CJIS MFA Requirements at a Glance

  • MFA is mandatory and auditable: As of October 1, 2024, multi-factor authentication is a required, sanctionable control for all access to criminal justice information under the CJIS Security Policy.
  • It applies to all access, not just remote: Earlier versions of the policy required advanced authentication mainly for remote access. The current policy requires MFA for both privileged and non-privileged accounts, whether access happens remotely or inside a secure facility.
  • Two of three factor types are required: Compliant MFA must combine at least two different factor types from something you know, something you have, and something you are.
  • It covers everyone who touches CJI: The requirement applies to law enforcement personnel, civilian staff, IT administrators, and third-party contractors and vendors with access to criminal justice information.
  • The policy points to NIST for authentication strength: For guidance on acceptable authentication methods and assurance levels, the CJIS Security Policy references NIST Special Publication 800-63.
  • Non-compliance can cut off database access: Failing an audit can result in losing access to FBI systems such as NCIC, along with potential fines and other sanctions.

What is the CJIS Security Policy?

The Criminal Justice Information Services (CJIS) Security Policy is the FBI’s framework for protecting criminal justice information throughout its lifecycle, from creation and transmission to storage and destruction. It sets the minimum security standards that any agency or organization must meet to access CJIS systems and data.

 

The CJIS Division was established in 1992 and is the largest division of the FBI. It serves as the central hub for criminal justice data and services used by law enforcement, national security, and intelligence partners across the country. The Security Policy itself has been formalized and expanded over the years, with version 5.0 published in 2011 and a series of updates since. The policy draws on Presidential directives, federal law, FBI guidance, and recommendations from the CJIS Advisory Policy Board.

 

Two recent versions matter for compliance planning. Version 5.9.5, released in July 2024, remains the audit standard for many agencies during the current transition period. Version 6.0, released on December 27, 2024, is the most significant update in over a decade. It restructures the policy to align with NIST Special Publication 800-53 at the moderate baseline and introduces a phased compliance timeline, with full compliance required by October 1, 2027. Importantly, the MFA requirement is a Priority 1 control, which means it has been auditable and enforceable since October 1, 2024, regardless of which version an agency is assessed against.

Who Does the CJIS Security Policy Apply To?

The CJIS Security Policy applies to every person and organization that accesses, stores, transmits, or supports criminal justice information. The scope is broad and often surprises organizations that assume it only covers sworn officers. It includes:

  • Law enforcement agencies: Police departments, sheriff’s offices, state police, and federal law enforcement that access criminal justice data during investigations, traffic stops, and daily operations.
  • Courts and prosecution offices: Court systems, district attorneys, and prosecution offices that handle criminal records and case information.
  • Dispatch and emergency services: 911 dispatch centers and public safety answering points that access criminal justice information in real time.
  • Government IT and administrative staff: County and municipal IT departments, records personnel, and administrative staff who manage or support systems containing CJI.
  • Contractors and vendors: Any private company, IT service provider, software vendor, or contractor with access to criminal justice information or to the physical spaces where it is handled. There is no such thing as a “CJIS-certified” vendor; the agency is responsible for ensuring its partners meet the requirements.

A note for Canadian organizations: The CJIS Security Policy is a United States framework governing access to FBI criminal justice data. Canadian organizations generally fall under it only when they provide services or technology to US agencies that access CJI, or when they handle that data under an agreement with a US criminal justice agency. Canadian agencies have their own information-sharing frameworks, but any organization touching FBI CJI is expected to meet CJIS requirements.

What Are the CJIS MFA Requirements?

The authentication requirements live in the Identification and Authentication policy area of the CJIS Security Policy. The current policy requires multi-factor authentication for all access to criminal justice information. The table below maps the key authentication-related requirements to their MFA relevance and how LoginTC supports them.

 

CJIS Requirement Area Requirement MFA Relevance LoginTC Relevance
Identification & Authentication MFA required for all access to CJI, for both privileged and non-privileged accounts Mandatory MFA for Windows logon, VPN, RDP, and applications via RADIUS/LDAP/AD
Privileged Account Access System administrators must authenticate with MFA at the system level Mandatory MFA enforcement for administrative and privileged accounts
Remote Access Remote connections to CJI treated as higher risk, with stricter authentication controls Mandatory MFA for VPN and remote desktop gateway access
Authentication Strength Authenticator selection guided by NIST SP 800-63 assurance levels Method quality Support for phishing-resistant factors including FIDO2 and hardware tokens
Audit & Accountability Authentication and access events must be logged and available for audit Audit evidence Centralized authentication logs for CJIS audit support

What Counts as Multi-factor Authentication

The CJIS Security Policy defines MFA the same way most modern standards do. A compliant solution requires at least two different types of authentication factor from the following three categories:

  • Something you know: A password, PIN, or security code. This is the most common factor but is not sufficient on its own.
  • Something you have: A physical or digital item such as a hardware token, smart card, security key, or mobile authenticator.
  • Something you are: A biometric identifier such as a fingerprint, facial scan, or iris scan.

Using two passwords, or a password plus a security question, does not satisfy the requirement, because both fall into the same category. A compliant setup must draw from two distinct categories, for example a password plus a hardware token.

Privileged and Non-Privileged Accounts

The current policy requires MFA for both privileged and non-privileged accounts. Privileged accounts, such as system administrators, must authenticate with MFA at the system level, and agencies are encouraged to apply additional MFA at the application level based on the account’s level of access and risk. Non-privileged accounts, meaning regular users, are also required to authenticate at the system level using MFA. This is a meaningful change from older versions of the policy, where advanced authentication was focused primarily on remote access.

Alignment with NIST 800-63

The CJIS Security Policy does not mandate one specific MFA product or technology. Instead, it points agencies to NIST Special Publication 800-63, the federal digital identity guidelines, for help selecting appropriate authentication methods and assurance levels. For agencies that want to strengthen their posture, NIST’s Authenticator Assurance Level 2 (AAL2), which corresponds to phishing-resistant MFA, is the benchmark to aim for. This connection makes phishing-resistant methods such as FIDO2 security keys and certificate-based authentication especially relevant for CJIS compliance.

Common CJIS Access Scenarios and Their MFA Challenges

Criminal justice environments include access patterns that do not show up in a typical office setting. A few are worth planning for specifically:

  • Shared workstations: Dispatch desks, booking stations, and other shared terminals are often used by multiple staff across shifts. MFA needs to verify the individual user at each session rather than relying on a single shared login, while still allowing fast handoffs between staff. Per-user authentication tied to individual credentials, rather than a shared account, is the compliant approach.
  • Mobile data terminals in patrol vehicles: Officers in the field access criminal justice information from laptops and mobile data terminals (MDTs) in patrol cars, often in areas with limited connectivity. Authentication factors that work without reliable cellular or internet service, such as hardware tokens or smart cards, fit these conditions better than methods that depend on a live network connection.
  • CAD and RMS systems: Computer-aided dispatch (CAD) and records management systems (RMS) are core to daily operations and hold or provide access to CJI. MFA needs to cover the way staff log into these systems, whether through Windows logon, a thick client, or a web interface, without slowing down time-sensitive work.

Mapping these scenarios early helps avoid a common mistake: deploying MFA on obvious systems like VPNs while leaving shared terminals or field devices on password-only access, which leaves a compliance gap and a real security risk.

Is MFA Required by the CJIS Security Policy?

Yes. As of October 1, 2024, multi-factor authentication is a mandatory and auditable requirement for all access to criminal justice information. It is classified as a Priority 1 control, the highest priority tier, which means it became enforceable and subject to sanctions immediately rather than on the longer timeline that applies to other controls.

 

The requirement is comprehensive. It covers every account that accesses CJI, including regular users, administrators, and third parties. It applies whether the access happens remotely or from inside a physically secure facility. Earlier versions of the policy required advanced authentication mainly for remote connections, so agencies that built their authentication strategy around that older model need to extend MFA to all access points.

 

The policy is also clear that a username and password alone is no longer acceptable. The entire purpose of the requirement is to ensure that a stolen or guessed password cannot, by itself, grant access to criminal justice information. With compromised credentials behind most modern cyberattacks, this control is one of the most important defenses an agency can put in place.

 

For agencies planning ahead, version 6.0 of the policy reinforces and builds on the MFA requirement as part of its broader alignment with NIST 800-53. The bottom line is straightforward: if your agency accesses CJI and any account can reach that data with only a password, you are not compliant.

Consequences of CJIS Non-Compliance

The consequences of failing to meet CJIS requirements are serious and specific to the criminal justice context. Compliance is verified through audits conducted by the FBI and by state-level CJIS Systems Agencies (CSAs), which oversee CJIS access within each state.

 

The most immediate consequence of a failed audit is the potential loss of access to FBI criminal justice databases. For a law enforcement agency, losing access to a system like the National Crime Information Center (NCIC) means officers cannot run criminal history or warrant checks in the field. This is not just an administrative problem; it is a direct public safety risk that affects the agency’s ability to do its job.

 

Beyond loss of access, non-compliance can lead to financial penalties and, in cases involving misuse of criminal justice information, potential criminal charges. Agencies may also face mandatory remediation requirements and increased audit scrutiny going forward. Because the CJIS Security Policy now expects continuous compliance rather than point-in-time checks, agencies are expected to demonstrate that their controls, including MFA, operate effectively over time.

 

There is also a reputational and operational dimension. A breach of criminal justice information can compromise active investigations, expose the personal data of individuals, and erode public trust in the agencies responsible for protecting that information. For vendors, failing to support an agency’s CJIS compliance can mean losing contracts and being passed over for future work, as agencies increasingly scrutinize their technology partners on CJIS readiness before signing.

How to Implement MFA for CJIS Compliance

1. Assess Your Current Authentication Posture

Start by identifying every system, application, and device that stores or provides access to criminal justice information. Document how users currently authenticate to each one, and identify where only a password is in use. Pay attention to both remote access and access from inside secure facilities, since the current policy covers both. This inventory becomes the foundation of your compliance plan.

2. Identify All Users and Account Types

Map out who accesses CJI and through what kind of account. Separate privileged accounts, such as system administrators, from non-privileged user accounts, and include third-party contractors and vendors. Both privileged and non-privileged accounts require MFA, so every category needs to be covered. Vendor and contractor access is a common gap, so account for it explicitly.

3. Select an MFA Solution That Fits Agency Infrastructure

Choose an MFA solution that works with the systems agencies actually run. Many law enforcement environments are built around Active Directory and use a mix of Windows workstations, VPNs, and field applications. Look for a solution that integrates through RADIUS, LDAP, and Active Directory so you can cover these systems without replacing them. Consider whether you need cloud-based, on-premises, or hybrid deployment, and confirm the solution supports the authentication factors that suit your workforce, including options for staff who do not carry personal mobile devices.

4. Prioritize Phishing-Resistant Factors Where Possible

Because the policy points to NIST 800-63 and its AAL2 assurance level, phishing-resistant authentication is the stronger path. Where practical, prioritize methods such as FIDO2 security keys, smart cards, or certificate-based authentication, especially for privileged accounts and high-risk access. These methods defend against the phishing and credential theft attacks that the MFA requirement is designed to stop.

5. Deploy MFA Across All Access Points

Roll out MFA to every system identified in your assessment. This includes Windows logon, VPN and remote access, remote desktop gateways, and the applications used to access criminal justice data. Make sure no access path is left where a password alone is enough. Pay particular attention to administrative and remote access, which carry the highest risk.

6. Enable Logging and Prepare for Audit

CJIS compliance is verified through audits, so your authentication system must produce clear records. Enable logging of authentication events, including successful logins, failed attempts, and account changes, and make sure those logs are retained and easy to retrieve. Good logging both satisfies the audit and accountability expectations of the policy and helps you detect suspicious activity.

 

When it comes to MFA, auditors generally want to see evidence of a few specific things: that MFA is enforced on every system and account that can reach CJI, that it uses at least two distinct factor types, that privileged accounts are covered, that vendor and contractor access is included, and that authentication logs are available to demonstrate the controls are working. Being able to produce a clear inventory of access points and their MFA coverage, along with supporting logs, is what separates a smooth audit from a difficult one.

7. Train Staff and Review Regularly

Make sure everyone who accesses CJI understands how to use MFA and why it matters. Clear training reduces help desk load and improves adoption. Because the policy now expects continuous compliance, schedule regular reviews of your authentication controls, especially when you add systems, change vendors, or onboard new staff, and stay aware of upcoming policy updates such as version 6.0 and its 2027 deadline.

CJIS MFA Best Practices

  • Extend MFA to every account that touches CJI: The policy requires MFA for both privileged and non-privileged accounts. Apply it consistently across all users rather than carving out exceptions, since a single unprotected account can become the entry point for an attack.
  • Favor phishing-resistant authentication: Methods such as FIDO2 security keys and certificate-based authentication align with the NIST AAL2 standard the policy references and offer much stronger protection than SMS-based codes, which can be intercepted.
  • Plan for the field and the front desk: Law enforcement staff work in patrol vehicles, dispatch centers, and other settings where personal phones may not be available or allowed. Offer authentication factors such as hardware tokens or smart cards that do not depend on a personal mobile device.
  • Hold vendors to the same standard: Any contractor or vendor with access to CJI must meet CJIS requirements. Confirm that third-party access uses MFA, that accounts are disabled when no longer needed, and that vendor access is reviewed regularly.
  • Build audit-ready documentation from the start: CJIS audits assess both your controls and your records. Keep clear documentation of your authentication policies, the systems covered, and your authentication logs, so you can demonstrate compliance rather than scramble to assemble evidence before an audit.
  • Prepare for version 6.0 now: With version 6.0 audits underway and full compliance required by October 1, 2027, agencies that align their authentication and broader security controls early will be in a much stronger position than those that wait for an audit notice.

How LoginTC Helps with CJIS MFA Compliance

LoginTC is well suited to the systems that law enforcement agencies and their partners rely on, and offers MFA for government environments specifically. Many of these environments are built around Active Directory and include a mix of Windows workstations, VPNs, remote desktop, and field applications. LoginTC integrates with these systems through RADIUS, LDAP, and Active Directory, so agencies can add MFA across their access points without replacing existing infrastructure.

 

To meet the requirement for MFA on all access to criminal justice information, LoginTC enforces strong authentication for Windows logon, VPN and remote access, remote desktop gateways, and the applications staff use to reach CJI. It supports a range of authentication factors, including hardware tokens, smart cards, and FIDO2 security keys, which matters for officers and staff who cannot rely on a personal mobile device or who need phishing-resistant authentication aligned with the NIST AAL2 standard the policy references.

 

For agencies that need to keep authentication infrastructure within their own environment, LoginTC offers an on-premises deployment option. Detailed authentication logs and centralized administration give compliance teams the records they need to demonstrate MFA coverage during a CJIS audit. For a deeper breakdown of the requirements, LoginTC also maintains a detailed guide to CJIS MFA requirements.

 

View All Connectors | Read the CJIS MFA Requirements Guide

Frequently Asked Questions

Yes. As of October 1, 2024, multi-factor authentication is a mandatory and auditable requirement for all access to criminal justice information. It is a Priority 1 control, meaning it is immediately enforceable and subject to sanctions. The requirement covers privileged and non-privileged accounts and applies to both remote access and access from within secure facilities.

Who does the CJIS Security Policy apply to?

It applies to any person or organization that accesses, stores, transmits, or supports criminal justice information. This includes law enforcement agencies, courts, prosecution offices, dispatch centers, government IT staff, and any contractor or vendor with access to CJI or to the physical spaces where it is handled.

What types of MFA are acceptable under CJIS?

CJIS requires at least two different factor types from three categories: something you know (such as a password or PIN), something you have (such as a hardware token, smart card, or security key), and something you are (such as a fingerprint or facial scan). The policy points to NIST 800-63 for guidance on authentication strength, and phishing-resistant methods that meet the AAL2 standard, such as FIDO2 security keys, are strongly preferred for higher-risk access.

Does CJIS MFA apply to access from inside a secure facility?

Yes. The current policy requires MFA whether access happens remotely or from inside a physically secure location. This is a change from older versions, which focused advanced authentication requirements mainly on remote access. Agencies that previously applied MFA only to remote connections need to extend it to all access to CJI.

Does the CJIS Security Policy apply to Canadian organizations?

The CJIS Security Policy is a United States framework governing access to FBI criminal justice data. Canadian organizations are generally subject to it when they provide technology or services to US agencies that access CJI, or when they handle FBI criminal justice data under an agreement. Any organization that touches this data is expected to meet CJIS requirements regardless of where it is located.

What is the difference between CJIS version 5.9.5 and version 6.0?

Version 5.9.5, released in July 2024, remains the audit standard for many agencies during the current transition period. Version 6.0, released in December 2024, is a major modernization that aligns the policy with NIST SP 800-53 and introduces a phased compliance timeline running to October 1, 2027. The MFA requirement applies under both versions, since it is a Priority 1 control that became enforceable on October 1, 2024.

What happens if an agency fails a CJIS audit?

The most serious consequence is the potential loss of access to FBI criminal justice databases such as NCIC, which directly affects an agency’s ability to run criminal history and warrant checks. Non-compliance can also bring financial penalties, mandatory remediation, increased audit scrutiny, and, in cases involving misuse of data, potential criminal charges.

Get a Free CJIS MFA Strategy Session

Meeting the CJIS MFA requirement across Windows logins, VPNs, remote desktop, and field applications takes planning, especially in agencies that run a mix of older and newer systems and need to support staff who are not always at a desk. Getting the coverage right, and being able to prove it during an audit, is where many agencies want support.

 

Our team helps law enforcement agencies and their technology partners deploy MFA that meets CJIS requirements without disrupting day-to-day operations. If you are preparing for a CJIS audit or extending MFA across your systems, we are ready to help.

 



Start your free trial today. No credit card required.

Sign up and Go