Understanding CJIS Identification and Authentication
In the previous blog on access control, we discussed the various steps that an agency should take
in order to restrict unauthorized access to confidential Criminal Justice Information (CJI). In this
blog we will look at a few other nuances associated with CJIS Identification and Authentication.
It is very important for an agency to identify the users of its information systems, as well as the
processes that act on behalf of users, and to authenticate them before allowing access to the
agency's information systems or services.
Identification Policy and Procedures
Each user who is authorized to use, access, store, process or transmit CJI data is to be uniquely
identified. System administrators and users responsible for system maintenance also need to be
identified. The unique identifier can be a username, serial number, badge number or a unique
alphanumeric identifier. Additionally, the agencies should identify themselves uniquely before a
user is allowed to access or perform duties on a system. It is the responsibility of the agency to
ensure that the user IDs belong to authorized users; the list needs to be updated regularly to
include the names of new users and delete the names of former users.
Use of Originating Agency Identifiers in Transactions and Information Exchanges
To identify the sending agency and to ensure that a proper level of access is attributed to every
transaction, agencies shall use an originating agency identifier (ORI) that has been authorized by
the FBI. The original identifier between the State Identification Bureau (SIB)/CJIS Systems
Agency (CSA)/Channeler and a requesting agency should be the ORI, and other identifiers such
as an access device mnemonic, personal identifier, user identification or IP address.
Agencies acting as a servicing agency perform transactions on behalf of authorized agencies
based on the queries of the requesting agency. An agency performing inquiry transactions may
use the requesting agency's ORI when acting on behalf of that agency. In other cases, the agency
can use its own ORI to perform inquiry transactions on behalf of another requesting agency only
if there are procedures and means in place to provide a proper audit trail for the specified
retention period. In such cases, where the agency performing the transaction is not necessarily
the same agency requesting the transaction, the SIB/Channeler/CSA must ensure that the ORI for
all transactions can be traced through an audit trail to the agency that requested them.
Authentication Policy and Procedures
There should be robust processes and mechanisms to verify users once they are uniquely
identified by the agency. The SIB/CSA shall develop an authentication strategy which
decentralizes the daily administration and establishment of security measures for accessing
Criminal Justice Information (CJI). The identity of each user needs to be validated at the CSA,
local agency, Channeler or SIB level. This authentication strategy needs to be a part of the
agency's policy and audit compliance. The FBI CJIS Division shall identify as well as
authenticate all users who directly establish web-based interactive sessions with FBI CJIS
services. Furthermore, the FBI CJIS Division limits its authentication to the ORI of all
message-based sessions between itself and its customer agencies and does not authenticate
individual users, as that is already done at the SIB, CSA, Channeler or local agency level.
Standard Authenticators
Standard authenticators include biometrics, tokens, personal identification numbers (PIN) and
passwords. Users are not allowed to use the same PIN or password in the same logon sequence.
The attributes of a secure password used to authenticate the user are listed below:
1. Passwords shall not be the same as the user ID
2. Shall be a minimum length of eight (8) characters
3. Shall have an expiry period of 90 days
4. Shall not be a proper name or a dictionary word
5. Shall not be displayed during the time of entry or after entry
6. Shall not be transmitted outside the secure location
7. Shall not be identical to the previous ten (10) passwords
Personal Identification Number (PIN)
In cases where the agency uses a PIN as the standard mode of authentication, all the attributes
that apply to standard authenticators need to be followed. If the agency uses a PIN in
conjunction with a token or a certificate, then the following guidelines need to be followed:
1. The PIN should be a minimum of six (6) digits
2. Should not have sequential patterns (e.g. 345678)
3. Should not have repeating digits (e.g. 2233344)
4. Should have an expiry period of one year
5. Should not be the same as the user ID
6. Shall not be transmitted outside the secure location
7. Shall not be displayed during the time of entry or after entry
8. Should not be identical to the three (3) previous PINs
However, there is an exception when the PIN is used for local device authentication. In this
case, the only requirement to be fulfilled is that the PIN must have six (6) digits.
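The password attributes and the PIN guidelines above can both be enforced by the same validator, so here is one added example covering both lists (it is not code from the original post or from DoubleHorn). The assumptions are labelled in the code: a "sequential pattern" is taken to mean any run of three or more ascending or descending consecutive digits, "repeating digits" means any digit immediately repeated, the dictionary/proper-name list is a small constructed stand-in, and history is kept as salted PBKDF2 digests so old secrets are never stored in clear text. The "not displayed" and "not transmitted outside the secure location" rules are properties of the client and the transport, so the validator does not model them.

```python
"""Authenticator checks modelled on the CJIS password and PIN attributes.

Added example (not from the original post or from DoubleHorn). Assumptions:
a "sequential pattern" is any run of three or more ascending or descending
consecutive digits, "repeating digits" means any digit immediately repeated,
and DICTIONARY is a small constructed stand-in for a real word list.
"""
import hashlib
import os
from datetime import datetime, timedelta

PASSWORD_MAX_AGE = timedelta(days=90)   # password rule 3: 90-day expiry
PASSWORD_HISTORY = 10                   # password rule 7: previous ten passwords
PIN_MAX_AGE = timedelta(days=365)       # PIN rule 4: one-year expiry
PIN_HISTORY = 3                         # PIN rule 8: previous three PINs

# Constructed stand-in for a real dictionary and proper-name list.
DICTIONARY = {"password", "welcome", "austin", "texas", "summer"}


def hash_secret(secret, salt=None):
    """Salted PBKDF2 digest so history can be compared without keeping clear text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
    return salt, digest


def matches_history(secret, history):
    """True if secret equals any (salt, digest) entry kept in history."""
    return any(hash_secret(secret, salt)[1] == digest for salt, digest in history)


def check_password(candidate, user_id, history):
    """Rules a new password must satisfy; returns the list of violated rules."""
    problems = []
    if candidate.lower() == user_id.lower():
        problems.append("same as user ID")
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if candidate.lower() in DICTIONARY:
        problems.append("dictionary word or proper name")
    if matches_history(candidate, history[-PASSWORD_HISTORY:]):
        problems.append("identical to one of the previous 10 passwords")
    return problems


def has_sequential_run(pin, run=3):
    """Ascending or descending run of `run` consecutive digits, e.g. 345678 (threshold is an assumption)."""
    digits = [int(c) for c in pin]
    for i in range(len(digits) - run + 1):
        window = digits[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeating_digits(pin):
    """Any digit immediately repeated, e.g. 2233344."""
    return any(a == b for a, b in zip(pin, pin[1:]))


def check_pin(candidate, user_id, history, local_device_only=False):
    """PIN rules when used with a token or certificate; for local device
    authentication only the six-digit rule applies."""
    if not candidate.isdigit():
        return ["must contain digits only"]
    problems = []
    if len(candidate) < 6:
        problems.append("fewer than 6 digits")
    if local_device_only:
        return problems
    if has_sequential_run(candidate):
        problems.append("sequential pattern")
    if has_repeating_digits(candidate):
        problems.append("repeating digits")
    if candidate == user_id:
        problems.append("same as user ID")
    if matches_history(candidate, history[-PIN_HISTORY:]):
        problems.append("identical to one of the previous 3 PINs")
    return problems


def authenticator_expired(last_changed, now, max_age):
    """Expiry check applied at logon to the authenticator currently in use."""
    return now - last_changed > max_age


if __name__ == "__main__":
    history = [hash_secret("OldPass#2019")]          # constructed prior password
    print(check_password("Welcome", "jsmith", history))   # too short and a dictionary word
    print(check_pin("345678", "jsmith", []))              # sequential pattern
    print(authenticator_expired(datetime(2024, 1, 1), datetime(2024, 4, 1), PASSWORD_MAX_AGE))
```

The history check recomputes the PBKDF2 digest with each stored salt rather than comparing plaintext, which is the only way to honour the "previous ten passwords" rule without retaining the old passwords themselves.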
Advanced Authentication
Depending on the need, additional security may be enforced; advanced authentication provides
such added security on top of conventional user identification and authentication using a login
ID and password. These additional security measures can be biometric systems, smart cards,
hardware tokens, user-based public key infrastructure (PKI) or "risk-based authentication", which
covers various advanced processes for authenticating a user.
Advanced Authentication Policy and Rationale
Whether or not Advanced Authentication (AA) is required depends on several factors, such as the
technical, personnel and physical security controls associated with the user's location and
whether CJI is accessed directly or indirectly. AA need not be required for users that request
access to CJI data from within the perimeter of a physically secure location that meets the
technical security controls. Furthermore, it need not be enforced if the user cannot conduct
transactional activities on the state and national repositories, services or applications (indirect
access). If these technical security standards are not met, AA should be enforced even if the
request for CJI originates within the physically secure location. The original intent of AA is to
meet the standard of two-factor authentication. Two-factor authentication uses two of three
options to authenticate a user: something you know (password), something you have (hardware
token) and something you are (biometric).
CSO-approved compensating controls to meet the AA requirement on agency-issued appliances
such as smartphones, iPads and tablets are permitted. Compensating controls are temporary
controls implemented in place of AA control measures when the agency is unable to meet the
requirement due to business constraints or legitimate technical reasons. These compensating
controls shall:
1. Provide the same level of security or protection as the original AA requirement
2. Meet the intent of the CJIS Security Policy AA requirement
3. Not depend on existing requirements for AA as compensating controls
There is an elaborate process that helps the decision makers in deciding whether or not AA is
required. An advanced authentication decision tree aids the decision makers in making informed
decisions about enforcing AA when users access CJI.
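The decision tree described above reduces to a handful of questions about the request: is the access direct or indirect, does it originate inside the physically secure perimeter, are the technical security controls met, and is a CSO-approved compensating control in place on an agency-issued device. The following added example (not from the original post or from DoubleHorn) encodes those branches so the outcome for any request is reproducible and can be logged; the request fields and their names are assumptions about what an agency would record.

```python
"""Advanced Authentication (AA) decision helper modelled on the AA rationale.

Added example (not from the original post or from DoubleHorn). The fields of
AccessRequest and their names are assumptions; the compensating-control branch
only records that a CSO-approved control stands in for AA on an agency-issued
device, it does not evaluate the control itself.
"""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user_id: str
    physically_secure_location: bool       # request originates inside the secure perimeter
    technical_controls_met: bool           # that location meets the technical security controls
    direct_access: bool                    # user can run transactions on state/national repositories
    cso_approved_compensating_control: bool = False  # agency-issued device under a CSO-approved control


def aa_decision(req):
    """Return (aa_required, reason) following the branches in the text, top to bottom."""
    # Indirect access: the user cannot conduct transactional activity, so AA is not enforced.
    if not req.direct_access:
        return False, "indirect access: user cannot conduct transactional activity"
    # Direct access from inside a physically secure location that meets the technical controls.
    if req.physically_secure_location and req.technical_controls_met:
        return False, "direct access from a physically secure location meeting technical controls"
    # AA is required from here on; a CSO-approved compensating control may satisfy it.
    if req.cso_approved_compensating_control:
        return True, "AA required; met by CSO-approved compensating control on agency-issued device"
    if req.physically_secure_location:
        return True, "AA required: technical security standards not met, even inside the secure location"
    return True, "AA required: access from outside the physically secure location"


def decide_all(requests):
    """Evaluate a batch of requests; returns {user_id: (aa_required, reason)} for the audit log."""
    return {req.user_id: aa_decision(req) for req in requests}


if __name__ == "__main__":
    # Constructed scenarios, one per branch of the rationale.
    scenarios = [
        AccessRequest("dispatcher", True, True, True),
        AccessRequest("records-clerk", True, True, False),
        AccessRequest("patrol-tablet", False, False, True, cso_approved_compensating_control=True),
        AccessRequest("remote-detective", False, False, True),
        AccessRequest("legacy-terminal", True, False, True),
    ]
    for user, (required, reason) in decide_all(scenarios).items():
        print(f"{user:18} AA required={required}  {reason}")
```

Keeping the reason string alongside the boolean matters for audit compliance: the agency can show not just that AA was or was not enforced, but which branch of its documented rationale produced that outcome.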
Identifier and Authenticator Management
The agencies should establish authenticator and identifier management processes.
Identifier Management
In order to facilitate proper management of user identifiers, agencies should:
1. Identify every user uniquely
2. Verify their identification
3. Receive authorization to issue a user identifier from a competent agency official
4. Issue the user identifier to the intended party
5. Disable a user identifier after a predetermined period of inactivity
6. Archive old user identifiers
Authenticator Management
For the management of information system authenticators, agencies should:
1. Define the initial authenticator content
2. Establish administrative procedures for distributing initial authenticators, for handling
compromised, lost or damaged authenticators, and for revoking authenticators
3. Change default authenticators after installation of IT systems
4. Refresh or change authenticators periodically
Assertions
Identity providers can also be used to identify individuals and assert their identity to a trusted
broker or a service; the broker in turn asserts the identity to the service. The assertion
mechanisms used to communicate the results of a remote authentication to other parties shall be:
1. Digitally signed by a trusted entity (i.e. the service provider)
2. Obtained directly from a trusted entity using a protocol in which the trusted entity
authenticates to the relying party using a secure protocol that authenticates the user
cryptographically and hence protects the assertion.
It is to be noted that assertions generated by a verifier expire 12 hours after generation and
are not accepted by the relying party thereafter.
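On the relying-party side, accepting an assertion means checking two things from the text: that it was signed by the trusted entity and that it is less than 12 hours old. The added example below (not from the original post or from DoubleHorn) shows both checks. To stay standard-library only it uses an HMAC-SHA256 tag over a key shared with the trusted entity as a stand-in for the digital signature the text describes; that substitution, the assertion field names and the timestamps are all assumptions.

```python
"""Relying-party acceptance of an identity assertion: trusted-entity signature
plus the 12-hour lifetime.

Added example (not from the original post or from DoubleHorn). HMAC-SHA256 over
a key shared with the trusted entity stands in for the digital signature the
text describes (assumption, made to keep the example standard-library only);
field names and sample values are constructed. Timestamps are assumed to be
timezone-aware ISO 8601 strings.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

ASSERTION_LIFETIME = timedelta(hours=12)
TRUSTED_KEY = b"constructed-shared-key-for-example-only"   # constructed, not a real secret


def canonical(payload):
    """Stable byte encoding so signer and verifier hash exactly the same thing."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_assertion(payload, key):
    """Trusted entity side: attach the tag over the canonical payload."""
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": tag}


def verify_assertion(assertion, key, now):
    """Relying party side: returns (accepted, reason)."""
    payload = assertion["payload"]
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    # Constant-time comparison; check the signature before trusting any field.
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature does not verify against the trusted entity's key"
    issued = datetime.fromisoformat(payload["issued_at"])
    if now < issued:
        return False, "issued_at is in the future"
    if now - issued > ASSERTION_LIFETIME:
        return False, "assertion older than 12 hours is not accepted"
    return True, "accepted"


def make_sample_assertion():
    """Constructed assertion as a verifier might emit it after authenticating a user."""
    payload = {
        "subject": "jsmith",
        "verifier": "SIB-verifier",              # constructed name
        "authentication": "PIN+hardware-token",
        "issued_at": "2024-05-01T08:00:00+00:00",
    }
    return sign_assertion(payload, TRUSTED_KEY)


if __name__ == "__main__":
    assertion = make_sample_assertion()
    within = datetime(2024, 5, 1, 19, 59, tzinfo=timezone.utc)
    after = datetime(2024, 5, 1, 20, 1, tzinfo=timezone.utc)
    print(verify_assertion(assertion, TRUSTED_KEY, within))   # (True, 'accepted')
    print(verify_assertion(assertion, TRUSTED_KEY, after))    # (False, 'assertion older than 12 hours ...')
```

The order of the checks is deliberate: the signature is verified before the `issued_at` field is read, so an attacker cannot influence the expiry decision with an unsigned timestamp, and `compare_digest` avoids leaking the tag through timing.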
That is a comprehensive look at CJIS Identification and Authentication. In the next blog we will
discuss the policy area Configuration Management.
DoubleHorn is a leading Cloud Solutions Provider founded in January 2005 and based in Austin,
Texas. Our offerings combine products from the leading Cloud providers and are carefully
designed to meet the emerging technology requirements of Government agencies and
Enterprises. As a Cloud Services Broker, we advise in selecting the right solution, implement,
maintain and offer a single source for billing and support of multiple Cloud products. If you are
new to the cloud and not sure how to get started, contact us for a complimentary initial
assessment at solutions@doublehorn.com or (855) 618-6423.