CJIS and Mandated MFA (S1:E33)

September 15, 2022

All U.S. federal and state law enforcement personnel are required to follow the Criminal Justice Information Services (CJIS) mandate to access specific information. John Guerrero, CEO of Identify Systems, joins us to talk about CJIS compliance, multi-factor authentication (MFA), and the steps all businesses need to take to keep data safe.

Full Transcript

Speaker 1 (00:01): You're listening to Humans in Tech. Our podcast explores today's most transformative technology, and the trends of tomorrow, bringing together the brightest minds in and outside of our industry. We unpack what's new in physical access, identity verification, cyber security, and IOT ecosystems. We reach beyond the physical world, discuss our digital transformation as a species, and dive into the emerging figital experience. Join us on our journey as we discover just how connected the future will be and how we will fit into that picture. Your host is Leigh Dow, VP of Global Marketing at Identiv. Leigh (00:43): Thank you for tuning in. Today, we're joined by John Guerrero, CEO of Identify Systems. Hi, John. John (00:49): Hello, Leigh, how you doing? Leigh (00:50): Great. You're here to discuss authentication solutions in criminal justice information systems, a space where Identiv definitely plays a role. All federal and state law enforcement personnel are required to follow the CJIS mandate to access specific information. What is the mandate and why was it created? John (01:09): The FBI introduced integrated presidential directives, and federal laws, and FBI directives, and the criminal justice community decisions, creating the CJIS mandate. The mandate was given, or what I guess should say, was created to give law enforcement agencies quick and secure access to systems that provide information from anywhere, at any time, while protecting the information and user's ID from cyber criminals, or any persons not allowed to access its information. One of the most common use cases for the CJIS mandate would be a police officer is in his patrol car and he pulls over a vehicle. The officer can use his secure access to log some information that gives him background on vehicles, background on the vehicle owner. The information can tell the officer if the vehicle is properly titled or stolen, or even if the owner has a clean record, or if they have a warrant out for their rest. This is all information that the police officer needs to access in a very secure and timely manner to keep himself, and potentially anybody in the vehicle, safe. Leigh (02:22): What are some of the most effective ways to keep law enforcement agencies and citizens safe in the criminal justice system? John (02:28): Well, I hate to sound like a cliche or a tech nerd, but information is the key, and we have to protect citizens and law enforcement by keeping the right information secure. For example, at any given time, there are hundreds of law enforcement officers that are working undercover to [inaudible 00:02:48] the bad element of our society. Can you imagine what would happen if a list of these officers who put their lives on the line would be released to the very same criminals they are trying to bring to justice? Nothing good can come from that. Leigh (03:00): I think one of the things that I've found really interesting, and that the average citizen probably doesn't know, is the access that law enforcement has to national databases of information. For instance, I think most people don't realize that most law enforcement agencies, and police officers, have access to things like air travel information and things like that. I've always found that interesting that most people probably don't know what information they have access to, but it is outlined and mandated by the federal government. John (03:36): The information that they have access to is vast. It's understandable why it needs to be secure. There's a lot of data out there that people need to keep private, whether it's for their benefit, for the benefit of their family, or the benefit of law enforcement themselves. You really don't want this information falling into the wrong hands. Leigh (03:56): What is CJIS compliance? And you said it's called CJIS. John (04:00): Yeah, the acronym is CJIS but people's in their necessity to shorten, quicken things just have referred to it as CJIS, but they're just an [inaudible 00:04:13] of the CJIS mandate. However, the purpose of the discussion that we're having here, I'm specifically speaking to the piece that requires law enforcement agencies to identify and authenticate themselves that are accessing the information systems and processes that are available to them. Each individual's identity has to be authenticated at either the local agency level, the CJIS systems agency level, the state identification bureaus level, or at the Chandler level. The authentication strategy should be part of the agency's audit for policy compliance. The FBI CJIS division also identifies and authenticates all individuals who establish direct web-based interactive sessions with the FBI CJIS services. Leigh (05:00): What are some of the standard authenticators, advanced authentication, and risk based authentication methods? John (05:08): All different types of authenticators. The standard ones are basically going to be passwords, hard, soft tokens, biometrics, OTP, things of that nature. Pins. When you moved into the advanced authenticators, you're getting more into biometrics, smart cards, PKI infrastructure solutions, Fido, U2F, or Fido2 security keys, and then you have the risk based authentication. That's more network information, user information, or high risk challenge response questions there. Leigh (05:42): As we know in this industry, criminals and conspirators are constantly trying to stay many, many steps ahead and trying to do people out of their private information. What would you say is an effective way to increase security for this? John (05:55): Well, I say across the board, the best way to increase security is going to be using a multifactor authentication solution. It's been deemed not only in the federal space or the state and local agencies, but in the enterprise space, as well, as one of the most effective ways to increase security. The process where you add more than one authenticator, especially from the ones that we previously mentioned, to the authentication process. The more authenticators you require, the more secure your information is, and there has to be a line drawn, though. Too many authenticators and you take away that timely part of accessing the information. If you make somebody type in a pin, use their smart card, and use a Fido key, and use a soft token, well, that's going to take some time, but when the reality of a situation is you can really focus it down to two or three authentication methods based on the use case of where they're trying to access the information, and make it a very seamless and quick, as well as secure authentication. Leigh (06:53): What is a recurrent strategy for multifactor authentication? John (06:58): For MFA, it's to use software applications or physical devices. They generate a unique one time password that has limits on how long it's viable, and what's proven to be the most effective secure method is to add a physical device requirement to the authentication process, like a smart card or a Fido key, along with any other form of authentication, or authenticator, that we mentioned earlier. This means without the actual possession of that physical authenticator, you can't access the information at all. Leigh (07:32): What are some of the use cases for first responders and justice department officials? John (07:37): Well, if I can revert back to my earlier use case of the patrol officer in his vehicle, each officer has a laptop in their vehicle that they use to access the CJIS information systems while in the field. To authenticate to this network, the officer must follow the MFA requirements. They typically, right now, enter a pin, a password, and also tap his or hers smart card, which is also their ID badge, or a Fido token onto a smart card reader, or an NSC reader, to be granted access. If any of you authenticators are denied or missing, then access isn't granted. Using that tap method is a very quick and seamless way for them to get the information. The last thing you want is an officer struggling to spend time authenticating to get the information while something is going on that's beyond their control in the vehicle in front of them, or in a building in front of them, or even just standing there as a passerby, walking by. You want to make sure that everything's accessed quickly, securely, and in a timely manner to keep everybody safe. Leigh (08:40): What are some steps businesses should absolutely take to ensure their data is secure? John (08:45): Well, the MFA requirement by the CJIS mandate is governed by a federal agency. It's the FBI and the criminal justice system. In my opinion, it's the absolute best requirement for all business practices, whether the business is small or an enterprise organization. It's proven to be one of the most effective ways to secure information and protect user identities. Some of the authenticators that we're speaking of, like the Fido2 keys, whether it's either by Fido2 or the Fido standard, the federal government in the [inaudible 00:09:19] agency has verified that they're one of the strongest authentication methods that are out there and available, and the best way to see your data. Again, I'll go back to the whole physical possession of the device. If you have the device in your hand, then it's impossible for a hacker, whether they be in Russia, in China, in Arkansas, in your next town over to access that information without the key that's physically in your possession. Even if you lost that key, for whatever reason it was stolen, you still are required to have another authentication method to access the information. Whether you are accessing CJIS, or you're accessing your company's IP information, or you're just on your network, or on a business network, looking at resources that are available. You want to make sure that it's secure and using MFA typically is. Leigh (10:17): How does Identiv support MFA for CJIS compliance? John (10:21): Well, Identiv's been manufacturing very secure authenticators and credentials for decades. These devices are being used globally in numerous government and enterprise authentication practices. As you know, [inaudible 00:10:34] has been the leading supplier of smart card readers to the US government since the inception of HSPD-12. This means that there are millions of active and retired users in the US that possess and use the attentive device as part of their authentication process. To me, that speaks so highly of the company and the product. It's amazing. Leigh (10:54): Well, thank you for joining us today, John. It's always a pleasure to talk shop with you. We appreciate you taking the time out of your day, and as for the rest of the audience, if you like this podcast, please like and subscribe. Thanks a lot, John. John (11:06): Thank you, Leigh. Take care. Speaker 1 (11:07): Our new IP rated contactless smart card reader writer is perfect for clean rooms and industrial facilities. uTrust 3700 IG combines the world class technology of uTrust 3700 F with a unique industrial grade, dustproof, water resistant enclosure crafted with polished, high grade plastics, and ultrasonic welded seams. It stays clean inside and out. Learn more at identiv.com. Eliminate the risk of data, breaches, phishing, password theft, and replay attacks with hardened multifactor authentication, cybersecurity. Passwordless logins are simple and secure with uTrust Fido2 NFC plus security keys. Insert the device, tap the button, and get secure access. It really is that easy. Learn more at identiv.com. Physical security. Identity verification. The IOT. The hyper connectivity of our lives will only grow more pervasive as technology becomes more automated, and experiences more augmented, it's up to us to preserve our humanity, and use new tools and trends for good. The only question is, are we up for the challenge?