Best practices for passwords, MFA & access control

Imagine your organization has just won a contract to handle sensitive law-enforcement data – you might be a cloud provider, a software vendor, or an analytics firm. It won’t be long before CJIS is top of mind.

You know the FBI’s Criminal Justice Information Services Security Policy governs how criminal histories, fingerprints, and investigation files must be protected, but beyond that, it all feels a bit opaque.

Whether you’re a veteran security pro or new to the world of criminal-justice data, understanding CJIS compliance is critical. We’ll start by exploring the origin and purpose of CJIS: why it exists, and why it matters to every organization that comes anywhere near criminal-justice information.

Then we’ll pay special attention to the pillars of identity (passwords, multifactor authentication, and strict access controls) and how to embed those controls seamlessly into your environment.

What is CJIS?

CJIS traces its roots to the late 1990s, when the FBI consolidated various state and local criminal databases into a single, nationwide system. Today, it serves as the nerve center for sharing biometric data, criminal histories, and tactical intelligence across federal, state, local, and tribal agencies.

At its core, the CJIS Security Policy exists to ensure that every party touching this data (government or private contractor alike) adheres to a uniform standard of security. When you think “CJIS,” think “unbreakable chain of custody,” from the moment data leaves a patrol car’s mobile terminal until it’s archived in a forensic lab.

Who needs to comply?

You might assume CJIS concerns only police departments, as it’s the FBI’s policy. In reality, the net is much wider:

• Law-enforcement agencies (SLTF): Every state, local, tribal, and federal agency that stores or queries criminal-justice information.
• Third-Party Vendors and Integrators: If your software ingests, processes, or stores CJIS data (records-management systems, background-check services, cloud-hosting providers) you fall under the policy’s umbrella.
• Multi-jurisdictional task forces: Even temporary coalitions sharing access across different agencies must comply for the duration of their collaboration.

Bottom line: if your systems ever see fingerprints, rap sheets, or dispatch logs, CJIS applies.

Key requirements

CJIS touches many domains (physical security, personnel background checks, incident response) but its beating heart is identity and access management. When the FBI audits your environment, they want to know three things: Who accessed what? How did they prove who they were? And were they allowed to see it? Let’s walk through the story:

• Unique identities & unquestionable accountability: Every individual should have their own user ID. Generic or shared accounts are forbidden. This helps with tracing actions back to specific people.
• Strong passwords: CJIS calls for at least 12-character passwords, blending uppercase, lowercase, numbers, and symbols. However, at Specops we recommend going further and enforcing 16+ character passphrases. CJIS also requires you to enforce history (no reusing the last 24 passwords) and lock out accounts after no more than five failed attempts.
• MFA as another layer of defense: A password alone is no longer sufficient. CJIS requires two factors for any non-console access: something you know (your password) plus something you have (a hardware token, phone authenticator, etc.). By separating those factors, you dramatically reduce the risk of compromised credentials.
• Least privilege and quarterly recertifications: Grant only the permissions each user needs to do their job, and no more. Then, every 90 days, pull together your system owners and review who still needs what access. Users change roles, projects end, and inactive accounts accumulate risk.
• Audit trails and immutable logs: Logging every authentication event, privilege change, and data query is non-negotiable. CJIS mandates at least 90 days of on-site log retention, plus one year off-site. That way, if you need to reconstruct an incident or answer an auditor’s question, your logs tell the full story without gaps.
• Encryption and network segmentation: Data must travel and rest under a cloak of FIPS-validated cryptography: TLS 1.2+ for in-flight data, AES-256 for storage. Beyond encryption, segregate your CJIS environment from the rest of your corporate network. Firewalls, VLANs, or air-gapped enclaves keep your most sensitive systems insulated from everyday operations.

Consequences of non-compliance

Picture this: a breached set of credentials leaves a CJIS database open to the internet. A hacker exploits it, meaning fingerprints and criminal histories of thousands are compromised overnight.

The fallout is swift:

• CJIS access suspended: The FBI can yank your agency’s connection, halting investigations.
• Regulatory scrutiny & fines: State and federal bodies may levy penalties, and civil suits can follow.
• Reputational damage: News of a breach erodes public trust in your company’s capabilities.

Get CJIS right with third party tools

Compliance isn’t just about ticking boxes. it’s about embedding security deeply into your processes, so you can prove it at audit time and fend off attacks day to day.

Here’s how Specops can simplify your CJIS journey:

• Specops Password Policy makes it simple to enforce a strong password policy. It embeds CJIS-approved complexity, rotation, and history rules directly in Active Directory. Your Active Directory will also be continuously scanned against a database of 4 billion compromised passwords, notifying end users with breached passwords to immediately change.
• Specops Secure Access elevates your MFA game with authentication factors that are less resistant for social engineering and phishing.
• Specops uReset gives users a self-service portal (protected by MFA) to unlock their AD accounts securely. Every reset is logged, timestamped, and reportable, ticking the audit-trail box without a mountain of help-desk tickets.

These solutions share a common theme: they dovetail with your existing Active Directory estate, minimize administrative overhead, and give you clear, auditable evidence of CJIS-compliant controls.

Want to know Specops products could fit in with your organization? Get in touch and we’ll arrange a demo.

Sponsored and written by Specops Software.