CJIS is forcing a shift from MFA compliance to authenticator governance. The article is not really about adding another login factor. It is about whether an organisation can prove that the factor is resistant to phishing, that it can be revoked, and that it can be managed across the people and non-human actors that touch CJIS data. Practitioners should read this as a governance requirement, not as an authentication feature request.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
A question worth separating out:
Q: Who is accountable when CJIS authentication requirements are not met?
A: Accountability usually sits with the organisation that operates the system and with the teams that own identity, access, and audit evidence. In practice, that means security leaders, IAM teams, and auditors all need a shared view of which authenticator types are allowed and how suspension is enforced.
👉 Read our full editorial: CJIS phishing-resistant MFA raises the bar for identity assurance