CJIS Compliance Made Easy: Integrating Advanced Authentication
If you are a reader with an interest in CJIS compliance, then you’re in luck; I’ve compiled all the information you’ll need. In the past I’ve talked about CJIS compliancy at length. I’ve expanded upon the various components and aspects of CJIS, and how AuthAnvil can make CJIS compliance a simpler process. I’ve even touched on the topic of Advanced Authentication in the past; However, in this post I’m going to focus specifically on the process of integrating an authentication solution to meet the CJIS compliancy requirement of advanced authentication, and the considerations you should make prior to the process.
Let’s start out with a quick review of policy areas 5.6.1, 126.96.36.199, and 188.8.131.52.
5.6.1 “Identification Policy and Procedures” requires each user, who accesses CJIS data, to have an individual and unique login account. This means no account sharing!
184.108.40.206 “Passwords” requires that the individual logins from 5.6.1 have passwords which are a minimum length of eight characters long, neither a word nor a name, different from the username, set to expire every ninety or less days, are uniquely different than the previous ten passwords, are not displayed when entered, and are not transmitted outside of the secure location.
220.127.116.11 “Advanced Authentication” details the accepted types of Advanced Authentication, such as: biometric systems, user-based public key infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens, etc. This section also defines the situations where such means of authentication are necessary. Those situations are well defined; however, they boil down to two scenarios. Either Advanced Authentication is necessary everywhere, in the case that the technical security requirements from section 5.9 are not met for physically secure locations, or alternately, anywhere that’s not a technically and physically secure location. This makes it apparent that having the Advanced Authentication would be ideal in any situation; however, there is some leeway given to those in areas of lesser risk.
We know being compliant can be difficult, but we are here to help.
Here are some considerations you should be making when choosing how you will meet CJIS compliancy.
Does your vendor provide you all the methods of authentication you require?
Selecting the right type of authentication solution is in no way an exact science. The decision of what solution to go with heavily depends on who, where, when, and how a user will be deploying the solution. For some, a software token on their phone would be ideal, for others a physical token would be more ideal. If your potential provider is limiting you to less solutions, then you have less options in the event that one solution doesn’t work well for all groups.
Will the method of authentication impede officer productivity?
Five seconds is rarely the difference between life and death, but of any line of work law enforcement is one of the most likely to encounter such a situation. That is why it is so crucial that the method of authentication be both time efficient and reliable, while still remaining secure.
Does the solution ease the pain of increased password security?
Good authentication solutions find methods to ease the pain of security requirements. One such method is known as Single sign-on (SSO). Single sign-on can increase productivity while decreasing the pains of CJIS password requirements. If SSO is signed into with an approved means of advanced authentication, users only need to remember the one password to automate their other login processes. This works because, at that point, they have already proven their identity to the FBI’s standards.
Is the solution cloud compatible?
Some authentication solutions support both physical and virtual (cloud) environments. If your solution supports virtual environments, regardless of your current configuration, the transition is that much easier. AuthAnvil, for example, can run physically and virtually, both locally and in the cloud.
Will the solution require substantial changes to the existing infrastructure?
Down-time is a major problem for any organization. If the solution can be integrated with minimal changes to the infrastructure then down-time is minimized as well. Simply put, the less work the solution requires to implement, the better it is for everyone.
AuthAnvil can help to meet many of these CJIS requirements and provide positive responses to these considerations.