Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

CJIS compliance and phishing-resistant MFA for police data


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: A midsized police department cut a state CJIS audit from about a week to roughly five hours after moving to phishing-resistant, passwordless MFA with hardware authenticators, according to RSA Security. The case shows that strong authentication can materially reduce compliance overhead while improving protection for sensitive criminal justice information.

NHIMG editorial — based on content published by RSA Security: Protecting Sensitive Police Department Data with Phishing-Resistant Multi-Factor Authentication

Questions worth separating out

Q: How should agencies apply phishing-resistant MFA to regulated data access?

A: Agencies should require phishing-resistant MFA for users who access regulated or sensitive records, especially where compliance audits are frequent.

Q: Why does strong authentication matter for audit readiness?

A: Strong authentication matters because auditors need evidence that access to sensitive data is controlled in a way that is both enforceable and provable.

Q: What breaks when access controls still depend on passwords for sensitive records?

A: Password-based access breaks down because phished or reused credentials can be used to bypass policy intent, even when MFA exists in name only.

Practitioner guidance

  • Replace phishable factors for regulated users Move personnel who access CJI or similarly sensitive records to phishing-resistant authentication, prioritising roles that are most visible to auditors and most likely to be targeted for credential theft.
  • Document authentication evidence for audits Maintain clear records showing which users are on hardware-backed or passwordless methods, how those methods are enforced, and which systems require them for access to sensitive records.
  • Test audit readiness under short notice Run a surprise readiness exercise that checks whether identity evidence, enforcement settings, and exception handling can be produced quickly enough for a CJIS-style review.

What's in the full article

RSA Security's full article covers the operational detail this post intentionally leaves for the source:

  • The specific deployment path from traditional MFA to FIDO2 passkeys and hardware authenticators.
  • The audit context around CJIS review timing, staffing impact, and the follow-on federal check.
  • The product and hardware details behind the iShield Key 2 Series and its certification posture.
  • The law-enforcement use case showing how identity controls affected both security and compliance operations.

👉 Read RSA Security's case study on phishing-resistant MFA for CJIS compliance →

CJIS compliance and phishing-resistant MFA for police data?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Phishing-resistant MFA is now an audit control, not just a login control. In regulated law-enforcement environments, authentication strength directly affects how quickly a team can satisfy compliance review. When a department can demonstrate hardware-backed, passwordless access, auditors spend less time challenging the identity layer and more time validating governance evidence. The practitioner conclusion is straightforward: treat strong authentication as part of audit readiness architecture, not as a user-facing convenience project.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who is accountable when a public agency fails a CJIS identity review?

A: Accountability sits with the agency's identity, security, and compliance owners together, because authentication policy, enforcement, and audit evidence are shared responsibilities. Frameworks such as the NIST Cybersecurity Framework 2.0 help structure that accountability across protect and detect functions. The practical test is whether the agency can demonstrate control, not just claim it.

👉 Read our full editorial: Phishing-resistant MFA for CJIS data reduces audit burden



   
ReplyQuote
Share: