The Criminal Justice Information System (CJIS) is the world’s largest repository of criminal records, such as fingerprints, which can be searched by investigators and police professionals who are fighting crime and ensuring national security. The FBI’s CJIS provides state, local, and federal law enforcement and criminal justice agencies with access to critical personal information such as fingerprint records, criminal history, and sex offender registrations. The state-of-the-art technology also ensures the timely and legal purchase of weapons by instantly returning results to gun shops nationwide. The FBI’s Criminal Justice Information Services Division maintains the system.
To prevent unauthorized access to this extremely sensitive information, a security policy governing access to the Criminal Justice Information System (CJIS) database was enacted on January 1, 2011. The FBI mandate sets forth the minimum requirements for securing access to the data included within CJIS. The policy requires advanced authentication, or multi-factor authentication, to be implemented across all organizations that access the information contained in the CJIS database. CJIS compliance affects many organizations and departments, such as public safety, judicial, and correctional institutions, which must comply or face administrative sanctions and/or criminal penalties.
The first compliance deadline, related to unique and strong passwords, was September of 2010. The second part of CJIS compliance (the Advanced Authentication provision) must be in place by 2013 for all mobile systems such as laptops, cell phones, and PDAs, and for any devices connecting to the Internet.
Advanced Authentication, or two-factor authentication, requires two forms of credentials to be presented before access to a network or system is allowed. The first set is "something you have", such as a smart card, a security token, or a key fob, or "something you are", like fingerprints. The second set is "something you know", like a password, a PIN, or the answer to a challenge question, which is unique to the user and allows for advanced security if for any reason the first factor, "what you have", is lost or stolen.
The FBI has released the following regarding "advanced authentication":
"Advanced Authentication provides for additional security to the typical user identification and authentication of login ID and password, such as: biometric systems, user-based public key infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens, or "Risk-based Authentication" that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (i.e. device forensics, user pattern analysis and user binding), user profiling, and high-risk challenge/response questions. Advanced Authentication is also called Multi-Factor or Two-Factor authentication."
In summary, physical and logical controls such as advanced authentication must be deployed to protect the systems which access CJIS.