CJIS Password Policy Requirements
The Criminal Justice Information Services Division (CJIS) is a division of the FBI that provides a number of tools and services to law enforcement agencies around the country. Through systems like the National Crime Information Center (NCIC), Integrated Automated Fingerprint Identification System (IAFIS), and the National Instant Criminal Background Check System (NICS), CJIS helps agencies manage investigations, conduct background checks, and track criminal activity.
What is the CJIS security policy?
Given the sensitive nature of Criminal Justice Information (CJI), technical controls must be put in place to ensure that it does not end up in the wrong hands. The CJIS Security Policy sets the minimum requirements for all entities accessing this data, as well as guidelines to protect its transmission, storage, and generation. In particular, Section 5 of the policy details 13 key areas of security, including Identification and Authentication, which governs how access to CJI systems is managed.
This article focuses on the password requirements defined in Policy Area 6: Identification and Authentication, including both the Basic and Advanced Password Standards. It also covers recent updates — most notably from the CJIS Security Policy version 6.0 (effective October 1, 2024) — which introduce stronger password practices and require multifactor authentication.
Policy Area 6: Identification and Authentication
This area applies to systems that process, store, or transmit CJI. Each person with access to such a system must be uniquely identified. Passwords are listed as a standard authenticator for verifying that identity, and they carry a number of requirements, including:
Basic Password Standards
When agencies elect to follow the basic password standards, passwords shall:
- Be a minimum length of eight (8) characters on all systems.
- Not be a dictionary word or proper name.
- Not be the same as the Userid.
- Expire within a maximum of 90 calendar days.
- Not be identical to the previous ten (10) passwords.
- Not be transmitted in the clear outside the secure location.
- Not be displayed when entered.
2025 update: CJIS Security Policy v6.0
There have been some significant updates to the CJIS Security Policy since its last major revision in June 2019. The most recent version, v6.0, was released on December 27, 2024, and became effective on October 1, 2024. This update introduced several key changes, particularly in areas like password management and authentication.
1. Advanced Password Standards
A section called Advanced Password Standards (5.6.2.1.1.2) was introduced in 2019 as an alternative to the Basic Password Standards. If a password is used to verify an individual user, it must follow either the Basic or the Advanced Standards in full; options from the two separate lists cannot be combined or mixed.
As of 2025, password standards have been updated to align more closely with the latest Digital Identity Guidelines from the National Institute of Standards and Technology (NIST). The updated requirements include:
- Minimum password length: Passwords must be at least 20 characters long, with no additional complexity requirements.
- Banned password list: Verifiers must maintain a list of “banned passwords” that includes commonly used, expected, or compromised passwords.
- Password change protocol: If a password is found on the banned list, the user must be advised to select a different password.
- Authentication attempts: Limit the number of failed authentication attempts to prevent unauthorized access.
- Password expiration: Passwords must be changed every 365 days, or immediately if there is evidence of compromise.
- Secure transmission: Passwords must be transmitted over encrypted and authenticated channels to protect against eavesdropping and man-in-the-middle attacks.
- Secure storage: Passwords must be stored in a manner resistant to offline attacks by salting and hashing the password using a one-way key derivation function.
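The following is an added example, not code from CJIS, NIST or Specops: a small Python verifier that encodes the Basic Password Standards list above and the Advanced Standards list as two policy profiles and exercises the controls both lists describe (minimum length, not the userid, blocked or banned words, password history, failed-attempt limiting, rotation and forced change on compromise, and salted one-way KDF storage). The lockout threshold of five attempts, the blocked-word list and the user records are constructed assumptions; the article gives no numbers for them.

```python
"""Added example (not CJIS or Specops code): a password verifier that encodes the
Basic and Advanced Password Standards as policy profiles. The lockout threshold,
blocked-word list and user records are constructed assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample list. Under the Basic standard it stands in for the
# "dictionary word or proper name" check; under the Advanced standard it plays
# the role of the banned list (normally a large corpus of compromised passwords).
BLOCKED_WORDS = {"password", "letmein", "qwertyuiop", "correcthorsebatterystaple"}
SALT_LEN = 16


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    max_age_days: int          # forced rotation interval
    history_depth: int         # previous passwords that may not be reused (0 = no check)
    max_failed_attempts: int   # consecutive failures before lockout (assumed value)


# Profiles taken from the two lists in the article; the lockout value is assumed.
BASIC = PasswordPolicy(min_length=8, max_age_days=90, history_depth=10, max_failed_attempts=5)
ADVANCED = PasswordPolicy(min_length=20, max_age_days=365, history_depth=0, max_failed_attempts=5)


@dataclass
class UserRecord:
    userid: str
    password_hash: bytes               # salt || scrypt output, never the password itself
    changed_at: datetime
    previous_hashes: List[bytes] = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False
    compromised: bool = False          # set when there is evidence of compromise


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted one-way KDF (scrypt), as the 'secure storage' requirement asks for."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    derived = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt + derived


def verify_hash(password: str, stored: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, stored[:SALT_LEN]), stored)


def evaluate_new_password(policy, userid, candidate, previous_hashes) -> List[str]:
    """Return the rule violations; an empty list means the candidate is acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if candidate.lower() == userid.lower():
        problems.append("same as the userid")
    if candidate.lower() in BLOCKED_WORDS:
        problems.append("appears on the blocked/banned password list")
    recent = previous_hashes[-policy.history_depth:] if policy.history_depth else []
    if any(verify_hash(candidate, old) for old in recent):
        problems.append(f"matches one of the previous {policy.history_depth} passwords")
    return problems


def create_user(userid, password, now) -> UserRecord:
    return UserRecord(userid=userid, password_hash=hash_password(password), changed_at=now)


def change_password(policy, user, new_password, now) -> List[str]:
    """Apply the policy; on success rotate the hash and keep the old one for history checks."""
    history = user.previous_hashes + [user.password_hash]
    problems = evaluate_new_password(policy, user.userid, new_password, history)
    if problems:
        return problems
    user.previous_hashes.append(user.password_hash)
    user.password_hash = hash_password(new_password)
    user.changed_at = now
    user.compromised = False
    return []


def authenticate(policy, user, password, now) -> str:
    """Return 'ok', 'denied', 'locked' or 'change_required'."""
    if user.locked:
        return "locked"
    if not verify_hash(password, user.password_hash):
        user.failed_attempts += 1        # limit failed attempts, then lock the account
        if user.failed_attempts >= policy.max_failed_attempts:
            user.locked = True
            return "locked"
        return "denied"
    user.failed_attempts = 0
    expired = now - user.changed_at > timedelta(days=policy.max_age_days)
    if expired or user.compromised:      # rotate on schedule, or at once on evidence of compromise
        return "change_required"
    return "ok"
```

The two profiles differ only in their parameters, which is the point of the comparison: the Advanced profile trades the 90-day rotation and history rules for a long minimum length, a banned list and a 365-day rotation, while the storage and attempt-limiting logic is identical for both.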
2. Multifactor Authentication (MFA)
As of October 1, 2024, the CJIS Security Policy mandates that all agencies accessing Criminal Justice Information (CJI) must implement multifactor authentication (MFA). MFA must include two of the following three factors:
- Something you know: Passwords, security codes, or personal identification numbers.
- Something you have: Physical authenticators such as USBs, access cards, or mobile devices.
- Something you are: Biometric identifiers such as facial recognition, iris scans, or fingerprints.
This change aims to enhance security by adding an additional layer of protection against unauthorized access.
Agencies accessing CJI should review the latest CJIS Security Policy v6.0 to ensure compliance with the latest standards.
Meet CJIS password requirements with Specops Password Policy
If you find yourself needing to comply with the CJIS standards, make sure that your password policy is up to the challenge. Remember, every law enforcement agency that uses CJIS is audited at least once every three years. If your organization fails to adhere to the CJIS Security Policy it risks losing access to the CJIS database. Luckily, Specops Password Policy can address your password requirements.
Specops Password Policy simplifies compliance with modern password standards by helping you enforce banned password rules directly in Active Directory. With built-in Breached Password Protection, the solution automatically checks user passwords against a continuously updated list of compromised credentials curated by Specops. If a user selects a known leaked password during a change, they’re instantly alerted and required to choose a safer alternative.
Stay ahead of threats and block weak passwords with a solution designed for seamless integration and proactive protection. Try Specops Password Policy for free today.
Benefits of Specops Password Policy for CJIS compliance
- Scan your Active Directory daily against an evolving list of over 4 billion known breached passwords
- Create an unlimited custom dictionary of blocked words unique to your organization
- Real-time, dynamic feedback at password change with the Specops Authentication client
- Quickly create and enforce password policies that comply with regulations including NIST, CJIS, NCSC and ANSSI
- Our client supports wrapping, making it easy to pair with your chosen MFA solution
Interested in finding out how Specops Password Policy could help you comply with regulations and strengthen your cybersecurity? Request a live demo.
(Last updated on June 11, 2025)