The Criminal Justice Information Services Division (CJIS) is a division of the Federal Bureau of Investigation of the United States that sets standards and appropriate controls to protect, transmit, store, and access criminal justice information (CJI). The CJIS enables law enforcement professionals to access and share critical CJI, including biometrics, identity history information, and case history. Any organization with access to CJI in any of its forms must ensure that it complies with the mandated CJIS regulations.

To be CJIS compliant, organizations must enforce the password and authentication requirements specified in CJIS Security Policy v5.9.1. The following table lists these requirements and explains how ADSelfService Plus helps your organization comply with them.
| CJIS requirement | Requirement description | How ADSelfService Plus helps meet the requirement |
|---|---|---|
| Section 5.5.2.2 | System access control: Prevent multiple concurrent active sessions for one user identification, for those applications accessing CJI, unless the agency grants authority based upon operational business needs. | ADSelfService Plus prevents a single user from having multiple concurrent active sessions. |
| Section 5.5.2.2 | System access control: Ensure that only authorized personnel can add, change, or remove component devices, dial-up connections, and remove or alter programs. | ADSelfService Plus performs identity verification using strong authentication factors before allowing authorized users to modify necessary settings in the system. |
| Section 5.5.3 | Unsuccessful login attempts: Where technically feasible, the system shall enforce a limit of no more than five consecutive invalid access attempts by a user (attempting to access CJI or systems with access to CJI). The system shall automatically lock the account for a ten-minute period unless released by an administrator. | ADSelfService Plus allows you to configure the number of failed logon attempts that are allowed for users within a specified time. You can also configure the lockout duration and whether admin intervention is required to unlock users. |
| Section 5.5.6 | Remote access: The agency shall authorize, monitor, and control all methods of remote access to the information system. | ADSelfService Plus provides MFA for remote access sessions, which can be applied either at the client or target machine level. It employs strong authenticators such as biometrics, YubiKey, and TOTPs. |
| Section 5.6.1 | Identification policy and procedures: Each person who is authorized to store, process, and/or transmit CJI shall be uniquely identified. A unique identification shall also be required for all persons who administer and maintain the system(s) that access CJI or networks leveraged for CJI transit. | ADSelfService Plus uniquely stores and identifies each user, assigning authenticators individually for each user. It prohibits the sharing of authentication factors among multiple users. |
| Basic password standards | | |
| Section 5.6.2.1.1.1 | Passwords shall be a minimum length of eight characters on all systems. | With ADSelfService Plus' Password Policy Enforcer, you can customize the minimum password length to be eight characters or more, depending on your requirement. You can also customize the maximum password length as needed. |
| Section 5.6.2.1.1.1 | Passwords shall not be a dictionary word or proper name. | ADSelfService Plus allows you to restrict users from utilizing dictionary words, palindromes, and predictable patterns while setting new passwords. By integrating with Have I Been Pwned?, a breached password database, it ensures that your users do not set weak or compromised passwords during password resets and changes. |
| Section 5.6.2.1.1.1 | Passwords shall not be the same as the user ID. | ADSelfService Plus allows you to restrict users from utilizing repeated characters as well as consecutive characters from usernames and old passwords while setting new passwords. |
| Section 5.6.2.1.1.1 | Passwords shall expire within a maximum of 90 calendar days. | ADSelfService Plus provides customizable password expiration notifications that can be scheduled to remind users about their impending password expiration every 90 days. |
| Section 5.6.2.1.1.1 | Passwords shall not be identical to the previous ten passwords. | ADSelfService Plus allows you to specify the number of previous passwords that a user cannot repeat while choosing a new password. |
| Section 5.6.2.1.1.1 | Passwords shall not be displayed when entered. | ADSelfService Plus does not display passwords by default when entered but gives users the option to view them, if required. |
| Advanced password standards | | |
| Section 5.6.2.1.1.2 | Passwords shall be a minimum of twenty characters in length with no additional complexity requirements imposed (e.g., ASCII characters, emojis, all keyboard characters, and spaces will be acceptable). | ADSelfService Plus allows you to customize the minimum password length to be twenty characters or more, depending on your requirement. |
| Section 5.6.2.1.1.2 | Password verifiers shall not permit the use of a stored “hint” for forgotten passwords and/or prompt subscribers to use specific types of information when choosing a password. | ADSelfService Plus can be configured to not provide password hints for users during identity verification. |
| Section 5.6.2.1.1.2 | Verifiers shall maintain a list of “banned passwords” that contains values known to be commonly-used, expected, or compromised. For example, the list may include, but is not limited to: During user password creation, change, or reset requests, verifiers shall compare prospective passwords against the “banned passwords” list and advise that users choose a different password if a match is identified. | ADSelfService Plus allows you to restrict users from utilizing dictionary words, palindromes, predictable patterns, repeated characters, and consecutive characters from usernames and old passwords while setting new passwords. By integrating with Have I Been Pwned?, a breached password database, it ensures that your users do not set weak or compromised passwords during password resets and changes. |
| Section 5.6.2.1.1.2 | Verifiers shall force a password change annually or if there is evidence of an authenticator compromise. | ADSelfService Plus does not encourage frequent or periodic end-user password changes but allows admins to trigger an automatic password reset action for users with potentially compromised passwords. |
| Section 5.6.2.2 | When user-based certificates, such as smart cards, software tokens, hardware tokens, biometric systems, and public key infrastructure (PKI) certificates, are used for authentication, they must be specific to an individual user and not be shared between multiple users. | ADSelfService Plus assigns authentication factors, like security tokens, smart cards, and PKI certificates, uniquely to individual users and prohibits their sharing among multiple users. |
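The per-password checks from Sections 5.6.2.1.1.1 and 5.6.2.1.1.2 (minimum length, not the user ID, not on the banned list, not one of the previous ten passwords), written out as an added example verifier; this is illustrative code, not ADSelfService Plus' implementation. The banned list is a small constructed stand-in for a dictionary or breach feed such as Have I Been Pwned?, and the password history is assumed to be stored as salted PBKDF2 hashes rather than plaintext.

```python
"""Verifier for the CJIS password rules listed above (added example)."""
import hashlib
import hmac
import os

# Constructed banned list: dictionary words, proper names and known-compromised
# values. In production this would be a dictionary plus a breach corpus.
BANNED = {"password", "welcome", "letmein", "qwerty", "michael", "summer2023"}
HISTORY_DEPTH = 10   # Section 5.6.2.1.1.1: not identical to the previous ten
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 so the history never holds plaintext passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Re-derive the candidate with each stored salt; constant-time compare."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history[-HISTORY_DEPTH:])


def check_password(candidate: str, user_id: str,
                   history: list[tuple[bytes, bytes]],
                   advanced: bool = False) -> list[str]:
    """Return the rules the candidate violates; an empty list means acceptable."""
    problems = []
    # Basic standard (5.6.2.1.1.1) needs 8 characters; advanced (5.6.2.1.1.2)
    # needs 20 with no further complexity rules, so length is the only gate here.
    min_len = 20 if advanced else 8
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if candidate.lower() == user_id.lower():
        problems.append("identical to the user ID")
    # Dictionary word / proper name (basic) and banned-list (advanced) checks are
    # both a lookup against the same set of disallowed values.
    if candidate.lower() in BANNED:
        problems.append("appears on the banned-password list")
    if in_history(candidate, history):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    past = [hash_password("OldPassw0rd!")]          # constructed history entry
    for pw in ("OldPassw0rd!", "jdoe", "password", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw, "jdoe", past, advanced=True) or "ok")
```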
ADSelfService Plus offers strong password policy and MFA settings that ensure your company complies with the requirements of the CJIS. You can create a custom password policy that meets all the CJIS requirements and enforce it for all or specific AD users based on their domain, OU, or group membership. Below are some of the settings that ADSelfService Plus' Password Policy Enforcer offers:

- Satisfy the CJIS password requirements by configuring the minimum password length and the inclusion of alphanumeric characters in passwords.
- Restrict users from reusing their previous passwords during password creation.
- Choose the minimum number of complexity requirements your users' passwords should satisfy as per your organization's security needs.
- Satisfy the CJIS requirements by securing all endpoints in your network using MFA.
- Choose from 20 different authenticators to verify your users' identities.