March 16, 2026

Best CJIS Compliant Mapping Platform for Law Enforcement

Law enforcement agencies handling Criminal Justice Information (CJI) face strict data security requirements under the FBI's CJIS Security Policy. Scene documentation, investigation records, and evidentiary materials must reside in compliant infrastructure with auditable access controls and encryption standards that satisfy CJIS Security Policy Version 5.9. The CJIS-compliant mapping platform you deploy determines whether your 3D documentation workflow meets FBI requirements or creates audit findings that jeopardize funding and information sharing agreements.

Key Takeaways

  • CJIS Security Policy Section 5.9.1.1 mandates seven requirements for cloud platforms handling CJI: encryption in transit and at rest, access controls, FBI-fingerprint background checks, security training, incident response procedures, audit logs, and an executed CJIS Security Addendum.
  • Consumer cloud services (Dropbox, Google Drive, iCloud) are non-compliant and routinely cited in FBI audits — agencies using them risk data admissibility challenges and suspension of NCIC access.
  • SkyeBrowse Premium and Premium Advanced tiers operate on AWS GovCloud infrastructure with a CJIS Security Addendum available — compliant once the agency's state CISO approves the vendor.
  • Agencies should initiate state CISO review before procurement; approval timelines range from weeks to months, and purchasing before approval wastes budget and delays deployment.
  • For agencies processing 200+ annual scenes, CJIS-compliant video-based 3D documentation compresses on-scene time from several hours to 15–20 minutes, reducing personnel access to raw CJI and shrinking audit surface.

What does CJIS Security Policy require from cloud mapping platforms?

CJIS Security Policy Section 5.9.1.1 requires cloud service providers handling Criminal Justice Information to demonstrate data encryption in transit and at rest, personnel background checks, auditable access controls, and a signed CJIS Security Addendum formalizing compliance obligations. Providers operating on commercial cloud infrastructure must verify that their specific region and workflow configurations isolate CJI from non-compliant environments. Agencies bear responsibility for ensuring every vendor they use has satisfied these requirements before any CJI is uploaded or processed.

The seven core requirements under Policy 5.9.1.1 are: (1) encryption in transit and at rest, (2) access controls limiting personnel contact with CJI, (3) FBI-fingerprint-based background investigations for personnel with potential CJI access, (4) security awareness training, (5) incident response procedures, (6) audit logs documenting access, and (7) executed CJIS Security Addendum agreements. Many cloud mapping platforms operate on AWS, Azure, or Google Cloud, which can support CJIS compliance but do not guarantee it by default. Agencies must verify infrastructure region, addendum execution, and workflow isolation — not merely accept a vendor's marketing claims. The FedRAMP Marketplace provides a reference for cloud services that have undergone federal security authorization, which can accelerate state CISO review.

How do different platforms compare for law enforcement data handling?

SkyeBrowse Premium and Premium Advanced tiers operate on AWS GovCloud infrastructure and offer a CJIS Security Addendum — making them compliant when properly configured and approved by the agency's state CISO. Consumer cloud storage services such as Dropbox, Google Drive, and iCloud are non-compliant: they lack CJIS addendums and adequate access controls. Generic photogrammetry cloud platforms are presumptively non-compliant without a documented CJIS framework.

| Platform Type | CJIS Considerations | Compliance Status |
|---|---|---|
| SkyeBrowse Premium/Advanced (AWS GovCloud) | CJIS-ready infrastructure, Security Addendum available, access controls, encryption | Compliant when properly configured and state-CISO approved |
| Consumer Cloud Storage (Dropbox, Google Drive, iCloud) | Commercial infrastructure, no CJIS agreements, inadequate access controls | Non-compliant — FBI audits cite this as a common violation |
| On-Premise Processing | Agency controls infrastructure, no third-party data sharing | Compliant but requires agency IT resources for ongoing maintenance |
| Generic Photogrammetry Cloud Services | Variable — most lack CJIS addendums and use commercial cloud regions | Presumptively non-compliant without documented CJIS framework |

On-premise solutions avoid third-party data handling but transfer the full infrastructure burden to the agency — including storage, backup, and security patching. For agencies without dedicated IT staff, a vetted cloud provider with an executed CJIS Security Addendum is typically the more practical path to compliance. SkyeBrowse's videogrammetry platform (which converts drone video into 3D maps and 2D orthomosaics) supports both deployment models, with cloud processing available at app.skyebrowse.com and on-premise options available for Premium and Advanced tier customers.

How should agencies prepare for FBI CJIS compliance audits?

FBI and state audit authorities conduct triennial CJIS compliance audits reviewing access control policies, encryption implementation, personnel background checks, security awareness training records, incident response procedures, and system usage logs. Auditors specifically ask agencies to document every cloud service in use, confirm where data is stored, and produce signed CJIS Security Addendums for each provider. Non-compliance findings trigger corrective action plans and can suspend NCIC access.

Cloud service usage is a primary audit focus. Auditors ask: What cloud services does your agency use? Where do those services store data? Has your CISO approved each service? Are CJIS Security Addendums executed? Do contracts include right-to-audit provisions? Agencies unable to document affirmative answers face findings. Proactive preparation includes maintaining a cloud service registry with approval status, addendum copies, and last-reviewed dates for every vendor that touches CJI.

What is the state CISO approval process for mapping vendors?

State CJIS Systems Officers vet technology vendors to ensure FBI compliance requirements are met before agencies may use cloud services to store or process CJI. The process generally requires the vendor to complete a security questionnaire, provide infrastructure documentation, execute the CJIS Security Addendum, and submit to state CISO review. Approval timelines range from weeks to months depending on state workload and documentation completeness.

Agencies should initiate CISO approval before procurement — purchasing technology that later fails CISO review wastes budget and delays operational deployment. The recommended approach is to contact your state CISO early: "We're evaluating 3D mapping technology for crime scene documentation. We're considering SkyeBrowse — have they been approved in our state, or do we need to initiate a vendor review?" SkyeBrowse's compliance team can provide infrastructure documentation, encryption specifications, and a pre-populated CJIS Security Addendum to accelerate the state review process. The FBI CJIS Security Policy Resource Center publishes the current policy version and addendum templates agencies can reference.

What are the incident response obligations under CJIS?

CJIS-covered incidents include unauthorized access to CJI, accidental disclosure, and infrastructure breaches. Agencies must report confirmed or suspected CJI breaches to their state CISO — and potentially to the FBI — within defined timeframes that often run 24 to 72 hours from discovery. Cloud service contracts must include incident notification provisions requiring the provider to alert agencies promptly so they can meet their own reporting deadlines.

If a cloud provider suffers a breach affecting agency data, the provider must notify affected agencies immediately under contractual CJIS Security Addendum terms. Agencies then assess whether CJI was compromised and report per state CJIS policy. For agencies processing 200 or more annual scenes — collisions, property crimes, outdoor investigations — CJIS-compliant video-based 3D documentation compresses on-scene time from several hours to 15-20 minutes, significantly reducing the number of personnel who interact with raw CJI data. Fewer access points mean a smaller audit surface and lower breach risk. The National Institute of Standards and Technology (NIST) SP 800-61 Computer Security Incident Handling Guide provides a widely adopted framework that aligns with CJIS incident response expectations.

FAQ

Does SkyeBrowse meet CJIS Security Policy requirements?

SkyeBrowse Premium and Premium Advanced tiers operate on AWS GovCloud infrastructure and offer a CJIS Security Addendum. Compliance is confirmed when your agency's state CISO approves the vendor and the addendum is executed. Contact SkyeBrowse to request compliance documentation for your state review.

What cloud mapping platforms are not CJIS compliant?

Consumer cloud storage services such as Dropbox, Google Drive, and iCloud lack the CJIS Security Addendums, access controls, and background-check requirements mandated by CJIS Security Policy Section 5.9.1.1. FBI audits routinely cite these services as compliance violations. Generic photogrammetry cloud services are presumptively non-compliant without documented CJIS frameworks.

How long does CJIS vendor approval take?

State CISO approval timelines vary from a few weeks to several months depending on state workload and the completeness of the vendor's security documentation. Agencies should submit the vendor security questionnaire and infrastructure documentation well before anticipated deployment. SkyeBrowse can supply a pre-populated documentation package to expedite review.

Bobby Ouyang - Co-Founder and CEO of SkyeBrowse