CJIS Compliance Checklist for Authentication in Law Enforcement IT
Still unsure about Criminal Justice Information Services (CJIS) guidelines? You’re not alone.
Since the announcement of the FBI’s September 2014 deadline, by which all organizations that use the CJIS databases must become fully compliant with the new security and technical safeguards, many law enforcement agencies and organizations are scrambling to get their systems compliant. The sense of urgency is real: if an organization is found to be non-compliant, it will be unable to access the centralized CJIS information that it depends upon and uses daily.
But while every law enforcement IT service provider wants to make sure their department is 100 percent compliant by September of 2014, many are unsure of where to even begin. Planning and implementing new CJIS-specific policies and procedures can seem impossible, especially when others in your organization don’t have a strong understanding of IT and password security.
Fortunately, you have at least two things going for you:
1) Your organization needs access to CJIS, even if they don’t seem to understand the importance of compliance. If you educate them on the risks involved with not meeting the compliance deadline—like not being able to access CJIS data—they will have no choice but to do whatever they can to become compliant.
2) Today, there are password management and security software solutions that make CJIS compliance and implementation much easier than you think—both in terms of cost and convenience.
Below is a simplified checklist of rules from the CJIS compliance guidelines, each paired with the password management capability that will help you comply with that rule. This checklist deals with the three most relevant (and complex) sections of the CJIS Security Standards: Policy Areas 4-6.
Policy Area 4: Auditing and Accountability
This policy area deals with the reports agencies are required to generate (and keep) that pertain to certain security-related events that occur on the system used to access CJIS. To comply with this policy area, your password management solution should:
- Allow privileged users to easily see who has access to which passwords, and when/how they’re being used.
- Be able to generate detailed reports (that include all of the CJIS-required data like user IDs, date, etc.) based on users, permissions, and passwords.
Policy Area 5: Access Control
This policy area regulates who (within an agency) should have access to CJIS data, and the extent of each user’s access. To comply with this policy area, your password management solution should:
- Allow access to passwords (and the ability to change them) to be segmented by role, based upon a user’s job duties and authority level.
- Use a centralized password management system that stays in sync with a wide range of sites and applications (including cloud-based applications) so that a user’s access and permissions can be easily changed or restricted should they leave their role.
- Lock out a user after five failed login attempts, and automatically notify administrators of such an event.
- Require advanced authentication after a set period of inactivity (the CJIS guidelines call for 30 minutes).
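The lockout, notification and inactivity rules above are easy to state but easy to get subtly wrong (a lockout counter that resets on a locked account, a timeout that is never audited). The following is an added example, not code from the article or from any vendor it describes: a minimal authentication service that enforces the Policy Area 5 items (lock the account after five failed logins, alert administrators, require re-authentication after 30 idle minutes) and records the user-ID/timestamp/event audit entries that Policy Area 4 asks for. The class and function names, the in-memory account store and the PBKDF2 parameters are illustrative assumptions; only the two thresholds come from the checklist.

```python
"""Added example, not code from the article or any vendor it describes: a minimal
authentication service enforcing the Policy Area 5 items above (lock after five
failed logins, alert administrators, re-authenticate after 30 idle minutes) and
recording the user-ID/timestamp/event entries Policy Area 4 asks for. Names, the
in-memory store and the PBKDF2 parameters are illustrative assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib, hmac, secrets

MAX_FAILED_ATTEMPTS = 5                    # stated in the checklist
INACTIVITY_LIMIT = timedelta(minutes=30)   # stated in the checklist

@dataclass
class AuditEvent:
    user_id: str
    timestamp: datetime
    event: str            # LOGIN_SUCCESS, LOGIN_FAILURE, ACCOUNT_LOCKED, ...
    detail: str = ""

@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    last_activity: Optional[datetime] = None   # None: no live session

class AuthService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[AuditEvent] = []
        self.admin_alerts: list[str] = []      # stand-in for e-mail/SIEM notification

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # PBKDF2-HMAC-SHA256; the iteration count is an illustrative choice
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _audit(self, user_id: str, event: str, now: datetime, detail: str = "") -> None:
        self.audit_log.append(AuditEvent(user_id, now, event, detail))

    def register(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(user_id, salt, self._hash(password, salt))

    def login(self, user_id: str, password: str, now: datetime) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None:
            self._audit(user_id, "LOGIN_FAILURE", now, "unknown user")
            return False
        if acct.locked:                      # stays locked until an admin unlocks it
            self._audit(user_id, "LOGIN_REJECTED", now, "account locked")
            return False
        if hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            acct.last_activity = now
            self._audit(user_id, "LOGIN_SUCCESS", now)
            return True
        acct.failed_attempts += 1
        self._audit(user_id, "LOGIN_FAILURE", now, f"attempt {acct.failed_attempts}")
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            self._audit(user_id, "ACCOUNT_LOCKED", now)
            self.admin_alerts.append(f"{now.isoformat()} {user_id} locked after {MAX_FAILED_ATTEMPTS} failures")
        return False

    def touch(self, user_id: str, now: datetime) -> bool:
        """Record activity; False means the session idled out and re-auth is required."""
        acct = self.accounts[user_id]
        if acct.last_activity is None or now - acct.last_activity > INACTIVITY_LIMIT:
            acct.last_activity = None
            self._audit(user_id, "SESSION_TIMEOUT", now)
            return False
        acct.last_activity = now
        return True

    def unlock(self, admin_id: str, user_id: str, now: datetime) -> None:
        acct = self.accounts[user_id]
        acct.locked, acct.failed_attempts = False, 0
        self._audit(user_id, "ACCOUNT_UNLOCKED", now, f"by {admin_id}")

def demo() -> dict:
    """Walk the rules with constructed data and return the outcomes."""
    svc = AuthService()
    t0 = datetime(2014, 9, 1, 8, 0, tzinfo=timezone.utc)   # constructed timestamp
    svc.register("officer42", "Tr4il-Lamp-92")
    first_ok = svc.login("officer42", "Tr4il-Lamp-92", t0)
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("officer42", "not-the-password", t0 + timedelta(seconds=5))
    locked = svc.accounts["officer42"].locked
    rejected = not svc.login("officer42", "Tr4il-Lamp-92", t0 + timedelta(minutes=1))
    svc.unlock("admin7", "officer42", t0 + timedelta(minutes=2))
    back_in = svc.login("officer42", "Tr4il-Lamp-92", t0 + timedelta(minutes=3))
    still_active = svc.touch("officer42", t0 + timedelta(minutes=20))
    timed_out = not svc.touch("officer42", t0 + timedelta(minutes=55))
    return {"first_ok": first_ok, "locked": locked, "rejected": rejected, "back_in": back_in,
            "still_active": still_active, "timed_out": timed_out,
            "alerts": len(svc.admin_alerts), "events": [e.event for e in svc.audit_log]}
```

Running `demo()` walks one account through a successful login, five failures, the resulting lock and administrator alert, a rejected login while locked, an administrator unlock, and an idle session that times out. Two design points matter for an audit: the lock is only cleared by an explicit, audited `unlock`, never by the passage of time or by a later correct password, and every branch, including the unknown-user and already-locked cases, writes an audit record with the user ID and timestamp, so the Policy Area 4 reports can be generated from `audit_log` alone.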
Policy Area 6: Identification and Authentication
This policy area deals with ensuring the identity of a user trying to access the CJIS database. To comply with this policy area, your password management solution needs to:
- Allow administrators to create password policy templates that meet their specific complexity requirements and the CJIS requirements (at least eight characters long, expire within 90 days, don’t contain a dictionary word, etc.).
- Require multi-factor authentication (MFA or two-factor authentication) for users who are trying to log in from a non-secure location. MFA requires users to authenticate using not only a password, but also another security factor, like a one-time access code generated from a token device or secure mobile app on their phone.
A strong MFA solution provides such enhanced security that it helps greatly with CJIS compliance across the board. However, it’s important to find an MFA option that’s both convenient and cost-effective.
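To make the Policy Area 6 password rules concrete, here is an added example, not code from the article or any vendor it describes: a password policy "template" checker that an administrator could configure. The three rules the checklist names (at least eight characters, expiry within 90 days, no dictionary word) are the defaults; the extra complexity options, the rule against embedding the user ID, the `min_dictionary_word_len` cutoff and the tiny embedded word list are illustrative assumptions, not CJIS text.

```python
"""Added example, not code from the article or any vendor it describes: a password
policy "template" checker for the Policy Area 6 items above. The three rules the
article names (at least eight characters, expiry within 90 days, no dictionary
word) are the defaults; the extra complexity knobs, the user-ID rule and the tiny
embedded word list are illustrative assumptions, not CJIS text."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Constructed stand-in for a real dictionary file (one word per line).
SAMPLE_DICTIONARY = frozenset({"police", "password", "summer", "welcome", "justice", "officer"})

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8                   # from the checklist
    max_age_days: int = 90                # from the checklist
    forbid_dictionary_words: bool = True  # from the checklist
    min_dictionary_word_len: int = 4      # assumption: ignore very short words
    forbid_user_id: bool = True           # assumption: password must not contain the login name
    require_mixed_case: bool = False      # optional extras an administrator might add
    require_digit: bool = False
    require_symbol: bool = False

def check_password(password: str, user_id: str, policy: PasswordPolicy,
                   dictionary=SAMPLE_DICTIONARY) -> list[str]:
    """Return the rules the password violates; an empty list means it is acceptable."""
    problems: list[str] = []
    lowered = password.lower()
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.forbid_dictionary_words:
        # substring match, case-insensitive, so "Police2014" is still caught
        hits = sorted(w for w in dictionary
                      if len(w) >= policy.min_dictionary_word_len and w in lowered)
        if hits:
            problems.append("contains dictionary word(s): " + ", ".join(hits))
    if policy.forbid_user_id and user_id and user_id.lower() in lowered:
        problems.append("contains the user ID")
    if policy.require_mixed_case and not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper- and lower-case letters")
    if policy.require_digit and not re.search(r"\d", password):
        problems.append("needs a digit")
    if policy.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a symbol")
    return problems

def _as_date(d) -> date:
    """Accept either a date object or an ISO 8601 string such as '2014-06-01'."""
    return d if isinstance(d, date) else date.fromisoformat(d)

def days_until_expiry(set_on, today, policy: PasswordPolicy) -> int:
    """Days left before the password exceeds max_age_days; negative means already expired."""
    return (_as_date(set_on) + timedelta(days=policy.max_age_days) - _as_date(today)).days

def password_expired(set_on, today, policy: PasswordPolicy) -> bool:
    return days_until_expiry(set_on, today, policy) < 0

if __name__ == "__main__":
    policy = PasswordPolicy()
    for pw in ("Police2014", "Xq7!mW", "Tr4il-Lamp-92"):   # constructed samples
        print(pw, "->", check_password(pw, "jsmith", policy) or "OK")
    print("days until expiry:", days_until_expiry("2014-06-01", "2014-08-30", policy))
```

`check_password` returns every violated rule rather than stopping at the first, which is what a user-facing policy template needs; `days_until_expiry` gives the number an administrator's report would show, and `password_expired` is the yes/no check a login path would make. A real deployment would load the dictionary from a file and would also keep a hash of previous passwords to enforce reuse restrictions, which this example omits.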