CJIS MFA changes: what identity teams need to do now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: CJIS now requires systems handling criminal justice information to use multifactor authentication and points practitioners toward phishing-resistant MFA, including cryptographic devices, certificates, and FIDO-based approaches, according to Axiad. The real change is governance, because access to CJIS data now depends on assurance strength, revocation capability, and deployment choices that identity teams must validate.

NHIMG editorial — based on content published by Axiad: New CJIS security policy changes the game for MFA for criminal justice organizations

By the numbers:

Questions worth separating out

Q: How should organisations implement phishing-resistant MFA for regulated access?

A: Start by mapping each protected system to the identity type that uses it, then choose a phishing-resistant method that fits that subject.

Q: Why is conventional MFA often insufficient for criminal justice environments?

A: Conventional MFA can still be vulnerable to phishing, push fatigue, or replayable credential theft.

Q: What do security teams get wrong about phishing-resistant authentication?

A: They often treat it as a product category instead of a lifecycle and governance model.

Practitioner guidance

  • Inventory every CJIS-connected authentication path: Map employee, contractor, vendor, and machine access paths to the exact authenticator type in use, then flag any path that still depends on replayable or non-phishing-resistant factors.
  • Validate authenticator revocation and suspension workflows: Test whether administrators can suspend or revoke authenticators quickly enough to remove access when credentials, devices, or trust relationships change.
  • Separate human and machine authentication design: Use passkeys where they fit human login flows and certificate-based authentication where PKI-backed machine or application trust is required.

What's in the full article

Axiad's full blog covers the operational detail this post intentionally leaves for the source:

  • How Axiad maps CJIS policy language to phishing-resistant MFA implementation choices across existing identity stacks.
  • The practical differences between X.509 certificates, PKI-backed workflows, and FIDO passkeys for regulated access.
  • Why the article argues that organisations can enhance existing authentication systems without a rip-and-replace migration.
  • The product-specific details behind Axiad Cloud support for managing FIDO2 credentials in Microsoft Entra ID.

👉 Read Axiad's analysis of CJIS phishing-resistant MFA requirements →


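The three practitioner steps above (inventory each authentication path, check revocation timing, and keep human and machine methods separate) can be turned into a repeatable review. The script below is an added example and is not code from the NHIMG post or from Axiad; the authenticator classification, the preferred-method policy per subject type, the 60-minute revocation target, and every row of the sample inventory are constructed assumptions, not CJIS figures.

```python
"""Added example: review a constructed inventory of CJIS-connected
authentication paths and flag those that still depend on replayable or
non-phishing-resistant factors, use a method that does not fit the subject
type, or fail a revocation-time target.  All classifications, policy values
and inventory rows are assumptions for illustration, not CJIS requirements."""

from dataclasses import dataclass
from typing import Optional

# Constructed classification. FIDO2/passkeys and certificate-based (PKI/PIV)
# authenticators are treated as phishing-resistant; OTP, SMS, push approvals,
# passwords and static keys are treated as replayable.
PHISHING_RESISTANT = {"fido2_passkey", "x509_certificate", "piv_smartcard"}
REPLAYABLE = {"password", "sms_otp", "totp", "push_approval", "static_api_key"}

# Constructed policy: passkeys for people, certificates for machine trust.
PREFERRED_BY_SUBJECT = {
    "human": {"fido2_passkey", "piv_smartcard", "x509_certificate"},
    "machine": {"x509_certificate"},
}

REVOCATION_TARGET_MINUTES = 60  # assumed internal target, not a CJIS number


@dataclass(frozen=True)
class AuthPath:
    system: str
    subject: str                 # who authenticates, e.g. "alice", "batch-job-7"
    subject_type: str            # "human" or "machine"
    factors: tuple               # authenticator types presented on this path
    revocation_minutes: Optional[int] = None  # measured time to cut off access


def review_path(path: AuthPath) -> list:
    """Return the findings for one authentication path (empty list = clean)."""
    findings = []
    factors = set(path.factors)
    resistant = factors & PHISHING_RESISTANT
    if len(factors) < 2 and not resistant:
        findings.append("single factor only")
    if not resistant:
        findings.append("no phishing-resistant factor")
        replayable = sorted(factors & REPLAYABLE)
        if replayable:
            findings.append("depends on replayable factors: " + ", ".join(replayable))
    elif not (resistant & PREFERRED_BY_SUBJECT.get(path.subject_type, set())):
        findings.append(
            f"authenticator not in preferred set for {path.subject_type} subjects")
    if path.revocation_minutes is None:
        findings.append("revocation not tested")
    elif path.revocation_minutes > REVOCATION_TARGET_MINUTES:
        findings.append(
            f"revocation took {path.revocation_minutes} min, "
            f"exceeds {REVOCATION_TARGET_MINUTES} min target")
    return findings


def review_inventory(paths) -> dict:
    """Map 'system/subject' to its findings for every path needing attention."""
    report = {}
    for p in paths:
        findings = review_path(p)
        if findings:
            report[f"{p.system}/{p.subject}"] = findings
    return report


# Constructed sample inventory: hypothetical systems, people and service accounts.
SAMPLE_INVENTORY = [
    AuthPath("cad-portal", "alice", "human", ("password", "totp"), 20),
    AuthPath("ncic-gateway", "bob", "human", ("fido2_passkey",), 30),
    AuthPath("records-api", "batch-job-7", "machine", ("static_api_key",), None),
    AuthPath("records-api", "svc-ingest", "machine", ("fido2_passkey",), 120),
    AuthPath("vendor-vpn", "carol", "human", ("password", "x509_certificate"), 45),
]

if __name__ == "__main__":
    for key, findings in review_inventory(SAMPLE_INVENTORY).items():
        print(key)
        for finding in findings:
            print("  -", finding)
```

Paths that pair a password with a certificate or passkey pass the phishing-resistance check because the verifier-bound factor is what defeats credential replay; the password alone would not. The revocation check only reports what was measured, so an untested path is itself a finding, which matches the guidance to test suspension workflows rather than assume them.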
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Phishing-resistant MFA is no longer a human login preference, it is a governance boundary for regulated access. CJIS turns the authentication decision into an assurance decision, which means identity teams must prove that the factor set resists phishing, not simply that multiple factors exist. That changes how access risk is assessed across employees, contractors, and support channels. The practitioner implication is that MFA policy must be tested against attack resistance, not documented intent.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when CJIS authentication controls fail?

A: Accountability sits with the organisation that controls the identity lifecycle and the technical owner who implements the authenticators. In regulated environments, auditors will expect evidence that the chosen MFA method meets policy, that revocation works, and that the organisation can prove those controls operate as designed.

👉 Read our full editorial: CJIS phishing-resistant MFA raises the bar for identity access
