ADVANCED CJIS AUTHENTICATION
Active MFA for modern organizations and CJIS compliance.
Accessing CJIS requires strict adherence to Criminal Justice Information Services, or CJIS standards, such as activity monitoring and securing inactive workstations. Password strength and multi-factor authentication made easy, secure, and automatic for critical data protection.
“I love it. No password or code needed for me to log onto my computer and it keeps others out. This thing is just too cool. My other question is, why don’t the big companies that are losing customer’s information have something like this on their computers?”
Slimboli, Brentwood CA
GateKeeper Enterprise CJIS Compliance Summary
Gatekeeper Enterprise allows an organization to enable access control systems to prevent unauthorized users from gaining access to data and systems they are not privy to see. Comply with multiple policy areas of CJIS with GateKeeper.
|Section||Key Activity||Performance Criteria||GateKeeper Solution|
|5.5.1||Account Management||Account Management includes the identification of account types (i.e., individual, group, and system), establishment of conditions for group memberships, and assignment of associated authorizations. The agency shall identify authorized users of the information system and specify access rights/privileges.|
The agency responsible for account creation shall be notified when:
(1) A user's information, system usage or need-to-know or need-to-share changes.
(2) A user is terminated or transferred or associated accounts are removed, disabled, or otherwise secured.
|GateKeeper Hub allows you to tie individual accounts to users and group accounts to computers to distinguish between them. Accounts with different privileges can be allowed/restricted access to different computers. The logs maintained in the Hub application record all the changes made to a user's account and permission roles.|
|5.5.2||Access Enforcement||The information system shall enforce assigned authorizations for controlling access to the system and contained information. The information system controls shall restrict access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel. Explicitly Authorized Personnel include, for example, security administrators, system and network administrators, and other privileged usurers with access to system control, monitoring, or administration functions.|
Access control policies (e.g., identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) shall be employed by agencies to control access between users in the information system.
|The administrator can create access control policies on GateKeeper Hub to only allow authorized personnel to access computers with sensitive information using their GateKeeper device. Adding/updating/deleting these policies can only be done by users with administrative privileges to the GateKeeper Hub application.|
|5.5.5||Session Lock||The information system shall prevent further access to the system by initiating a session lock after a maximum of 30 minutes of inactivity, and the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures. Users shall directly initiate session lock mechanisms to prevent inadvertent viewing when a device is unattended.||GateKeeper desktop application triggers lock/unlock events on the computer based on the users proximity. As soon as the user walks away, the computer locks to prevent inadvertent data exposure.|
|5.6.1||Identification Policy and Procedures||Each person who is authorized to store, process, and/or transmit CJI shall be uniquely identified. A unique identification shall also be required for all persons who administer and maintain the system(s) that access CJI or networks leveraged for CJI transit. The unique identification can take the form of a full name, badge number, serial number, or other unique alphanumeric identifier. Agencies shall require users to identify themselves uniquely before the user is allowed to perform any actions on the system. Agencies shall ensure that all user IDs belong to currently authorized users. Identification data shall be kept current by adding new users and disabling add/or deleting former users.||The administrator. Each user on the network needs to have a user account associated with their full name and device serial number. Even in a shared credentials environment, users can be uniquely identified along with the session count and time on each computer.|
|126.96.36.199.2||Personal Identification Number (PIN)||When agencies utilize a PIN in conjunction with a token for the purpose of advanced authentication, agencies shall follow the PIN attributes described below.|
1. Be a minimum of six (6) digits.
2. Have no repeating digits (i.e. 112233).
3. Have no sequential patterns (i.e. 123456).
4. Not be the same as Userid.
5. Expire within a maximum of 365 calendar days.
6. Not be identical to the previous three (3) PINs.
7. Not be transmitted in the clear outside the secure location.
8. Not be displayed when entered.
|GateKeeper Hub allows Administrators to set PIN complexity settings adhering to CJIS requirements for all user devices on the network.|
|188.8.131.52.1||Advanced Authentication Requirement||Organizations must use multi-factor authentication if employees are accessing CJI. This is alike to using a debit or credit card that requires PIN input.||GateKeeper allows administrators to enforce two-factor login policies on each computer on the network, restricting the use of Windows credentials for logging in.|
See GateKeeper Enterprise in action
Take a self-guided tour of GateKeeper Enterprise, the proximity-based centralized access management platform.
GateKeeper Enterprise 45-Day Trial
GateKeeper offers special pricing so you or your organization can try Enterprise before implementing on your entire network. All test packages include deployment assistance, premium support, and additional subscription discounts.