ArcGIS has been designed and is managed in alignment with regulations, standards and best practices. Esri's compliance initiatives are grouped into four categories:
- Products and Services Security - Esri product and service based security compliance
- Privacy Initiatives - Company and product Privacy commitments
- Solution Based - Deployment patterns that align with compliance requirements
- Cloud Providers - ArcGIS Online cloud infrastructure provider compliance
Products and Services Security
The following compliance initiatives are specific to products and services offered by Esri:
- FedRAMP Tailored Low: Federal Agency Requirement for Cloud-Based Production SaaS
  - ArcGIS Online has been granted a FedRAMP Tailored Low Authority to Operate (ATO). The security controls for this authorization align with National Institute of Standards and Technology (NIST) Special Publication 800-53 (Revision 4), which maps to International Standards Organization (ISO) 27001 & 15408 controls.
  - Additional questions, concerns, and feedback regarding ArcGIS Online and Esri's product compliance initiatives are welcome and may be directed to Esri's Software Security and Privacy Team at SoftwareSecurity@esri.com.
- FedRAMP Moderate: Federal Agency Requirement for Cloud-Based Production Systems
  - Esri Managed Cloud Services (EMCS) Advanced Plus is a FedRAMP Moderate agency-authorized offering, initially sponsored by the US Census Bureau. It is a cloud-based secure infrastructure and operations environment that meets increased security needs for hosted ArcGIS Enterprise.
- SOC 1, 2, and 3 Reports: The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) framework
  - ArcGIS Online does not perform a duplicative, separate SOC audit, as a more advanced FedRAMP authorization (which includes annual third-party assessments) is already in place. Customers interested in SOC reports concerning the cloud infrastructure providers utilized by our services can obtain the reports directly from the respective providers, Amazon Web Services and Microsoft Azure.
  - Customers not requiring the rigor of EMCS Advanced Plus with FedRAMP Moderate authorization can instead choose an EMCS offering that has a SOC 2 Type 2 assessment and report (effective December 14, 2018). A report for EMCS (covered by a non-disclosure agreement) can be requested by sending an email to ManagedCloudServices@esri.com (not for ArcGIS Online requests).
- USGCB & FDCC: Federal Agency Requirement for Desktop-Based Products
  - ArcGIS Desktop versions 9.3, 9.3.1, and 10 were FDCC self-certified. FDCC has been superseded by USGCB; therefore ArcGIS Desktop version 10.1 and higher are USGCB self-certified.
  - ArcGIS Pro 1.4.1 and higher are USGCB self-certified.
- Section 508: Federal Agency Software Accessibility Requirements for People with Disabilities
  - Esri's goal is to design and implement accessible GIS products and technologies that align with the objectives of Section 508.
Privacy Initiatives
Esri as a company and its products are aligned with the following privacy standards and regulations:
- GDPR: General Data Protection Regulation
  - Our company and products align with this regulation for handling EU citizens' private information.
- Privacy Shield: Privacy assurance certification
Solution Based
ArcGIS is frequently implemented in different enterprise geospatial deployment patterns to align with many security standards. This is accomplished with either hybrid or on-premises deployments that can be supplemented with third-party security components. Esri is working on documenting and validating best-practice guidance to facilitate alignment with security requirements, such as:
- CJIS: Law Enforcement
- HIPAA: Healthcare
  - Note: While Esri services are currently not validated for HIPAA compliance, many of our customers use our products combined with security and privacy tools and processes to provide HIPAA-compliant solutions.
- STIGs: Defense
- FIPS 140-2: Cryptographic modules
  - Note: Esri products are compatible with the "Use FIPS compliant algorithms..." security setting in Windows XP and later versions of Windows.
- PCI DSS: Payment Card Industry
  - Note: Unlike the other solutions listed above, most Esri customers are not looking for payment card industry alignment, but instead utilize PCI as a basic security compliance validation mechanism, as it is built into many scanners today. In 2015, PCI checks included assurance that systems accept only TLS 1.1 and higher. Please reference TLS guidance with ArcGIS for more information.
Cloud Providers
ArcGIS Online utilizes cloud infrastructure providers that are compliant with the following:
- ISO 27001
- SSAE 16 SOC 1 Type 2