Security Technical Implementation Guides (STIGs) are a configuration standard consisting of cyber security requirements for a specific product overseen by the US Defense Information Systems Agency (DISA). The use of STIGs enables a methodology for securing protocols within networks, servers, computers, and logical designs to enhance overall security.
Esri in-scope Services
Deprecated Approach
The ArcGIS Server STIG does not include Portal for ArcGIS or ArcGIS Data Store as part of a federated deployment and therefore does not provide adequate security guidance for typical ArcGIS Enterprise deployments containing this broader set of capabilities. The ArcGIS Server 10.3 STIG was updated several times to ensure it was compatible through ArcGIS Server 11.0. To better address the scope of typical ArcGIS Enterprise deployments, some customers supplemented the security of their deployment by aligning with the generic DISA Application Security and Development (ASD) STIG, however it provides inadequate guidance for our product's unique capabilities.
Recommended Approach
The ArcGIS Enterprise Hardening Guide, released in 2024, allows customers to transition away from both the ArcGIS Server STIG (sunset in 2023) and generic DISA ASD STIG to more targeted, validated security assurance in alignment with NIST 800-53 and EO-Critical Software security control requirements. Both existing and new ArcGIS Enterprise deployments should transition to utilizing the ArcGIS Enterprise Hardening Guide for the most effective, secure deployment aligning with accreditation requirements moving forwards.
Resources
- ArcGIS Enterprise Hardening Guide (Public)
- ArcGIS Server STIG (Public - Sunset)
- STIG FAQs (Public)