Understanding CJIS MFA requirements

U.S. Criminal Justice Information Services (CJIS) policy mandates multi-factor authentication (MFA). Here's how UserLock supports the CJIS MFA requirement.

Published December 16, 2025
Multi-factor authentication for CJIS

Compromised credentials are the starting point for most cyber attacks today. As attacks get smarter and faster, relying on a username and password to prevent unauthorized access to criminal justice information (CJI) is far too risky. That's why the United States Criminal Justice Information Services (CJIS) multi-factor authentication (MFA) policy has recently been reinforced. As of 2024, strong authentication is a must on all access to sensitive criminal justice data. Any organization accessing the CJIS database, whether directly or via a third party, must implement MFA to achieve compliance.

Let’s look at what the CJIS MFA requirement is, who it applies to, and how UserLock can support compliance for law enforcement agencies and contractors with an on-prem or hybrid Active Directory environment.

What is CJIS?

CJIS is a division within the Federal Bureau of Investigation (FBI). Established in 1992, it's the FBI's largest division. Today, CJIS is responsible for gathering prints from nationwide police agencies and searching them on request for potential matches to criminals and crime evidence.

CJIS also manages initiatives such as the National Crime Information Center (NCIC), the Integrated Automated Fingerprint Identification System (IAFIS), and the National Incident-Based Reporting System (NIBRS).

Who must comply with CJIS?

If your organization handles CJI, you're within scope for compliance with the CJIS Security Policy.

Here are a few examples of organizations that often need to achieve CJIS compliance:

  • Law enforcement agencies

  • The U.S. justice system

  • Criminal justice agencies

  • Any organization or third-party vendor that accesses CJI

This includes not only officers and analysts within the criminal justice system, but also IT staff, system integrators, and potentially managed service providers (MSPs) who support organizations that store or access CJI.

What is the CJIS MFA requirement?

CJIS Security Policy mandates multi-factor authentication to protect access to CJI. The updated requirement applies whether access happens from within a secure facility or remotely (formerly, MFA was required only for remote access).

This includes:

  • Windows logins at the workstation

  • Virtual private networks (VPNs)

  • Remote desktop sessions

  • Access to cloud resources that host or access CJI

The policy defines MFA as requiring at least two of the following:

  1. Something you know (e.g., password)

  2. Something you have (e.g., smart card, token, mobile app)

  3. Something you are (e.g., fingerprint, facial recognition)

With modern cyber attacks getting smarter and faster by the day, CJIS recognizes MFA as an essential security layer to prevent unauthorized access to sensitive CJI.

How to implement MFA for CJIS compliance

Implementing MFA for CJIS compliance means ensuring at least two factors of authentication are in place to verify all access to CJI.

In practice, this looks like ensuring that:

  • MFA is enforced before access to CJI is granted

  • Authentication logs and attempts are tracked and auditable

  • The MFA method doesn’t disrupt workflows for officers and staff

Since many systems that handle CJI are built around Active Directory (AD), selecting an MFA solution that integrates well with AD can speed deployment, minimize management overhead, and lower complexity.

How UserLock can help

UserLock supports CJIS MFA with flexible policies applied on the on-premises AD identity.

With UserLock, agencies can enforce MFA for Windows logins, remote access (Remote Desktop Gateway, RDP, RemoteApp), VPN, SaaS, and more, all without the need to replace existing identity infrastructure or introduce cloud dependencies.

Strong security goes beyond compliance

While a primary driver for MFA adoption in law enforcement is compliance with the CJIS Security Policy, the security benefits speak for themselves.

With UserLock, agencies can better:

  • Lower the risk of credential-based attacks

  • Stop unauthorized or unwanted access

  • Perform IT forensics and review audit logs

  • Show due diligence in data protection

UserLock also supports secure remote access in offline or off-LAN scenarios, which is increasingly important for administrative staff, investigators, and third-party IT partners.

Simplify MFA for CJIS

CJIS compliance isn’t optional for agencies within scope, and MFA is a cornerstone requirement.

Agencies that store or access criminal justice information must implement MFA for all access points or risk losing access to vital systems, or worse, facing data breach consequences.

UserLock helps meet CJIS MFA requirements at the highest levels, all within existing on-prem or hybrid Active Directory environments.

With UserLock, you also have access to detailed audit logs and custom reports, so you're always audit-ready.

François Amigorena

President and CEO, IS Decisions

François Amigorena is the founder and CEO at IS Decisions, a global software company specializing in access management and MFA for Microsoft Windows and Active Directory. He is a frequently published author on topics like Zero Trust architecture, insider threats, password policies, and user security awareness.