
An Overview of CJIS

Every company out there has sensitive information. Whether it’s their secret to success, customer information, emails or something else, it goes without saying that these organizations want this information protected at all costs from prying eyes that have no business going through this data. One of the best examples of a system that demands this kind of security comes from CJIS. In this case, though, you’re dealing with security demands from the Federal Bureau of Investigation. 

What Is CJIS?

CJIS stands for Criminal Justice Information Services Division. It’s a division of the Federal Bureau of Investigation and has been so for 23 years now. Since 1992, it has become the largest division the FBI has.

The reason it’s important to you, though, is most likely because of its computerized information system related to criminal justice.

This aspect of CJIS is available not just to federal law enforcement, but also to state and local authorities. Criminal justice agencies may also access it through the International Law Enforcement Telecommunications System (INLETS), National Law Enforcement Telecommunications System (NLETS) and various local systems that differ by state.

CJIS is made up of a number of different databases as well as a subsystem. It can be accessed online by anyone with authorization. This helps to serve its most basic purpose, which is to reduce criminal and terrorist activities by optimizing the bureau’s ability to provide relevant information in a timely manner to all approved law enforcement personnel, civilians, academics, employers and licensing agencies.

The information found on CJIS isn’t just about people though. You can also use it to look up data about criminal organizations, various criminal activities, stolen property and other matters relevant to law enforcement.

Why Does CJIS Require Two-Factor Authentication (2FA)?

This should probably be pretty obvious, but it’s worth discussing in a bit more detail to make sure anyone who uses CJIS understands. Obviously, the FBI wants to be very careful about who has access to CJIS. It is full of personal and private information, but that’s hardly all. People who can see the information on CJIS are also privy to some pretty sensitive data where national security is concerned.

As such, the bureau is adamant that any network administering access to CJIS be very careful about how they do so. Specifically, any and all users must prove who they are, beyond a shadow of a doubt, before they get access.

Can you imagine what would happen if a hacker got into CJIS? This would be a great way for a criminal organization to avoid detection. Two-factor authentication, or 2FA, is a critical component of security. It makes sense that this would be the methodology of choice for most networks with access to CJIS. 2FA does an outstanding job of keeping hackers from being able to get their hands on information like the kind CJIS has.

What Is 2FA?

For those who may not be familiar with it, 2FA is a form of authentication that requires two forms of verification before the user is granted access. However, you don’t simply supply two separate passwords.

Instead, you have to use two completely different types of authentication. A password of the user’s choosing could definitely be one. The other might come from a physical object like a key fob or USB stick that only the authorized user would be in possession of.

Another option is some type of physical characteristic. More and more, you’re seeing 2FA platforms that require a password and a fingerprint, voice authentication or an eye scan.

It makes sense, then, that the FBI would insist on such a high level of verification before allowing someone access to CJIS. Still, 2FA is also a great way for all kinds of companies to keep their secrets safe.

What Qualifies for CJIS-Compliant 2FA?

When it comes to identification and authentication, the FBI outlines what it expects from networks using CJIS. On page 29 of their CJIS Policy, you’ll find the following:

“The agency shall identify information system users and processes acting on behalf of users and authenticate the identities of those users or processes as a prerequisite to allowing access to agency information systems or services.”

Now, it should be pretty clear that the FBI expects access to be controlled and limited only to those with approval to go through CJIS. However, it also leaves a lot to be desired in terms of specifics.

Who Is Affected

It’s important to understand that you don’t have much in the way of options where security and CJIS access are now concerned. As of September of 2014, the FBI mandates that advanced authentication is required for this type of access. The bureau has outlined its demands in detail via FBI Security Policy section 5.6.2.2.1. You should definitely take time to review this policy on your own, though we’ll supply you with a helpful resource at the end of this article too.

To summarize, though, anyone from your company who accesses sensitive CJIS information must be put through an advanced authentication process. This is in addition to any security policies your company or agency may have put in place.

It should probably come as no surprise that the FBI takes this policy very seriously. Failure to follow it to the letter will result in very heavy fines. Again, no amount of your own security measures will save you if you don’t have the required measures in place, so make these a priority.

Before you start using CJIS, make sure you understand what’s expected of you. Likewise, if you’ve been using CJIS for years, remember that the laws regarding its use changed in 2014 and you were expected to change with them.
