Best Practices for Complying with CJIS with Password Management
If you are an IT professional who works with a law enforcement organization, you’re probably already familiar with the FBI’s Criminal Justice Information Services (CJIS) Division. CJIS is the gatekeeper of the invaluable data your organization’s agents or officers use every day to investigate crimes and keep the public—and themselves—safe. It’s because the data stored in CJIS databases is so valuable that the FBI makes it a priority to keep it away from unauthorized eyes—and it’s the reason the FBI has been rolling out a revamped CJIS Security Policy.
The new Security Policy was supposed to go into effect this year, but because of widespread failure to comply in time, the FBI issued a stay of execution through September of 2014. But that doesn’t mean you’re off the hook—not by any means. Most observers agree that this is the last extension the FBI will grant and if your organization isn’t compliant by that deadline, the ability of your officers and agents to access the information they need to do their jobs will be severely hampered. Needless to say, they won’t be too happy about it.
Where to Start with CJIS Compliance
There’s still a lot of confusion out there about CJIS compliance. The new standards reference some authentication and password procedures that might be unfamiliar to even the most experienced of law enforcement IT personnel. As you look over the FBI document that outlines the new CJIS guidelines and try to figure out how to make sure your department is in full compliance, you might be wondering, “Where do I begin?”
(If you haven’t read the full document, it’s available here: http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view)
A good place to start is “Section 5: Policy and Implementation.” This section covers different policy areas and how to implement security standards for compliance. In terms of IT security, these are some of the most significant policy areas:
Policy Area 4: Auditing and Accountability
This policy area requires law enforcement agencies to generate (and keep) records of certain events that could be considered “relevant to the security of the information system” used to access CJIS data.
How to comply with Policy Area 4: By using a security suite (password management and authentication) that records attempted logins, password changes, password access, and similar events, you can audit password and login history effectively. An advanced security solution will automatically generate and retain complete reports with the data CJIS requires for each event (at minimum the user, the time, and the date, plus the outcome of the event, such as success or failure). Administrators can then audit users' access, password histories, and more without reconstructing the record after the fact.
Policy Area 5: Access Control
Access control deals with who has access to CJIS data and how to manage the extent of each user’s access.
How to comply with Policy Area 5: With an advanced security suite, access control is easy to manage, record, and automate. One of the most important things CJIS is trying to do here is to ensure that only the users and groups who need access to data can reach it, and that privileged functions (like password resets) are available only to those who should have them. With a good password management system, passwords (and the ability to reset them) can be assigned and tracked according to a user's role and job needs, and those passwords and capabilities can be changed promptly when the user is terminated or moves to a different job role. Good systems can also be configured to lock out users after a set number of failed login attempts and to lock the session after a set period of inactivity; both are specifically required for CJIS compliance.
Policy Area 6: Identification and Authentication
Policy Area 6 requires that law enforcement agencies ensure users trying to access CJIS information are who they say they are by requiring advanced password and authentication processes.
How to comply with Policy Area 6: One of the new requirements from CJIS is that users who access CJIS information from outside a physically secure location (on the road, for example) must use "advanced authentication." In practice that means multi-factor authentication (MFA): to access a system protected by MFA, a user must present not only a password but also another factor, such as a one-time access code generated on a handheld token or an authenticator app, or a biometric such as a fingerprint scan. A password alone, however complex, does not satisfy the requirement for these users.
Good password management systems offer MFA as a key element of their suite of tools. Putting MFA in front of a single sign-on (SSO) system means users complete one strong login instead of many weak ones, which is probably one of the most convenient and effective security and password solutions available for law enforcement.