Products and Services Security

The following compliance initiatives are specific to products and services offered by Esri:

• FedRAMP Tailored Low: Federal Agency Requirement for Cloud-Based Production SaaS
  • ArcGIS Online has been granted a FedRAMP Tailored Low Authority to Operate (ATO). The security controls for this authorization align with National Institute of Standards and Technology (NIST) Special Publication 800-53 (Revision 4) which maps to International Standards Organization (ISO) 27001 & 15408 controls.
• FedRAMP Moderate: Federal Agency Requirement for Cloud-Based Production Systems
  • Esri Managed Cloud Services (EMCS) is a FedRAMP Moderate agency-authorized offering under Managed Services. EMCS achieved FedRAMP Moderate Authority to Operate (ATO) from the US Census Bureau. It is a cloud-based secure infrastructure and operations environment that meets increased security needs for hosted ArcGIS Server and Portal.
• SOC 1, 2, and 3 Reports: The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) framework
  • Esri does not perform duplicative/separate SOC audits for Products & Services that have more advanced certification and authorizations already in-place such as FedRAMP listed above. Customers interested in SOC reports concerning the cloud infrastructure providers utilized by our services can obtain the reports directly from the respective providers.
• USGCB & FDCC: Federal Agency Requirement for Desktop based products
  • ArcGIS Desktop versions 9.3, 9.3.1, and version 10 were FDCC self-certified. FDCC has been superseded and evolved into USGCB, therefore ArcGIS Desktop version 10.1 and higher are USGCB self-certified.
  • ArcGIS Pro 1.4.1 and higher are USGCB self-certified
• Section 508: Federal Agency Software Accessibility Requirements for People with Disabilities
  • Esri's goal is to design and implement accessible GIS products and technologies that align with the objectives of Section 508.

Privacy Initiatives

Esri as a company and its products are aligned with the following privacy standards/regulations:

• GDPR: General Data Protection Regulation
  • Our company and products align with this regulation for handling EU citizen private information.
• Privacy Shield: Privacy assurance certification
  • Esri now has a general company privacy statement and a supplemental privacy statement providing enhanced privacy assurance for our products and services such as ArcGIS Online.

Solution Based

The ArcGIS platform is frequently implemented in different enterprise geospatial deployment patterns to align with many security standards. This is accomplished with either hybrid or on-premises deployments that can be supplemented with 3rd party security components. Esri is working on documenting and validating best practice guidance to facilitate alignment with security requirements, such as:

• CJIS: Law Enforcement
• HIPAA: Healthcare
  • Note: While Esri services are currently not validated for HIPAA compliance, many of our customers use our products combined with security/privacy tools and processes to provide HIPAA compliant solutions.
• STIGs: Defense
• FIPS 140-2: Cryptographic modules
  • Note: Esri products are compatible with the "Use FIPS compliant algorithms..." security setting in Windows XP and later versions of Windows.
• PCI DSS: Payment Card Industry
  • Note: Unlike other solutions listed above, most Esri customers are not looking for payment card industry alignment, but instead utilize PCI as a basic security compliance validation mechanism as it is built into many scanners today. In 2015, PCI checks included assurance of TLS 1.1 and higher only for systems. Please reference TLS guidance with the ArcGIS Platform for more information.

Cloud providers

ArcGIS Online utilizes cloud infrastructure providers that are compliant with the following:

• ISO 27001
• FedRAMP
• SSAE16 SOC1 Type 2

For more details see the Amazon Web Services and Microsoft Azure websites.