Esri has achieved a significant milestone by securing the Federal Risk and Authorization Management Program (FedRAMP) Moderate authorization for its cornerstone software as a service (SaaS) product, ArcGIS Online.
In today’s digital age, as cyberthreats continually evolve, organizations across various sectors require dependable solutions to protect their data. FedRAMP Moderate authorization ensures that cloud service providers like Esri meet stringent security standards that are essential for safeguarding sensitive data.
This compliance makes more data eligible for use in ArcGIS Online, which is vital for high-risk sectors, such as finance and health care, that handle sensitive information and are susceptible to data breaches. Additionally, small businesses benefit from these robust security measures, since they gain high-level protection without needing to invest in their own security infrastructure. FedRAMP’s standardized security assessments and ongoing monitoring also improve cybersecurity overall, creating a safer digital environment for everyone.
The authorization reflects Esri’s ongoing commitment to software security and compliance. To achieve FedRAMP Moderate authorization, ArcGIS Online security infrastructure and processes underwent rigorous evaluation and received approval from an independent third party. By meeting FedRAMP Moderate standards, ArcGIS Online provides a secure and reliable environment for the storage, processing, and management of moderate-risk data, including financial, health, and personally identifiable information.
With growing cybersecurity risks and tightening data privacy regulations, organizations across all sectors can enhance their mapping and spatial analysis workflows by adopting and expanding their use of ArcGIS Online.
Key Benefits for Organizations
The FedRAMP Moderate authorization for ArcGIS Online presents a range of advantages for organizations that use the SaaS technology, from expanding the types of data that can be stored and processed to strengthening opportunities to collaborate.
A Reliably Secure SaaS Infrastructure
ArcGIS Online is the first SaaS-based GIS to achieve FedRAMP Moderate authorization based on the US Department of Commerce’s National Institute of Standards and Technology’s (NIST) SP 800-53 Revision 5 security controls. As a cloud-based solution, ArcGIS Online enhances organizational efficiency by reducing the time and costs required to set up the system, since it eliminates the need to invest in infrastructure, engineering, and system administration. Not only did Esri seamlessly increase the security assurance level of ArcGIS Online, but the company also migrated to NIST’s latest security control revision with no impact to customers.
Confidently Store and Process Moderate-Impact Data
Organizations that use ArcGIS Online can confidently collect, maintain, process, disseminate, and dispose of Low- or Moderate-Impact data. This enables users to perform a wide range of geospatial workflows while adhering to the highest standards of security and compliance.
Enhanced Collaboration and Sharing
Organizations can expand their collaboration with external stakeholders to include those that need to ensure a higher degree of security compliance. With more data in the system and more people able to work with that data, processes such as sharing data, conducting analysis, and expanding situational awareness become more powerful.
A Seamless Integration with ArcGIS Enterprise
Organizations can seamlessly integrate ArcGIS Online with their existing ArcGIS Enterprise deployments to scale beyond the reach of on-premises capacity, facilitating data sharing, collaboration, and comprehensive geospatial workflows.
Using Advanced Geospatial Capabilities for Critical Operations
For organizations that engage in emergency response, disaster management, infrastructure planning, and environmental monitoring, they can expand their use of ArcGIS Online to incorporate a wider variety of geospatial data in support of critical operations.
Value and Relevance for International Users
For international users that need to align with standards such as the International Organization for Standardization’s ISO/IEC 27001, the ArcGIS Trust Center provides information on mapping FedRAMP compliance to ISO 27001 security controls. This tool shows how FedRAMP meets international security and compliance requirements, aiding users from around the world in understanding the authorization’s relevance to their needs.
Depend on Continually Monitored Infrastructure
Maintaining FedRAMP Moderate authorization requires Esri to continuously monitor ArcGIS Online services, perform annual penetration testing, and get approval by an independent third party. ArcGIS Online is segmented from corporate systems so that any compromises that affect corporate systems do not affect ArcGIS Online, providing resilience.
The Unique Advantages of Enhanced Security
Since every organization has its own data classifications, IT resources, and specific requirements, each will experience unique benefits from the enhanced security posture of ArcGIS Online.
For example, Organization A, which has stringent security requirements and limited IT resources, can use ArcGIS Online FedRAMP Moderate authorization to meet its compliance obligations and integrate ArcGIS Online into its existing systems. This will allow staff members to access and analyze geospatial data without investing in additional hardware or software. Leaders can be confident that the organization’s data is protected at the highest level, building trust with stakeholders and strengthening the organization’s reputation.
Organization B, which analyzes utility networks, can now efficiently integrate more workflows into ArcGIS Online while maintaining custom database configurations in its ArcGIS Enterprise deployment. This organization has various options for hybrid deployments with ArcGIS Online and ArcGIS Enterprise, allowing users to incorporate moderate-risk data in workflows that extend beyond the reach of on-premises capacities.
Organization C is a federal agency known for its stringent security measures and vast amounts of sensitive data. It offers public information through a scalable external platform. By adopting ArcGIS Online, this agency can now share previously inaccessible data with external stakeholders, improving situational awareness and communication across teams, emergency centers, and local emergency response leaders. This integration streamlines workflows, boosts collaboration, and supports better-informed decision-making.
In each of these scenarios, the ArcGIS Online FedRAMP Moderate authorization helps organizations meet their unique security needs. This enables them to leverage the power of GIS technology to collaborate, share data, and develop innovative location-based solutions in new ways, ultimately allowing them to achieve their missions.
Understanding Your Organization’s Responsibility
Organizations that align their workflows with the FedRAMP Moderate authorization are responsible for implementing and maintaining certain security controls and practices.
These organizations should review the Customer Responsibility Matrix (CRM)—available in the Documents tab of the ArcGIS Trust Center once signed in—and determine how best to implement any required changes. The CRM describes elements of user engagement outside of Esri’s scope, such as the requirement that end-users employ multifactor authentication and categorize datasets to align with Zero Trust Architecture (ZTA) stipulations and privacy regulations, whether at the state or international level.
Visit the ArcGIS Trust Center at trust.arcgis.com to learn more about what the ArcGIS Online FedRAMP Moderate authorization means for your organization.