CJIS RECERTIFICATION COMPLETE EXAM QUESTIONS AND 100%
VERIFIED ANSWERS GRADED A+ LATEST VERSION 2026/2027
Q1. How often is CJIS Security Awareness Training required? ANSWER
Annually (changed from biennial in version 5.9.4)
Q2. Who must take CJIS Security Awareness Training? ANSWER All
users who access Criminal Justice Information (CJI), receive CJI verbally or in
writing, and any person with unescorted access to areas containing CJI
Q3. What is the purpose of Security Awareness Training? ANSWER To
provide competent understanding of how to handle criminal justice information
in relation to the user's role within their department
Q4. Do personnel with unescorted access to CJI areas need to be
fingerprinted? ANSWER Yes, they must undergo fingerprint-based
background checks with Purpose Code J before unescorted access is granted
Q5. What is the difference between CJIS Online and nexTEST? ANSWER
CJIS Online is for IT personnel, vendors, contractors, and persons with
unescorted access; nexTEST is for LEADS users and practitioners
Q6. When must Security Awareness Training be completed? ANSWER
Prior to having access to CJI or systems with CJI, and annually thereafter
Q7. Is passing the test required for Security Awareness Training?
ANSWER Yes, Security Awareness is mandatory and users must pass the test
Q8. What is CJI? ANSWER Criminal Justice Information, including data
from NCIC, III, N-DEx, and other FBI criminal justice systems
Q9. What is a CSA? ANSWER CJIS Systems Agency - the state agency
responsible for CJIS systems administration
Q10. What is an NCJA? ANSWER Non-Criminal Justice Agency - public or
private entities authorized to access CJI for non-criminal justice purposes
Q11. What is AAL2? ANSWER Authenticator Assurance Level 2 - requires
multi-factor authentication for access to CJI systems
Q12. What are the three authentication factors? ANSWER Something you
know (password/PIN), something you have (token/device), something you are
(biometric)
Q13. How many consecutive invalid logon attempts are allowed before
lockout? ANSWER Five (5) consecutive invalid attempts during a 15-minute
period
Q14. What happens after the maximum unsuccessful logon attempts?
ANSWER The account or node is automatically locked until released by an
administrator
Q15. What is required for multi-factor authentication at AAL2? ANSWER
A combination of two different authentication factors, including a Memorized
Secret and a possession-based authenticator
Q16. What is the minimum entropy for memorized secrets? ANSWER 64
bits of entropy (approximately 8 random characters)
Q17. What is replay resistance? ANSWER Authentication that prevents
successful authentication by replaying previous authentication messages
Q18. What cryptographic standard must government agency verifiers
meet? ANSWER FIPS 140 Level 1 validation
Q19. What is required for biometric authentication? ANSWER Biometrics
must be used only as part of multi-factor authentication with a physical
authenticator
Q20. What is the maximum false match rate (FMR) allowed for biometric
systems? ANSWER 1 in 1000 or better
Q21. How many consecutive failed biometric authentication attempts are
allowed? ANSWER No more than 5, or 10 if Presentation Attack Detection
(PAD) with 90% resistance is implemented
Q22. What must happen when biometric authentication failures exceed the
limit? ANSWER Either impose a delay of at least 30 seconds (increasing
exponentially) or disable biometric and offer another factor
Q23. What is a PIV credential? ANSWER Personal Identity Verification
credential conforming to FIPS Publication 201
Q24. What is required for device identification and authentication?
ANSWER Devices must be authenticated before accessing CJI systems
Q25. What is the minimum password length for CJI systems? ANSWER 15
characters (when using only passwords), or 8 characters when combined with
other factors
Q26. How often must passwords be changed? ANSWER Every 90 days
maximum, or 180 days if multi-factor authentication is used
Q27. Can previous passwords be reused? ANSWER No, the last 24
passwords cannot be reused
Q28. What is a compensating control? ANSWER Alternative security
measures implemented when standard controls cannot be met
Q29. What is single sign-on (SSO) and is it allowed? ANSWER Yes, if it
meets AAL2 requirements and session timeout policies are enforced
Q30. What is the session timeout requirement for CJI systems? ANSWER 30
minutes of inactivity for non-privileged accounts, 15 minutes for privileged
accounts
Q31. What is the principle of least privilege? ANSWER Users should only
have the minimum access necessary to perform their job functions
Q32. What is required for remote access to CJI? ANSWER Multi-factor
authentication and encryption of all transmissions
Q33. What is split tunneling and is it allowed? ANSWER Split tunneling is
generally prohibited for remote devices accessing CJI
Q34. What is required for wireless access to CJI? ANSWER Authentication
and encryption using WPA2 or stronger
Q35. What is the requirement for mobile devices accessing CJI? ANSWER
Full device encryption or container-based encryption
Q36. What is the requirement for portable storage devices? ANSWER
Encryption and restricted use policies must be in place
Q37. What is required for system use notification? ANSWER Warning
banners must be displayed before system access indicating monitoring and
authorized use only
Q38. What is the device lock requirement? ANSWER Devices must lock after
15 minutes of inactivity (5 minutes for high-security areas)
Q39. What is the requirement for session termination? ANSWER Sessions
must terminate after 30 minutes of inactivity