Implemented and Upcoming 2023 ArcGIS Security & Privacy Advancements

As we kick off the new year, it’s worth taking a few minutes to summarize key milestones which can significantly enhance how your organization uses ArcGIS, such as:

1. FedRAMP MODERATE – As 2022 came to a close we wrapped up a 20+ week, third-party assessment of ArcGIS Online.  The agency authorization process has started which will be completed over the next several months.  If you are not a US government organization and just need to see the 3^rd party audit report to confirm ArcGIS Online stores your data in alignment with FedRAMP moderate security controls, we can provide that under NDA in the next several months, just ask your account manager.  US agencies will need to wait for the below authorization process to be completed as described here.  There is no migration for our customers, these security improvements are already in place for your ArcGIS Online organizations.  This is a major milestone for many geospatial customers to expand their usage of ArcGIS Online cloud services, as FedRAMP Moderate means it is designed to handle sensitive information, with over 3x more security controls then ISO 27001 – Start talking with your organization’s security leadership now to determine what new geospatial use cases may now be considered for use in ArcGIS Online.
2. PRIVACY PAPER – We posted a major refresh of our Location Sharing Privacy Best Practices paper to be in alignment with products and regulations as they have evolved including extending security and privacy setting recommendations summarized at the end of the document.
3. VULNERABILTY AUDIT – Esri, as a CVE Numbering Authority (CNA), was recently audited by the NIST National Vulnerability Database (NVD) and achieved the highest acceptance level of “Provider” for both the metrics we use to communicate the impact of software security vulnerabilities in our products via CVSS v3.1 scores as well as Common Weakness Enumeration (CWE) used to baseline weakness identification, mitigation, and prevention efforts for product vulnerabilities.  This level of assurance concerning the vulnerability information we provide to customers is achieved by less than 1% of software organizations around the globe.  Additional information about this program and audit result details may be found here.

Upcoming additional assurance:

1.  CLOUD SECURITY ALLIANCE – Expect to not only see a major update of our ArcGIS Online Cloud Security Alliance CAIQ answers for the newer 4.0.2 framework within the next several months, but also some of our other cloud-based service offerings.
2. SECURE CYBER SUPPLY CHAIN – The importance of ensuring software providers have a secure cyber supply chain to minimize customer risk continues to increase rapidly.  We are actively completing an Open Trusted Technology Provider Standard (O-TTPS) / International Organization for Standardization (ISO) 20243 gap analysis and expect our ArcGIS Online self-assessed certification to be completed within 2023 Q1.  Expect to see additional Secure Cyber Supply Chain evidence for our products later in 2023.
3. ARCGIS ENTERPRISE SECURITY HARDENING GUIDE – While there is a DISA STIG for ArcGIS Server available, the cadence for DISA being able to engage to issue a new revision spanning ArcGIS Enterprise has resulted in us deciding to release a general security hardening guide for our product first in 2023.
4. EU REGION ASSURANCE – Through the latter half of 2023, we will be aligning our ArcGIS Online European Union (EU) operations to align with ISO 27001, in preparation for achieving certification in 2024.
5. TRUST CENTER EXPANSION – As there are so many advancements, we will be expanding the compliance section of the ArcGIS Trust Center over the next several weeks and throughout the year as we align with additional certifications/standards.

2023 is an exciting year for us, as our customers can now more effectively balance cloud and on-premises geospatial implementation needs while meeting more rigorous security and privacy requirements – gone are the days of utilizing cloud services for only public-facing content.  Now is the time to start considering what it means to your organization’s strategic plans.  Feel free to reach out to us if you would like to provide us feedback concerning early release materials for the above items.

– Esri’s Software Security & Privacy team – SoftwareSecurity@esri.com