TL;DR: CJIS now requires multi-factor authentication for all access to criminal justice information, including on-site, remote, and third-party access, because password-only controls are too fragile for today’s credential-driven attacks, according to IS Decisions. The shift makes authentication logging, auditability, and AD-integrated enforcement central to compliance and operational security.
NHIMG editorial — based on content published by IS Decisions: CJIS MFA compliance guidance for access to criminal justice information
By the numbers:
- As of 2024, strong authentication is a must on all access to sensitive criminal justice data.
Questions worth separating out
Q: How should organisations implement CJIS MFA across mixed access environments?
A: They should enforce multi-factor authentication on every access path that can reach criminal justice information, including workstation logons, VPN, remote desktop, and cloud-hosted services.
Q: Why do contractors and third-party support users complicate CJIS MFA compliance?
A: Because they often access the same systems from different locations, devices, and support workflows, which creates more opportunities for exception handling.
Q: How can security teams tell whether CJIS MFA is working in practice?
A: They should look for uniform enforcement across all access methods, complete logging of authentication attempts, and evidence that access exceptions are rare and approved.
Practitioner guidance
- Map every CJIS access path Inventory workstation logons, VPN, Remote Desktop, RemoteApp, SaaS, and any cloud-hosted systems that touch CJI.
- Extend policy to third-party access Apply the same authentication standard to contractors, system integrators, and managed service providers that support CJI environments.
- Validate audit log completeness Confirm that authentication attempts, successes, failures, and factor challenges are recorded in a format usable for forensics and compliance review.
What's in the full article
IS Decisions' full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance for applying MFA across Windows logons, VPN, Remote Desktop Gateway, and RemoteApp.
- Deployment considerations for on-prem and hybrid Active Directory environments that already run existing identity workflows.
- Audit log and reporting capabilities that support evidence collection for compliance reviews and investigations.
- Implementation detail on reducing user disruption while enforcing stronger authentication for CJI access.
👉 Read IS Decisions' guidance on CJIS MFA compliance and AD-based enforcement →
CJIS MFA compliance: what it means for identity teams?
Explore further
CJIS MFA is a human identity control problem, not just a compliance checkbox. The article makes clear that password-only access is no longer acceptable for criminal justice information because the attack surface now includes on-site logins, remote sessions, and third-party support paths. That means identity governance has to treat every authenticated path as part of the compliance boundary. Practitioners should read this as a requirement to control human access consistently across all access modes.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities; 46% confirmed, 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: Who is accountable when CJIS access is granted without MFA?
A: The organisation holding or supporting access to criminal justice information remains accountable, including third parties operating under its environment. Compliance does not shift responsibility to a vendor or contractor. If access is not protected by MFA, the governance failure sits with the programme owner and the team that allowed the exception.
👉 Read our full editorial: CJIS MFA compliance exposes the limits of password-only access