Law enforcement must act soon to comply with the FBI’s database security mandate
An important deadline is fast approaching for federal, state, local and tribal law enforcement agencies. Starting September 30, 2014, the FBI will require advanced authentication for anyone accessing its criminal justice information (CJIS) system to keep highly sensitive law enforcement data from falling into the wrong hands.
Most law enforcement agencies and officers are familiar with authentication -- it’s the way you prove your identity to an information system or service provider. In the case of CJIS, this is usually done with a login ID (username) and password. The very nature of the data contained in the CJIS database makes it a prime target for cybercrime.
The mandate for advanced authentication provides for additional security by recommending an “authenticator” in addition to the login ID and password. This is also referred to as two-factor authentication, because identity must be proven in two ways. For example, when you withdraw cash at an ATM, your ATM card (something you have) and your PIN code (something you know) are the two factors that provide you with advanced authentication.
With the FBI’s deadline just around the corner, here are some key considerations for how to implement advanced authentication and satisfy the mandate in your agency.
How to implement advanced authentication
There are two main areas of focus that must be addressed in order to implement the advanced authentication requirement. You must provide users with authenticators, and you need to upgrade your identity and access management infrastructure.
Authenticators can be pocket-sized tokens that provide a one-time password (OTP), or they can be smart cards.
OTP tokens -- These devices display a numeric password that changes with every login. Pressing a button on the token generates a unique code, which is entered along with the login ID and password to gain access to the system. OTP tokens interoperate with existing devices and are straightforward to deploy.
Smart cards with digital certificates -- A smart card is a driver’s license-sized piece of plastic that contains a microprocessor that can process and store data. Smart cards are a well-established digital security technology that today protects more than two billion mobile phones and 600 million credit cards worldwide.
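To show what "a numeric password that changes with every login" looks like on the verifying side, here is an added example (not code from the article or from Gemalto) of an event-based OTP check in the style of RFC 4226 (HOTP). The secret and expected codes are the RFC's published test values; the look-ahead window and class names are this example's own assumptions.

```python
import hmac
import hashlib
import struct

# Constructed test key from RFC 4226 Appendix D; a real token holds a secret
# provisioned at enrollment that never leaves the device or the auth server.
TOKEN_SECRET = b"12345678901234567890"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP value for one counter: HMAC-SHA1 plus RFC 4226 dynamic truncation."""
    msg = struct.pack(">Q", counter)                   # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # low nibble selects a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one enrolled token: shared secret and next expected counter."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0              # counter value the server expects next
        self.look_ahead = look_ahead  # unused button presses tolerated before resync fails

    def verify(self, submitted: str) -> bool:
        # Search a small window past the expected counter so a token pressed
        # without a login can resynchronise; codes outside the window are rejected.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1  # advance past the accepted code so it cannot be replayed
                return True
        return False
```

The look-ahead window is the deployment knob to watch: too small and officers who pressed the button a few extra times get locked out, too large and an attacker who observed an old code has more room to guess.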
There are three steps to ensuring your authenticators will interact with your identity and access management infrastructure:
- Modify your systems and networking infrastructure to accept advanced authentication;
- Implement an advanced authentication server;
- Upgrade desktops, laptops and police cars to work with authenticators.
As law enforcement agencies move to comply with the CJIS mandate, they will need a staff rollout plan. This plan should include:
- A registration process -- Enroll participants and issue their authentication method; attach the authenticator/certificate to the individual’s identity;
- Staff training -- Explain why advanced authentication is necessary and how to set up and use the authenticator;
- Administrator and helpdesk training -- Ensure that staff members know what to do in the case of lost or stolen credentials, a forgotten PIN code or an authenticator that is not working;
- Compliance audit -- Validate that advanced authentication is successfully implemented when accessing CJIS from outside a secure facility, in compliance with the CJIS mandate.
Smart card-based digital ID certificates and OTP tokens are widely used in government and private sector organizations. Systems for issuing and managing digital identities with authenticators are provided by leading IT infrastructure companies.
Using these technologies is not only a mandate of the CJIS security policy, but an essential tool for law enforcement information security at every level of government.
Tom Flynn is vice president of identity and access for Gemalto North America. He can be reached at: