Just Dropped: CJIS Security Policy 5.6

It just dropped and it's hot! The CJIS Security Policy, version 5.6 just came out:

CJIS Security Policy 5.6
Okay, maybe I'm over-hyping it. There really isn't much in the way of policy changes, the revisions to the policy are mostly clarifications and guidance which make it easier to use and understand.

Here's What's different:

Authenticators (section

This section now includes hard or soft tokens, also one-time passwords as examples of authenticators.

Encryption (section

Three new subsections are added, clarifying encryption requirements. Now instead of having the use of FIPS 197 for CJI at rest as an exception, the standards for CJI at rest appear as their own section. Also, PKI rules were moved to their own section.  The result is a much more readable standard.

Not new, but noteworthy:

One thing of note to LASO's is the password requirements for CJI at rest.  Although this is not new, just something that has been placed in a more prominent area in this version of the policy and will undoubtedly get noticed.  Section has stronger password standards in some areas for this data than the password standards in section Here's a comparison:

Passwords for accessing CJIS systems ( for unlocking CJI at rest (
At least 8 charactersAt least 10 characters
Not a dictionary wordNot be a dictionary word
Not be the same as the user IDInclude at least one letter in each upper and lower case, a number and a symbol
Expire within 90 days
be changed when previously authorized personnel no longer require access

Not be identical to the previous ten passwords
Not be transmitted in the clear
Not displayed when entered

 To apply these differences, understand that password standards in section apply to CJIS systems with uniquely identified users storing CJI.  The passphrase standards in section apply to documents stored separately of those systems. An example would be an agency warrant list collected by a system administrator who burned to a CD using WinZip to encrypt and created a password to unlock the file.  Keeping in mind that these documents can be opened by anyone who has the password, a slightly stronger password makes sense.

An easy rule of thumb is that if the user has an ID for the system, use the former, if they need a password only, use the latter.

Definitions (Appendix A)

Definitions added for Asymmetric and Hybrid Encryption

Acronyms (Appendix B)

OTP = One-time password. That's the change.

Cloud Computing (Appendix G.3)

The section formatting was improved and some elaboration added.  Of note are three use cases on cloud utilization.  Before implementing cloud solutions, be sure to also download and review the FBI CJIS' Recommendations for Implementation of Cloud Computing Solutions.

Encryption Best Practices (Appendix G.6)

This appendix is entirely new. It explains types of encryption and key management.  It also explains how NIST certification is achieved and warns about claims of being "NIST compliant."


Popular posts from this blog

When does the CJIS security policy apply to Criminal Justice and Non-Criminal Justice Information Systems?

How an Auditor Looks at Your Network Diagram