TL;DR: A midsized police department cut a state CJIS audit from about a week to roughly five hours after moving to phishing-resistant, passwordless MFA with hardware authenticators, according to RSA Security. The case shows that strong authentication can materially reduce compliance overhead while improving protection for sensitive criminal justice information.
At a glance
What this is: This is a vendor case study showing how phishing-resistant MFA shortened a police department's CJIS audit and strengthened protection for sensitive criminal justice information.
Why it matters: It matters because identity controls for human users remain central to safeguarding regulated data, and audit readiness depends on more than policy documentation.
Context
Phishing-resistant MFA is authentication that does not rely on passwords that can be phished or replayed. In this case, RSA Security describes a police department that used hardware-backed, passwordless authentication to reduce the operational burden of a CJIS audit while protecting sensitive criminal justice information.
The governance issue is not whether police departments need authentication. It is whether their access controls can withstand both adversarial credential attacks and sudden compliance scrutiny. For regulated public-sector environments, the control has to support day-to-day security and audit evidence at the same time.
Key questions
Q: How should agencies apply phishing-resistant MFA to regulated data access?
A: Agencies should require phishing-resistant MFA for users who access regulated or sensitive records, especially where compliance audits are frequent. The priority is to remove reusable secrets from the login path and to make enforcement consistent across critical systems. That approach improves both security and the ability to prove control effectiveness during review.
Q: Why does strong authentication matter for audit readiness?
A: Strong authentication matters because auditors need evidence that access to sensitive data is controlled in a way that is both enforceable and provable. If users rely on passwords or replayable factors, the organisation must defend a weaker assurance model. Hardware-backed authentication reduces that gap and shortens the evidence trail reviewers need to inspect.
Q: What breaks when access controls still depend on passwords for sensitive records?
A: Password-based access breaks down because phished or reused credentials can be used to bypass policy intent, even when MFA exists in name only. In regulated environments, that weakens the security boundary and creates more audit exceptions. It also leaves teams exposed to last-minute compliance pressure when reviewers ask how identity assurance is actually enforced.
Q: Who is accountable when a public agency fails a CJIS identity review?
A: Accountability sits with the agency's identity, security, and compliance owners together, because authentication policy, enforcement, and audit evidence are shared responsibilities. Frameworks such as the NIST Cybersecurity Framework 2.0 help structure that accountability across protect and detect functions. The practical test is whether the agency can demonstrate control, not just claim it.
Technical breakdown
Phishing-resistant authentication for CJIS access
Phishing-resistant MFA removes the most common interception point in identity attacks: the reusable secret. Hardware authenticators and passkeys bind authentication to a device and a user gesture, which makes credential replay and adversary-in-the-middle phishing far harder than with OTP or push-based MFA. In CJIS environments, that matters because access is not just about logging in. It is about proving that sensitive criminal justice data is only reachable through strong identity assurance.
Practical implication: replace phishing-prone factors for users who touch CJI, especially where audit scrutiny is high.
Passwordless hardware authenticators and assurance level
Passwordless authentication changes the control model by removing shared or remembered secrets from the login path. A FIPS-certified hardware authenticator adds tamper-resistant proof of possession, which supports stronger assurance than passwords or mobile approvals. The important point for IAM teams is that the control is not only about user convenience. It reduces the chance that a compromised password or stolen one-time code becomes the entry point for regulated data access.
Practical implication: align authentication strength to data sensitivity, not just to user preference or rollout speed.
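As an added example (not code from RSA Security's case study or from the NHIMG post), the following Go program shows the mechanism the two paragraphs above describe: a FIDO2/WebAuthn assertion is bound to the relying party's own challenge, origin and RP ID and is signed by a key that never leaves the hardware authenticator, so the same exchange relayed through an adversary-in-the-middle proxy on a lookalike domain fails verification where a relayed OTP or push approval would have been accepted. The RP ID, origin, lookalike domain and challenge value are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData mirrors WebAuthn collectedClientData: the browser, not the page,
// fills in the RP's challenge and the origin the user is actually on.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedBytes is what the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func signedBytes(authData, cdJSON []byte) []byte {
	h := sha256.Sum256(cdJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// verifyAssertion is the relying party's check: its own challenge, its own origin,
// a matching rpIdHash, and a signature under the key registered at enrolment.
func verifyAssertion(pub ed25519.PublicKey, rpID, origin, challenge string, authData, cdJSON, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != challenge || cd.Origin != origin {
		return false // stale or replayed challenge, or relayed from a lookalike site
	}
	want := sha256.Sum256([]byte(rpID))
	if len(authData) < 32 || string(authData[:32]) != string(want[:]) {
		return false
	}
	return ed25519.Verify(pub, signedBytes(authData, cdJSON), sig)
}

// simulate runs one genuine login and the same exchange relayed through an adversary-in-the-middle
// proxy on a lookalike domain (all names constructed); it returns (genuineOK, relayedOK).
func simulate() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // priv never leaves the authenticator
	const rpID, origin, challenge = "police.example", "https://police.example", "constructed-challenge-1"
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x05, 0, 0, 0, 1) // flags UP|UV, signature counter 1
	login := func(seenOrigin string) bool {
		cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: seenOrigin})
		sig := ed25519.Sign(priv, signedBytes(authData, cd))
		return verifyAssertion(pub, rpID, origin, challenge, authData, cd, sig)
	}
	// The proxy forwards the RP's real challenge, but the victim's browser records the origin it is on.
	return login(origin), login("https://police-example.net")
}
```

A real browser would already refuse to use the credential on the lookalike page because the RP ID is not a registrable suffix of that origin; the relying-party check shown here is the second, server-side layer of the same binding.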
Audit readiness in regulated law enforcement environments
Audit readiness depends on whether identity controls can be demonstrated quickly, consistently, and with evidence. When authentication is centrally managed and phishing-resistant, reviewers can more easily validate that the department is enforcing stronger access boundaries for CJI. That shortens the operational drag of compliance events and reduces the staffing pressure that comes from long audit windows. Identity assurance becomes part of the control evidence, not an afterthought.
Practical implication: build audit evidence around authentication strength, admin visibility, and policy enforcement before the next review.
Threat narrative
Attacker objective: The attacker aims to gain unauthorized access to sensitive criminal justice information by defeating weak authentication.
- Entry begins with phishing attempts against user credentials, which is the most likely route into a weakly protected law-enforcement identity estate.
- Escalation follows when stolen passwords or replayable factors are used to reach systems containing criminal justice information.
- Impact is the exposure or misuse of sensitive CJI, along with the operational burden of proving compliance under audit pressure.
Breaches seen in the wild
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
- Microsoft Midnight Blizzard breach — Midnight Blizzard (APT29) exploited a legacy test account without MFA to breach Microsoft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Phishing-resistant MFA is now an audit control, not just a login control. In regulated law-enforcement environments, authentication strength directly affects how quickly a team can satisfy compliance review. When a department can demonstrate hardware-backed, passwordless access, auditors spend less time challenging the identity layer and more time validating governance evidence. The practitioner conclusion is straightforward: treat strong authentication as part of audit readiness architecture, not as a user-facing convenience project.
CJIS-grade access control exposes the cost of weak identity assurance. Password-based or replayable authentication creates a larger gap between policy intent and actual access risk. That gap matters most where the data is sensitive, the user base is operationally distributed, and audit deadlines can arrive with little notice. The implication for public-sector IAM teams is that the weakest factor in the login chain becomes the weakest link in compliance posture.
Identity governance for public safety data must reduce both attack surface and audit surface. The same control that blocks phishing also reduces the evidence burden during reviews, because it provides a clearer, more defensible access model. This is where human IAM and compliance work converge: strong authentication has to be operationally provable, not just technically available. Practitioners should measure whether authentication controls shorten review cycles and narrow the number of exceptions auditors must inspect.
Access assurance for regulated human identities should be designed for scrutiny under pressure. The department's experience shows that the test is not whether the control works on a normal day. The test is whether it still works when auditors arrive early, evidence is incomplete, and staff capacity is constrained. That is the standard IAM teams should apply to any environment handling regulated records. The practitioner conclusion is to design authentication so it holds up when governance pressure is highest.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- That persistence window is one reason teams should pair phishing-resistant human authentication with the NHI Lifecycle Management Guide for machine access governance.
What this signals
Phishing-resistant authentication will increasingly be judged by whether it shortens operational review cycles, not just by whether it blocks login attacks. For public-sector and regulated organisations, the control now has to do two jobs at once: resist social engineering and produce clean audit evidence. That makes authentication design a governance issue, not just an access-management one.
Access assurance is becoming a cross-programme metric. IAM, compliance, and security operations all feel the same pressure when auditors arrive with short notice or when sensitive records are in scope. The organisations that move fastest are the ones that can show, with evidence, that their strongest factors are enforced where the risk is highest.
The broader signal is that regulated identity programmes need stronger alignment between authentication policy and review mechanics. If the control cannot be demonstrated quickly, it is not mature enough for high-scrutiny environments.
For practitioners
- Replace phishable factors for regulated users: Move personnel who access CJI or similarly sensitive records to phishing-resistant authentication, prioritising roles that are most visible to auditors and most likely to be targeted for credential theft.
- Document authentication evidence for audits: Maintain clear records showing which users are on hardware-backed or passwordless methods, how those methods are enforced, and which systems require them for access to sensitive records.
- Test audit readiness under short notice: Run a surprise readiness exercise that checks whether identity evidence, enforcement settings, and exception handling can be produced quickly enough for a CJIS-style review.
- Limit exceptions to strong authentication policy: Track and time-box any temporary exceptions, because every workaround increases the number of questions auditors must resolve and weakens assurance around regulated access.
Key takeaways
- Phishing-resistant MFA turns identity assurance into a compliance asset for sensitive public-sector data.
- The audit improvement in this case shows that strong authentication can reduce both attack exposure and review burden.
- IAM teams should design authentication controls that can be proven under pressure, not only deployed in steady state.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | | Phishing-resistant MFA maps to digital identity assurance for regulated access. |
| NIST CSF 2.0 | PR.AC-1 | Authentication policy and enforcement underpin controlled access to regulated data. |
| NIST Zero Trust (SP 800-207) | IA-2 | Zero trust relies on strong identity verification before granting access to sensitive systems. |
Use phishing-resistant authenticators for sensitive user populations and document assurance levels for audit.
Key terms
- Phishing-Resistant MFA: Authentication that cannot be easily replayed, phished, or intercepted because it relies on cryptographic proof instead of shared secrets. In regulated environments, it reduces the chance that a stolen credential can be reused to access sensitive systems or records.
- Passwordless Authentication: A login method that removes passwords from the primary authentication flow and replaces them with stronger proof such as hardware-backed keys or device-bound credentials. It lowers reliance on reusable secrets, which are still a common failure point in identity programmes.
- CJIS Security Policies: The identity and security requirements used to protect criminal justice information across law-enforcement systems and related services. They demand stronger access assurance, evidence of control enforcement, and operational discipline suitable for sensitive public-sector data.
- Hardware Authenticator: A physical device that generates or stores cryptographic material used to verify a user's identity. It is harder to phish than passwords or one-time codes and is often used when organisations need stronger assurance for high-risk access.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or IAM programme maturity, it is worth exploring.
This post draws on content published by RSA Security: Protecting Sensitive Police Department Data with Phishing-Resistant Multi-Factor Authentication. Read the original.
Published by the NHIMG editorial team on 2025-08-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org