CJIS Mandate Update: Law Enforcement Organizations Get More Time to Move to Advanced Authentication1
CJIS is the U.S. Federal Bureau of Investigation’s Criminal Justice Information System (CJIS). It is the primary central repository for criminal justice information and the focal point for information exchange at all levels—federal, state, local and tribal.
The FBI is strengthening its security requirements by mandating a new level of ‘advanced authentication’ to access the information. Briefly stated, advanced authentication recommends as a best practice use of the personal security device, such as a token or a smart card-based credential, whenever accessing CJIS from outside a secure police facility, such as from a police cruiser, an investigation scene, a hotel room or from home. Replacing basic usernames and passwords with advanced authentication will greatly enhance the security of the nation’s sensitive information.
Law enforcement agencies have until September 30th 2014 – one year later than the original deadline – to implement advanced authentication and meet the mandate. The extension is a good thing because it gives organizations more time to pick the right solution to meet their security needs.
What does implementing advanced authentication require? Law enforcement organizations will need to provide users with authenticators and upgrade the identity and access management infrastructure to work with them.
The first step is to choose an authenticator technology, or a combination of them. One good alternative is a hardware-based one-time-password (OTP) token. These small devices display a numeric password that changes with every login. When logging in, the user presses a button on the device to get the unique code, and then types it into the keyboard.
The big advantages of OTP are that it can be implemented quickly because it does not require changes at the user device level and it is simple to administer.
Another good choice is to use smart card identity credentials with digital certificates. With proper security and certificate provisioning, only the legitimate user is able to access the network and sensitive data. This allows for additional security features such as digital signature and email encryption and enables officers to officially sign and file reports from the field. Smart cards are a well-established digital security technology that today protects more than two billion mobile phones and 600 million smart credit cards worldwide from fraud.
By putting a digital ID certificate on a smart card, you not only create a very powerful advanced authenticator, you also get a highly secure ID credential for secure visual identity verification and physical access control.
In a time of criminal hackers, hackitivists and potentially cyber warfare, advanced authentication is now an essential tool for law enforcement information security at every level of government.