April 2017 Digital Edition

Click Here

March 2017 Digital Edition

Click Here

Feb. 2017 Digital Edition

Click Here

January 2017 Digital Edition

Click Here

Nov/Dec 2016 Digital Edition

Click Here

Oct 2016 Digital Edition

Click Here

Technology Sectors

Market Sectors

Law enforcement must act soon to comply with the FBI’s database security mandate

Tom Flynn

An important deadline is fast approaching for federal, state, local and tribal law enforcement agencies. Starting September 30, 2014, the FBI will require advanced authentication for anyone accessing its criminal justice information (CJIS) system to keep highly sensitive law enforcement data from falling into the wrong hands. 

Most law enforcement agencies and officers are familiar with authentication -- it’s the way you prove your identity to an information system or service provider. In the case of CJIS, this is usually done with a login ID (username) and password. The very nature of the data contained in the CJIS database makes it a prime target for cybercrime. 

The mandate for advanced authentication provides for additional security by recommending an “authenticator” in addition to the login ID and password. This is also referred to as two-factor authentication, because identity must be proven in two ways. For example, when you withdraw cash at an ATM, your ATM card (something you have) and your PIN code (something you know) are the two factors that provide you with advanced authentication. 

With the FBI’s deadline just around the corner, here are some key considerations for how to implement advanced authentication and satisfy the mandate in your agency. 

How to implement advanced authentication 

There are two main areas of focus that must be addressed in order to implement the advanced authentication requirement. You must provide users with authenticators, and you need to upgrade your identity and access management infrastructure. 

Authenticators can be pocket-sized tokens that provide a one-time password (OTP), or they can be smart cards. 

OTP tokens -- These devices display a numeric password that changes with every login. Pressing a button on the token gives a unique code, which is used to access the device. OTP tokens ensure interoperability with devices and can be conveniently implemented. 

Smart cards with digital certificates -- A smart card is a driver’s license-sized piece of plastic that contains a microprocessor that can process and store data. Smart cards are a well-established digital security technology that today protects more than two billion mobile phones and 600 million credit cards worldwide. 

There are three steps to ensuring your authenticators will interact with your identity and access management infrastructure:

  1. Modify your systems and networking infrastructure to accept advanced authentication;
  2. Implement an advanced authentication server;
  3. Upgrade desktops, laptops and police cars to work with authenticators.

As law enforcement agencies move to comply with the CJIS mandate, they will need a staff rollout plan. This plan should include: 

A registration process -- Enroll participants and issue their authentication method; attach the authenticator/certificate to the individual’s identity; 

Staff training -- Explain why advanced authentication is necessary and how to set up and use the authenticator; 

Administrator and helpdesk training -- Ensure that staff members know what to do in the case of lost or stolen credentials, a forgotten PIN code or if the authenticator is not working; 

Compliance audit -- Validate that advance authentication is successfully implemented when accessing CJIS from outside a secure facility in compliance with the CJIS mandate. 

Smart card-based digital ID certificates and OTP tokens are widely used in government and private sector organizations. Systems for issuing and managing digital identities with authenticators are provided by leading IT infrastructure companies. 

Using these technologies is not only a mandate of the CJIS security policy, but an essential tool for law enforcement information security at every level of government. 

Tom Flynn is vice president of identity and access for Gemalto North America. He can be reached at:

[email protected] 

 

 

Recent Videos

HID Global is opening the door to a new era of security and convenience.  Powered by Seos technology, the HID Mobile Access solution delivers a more secure and convenient way to open doors and gates, access networks and services, and make cashless payments using phones and other mobile devices. ...
Mobile device forensics can make a difference in many investigations, but you need training that teaches you how to get the most out of your mobile forensics hardware and software, and certifies you to testify in court. Read this white paper to learn how to evaluate mobile forensics training...
PureTech Systems is a software company that develops and markets PureActiv, its geospatial analytics solution designed to protect critical perimeters and infrastructure.  Its patented video analytics leverage thermal cameras, radars and other perimeter sensors to detect, geo-locate, classify, and...
PureTech Systems is a technology leader in the use of geospatial video, focusing on perimeter security.  When combining geospatial capabilities with video analytics and PTZ camera control, managers of critical facilities can benefit by allowing the video management system to aid them in the process...