ArcGIS is designed and managed in alignment with regulations, standards, and best practices. Esri's compliance initiatives are grouped into four categories:
- Products and services security—Esri product and service-based security compliance
- Privacy initiatives—Company and product privacy commitments
- Solution-based—Deployment patterns that align with compliance requirements
- Cloud providers—ArcGIS Online cloud infrastructure provider compliance
Products and services security
The following compliance initiatives are specific to products and services offered by Esri:
- FedRAMP Tailored Low—ArcGIS Online United States-based operations
  - Security controls for this multitenant, cloud-based SaaS align with National Institute of Standards and Technology (NIST) Special Publication 800-53 (Revision 4), which maps to International Standards Organization (ISO) 27001 and 15408 controls.
  - Thirty pages of ArcGIS Online CSA CAIQ answers are available on the Trust Center Documents page. To see the annual FedRAMP Tailored Low: ArcGIS Online United States-based operations assessment, contact your account manager to obtain it under NDA.
  - For questions, contact SoftwareSecurity@esri.com.
- FedRAMP Moderate—Esri Managed Cloud Services (EMCS) Advanced Plus
  - A cloud-based secure infrastructure and operations environment that meets customer single-tenant requirements for hosted ArcGIS Enterprise
  - For questions, contact ManagedCloudServices@esri.com.
- SSAE 18/SOC—Cloud Service Providers (CSP) and EMCS
  - ArcGIS Online does not perform a duplicative or separate SOC audit, as a more advanced FedRAMP authorization (which includes annual third-party assessments) is already in place. Request CSP SOC reports directly from Amazon Web Services and Microsoft Azure.
  - Customers not requiring the rigor of EMCS Advanced Plus with FedRAMP Moderate authorization can instead use the EMCS Advanced offering, which complies with SOC 2 Type 2.
  - To request an EMCS SOC 2 Type 2 report (under NDA), contact ManagedCloudServices@esri.com.
  - The EMCS Advanced SOC 3 report is a general use report that does not require NDA.
- USGCB and FDCC—Federal agency requirement for desktop-based products
  - ArcGIS Desktop 9.3, 9.3.1, and 10 were FDCC self-certified. FDCC has been superseded by USGCB, so ArcGIS Desktop 10.1 and later are USGCB self-certified.
  - ArcGIS Pro 1.4.1 and later are USGCB self-certified.
- Section 508: WCAG, ADA—Federal agency software accessibility requirements for people with disabilities
  - Esri's commitment to accessibility is to design and implement accessible GIS products and technologies that align with the objectives of Section 508, WCAG, and ADA.
Privacy initiatives
Esri as a company and its products are aligned with the following privacy standards and regulations:
- General Data Protection Regulation (GDPR)
  - Regulation for handling European Union (EU) citizen personal information
  - Product alignment details: ArcGIS Trust Center GDPR Privacy
  - Company alignment details: General Esri GDPR Privacy
- California Consumer Privacy Act (CCPA)
  - Provides consumers in California additional rights and protections regarding how businesses may use their personal information.
  - Product alignment details: ArcGIS Trust Center CCPA Privacy
  - Company alignment details: General Esri CCPA Notice
- Health Insurance Portability and Accountability Act (HIPAA)
  - Provides federal protections for personal health information held by covered entities and gives patients an array of rights.
  - Product alignment details: ArcGIS Trust Center HIPAA Privacy
Solution-based
ArcGIS is frequently implemented in different enterprise geospatial deployment patterns to align with many security standards. This is accomplished with either hybrid or on-premises deployments that can be supplemented with third-party security components. Esri is working on documenting and validating best practice guidance to facilitate alignment with security requirements, such as the following:
- Criminal Justice Information Services (CJIS) Security Policy—Law enforcement
  - CJIS applies to all law enforcement institutions to provide appropriate controls to protect the full life cycle of criminal justice information.
- STIGs—Defense
  - A STIG is available for ArcGIS GIS Server. See the DISA website.
- FIPS 140-2—Cryptographic modules
  - Note: Esri products are compatible with the Use FIPS compliant algorithms security setting in Windows.
- PCI DSS—Payment card industry
  - Note: Unlike the other solutions listed above, most Esri customers are not looking for payment card industry alignment but instead use PCI as a basic security compliance validation mechanism, as it is built into many scanners today.
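The FIPS note above refers to the Windows local security policy "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing". Before relying on that compatibility statement, an administrator usually wants to confirm the setting is actually on for the hosts running ArcGIS components. The following PowerShell is an added example written for this page, not Esri code or tooling: it reads the policy from its registry location (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy, value Enabled) and, on Windows PowerShell, cross-checks it against the .NET Framework view of the same policy. The function name Get-FipsPolicyState is this example's own.

```powershell
# Added example (not Esri's code): report whether the Windows
# "Use FIPS compliant algorithms" security policy is enabled on this host.
# Windows stores the policy as the DWORD 'Enabled' under the key below;
# a value of 1 means FIPS mode is on, 0 or a missing value means it is off.
function Get-FipsPolicyState {
    [CmdletBinding()]
    param()

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = 0

    if (Test-Path -Path $key) {
        $item = Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.Enabled) {
            $enabled = [int]$item.Enabled
        }
    }

    # On Windows PowerShell (.NET Framework) the runtime honours the same policy:
    # CryptoConfig.AllowOnlyFipsAlgorithms is true when the registry value is 1.
    # When it is on, purely managed hash classes such as SHA256Managed throw
    # InvalidOperationException while the CNG/CSP-backed ones keep working.
    # PowerShell 7 runs on .NET (Core), where this property is not a reliable
    # reflection of the registry value, so it is only consulted on 'Desktop'.
    $dotNetView = $null
    if ($PSVersionTable.PSEdition -eq 'Desktop') {
        $dotNetView = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        FipsPolicyEnabled     = ($enabled -eq 1)
        DotNetAllowsOnlyFips  = $dotNetView   # $null on PowerShell 7
        RegistryPath          = $key
    }
}

# Usage: run locally, or wrap in Invoke-Command -ComputerName <host> to
# collect the state from every ArcGIS Enterprise or Desktop machine in scope.
Get-FipsPolicyState | Format-List
```

Reading the registry requires no elevation, so the check can be run under an ordinary account or pushed out through Invoke-Command for an inventory. Enabling the policy is a Group Policy or secpol.msc change that takes effect after a restart; this example deliberately only reads the state and does not modify it.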
Cloud providers
ArcGIS Online uses cloud infrastructure providers that are compliant with the following:
- ISO 27001
- FedRAMP
- SOC
For more details, see the Amazon Web Services and Microsoft Azure websites.