Shared devices create risk because the security boundary is the active session, not the physical terminal. If one user can inherit, view, or reuse another user’s session state, accountability breaks and case information can leak across shifts. Agencies need user switching and session isolation, not just a successful login.
Why This Matters for Security Teams
CJIS environments are unforgiving because shared devices collapse the gap between physical access and identity assurance. A successful login on a kiosk, workstation, or tablet does not prove the next person at the terminal is the same approved user, especially when shift changes, interrupted workflows, and cached session state are involved. That is why session control, not just device possession, becomes the real security boundary.
Security teams often underestimate how quickly accountability breaks when one user can see another user’s open records, tokenized state, or authenticated browser session. The risk is not only accidental exposure. It also includes unauthorized case lookups, privilege reuse, and weak attribution during investigations. NIST’s Cybersecurity Framework 2.0 treats identity, access, and continuous protection as operational requirements, not one-time login checks. NHIMG’s Ultimate Guide to NHIs makes the same point for machine identities: the protected state is the live credentialed session, not the asset label. In practice, many agencies discover exposure only after a shift handoff, a desk-side login reuse, or a records audit that cannot cleanly attribute who actually accessed the data.
How It Works in Practice
Shared-device risk in CJIS settings is best managed by designing for session isolation and user switching, not by assuming a terminal is trustworthy once it has passed a login screen. Each user should enter with a distinct identity context, and the prior session must be fully closed, scrubbed, and revalidated before the next user begins. This is where controls like automatic logout, profile separation, device re-authentication, and per-user application state become essential.
Operationally, teams should focus on four layers:
- Terminate the prior session at handoff, including browser state, cached tokens, and open files.
- Require user switching that creates a new authenticated context instead of reusing the current one.
- Bind access to the person and the task, so a device does not become a standing gateway to case data.
- Log every session transition with time, user, device, and application context for auditability.
Current guidance aligns with zero trust principles: trust the authenticated session only while it is continuously valid and contextually justified. CISJ workflows often benefit from short-lived credentials and stronger revalidation when the user moves between terminals. For broader identity governance, NHIMG’s Key Challenges and Risks section is useful because it frames why long-lived access state creates persistent exposure. For CJIS operators, the practical lesson is simple: if the next user can inherit the previous user’s authenticated context, the device has become an identity bridge rather than a controlled endpoint. These controls tend to break down when agencies rely on shared browsers, legacy thick-client apps, or unattended terminals that cannot reliably clear state between users.
Common Variations and Edge Cases
Tighter session isolation often increases operational friction, requiring organisations to balance faster shift turnover against stronger accountability. That tradeoff matters in CJIS offices, dispatch centers, field units, and mobile evidence review stations, where staff may need frequent handoffs and rapid re-entry to case systems.
Not every shared-device workflow can use the same control set. Kiosk modes may be sufficient for read-only access, but they are often too weak for record editing or sensitive casework. Tablet deployments can add risk if the app stores offline tokens or local copies of case data. Remote desktop solutions improve separation only if the user session itself is isolated and the remote environment is reset cleanly between users.
Best practice is evolving, but the direction is consistent: agencies should treat shared devices as untrusted by default and push authorization decisions into the live session. That means pairing device hardening with identity controls, short-lived authentication, and strong audit trails. NHIMG’s 52 NHI Breaches Analysis is a reminder that persistent credentials and poor lifecycle control create repeatable exposure patterns, even when the underlying asset appears well managed. For CJIS, the same logic applies to human sessions on shared endpoints: if a terminal preserves too much identity state, the next user may inherit more than just a screen.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Shared-device risk is fundamentally an identity and access control problem. |
| NIST Zero Trust (SP 800-207) | SC-3 | Zero trust requires continuous validation, not trust in the terminal itself. |
| OWASP Non-Human Identity Top 10 | NHI-06 | Session reuse and credential persistence mirror core non-human identity risks. |
Eliminate persistent session state and enforce short-lived, isolated authentication contexts.
