ArcGIS has been designed and is managed in alignment with regulations, standards and best practices. Esri's compliance initiatives are grouped into four categories:
- Products and services security—Esri product and service based security compliance
- Privacy initiatives—Company and product privacy commitments
- Solution-based—Deployment patterns that align with compliance requirements
- Cloud providers—ArcGIS Online cloud infrastructure provider compliance
Products and services security
The following compliance initiatives are specific to products and services offered by Esri:
- FedRAMP Tailored Low: ArcGIS Online
- Security controls for this multi-tenant, cloud-based SaaS align with National Institute of Standards and Technology (NIST) Special Publication 800-53 (Revision 4), which maps to International Organization for Standardization (ISO) 27001 and ISO/IEC 15408 controls.
- Thirty pages of ArcGIS Online answers to the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ) are available in the Trust Center Documents. To review the annual FedRAMP assessment, contact your account manager to obtain it under NDA.
- Questions: SoftwareSecurity@esri.com
- FedRAMP Moderate: Esri Managed Cloud Services (EMCS) Advanced Plus
- A cloud-based secure infrastructure and operations environment that meets customer single-tenant requirements for hosted ArcGIS Enterprise.
- Questions: ManagedCloudServices@esri.com
- SSAE 18 / SOC: Cloud Service Providers (CSP) and EMCS
- ArcGIS Online does not undergo a separate, duplicative SOC audit because its FedRAMP authorization, which includes annual third-party assessments, is already in place. Note that a FedRAMP assessment is not a SOC report; if your audit framework requires one, request the CSP SOC reports directly from Amazon Web Services and Microsoft Azure.
- Customers that do not require the rigor of EMCS Advanced Plus with FedRAMP Moderate authorization can instead use the SOC 2 Type 2 EMCS offering.
- Request the EMCS SOC 2 report (under NDA): ManagedCloudServices@esri.com
- USGCB & FDCC: Federal agency requirement for desktop-based products
- ArcGIS Desktop versions 9.3, 9.3.1, and 10 were self-certified against the Federal Desktop Core Configuration (FDCC). FDCC has since been superseded by the United States Government Configuration Baseline (USGCB), so ArcGIS Desktop 10.1 and higher are USGCB self-certified.
- ArcGIS Pro 1.4.1 and higher are USGCB self-certified.
- Section 508: WCAG, ADA: Federal agency software accessibility requirements for people with disabilities
Privacy initiatives
Esri as a company, and its products, are aligned with the following privacy standards and regulations:
- GDPR: General Data Protection Regulation
- CCPA: California Consumer Privacy Act
Solution-based
ArcGIS is frequently deployed in enterprise geospatial deployment patterns that align with many security standards. This is accomplished with hybrid or on-premises deployments, supplemented where needed with third-party security components. Esri is documenting and validating best-practice guidance to facilitate alignment with security requirements such as:
- CJIS: Law Enforcement
- The CJIS Security Policy applies to all law enforcement institutions and prescribes controls to protect Criminal Justice Information (CJI) across its full lifecycle.
- STIGs: Defense
- STIG available for ArcGIS Server. See DISA website.
- FIPS 140-2: Cryptographic modules
- Note: Esri products are compatible with the "Use FIPS compliant algorithms..." security setting in Windows. When this setting is enabled, the Windows cryptographic providers and .NET Framework applications on the host reject algorithm implementations that are not FIPS-validated, so verify application behavior with the setting enabled before rolling it out fleet-wide.
- PCI DSS: Payment Card Industry
- Note: Unlike the other frameworks listed above, most Esri customers are not seeking payment card industry alignment; they use PCI DSS as a baseline security validation because PCI checks are built into many vulnerability scanners.
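The following PowerShell script is an added example, not Esri's code or documentation, for checking the FIPS 140-2 note above on a host that runs ArcGIS desktop or server components. It reads the registry value that backs the Windows FIPS policy setting (the `FipsAlgorithmPolicy\Enabled` value under `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa`) and then shows the policy's practical effect: under Windows PowerShell 5.1 (.NET Framework), constructing a managed, non-validated hash implementation such as `SHA256Managed` fails when the policy is enforced, while the validated `SHA256CryptoServiceProvider` works either way. The function names are this example's own; the assumption that the host runs Windows PowerShell 5.1 is noted in the code, since PowerShell 7 on .NET Core does not enforce the policy.

```powershell
# Added example (not Esri's code): report whether the Windows FIPS policy is
# enabled on this host and whether .NET Framework is actually enforcing it.
# Assumes Windows PowerShell 5.1 (.NET Framework). PowerShell 7 (.NET Core)
# ignores the policy, so the enforcement check is skipped there.

function Get-FipsPolicyState {
    # The Group Policy setting is stored as this DWORD; 1 = enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.Enabled -eq 1)
}

function Test-FipsEnforcement {
    # Under FIPS policy, .NET Framework refuses managed implementations that
    # are not FIPS-validated (SHA256Managed, MD5CryptoServiceProvider, ...).
    if ($PSVersionTable.PSEdition -ne 'Desktop') {
        return 'Not applicable: this PowerShell edition does not enforce FIPS policy'
    }
    try {
        [void][System.Security.Cryptography.SHA256Managed]::new()
        return 'SHA256Managed constructed: FIPS policy is NOT being enforced'
    } catch {
        $base = $_.Exception.GetBaseException()
        return ('SHA256Managed rejected ({0}): FIPS policy is enforced' -f $base.GetType().Name)
    }
}

function Get-ValidatedSha256Hex([string]$Text) {
    # The CSP-backed provider is FIPS-validated and works regardless of policy.
    $sha = [System.Security.Cryptography.SHA256CryptoServiceProvider]::new()
    try {
        $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        return ([System.BitConverter]::ToString($hash) -replace '-', '')
    } finally {
        $sha.Dispose()
    }
}

Write-Host ("FipsAlgorithmPolicy\Enabled = {0}" -f (Get-FipsPolicyState))
Write-Host (Test-FipsEnforcement)
Write-Host ("SHA256CryptoServiceProvider OK: {0}" -f (Get-ValidatedSha256Hex 'hello'))
```

The registry value is read by .NET Framework at process start, so after toggling the policy, run the check in a fresh PowerShell session (and restart any ArcGIS services) before drawing conclusions. A host where `Enabled = 1` but the enforcement check still constructs `SHA256Managed` usually means the session is PowerShell 7 or the value was changed after the process started.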
Cloud providers
ArcGIS Online utilizes cloud infrastructure providers that are compliant with the following:
- ISO 27001