
November 9, 2016 by FusionPipe

The importance of Security Compliance and the Criminal Justice System

By: A. Csinger, Interim CTO, FusionPipe Software

August 2016

CJIS

The Criminal Justice Information Services Division (CJIS) of the FBI issues and periodically revises the CJIS Security Policy. This is a set of minimal standards for organizations and individuals to follow if they process or store Criminal Justice Information (CJI). Agencies can be audited to demonstrate compliance with the CJIS Security Policy, and failure to comply can have serious consequences for agencies, both in sanctions and in information loss from non-compliant systems. A 2014 attack on the Washington State Administrative Office of the Courts, for instance, exposed as many as 160,000 Social Security Numbers and a million driver’s license numbers. Compliance matters.

While an enterprise implementation can be audited against the criteria and “certified” as compliant, vendors are not certified for, or by, CJIS.  Typically, agencies attest to their compliance by self-certifying via a combination of internal and external audit.  Compliance is an on-going enterprise activity that comprises policies and practices, hardware and software, and training in procedures.

While there are no vendor certifications related to CJIS, FusionPipe can help agencies achieve, maintain and even enhance CJIS compliance. For instance, the CJIS Security Policy devotes substantial attention to the management of passwords: password expiry, minimum complexity, forced lock-out after a fixed number of unsuccessful login attempts, etc. These issues are dramatically mitigated by a system that either automates these requirements or eliminates them by replacing passwords, as does the FusionPipe approach. Refer to Section 5.6.2.1.1 of the CJIS Security Policy, where the following are stipulated:

 

5.6.2.1.1. Password

1. Be a minimum length of eight (8) characters on all systems.

2. Not be a dictionary word or proper name.

3. Not be the same as the UserID.

4. Expire within a maximum of 90 calendar days.

5. Not be identical to the previous ten (10) passwords.

6. Not be transmitted in the clear outside the secure location.

7. Not be displayed when entered.
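How items 1 to 5 of this list can be enforced at password-change time, as an added Python example; it is not FusionPipe's code or part of the CJIS Security Policy. All function names, the tiny word list, the PBKDF2 parameters and the treatment of day 90 as expired are assumptions, and items 6 and 7 (transport and display) are outside what it checks.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 8        # item 1
MAX_AGE_DAYS = 90     # item 4
HISTORY_DEPTH = 10    # item 5
ITERATIONS = 100_000  # assumed PBKDF2 work factor, not taken from the policy
# Constructed stand-in for a real dictionary / proper-name list (item 2).
WORDLIST = {"password", "baseball", "jennifer", "sunshine"}

def hash_password(password, salt=None):
    """Return (salt, digest). History is kept as salted hashes, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def check_new_password(user_id, password, history):
    """Return the violated item numbers (1, 2, 3, 5); an empty list means accepted.

    history is a list of (salt, digest) tuples, oldest first, newest last.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(1)
    if password.lower() in WORDLIST:
        violations.append(2)
    if password.lower() == user_id.lower():
        violations.append(3)
    # Item 5: re-hash the candidate under each stored salt and compare in
    # constant time; only the ten most recent entries count.
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            violations.append(5)
            break
    return violations

def is_expired(last_changed, today=None):
    """Item 4: assumed reading is that a password is expired once it is 90 days old."""
    today = today or date.today()
    return (today - last_changed) >= timedelta(days=MAX_AGE_DAYS)
```

Because each history entry has its own salt, the reuse check costs up to ten key derivations per password change, which is the price of not storing old passwords in recoverable form.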

 

Another example is Section 5.5.5, Session Lock, wherein:

The information system shall prevent further access to the system by initiating a session lock after a maximum of 30 minutes of inactivity, and the session lock remains in effect until the user re-establishes access using appropriate identification and authentication procedures. Users shall directly initiate session lock mechanisms to prevent inadvertent viewing when a device is unattended. A session lock is not a substitute for logging out of the information system.

 

FusionPipe Security Standards

FusionPipe provides enterprise authentication solutions that combine convenience and compliance within an uncompromising security envelope, following best practices and using FIPS 140-2 compliant encryption algorithms.

FusionPipe’s QuikID™ authentication solutions make it easy for users and enterprises to meet CJIS compliance requirements: arbitrarily complex passwords can now be used with no cognitive burden on the user and no additional management requirements for the agency, and passwords are never transmitted in the clear, nor are they ever displayed.

In summary: CJIS is a compliance standard released by the FBI against which agencies processing or storing CJI can be audited.  Compliance is important for many reasons, and non-compliance carries penalties and risks.  There is no vendor certification available for CJIS.  FusionPipe’s solutions can help agencies become, and remain, CJIS compliant.