The 4 As of CJIS Compliance
Starting in September of 2014, any law enforcement agency that wishes to access the FBI’s Criminal Justice Information Services (CJIS) databases needs to be 100 percent compliant with the new, extensive security guidelines outlined in a 200+ page document. The document includes specific requirements regarding password security, login audit reports, and more.
Come September, any law enforcement agency that is found to be non-compliant with the CJIS security standards will not be able to access the CJIS databases—an incredibly valuable tool that officers and investigators use daily to tap into resources like criminal records, license plate and DMV information, and stolen property records.
If you’ve just begun to look over the lengthy CJIS document, you might feel lost. A good place to start (when it comes to user authentication security) might be with the 4 A’s: auditing, accountability, access control, and authentication.
In Policy Area 4, CJIS guidelines require that reports be generated for certain security-related events, like failed login attempts. When looking for a password management solution that will help your agency become CJIS compliant, you should look for a security solution that can be easily set to generate and keep records of such events. An administrator should be able to quickly look over an audit report based on users, passwords, and permissions.
Again covered in Policy Area 4, the area of accountability is addressed with detailed event reports. If you use a password management package that automates detailed reporting, when a security incident occurs, the event can be traced back to a user who can be held accountable for their part in the incident.
Policy Area 5 pertains to access control. CJIS guidelines require that only users who need access to the CJIS databases for their job are able to access them, and that the extent of their CJIS permissions be determined by their job role and authority level. The guidelines also require that permissions be changed or prohibited should a user change jobs or be terminated, and that privileged functions, like the ability to change permissions or passwords, be limited only to authorized users.
The best way to meet CJIS access control guidelines is to use a password management solution that allows administrative users to quickly and easily see who has access to which passwords, as well as when passwords and permissions are changed. To be effective, the password management solution must keep in sync with a variety of sites and applications, so that if permissions need to be restricted from a user (say, in the event of a termination), these restrictions can be quickly put in place for all of the user’s logins and applications.
The password management solution must also be able to meet the other CJIS guidelines pertaining to access control: to limit unsuccessful login attempts to five, and to log a user out of the system after 30 minutes of inactivity.
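As an added illustration (not code from the original article or from any vendor's product), the Python sketch below enforces the two thresholds just quoted and records every decision in an audit trail of the kind Policy Area 4 asks for. The `AuthPolicy` class, its account fields and the event names are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Thresholds quoted from the CJIS access control guidance above.
MAX_FAILED_ATTEMPTS = 5
INACTIVITY_TIMEOUT = timedelta(minutes=30)

@dataclass
class Account:
    failed_attempts: int = 0
    locked: bool = False
    last_activity: Optional[datetime] = None  # None means no active session

@dataclass
class AuthPolicy:
    accounts: Dict[str, Account] = field(default_factory=dict)
    # Audit trail of (timestamp, user, event) tuples for Policy Area 4 reporting.
    audit_log: List[Tuple[datetime, str, str]] = field(default_factory=list)

    def _log(self, now: datetime, user: str, event: str) -> None:
        self.audit_log.append((now, user, event))

    def login(self, user: str, password_ok: bool, now: datetime) -> bool:
        acct = self.accounts.setdefault(user, Account())
        if acct.locked:  # stays locked even if the password is now correct
            self._log(now, user, "LOGIN_REJECTED_LOCKED")
            return False
        if not password_ok:
            acct.failed_attempts += 1
            self._log(now, user, "LOGIN_FAILED")
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True  # fifth consecutive failure locks the account
                self._log(now, user, "ACCOUNT_LOCKED")
            return False
        acct.failed_attempts = 0  # a successful login resets the counter
        acct.last_activity = now
        self._log(now, user, "LOGIN_SUCCESS")
        return True

    def touch(self, user: str, now: datetime) -> bool:
        """Call on every request; False means the session was ended for inactivity."""
        acct = self.accounts.get(user)
        if acct is None or acct.last_activity is None:
            return False
        if now - acct.last_activity > INACTIVITY_TIMEOUT:
            acct.last_activity = None
            self._log(now, user, "SESSION_TIMEOUT")
            return False
        acct.last_activity = now
        return True
```

An administrator's failed-login report is then a filter over `audit_log` by user and event, which is the kind of per-user view the auditing section above calls for.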
Covered in Policy Area 6, the CJIS rules on authentication are based on ensuring the identity of anyone trying to access the CJIS database. The first requirement of Policy Area 6 is that users choose strong passwords that meet CJIS specifications. To meet this requirement, password management software should allow administrators to create password templates that match the CJIS specifications.
The second requirement in Policy Area 6 deals with multi-factor authentication (MFA). According to CJIS rules, any user trying to access CJIS data from a non-secure location must use advanced authentication, or MFA, in order to prove their identity. With MFA, a user must present not only their password, but also another security “factor” in order to gain access. The second security factor could be a biometric fingerprint scan or a one-time access code generated by a secure app on their mobile phone.
Once protected by MFA, a system is nearly impenetrable to an outside attack. This enhanced security covers many security bases, and also opens the door to other security options like single sign-on (SSO). With SSO, a user authenticates with MFA and can then easily log in to all needed applications from a one-stop SSO portal—eliminating the need for tedious logins while still providing premium security.