Enabling CJIS Compliance Policy
Hosted~FTP~ Enterprise T2+ accounts have the feature to enforce users to be CJIS compliant on an account, group, or individual level. For CJIS compliance to be enabled on a group or user level, the account admin must have certain option(s) enabled. There are 2 levels of CJIS compliance to enforce: CJIS Basic, or CJIS Advanced. Our recommendation is to use CJIS Advanced to be fully compliant.
Steps to enable on an account-level
- Login as the account admin through the web interface and click on the Setup tab in the navigation bar
- Scroll down to the options checklist and enable Create logs in FTP folder… on the same line, also check mark Logins and Transfers (This is mandatory for CJIS compliance)
- Continue to scroll down to Account-level Options and check Customize on Enforce compliance for all users
- Select Enforce compliance for all users CJIS Advanced
- Continue to Enforce password policy for all users and click Customize
- Select Enforce compliance for all users

- Click on the Configure button and set the password policy to be CJIS Advanced compliant
- Minimum length of 20 characters
- Prevent dictionary words must be on
- Prevent any from global list of breached passwords must be on
- Prevent reuse of last 10 passwords
- Password expiry must be lower than or equal to 365 days

- Continue to scroll down to Force only secure protocols for all users (ftps/https/sftp) and check Customize
- Select Enforce compliance for all users

- Click Save to enforce the changes
- The new password policy will take effect immediately
- Passwords aging older than the requirement will need to be changed
- Passwords nearing expiry will be notified 7 days prior to expiry date via email
- The account admin will also be notified if there is no email assigned to the user
Note: If the settings were not properly setup, an error will occur with the following message and requirements to enforce.

Steps to enable for groups
- Login as the account admin through the web interface and click on the Setup tab in the navigation bar
- Scroll down to the options checklist and enable Create logs in FTP folder… on the same line, also check mark Logins and Transfers (This is mandatory for CJIS compliance)
- Continue to scroll down to Account-level Options and check Customize on Enforce compliance for all users
- Select Allow overrides in group/user setup
- Continue to Enforce password policy for all users and click Customize
- Select Allow overrides in group/user setup

- Continue to scroll down to Force only secure protocols for all users (ftps/https/sftp) and check Customize
- Select Allow overrides in group/user setup

- Click Save to enforce the changes
- Click on the Users tab > Groups sub-header to get to your list of Groups
- Select the Group in the list to open settings or create a new Group using the Add button (Learn how to setup groups here)

- Locate Enforce compliance for all users in group and select the Customize option
- Select Enforce compliance for all users in group CJIS Advanced
- Locate Force only secure protocols for all users in group (ftps/https/sftp) and select the Customize option
- Select Force only secure protocols for all users in group (ftps/https/sftp)
- Locate Enforce password policy for all users in group and select the Customize option
- Select Enforce custom password policy for all users in group
- Click the Configure button and set the password policy to be CJIS Advanced compliant
- Minimum length of 20 characters
- Prevent dictionary words must be on
- Prevent any from global list of breached passwords must be on
- Prevent reuse of last 10 passwords
- Password expiry must be lower than or equal to 365 days

- Click Save to enforce the changes
- The new password policy will take effect immediately
- Passwords aging older than the requirement will need to be changed
- Passwords nearing expiry will be notified 7 days prior to expiry date via email
- The account admin will also be notified if there is no email assigned to the user
Note: If the settings were not properly setup, an error will occur with the following message and requirements to enforce.

Steps to enable on individual users
- Login as the account admin through the web interface and click on the Setup tab in the navigation bar
- Scroll down to the options checklist and enable Create logs in FTP folder… on the same line, also check mark Logins and Transfers (This is mandatory for CJIS compliance)
- Continue to scroll down to Account-level Options and check Customize on Enforce compliance for all users
- Select Allow overrides in group/user setup
- Continue to Enforce password policy for all users and click Customize
- Select Allow overrides in group/user setup

- Continue to scroll down to Force only secure protocols for all users (ftps/https/sftp) and check Customize
- Select Allow overrides in group/user setup

- Click Save to enforce the changes
- Note: Alternatively, if the user is part of a group, in the group settings you can select Allow overrides in user setup
- Click on the Users tab and locate the user in the list or by using the search field
- Click on the user to open their settings and scroll down to the list of Options
- Locate Enforce compliance for this user and check Customize
- Select Enforce compliance for this user CJIS Advanced
- Locate Force only secure protocols for this user (ftps/https/sftp) and check Customize
- Select Force only secure protocols for this user (ftps/https/sftp)
- Locate Enforce custom password policy for this user and check Customize
- Select Enforce custom password policy for this user
- Click the Configure button and set the password policy to be CJIS Advanced compliant
- Minimum length of 20 characters
- Prevent dictionary words must be on
- Prevent any from global list of breached passwords must be on
- Prevent reuse of last 10 passwords
- Password expiry must be lower than or equal to 365 days

- Click Save to enforce the changes
- The new password policy will take effect immediately
- If the password age is older than the requirement, it will need to be changed
- If the password is nearing expiry, the user will be notified 7 days prior to expiry date via email
- The account admin will also be notified if there is no email assigned to the user
Note: If the settings were not properly setup, an error will occur with the following message and requirements to enforce.
