On October 1, 2024, the FBI’s Criminal Justice Information Services (CJIS) mandated multi-factor authentication (MFA) on all systems that can access Criminal Justice Information (CJI) data. That means MFA must be deployed on all devices that can access CJI data regardless of location, including mobile devices, physical workstations, and remote access.
Before October 1, MFA was only required when users accessed CJI from non-secure locations (such as remote access or mobile devices). However, if a user logged in from within a physically secure location (such as inside a police station), MFA was not mandatory as long as all other CJIS security controls were followed.
The FBI, like most cybersecurity experts, has concluded that MFA can no longer be optional when accessing such sensitive information. We’re seeing a major push for MFA across many compliance frameworks because it is the single most effective control against account takeover. MFA blocks a stunning 99.9% of account compromise attacks.
This new CJIS MFA mandate enhances security by ensuring that only authorized personnel can access sensitive law enforcement data through multiple authentication factors. For example, you may commonly experience signing into a bank account with your username and password. Then, a code is sent to your phone that you input as a second factor of authentication. This is the essence of MFA. Just that one extra factor of authentication is powerful enough to prevent most hacking attempts.
Why This CJIS Mandate Matters for Your Municipality
It’s important to address this mandate as soon as possible for a few reasons.
- Compliance and Legal Requirements: Non-compliance with CJIS can lead to audits, penalties, and loss of access to CJI data. It’s also important to protect police records, criminal history reports, and investigative data to avoid legal risks and public embarrassment if a breach were to occur.
- Protection Against Cyberattacks: Law enforcement departments are a huge target for cybercriminals. As stated above, you heavily reduce the risk of an account compromise through MFA.
- Protection Against Insider Threats: Cybercriminals are not the only people tempted by your data. Insider threats can come from malicious or disgruntled employees, or simply from accidents; in either case, shared passwords and single-factor authentication increase the risk of unauthorized access.
- Reducing Incident Response Costs and Recovery Risks: If a breach occurs, it can bring lawsuits, downtime, and expensive investigations, along with rushed, unbudgeted upgrades and security overhauls.
While CJIS requirements apply to any organization that handles, processes, or stores criminal justice information (CJI), the majority of CJIS-applicable organizations will be police departments, sheriff’s offices, and courts. If this fits you and you haven’t implemented MFA yet, then proceeding with this implementation will help get you in compliance with CJIS and significantly improve your cybersecurity posture.
What You Need to Do to Implement MFA
So, how do you go about implementing MFA at your police department or other municipal facility? Here are a few tips:
- Assess: What systems access CJI? Of those systems, which ones do not currently require MFA? Remember, MFA must be deployed on all devices that can access CJI data, regardless of location.
- Implement: Consult with your IT staff or vendor about available MFA options. These range from one-time codes and authenticator apps (like the code sent to your phone in the banking example above) to biometric authentication.
- Train: Just because you implement MFA doesn’t mean others will automatically start using it. Train staff on why you’re implementing it and how it works. This will lessen resistance and encourage adoption.
Be Aware of Other CJIS Mandates
While you’re addressing the MFA mandate, it’s a good time to make sure you’re in compliance with other CJIS mandates.
- Access Control: CJIS requires strict access controls including unique user IDs and secure passwords. (MFA falls under this category.)
- Encryption: Data must be encrypted both in transit and at rest to protect sensitive information.
- Audit Logging: Comprehensive logging of access and activity is mandatory, with regular audits to detect and respond to unauthorized access.
- Incident Response: Agencies must have an incident response plan to address security breaches and other incidents.
- Training: Regular security awareness training is required for all personnel with access to CJI.
Reach out to VC3 today to discuss your CJIS needs. We are happy to talk with your Local Agency Security Officer (LASO) or whoever is responsible for ensuring that you follow CJIS requirements at your municipality.