NIST pushes criminal justice agencies toward MFA to secure sensitive data

The National Institute of Standards and Technology (NIST) has issued a sweeping new report urging criminal justice agencies to adopt multi-factor authentication as a core safeguard against credential theft, underscoring the growing urgency of securing law enforcement systems against cyberattacks.

NIST Internal Report 8523: Multi-Factor Authentication for Criminal Justice Information Systems details practical steps and architectural models for state, local, tribal, and territorial agencies as they work to comply with updated Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Security Policy requirements.

At the center of the guidance is the recognition that passwords alone have become a dangerously weak line of defense. NIST says that nearly half of public safety data breaches in 2024 stemmed from stolen or compromised credentials.

In the context of criminal justice, such breaches threaten not just data integrity, but also ongoing investigations, officer safety, and the privacy of individuals whose information is stored in government systems.

The report states that migrating to multi-factor authentication (MFA) is the most effective way to cut off that attack vector, reducing the risk of unauthorized access to criminal justice information (CJI).

By issuing this guidance, NIST seems to be signaling a national shift in how criminal justice systems handle identity security. The move away from passwords toward phishing-resistant multi-factor authentication reflects the broader recognition that cybercriminals are relentlessly targeting identity systems as the path of least resistance.

The CJIS Security Policy (v5.9.2 and later; current v6.0) requires MFA at Authentication Assurance Level 2 or higher for access to CJI. This standard demands at least two distinct authentication factors, typically combining something a user knows, such as a password or PIN, with something they have, like a cryptographic token or mobile device, or something they are, such as a biometric signature.

According to NIST, the requirement applies equally to criminal and non-criminal justice agencies that access CJI, ranging from police departments and sheriff’s offices to corrections facilities and administrative units.

NIST’s report goes well beyond policy mandates and offers a detailed roadmap for how agencies can implement MFA in real-world environments where operational needs are complex and resources vary widely.

The report identifies computer-aided dispatch systems, records management platforms, and state-level message switches as the primary points where MFA must be integrated to ensure end-to-end protection of criminal justice data flows.

These systems, which form the backbone of law enforcement information sharing, present both the biggest risks and the biggest opportunities for strengthening identity protections.

One theme running throughout the report is balance. While MFA strengthens cybersecurity, it can also slow down users or add costs if poorly deployed. NIST emphasizes that law enforcement personnel cannot afford authentication systems that introduce delays in high-stakes moments, such as when an officer needs to run a suspect’s record in the field.

To ease these tensions, the report highlights the importance of technologies such as identity federation and single sign-on. Federation allows agencies to trust authentications performed by other entities, avoiding redundant credential requirements across multiple systems.

Single sign-on, meanwhile, lets users authenticate once and access multiple applications without repeated MFA challenges. Both approaches reduce friction for officers while maintaining security, and NIST encourages agencies to work with their vendors to ensure these capabilities are built into their systems.

The report also singles out phishing as one of the most persistent threats facing agencies. Even when MFA is implemented, not all authenticators are equally strong, and many still leave openings for phishing attacks, NIST said, warning that attackers can bypass weaker MFA methods by tricking users into providing one-time codes or passwords.

As a countermeasure, NIST strongly recommends that agencies prioritize phishing-resistant authentication methods, such as FIDO authenticators paired with web authentication protocols. These systems prevent attackers from intercepting or reusing credentials, thereby closing one of the most common loopholes in traditional MFA deployments.

Because agencies differ in size, resources, and technical maturity, NIST frames its recommendations around phased deployment strategies. Rather than attempting a wholesale rollout, the report advises starting with IT staff and help desk personnel, who can test authenticator types and identify support issues before general users are brought online.

Broader rollouts should then expand to representative cohorts of law enforcement officers, with user feedback guiding refinements to policies and communication strategies. By the time the deployment reaches all personnel, agencies will have adjusted instructions, training materials, and help desk procedures to minimize disruptions.

The report also stresses collaboration across jurisdictions. Smaller or rural agencies often lack the resources to develop MFA systems independently, and NIST suggests that state agencies consider offering shared identity services that local departments can opt into. This model not only reduces costs through economies of scale but also improves consistency across agencies that routinely share criminal justice data.

Federation protocols such as SAML and OpenID Connect are presented as critical enablers of this shared-services approach, allowing multiple agencies to authenticate through a central system without passing around passwords or duplicating credentials.

Vendor cooperation emerges as another recurring theme in the report. NIST warns that unless agencies coordinate their vendor requirements, they may end up with siloed MFA solutions that cannot interoperate.

To avoid that outcome, the report urges agencies to demand federation and single sign-on support from vendors, and it even includes sample questionnaires in an appendix that agencies can use when engaging technology providers

Beyond technical hurdles, NIST acknowledges that legal and compliance challenges will shape MFA adoption. Privacy laws in some states may affect how biometric data can be used as an authenticator, and agencies are advised to consult with legal counsel before collecting or storing such identifiers.

Additionally, NIST reminds agencies that personal mobile devices used as authentication factors could be subject to subpoena in criminal proceedings, raising further questions about privacy and evidentiary exposure.

Compliance teams must be involved early in the design process, and the FBI’s CJIS Information Security Officer team should be consulted to confirm whether specific implementations meet federal policy requirements

NIST also confronts a common misstep in security architecture: relying on MFA at the network level alone. Many agencies depend on VPN services to secure remote access, and some attempt to meet MFA requirements by layering an extra factor at the VPN login.

However, NIST cautions that if the criminal justice application itself is still protected only by a password, attackers who gain network access may be able to bypass protections altogether. The recommended model is to integrate MFA directly into the application layer, ensuring that sensitive CJI is never accessible without multiple, phishing-resistant credentials.

While the report is deeply technical, its broader message is clear. Protecting criminal justice information requires a comprehensive approach that blends technology, policy, and operational realities. Passwords are no longer sufficient, and agencies that continue to rely on them are courting disaster.

NIST acknowledges that implementation is not a one-size-fits-all process and that agencies must assess their unique environments, user needs, and resource constraints, then choose architectures that maximize security while minimizing friction.

Article Topics

biometric authentication  |  biometrics  |  cybersecurity  |  digital identity  |  multifactor authentication  |  NIST  |  passkeys