Description

Job Responsibilities:

The project aims to implement Multi-Factor Authentication (MFA) solutions for the Criminal Justice Information Services (CJIS) in Pennsylvania. The project consists of two (2) major tasks. The first is to determine and deploy a CJIS-compliant MFA solution. The second is to address a CJIS-compliant approach for machine registration and identification. The project involves integrating various technologies and services, including Azure, Microsoft Entra, Active Directory (AD), Commonwealth Public Key Infrastructure (PKI), AD certificate services, Commonwealth applications, IBM Secure Verify and potentially a Card Management System (CMS).

Position:

Functional Architect - Will be responsible for designing, implementing, and overseeing the FIDO (Fast Identity Online) authentication framework within the project. The architect will work closely with the project team to ensure the successful architecture and integration approach of FIDO-based MFA solutions into the existing infrastructure and Public Safety applications.

Responsibilities:

Architectural Design: Develop a comprehensive architectural design for the integration of FIDO-based MFA solutions with the existing systems, including Azure, Microsoft Entra, AD, Commonwealth PKI, certificate services, and Commonwealth applications.

Technology Evaluation: Evaluate FIDO2 security keys, smartcards, and Windows Hello for Business as potential authenticators to meet the CJIS Security Policy requirements.

Compliance Assurance: Ensure that the FIDO-based MFA solutions comply with the CJIS Security Policy, CJIS Requirements Companion Document, NIST SP 800-63 guidelines, and other relevant regulatory requirements.

Integration and Testing: Oversee the integration of FIDO-based MFA solutions with the existing infrastructure, conduct thorough testing, and ensure seamless interoperability.

Documentation and Training: Prepare detailed technical documentation, guidelines, and training materials for the implementation and maintenance of FIDO-based MFA solutions. This includes working with solutions architects, designers, and developers within public safety.

Requirements:

Experience:

Proven experience in designing and implementing FIDO-based authentication solutions, preferably in the context of CJIS compliance. Proven experience and working knowledge of unified endpoint identification, registration, and authentication, preferably in the context of CJIS compliance.

Technical Expertise:

In-depth knowledge of FIDO2 security keys, smartcards, Windows Hello for Business, and their integration with Azure, Entra, AD, and other relevant systems.

Regulatory Knowledge: Familiarity with CJIS Security Policy, NIST SP 800-63 guidelines, and other relevant regulatory frameworks.

Communication Skills: Strong communication and collaboration skills to work effectively with cross-functional teams and stakeholders.

Deliverables:

Comprehensive architectural design for FIDO-based MFA and device registration and integration, starting with CJIS MFA-secured workstation logon and moving towards CJIS MFA security at the application(s).

Phased approach and timeline for achieving the full architectural design. The first focus should address FIDO2 MFA for users, starting with the Pennsylvania State Police and rolling out to the other Public Safety Delivery Center agencies. The second focus should address machine registration and identification.

Evaluation report on FIDO2 security keys, smartcards, and Windows Hello for Business.

Evaluation report on the machine registration process and existing repositories: Microsoft Intune, Workspace ONE, and AD.

Application integration guidance and compliance assessment documentation for integrating the FIDO security solution. This document will be used by solutions developers and application support staff configuring third-party hosted applications and solutions.

Integrated and tested FIDO-based MFA solutions including a break glass solution.

Technical documentation and training materials.

Timeline:

The Functional Architect will be engaged to complete the architectural design, phased implementation approach, and documentation to assist the architects and solutions team with the implementation of the CJIS MFA and endpoint solution.

Conclusion:

The Functional Architect will play a crucial role in ensuring the successful implementation of multi-factor authentication solutions for the CJIS project in Pennsylvania, contributing to the security and compliance of the Commonwealth's criminal justice information systems.

Citations:

The CJIS Security Policy v5.9.2 introduced important revisions in Section 5.6 Identification and Authentication (IA) and Section 5.15 System and Information Integrity (SI), among other changes. Of particular significance to law enforcement and criminal justice agencies using cloud services for the transmission, storage, or processing of CJI are the updated multi-factor authentication (MFA) requirements for identification and authentication of organizational users.

Microsoft Entra ID supports both authenticator and verifier NIST SP 800-63B AAL3 requirements, including the underlying FIPS 140 validation requirements. Microsoft Entra ID support for NIST SP 800-63B AAL3 exceeds the CJIS Security Policy MFA requirements.

In Microsoft's continuous effort to provide resources and guidance to agencies to help them meet their CJIS regulatory requirements, Microsoft collaborated with CJIS Security Analyst and Subject Matter Expert of the CJIS ACE Division at Diverse Computing and former CJIS Information Security Officer (ISO).

Education

Any Graduate