CJIS Password Policy Requirements
(Last updated on September 26, 2019)
This blog provides an overview of the CJIS Password Policy requirements.
The Criminal Justice Information Services Division (CJIS) is a division of the FBI that provides a number of tools and services to law enforcement agencies around the country. It is also the central repository for Criminal Justice Information (CJI), incorporating key departments like the National Crime Information Center (NCIC), Integrated Automated Fingerprint Identification System (IAFIS), and National Instant Criminal Background Check System (NICS). The CJIS database provides all necessary information for detaining criminals, performing background checks, and tracking criminal activity.
Given the sensitive nature of CJI, technical controls must be put in place to ensure that it does not end up in the wrong hands. The CJIS Security Policy sets the minimum requirements for all entities accessing this data, as well as guidelines to protect its transmission, storage, and generation.
To address the technical implementation of the CJIS Security Policy, start with Section 5: Policy and Implementation. The section contains 13 policy areas: Information Exchange Agreements, Security Awareness Training, Incident Response, Auditing and Accountability, Access Control, Identification and Authentication, Configuration Management, Media Protection, Physical Protection, System and Communications Protection and Information Integrity, Formal Audits, Personnel Security, and Mobile Devices.
This blog will focus on the role of passwords in the CJIS policy as addressed in Policy Area 6: Identification and Authentication. This area applies to systems that process, store, or transmit CJI. Each person with access to such a system must be uniquely identified. Passwords are listed as a standard authenticator during the identification process, with a number of requirements, including:
Basic Password Standards
When agencies elect to follow the basic password standards, passwords shall:
- Be a minimum length of eight (8) characters on all systems.
- Not be a dictionary word or proper name.
- Not be the same as the Userid.
- Expire within a maximum of 90 calendar days.
- Not be identical to the previous ten (10) passwords.
- Not be transmitted in the clear outside the secure location.
- Not be displayed when entered.
In June 2019, CJIS updated its password requirements: a new section, Advanced Password Standards, was introduced as an alternative to the Basic Password Standards. If a password is used to verify an individual user, it must follow either the Basic or the Advanced Standards in full; agencies may not mix or pick individual requirements from the two separate lists.
Advanced Password Standards
The Advanced Password Standards are closely aligned with the latest Digital Identity Guidelines from NIST. Similar to NIST, the requirements include increasing the minimum password length to 20 characters (with no additional complexity requirements), and not permitting specific types of information (e.g., “What was the name of your first pet?”) when choosing a password. There is also the shared requirement for maintaining a list of “banned passwords” with values known to be commonly used, expected, or compromised. This may include passwords obtained from previous breaches. During a password change, the prospective password must be compared against the banned password list, and the user must be required to select a different password if a match is found. For the complete Advanced Password Standards, please refer to the CJIS Security Policy.
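The change-time checks from the Basic list above (length, user ID, dictionary, history, 90-day expiry) and the Advanced list (20-character minimum, banned-password comparison) as an added Python example; this is illustrative code, not Specops or CJIS code, and the dictionary and banned list are small constructed stand-ins for the real word lists and breach-derived blocklist an agency would load.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed stand-ins (assumption): a real deployment loads a full dictionary and a
# breach-derived banned list and matches them case-insensitively after normalisation.
DICTIONARY = {"sunshine", "baseball", "michael", "password"}
BANNED = {"password", "123456", "qwerty", "welcome1", "letmein", "sunshine2019"}
MAX_AGE = timedelta(days=90)   # Basic: expire within a maximum of 90 calendar days
HISTORY_DEPTH = 10             # Basic: not identical to the previous ten passwords

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest, so the history never stores plaintext."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def in_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH (salt, digest) entries."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history[-HISTORY_DEPTH:])

def expired(last_changed: date, today: date) -> bool:
    """Basic standard: a password older than MAX_AGE must be changed."""
    return today - last_changed > MAX_AGE

def check_basic(password: str, userid: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Basic Password Standards enforceable at change time; an empty list means accepted."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if password.lower() == userid.lower():
        problems.append("same as the user ID")
    if password.lower() in DICTIONARY:
        problems.append("dictionary word or proper name")
    if in_history(password, history):
        problems.append("matches one of the previous 10 passwords")
    return problems

def check_advanced(password: str, banned=BANNED) -> List[str]:
    """Advanced Password Standards: 20+ characters and not on the banned list."""
    problems = []
    if len(password) < 20:
        problems.append("shorter than 20 characters")
    if password.lower() in banned:
        problems.append("found in banned password list")
    return problems
```

The two requirements that cannot be checked here, not transmitting the password in the clear and not displaying it when entered, are properties of the transport and the login UI rather than of the chosen value.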
Specops Password Policy makes it easy to maintain a list of banned passwords. The solution offers a password blacklisting service that integrates with Active Directory. A list of leaked passwords is curated by Specops Software and is updated regularly in response to new leaks. During a password change in Active Directory, the service will block and notify users if the password they have chosen is found in a list of leaked passwords. Specops Password Policy keeps out vulnerable passwords, and complies with the latest password banning guidelines.
If you find yourself needing to comply with the CJIS standards, make sure that your password policy is up to the challenge. Remember, every law enforcement agency that uses CJIS is audited at least once every three years. If your organization fails to adhere to the CJIS Security Policy it risks losing access to the CJIS database. Luckily, Specops Password Policy can address your password requirements.