What the FBI’s criminal VPN warning means for CJIS compliance and public safety access security

Recent FBI guidance highlights attacker use of remote access paths, valid accounts, and anonymized infrastructure. CJIS compliance requires agencies to control and validate access to criminal justice information. In public safety, those controls only work if they are trusted and usable.

A recent FBI FLASH advisory is warning that criminal VPN infrastructure has been used by ransomware groups to support reconnaissance and intrusions. For public safety agencies, the guidance reinforces what we often see at Imprivata: Criminal Justice Information Services (CJIS) compliance is inseparable from trusted, usable access.

The FLASH is especially relevant for CJIS-regulated agencies because the risks it describes are already part of everyday public safety operations.

What the FBI advisory says

The advisory focuses on First VPN Service, a criminally advertised VPN service active since approximately 2014. The FBI says the service has been used by at least 25 ransomware groups and is tied to scanning activity, botnets, denial-of-service attacks, scams, and hacking.

The FBI maps the activity to techniques such as proxy use, remote services, valid accounts, brute-force, network discovery, and denial-of-service. These are the same kinds of access paths agencies often rely on for vendor support, mobile work, shared devices, and legacy systems.

Recommended mitigations include:

• Multifactor authentication for remote access
• VPN-aware access controls
• Least privilege segmentation
• Monitoring for unusual locations or IP addresses
• Investigation of anomalous identity or session activity

The signal for public safety agencies is that blocking suspicious infrastructure helps. But on its own, it’s just not enough. Agencies need access controls that can determine whether a user, device, or session should be trusted.

What CJIS-regulated agencies are facing

In our work with public safety organizations, one challenge keeps coming up: agencies are expected to strengthen CJIS compliance while maintaining fast, mission-critical access.

That’s easier said than done. Public safety environments are full of shared workstations, mobile data terminals, patrol vehicle systems, remote support tools, and legacy applications such as computer-aided dispatch and records management systems. Rather than representing edge cases, these examples represent the daily operating model for many agencies.

This is where the FBI advisory connects directly to CJIS compliance. If attackers are using legitimate-looking access paths, agencies need more than a network view of risk. They need to know:

• Who is accessing critical systems
• Whether that access is appropriate
• Whether they can prove it later

That’s also why access friction is such a major problem. When authentication is too slow or too inconsistent, users look for shortcuts. Think of two people sharing credentials or officers delaying logouts. Those behaviors are understandable in fast-moving environments … but they weaken accountability.

Where agencies should focus now

The FBI guidance points to a broader need for access strategies designed around how public safety work actually happens. From Imprivata’s perspective, three areas deserve immediate attention.

Shared workstations and mobile environments

Shared devices are part of law enforcement operations. Shared credentials should not be. Agencies need fast user switching, individual accountability, and session control so access remains both efficient and auditable.

Third-party and remote access

Vendors often support critical systems, including computer-aided dispatch, records management, jail systems, and infrastructure. That access needs to be verified, limited, monitored, and removed when no longer needed. The FBI’s focus on external remote services and valid accounts makes this especially relevant.

Multifactor authentication that fits the workflow

Multifactor authentication is essential, but it cannot slow down officers, dispatchers, or staff. CJIS compliance depends on strong authentication. User adoption depends on making that authentication simple, consistent, and practical.

The bigger lesson: Compliance has to work where the work happens

CJIS compliance is often discussed in terms of requirements. Public safety agencies experience it as workflow.

It has to work at the dispatch console. In the patrol car. At the booking desk. In the records office. During a vendor support session. Across shared devices and legacy applications.

That is why Imprivata’s CJIS perspective centers on simplifying compliance, rather than simply enforcing it. Agencies need secure access that supports …

• Identification and authentication
• Access control
• Audit and accountability
• Third-party access
• Shared device workflows

… without adding unnecessary complexity.

That’s also consistent with Imprivata’s broader point of view: in mission-critical environments, every second of critical work must be both frictionless and secure. Access management should represent a value-add where itreduces friction instead of creating more of it.

Trusted access is now part of public safety readiness

The FBI advisory reinforces a shift already underway in public safety cybersecurity. Agencies are not only protecting systems. They are protecting the workflows that allow people to respond, dispatch, investigate, document, and serve the public.

Trusted access sits at the center of that shift. It helps agencies enforce CJIS requirements. It gives IT and security teams clearer visibility. It helps reduce reliance on shared credentials. It supports third-party oversight. And when designed around real public safety workflows, it allows officers, dispatchers, and staff to stay focused on the mission instead of the login.

For CJIS-regulated agencies, the goal is not security at the expense of speed. It is simple and secure access that strengthens compliance, improves accountability, and keeps critical work moving.

No matter where your agency is on its CJIS compliance journey, Imprivata can help you make sense of the requirements and apply them to real public safety workflows. Connect with me on LinkedIn or reach out throu gh Imprivata to schedule a conversation.