Skip To Content

ArcGIS Trust Center

  • Overview
  • Security
  • Privacy
  • Compliance
  • Documents
Launch Security Advisor
Back to Top

Compliance

In this topic

  1. Products and services security
  2. Privacy initiatives
  3. Solution-based
  4. Cloud providers

ArcGIS is designed and managed in alignment with regulations, standards, and best practices. Esri's compliance initiatives are grouped into four categories:

  • Products and services security—Esri product and service-based security compliance
  • Privacy initiatives—Company and product privacy commitments
  • Solution-based—Deployment patterns that align with compliance requirements
  • Cloud providers—ArcGIS Online cloud infrastructure provider compliance

Products and services security

The following compliance initiatives are specific to products and services offered by Esri:

  • FedRAMP Tailored Low—ArcGIS Online United States-based operations
    • Security controls for this multitenant, cloud-based SaaS align with National Institute of Standards and Technology (NIST) Special Publication 800-53 (Revision 4), which maps to International Standards Organization (ISO) 27001 and 15408 controls.
    • Thirty pages of ArcGIS Online CSA CAIQ answers are available on the Trust Center Documents page, or if you want to see the annual FedRAMP Tailored Low: ArcGIS Online United States-based operations assessment, contact your account manager to obtain it under NDA.
    • For questions, contact SoftwareSecurity@esri.com.
  • FedRAMP Moderate—Esri Managed Cloud Services (EMCS) Advanced Plus
    • A cloud-based secure infrastructure and operations environment that meets customer single-tenant requirements for hosted ArcGIS Enterprise
    • For questions, contact ManagedCloudServices@esri.com.
  • SSAE 18/SOC—Cloud Service Providers (CSP) and EMCS
    • ArcGIS Online does not perform a duplicative or separate SOC audit, as a more advanced FedRAMP authorization (which includes annual third-party assessments) is already in place. Request CSP SOC reports directly from Amazon Web Services and Microsoft Azure.
    • Customers not requiring the rigor of EMCS Advanced Plus with FedRAMP Moderate authorization can instead use the EMCS Advanced offering, which complies with SOC 2 Type 2.
      • To request an EMCS SOC 2 Type 2 report (under NDA), contact ManagedCloudServices@esri.com.
      • The EMCS Advanced SOC 3 report is a general use report that does not require NDA.
  • USGCB and FDCC—Federal agency requirement for desktop-based products
    • ArcGIS Desktop 9.3, 9.3.1, and 10 were FDCC self-certified. FDCC has been superseded and evolved into USGCB, so ArcGIS Desktop 10.1 and later are USGCB self-certified.
    • ArcGIS Pro 1.4.1 and later are USGCB self-certified.
  • Section 508: WCAG, ADA—Federal agency software accessibility requirements for people with disabilities
    • Esri's commitment to accessibility is to design and implement accessible GIS products and technologies that align with the objectives of Section 508, WCAG, and ADA.
    • Esri's goal is to design and implement accessible GIS products and technologies that align with the objectives of Section 508.

Privacy initiatives

Esri as a company and its products are aligned with the following privacy standards and regulations:

  • General Data Protection Regulation (GDPR)
    • Regulation for handling European Union (EU) citizen personal information
    • Product alignment details: ArcGIS Trust Center GDPR Privacy
    • Company alignment details: General Esri GDPR Privacy
  • California Consumer Privacy Act (CCPA)
    • Provides consumers in California additional rights and protections regarding how businesses may use their personal information.
    • Product alignment details: ArcGIS Trust Center CCPA Privacy
    • Company alignment details: General Esri CCPA Notice

  • Health Insurance Portability and Accountability Act (HIPAA)
    • Provides federal protections for personal health information held by covered entities and gives patients an array of rights.
    • Product alignment details: ArcGIS Trust Center HIPAA Privacy

Solution-based

ArcGIS is frequently implemented in different enterprise geospatial deployment patterns to align with many security standards. This is accomplished with either hybrid or on-premises deployments that can be supplemented with third-party security components. Esri is working on documenting and validating best practice guidance to facilitate alignment with security requirements, such as the following:

  • Criminal Justice Information Services (CJIS) Security Policy—Law enforcement
    • CJIS applies to all law enforcement institutions to provide appropriate controls to protect the full life cycle of criminal justice information.
  • STIGs—Defense
    • STIG is available for ArcGIS GIS Server. See the DISA website.
  • FIPS-140-2—Cryptographic modules
    • Note: Esri products are compatible with the Use FIPS compliant algorithms security setting in Windows.
  • PCI DSS—Payment card industry
    • Note: Unlike other solutions listed above, most Esri customers are not looking for payment card industry alignment but instead use PCI as a basic security compliance validation mechanism, as it is built into many scanners today.

Cloud providers

ArcGIS Onlineuses cloud infrastructure providers that are compliant with the following:

  • ISO 27001
  • FedRAMP
  • SOC

For more details, see the Amazon Web Services and Microsoft Azure websites.

FedRAMP logo GDPR logo

Feedback on this topic?

In this topic
  1. Products and services security
  2. Privacy initiatives
  3. Solution-based
  4. Cloud providers