
A Guide to CJIS Password Compliance

The FBI’s Criminal Justice Information Services Division, known as CJIS, regulates and protects criminal justice information. Established in 1992, it represents the largest division in the FBI. Since it grants government agencies access to sensitive information such as fingerprint records and criminal background history, the data must be protected.

Below is a guide to the password requirements and some ways to meet them. It reflects the latest version, 5.9, released June 1st, 2020. You can find the complete list of CJIS compliance guidelines here.

When agencies use a password as the authenticator for an individual’s unique ID, they shall either use the basic password standards in 5.6.2.1.1.1 or follow the advanced password standards in 5.6.2.1.1.2.

NOTE: “There is no option to combine or select particular options between the two separate lists below.”

5.6.2.1.1.1 Basic Password Standards

When agencies choose to follow the basic password standards, passwords must:

  • Be at least eight characters long
  • Not repeat any of the last ten (10) passwords
  • Be changed within a maximum of ninety (90) days
  • Not be the username
  • Not contain a word from the dictionary
  • Not be viewable on the screen when typed
  • Not be transmitted outside secure locations

The nFront Password Filter allows you to have up to 10 different password policies in the same Windows domain. Each policy can be associated with one or more security groups and/or OUs. You can use different custom dictionaries for different password policies, and we have a new updated global dictionary with full customization.

Checking how many employee accounts are protected by weak passwords can be scary, but we have a tool that shows exactly who is using them. Check out the free nFront Weak Password Scanner.

5.6.2.1.1.2 Advanced Password Standards

When agencies choose added security and follow the advanced password standards, there are nine stricter guidelines to follow. In summary, these rules are:

  • Increase the minimum length to twenty (20) characters
  • Do not allow password hints
  • Maintain a banned password list that also rejects repetitive characters
  • Notify any user whose chosen password is on the banned list, and tell them why it was rejected
  • Limit failed login attempts
  • Require a password change once per year, or sooner if there is evidence it has been compromised
  • Use encryption and an authenticated protected channel
  • Store passwords only as a salted hash produced by a one-way key derivation function, to resist offline attacks. The stored salt and hash values must themselves be protected using a password or PIN.
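As an added illustration (not code from the page or from nFront), the Python below applies the checks listed in both standards to a candidate password and stores accepted passwords the way the last rule describes. It assumes PBKDF2-HMAC-SHA256 as the key derivation function, treats three identical characters in a row as “repetitive”, and uses constructed dictionary and banned lists; the `check_password`, `record_password` and `hash_password` names are the example’s own.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256 work factor (illustrative choice)
HISTORY_DEPTH = 10     # "prevent reuse of the last ten passwords"
MIN_LENGTH = 8         # basic standard; the advanced standard raises this to 20

# Constructed sample word lists standing in for a real dictionary and banned list.
DICTIONARY = {"password", "welcome", "summer", "sheriff"}
BANNED = {"qwerty123456", "letmein2020"}
# Assumption: "repetitive characters" means the same character three or more times in a row.
REPEATS = re.compile(r"(.)\1\1")


def hash_password(password, salt=None):
    """Salt and hash with a one-way KDF; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def matches_stored(password, salt, digest):
    """Constant-time comparison of a candidate against one stored (salt, digest)."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_password(candidate, username, history, min_length=MIN_LENGTH):
    """Return the policy rules the candidate violates (empty list means accepted),
    so the user can be told exactly why a password was rejected."""
    reasons = []
    low = candidate.lower()
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if low == username.lower():
        reasons.append("equals the username")
    if any(word in low for word in DICTIONARY):
        reasons.append("contains a dictionary word")
    if low in BANNED:
        reasons.append("appears on the banned password list")
    if REPEATS.search(candidate):
        reasons.append("contains repetitive characters")
    if any(matches_stored(candidate, s, d) for s, d in history):
        reasons.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return reasons


def record_password(password, history):
    """Append the new password's (salt, digest) and keep only the last HISTORY_DEPTH."""
    return (history + [hash_password(password)])[-HISTORY_DEPTH:]
```

Because only salts and digests are kept, the reuse check recomputes the KDF with each stored salt rather than comparing plaintext, so old passwords never need to be stored in recoverable form.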

nFront helps numerous government agencies, including law enforcement, fulfill the CJIS password requirements. Contact us today to help your team!
