What You Need to Know About CJIS Policy Area 6

    Policy Area 6 of the new CJIS Security Policy, “Identification and Authentication,” is my favorite. Big surprise there; it deals with multi-factor authentication. If you’re a regular reader of this blog, you know it’s a topic I never get sick of.

    5.6 Policy Area 6: Identification and Authentication

    “The agency shall identify information system users and processes acting on behalf of users and authenticate the identities of those users or processes as a prerequisite to allowing access to agency information systems or services.”

    Basically, with the guidelines set forth in Policy Area 6, CJIS is looking to ensure that users adequately prove their identities before being allowed to log into the system used to access CJIS data.

    Relevant Policy Area 6 Guidelines

    5.6.1 Identification Policy and Procedures

    “Each person who is authorized to store, possess, and/or transmit CJI shall be uniquely identified.”

    Emphasized here is the need for individual login IDs and passwords to the system used to access CJIS data; this is information that should never be shared.

    5.6.2.1.1 Passwords

    This section specifies requirements for all passwords used to log in to the system through which CJIS is accessed.

    “Passwords shall:

    • Be a minimum length of eight (8) characters on all systems.
    • Not be a dictionary word or proper name.
    • Not be the same as the User ID.
    • Expire within a maximum of 90 calendar days.
    • Not be identical to the previous ten (10) passwords.
    • Not be transmitted in the clear outside the secure location.
    • Not be displayed when entered.”

    5.6.2.2.1 Advanced Authentication Policy and Rationale

    “The requirement to use or not use AA [advanced authentication] is dependent upon the physical, personnel and technical security controls associated with the user location...the intent of AA is to meet standards for [multi-factor] authentication.”

    For purposes of CJIS compliance, advanced authentication (AA) is the same as multi-factor authentication (MFA) or two-factor authentication (2FA).

    The CJIS standards give a pretty good definition of multi-factor authentication:

    “[Multi-factor authentication] employs the use of two of the following three factors of authentication: something you know (e.g. password), something you have (e.g. hard token), something you are (e.g. biometric). The two authentication factors shall be unique (i.e. password/token or biometric/password but not password/password or token/token).”

    So, in order to log in remotely, or from a non-secure system, a user must provide not only a password, but also another security factor (like a biometric fingerprint scan or one-time access code from a secure mobile app on their smartphone).

    MFA makes a system far harder to penetrate from the outside. Even if a wannabe hacker should learn a system password, he or she would still be unable to provide the needed second factor.

    How to Comply With Policy Area 6

    The advanced security options on the market today make compliance with these guidelines relatively easy. In fact, choosing a software suite that offers the features below will not only help you achieve full CJIS compliance, but it will no doubt make your life as an IT pro much easier.

    The password management and security suite you choose should:

    • Allow administrators to create password templates that meet all CJIS requirements.
    • Allow administrators to easily manage and audit passwords, automating password expiration within 90 days.
    • Offer an affordable and convenient MFA option, like a unique one-time access code from an affordable hardware device or from a secure smartphone app.
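    As an added illustration (not code from the original post or from any product), here is a small Python checker for the 5.6.2.1.1 password rules quoted above and for the 90-day expiry that the suite in the last bullet would automate. The wordlist, the sample user ID and the old passwords are constructed for the example, and salted PBKDF2 for the password history is my own choice, not something the policy text prescribes.

```python
import hashlib
import hmac
import os
from datetime import date

MIN_LENGTH = 8       # "minimum length of eight (8) characters"
HISTORY_DEPTH = 10   # "not identical to the previous ten (10) passwords"
MAX_AGE_DAYS = 90    # "expire within a maximum of 90 calendar days"

# Constructed stand-in for a real dictionary and proper-name list.
DICTIONARY = {"password", "welcome", "sunshine", "michael", "jennifer", "dragon"}

def hash_password(password, salt=None):
    """Salted PBKDF2 digest so the password history never holds clear text."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def in_history(password, history):
    """Re-hash the candidate under each stored salt; compare in constant time."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history[-HISTORY_DEPTH:])

def check_password(user_id, password, history):
    """Return the 5.6.2.1.1 rules a candidate password violates (empty = OK).
    The transmit-in-the-clear and do-not-display rules are transport/UI
    controls and cannot be checked on the string itself."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("minimum length of eight characters")
    if password.lower() in DICTIONARY:
        violations.append("dictionary word or proper name")
    if password.lower() == user_id.lower():
        violations.append("same as the User ID")
    if in_history(password, history):
        violations.append("identical to one of the previous ten passwords")
    return violations

def is_expired(set_on, today):
    """True once 90 calendar days have elapsed since the password was set."""
    return (today - set_on).days >= MAX_AGE_DAYS

if __name__ == "__main__":
    # Constructed sample: two earlier passwords for a hypothetical user "jsmith".
    history = [hash_password(p) for p in ("Old-Pass-1", "Old-Pass-2")]
    print(check_password("jsmith", "Old-Pass-2", history))      # reused password
    print(check_password("jsmith", "Correct-Horse-7", history))  # []
    print(is_expired(date(2024, 1, 1), date(2024, 3, 31)))       # True: 90 days
```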
