ADVANCED AUTHENTICATION

Section 5.6.2.1.1 requires a password and section 5.6.2.1.2 requires a pin. CJIS Solution’s 2 Factor Authentication solution requires the user to create their own PIN number at time of token enrollment. For tokens that are programmed prior to shipment, a PIN that meets the strict sequence requirements is generated for the user.
Users can still use a password for local access however a PIN with One Time Passcode will always be required when accessing with our solution.

Section 5.6.2.2.1 of the CJIS Security Policy describes the “something you have” “something you know” requirement. CJIS Solutions 2 Factor Authentication combines both of these requirements. The something you “have” would be your USB or Phone tokens and the something you “know” would be your PIN number issued at enrollment.

The following AA Decision Tree, coupled with figures 9 and 10 in the CJIS Policy, assists decision makers in determining whether or not AA is required.

1. Can request’s physical originating location be determined? If either (a) or (b) below are true the answer to the above question is “yes”. Proceed to question 2. a. The IP address is attributed to a physical structure; or b. The mnemonic is attributed to a specific device assigned to a specific location that is a physical structure.

If neither (a) or (b) above are true then the answer is “no”. Skip to question number 4.

2. Does request originate from within a physically secure location as described in Section 5.9.1?

If either (a) or (b) below are true the answer to the above question is “yes”. Proceed to question 3.

a. The IP address is attributed to a physically secure location; or b. If a mnemonic is used it is attributed to a specific device assigned to a specific physically secure location.

If neither (a) or (b) above are true then the answer is “no”. Decision tree completed. AA required.

3. Are all required technical controls implemented at this location or at the controlling agency?

If either (a) or (b) below are true the answer to the above question is “yes”. Decision tree completed. AA requirement waived.

a. Appropriate technical controls listed in Sections 5.5 and 5.10 are implemented; or b. The controlling agency (i.e. parent agency or agency leveraged as conduit to CJI) extends its wide area network controls down to the requesting agency and the extended controls provide assurance equal or greater to the controls listed in Sections 5.5 and 5.10.

If neither (a) or (b) above are true then the answer is “no”. Decision tree completed. AA required.

4. Does request originate from an agency-controlled user device? If either (a) or (b) below are true the answer to the above question is “yes”. Proceed to question 5.

a. The static IP address or MAC address can be traced to registered device; or b. Certificates are issued to agency managed devices only and certificate exchange is allowed only between authentication server and agency issued devices.

If neither (a) or (b) above are true then the answer is “no”. Decision tree completed. AA required.

5. Is the agency managed user device associated with and located within a criminal justice conveyance?

If any of the (a), (b), or (c) statements below is true the answer to the above question is “yes”. Proceed to Figure 9 Step 3.

a. The static IP address or MAC address is associated with a device associated with a criminal justice conveyance; or b. The certificate presented is associated with a device associated with a criminal justice conveyance; or c. The mnemonic presented is associated with a specific device assigned and that device is attributed to a criminal justice conveyance.

If none of the (a), (b), or (c) statements above are true then the answer is “no”. Skip to question number 7.

6. Is the user device an agency-issued and controlled smartphone or tablet?

If both (a) and (b) below are true, the answer to the above question is “yes.” Proceed to question number 7.

a. The law enforcement agency issued the device to an individual; and b. The device is subject to administrative management control of the issuing agency.

If either (a) or (b) above is false, then the answer is “no.” Decision tree completed. AA required.

7. Does the agency-issued smartphone or tablet have CSO-approved AA compensating controls implemented?

If (a) and (b) below are true, the answer to the above question is “yes.” Decision tree completed. AA requirement is waived.

a. An agency cannot meet a requirement due to legitimate technical or business constraints; and b. The CSO has given written approval permitting AA compensating controls to be implemented in lieu of the required AA control measures.

If either (a) or (b) above is false then the answer is “no.” Decision tree completed. AA required.

Section 5.6.3.1 of the CJIS Security Policy delineates that agencies shall individually secure the device but authenticate the user. Although you’re able to “group” users to a device, the CJIS Solutions 2 Factor Authentication system authenticates each user individually to prevent “shared access”.

Section 5.6.3.2 of the CJIS Security Policy requires that there be strict controls over lost access devices (ie: tokens). CJIS Solutions meets this requirement by using a process that renders any lost/stolen token completely useless in any system. In addition, new users can be reassigned the same physical USB token (without the need to purchase one). The original issue One Time Passcode functionality is completely wiped and reset. This meets the policy’s needs while saving you money.

The Advanced Authentication section of the CJIS Security Policy requires that any solution that is used must be Out of Band. This means that the authentication method cannot be delivered to the same device being secured. By using a USB key, that would make it impossible to violate this section. By using a phone app, the same holds true as it’s not possible to generate and view a key on the same phone you would try to access. Therefore, both methods delivered by CJIS Solutions meet this requirement.