New CJIS Security Policy Changes the Game for MFA for Criminal Justice Organizations

Criminal Justice Information Services (CJIS), a division of the FBI that collects, stores, and shares information about criminal activities and people involved in the criminal justice system, recently released its latest security policy. While an updated policy might not seem like a big deal, Chris Weatherly, the information security officer in the FBI/CJIS Division, told Government Technology that the policy is “roughly 50% new,” with a goal to make the entire criminal justice system more secure.This means that all entities that rely on CJIS information must understand and adhere to this new policy to access the data. This includes police departments and courts, as well as non-criminal justice agencies, like departments of education, vendors, and contractors.CJIS information drives programs like:

  • National Crime Information Center (NCIC and NCIC2000)
  • National Instant Crime (NIC) background check
  • Uniform Crime Reporting (UCR)
  • Integrated Automated Fingerprint Identification System (IAFIS)
  • National Incident-Based Reporting System (NIBRS)
  • Bioterrorism Risk Assessment Group
  • Law Enforcement Records Management Systems (RMSs)

One of the key areas noted in the updated policy is the requirement that all systems and applications that store and provide access to criminal justice information must be protected by multifactor authentication (MFA) by October 1, 2024. MFA is intended to make CJIS systems more secure by stopping the current wave of identity-based attacks, such as phishing.

Not All MFA is the Same

The policy requires that at least two of the following three factors must be used as part of MFA protection:

  • Something you know, like passwords, PINs, or security codes
  • Something you have or possess, like smart cards, mobile devices, security keys, or tokens
  • Something you inherently “are”, represented by fingerprints, facial scans, iris scans, or other biometric tools

CJIS does not specify which form of MFA is best, but to make this determination it points readers to the National Institute of Standards and Technology’s (NIST) Special Publication 800-63 Digital Identities Guidelines. In this document, NIST details how to achieve phishing-resistant MFA, an approach that provides security against phishing and other identity attacks that have been so successful because of the widespread harvesting of passwords, passphrases, and PINs by criminal actors. This is an important consideration because there are types of MFA that are not phishing resistant, and they will not be allowed under the new CJIS security policy.Some security practitioners who take the CJIS policy literally are taken by surprise by this concept, because it is referenced in a separate NIST document. But, the bottom line is, failure to adhere to phishing-resistant MFA could prevent law enforcement and related professionals from accessing CJIS data.

Phishing-Resistant MFA Required

To achieve phishing-resistant MFA, the new CJIS security policy mandates using assurance standards recommended in NIST document SP 800-63B. The level of identity assurance required by NIST is called Authenticator Assurance Level 2 (AAL2). The document strongly recommends that, when using MFA, AAL2 be achieved by using a combination of cryptographic devices and cryptographic software.While the CJIS policy points to NIST and its SP 800-63B document as key references, it also contains its own requirements for authentication’s process and strength:

  • CJIS 5.6: IA-5.n(9) – “At enrollment, the CSP SHALL bind at least one, and SHOULD bind at least two, physical (something you have) authenticators…”
  • CJIS 5.6: IA-5.(k 2) – “…the ability to revoke or suspend the authenticator”

Solution architects who design these systems (and the auditors who verify them) should keep both the CJIS and NIST documents in mind as they ideate and evaluate their MFA.

Moving to Phishing-Resistant MFA

We’ve written an entire blog defining phishing-resistant MFA, but to put it succinctly, it is MFA that is built to defeat identity attacks by using certificate-based authentication (CBA), backed by public key infrastructure (PKI), or authentication technology complying with the Fast Identity Online (FIDO) standard. There is no other way to comply with NIST standards for phishing-resistant MFA. The following section goes into more detail on each phishing-resistant technology:

  • 509 Certificates — Digital certificates used for authentication and backed by PKI. The process for creating and managing public and private certificates is called the “transport layer” (TLS) or the “secure socket layer” (SSL) and both are based on the X.509 standard. In the context of phishing resistance, certificates use cryptography and PKI to prove the authenticity of every person or nonhuman (machine) trying to access systems. Most enterprises have some sort of PKI solution in place to manage their web properties, domain names, email, and machine-to-machine connections. And in cases where managing an internal PKI is too complicated, it can be outsourced to PKI-as-a-Service partners like Axiad.
  • FIDO Passkeys — FIDO passkeys represent a new era in phishing-resistant authentication. Axiad recently announced it has integrated a FIDO2 passkey API for Microsoft Entra ID into the Axiad Cloud advanced authentication toolset. This enables customers to efficiently manage FIDO2 credentials and, for the first time, makes FIDO2 passkeys practical for enterprises that rely on Entra ID for access management. FIDO passkeys are expected to become the gold standard in authentication because they dramatically improve enterprise security by enabling phishing-resistant M. Plus, they substantially improve the end-user experience by eliminating passwords and providing a variety of account lockout and other self-serve capabilities that take IT out of the authentication process.

For most use cases, customers will need to use x.509 certificate-based authentication and FIDO to achieve phishing resistance. This helps to eliminate gaps that could be exploited for identity-based cyberattacks. We recently wrote a blog about this that goes into greater detail.The good news is, moving to phishing-resistant MFA does not have to involve a “rip and replace” of existing authentication systems. Axiad Cloud allows customers to move to phishing-resistant MFA by providing an advanced authentication toolset that combines the technologies needed to enhance existing MFA – it enhances the native capabilities of existing IdPs and requires no “rip” or “replace.” It helps organizations deploy and manage strong authentication processes across people, machines, and applications without replacing existing systems.For law enforcement and related organizations, the new CJIS requirements for phishing-resistant MFA do not need to be a showstopper in terms of time and effort. By taking the right steps, phishing-resistant MFA can be done efficiently so access to CJIS data is unimpeded.