Ensuring CJIS Compliance: Mandatory MFA and What It Means for Municipal IT Directors

On October 1, 2024, the FBI’s Criminal Justice Information Services (CJIS) began requiring multi-factor authentication (MFA) for all systems accessing Criminal Justice Information (CJI). Previously, MFA was only required for remote or non-secure access, but this policy change eliminates exemptions for users logging in from physically secure locations such as police departments or municipal IT facilities.   

This shift aligns with best practices in cybersecurity, recognizing that compromised credentials remain a top attack vector for threat actors targeting government entities. Research shows that MFA can mitigate 99.9% of account compromise attempts. For municipalities handling sensitive law enforcement data, MFA has become an essential security control.

Why Your Municipality Must Prioritize This Change

You understand the importance of MFA, but other priorities—especially if you’re understaffed—may delay implementation at police departments, courts, or other facilities. However, you must prioritize this implementation for a few key reasons.

1. Mandatory Compliance and Audit Risk

Non-compliance with CJIS requirements can result in audit failures, penalties, and potential loss of access to CJI data. This impact extends beyond local law enforcement to broader government functions that rely on CJI for operations. Ensuring that all applicable systems enforce MFA is now an essential compliance requirement.

2. Increased Cyber Threats to Government Entities

Law enforcement agencies are prime targets for cybercriminals, nation-state actors, and ransomware gangs who frequently exploit stolen credentials in attacks against municipal networks. This makes MFA a necessary defense to prevent account takeovers and unauthorized access to criminal justice systems.

3. Insider Threat Mitigation

Beyond external attackers, municipalities must account for insider threats, whether malicious or accidental. Weak authentication practices, shared credentials, and lack of MFA increase the risk of unauthorized access by internal personnel. This CJIS policy change ensures that users must verify their identity through multiple factors, reducing opportunities for credential misuse.

4. Minimizing Incident Response Costs and Breach Recovery Efforts

When municipalities suffer data breaches involving CJI, they face significant costs related to forensic investigations, legal liabilities, service disruptions, and emergency security upgrades. Implementing MFA prevents reactive spending on breach containment and remediation efforts down the line.

Actionable CJIS MFA Steps for Municipal IT Directors

Your municipality likely has a complex IT infrastructure, with multiple agencies accessing CJI data across various systems. Implementing MFA requires a strategic approach to minimize operational disruptions while achieving compliance.

1. Identify Systems and Users Requiring MFA

Conduct a full inventory of systems, applications, and remote access solutions interacting with CJI. Which systems currently enforce MFA? Where do gaps exist?

2. Implement Strong MFA Solutions

Consider leveraging federated authentication and identity providers (IdPs) to enforce MFA across multiple systems. Avoid overreliance on SMS-based MFA, which remains vulnerable to SIM-swapping attacks and interception. Each device accessing CJI data must have MFA enabled so that users are prompted to authenticate with multiple factors when they log into the device.    

3. Integrate MFA with Existing Security Controls

Implement Conditional Access Policies to enforce risk-based MFA requirements (such as triggering MFA for logins from untrusted locations or devices), align MFA implementation with Zero Trust security principles, and integrate MFA with Privileged Access Management (PAM) to secure administrative accounts.

4. Train Users and Monitor Adoption

Roll out structured training for law enforcement and government personnel on the new MFA requirements. Sometimes, people can resist a shift in how they log into devices and applications, so it’s important to deploy user-friendly authentication solutions to minimize resistance and improve adoption rates.

Beyond MFA: Other CJIS Compliance Considerations

While addressing MFA implementation, IT directors should review broader CJIS security mandates to ensure comprehensive compliance. Key areas include:

• Access Control: Unique user IDs, role-based access, and principle of least privilege.
• Encryption: Strong encryption for CJI data at rest and in transit.
• Audit Logging: Centralized logging and real-time monitoring of authentication events.
• Incident Response: A structured incident response plan for security breaches involving CJI.
• Regular Security Training: Ongoing education on security best practices and evolving threats.

For municipalities, the CJIS MFA mandate is not just a compliance requirement—it’s a necessary security enhancement. Implementing robust authentication strategies will reduce the risk of credential-based attacks, insider threats, and costly breaches. IT directors should take a proactive stance in deploying MFA and ensure that all security controls align with CJIS best practices.

For assistance with implementing MFA and meeting CJIS requirements, contact us today to discuss security solutions tailored for your municipality.