In the previous blog on access control, we discussed the various steps that an agency should take in order to restrict unauthorized access to confidential Criminal Justice Information (CJI). In this blog we will understand few other nuances that are associated with CJIS Identification and Authentication. It is very important for an agency to identify users of information systems and also the processes that act on behalf of users and also needs to authenticate them before allowing access to information system or services of the agency.
Identification Policy and Procedures
Each user who is authorized to use, access, store, process or transmits CJI data is to be uniquely identified. Even system administrators and users responsible for system maintenance also need to be identified. The unique identifier can be a username, serial number, badge number or a unique alphanumeric identifier. Additionally, the agencies should identify themselves uniquely before a user s allowed to access or perform duties on a system. It is the responsibility of the agency to ensure that the user IDs belong to authorized users and the list needs to be updated regularly to include the names of new users and delete the names of former users.
Use of Originating Agency Identifiers in Transactions and Information Exchanges
To identify the sending agency and to ensure that a proper level of access is attributed to every transaction, agencies shall use an originating agency identifier (ORI) that has been authorized by the FBI. The original identifier between the State Identification Bureau (SIB)/CJIS Systems Agency (CSA)/Channeler and a requesting agency should be the ORI and other identifiers such as an access device mnemonic, personal identifier or user identification or the IP address. Agencies shall act as a servicing agency and on behalf of the authorized agencies perform transactions based on the queries of the requesting agency. These agencies performing inquiry transactions may use the requesting agency’s ORI when acting on the behalf of another agency. In other cases, the agency can use its ORI to perform inquiry transactions on behalf of another requesting agency only if there are procedures and means in place to provide a proper audit trail for the specified retention period. In such cases where the agency performing the transaction needn’t necessarily is the same agency requesting the transaction, the SIB/channeler/CSA must ensure that the ORI for all the transactions can be traced through an audit trail, to the agency that has requested the transactions.
Authentication Policy and Procedures
There should be robust processes and mechanisms to verify users once they are uniquely identified by the agency. The SIB/CSA shall develop an authentication strategy which decentralizes the daily administration and establishment of security measures for accessing Criminal Justice Information ( CJI). The identity of each user needs to be validated at either at CSA, local agency, Channeler or SIB level. This authentication strategy needs to be a part of the agency’s policy and audit compliance. The FBI CJIS Division shall identify as well as authenticate all the users who directly establish web-based interactive sessions with FBI CJIS services. Furthermore, FBI CJIS Division would also limit its authentication only of the ORI of all message-based sessions between itself and its customer agencies and not the individual user level authentication as it is already done at the SIB, CSA, Channeler or local agency level.
Standard authenticators include biometrics, tokens, personal identification numbers (PIN) and passwords. Users wouldn’t be allowed to use same PIN or password in the same logon sequence. The attributes of a secure password that is used to authenticate the user include many parameters that are listed below
1. Passwords shall not be same as the user ID
2. Shall be a minimum length of eight (8) characters
3. Shall have an expiry period of 90 days
4. Shall not be proper name or a dictionary word
5. Shall not be displayed during the time of entry or after entry
6. Shall not be transmitted outside the secure location
7. Shall not be identical to the previous ten (10) passwords
Personal Identification Number (PIN)
In the cases where the agency uses PIN as a standard mode for authentication, all the attributes followed for the standard authenticators need to be followed. In case the agency is using PIN in conjunction with a token or a certificate then the following guidelines need to be followed.
1. Pin should be a minimum of six (6) digits
2. Shouldn’t have sequential patterns (eg:345678)
3. Shouldn’t have repeating digits (e.g.: 2233344)
4. Should have an expiry period of one year.
5. Shouldn’t be same as the user ID.
6. Shall not be transmitted outside the secure location
7. Shall not be displayed during the time of entry or after entry
8. Shouldn’t be identical to three (3) previous PINs
However, there is an exception to this when the PIN is being used for local device authentication. In this case, only requirement to be fulfilled is that the PIN needs to have six (6) digits.
Depending on the need additional security may be enforced and advanced authentication provides such added security to the conventional user identification and authentication using login ID and password. These additional security measures can be biometric systems, smart cards, hardware tokens, user-based public key infrastructure (PKI) or “risk based authentication” that includes various advanced processes of authenticating a user.
Advanced Authentication Policy and Rationale
The necessity to use or not to use Advanced Authentication (AA) is dependent on several factors such as technical, personnel, physical and technical security controls that are associated with user location and whether CJI is accessed indirectly or directly. AA needn’t be required for users that request accessing CJI data from within the perimeter of a physically secure location that meets the technical security controls. Furthermore, it need not be enforced if the user cannot conduct transactional activities on the state as well as national repositories, services (indirect access) or applications. In the event of these technical security standards not being met, AA should be enforced even if the request for CJI originates within the physically secure location. The original intent of AA is to meet the standards of two-factor authentication. Two-factor authentication involves use of two of the three options to authenticate a user. These include what do you now (password), something you have (hardware token) and what you are (biometric).
CSO approved compensating controls to meet the AA requirement on the appliances such as such as smartphones, iPads and tablets issued by the agency are permitted. Compensating controls are those temporary controls that are implemented in place of AA control measures when the agency is unable to meet the requirement due to business constraints or legitimate technical reasons. These compensating controls shall:
1. Provide same level of security or protection as the original AA requirement
2. Meet the intention of CJIS security policy AA requirement
3. Shall not depend on existing requirements for AA as compensating controls
There is an elaborate process that helps the decision makers in deciding whether or not AA is required. An advanced authentication decision tree aids the decision makers in making informed decisions about enforcing AA when users access CJI.
Identifier and Authenticator Management
The agencies should establish authenticator and identifier management processes.
In order to facilitate proper management of user identifiers, agencies should
1. Identify every user uniquely
2. Verify their identification
3. Receive authorization to issue a user identifier from a competent agency official
4. Issue the said user identifier to intended parties
5. Disable a specific user identifier after a predetermined period of inactivity
6. Archive the old user identifiers
For the management of information system authenticators, agencies should
1. Define the initial authenticator content
2. Establish administrative procedures to distribute initial authenticators, for compromised/lost or damaged authenticators and for revoking authenticators
3. Be changing default authenticators after installation of IT systems
4. Should refresh/change authenticators periodically
Identity providers also can be used to identify individuals and ascertain their identity to a trusted broker or a service. This broker in turn would assert identity to a service. These assertion mechanisms that would be used to communicate the results of a remote authentication to other parties would be
1. Signed digitally by a trusted entity (i.e. the service provider)
2. Procured directly from a trusted entity using a protocol in which the trusted entity authenticates to the relying party using secure protocol that authenticates the user cryptographically and hence protects the assertion.
It is to be noted that assertions that are generated by a verifier would expire 12 hours post generation and wouldn't be accepted by the relying party thereafter.
That is a comprehensive look at CJIS Identification and Authentication. In the next blog we will discuss the policy area – Configuration Management
DoubleHorn is a leading Cloud Solutions Provider founded in January 2005 and based in Austin, Texas. Our offerings combine products from the leading Cloud providers and are carefully designed to meet the emerging technology requirements of Government agencies and Enterprises. As a Cloud Services Broker, we advise in selecting the right solution, implement, maintain and offer single source for billing and support of multiple Cloud products. If you are new to the cloud and not sure how to get started, contact us for a complimentaryinitial assessment at email@example.com or (855) 618-6423.