The CJIS Compliance Deadline is Fast Approaching | Is your state / local government ready?

The deadline for CJIS compliance is rapidly approaching – it is mandated that all entities accessing criminal justice information (CJI) must have an acceptable multi-factor authentication (MFA) solution in place by October 1st, 2024. As per Criminal Justice Information Services (CJIS) Security Policy 5.9.3, non-compliance with this policy (i.e. not having an acceptable MFA solution) will become sanctionable as of this date. Protect your data, stay in compliance and avoid costly sanctions with robust MFA solutions that are fully aligned with CJIS requirements.

How to Comply with MFA requirements under CJIS 5.9.3

The FBI CJIS Security Policy mandates that agencies, including state and local governments implement multi-factor authentication (MFA) for all personnel accessing Criminal Justice Information (CJI) by October 1st, 2024. To achieve compliance, consider the following steps:

1. Assess Your Current Authentication Methods:

• Evaluate existing authentication processes and identify any vulnerabilities or gaps.
• Determine if your current MFA solutions are phishing-resistant, aligning with NIST SP 800-63B and FIDO standards.
• Accutive Security offers Identity and Access Management (IAM) assessments.

2. Selecting Your CJIS-Compliant MFA Solution:

• Selecting a NIST and FIDO aligned MFA solution is critical.
• Consider factors like user experience, ease of deployment, scalability, and integration with existing systems.
• Map the different user groups and organizations that require access and how the solution provisions access.
• Accutive Security partners with HID to offer a range of FIDO-certified MFA solutions that meet and exceed CJIS requirements.

3. Implement CJIS-Aligned MFA:

• Plan and design your MFA rollout strategy and timeline, including organizational change management that features role-specific user training.
• Configure and implement the MFA solution, integrating it into your existing IAM infrastructure.
• Conduct robust testing of the solution prior to deployment.

4. Integrate MFA into a robust IAM framework:

   • Incorporate MFA into your broader Identity and Access Management (IAM) framework for comprehensive security. The MFA requirements outlined in CJIS 5.9.3 are the minimum standard, and NIST recommends exceeding these standards.
   • Integrating physical and digital access control such as combining Digital Persona with Crescendo smartcards is an excellent way to bolster your authentication regimen.

5. Cybersecurity Awareness, including MFA Training:

• Cybersecurity awareness training is required under CJIS 5.9.3, section 5.2 for all users accessing CJI.
• Provide comprehensive training to personnel on the importance of MFA and how to use the new authentication methods securely.
• Emphasize the risks of phishing, ransomware and other access-driven attacks.

CJIS Compliance MFA Action Plan for State and Local Governments

State and local government agencies who access Criminal Justice Information (CJI) need a proactive plan and partner to achieve CJIS compliance ahead of the October 1^st, 2024 deadline. Accutive Security works with state and local governments, including their law enforcement agencies and court agencies to rapidly implement HID’s CJIS-aligned MFA solutions for CJIS compliance.

Understanding your CJIS compliance needs + responsibilities

We start each engagement with an assessment of your agency’s current Identity and Access Management (IAM) framework, identifying any vulnerabilities and gaps that must be closed to be CJIS compliant. Based on our assessment, we recommend an easy to use, flexible MFA solution that is aligned with your CJIS compliance needs. Robust MFA solutions, such as HID DigitalPersona, combine something you have such as a HID Crescendo smartcard or an authenticator on your mobile device with either biometrics (fingerprints, facial identification) or a password / passcode / PIN.

HID DigitalPersona for CJIS Compliance

We recommend HID DigitalPersona to our state and local government clients for CJIS compliance for several reasons:

• HID is a trusted leader in IAM with proven track record of success: HID is a global leader in secure authentication with a proven track record of successful deployments for state and local governments across the United States.
• Flexible combination of MFA options: HID DigitalPersona supports a wide array of authentication methods and factors to ensure that there is a suitable convenient solution that balances the need secure access with user experience.
• Rapid deployment: We can rapidly deploy your CJIS compliant MFA solution within days using HID DigitalPersona.
• Native integration with Microsoft Active Directory, Azure AD and Microsoft 365 for seamless integration into your existing IT infrastructure.
• Built with Compliance in mind: In addition to CJIS compliance, DigitalPersona is aligned with NIST 800-63 digital identity guidelines, ISO 27001, and FIDO certified.

Act Now to Stay CJIS Compliant

With the October 1st deadline fast approaching, now is the time to start planning for a CJIS-compliant MFA solution. Accutive Security’s IAM experts will work with you to perform an assessment of your MFA needs and recommend a robust, user-friendly, and flexible MFA solution. Accutive Security’s expertise working with state and local governments means that we understand your solution selection and procurement process. We will work with your agency to make the MFA selection, planning, and implementation process as seamless as possible, ensuring that you have a CJIS-compliant MFA solution in place ahead of the October 1^st deadline.

Secure your complimentary consultation with a CJIS expert today!