CJIS Two Factor Authentication

CJIS ISO Program Office
http://www.fbi.gov/about-us/cjis

There has been a lot of discussion across the state regarding two-factor authentication and what constitutes compliance, so the staff has invited George White and Ron Buchanan from the CJIS ISO Program Office with the Federal Bureau of Investigation to provide us with a presentation regarding compliance through CJIS.

  • George went through the process that the ISO program office used to devise the process and what would be considered compliance through the FBI.
  • George stated that authentication is the process of verifying a claimed identity, determining if the subject is really who he/she claims to be. It is based on at least one of the following three factors: something a person has (smart card, token, key, swipe card, badge), something a person knows (password, passphrase, PIN), something a person is (fingerprint, voice, retina/iris characteristics). Strong, or two-factor, authentication combines two out of these three methods.
  • George also stated that a single form of authentication (standard authentication = password) is not a very secure means of authentication. Therefore, many organizations have introduced into policy a second means, or form, of authenticating a person’s identity.
  • Additionally, George stated that, for the purpose of the CJIS Security Policy (CSP), the process of requiring more than a single factor of authentication is most often referred to as Advanced Authentication, or AA.
  • George also expressed that the requirement to use AA is dependent upon the physical, personnel and technical security controls associated with the user’s location.
  • George explained that AA shall not be required for users requesting access to CJI from within a physically secure location and when the technical security controls have been met. AA is required when it cannot be determined where a user is originating from, e.g. when utilizing wireless or web.
  • George also made the point that agencies that bought equipment to be in compliance with the previous set of protocols are still good for a few more years, but need to look into the cost of being in compliance with the new set of authentication protocols.
  • CJIS does not endorse any product; however, they will assist an agency that has a potential solution to ensure that the potential solution is in compliance.

Local Law Enforcement Agency Solutions

The City of High Point presented their solution to two-factor authentication to the CJIN Board. Please click here to view that presentation.

The NC State Highway Patrol also presented their solution to two-factor authentication for the CJIN Mobile Data network. Please view that presentation here.

ITS also presented a possible solution from a State level, which was sent to the FBI for approval; that presentation and flowchart are located here. The letter that was submitted to the FBI can be seen here.
