
Brooke-Lynn Bottomy
Jun 18, 2025
Your Password's Fancy New Name (and New Rules)
Hey Everyone!
This month, I want to provide an important update on recent changes to the CJIS Security Policy (CJISSECPOL) and how they affect one of our most common security controls: passwords.
First, you will notice a change in terminology. The updated policy now refers to passwords as "Memorized Secret Authenticators." While it may seem a bit complex, this change clarifies that the standard applies not just to traditional passwords, but also to passphrases and purely numeric PINs.
It is important to note that the password standards many of us have followed for years are now outdated. The former "Basic Password Standard" is no longer fully compliant on its own, and the "Advanced Standard" has been replaced entirely. These have been consolidated into the Memorized Secret Authenticator control enhancement, referenced as IA-5 (1) (a).
While the full control contains several requirements, I'd like to highlight three significant changes:
Banned Password Lists: Systems must now maintain a "list of commonly-used, expected, or compromised passwords." When a user selects a new password or passphrase, it must be compared against this list and rejected if it appears.
Minimum Length: The CJIS Security Policy now sets the minimum length for a memorized secret at eight (8) characters. Please be aware that your state’s CJIS System Agency (CSA) or internal policies may enforce a longer minimum length.
Change Frequency: This requirement has moved from the password section to IA-5 f. Under the new policy, passwords are only required to be changed annually, or when there is evidence of a compromise. While this may seem like a significant relaxation of previous standards, many CSAs or organizations may still require more frequent changes based on their own risk assessments.
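The three requirements above, expressed as a small policy check, as an added example and not code from CJIS ACE or the CJIS Security Policy itself; the blocklist is a constructed stand-in for the real "commonly-used, expected, or compromised" list, and the function names are illustrative:

```python
from datetime import date, timedelta

# Constructed stand-in for the banned list the policy requires. A real
# deployment loads a far larger corpus of common and breached passwords.
BLOCKLIST = {"password", "password1", "12345678", "qwerty123", "letmein1"}

CJIS_MIN_LENGTH = 8            # CJISSECPOL minimum for a memorized secret
MAX_AGE = timedelta(days=365)  # IA-5 f: change at least annually


def check_memorized_secret(secret, blocklist=BLOCKLIST, min_length=CJIS_MIN_LENGTH):
    """Return the reasons a candidate secret is rejected; an empty list means accepted.

    Applies equally to passwords, passphrases and numeric PINs. min_length lets a
    CSA or internal policy require a longer minimum than CJIS, never a shorter one.
    """
    if min_length < CJIS_MIN_LENGTH:
        raise ValueError("local minimum may not be shorter than the CJIS minimum")
    reasons = []
    if len(secret) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    # Compare case-insensitively so a trivial variant of a banned entry
    # (e.g. 'Password') is still rejected.
    if secret.lower() in blocklist:
        reasons.append("appears on the banned/compromised list")
    return reasons


def change_required(last_changed, compromised, today):
    """IA-5 f: a change is required after one year or on any evidence of compromise.

    Dates are ISO strings (YYYY-MM-DD) so the check is easy to drive from a report.
    """
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return compromised or age > MAX_AGE


if __name__ == "__main__":
    for candidate in ("Password", "1234567", "correct horse battery"):
        print(candidate, "->", check_memorized_secret(candidate) or "accepted")
    print("change needed:", change_required("2024-01-01", False, "2025-06-18"))
```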
Given these updates, we strongly recommend that all agencies begin reviewing the password requirements for their various CJIS-related applications, including network and Active Directory credentials, to ensure compliance.
At CJIS ACE, we are ready to assist you in navigating these changes. Our CJIS Insight application is an excellent tool for tracking compliance with all controls, including these updated password requirements. Whether you need a formal CJIS ACE Compliance Assessment or simply a tool to document your own progress, CJIS ACE can help ensure you are prepared for your next audit.
You can learn more about our services on our website and feel free to reach out if you have any specific questions!
Talk soon,
Brooke-Lynn Bottomy