Compliance

ArcGIS has been designed and is managed in alignment with regulations, standards and best practices. Esri's compliance initiatives are grouped into four categories:

  • Products and services security—Esri product and service based security compliance
  • Privacy initiatives—Company and product Privacy commitments
  • Solution-based—Deployment patterns that align with compliance requirements
  • Cloud providers—ArcGIS Online cloud infrastructure provider compliance

Products and services security

The following compliance initiatives are specific to products and services offered by Esri:

  • FedRAMP Moderate: Esri Managed Cloud Services (EMCS) Advanced Plus
    • A cloud-based secure infrastructure and operations environment that meets customer single-tenant requirements for hosted ArcGIS Enterprise.
    • Questions: ManagedCloudServices@esri.com
  • SSAE 18 / SOC: Cloud Service Providers (CSP) and EMCS
    • ArcGIS Online does not perform a duplicative/separate SOC audit as a more advanced FedRAMP authorization (which includes annual third-party assessments) is already in place. Request CSP SOC reports directly: Amazon Web Services and Microsoft Azure.
    • Customers that do not require the rigor of EMCS Advanced Plus with FedRAMP Moderate authorization can instead use a SOC 2 Type 2 EMCS offering.
    • Request EMCS SOC2 report (under NDA): ManagedCloudServices@esri.com
  • USGCB & FDCC: Federal agency requirement for Desktop-based products
    • ArcGIS Desktop versions 9.3, 9.3.1, and version 10 were FDCC self-certified. FDCC has been superseded and evolved into USGCB, therefore ArcGIS Desktop version 10.1 and higher are USGCB self-certified.
    • ArcGIS Pro 1.4.1 and higher are USGCB self-certified
  • Section 508: WCAG, ADA: Federal agency software accessibility requirements for people with disabilities
    • Esri's commitment and goal is to design and implement accessible GIS products and technologies that align with the objectives of Section 508, WCAG and ADA.

Privacy initiatives

Esri as a company and its products are aligned with the following privacy standards/regulations:

  • HIPAA: Health Insurance Portability and Accountability Act
    • Provides federal protections for personal health information held by covered entities and gives patients an array of rights.
    • Product alignment details: ArcGIS Trust Center HIPAA Privacy

Solution-based

ArcGIS is frequently implemented in different enterprise geospatial deployment patterns to align with many security standards. This is accomplished with either hybrid or on-premises deployments, which can be supplemented with third-party security components. Esri is working on documenting and validating best-practice guidance to facilitate alignment with security requirements such as:

  • CJIS: Law Enforcement
    • CJIS applies to all law enforcement institutions and requires appropriate controls to protect the full lifecycle of Criminal Justice Information (CJI).
  • STIGs: Defense
    • STIG available for ArcGIS Server. See DISA website.
  • FIPS 140-2: Cryptographic modules
    • Note: Esri products are compatible with the "Use FIPS compliant algorithms..." security setting in Windows.
  • PCI DSS: Payment Card Industry
    • Note: Unlike other solutions listed above, most Esri customers are not looking for payment card industry alignment, but instead utilize PCI as a basic security compliance validation mechanism as it is built into many scanners today.

Cloud providers

ArcGIS Online utilizes cloud infrastructure providers that are compliant with the following:

  • ISO 27001
  • FedRAMP
  • SOC

For more details see the Amazon Web Services and Microsoft Azure websites.