
CJIS compliance: How to meet password and MFA requirements
If you’re responsible for password security at a law enforcement agency or organization that handles criminal justice data, CJIS compliance isn’t optional. It’s the baseline for protecting some of the most sensitive information in the country.
The FBI’s Criminal Justice Information Services (CJIS) Security Policy sets strict standards for anyone accessing criminal justice information. Version 5.9.5 was released in July 2024 and version 6.0 was released in December 2024, both bringing significant updates to password and multi-factor authentication (MFA) requirements that organizations need to meet.
We’ll show you how to make it simple with Specops tools that work within your existing Active Directory environment, adding the controls necessary to meet CJIS requirements without disrupting your operations.
Who needs to comply with CJIS?
CJIS compliance applies to any organization that accesses, stores, or transmits Criminal Justice Information (CJI). This includes:
- Law enforcement agencies at federal, state, and local levels
- Courts and judicial systems
- Correctional facilities
- Private contractors and vendors who work with law enforcement
- Cloud service providers hosting CJI
- Background check companies
If your organization touches CJI in any way, you fall under CJIS requirements. This extends beyond direct law enforcement to any third-party vendor or contractor in the chain.
Why CJIS compliance matters
Non-compliance with CJIS isn’t just a paperwork problem. Organizations that fail to meet requirements face serious consequences, including loss of access to FBI CJIS resources and potential monetary fines. All breaches and major incidents must be reported to the Justice Department, and the reputational damage alone can be devastating for agencies that fail to protect this data.
Every law enforcement agency using CJIS gets audited at least once every three years. Falling short means risking your access to critical databases your organization depends on. The version 6.0 enforcement deadline has passed, which means non-compliant organizations are already at risk of sanctions.
Key updates in CJIS 5.9.5 and 6.0
CJIS 5.9.5 — MFA moves from guidance to requirement
With the release of CJIS 5.9.5, multifactor authentication (MFA) was no longer optional: every account that accesses criminal-justice information must use MFA so that possession of a password alone cannot enable access.
MFA must combine at least two different types of factors, for example:
- Something you know — e.g., a password or PIN (a necessary but insufficient safeguard by itself).
- Something you have — e.g., a smart card, hardware token, or registered mobile device (an additional possession-based barrier).
- Something you are — e.g., fingerprint or facial scan (biometric verification tied to the individual).
Using multiple factor types dramatically lowers the chance an attacker can gain entry even if one credential is compromised.
CJIS 6.0 — Widening and hardening the security perimeter
CJIS 6.0 extends the protections introduced in 5.9.5 with several operational and lifecycle-focused controls:
- Continuous monitoring: Agencies must actively detect and investigate suspicious behavior in near real time so incidents can be contained before they become major breaches.
- Third-party & supply-chain risk management: Vendors, contractors, and partners are held to the same security expectations as agency personnel, including documented risk assessments and explicit access restrictions.
- Lifecycle security planning: Security must be embedded from design through deployment, upkeep, and eventual decommissioning of systems.
These updates reflect the realities of modern law-enforcement IT (data is accessed from many devices, networks, and jurisdictions) and require consistent security controls across that entire environment.
CJIS password requirements
The CJIS Security Policy v6.0 updated its “Memorized Secrets” (PINs and passwords) standards to align with the NIST Digital Identity Guidelines. These requirements replace traditional character-class complexity rules with length and quality checks:
- Minimum length: Memorized secrets (passwords and/or PINs) must be at least 8 characters, with no additional complexity requirements, or 6 characters if generated by the verifier. At Specops we recommend going well above this minimum and enforcing passphrases of 15 characters or more.
- Banned password list: Systems must maintain, and check new secrets against, a list of context-specific words, dictionary words, repetitive or sequential characters, and passwords obtained from previous breach corpora.
- Password change protocol: Users must immediately change any password found on the banned list.
- Authentication attempts: A maximum of 5 failed login attempts is allowed, to limit brute-force attacks.
- Password expiration: Passwords must expire immediately if found to be compromised, and may be allowed to expire after 365 days.
- Secure transmission: Passwords must travel over encrypted and authenticated channels.
- Secure storage: Passwords must be salted and hashed using a one-way key derivation function.
Read more on CJIS password policy requirements.
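To make the list above concrete, here is an added example (not Specops code, and not taken from the CJIS policy text) of how a verifier can apply these rules: minimum length, a banned-list check covering context-specific words, dictionary words, repetitive or sequential characters and a breach corpus, salted storage with a one-way key derivation function, and a lockout after 5 failed attempts. The word lists and breach digests are constructed sample data; the choice of scrypt (via Python's `hashlib`) and its cost parameters are assumptions, not requirements named on the page.

```python
"""CJIS-style memorized-secret checks (added example, not Specops or CJIS code).

Assumptions (not from the article): the banned-list sources are tiny constructed
samples, the breach corpus is held as a set of SHA-1 digests, and the one-way
KDF is scrypt from hashlib. A deployment would load its own full lists.
"""
import hashlib
import hmac
import os
import re
from typing import Optional

MIN_LENGTH = 8           # CJIS v6.0 minimum for user-chosen secrets
MAX_FAILED_ATTEMPTS = 5  # CJIS limit on failed authentication attempts

# Constructed sample lists; a real system would use complete dictionaries.
CONTEXT_WORDS = {"cjis", "sheriff", "police", "dispatch", "countypd"}
DICTIONARY_WORDS = {"password", "welcome", "summer", "football"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ["Summer2024!", "letmein123"]}  # constructed corpus


def has_repetitive_or_sequential(secret: str, run: int = 4) -> bool:
    """True if the secret has `run` identical characters in a row (9999) or
    `run` consecutive code points ascending or descending (abcd, 4321)."""
    if re.search(r"(.)\1{%d,}" % (run - 1), secret):
        return True
    for i in range(len(secret) - run + 1):
        window = [ord(c) for c in secret[i:i + run]]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_memorized_secret(secret: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    lowered = secret.lower()
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(w in lowered for w in CONTEXT_WORDS):
        problems.append("contains a context-specific word")
    if any(w in lowered for w in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if has_repetitive_or_sequential(secret):
        problems.append("contains repetitive or sequential characters")
    if hashlib.sha1(secret.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a breach corpus")
    return problems


def hash_secret(secret: str, salt: Optional[bytes] = None) -> dict:
    """Salt and hash with scrypt, a memory-hard one-way KDF (parameters assumed)."""
    salt = salt or os.urandom(16)
    params = {"n": 2 ** 14, "r": 8, "p": 1}
    digest = hashlib.scrypt(secret.encode(), salt=salt, dklen=32, **params)
    return {"salt": salt, "hash": digest, **params}


class Verifier:
    """Enrolls secrets that pass policy and locks an account after
    MAX_FAILED_ATTEMPTS consecutive failures."""

    def __init__(self):
        self.records = {}  # username -> stored hash record
        self.failed = {}   # username -> consecutive failed attempts
        self.locked = set()

    def enroll(self, user: str, secret: str) -> None:
        problems = check_memorized_secret(secret)
        if problems:
            raise ValueError("; ".join(problems))
        self.records[user] = hash_secret(secret)
        self.failed[user] = 0

    def authenticate(self, user: str, secret: str) -> bool:
        if user in self.locked or user not in self.records:
            return False
        rec = self.records[user]
        candidate = hashlib.scrypt(secret.encode(), salt=rec["salt"], dklen=32,
                                   n=rec["n"], r=rec["r"], p=rec["p"])
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(candidate, rec["hash"]):
            self.failed[user] = 0
            return True
        self.failed[user] += 1
        if self.failed[user] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user)
        return False
```

Note that the breach check compares a digest of the candidate rather than storing plaintext breached passwords, and that the lockout counter resets only on a successful login; a banned-list hit at enrollment is rejected outright, which is how the "change immediately" requirement is met for new secrets.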
Where can Specops help?
Specops Password Policy makes it simple to enforce a strong password policy that meets the above standards. You can:
- Set passphrase requirements to help end users create and remember longer passwords. Dynamic feedback guides users to create strong, compliant passwords during the creation process.
- Embed CJIS-aligned length, rotation, and history rules directly in Active Directory with ready-made CJIS compliance templates that apply the correct password requirements without manual policy building.
- Have your Active Directory continuously scanned against our growing database of over 4 billion compromised passwords, with end users whose passwords are breached notified to change them immediately.
MFA requirements under CJIS
The CJIS Security Policy now requires MFA for all users accessing CJI, particularly for remote access scenarios. CJIS requires at least two of these three authentication factors:
- Something you know: Passwords, security codes, or personal identification numbers
- Something you have: Physical authenticators like USB keys, access cards, or mobile devices
- Something you are: Biometric identifiers such as facial recognition, iris scans, or fingerprints
It’s worth noting the policy treats remote access as higher risk and mandates stricter controls for any remote connection to CJI.
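As an added example (not Specops code, and not part of the CJIS policy), the block below shows a verifier-side possession factor for the "something you have" category using a time-based one-time password (RFC 6238) as generated by an authenticator app on a registered mobile device, plus the check that at least two distinct factor types were verified. The TOTP secret is the RFC 6238 test-vector secret, used here as constructed sample data; the one-step clock window and the replay rule (a code is accepted once per time step) are design choices assumed for the example.

```python
"""Possession factor (TOTP, RFC 6238) and the two-distinct-factors rule.

Added example, not Specops code. The secret below is the RFC 6238 test
vector, used as constructed sample data; acceptance window and replay
handling are assumptions for this example.
"""
import hashlib
import hmac
import struct

FACTOR_TYPES = {"know", "have", "are"}  # the three CJIS factor categories


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 of the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """What the authenticator app on the device displays at `for_time`."""
    return hotp(secret, int(for_time // step), digits)


class TotpVerifier:
    """Server side: checks a submitted code against the user's registered
    device secret, tolerating one step of clock drift and refusing replays."""

    def __init__(self, device_secrets: dict):
        self.device_secrets = device_secrets  # user -> shared secret bytes
        self.last_counter = {}                # user -> last accepted step

    def verify(self, user: str, submitted: str, now: float,
               step: int = 30, window: int = 1) -> bool:
        secret = self.device_secrets.get(user)
        if secret is None:
            return False
        counter = int(now // step)
        for c in range(counter - window, counter + window + 1):
            if c <= self.last_counter.get(user, -1):
                continue  # already consumed: a replayed code is rejected
            if hmac.compare_digest(hotp(secret, c), submitted):
                self.last_counter[user] = c
                return True
        return False


def satisfies_cjis_mfa(verified_types) -> bool:
    """True only when the verified factors span at least two different
    categories; a password plus a PIN is two 'know' factors, not MFA."""
    types = set(verified_types) & FACTOR_TYPES
    return len(types) >= 2


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret (sample data)
    gate = TotpVerifier({"deputy": secret})
    code = totp(secret, 59)           # device shows 287082 at t=59
    have_ok = gate.verify("deputy", code, 59)
    print("possession factor:", have_ok)
    print("MFA satisfied:", satisfies_cjis_mfa({"know", "have"} if have_ok else {"know"}))
```

The replay rule matters because a one-time code is only as strong as its single use: without recording the last accepted step, a code captured in transit stays valid for the rest of the drift window.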
Where can Specops help?
- Specops Secure Access elevates your MFA by letting you restrict logins to authentication factors that are more resistant to social engineering and phishing.
- Specops uReset gives users a self-service portal (protected by MFA) to unlock their Active Directory accounts securely. Every reset is logged, timestamped, and reportable, ticking the audit-trail box without a mountain of help-desk tickets.
- If you’re already using an MFA provider and want to add Specops Password Policy or uReset, the Specops authentication client integrates easily with your chosen MFA solution, creating a seamless experience that meets CJIS multi-factor requirements without complicating the login process.
Need support with CJIS compliance?
We’d be happy to walk you through where and how Specops can support you on your path to CJIS compliance – reach out to us here and an expert will be in touch.
(Last updated on October 13, 2025)