CJIS Active Directory password policy requirements
Criminal Justice Information Services (CJIS) enables law enforcement professionals to access and share critical criminal justice information (CJI) including biometrics, identity history information, and case history. Any organization with access to CJI in any of its forms must ensure that it complies with mandated CJIS regulations.
To be CJIS compliant, organizations must enforce the password policy requirements mentioned in section 5 to authenticate Active Directory (AD) user accounts.
CJIS, section 18.104.22.168.1
This section specifies requirements for all domain user passwords used to log in to the system through which CJI could be accessed. Passwords must:
- Be a minimum of eight characters.
- Not be a dictionary word.
- Not be the same as the username.
- Expire within a maximum of ninety days.
- Not be identical to the previous ten passwords.
- Not be transmitted outside the secure location.
- Not be displayed when entered.
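Three of the requirements above (minimum length, maximum age, and history depth) correspond to settings that a native AD password policy object exposes, so they can be audited directly. The following PowerShell is an added example, not part of the original page or of any product it describes; the function name Test-CjisPasswordPolicy and the two sample policy objects are constructed for illustration, and the commented calls at the end assume the ActiveDirectory module is available.

```powershell
# Added example: audits a password policy object against the length, expiry
# and history thresholds listed above. Test-CjisPasswordPolicy is a
# hypothetical helper name, not a built-in cmdlet.
function Test-CjisPasswordPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    process {
        $findings = @()
        $maxAge   = [timespan]$Policy.MaxPasswordAge

        if ($Policy.MinPasswordLength -lt 8) {
            $findings += "MinPasswordLength is $($Policy.MinPasswordLength); minimum of 8 required"
        }
        # A MaxPasswordAge of zero means passwords never expire, so it fails
        # the 90-day rule even though 0 is numerically below 90.
        if ($maxAge -eq [timespan]::Zero) {
            $findings += 'MaxPasswordAge is 0 (passwords never expire); maximum of 90 days required'
        } elseif ($maxAge.TotalDays -gt 90) {
            $findings += "MaxPasswordAge is $($maxAge.TotalDays) days; maximum of 90 days required"
        }
        if ($Policy.PasswordHistoryCount -lt 10) {
            $findings += "PasswordHistoryCount is $($Policy.PasswordHistoryCount); previous 10 passwords must be remembered"
        }

        # Fine-grained policies carry a Name; the default domain policy does not.
        $label = if ($Policy.Name) { $Policy.Name } else { $Policy.DistinguishedName }
        [pscustomobject]@{
            Policy    = $label
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings
        }
    }
}

# Constructed sample policies (not real domain data), so the check runs offline.
$samples = @(
    [pscustomobject]@{ Name = 'Sample-Compliant'; MinPasswordLength = 12
        MaxPasswordAge = New-TimeSpan -Days 60; PasswordHistoryCount = 24 }
    [pscustomobject]@{ Name = 'Sample-Weak'; MinPasswordLength = 7
        MaxPasswordAge = [timespan]::Zero; PasswordHistoryCount = 5 }
)
$samples | Test-CjisPasswordPolicy | Format-List

# Against a live domain (requires the ActiveDirectory module):
# Get-ADDefaultDomainPasswordPolicy | Test-CjisPasswordPolicy
# Get-ADFineGrainedPasswordPolicy -Filter * | Test-CjisPasswordPolicy
```

The dictionary-word, username, transmission, and display requirements are not covered by these three settings and need separate verification.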
Simplify CJIS compliance with ADSelfService Plus
ADSelfService Plus offers advanced password policy settings that make sure your company complies with the CJIS requirements. You can create a custom password policy that meets all the CJIS requirements and enforce it for all or specific AD users based on their domain, OU, or group membership.
- Ban dictionary words and patterns: Blacklist leaked or weak AD passwords, patterns, and palindromes.
- Restrict characters from username: Restrict specific or repeated characters from the username.
- Enforce password history: Ensure password strength by enforcing password history during native password resets in the ADUC console.
- Set a custom password length: Enforce longer passwords for Windows domain users by specifying the minimum password length.
Password Policy Enforcer also enables admins to:
- Enforce OU and group-based policies: Granularly enforce multiple password policies in the same AD domain based on OU and group memberships.
- Create custom templates: Utilize 17 advanced password policy settings available to create multiple password policies that comply with PCI, HIPAA, CJIS, and NIST.