
Larry Coffee
Apr 21, 2025
What Kinda of Authentication?
Hey Y’all,
If you haven’t looked at the modernized CJIS Security Policy yet (and you should have by now), there are a boatload of new requirements (they’re called Controls these days). Even though we’re in version 6.0 now, I’m gonna talk about one issue that has been in the Security Policy since December ‘22 that we get questions on, so it’s not really new.
You should know that these days you gotta use some kind of approved multi-factor authentication (MFA) before you can get to CJI, right? Seriously! That ol’ “our patrol cars are a physically secure location” doesn’t matter any more. It doesn’t matter if you’re sitting right in the FBI CJIS building in West Virginia, you still gotta use some kind of MFA solution.
Okay, this is a biggy! Username and password by themselves don’t cut it anymore. You’re going to need something in addition to your username and password (that is if you are still using usernames and passwords, but that’s for another newsletter.)
Since there are a whole bunch of moving parts regarding MFA, I’m just gonna hit on some basic stuff in this newsletter. If you are using passwords as part of your authentication management program, you are limited to five choices for multi-factor authentication solutions: 1) Look-Up Secrets, 2) Out-of-Band authenticators, 3) Single-Factor One-Time-Password Devices, 4) Single-Factor Cryptographic Software, or 5) Single-Factor Cryptographic Devices.
I realize that many of y’all are wondering right now “what the heck is that dude talking about?” Also, several of these things say “single-factor”; I thought we had to do multi-factor. I’m going to ‘splain it to you, but I don’t want to give y’all a headache right now, so I plan to break it down in bite-sized pieces over several letters.
Right now, if you have a solution and you don’t know what type it is, ask your vendor (or IT people) which one of these are you using and if it’s CJIS-compliant, because your auditors are going to be all over this (MFA is designated at Priority 1 in the Policy.) If you don’t have a solution, you got some figurin’ to do; this ain’t going away.
Don’t forget that CJIS ACE is here to help. With our CJIS Insight application, you can track all of these new controls, especially this MFA stuff, and make sure you’re ready. Whether you want us to walk you through the policy with a CJIS ACE Assessment or you wanna tackle it yourself, CJIS Insight can help you show how you’re meeting all those CJISSECPOL Controls
You can always learn more about what we at CJIS ACE can do for you on our website and I’d enjoy a chance to talk with you at info@cjisace.com.
Y'all take care,
Larry Coffee