CJIS Password Policy Requirements
The Criminal Justice Information Services Division (CJIS) is a division of the FBI that provides tools and services to law enforcement agencies around the country. Through systems like the National Crime Information Center (NCIC), Integrated Automated Fingerprint Identification System (IAFIS), and the National Instant Criminal Background Check System (NICS), CJIS helps agencies manage investigations, conduct background checks, and track criminal activity.
This article focuses on the password requirements defined in Policy Area 6: Identification and Authentication. It also covers recent updates — most notably from the CJIS Security Policy version 6.0 — which introduce stronger password practices and require multifactor authentication (MFA).
2025 update: Identification and Authentication in CJIS Security Policy v6.0
There have been some significant updates to the CJIS Security Policy since its last major revision in June 2019. The most recent version, v6.0, was released on December 27, 2024. This update introduced several key changes, particularly in areas like password management and authentication.
IA-5 (Authenticator Management) is a Priority 1 (P1) control, which means that measures must be implemented immediately for compliance.
1. Password requirements
As of 2025, password standards have been updated to align more closely with the latest Digital Identity Guidelines from the National Institute of Standards and Technology (NIST). The updated requirements include:
- Minimum length: Memorized secrets (passwords and/or PINs) must be at least 8 characters with no additional complexity requirements, or 6 characters if chosen by the verifier. However, at Specops we would recommend going well above this minimum and enforcing passphrases of 15 characters or more.
- Banned password list: Systems must maintain and check against a list of context-specific words, dictionary words, repetitive or sequential characters, and passwords obtained from previous breach corpuses.
- Password change protocol: Users must immediately change passwords found on the banned list.
- Authentication attempts: Users have a maximum of 5 failed login attempts, to limit brute-force attacks.
- Password expiration: Passwords must expire immediately if found to be compromised, and may be allowed to expire after 365 days.
- Secure transmission: Passwords must travel over encrypted and authenticated channels.
- Secure storage: Passwords must be salted and hashed using a one-way key derivation function.
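As an added illustration (not part of the original article and not Specops product code), the following Python sketches the checks listed above: the 8-character minimum, a banned-list check covering a breach corpus, context-specific words and repetitive or sequential characters, salted storage with a one-way KDF, and a 5-attempt lockout. The banned lists, context words and account names are constructed placeholders.

```python
import hashlib
import hmac
import os
# Constructed sample lists; a real deployment loads a maintained breach corpus.
BREACHED = {"password123", "qwerty", "letmein"}
CONTEXT_WORDS = {"cjis", "ncic", "sheriff"}   # assumed agency/system names
MIN_LENGTH = 8            # policy minimum for user-chosen secrets
MAX_FAILED_ATTEMPTS = 5   # lockout threshold from the policy
def is_repetitive_or_sequential(pw, run=4):
    """True for runs such as 'aaaa', '1234' or 'dcba' of length >= run."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def check_password(pw):
    """Return the list of policy violations; an empty list means acceptable."""
    low, problems = pw.lower(), []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if low in BREACHED:
        problems.append("found in breach corpus")
    if any(word in low for word in CONTEXT_WORDS):
        problems.append("contains context-specific word")
    if is_repetitive_or_sequential(pw):
        problems.append("repetitive or sequential characters")
    return problems

def hash_password(pw, salt=None):
    """Store only a salted, one-way KDF output; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 600_000)

def verify_password(pw, salt, digest):
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)  # constant-time

class LoginGuard:
    def __init__(self):
        self.failed = {}  # per-account count of consecutive failed logins
    def attempt(self, user, credential_ok):
        if self.failed.get(user, 0) >= MAX_FAILED_ATTEMPTS:
            return "locked"  # stays locked until an administrator resets it
        if credential_ok:
            self.failed[user] = 0
            return "ok"
        self.failed[user] = self.failed.get(user, 0) + 1
        return "locked" if self.failed[user] >= MAX_FAILED_ATTEMPTS else "denied"
```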
2. Multifactor Authentication (MFA)
As of the latest release, the CJIS Security Policy mandates that all agencies accessing Criminal Justice Information (CJI) must implement multifactor authentication (MFA). MFA must include two of the following three factors:
- Something you know: Passwords, security codes, or personal identification numbers.
- Something you have: Physical authenticators such as USB keys, access cards, or mobile devices.
- Something you are: Biometric identifiers such as facial recognition, iris scans, or fingerprints.
You can read more about the CJIS MFA requirements in our guide. Agencies accessing CJI should review the latest CJIS Security Policy v6.0 to ensure compliance with the latest standards, especially for P1 requirements.
What is the CJIS security policy?
Given the sensitive nature of Criminal Justice Information (CJI), technical controls must be put in place to ensure that it does not end up in the wrong hands. The CJIS Security Policy sets the minimum requirements for all entities accessing this data, as well as guidelines to protect its transmission, storage, and generation. In particular, Section 5 of the policy details 19 key areas of security, including Identification and Authentication, which governs how access to CJI systems is managed.
Who needs to comply with the CJIS security policy?
Any organization that accesses, stores, processes, or transmits Criminal Justice Information (CJI) must comply with the CJIS Security Policy. This includes:
- Law enforcement agencies (local, state, tribal, and federal)
- Courts and judicial offices
- Prosecutors’ offices
- Public safety agencies
- Government departments handling criminal justice data
If your systems touch CJI in any way, CJIS compliance is mandatory, not optional. P1 requirements, such as IA-5 (Authenticator Management), must be implemented immediately. P2 requirements like IA-3 (Device Identification and Authentication), as well as those designated P3 and P4, must be implemented by September 30, 2027.
Why is the CJIS security policy important?
The CJIS Security Policy is important because it protects Criminal Justice Information (CJI), which includes highly sensitive data. The average cost of a data breach is $4.4 million; strong authentication is a necessary safeguard.
Analysis of more than 6 billion breached passwords highlights how credential abuse remains a popular attack route for bad actors. Strong password policies won’t stop every threat, but they significantly reduce the likelihood of a breach, especially for organizations handling sensitive data where the stakes are much higher.
What happens if an organization fails to meet CJIS password requirements?
Failure to meet CJIS password requirements can result in:
- Audit findings and remediation requirements
- Suspension of access to CJIS systems
- Contract termination for vendors
- Increased exposure to cyberattacks
- Reputational damage
CJIS compliance is typically validated through state or federal audits. Password controls are one of the most frequently reviewed areas.
Meet CJIS password requirements with Specops Password Policy
If you find yourself needing to comply with the CJIS standards, make sure that your password policy is up to the challenge. Remember, every law enforcement agency that uses CJIS is audited at least once every three years. If your organization fails to adhere to the CJIS Security Policy it risks losing access to the CJIS database. Luckily, Specops Password Policy can address your password requirements.
Specops Password Policy simplifies compliance with CJIS P1 requirements by helping you enforce banned password rules directly in Active Directory. With built-in Breached Password Protection, the solution automatically checks user passwords against a continuously updated list of compromised credentials curated by Specops. If a user selects a known leaked password during a change, they’re instantly alerted and required to choose a safer alternative.
Stay ahead of threats and block weak passwords with a solution designed for seamless integration and proactive protection. Other benefits of Specops Password Policy for CJIS compliance include:
- Scan your Active Directory daily against a continuously updated list of over 5 billion known breached passwords
- Create an unlimited custom dictionary of blocked words unique to your organization
- Real-time, dynamic feedback at password change with the Specops Authentication client
- Quickly create and enforce password policies that comply with regulations including NIST, CJIS, NCSC, and ANSSI
- Our client supports wrapping, making it easy to pair with your chosen MFA solution
Interested in finding out how Specops Password Policy could help you comply with regulations and strengthen your cybersecurity? Request a live demo.
Last updated on March 9, 2026