CJIS password requirements

What is CJIS?

The Criminal Justice Information Services Division (CJIS) is a division of the Federal Bureau of Investigation of the US that sets standards and appropriate controls to protect, transmit, store, and access criminal justice information (CJI). The CJIS enables law enforcement professionals to access and share critical CJI including biometrics, identity history information, and case history. Any organization with access to CJI in any of its forms must ensure that they comply with mandated CJIS regulations.

What are the CJIS password requirements?

To be CJIS-compliant, organizations must enforce the password policy requirements that section 5.6.2.1.1 of the CJIS Security Policy mentions. This section specifies requirements for all domain user passwords used to log in to the system through which CJI can be accessed. The requirements state that passwords should:

1. Be a minimum of eight characters.
2. Not be dictionary words.
3. Not be the same as the username.
4. Expire within a maximum of 90 days.
5. Not be identical to the previous 10 passwords.
6. Not be transmitted outside the secure location.
7. Not be displayed when entered.

Compliance with CJIS standards made easy with ADSelfService Plus

ADSelfService Plus offers advanced password policy settings that ensure your company complies with the requirement of CJIS. You can create a custom password policy that meets all the CJIS requirements and enforce it for all or specific AD users based on their domain, OU, or group membership. Below are some of the settings that ADSelfService Plus' Password Policy Enforcer offers:

1. Ban dictionary words and patterns: Blocklist leaked or weak AD passwords, patterns, dictionary words, and palindromes.
2. Restrict characters from usernames: Restrict specific or repeated characters from a username.
3. Enforce password history: Ensure password strength by preventing the use of previous passwords during native password resets in the Active Directory Users and Computers console.
4. Set a custom password length: Enforce longer passwords for Windows domain users by specifying the minimum password length.
5. Increase password strength: Restrict users from using copy and paste in the password field. Help users pick strong passwords using the Password Strength Analyzer, which indicates password strength.

Password Policy Enforcer

Benefits of using ADSelfService Plus to comply with CJIS mandates

1. Enforce OU- and group-based policies: Granularly enforce multiple password policies in the same AD domain based on OU and group memberships.
2. Increased password security: Enforce passphrases, and restrict consecutively repeated characters and common character types from passwords.
3. Create custom templates: Utilize advanced password policy settings to create multiple password policies that comply with the PCI DSS, HIPAA, NIST SP 800-63B, SOX, and CJIS standards.
4. Notify users about password expiry: Use password expiration notifications and ensure that users promptly change their passwords once every 90 days.