New network authentication protocols set to take effect for law enforcement

Authorities strengthen requirements to access the Criminal Justice Information System


Many information security officers within the law enforcement community have recently had many discussions with regards to security and which elements of identification and authentication constitutes compliance as acceptable forms to access sensitive law enforcement data within the Criminal Justice Information System (CJIS).  

According to standard security principles, authentication is the process of verifying a claimed identity, determining if the subject is really who he/she claims to be. It is based on at least one of the following three factors: something a person has (smart card, token, key, swipe card, badge), something a person knows (password, passphrase, PIN), or a biometric identifier (fingerprint, voice, retina/iris characteristics). Strong, two-factor authentication contains two out of these three methods. A single form of authentication (standard authentication = password) is not a very secure means of authentication.

Therefore, many organizations have introduced policies that require a second means or form of authenticating a person's identity. Additionally, for the purpose of the CJIS Security Policy (CSP), the process of requiring more than a single factor of authentication is most often referred to as Advanced Authentication or AA. The requirement to use AA is dependent upon the physical, personnel and technical security controls associated with the user's location.

It was determined that AA shall not be required for users requesting access to CJIS from within a physically secure location and when the technical security controls have been met. However, AA is required when it can't be determined from where a user is originating, e.g. utilizing wireless or web. This extends beyond traditional workstations or laptops, but includes smartphones, tablet computers, and other Internet protocol-connected devices.

The future requirements mandate that in place systems be brought into compliance prior to the end of this year, at which point it will be required to be in compliance for the new set of authentication protocols supporting AA.

What this means for us is that we need to prepare now for the next wave of strong authentication requirements, which I believe means that we all should get ready (despite the recent data loss, breach, hacking, and clandestine monitoring activities we have recently seen in the news).  Without the use of stronger authentication, we actually open ourselves up to more risks than without them to prove our identity, and protect ourselves from those that want to capture and use our information illegally.