
Mario Tagaras

May 1, 2026

The 95% Problem: Is your technical reality a fail-safe or a vulnerability?

Hi all, 


In the CJIS world, we’re no strangers to the increasing volume of security breaches or vulnerabilities surrounding us. Estimates even predict that up to 95% of breaches involve a human element. Whether it’s a fatigued worker clicking a phishing link after a long day or a distracted user accidentally reusing a password, human error remains one of the greatest vulnerabilities.


Training (as required in the Awareness and Training (AT) control family of the CJIS Security Policy) is a great start to preventing these scenarios, but when the “human firewall” fails, your technical hardening is the only thing standing between a mistake and a catastrophe.

 

Here are four critical areas your agency can double-check:

  1. [AC-7] Access Control: Do your settings limit users to 5 login attempts before they are locked out? If they get locked out, do your procedures only permit an administrator to reset the account, or do you have a set lockout duration?

  2. [AC-11] Device Lockouts: While patrol MDTs and dispatch systems are exempt due to operational speed (requiring a 12-hour session lock), are your standard office workstations set to lock out after 30 minutes of inactivity? 

  3. [IA-5] Password Integrity: Are your systems set to require passwords of at least 8 characters that expire after 365 days? Does your agency have a banned password list? Have you implemented MFA? Are you checking that settings are in place to ensure passwords aren’t being stored using reversible encryption?

  4. [SC-28] Encryption: Are you validating that your workstations and applications are using FIPS 140-2 or FIPS 140-3 certified encryption?
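
As an added illustration (not part of the original post and not CJIS ACE's own tooling), the following Python checks items 1 to 3 against a Windows local security policy export of the kind produced by `secedit /export /cfg policy.inf`. The Windows platform, the constructed sample policy, and the mapping of each setting to a control are assumptions; the thresholds are the ones listed above.

```python
import configparser

# Assumed mapping: the inactivity limit is read from this machine policy value.
INACTIVITY_KEY = (r"MACHINE\Software\Microsoft\Windows\CurrentVersion"
                  r"\Policies\System\InactivityTimeoutSecs")

# Constructed sample export (not taken from a real host).
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
MaximumPasswordAge = 365
ClearTextPassword = 1
LockoutBadCount = 10
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs=4,1800
"""

# (control, section, key, passes(value), requirement as stated in the checklist)
RULES = [
    ("AC-7", "System Access", "LockoutBadCount",
     lambda v: 1 <= v <= 5, "lock out after at most 5 attempts (0 = never)"),
    ("AC-11", "Registry Values", INACTIVITY_KEY,
     lambda v: 1 <= v <= 1800, "lock after at most 30 minutes idle"),
    ("IA-5", "System Access", "MinimumPasswordLength",
     lambda v: v >= 8, "at least 8 characters"),
    ("IA-5", "System Access", "MaximumPasswordAge",
     lambda v: 1 <= v <= 365, "expire within 365 days (-1 = never)"),
    ("IA-5", "System Access", "ClearTextPassword",
     lambda v: v == 0, "reversible encryption must be off"),
]

def audit(inf_text):
    """Return (control, setting, value, requirement) for each failed or missing setting."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as exported
    cp.read_string(inf_text)
    findings = []
    for control, section, key, passes, requirement in RULES:
        raw = cp.get(section, key, fallback=None)
        # Registry values are exported as "type,value"; plain settings as "value".
        value = int(raw.split(",")[-1]) if raw is not None else None
        if value is None or not passes(value):  # an undefined setting is a finding
            findings.append((control, key.rsplit("\\", 1)[-1], value, requirement))
    return findings

if __name__ == "__main__":
    for control, setting, value, requirement in audit(SAMPLE_INF):
        print(f"[{control}] {setting} = {value}: {requirement}")
```

A real export is written as UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit`.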


Checking these boxes manually, or even deciphering the technical jargon, can be daunting. That’s where CJIS ACE comes in with our services specifically for local agencies! 


  • CJIS ACE Assessment: We help you understand what the requirements mean, how they apply to your specific setup, and if you are meeting the standards. 


  • Technical Security Services (TSS): We provide the "technical validation" that your environment is built to withstand the 95% Problem by deep-diving into your OS settings to validate that over 60 requirements are actually being met. 


Ready to hear more about how we can help? Just reach out to us at info@cjisace.com.


Talk soon,

Mario Tagaras
