ArcGIS has been designed and is managed in alignment with regulations, standards and best practices. Esri's compliance initiatives are grouped into four categories:

  • Products and Services Security - Esri product and service based security compliance
  • Privacy Initiatives - Company and product Privacy commitments
  • Solution Based - Deployment patterns that align with compliance requirements
  • Cloud Providers - ArcGIS Online cloud infrastructure provider compliance

Products and Services Security

The following compliance initiatives are specific to products and services offered by Esri:

  • FedRAMP Tailored Low: Federal Agency Requirement for Cloud-Based Production SaaS
  • FedRAMP Moderate: Federal Agency Requirement for Cloud-Based Production Systems
    • Esri Managed Cloud Services (EMCS) Advanced Plus is a FedRAMP Moderate agency-authorized offering, initially sponsored by the US Census Bureau. It is a cloud-based secure infrastructure and operations environment that meets increased security needs for hosted ArcGIS Enterprise.
  • SOC Reports: The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) framework.
    • ArcGIS Online does not perform a duplicative/separate SOC audit as a more advanced FedRAMP authorization (which includes annual third party assessments) is already in place. Customers interested in SOC reports concerning the cloud infrastructure providers utilized by our services can obtain the reports directly from the respective providers, Amazon Web Services and Microsoft Azure.
    • Customers not requiring the rigor of EMCS Advanced Plus with FedRAMP Moderate authorization can instead choose to utilize an EMCS Advanced offering that has a SOC 2 Type 2 assessment and report. A report for EMCS (covered by a non-disclosure agreement) can be requested by sending an email to (not for ArcGIS Online requests).
  • USGCB & FDCC: Federal Agency Requirement for Desktop based products
    • ArcGIS Desktop versions 9.3, 9.3.1, and version 10 were FDCC self-certified. FDCC has been superseded and evolved into USGCB; therefore, ArcGIS Desktop version 10.1 and higher are USGCB self-certified.
    • ArcGIS Pro 1.4.1 and higher are USGCB self-certified.
  • Section 508: Federal Agency Software Accessibility Requirements for People with Disabilities
    • Esri's goal is to design and implement accessible GIS products and technologies that align with the objectives of Section 508.

Privacy Initiatives

Esri as a company and its products are aligned with the following privacy standards/regulations:

Solution Based

ArcGIS is frequently implemented in different enterprise geospatial deployment patterns to align with many security standards. This is accomplished with either hybrid or on-premises deployments that can be supplemented with 3rd party security components. Esri is working on documenting and validating best practice guidance to facilitate alignment with security requirements, such as:

  • CJIS: Law Enforcement
    • CJIS applies to all law enforcement institutions to provide appropriate controls to protect the full lifecycle of Criminal Justice Information (CJI).
  • HIPAA: Healthcare
    • Note: While Esri services are currently not validated for HIPAA compliance, many of our customers use our products combined with security/privacy tools and processes to provide HIPAA compliant solutions.
  • STIGs: Defense
    • STIG available for ArcGIS Server. See DISA website.
  • FIPS 140-2: Cryptographic modules
    • Note: Esri products are compatible with the "Use FIPS compliant algorithms..." security setting in Windows.
  • PCI DSS: Payment Card Industry
    • Note: Unlike other solutions listed above, most Esri customers are not looking for payment card industry alignment, but instead utilize PCI as a basic security compliance validation mechanism as it is built into many scanners today.

Cloud Providers

ArcGIS Online utilizes cloud infrastructure providers that are compliant with the following:

  • ISO 27001
  • FedRAMP
  • SOC

For more details see the Amazon Web Services and Microsoft Azure websites.
