To keep pace with evolving threats and technologies, the FBI has updated its Criminal Justice Information Services (CJIS) Security Policy twice in the past year. Version 5.9.5, issued in July 2024, introduced a firm mandate for multifactor authentication. Agencies must now require at least two forms of identity verification for anyone accessing criminal justice data. In December, version 6.0 expanded those rules further by introducing new requirements for continuous monitoring, supply chain and third-party risk, and access management policies that apply across the entire lifecycle of a system.