Cost-Effective Compliance

Full CJIS compliance to be enforced by 2013

The FBI established the Criminal Justice Information Services (CJIS) division in 1992, and it is now the bureau’s largest division. CJIS provides state, local and federal law enforcement and criminal justice agencies with access to all sorts of centralized information for investigations. Secure records of fingerprint identification, criminal histories and sex offender registrations are just some of the records stored at CJIS. Because this data is so critical for law enforcement, there are mandated enhanced security measures that tightly control access.

As of September 2010, these measures require any organization needing access to CJIS data to have unique IDs and strong passwords in place. Additionally, these organizations must be in full compliance with the rest of CJIS Advanced Authentication requirements by 2013.

There aren’t any shortcuts, but there are fast and cost-effective ways to achieve full CJIS compliance through advanced authentication strategies.

Simply put, advanced authentication means that organizations need security technology that’s more than a simple username and password. Any two-factor authentication solution will do, whether it’s a smartcard, biometrics, a USB token, a soft token or a cellphone-based authentication method. When law enforcement accesses information from a police vehicle or when an agency employee is connecting remotely through a virtual private network, they need a “what-you-have and what-you-know” way to securely connect to the system remotely. Without CJIS compliance, law enforcement agencies could lose access to CJIS systems, thereby losing an effective crime-fighting tool.

For the public sector, protecting access to sensitive data is imperative and also a requirement under the CJIS Advanced Authentication compliance. Two-factor authentication is a key element in a layered approach commonly deployed to mitigate risk and protect against fraud.


Knowledge-based authentication (KBA) comes in two varieties— lexical or graphical knowledge. Lexical knowledge employs passwords, PINs or answers to a challenge question; graphical knowledge uses a picture or pattern recognition for access. These solutions are very cost-efficient but are also low-assurance, weaker methods of authentication.

With KBA, the responsibility is on public employees to maintain strong passwords, remember answers to questions they made up weeks or months before or recognize patterns in what could be critical situations. Oftentimes, employees write down their password on a note and keep it under their keyboard. This defeats the purpose of this type of security. Frequent calls to the help desk regarding forgotten strong passwords also add to the cost of this “low-cost” solution.


Tokens come in a variety of forms that range from high assurance to medium assurance, and their cost can vary just as dramatically. Tokens provide excellent end-point independence but also can be costly and offer a poor user experience because users have to carry another piece of hardware for system access. High-assurance tokens such as X.509 tokens are available, but they may require a middleware reader. High-assurance tokens can be the right solution if the user base adopts them and if the highest assurance is more important than the cost of provisioning, installation and maintenance.


Biometric two-factor authentication typically includes fingerprints, vein structure, facial recognition or retinal scan. There are even behavioral biometrics that use voice and typing rhythm recognition. True biometric authentication can be high assurance but comes with a price tag to match. Behavioral biometrics are promising but are still in the more experimental phase, and industry analysts warn that they are not yet proven. They offer medium to high assurance but need specialized capture devices to work correctly.

Phone-based Authentication

Phone-based authentication is an emerging technology that is fast becoming a favorite option for banks, enterprises and globally distributed online services. A number of vendors offering phone-based authentication solutions have emerged in the past few years.

These solutions provide medium- to high-assurance authentication and are low-cost options because users are already provisioned with a phone. Instead of carrying a token, users receive onetime PIN codes to their phone via SMS or voice call. Typically, the only cost associated with phone-based authentication is a per-transaction fee or a per-user fee to cover the cost of placing the call.

For those who lose their phone, many of these authentication schemes can centrally manage the device to find it or easily replace their authentication credentials for a new phone.

Choosing the Right Solution

For fast and cost-effective CJIS compliance, organizations need five things:

  • a good authentication solution;
  • risk-appropriate strength;
  • low total cost of ownership;
  • good user experience; and
  • end-point independence. When choosing the type of authentication, remember:
  • All solutions are not created equal. What two-factor authentication solution is the right one for your workforce?
  • Which solution is best used in the field, and what implementation challenges exist?
  • What might change on your network in the next few years, and can your authentication solution scale for security, ease of use and functionality as your company grows?

Balance of Security and Ease of Use

As more employees in your organization interact with CJIS data, the importance of choosing an efficient authentication solution increases. Phone authentication lets users take advantage of a technology that is already part of their everyday life: the cellphone.

With no extra devices to carry, phone authentication is quick and seamless. Consider the effort it takes to install and maintain a token-based solution. Phone authentication can often help organizations keep costs low and security compliance high because it is easy to deploy and maintain.

This article originally appeared in the August 2012 issue of Security Today.


  • IoT Saves the Day

    IoT Saves the Day

    Today, creating a safe environment across schools, hotels, office buildings, housing complexes and other facilities has become a necessity. There are so many dangers lurking in buildings of all sizes and shapes from fire hazards, vaping issues, chemical/air quality issues, intruders and so much more. Read Now

  • One Pane, Less Pain

    One Pane, Less Pain

    Just because a solution is built on an open-standards platform doesn’t ensure that all the vendors’ systems will work together as promised. Some features may not be supported, or not supported to their fullest potential. Read Now

  • Revamping Wrigley Field

    Revamping Wrigley Field

    When talking about baseball in the United States, it’s hard not to think of the Chicago Cubs and Wrigley Field. With a history spanning more than 100 years, the Chicago Cubs are one of the most recognized teams in professional sports. Read Now

  • Welcome to Big D

    I’ll admit it, I am partial. There is no better place to have a tradeshow event than Dallas. TEC 2023 caught the vision and brought it premier education and networking event to Big D.< Read Now

    • Industry Events

Featured Cybersecurity


New Products

  • Videoloft Cloud Video Surveillance VSaaS Solution

    Videoloft Cloud Video Surveillance VSaaS Solution

    Videoloft focuses on transforming traditional professional surveillance systems into cloud connected solutions via the Videoloft Cloud Adapter. 3

  • LiftMaster Garage Door Opener

    LiftMaster Garage Door Opener

    LiftMaster Transforms the Garage Door Opener Into a Sleek Smart Home Device That Does More Than Open and Close the Garage Door 3

  • PDK IO Access Control Software

    PDK.IO Access Control Software

    ProdataKey now allows for "custom fields" within the interface of its software. Custom fields increase PDK's solutions' overall functionality by allowing administrators to include a wide range of pertinent data associated with each user. 3