Compliance

ArcGIS is designed and managed in alignment with regulations, standards, and best practices. Esri's compliance initiatives are grouped into four categories:

  • Products and services security—Esri product and service-based security compliance
  • Privacy initiatives—Company and product privacy commitments
  • Solution-based—Deployment patterns that align with compliance requirements
  • Cloud providers—ArcGIS Online cloud infrastructure provider compliance

Products and services security

The following compliance initiatives are specific to products and services offered by Esri:

  • FedRAMP Moderate—Esri Managed Cloud Services (EMCS) Advanced Plus
    • A cloud-based secure infrastructure and operations environment that meets customer single-tenant requirements for hosted ArcGIS Enterprise
    • For questions, contact ManagedCloudServices@esri.com.
  • SSAE 18/SOC—Cloud Service Providers (CSP) and EMCS
    • ArcGIS Online does not perform a duplicative or separate SOC audit, as a more advanced FedRAMP authorization (which includes annual third-party assessments) is already in place. Request CSP SOC reports directly from Amazon Web Services and Microsoft Azure.
    • Customers not requiring the rigor of EMCS Advanced Plus with FedRAMP Moderate authorization can instead use the EMCS Advanced offering, which complies with SOC 2 Type 2.
  • USGCB and FDCC—Federal agency requirement for desktop-based products
    • ArcGIS Desktop 9.3, 9.3.1, and 10 were FDCC self-certified. FDCC has been superseded and evolved into USGCB, so ArcGIS Desktop 10.1 and later are USGCB self-certified.
    • ArcGIS Pro 1.4.1 and later are USGCB self-certified.
  • Section 508: WCAG, ADA—Federal agency software accessibility requirements for people with disabilities
    • Esri's commitment to accessibility is to design and implement accessible GIS products and technologies that align with the objectives of Section 508, WCAG, and ADA.
    • Esri's goal is to design and implement accessible GIS products and technologies that align with the objectives of Section 508.

Privacy initiatives

Esri as a company and its products are aligned with the following privacy standards and regulations:

  • Health Insurance Portability and Accountability Act (HIPAA)
    • Provides federal protections for personal health information held by covered entities and gives patients an array of rights.
    • Product alignment details: ArcGIS Trust Center HIPAA Privacy

Solution-based

ArcGIS is frequently implemented in different enterprise geospatial deployment patterns to align with many security standards. This is accomplished with either hybrid or on-premises deployments that can be supplemented with third-party security components. Esri is working on documenting and validating best practice guidance to facilitate alignment with security requirements, such as the following:

  • Criminal Justice Information Services (CJIS) Security Policy—Law enforcement
    • CJIS applies to all law enforcement institutions to provide appropriate controls to protect the full life cycle of criminal justice information.
  • STIGs—Defense
    • STIG is available for ArcGIS GIS Server. See the DISA website.
  • FIPS 140-2—Cryptographic modules
    • Note: Esri products are compatible with the Windows security policy setting "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing."
  • PCI DSS—Payment card industry
    • Note: Unlike other solutions listed above, most Esri customers are not looking for payment card industry alignment but instead use PCI as a basic security compliance validation mechanism, as it is built into many scanners today.

Cloud providers

ArcGIS Online uses cloud infrastructure providers that are compliant with the following:

  • ISO 27001
  • FedRAMP
  • SOC

For more details, see the Amazon Web Services and Microsoft Azure websites.