Using OpenID Connect to authenticate users of Google Workspace accounts to access a third party application that contains sensitive information such as CJIS data, is it possible to force a user to have to log in again? This is required per FBI CJIS Security Policy. And I know police departments are using Google Workspace. Google Workspace is purportedly able to comply with this policy. But, I have yet to find a way to force re-authentication after a period of 30 minutes of inactivity within the application. Is this possible? If so, how?
@graphite in my $dayjob, I'm a compliance & cyber expert in the Google ecosystem. LMK if you need to talk more.
For CJIS, you will need to be using Enterprise Plus with the Assured Controls Plus add-on. Additionally, for the requirement you are discussing which is 5.5.5, the last sentence is your hint: "Note: an example of a session lock is a screen saver with password."
In short, you want to enforce screen locks for the systems you use to access GWS. MDM, GPO, and Chrome Enterprise Premium are all possible ways to solve this that should be explored for your specific environment.
Regards,
KAM
This is not sufficient. This is from the CJIS security policy:
(8) If a device such as a smartphone is used in the authentication process, then the unlocking of that device (typically done using a PIN or biometric) SHALL NOT be considered one of the authentication factors. SUPPLEMENTAL GUIDANCE: This requirement applies to multi-factor authenticators resident on a smartphone or similar device; single-factor authenticators on such devices would only provide a single (physical) authentication factor. Unlocking of a device such as a smartphone may be done for any number of reasons unrelated to authentication, and such devices are normally in an unlocked state for a period of time thereafter. Human action such as entry of a memorized secret or presentation of a biometric factor needs to be provided that is directly associated with the authentication event. Generally, it is not possible for a verifier to know that the device had been locked or if the unlock process met the requirements for the relevant authenticator type.
The problem is, with Google accounts, an officer unlocks his phone to make a call, ends the call, sets down the phone and walks away for 2 minutes. A kid picks up the phone, opens a web browser and all of a sudden has access to CJIS data even though the officer hadn't logged in and used the CJIS application for hours. Google silently authenticates the user and there's no way for the application to determine whether Google actually authenticated the user or not.
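The mechanism the question and the follow-up are circling is the one OpenID Connect Core 1.0 defines for exactly this situation: the application (the relying party) sends `max_age` (and optionally `prompt=login`) in the authorization request, and a conforming provider must then re-authenticate the user if the last authentication is older than that and must return an `auth_time` claim so the application can check it rather than trust the provider's silent sign-on. The Python below is an added example written for this thread; it is not code from either poster and not Google's own code. It assumes the identity provider honours `max_age` and returns `auth_time` (whether a given provider, Google Workspace included, does so has to be confirmed against its documentation; if `auth_time` is absent the check fails closed), that the ID token's signature and `nonce` have already been verified, and that the endpoint URLs and client identifiers are placeholders.

```python
"""
Relying-party enforcement of a 30-minute re-authentication window over OIDC.
Added example for this thread; not the posters' code and not Google's.
ASSUMPTIONS: the IdP honours the OIDC Core `max_age` request parameter and
returns an `auth_time` claim (verify this for your provider); ID token
signature and nonce verification happen before `id_token_is_fresh` is called.
"""
import time
from urllib.parse import urlencode

INACTIVITY_LIMIT_SECONDS = 30 * 60   # the 30-minute window from the question
CLOCK_SKEW_SECONDS = 60              # tolerance for IdP/RP clock drift


def build_authorization_url(authorize_endpoint, client_id, redirect_uri,
                            state, nonce, max_age=INACTIVITY_LIMIT_SECONDS,
                            force_login=False):
    """Authorization request that asks the IdP for a recent authentication.

    max_age: OIDC Core 3.1.2.1 - the OP MUST re-authenticate if the user's
             last authentication is older than this many seconds.
    prompt=login: additionally demand an interactive login regardless of age.
    """
    params = {
        "response_type": "code",
        "scope": "openid email",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "max_age": str(max_age),
    }
    if force_login:
        params["prompt"] = "login"
    return f"{authorize_endpoint}?{urlencode(params)}"


def id_token_is_fresh(claims, now, max_age=INACTIVITY_LIMIT_SECONDS):
    """Return True only if the ID token proves a human authentication event
    within `max_age` seconds of `now`.

    OIDC Core 3.1.3.7 step 13: when max_age was requested the RP MUST check
    auth_time. A missing auth_time cannot be distinguished from a silent
    sign-on, so it is rejected (fail closed).
    """
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)) or isinstance(auth_time, bool):
        return False
    if auth_time > now + CLOCK_SKEW_SECONDS:   # future-dated: reject
        return False
    return (now - auth_time) <= max_age


class AppSession:
    """Application-side idle tracking, independent of the IdP's own session.

    The IdP cannot see that the officer walked away; only the application
    sees the gap between requests, so the inactivity clock lives here.
    """

    def __init__(self, claims, now, limit=INACTIVITY_LIMIT_SECONDS):
        if not id_token_is_fresh(claims, now, limit):
            raise ValueError("ID token does not prove a recent authentication")
        self.subject = claims["sub"]
        self.auth_time = claims["auth_time"]
        self.last_activity = now
        self.limit = limit

    def touch(self, now):
        """Record a request. Returns False when the idle window has lapsed;
        the caller must then discard this session and redirect the user to
        build_authorization_url(..., force_login=True)."""
        if now - self.last_activity > self.limit:
            return False
        self.last_activity = now
        return True


if __name__ == "__main__":
    now = int(time.time())
    # Constructed sample claims, as they would look after signature checks.
    fresh = {"sub": "officer-123", "auth_time": now - 120}
    stale = {"sub": "officer-123", "auth_time": now - 3 * 60 * 60}
    silent = {"sub": "officer-123"}            # no auth_time at all
    print("fresh  ->", id_token_is_fresh(fresh, now))    # True
    print("stale  ->", id_token_is_fresh(stale, now))    # False
    print("silent ->", id_token_is_fresh(silent, now))   # False
    print(build_authorization_url("https://idp.example/authorize", "client-id",
                                  "https://app.example/cb", "state-1",
                                  "nonce-1", force_login=True))
```

The two checks are deliberately separate: `id_token_is_fresh` is what lets the application refuse a token the provider minted from an old browser session, and `AppSession.touch` is what turns the officer walking away into a forced trip back through the provider with `prompt=login`. If the provider does not return `auth_time`, the first check rejects everything, which tells you immediately that the provider cannot give the application the evidence the policy text above demands.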