CJIS-Compliant Multi-Factor Authentication

Objective

A county government required a secure authentication solution to meet Criminal Justice Information Services (CJIS) compliance standards for securing criminal justice data. Their existing authentication framework utilized Absolute Secure Access (formerly NetMotion) with Windows Authentication. They sought to implement Multi-Factor Authentication (MFA) post-Windows Authentication while ensuring compliance with CJIS mandates.

The county’s user base included:

• 26 Communications personnel
• 300 mobile users (237 currently on domain with estimated growth considered)
• All users managed via Active Directory (AD)

A critical consideration was the CJIS compliance deadline in October, necessitating a rapid and effective solution.

Solution

The county initially explored One-Time Password (OTP) devices for MFA. However, concerns arose regarding smartphone access, privacy, and operational efficiency. Following further evaluation and consultation with the FBI, the county opted for FIDO-based K9-PIV security keys to enhance security and streamline authentication.

Envoy Data, through Southern Computer Warehouse, provided a comprehensive security solution tailored to the county’s needs. The implementation included:

• 326 Digital Persona security keys
• 326 K9-PIV authentication devices
• 20 hours of Envoy Data professional services to assist with deployment and integration

This solution ensured:

• CJIS compliance within the required timeline
• Seamless integration with Active Directory (AD) for centralized user management
• Enhanced security with FIDO-based authentication, reducing reliance on OTP devices
• Improved user experience by minimizing authentication friction for mobile users