You may have heard the news, ArcGIS Online is now FedRAMP Moderate authorized. This is an exciting announcement for many ArcGIS users! This authorization presents the opportunity for many existing ArcGIS Online users to take advantage of ArcGIS Online in new ways by now being able to work with and store United States federal data within ArcGIS Online in ways they may not have been able to before.

If you are an ArcGIS Enterprise user, you may have some questions about what this enhanced authorization for ArcGIS Online means to you. If you are currently using ArcGIS Online, this may allow you to take advantage of the software in new ways such as working with data that policies previously did not allow to be stored in ArcGIS Online. If you are interested in using ArcGIS Online but haven’t been able to use the product yet because your organization requires FedRAMP Moderate authorization, you may be able to start using ArcGIS Online.

Another very common question ArcGIS Enterprise users have been asking is, “Does this mean ArcGIS Enterprise will soon be FedRAMP Moderate too?”  The short answer to this question is simply “no”.

But instead of just leaving it at “no”, let’s get into why the answer is no – which is exactly what we’re going to do in this blog.  We’ll get into a bit of background about FedRAMP and how this affects (or doesn’t affect) ArcGIS Enterprise.

Understanding FedRAMP Moderate

The Federal Risk and Authorization Management Program (FedRAMP) is a United States government-wide program which provides a standard security baseline for Cloud Service Providers to store US federal data.  This reusable set of security standards replaces redundant Agency security assessments with a “do once, use many times” efficiency, maximizing staff and budget resources and promoting continuity across federal agencies. FedRAMP specifies multiple baseline levels of security for cloud systems hosting federal data.  This includes Low, Medium, and High designations.

If you’ve never heard of FedRAMP before, that’s okay.  While significant in some industries, particularly United States federal government agencies, it isn’t significant to all industries.

What does it mean now that ArcGIS Online is FedRAMP Moderate?

ArcGIS Online was designated FedRAMP Low in 2018 and was designated as FedRAMP Moderate earlier this year.  If you’re an ArcGIS Online user, you won’t have to do anything extra to take advantage of this – everything is already available to you in ArcGIS Online.

How ArcGIS Enterprise is affected

ArcGIS Online and ArcGIS Enterprise organizations have a similar look and feel.  That is no surprise, because the two products share many features and applications.  With this in mind, there is a misconception that now that ArcGIS Online is FedRAMP Moderate authorized, ArcGIS Enterprise soon will be too.  But that is not the case.

Remember when we mentioned earlier that FedRAMP Moderate is a designation for Cloud Service Providers?  For ArcGIS Online, which is a software as a service (SaaS), the designated Cloud Service Provider is Esri.  ArcGIS Enterprise is software installed on infrastructure that you control, meaning there isn’t a singular Cloud Service Provider. You, or the organization running ArcGIS Enterprise on your behalf, are the Cloud Services Provider that must go through the security accreditation process. This means ArcGIS Enterprise itself cannot be authorized under the FedRAMP program. An authorization includes not just the software that is being run, but also the environment in which that software is maintained. ArcGIS Enterprise can only be as secure as the environment in which you install and run it.

Thus, individual ArcGIS Enterprise deployments can be (and have been) set up and run in FedRAMP Moderate environments.  Creating a FedRAMP Moderate compliant ArcGIS Enterprise deployment involves understanding not only where ArcGIS Enterprise is deployed in the cloud but also where the relevant data sources are hosted and the security controls surrounding that data and the rest of the software and cloud services that are used.  Going through that process and accreditation is beyond the scope of this blog. For a deeper conversation, we encourage you to engage with your IT and security teams as well as Esri Professional Services.

We hope this has helped provide a bit of clarity to how ArcGIS Online’s FedRAMP Moderate status affects – or rather, doesn’t – affect ArcGIS Enterprise.  If you have any questions or comments, we’d love to hear from you in the comments below!