Date Published: March 13, 2025
Comments Due:
Email Comments to:
Author(s)
William Fisher (NIST), Jason Ajmo (MITRE), Sudhi Umarji (MITRE), Spike Dog (MITRE), Mark Russell (Appian Logic), Karen Scarfone (Scarfone Cybersecurity)
Announcement
Criminal and non-criminal justice agencies in the U.S. require the use of multi-factor authentication (MFA) to protect access to criminal justice information (CJI). MFA is important for protecting against credential compromises and other cyber risks such as attacks by cybercriminals or other adversaries that threaten CJI.
CJI is commonly accessed using computer-aided dispatch (CAD) and record management system (RMS) software, which communicate with a state-level message switch application. MFA architectures will likely need to integrate with one or both technologies. As agencies around the country begin to implement MFA solutions, the approaches they use require careful consideration and planning. This document provides a general overview of MFA, outlines design principles and architecture considerations for implementing MFA to protect CJI, and offers specific examples of use cases that agencies face today. It also outlines how CAD/RMS and message switch technologies can support standards and best practices that provide agencies with maximum optionality to implement MFA in a way that promotes security, interoperability, usability, and cost savings.
NOTE: A call for patent claims is included in the front matter of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
Most recent cybersecurity breaches have involved compromised credentials. Migrating from single-factor to multi-factor authentication (MFA) reduces the risk of compromised credentials and unauthorized access. Both criminal and noncriminal justice agencies need to access criminal justice information (CJI); to reduce the risk of unauthorized access, the Criminal Justice Information Services (CJIS) Security Policy now requires the use of MFA when accessing CJI. This document provides practical guidance to agencies that are implementing MFA, reflecting on lessons learned from agencies around the country and from CJI-related technology vendors.
Most recent cybersecurity breaches have involved compromised credentials. Migrating from single-factor to multi-factor authentication (MFA) reduces the risk of compromised credentials and unauthorized access. Both criminal and noncriminal justice agencies need to access criminal justice information...
See full abstract
Most recent cybersecurity breaches have involved compromised credentials. Migrating from single-factor to multi-factor authentication (MFA) reduces the risk of compromised credentials and unauthorized access. Both criminal and noncriminal justice agencies need to access criminal justice information (CJI); to reduce the risk of unauthorized access, the Criminal Justice Information Services (CJIS) Security Policy now requires the use of MFA when accessing CJI. This document provides practical guidance to agencies that are implementing MFA, reflecting on lessons learned from agencies around the country and from CJI-related technology vendors.
Hide full abstract
Keywords
authentication; credentials; criminal justice information (CJI); identity; identity federation; law enforcement; multi-factor authentication (MFA); single sign-on (SSO)
Control Families
Identification and Authentication
