJIS Security Policy, released December 2022, requires individuals to provide MFA when accessing criminal data.

1. What is MFA?
Many organizations still rely on usernames and passwords to secure access to sensitive criminal data. Multi-factor authentication (MFA) requires individuals to provide additional proof of their identity through the following:

  • A physical form factor (like a smart card, key or badge) that’s secured by something you know (like a PIN or a password)
    • Example: A smart card that’s secured by a PIN
    • Example: A hardware token that’s secured by a one-time password
  • A physical form factor (like a smart card, key or badge) plus something you are (like a fingerprint or face scan)
    • Example: A smart card plus a fingerprint

2. When do I need to secure with MFA?
MFA is required whenever you use a device to access CJI. This can be within a corporate environment or from a personal device.

Within a corporate environment, if you log into a workstation that is on your corporate network and you have a CJI file repository or database connected to the same network — MFA is required for that workstation. Since the user is authenticated with MFA at the workstation, any file system or application accessed using single sign-on (SSO) relies on the credentials presented at the time of authentication to the workstation.

From your personal device, if you’re accessing a web application or Software-as-a-Service (SaaS) that contains CJI — MFA is required at the application layer. If you are able to download the web app or if the application caches data on your device, your device will need to have MFA in place.

So what counts as criminal data? There is a difference between personally identifiable information (PII) and CJI. The latter is any data associated with a crime that is accompanied by PII. When the PII is removed, the data becomes a criminal statistic and falls out of scope of the CJIS Security Policy.

It’s a bit of a gray area, but HID recommends that organizations use MFA to protect all the data that they generate, store or access.

3. What’s the best way to implement MFA?
There’s no one-size-fits-all solution when it comes to complying with CJIS requirements — and the best way to implement MFA will differ from agency to agency. The decision often hinges on each organization’s budget, needs and the systems that are already in place.

Focused on speed and efficiency? Multi-factor authentication software provides device-level protection and can be installed in days, not months. Top solutions increase security without adding friction by supporting the authentication methods and form factors you already have in use, from badges and smart cards to biometrics and mobile devices. It’s especially useful in settings where multiple users need to easily and securely share the same workstation and user session.

Want to take the opportunity to make a long-term infrastructure investment? Consider a smart card based solution, which will resonate well with end users because most sworn officers are already accustomed to carrying an ID badge. Best-in-class smart cards streamline access to both digital and physical resources — your personnel might use the same card and PIN combination to authenticate themselves into the building at headquarters and into the device they use to access criminal data stored digitally. A credential management system (CMS) can also give IT staff an easy way to view, grant and revoke permissions.

4. What happens if I’m not in compliance?
In situations where law enforcement officials need access to criminal data, time is always of the essence. That’s why compliance with the new CJIS requirements is so critical — failure to do so could lead to a denial of access to CJI data, in addition to monetary fines. Of course, that’s also why it’s so important to select the right authentication solutions. Your goal should be to minimize friction for individual users while complying with the new mandate.

The FBI will conduct formal audits of CJIS subscribers every three years, though agencies are expected to provide self-reports on an annual basis. During these audits, there is a “risk vs realism” clause that recognizes not all agencies are built the same and may not be able to immediately comply with all the requirements. When approaching an audit, simply identify the missing requirement(s) as a risk and identify a remediation plan. This will not exempt the requirement, but will show due diligence to the auditor.

5. Where can I turn for more help with MFA for CJIS?
HID is a worldwide leader in trusted identity solutions, and we’ve helped several state and local agencies navigate evolving CJIS requirements. If you’ve got questions or concerns about implementing MFA, get in touch and we’ll connect you with one of our specialists.

CJIS doesn’t have to be complicated. Read our case study and find out how the Columbia County Sheriff’s Office complied with the new regulations while streamlining its officers’ workflow.

Nicholas Hawkins is an IAM Solutions Architect at HID Global and brings nearly 20 years of first-hand experience in various fields including US federal government, hospitality, and healthcare. Prior to joining HID, his work as an innovation engineer focused on designing end user experiences for healthcare workers. His focus today is on being a trusted advisor to customers interested in solving business challenges in identity management and authentication, particularly in highly regulated industries.