TL;DR: A midsized police department cut a state CJIS audit from about a week to roughly five hours after moving to phishing-resistant, passwordless MFA with hardware authenticators, according to RSA Security. The case shows that strong authentication can materially reduce compliance overhead while improving protection for sensitive criminal justice information.
NHIMG editorial — based on content published by RSA Security: Protecting Sensitive Police Department Data with Phishing-Resistant Multi-Factor Authentication
Questions worth separating out
Q: How should agencies apply phishing-resistant MFA to regulated data access?
A: Agencies should require phishing-resistant MFA for users who access regulated or sensitive records, especially where compliance audits are frequent.
Q: Why does strong authentication matter for audit readiness?
A: Strong authentication matters because auditors need evidence that access to sensitive data is controlled in a way that is both enforceable and provable.
Q: What breaks when access controls still depend on passwords for sensitive records?
A: Password-based access breaks down because phished or reused credentials can be used to bypass policy intent, even when MFA exists in name only.
Practitioner guidance
- Replace phishable factors for regulated users Move personnel who access CJI or similarly sensitive records to phishing-resistant authentication, prioritising roles that are most visible to auditors and most likely to be targeted for credential theft.
- Document authentication evidence for audits Maintain clear records showing which users are on hardware-backed or passwordless methods, how those methods are enforced, and which systems require them for access to sensitive records.
- Test audit readiness under short notice Run a surprise readiness exercise that checks whether identity evidence, enforcement settings, and exception handling can be produced quickly enough for a CJIS-style review.
What's in the full article
RSA Security's full article covers the operational detail this post intentionally leaves for the source:
- The specific deployment path from traditional MFA to FIDO2 passkeys and hardware authenticators.
- The audit context around CJIS review timing, staffing impact, and the follow-on federal check.
- The product and hardware details behind the iShield Key 2 Series and its certification posture.
- The law-enforcement use case showing how identity controls affected both security and compliance operations.
👉 Read RSA Security's case study on phishing-resistant MFA for CJIS compliance →
CJIS compliance and phishing-resistant MFA for police data?
Explore further
Phishing-resistant MFA is now an audit control, not just a login control. In regulated law-enforcement environments, authentication strength directly affects how quickly a team can satisfy compliance review. When a department can demonstrate hardware-backed, passwordless access, auditors spend less time challenging the identity layer and more time validating governance evidence. The practitioner conclusion is straightforward: treat strong authentication as part of audit readiness architecture, not as a user-facing convenience project.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when a public agency fails a CJIS identity review?
A: Accountability sits with the agency's identity, security, and compliance owners together, because authentication policy, enforcement, and audit evidence are shared responsibilities. Frameworks such as the NIST Cybersecurity Framework 2.0 help structure that accountability across protect and detect functions. The practical test is whether the agency can demonstrate control, not just claim it.
👉 Read our full editorial: Phishing-resistant MFA for CJIS data reduces audit burden