ADVANCED CJIS AUTHENTICATION
Active MFA for modern CJIS compliance.
Accessing CJIS databases requires strict adherence to Criminal Justice Information Services (CJIS) standards, such as activity monitoring and securing inactive workstations. Automate session lockouts, dynamic password settings, and password lengths.
Police-grade MFA made automatic, easy, and secure for critical data protection. GateKeeper password manager and access control system is a practical, cost-effective solution for compliance needs.
"Halberd is a Bluetooth proximity–based, access-control device that permits the user to their computer and have it automatically lock as they depart. Upon their return, Halberd restores the screen — all with no pins and passwords. The device saves computer security from breach as soon as a user leaves the immediate area as well as saves any lost work time logging on and off computers. Personal security is also greatly enhanced by the automatic lock and unlock capability based on proximity. Industries such as medicine, law, security, transportation and logistics will get a competitive advantage, as their competitors waste time, manpower and put themselves at potential of serious and costly data breach."
GateKeeper Enterprise CJIS Compliance Summary
Prevent unauthorized users from gaining access to data and systems they are not privy to. Comply with multiple policy areas of CJIS automatically or with ease.
|Section||Key Activity||Performance Criteria||GateKeeper Solution|
|5.5.1||Account Management||Account Management includes the identification of account types (i.e., individual, group, and system), establishment of conditions for group memberships, and assignment of associated authorizations. The agency shall identify authorized users of the information system and specify access rights/privileges. The agency responsible for account creation shall be notified when: (1) A user's information, system usage or need-to-know or need-to-share changes. (2) A user is terminated or transferred or associated accounts are removed, disabled, or otherwise secured.||GateKeeper Hub allows administrators to tie individual accounts to users and group accounts to computers to distinguish between them. Accounts with different privileges can be allowed/restricted access to different computers. The logs maintained in the Hub application record all the changes made to a user's account and permission roles.|
|5.5.2||Access Enforcement||The information system shall enforce assigned authorizations for controlling access to the system and contained information. The information system controls shall restrict access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel. Explicitly Authorized Personnel include, for example, security administrators, system and network administrators, and other privileged users with access to system control, monitoring, or administration functions. Access control policies (e.g., identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) shall be employed by agencies to control access between users in the information system.||The administrator can create access control policies on GateKeeper Hub to only allow authorized personnel to access computers with sensitive information using their GateKeeper token. Adding, updating, and deleting these policies can only be done by users with administrative privileges to the GateKeeper Hub application.|
|5.5.5||Session Lock||The information system shall prevent further access to the system by initiating a session lock after a maximum of 30 minutes of inactivity, and the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures. Users shall directly initiate session lock mechanisms to prevent inadvertent viewing when a device is unattended.||GateKeeper desktop application triggers lock/unlock events on the computer based on the user's proximity. As soon as the user walks away, the computer locks to prevent inadvertent data exposure on unattended terminals.|
|5.6.1||Identification Policy and Procedures||Each person who is authorized to store, process, and/or transmit CJI shall be uniquely identified. A unique identification shall also be required for all persons who administer and maintain the system(s) that access CJI or networks leveraged for CJI transit. The unique identification can take the form of a full name, badge number, serial number, or other unique alphanumeric identifier. Agencies shall require users to identify themselves uniquely before the user is allowed to perform any actions on the system. Agencies shall ensure that all user IDs belong to currently authorized users. Identification data shall be kept current by adding new users and disabling and/or deleting former users.||The administrator. Each user on the network needs to have a user account associated with their full name and token's serial number. Even in a shared credential environment, users can be uniquely identified along with the session count and time on each computer.|
|220.127.116.11.2||Personal Identification Number (PIN)||When agencies utilize a PIN in conjunction with a token for the purpose of advanced authentication, agencies shall follow the PIN attributes described below. 1. Be a minimum of six (6) digits. 2. Have no repeating digits (i.e. 112233). 3. Have no sequential patterns (i.e. 123456). 4. Not be the same as Userid. 5. Expire within a maximum of 365 calendar days. 6. Not be identical to the previous three (3) PINs. 7. Not be transmitted in the clear outside the secure location. 8. Not be displayed when entered.||GateKeeper Hub allows Administrators to set custom PIN complexity settings adhering to CJIS requirements for all users on the network.|
|18.104.22.168.1||Advanced Authentication Requirement||Organizations must use multi-factor authentication if employees are accessing CJI. This is similar to using a debit or credit card that requires PIN input.||GateKeeper allows administrators to auto-enforce multi-factor authentication login requirements on each computer on the network, restricting the use of Windows credentials for logging in.|
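
PIN attributes 1 through 6 from the table above can be enforced at PIN-change time. The Python below is an added example, not GateKeeper's code or text from the CJIS policy; the function names are hypothetical. It assumes rule 2 means the same digit twice in a row and rule 3 means three or more digits stepping up or down by one. Rules 7 and 8 concern transmission and display and are outside what a validator can check.

```python
import hashlib
import hmac
from datetime import date

MIN_DIGITS = 6      # rule 1
MAX_AGE_DAYS = 365  # rule 5
HISTORY_DEPTH = 3   # rule 6
RUN_LENGTH = 3      # assumption: 3+ digits stepping by +1/-1 is "sequential"

def hash_pin(pin: str, salt: bytes) -> bytes:
    """PIN history is kept as salted digests, never as clear PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def has_adjacent_repeat(pin: str) -> bool:
    # Assumed reading of rule 2: the same digit twice in a row, as in 112233.
    return any(a == b for a, b in zip(pin, pin[1:]))

def has_sequential_run(pin: str) -> bool:
    # Assumed reading of rule 3: an ascending or descending run, as in 123456.
    for step in (1, -1):
        streak = 1
        for a, b in zip(pin, pin[1:]):
            streak = streak + 1 if int(b) - int(a) == step else 1
            if streak >= RUN_LENGTH:
                return True
    return False

def pin_violations(pin: str, user_id: str, history: list) -> list:
    """Return the rule numbers a candidate PIN breaks; [] means acceptable.
    history holds (salt, digest) pairs for earlier PINs, newest last."""
    if not (pin.isascii() and pin.isdigit()) or len(pin) < MIN_DIGITS:
        return [1]  # the remaining checks need a digit string
    broken = []
    if has_adjacent_repeat(pin):
        broken.append(2)
    if has_sequential_run(pin):
        broken.append(3)
    if pin == user_id:
        broken.append(4)
    recent = history[-HISTORY_DEPTH:]
    if any(hmac.compare_digest(hash_pin(pin, s), d) for s, d in recent):
        broken.append(6)
    return broken

def pin_expired(set_on: date, today: date) -> bool:
    # Rule 5: a PIN older than 365 calendar days must be changed.
    return (today - set_on).days > MAX_AGE_DAYS
```
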
See GateKeeper Enterprise in action
Take a self-guided tour of how your proximity-based access control can work.
GateKeeper Enterprise 45-Day Trial
Shift tactics to something that works. All your passwords in one place and only accessible by you. The trial lets you experience fully automated access and security before full deployment. Try instant multi-factor authentication and worry-free workflow with proximity-based privileged access management.