How Okta Helps You on the Path to CJIS Compliance

U.S. law enforcement agencies have to operate within very strict parameters to access and handle criminal information that’s stored on Criminal Justice Information Services (CJIS). Local, state, and federal law enforcement agencies are mandated under the CJIS Security Policy, which guides these institutions in how to avoid vulnerabilities, preventing both financial and reputational loss.

For companies looking to be CJIS compliant, there are a number of things to know—and ways that Okta can help.

First, what is the CJIS Security Policy?

The CJIS Security Policy is a joint program of the FBI, State Identification Bureau, and the CJIS Systems Agency. It outlines necessary security precautions, including how to protect sensitive information, such as fingerprints and criminal background details. It also offers best practices on securing wireless networking, remote access control, data encryption, and multi-factor authentication (MFA).

All United States law enforcement and criminal justice agencies—as well as their providers—must be compliant with this policy. These organizations can leverage the Okta package completed as part of the Federal Risk and Management Program (FedRAMP), which is the standardized policy for assessing and authorizing cloud service providers for US government agencies.

How Okta facilitates CJIS compliance

Because of its FedRAMP compliance, Okta’s identity platform and capabilities are ideally positioned to help law enforcement agencies meet CJIS compliance and remain vigilant against the security threats they face. It uses best practices to help agencies monitor and detect potential attacks, respond to incidents, and control who has access to their systems and information.

Below, we’ve outlined how adopting Okta’s platform helps agencies meet controls across the various policy areas. It’s important to note that any sections within each policy area that aren’t covered by Okta are typically the responsibility of the organization.

Policy area 1: Information exchange agreements

All information that agencies share through any communication medium needs to be protected with appropriate safeguards.

Okta provides a set of security standards and access controls that protect all the information that’s shared across various systems. It also simplifies the granting and revoking of access to CJIS systems.

Policy area 2: Security awareness training

All employees that require access to criminal justice information (CJI) must undergo security awareness training within six months of their assignment and every two years thereafter. This covers CJI usage and behavior, implications of non-compliance, potential threats and vulnerabilities, and web and password usage.

Okta meets these requirements for all its employees.

Policy area 3: Incident response

Government and private agencies face the constant risk of accidental and malicious cyberattacks. They must therefore ensure procedures are in place to prepare, detect, analyze, contain, and recover from threats and be able to track, document, and report them to appropriate officials and authorities when they do occur.

Okta offers a rich set of logs to assist with these controls.

Policy area 4: Auditing and accountability

Agencies need to increase the probability that users conform to a prescribed pattern of behavior to keep data secure. This is reliant on audit and accountability controls on servers and mobile devices, and producing records of what events occurred, the sources of the records, and the outcome.

Okta addresses this by providing rich logging that is exportable to the customer’s system of choice.

Policy area 5: Access control

Keeping sensitive data secure relies on restricting the number of employees that are authorized to read, write, process, and transmit CJIS information and modify systems, services, applications, and communication configurations. Agencies also need tight controls in place around how they activate, manage, review, disable, and remove the rights and privileges of user accounts.

Okta ensures that the right users have access to the right information—and no one else. It provides a feature set that simplifies tasks, eliminates errors, and helps agencies to limit invalid logins, control lock timing, and be alert to remote access activity. With Okta, agencies are able to control access and get a log set that can be imported directly into their system.

Policy area 6: Identification and authentication

Protecting user identity means having authentication as a prerequisite to allowing access to agency systems and services. Every user needs to be uniquely identified, verified, and authenticated, and agencies must also implement strict guidelines dictating strong password attributes.

Okta supports a wide variety of industry-standard authenticators, such as FIPS 140-2-validated MFA via Okta Verify. It also provides adaptive MFA to meet risk-based authentication requirements. Okta’s settings contain rules that ensure agencies meet strong password requirements.

Policy area 7: Configuration management

Changes to hardware, software, and firmware components of agencies’ information systems can have a major impact on security. Only qualified and authorized employees should have access and be able to make upgrades and modifications.

Okta helps agencies to protect the sensitive details of system configuration documentation from unauthorized access.

Policy areas 8 and 9: Media protection and physical protection

Agencies must store electronic and physical media in secure physical locations and ensure they are disposed of when no longer required.

Okta inherits these capabilities from Amazon Web Services, as they have implemented these features in their infrastructure and databases, which Okta uses to store data.

Policy area 10: System and communications protection and information integrity

An agency’s network infrastructure needs to prevent unencrypted CJI transmission, outside traffic, and web requests that aren’t from the internal proxy.

Okta helps firms to control the flow of information between systems, implement encryption, and deploy tools and techniques that monitor network events, detect attacks, and flag unauthorized access.

Policy area 11: Formal audits

Agencies must conduct formal audits to ensure compliance with relevant statuses, regulations, and policies.

Audit requirements should be discussed with Okta’s legal teams in order to determine how we can help.

Out of scope:

While Okta offers robust coverage of the CJIS Security Policy, there are a couple of areas that are meant for the agency to take on internally.

Mobile devices: Okta does not help businesses with monitoring wireless technologies and protocols or cellular devices.

  • Organizations should look to implement wireless protocols that secure their data across multiple devices. This can be done by deploying authentication and encryption mechanisms that operate on each device, for instance.
  • They should also ensure they have visibility into how many devices or access points can access their systems, and have systems for identifying and managing compromised or stolen devices.

Concurrent user sessions: Okta does not currently offer limits on the number of active sessions users can have on applications accessing CJI at a given time.

With its suite of identity and access management tools, Okta is well suited to support law enforcement agencies in meeting the strict data security requirements imposed on them. To find out how Okta can help you on your CJIS journey, contact our team to find out more.

To have a conversation about how we can help with your specific needs get in touch. And for more information on how Okta can help your organization meet CJIS requirements check out our whitepaper Using Okta with Criminal Justice Information Services (CJIS).