CJIS – New MFA Guidelines

The Criminal Justice Information Services (CJIS) Division of the Federal Bureau of Investigation (FBI) is responsible for providing secure access to criminal justice information to authorized law enforcement agencies across the United States. To ensure the security and integrity of this information, the CJIS Security Policy was created to establish minimum security requirements for accessing and handling this sensitive data. One of the most significant changes coming to the CJIS Security Policy in 2024 is the new Multi-Factor Authentication (MFA) guidelines.

The new CJIS MFA guidelines will require all CJIS users to implement MFA when accessing Criminal Justice Information (CJI) from remote locations. MFA is a security process that requires users to provide multiple forms of authentication, such as a password and a fingerprint or facial recognition scan, to access a system. This helps to ensure that only authorized users can access sensitive data and adds an extra layer of protection against unauthorized access and data breaches.

Under the new guidelines, all CJIS users who access CJI from a remote location must implement MFA by September 30, 2024. This includes state and local agencies, federal agencies, and private contractors who handle CJI on behalf of law enforcement agencies. The MFA solution used must be on the CJIS-approved list of MFA solutions, which is updated periodically by the CJIS Division.

The CJIS Division is also requiring all MFA solutions to be compliant with the Federal Risk and Authorization Management Program (FedRAMP), which is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based services. This requirement ensures that all MFA solutions used to access CJI meet the highest standards for security and data protection.

The CJIS Division is currently working with state and local agencies to help them prepare for the new MFA guidelines, which include a prohibition on using SMS or email to transmit an MFA token. The CJIS Division and the states are providing guidance on selecting and implementing an MFA solution, as well as resources for training staff on how to use MFA effectively. The CJIS Division is also conducting outreach and education efforts to raise awareness of the new guidelines and the importance of securing CJI.

In conclusion, the new CJIS MFA guidelines coming in 2024 will significantly enhance the security of Criminal Justice Information by requiring all users to implement MFA when accessing CJI from remote locations. This change is part of the ongoing effort to improve the security and integrity of CJI and protect against unauthorized access and data breaches. Agencies and contractors who handle CJI should start preparing now for the new MFA requirements to ensure compliance by the September 30, 2024 deadline.

Contact GTEL Advisors, LLC for assistance to ensure CJIS compliance.