Why does CJIS IB 18‑10 keep popping up in your agency’s inbox?
Because it’s the memo that tells every law‑enforcement IT team how to lock down the data they’re sworn to protect.
If you’ve ever stared at “Information Bulletin 18‑10” and wondered whether it’s just another bureaucratic checklist, you’re not alone.
The short version: this bulletin is the CJIS (Criminal Justice Information Services) Security Policy’s “what to do now” add‑on. It tightens password rules, multi‑factor authentication, and least‑privilege access, and if you ignore it you are effectively inviting an intruder to the front door.
Below is the only guide you’ll need to actually understand the recommendations, avoid the usual pitfalls, and get your agency compliant without pulling your hair out.
What Is Information Bulletin 18‑10?
In plain English, IB 18‑10 is a supplemental security directive issued by the FBI’s CJIS Division. It updates the baseline CJIS Security Policy (the big PDF most agencies treat like a holy text) with a handful of concrete, time‑sensitive requirements.
Think of the CJIS Security Policy as the constitution and IB 18‑10 as a new amendment that says, “Hey, it’s 2024—let’s make sure everyone’s passwords are actually hard to guess and that remote access is locked down.”
The bulletin covers three core areas:
- Password hygiene – minimum length, complexity, and change frequency.
- Multi‑Factor Authentication (MFA) – when and how it must be enforced.
- Remote access & privileged accounts – new rules for VPNs, cloud services, and “admin” rights.
It’s not a brand‑new policy from scratch; it simply tightens the existing CJIS rules. That’s why it feels both familiar and urgent.
Why It Matters / Why People Care
If you’ve ever heard the phrase “data breach” in a police briefing, you know the stakes. A single compromised CJIS record can expose names, Social Security numbers, and even ongoing investigations.
When agencies fail to follow IB 18‑10, the fallout is real:
- Fines and loss of access – The FBI can suspend your agency’s CJIS connection, effectively cutting off your ability to run background checks.
- Litigation risk – Victims of a breach can sue, and the cost of defending a class‑action lawsuit dwarfs any compliance budget.
- Operational downtime – A compromised system often means weeks of forensic analysis and system rebuilds.
On the flip side, getting the bulletin right means you’re future‑proofing your network, making it harder for ransomware gangs to get in, and keeping the chain of custody for evidence airtight. In practice, that translates to smoother investigations and fewer “oops” moments in court.
How It Works (or How to Do It)
Below is the step‑by‑step playbook most agencies end up using. Feel free to cherry‑pick what fits your environment, but the best results come from doing the whole thing.
1. Password Policy Overhaul
- Length & complexity
  - Minimum 12 characters (the old 8‑character rule no longer applies).
  - Must include at least three of the four character sets: uppercase, lowercase, numbers, symbols.
- Prohibited elements
  - No dictionary words, common phrases, or personal identifiers (birthdays, badge numbers).
  - Disallow passwords that appear in known data breaches (check candidates against a service such as HaveIBeenPwned’s API).
- Change frequency
  - Only require a change when the password is known to be compromised.
  - Unlimited reuse is still a no‑go; enforce a password history of the last 10 passwords.
- Storage
  - Store hashes using a modern algorithm (bcrypt, Argon2).
  - Never store passwords in plain text or with reversible encryption.
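The four rule groups above, applied together by one candidate‑password check, as an added example (not code from the bulletin or any agency). It assumes a constructed breach corpus standing in for HaveIBeenPwned, a simulated `range` endpoint so the k‑anonymity lookup runs offline, and the stdlib scrypt KDF as a stand‑in for the bcrypt/Argon2 the bulletin names; the 3‑of‑4 class rule, personal‑identifier rule and 10‑entry history are the bulletin’s own.

```python
import hashlib, hmac, os

# Constructed stand-in for the HaveIBeenPwned breach corpus (assumption, not real data).
BREACHED_CORPUS = ["Password123!", "Welcome2024!!", "Summer2023!!!"]
# scrypt from the stdlib stands in for the bcrypt/Argon2 the bulletin names (assumption).
SCRYPT = dict(n=2 ** 14, r=8, p=1, maxmem=64 * 1024 * 1024)
CHAR_CLASSES = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())

def _sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest().upper()

def mock_range_endpoint(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>: the server only
    sees the first 5 hex chars and returns every 'SUFFIX:COUNT' that shares them."""
    hashes = (_sha1_hex(p) for p in BREACHED_CORPUS)
    return "\n".join(f"{h[5:]}:{n}" for n, h in enumerate(hashes, 1) if h.startswith(prefix))

def is_breached(pw: str, range_lookup=mock_range_endpoint) -> bool:
    """k-anonymity lookup: only the hash prefix leaves the agency; suffixes match locally."""
    full = _sha1_hex(pw)
    suffixes = {line.split(":")[0] for line in range_lookup(full[:5]).splitlines() if line}
    return full[5:] in suffixes

def hash_password(pw: str, salt: bytes = b"") -> str:
    """Salted, memory-hard hash stored as '<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    return salt.hex() + "$" + hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT).hex()

def verify_password(pw: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(pw.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT).hex()
    return hmac.compare_digest(candidate, digest_hex)

def policy_violations(pw: str, identifiers=(), history=()) -> list:
    """Return the IB 18-10 rules a candidate breaks (empty list means acceptable).
    history holds stored hashes, newest last; only the last 10 are consulted."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if sum(any(cls(c) for c in pw) for cls in CHAR_CLASSES) < 3:
        problems.append("fewer than 3 of the 4 character classes")
    for ident in identifiers:  # badge number, surname, birth year and the like
        if ident and ident.lower() in pw.lower():
            problems.append(f"contains personal identifier {ident!r}")
    if is_breached(pw):
        problems.append("present in a known breach")
    if any(verify_password(pw, h) for h in list(history)[-10:]):
        problems.append("reused within the last 10 passwords")
    return problems
```

`policy_violations("Password123!", identifiers=("4471",))` passes the length and class rules but returns `["present in a known breach"]`, which is the case the breach check exists for.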
2. Multi‑Factor Authentication (MFA)
| Scenario | MFA Requirement | Recommended Method |
|---|---|---|
| Remote VPN access | Mandatory | Hardware token (YubiKey) or authenticator app (Google Authenticator, Authy) |
| Local workstation login (admin) | Mandatory | Smart card + PIN |
| Non‑admin local login | Recommended | Phone push notification |
| Cloud services that host CJIS data | Mandatory | FIDO2 security key or biometrics (if supported) |
Implementation tip: Deploy MFA centrally via your identity provider (Okta, Azure AD). That way you can push policy changes without touching each endpoint.
3. Remote Access & Privileged Accounts
- Zero‑Trust Network Access (ZTNA) – Treat every connection as untrusted until verified. Use micro‑segmentation to limit what a remote user can see.
- Least‑Privilege Principle – Audit all admin groups. Remove any “default admin” accounts that haven’t been used in the past 90 days.
- Session Logging – Record all privileged sessions (screen capture, keystroke logs) and store them in a tamper‑evident archive for at least 90 days.
- VPN Hardening – Disable split‑tunneling; enforce TLS 1.3; use certificate‑based authentication instead of shared secrets.
4. Auditing & Monitoring
- Log Retention – Keep all CJIS‑related logs for a minimum of 180 days, per the base CJIS policy.
- Real‑Time Alerts – Set up SIEM rules for:
- Failed login attempts > 5 within 10 minutes.
- New admin account creation.
- MFA bypass attempts.
- Quarterly Review – Run a compliance scan (NIST SCAP, CIS-CAT) and compare results against IB 18‑10 checklists.
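The three real‑time alert rules above, run over a constructed sample log, as an added example (not code from the bulletin or any SIEM product). It assumes a simple `key=value` line format of its own; the thresholds (more than 5 failures in 10 minutes, any admin‑group account creation, any MFA bypass) are the ones listed above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simple key=value format (assumption: not any product's real format).
SAMPLE_LOG = """\
2024-03-04T09:00:05 event=LOGIN_FAIL user=jdoe src=10.1.4.22
2024-03-04T09:00:40 event=LOGIN_FAIL user=jdoe src=10.1.4.22
2024-03-04T09:01:10 event=LOGIN_FAIL user=asmith src=10.1.7.9
2024-03-04T09:01:30 event=LOGIN_FAIL user=jdoe src=10.1.4.22
2024-03-04T09:02:00 event=LOGIN_OK user=asmith src=10.1.7.9
2024-03-04T09:02:15 event=LOGIN_FAIL user=jdoe src=10.1.4.22
2024-03-04T09:03:00 event=LOGIN_FAIL user=jdoe src=10.1.4.22
2024-03-04T09:03:20 event=ACCOUNT_CREATED user=svc_backup group=Domain_Admins actor=tadmin
2024-03-04T09:04:05 event=LOGIN_FAIL user=jdoe src=10.1.4.22
2024-03-04T09:06:00 event=MFA_BYPASS user=rlee src=10.1.9.3
2024-03-04T09:30:00 event=LOGIN_FAIL user=bjones src=10.1.2.2
2024-03-04T09:45:00 event=LOGIN_FAIL user=bjones src=10.1.2.2
"""

def parse_line(line: str) -> dict:
    """'<iso timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def run_rules(log_text: str, threshold: int = 5, window_minutes: int = 10) -> list:
    """Apply the three IB 18-10 alert rules; returns (rule, user, time) tuples in log order."""
    window = timedelta(minutes=window_minutes)
    fails = defaultdict(deque)  # per-user failure timestamps inside the sliding window
    alerts = []
    for line in filter(None, log_text.splitlines()):
        rec = parse_line(line)
        event, user, ts = rec["event"], rec.get("user", "?"), rec["ts"]
        if event == "LOGIN_FAIL":
            q = fails[user]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) > threshold:
                alerts.append(("BRUTE_FORCE", user, ts))
                q.clear()  # one alert per burst, not one per extra failure
        elif event == "ACCOUNT_CREATED" and "admin" in rec.get("group", "").lower():
            alerts.append(("NEW_ADMIN_ACCOUNT", user, ts))
        elif event == "MFA_BYPASS":
            alerts.append(("MFA_BYPASS", user, ts))
    return alerts
```

On the sample, `run_rules(SAMPLE_LOG)` raises three alerts in order: the admin‑group creation for svc_backup, the brute‑force alert for jdoe on the sixth failure at 09:04:05, and the MFA bypass for rlee; bjones's two failures 15 minutes apart never exceed the threshold.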
5. Training & Awareness
- Annual refresher – 30‑minute mandatory module on password hygiene and MFA.
- Phishing simulations – Run quarterly; any user who clicks must retake the training within 48 hours.
- Policy sign‑off – Every employee must electronically acknowledge they’ve read the updated CJIS IB 18‑10 recommendations.
Common Mistakes / What Most People Get Wrong
- Treating password length as the only metric – Agencies often crank the length to 20 characters but keep the same simple pattern (“Password123!”). Complexity matters more than sheer length.
- Deploying MFA only for “high‑risk” users – The bulletin is crystal clear: any remote access to CJIS data needs MFA, regardless of rank. Skipping lower‑level staff creates a backdoor.
- Relying on password expiration alone – Forcing a change every 30 days leads to weaker passwords because users resort to predictable variations. The bulletin actually encourages a change only when needed.
- Copy‑pasting default admin accounts – Some IT shops clone a “template admin” and never rename or disable it. That account becomes a prime target for attackers.
- Skipping the audit trail – Logging is mandatory, but many agencies store logs on the same server they’re protecting. If the server is compromised, the logs go with it.
Practical Tips / What Actually Works
- Use a password manager – Deploy a vetted solution (e.g., KeePassXC, 1Password Business) and enforce it agency‑wide. It eliminates the need to remember complex strings and prevents reuse.
- Make MFA frictionless – Choose methods that don’t require users to carry extra devices. FIDO2 keys work well for admins; push notifications are fine for desk‑bound staff.
- Automate privileged‑account reviews – Scripts that query Active Directory for accounts with admin rights and flag any that haven’t been used in 30 days save countless hours.
- Segment your network – Put all CJIS‑related servers on a dedicated VLAN with strict ACLs. Even if a workstation is compromised, the attacker can’t hop laterally to the database.
- Document every exception – If a legacy system can’t support MFA, write a formal risk‑acceptance form, get it signed by the agency head, and set a remediation deadline.
- Use the FBI’s own resources – The CJIS Division offers a “Self‑Assessment Toolkit.” Run it before the official audit; it surfaces gaps you might otherwise miss.
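The privileged‑account review called for in the least‑privilege step (unused admin accounts, 90 days) and in the automation tip above (30 days), as an added example (not an FBI or vendor script). It works on a constructed CSV export rather than querying Active Directory directly, assumes group names and a `lastLogon` column of its own, and treats an empty `lastLogon` (never logged on) as a finding in its own right because a cloned “template admin” looks exactly like that.

```python
import csv, io
from datetime import datetime, timedelta

# Constructed directory export (assumption: not real AD output). Empty lastLogon = never logged on.
EXPORT = """\
sAMAccountName,memberOf,enabled,lastLogon
tadmin,Domain_Admins;CJIS_Operators,true,2024-03-01T08:12:00
svc_backup,Domain_Admins,true,2023-10-15T02:00:00
template_admin,Domain_Admins,true,
jdoe,CJIS_Operators,true,2024-03-03T17:45:00
old_helpdesk,Account_Operators,false,2023-06-01T09:00:00
rlee,Server_Admins,true,2024-01-20T10:00:00
"""
# Groups that confer admin rights in this constructed directory (assumption).
PRIVILEGED_GROUPS = {"Domain_Admins", "Server_Admins", "Account_Operators"}

def stale_privileged_accounts(csv_text: str, now_iso: str, max_idle_days: int = 90) -> list:
    """Return (account, reason) for enabled privileged accounts that are idle longer than
    max_idle_days or have never logged on. Disabled accounts are already neutralised and skipped."""
    now = datetime.fromisoformat(now_iso)
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups = set(row["memberOf"].split(";"))
        if row["enabled"] != "true" or not groups & PRIVILEGED_GROUPS:
            continue
        if not row["lastLogon"]:
            findings.append((row["sAMAccountName"], "privileged account has never logged on"))
            continue
        last = datetime.fromisoformat(row["lastLogon"])
        if last < cutoff:
            findings.append((row["sAMAccountName"], f"idle for {(now - last).days} days"))
    return findings
```

With the 90‑day threshold the review flags svc_backup and the never‑used template_admin; dropping to the 30‑day threshold from the tip above also catches rlee.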
FAQ
Q: Do I need to change every password immediately after IB 18‑10 is released?
A: No. The bulletin allows a reasonable transition period (usually 90 days) as long as new passwords meet the updated complexity rules. Existing passwords only need to change if they’re known to be compromised.
Q: Can I use a single MFA method for all users?
A: Technically you could, but the bulletin recommends stronger methods (hardware tokens or FIDO2) for privileged accounts and remote VPN access. For standard users, a mobile authenticator is acceptable.
Q: What if a legacy application can’t store bcrypt hashes?
A: You must either upgrade the application, isolate it on a non‑CJIS network, or obtain a formal risk acceptance. Storing weaker hashes is a direct violation of the policy.
Q: How often should I run a CJIS compliance audit?
A: At minimum annually, but the best practice is a quarterly internal scan plus a full external audit before the next IB 18‑10 renewal cycle.
Q: Does the bulletin apply to contractors who handle CJIS data?
A: Absolutely. Anyone with access—employees, contractors, or third‑party vendors—must comply with the same password, MFA, and remote‑access rules.
That’s it. You’ve got the why, the what, and the how, all wrapped up in one place. Implement the steps, avoid the common traps, and you’ll be on the right side of the FBI’s checklist.
Now go ahead and tighten those passwords; your badge, your department, and the whole justice system will thank you.