
CJIS MFA changes: what law enforcement IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: CJIS now requires multifactor authentication for systems that store or provide access to criminal justice information by October 1, 2024, and points implementers toward phishing-resistant methods grounded in NIST SP 800-63B, according to Axiad. The practical shift is that identity assurance, revocation, and authenticator binding now matter as much as access itself.

NHIMG editorial — based on content published by Axiad: New CJIS Security Policy Changes the Game for MFA for Criminal Justice Organizations

By the numbers:

  • The updated CJIS security policy is roughly 50% new, according to the FBI/CJIS Division.
  • CJIS requires multifactor authentication for systems and applications that store and provide access to criminal justice information by October 1, 2024.
  • NIST SP 800-63B defines Authenticator Assurance Level 2, the assurance level CJIS references for phishing-resistant MFA.

Questions worth separating out

Q: How should security teams implement phishing-resistant MFA for CJIS access?

A: Start by identifying every system and user that reaches CJIS data, then replace weak second factors with cryptographic methods such as certificate-based authentication or FIDO passkeys.

Q: Why do ordinary MFA methods fall short for CJIS-connected systems?

A: Ordinary MFA can still be vulnerable to phishing, token replay, and recovery abuse, especially when the second factor is a code or push approval.

Q: What breaks when authenticator revocation is not governed properly?

A: If revoked, lost, or reassigned authenticators can still be used, access persists beyond the point where trust should end.

Practitioner guidance

  • Inventory every CJIS-connected authentication path: map all systems, users, vendors, and contractors that can reach criminal justice information, then identify which paths still rely on non-phishing-resistant MFA.
  • Separate phishing-resistant methods from legacy MFA: classify each authenticator by whether it meets phishing-resistant expectations under NIST SP 800-63B, then phase out OTP-only and push-based methods where CJIS data access is in scope.
  • Govern authenticator binding and revocation as lifecycle events: require explicit issuance, binding, suspension, and replacement workflows for tokens, smart cards, passkeys, and certificates.

What's in the full article

Axiad's full blog covers the operational detail this post intentionally leaves for the source:

  • Specific examples of X.509 certificate-based authentication and how PKI supports strong identity proofing
  • A deeper walkthrough of FIDO2 passkey management inside Microsoft Entra ID and Axiad Cloud
  • The vendor's implementation framing for moving to phishing-resistant MFA without replacing existing identity infrastructure
  • Operational detail on how the platform is positioned to manage people, machines, and applications across existing environments

👉 Read Axiad's analysis of CJIS phishing-resistant MFA requirements →




(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

CJIS is forcing a shift from MFA compliance to authenticator governance. The article is not really about adding another login factor. It is about whether an organisation can prove that the factor is resistant to phishing, can be revoked, and can be managed across people and non-human actors that touch CJIS data. Practitioners should read this as a governance requirement, not an authentication feature request.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.

A question worth separating out:

Q: Who is accountable when CJIS authentication requirements are not met?

A: Accountability usually sits with the organisation that operates the system and with the teams that own identity, access, and audit evidence. In practice, that means security leaders, IAM teams, and auditors all need a shared view of which authenticator types are allowed and how suspension is enforced.

👉 Read our full editorial: CJIS phishing-resistant MFA raises the bar for identity assurance


