Spring 2015

Esri Managed Cloud Services Achieves FedRAMP Moderate Compliance


On January 29, 2015, Esri Managed Cloud Services (EMCS) achieved Federal Risk and Authorization Management Program (FedRAMP) Moderate compliance. This milestone provides assurance to customers that EMCS aligns with the latest rigorous security controls required for cloud systems at the moderate impact level (specifically, FedRAMP Rev. 4 Baseline).

EMCS enables customers to quickly leverage the full ArcGIS platform in a secure/compliant cloud environment. GIS services within EMCS are provisioned through ArcGIS for Server and Portal for ArcGIS.

The EMCS offering can be utilized in a stand-alone deployment or as a hybrid deployment that incorporates ArcGIS Online. If ArcGIS Online Federal Information Security Management Act (FISMA) Low Security is not considered adequate for your organization's needs, or if your organization wants to utilize specific geospatial capabilities only available in ArcGIS for Server, supplementing an ArcGIS Online implementation with EMCS is a viable option. [ArcGIS Online was granted FISMA Low Authority to Operate (ATO) by the United States Department of Agriculture in June 2014.]

Beyond this, EMCS provides these key security benefits:

  • 24/7 Security Operations Center for monitoring and threat detection
  • An Intrusion Detection System (IDS) to detect malicious activity
  • Continuous security monitoring of log data through a Security Information and Event Management (SIEM) platform that is reviewed by security experts
  • A Web Application Firewall (WAF) to mitigate common web application attacks such as cross-site scripting (XSS)
  • FIPS 140-2 compliant encryption for data in transit and data at rest
  • A hardened network and virtual machine environment utilizing advanced inbound/outbound firewall traffic rules
  • Mandatory continuous application, system, and database vulnerability scans
  • Yearly vulnerability assessment, penetration testing, and security control reviews by an accredited Third Party Assessment Organization (3PAO)

For more information about FedRAMP Moderate, visit the official FedRAMP site. Additionally, you may want to view the official listing of the EMCS package.