December 6, 2024

Understanding the New CJIS MFA Policy: A Guide for iCrimeFighter Users

The FBI’s Criminal Justice Information Services (CJIS) Division has updated its security policy, introducing new measures to better safeguard sensitive criminal justice information (CJI). One of the most significant changes is the requirement for multi-factor authentication (MFA). This post explains the new policy and how iCrimeFighter users can prepare to align with these enhanced security standards.

What is the CJIS Security Policy?

The CJIS Security Policy establishes minimum security requirements for accessing and managing Criminal Justice Information (CJI). It applies to all entities interacting with criminal justice systems, including law enforcement agencies and contractors. These rules incorporate guidance from federal laws, executive orders, and NIST (National Institute of Standards and Technology) guidelines to ensure robust protection against cyber threats.

Key Changes to the MFA Requirements

1. Mandatory MFA Implementation

Starting October 1, 2024, all entities accessing CJI are required to use MFA. This extra layer of security helps prevent unauthorized access by combining at least two forms of authentication:

• Something you know (e.g., a password)

• Something you have (e.g., a security token)

• Something you are (e.g., biometrics)

2. Phishing-Resistant MFA

The updated CJIS policy highlights the importance of using phishing-resistant MFA, aligning with NIST SP 800-63B standards. This ensures systems are more secure against increasingly sophisticated phishing attacks.

3. Compliance Audits

Agencies must prepare for audits that verify whether MFA has been implemented at both system and application levels, as required by the updated CJIS standards.

How Does This Affect iCrimeFighter Users?

While iCrimeFighter is not currently enforcing MFA, we encourage agencies to consider implementing it to align with CJIS recommendations and strengthen their overall security. iCrimeFighter supports MFA through authenticator apps, offering users an easy way to add this additional layer of protection. Supported apps include:

• Google Authenticator

• Microsoft Authenticator

• Authy

• Duo Mobile

These apps work seamlessly with iCrimeFighter, allowing users to generate time-based codes for secure access to the platform.

Preparing Your Agency for MFA

1. Evaluate Your Current Systems

Review your agency’s IT infrastructure to identify where MFA fits into your security framework and ensure CJIS compliance.

2. Set Up Authenticator Apps for iCrimeFighter

Setting up MFA on iCrimeFighter is straightforward. Once MFA is enabled, each user downloads an authenticator app and links it to their account. This proactive step ensures your agency is prepared for future changes.

3. Train Your Team

Educating your staff on the importance of MFA and how to use it effectively is key to smooth adoption.

4. Stay Ahead of Compliance

By enabling MFA, your agency takes an important step toward aligning with the new CJIS requirements while bolstering data security.

Why MFA Matters

While implementing MFA may feel like an extra step, it significantly enhances your agency’s defense against unauthorized access. Cyber threats targeting CJI are on the rise, and MFA provides a simple yet powerful way to mitigate these risks. iCrimeFighter is committed to helping agencies protect their data and comply with evolving security standards.

Next Steps

If you’d like assistance setting up MFA in iCrimeFighter, please contact our team. We’re here to help your agency transition smoothly into this new era of CJIS compliance and enhanced data security.

By understanding and adopting these new requirements, you can ensure your agency is prepared to meet the highest standards of criminal justice information protection.