The ArcGIS Platform has been designed and is managed in alignment with regulations, standards and best practices. Esri's compliance initiatives are grouped into four categories:
- Products and Services - Esri product and service based compliance
- Solution Based - Deployment patterns that align with compliance requirements
- Corporate Operations - Esri's corporate operations compliance alignment
- Cloud Providers - ArcGIS Online cloud infrastructure provider compliance
Products and Services
The following compliance initiatives are specific to products and services offered by Esri:
- FISMA Low: Federal Agency Production System Security Accreditation
  - ArcGIS Online has been granted FISMA Low Authority to Operate. FISMA Low controls align with National Institute of Standards and Technology (NIST) Special Publication 800-53, which maps to International Standards Organization (ISO) controls.
- FedRAMP Moderate: Federal Agency Requirement for Cloud-Based Production Systems
  - Esri Managed Cloud Services (EMCS) is a FedRAMP Moderate agency-authorized offering under Managed Services. EMCS achieved FedRAMP Moderate Authority to Operate (ATO) from the US Census Bureau. It is a cloud-based secure infrastructure and operations environment that meets increased security needs for hosted ArcGIS Server and Portal.
- SOC 1, 2, and 3 Reports: The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) framework
  - Esri does not perform duplicative or separate SOC audits for Products & Services that already have more advanced certifications and authorizations in place, such as the FISMA and FedRAMP authorizations listed above. Customers interested in SOC reports concerning the cloud infrastructure providers utilized by our services can obtain the reports directly from the respective providers.
- USGCB & FDCC: Federal Agency Requirement for Desktop based products
  - ArcGIS Desktop versions 9.3, 9.3.1, and 10 were FDCC self-certified. FDCC has since been superseded by USGCB; therefore, ArcGIS Desktop version 10.1 and higher are USGCB self-certified.
  - ArcGIS Pro 1.4.1 and higher are USGCB self-certified.
- Section 508: Federal Agency Software Accessibility Requirements for People with Disabilities
  - Esri's goal is to design and implement accessible GIS products and technologies that align with the objectives of Section 508.
Solution Based
The ArcGIS platform is frequently implemented in different enterprise geospatial deployment patterns to align with many security standards. This is accomplished with either hybrid or on-premises deployments, which can be supplemented with third-party security components. Esri is working on documenting and validating best practice guidance to facilitate alignment with security requirements such as:
- CJIS: Law Enforcement
- HIPAA: Healthcare
- STIGs: Defense
- FIPS 140-2: Cryptographic modules
  - Note: Esri products are compatible with the "Use FIPS compliant algorithms..." security setting in Windows XP and later versions of Windows.
- PCI DSS: Payment Card Industry
  - Note: Unlike the other standards listed above, most Esri customers are not seeking payment card industry alignment as such; instead they use PCI as a basic security compliance validation mechanism, since PCI checks are built into many scanners today. In 2015, PCI checks included verifying that systems accept only TLS 1.1 and higher. Please reference the TLS guidance for the ArcGIS Platform for more information.
Corporate Operations
Esri has aligned with the following corporate-level standards and audits:
- ISO 27001: International security standards
  - Esri's Corporate Security Charter aligns with ISO 27001 standards.
- Privacy Shield: Privacy assurance certification
Cloud Providers
ArcGIS Online utilizes cloud infrastructure providers that are compliant with the following:
- ISO 27001
- SSAE16 SOC1 Type 2