ArcGIS is designed and managed in alignment with regulations, standards, and best practices. Esri's compliance initiatives are grouped into four categories:
- Products and services security—Esri product and service-based security compliance
- Privacy initiatives—Company and product privacy commitments
- Solution-based—Deployment patterns that align with compliance requirements
- Cloud providers—ArcGIS Online cloud infrastructure provider compliance
Products and services security
The following compliance initiatives are specific to products and services offered by Esri:
- FedRAMP Tailored Low—ArcGIS Online United States-based
- Security controls for this multitenant, cloud-based SaaS align with National Institute of Standards and Technology (NIST) Special Publication 800-53 (Revision 4), which maps to International Organization for Standardization (ISO) 27001 and ISO/IEC 15408 controls.
- Thirty pages of ArcGIS Online Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ) answers are available on the Trust Center Documents page. To review the annual FedRAMP Tailored Low: ArcGIS Online United States-based operations assessment, contact your account manager; it is provided under NDA.
- For questions, contact SoftwareSecurity@esri.com.
- FedRAMP Moderate—Esri Managed Cloud Services (EMCS) Advanced Plus
- A cloud-based secure infrastructure and operations environment that meets customer single-tenant requirements for hosted ArcGIS Enterprise
- For questions, contact ManagedCloudServices@esri.com.
- SSAE 18/SOC—Cloud Service Providers (CSP) and EMCS
- ArcGIS Online does not perform a duplicative or separate SOC audit, as a more advanced FedRAMP authorization (which includes annual third-party assessments) is already in place. Request CSP SOC reports directly from Amazon Web Services and Microsoft Azure.
- Customers not requiring the rigor of EMCS Advanced Plus with FedRAMP Moderate authorization can instead use the EMCS Advanced offering, which complies with SOC 2 Type 2.
- USGCB and FDCC—Federal agency requirement for desktop-based products
- ArcGIS Desktop 9.3, 9.3.1, and 10 were FDCC self-certified. FDCC has been superseded and evolved into USGCB, so ArcGIS Desktop 10.1 and later are USGCB self-certified.
- ArcGIS Pro 1.4.1 and later are USGCB self-certified.
- Section 508: WCAG, ADA—Federal agency software accessibility requirements for people with disabilities
Privacy initiatives
Esri as a company and its products are aligned with the following privacy standards and regulations:
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
Solution-based
ArcGIS is frequently implemented in different enterprise geospatial deployment patterns to align with many security standards. This is accomplished with either hybrid or on-premises deployments that can be supplemented with third-party security components. Esri is working on documenting and validating best practice guidance to facilitate alignment with security requirements, such as the following:
- Criminal Justice Information Services (CJIS) Security Policy—Law enforcement
- CJIS applies to all law enforcement institutions to provide appropriate controls to protect the full life cycle of criminal justice information.
- A Security Technical Implementation Guide (STIG) is available for ArcGIS GIS Server. See the DISA website.
- FIPS 140-2—Cryptographic modules
- Note: Esri products are compatible with the Windows security policy setting System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
- PCI DSS—Payment card industry
- Note: Unlike other solutions listed above, most Esri customers are not looking for payment card industry alignment but instead use PCI as a basic security compliance validation mechanism, as it is built into many scanners today.
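When the Windows FIPS algorithm policy mentioned above is part of a deployment baseline, a practitioner usually wants two things: confirmation that the policy is actually set on the host, and confirmation that the runtime in use enforces it. The following PowerShell is an added example written for this page, not Esri code; it assumes the standard registry location of the policy (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy, value Enabled) and the documented behaviour of .NET Framework, where the fully managed hash classes refuse to construct while the policy is on. The function names are this example's own.

```powershell
# Added example for this page; not Esri code. Reads the Windows FIPS algorithm policy
# and checks whether the running .NET runtime actually enforces it.
function Get-FipsPolicyState {
    # Assumption: standard policy location; Enabled = 1 means the policy is on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        RegistryPath = $key
        Enabled      = ($enabled -eq 1)   # 0 or a missing value both mean "off"
    }
}

function Test-FipsEnforcement {
    # On Windows PowerShell 5.1 (.NET Framework, PSEdition 'Desktop') the fully managed
    # SHA-256 implementation is not FIPS-validated, so its constructor throws while the
    # policy is on; the CNG-backed implementation is validated and works in either state.
    # PowerShell 7 (.NET Core / .NET 5+, PSEdition 'Core') no longer performs this check,
    # so a managed constructor succeeding there proves nothing about the policy.
    $result = [pscustomobject]@{
        Runtime         = $PSVersionTable.PSEdition
        ManagedRejected = $false
        CngAvailable    = $false
    }
    try {
        [void][System.Security.Cryptography.SHA256Managed]::new()
    } catch {
        $result.ManagedRejected = $true
    }
    try {
        [void][System.Security.Cryptography.SHA256Cng]::new()
        $result.CngAvailable = $true
    } catch {
        $result.CngAvailable = $false
    }
    $result
}

$policy = Get-FipsPolicyState
$policy
$check = Test-FipsEnforcement
$check

# Flag the one combination that indicates a misconfiguration rather than a runtime difference:
# the registry says the policy is on, the runtime is .NET Framework, yet nothing was rejected.
if ($policy.Enabled -and $check.Runtime -eq 'Desktop' -and -not $check.ManagedRejected) {
    Write-Warning 'FIPS policy is set in the registry but the .NET Framework runtime did not enforce it.'
}
```

Run it in the same PowerShell edition the application's tooling uses; the enforcement check is only meaningful under Windows PowerShell 5.1, and the registry read is what to rely on under PowerShell 7. Group Policy changes to this setting take effect only after a reboot, so a freshly applied policy can show Enabled = 1 while a still-running process behaves as if it were off.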
Cloud providers
ArcGIS Online uses cloud infrastructure providers that are compliant with the following:
- ISO 27001