CJIS compliance and phishing-resistant MFA for police data


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: A midsized police department cut a state CJIS audit from about a week to roughly five hours after moving to phishing-resistant, passwordless MFA with hardware authenticators, according to RSA Security. The case shows that strong authentication can materially reduce compliance overhead while improving protection for sensitive criminal justice information.

NHIMG editorial — based on content published by RSA Security: Protecting Sensitive Police Department Data with Phishing-Resistant Multi-Factor Authentication

Questions worth separating out

Q: How should agencies apply phishing-resistant MFA to regulated data access?

A: Agencies should require phishing-resistant MFA for users who access regulated or sensitive records, especially where compliance audits are frequent.

Q: Why does strong authentication matter for audit readiness?

A: Strong authentication matters because auditors need evidence that access to sensitive data is controlled in a way that is both enforceable and provable.

Q: What breaks when access controls still depend on passwords for sensitive records?

A: Password-based access breaks down because phished or reused credentials can be used to bypass policy intent, even when MFA exists in name only.

Practitioner guidance

  • Replace phishable factors for regulated users: Move personnel who access CJI or similarly sensitive records to phishing-resistant authentication, prioritising roles that are most visible to auditors and most likely to be targeted for credential theft.
  • Document authentication evidence for audits: Maintain clear records showing which users are on hardware-backed or passwordless methods, how those methods are enforced, and which systems require them for access to sensitive records.
  • Test audit readiness under short notice: Run a surprise readiness exercise that checks whether identity evidence, enforcement settings, and exception handling can be produced quickly enough for a CJIS-style review.

What's in the full article

RSA Security's full article covers the operational detail this post intentionally leaves for the source:

  • The specific deployment path from traditional MFA to FIDO2 passkeys and hardware authenticators.
  • The audit context around CJIS review timing, staffing impact, and the follow-on federal check.
  • The product and hardware details behind the iShield Key 2 Series and its certification posture.
  • The law-enforcement use case showing how identity controls affected both security and compliance operations.

👉 Read RSA Security's case study on phishing-resistant MFA for CJIS compliance →
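As an added example (not code from RSA Security's case study or from this post), here is a readiness check over a constructed account inventory. It separates accounts that merely have a hardware authenticator enrolled from accounts whose sign-in policy actually enforces it, which is the distinction behind the "MFA in name only" point above, and emits the who/status/why rows an auditor asks for. System names, method labels and the exception identifier are assumptions.

```python
from dataclasses import dataclass

# Methods bound to the relying-party origin (FIDO2/WebAuthn, PIV): a
# look-alike login page cannot replay them. Labels are constructed.
PHISHING_RESISTANT = {"fido2_hardware_key", "fido2_passkey", "piv_smartcard"}
# Factors a phishing page, relay proxy or SIM swap can capture.
PHISHABLE = {"password", "sms_otp", "totp", "push"}
# Constructed system labels standing in for CJI-scoped applications.
CJI_SYSTEMS = {"rms", "cad", "ncic_gateway"}

@dataclass
class User:
    name: str
    systems: set          # applications the account can reach
    registered: set       # authenticators enrolled to the account
    enforced: set         # methods the sign-in policy actually accepts
    exception: str = ""   # documented, time-boxed exception, if any

def assess(user):
    """Classify one account for the CJIS evidence record."""
    if not user.systems & CJI_SYSTEMS:
        return ("out_of_scope", "no CJI-scoped access")
    if user.enforced & PHISHING_RESISTANT and not user.enforced & PHISHABLE:
        return ("compliant", "enforced: " + ", ".join(sorted(user.enforced)))
    if user.exception:
        return ("exception", user.exception)
    if user.registered & PHISHING_RESISTANT:
        # Key enrolled, but policy still accepts a phishable path: MFA in name only.
        return ("gap", "hardware authenticator enrolled but not enforced")
    return ("gap", "phishable factors only: " + ", ".join(sorted(user.enforced)))

def evidence_rows(users):
    """Rows an auditor can review: who, status, why."""
    return [(u.name, *assess(u)) for u in users]

def open_gaps(users):
    return [r for r in evidence_rows(users) if r[1] == "gap"]

# Constructed inventory for a dry run of the readiness check.
SAMPLE_USERS = [
    User("det.alvarez", {"rms", "email"}, {"fido2_hardware_key"}, {"fido2_hardware_key"}),
    User("ofc.chen", {"cad"}, {"password", "totp"}, {"password", "totp"}),
    User("dispatch.kim", {"cad"}, {"fido2_hardware_key", "password", "sms_otp"}, {"password", "sms_otp"}),
    User("records.ng", {"ncic_gateway"}, {"password", "push"}, {"password", "push"}, "EXC-0042 vendor bridge, expires in 30d"),
    User("hr.smith", {"email"}, {"password", "totp"}, {"password", "totp"}),
]

if __name__ == "__main__":
    for row in evidence_rows(SAMPLE_USERS):
        print("%-14s %-12s %s" % row)
```

Run against a real export, the "gap" rows are the list to close before a review, and the "exception" rows are the ones whose expiry dates need checking.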
