We are excited to announce that the FedRAMP PMO authorized ArcGIS Online as FedRAMP Moderate on July 22, 2024, as seen within the FedRAMP Marketplace.
So, what happened to get us to this point, what’s changed, do you need to do anything to take advantage of this higher level of security within ArcGIS Online, and what’s next?
Background
In 2022, ArcGIS Online was operating with a FedRAMP Tailored Low authorization, and our customers, whether federal agencies, global commercial organizations, or non-profits, were asking for a stronger security assurance level to help protect their information. We therefore increased the security controls of our operations to FedRAMP Moderate, were assessed by a 3PAO (an accredited 3rd party auditor), and submitted all evidence to our Authorizing Agency (Department of the Interior) at the end of 2022. After reviewing and validating the information, DOI authorized ArcGIS Online as Agency FedRAMP Moderate on May 8, 2023, and the FedRAMP PMO was notified. During this time, FedRAMP also required a transition to a new revision of security controls for all providers, from NIST 800-53 Rev 4 to Rev 5. The good news is that the new revision integrated stronger privacy controls and added a whole family of security controls for a more robust supply chain. The combination of increasing our security assurance level and changing to the new security control revision resulted in the FedRAMP PMO authorization taking until now.
What’s Changed?
Customers now have stronger security and privacy assurance, which supports customers of any type in utilizing more diverse datasets within ArcGIS Online. You may have noticed that ArcGIS Online was NOT affected by the recent CrowdStrike outage, as we ensure strong segmentation of corporate and customer operations of our products, providing the resiliency you see and helping mitigate the scope of supply chain risks.
Customer Actions Required?
The great news is that we made all of these security and privacy advancements transparently to our existing ArcGIS Online implementation – no customer migration to a different implementation is required. Since the utilization of cloud-based services is a shared responsibility between Esri and our customers, we suggest reviewing the Customer Responsibility Matrix (requires ArcGIS Login to access) to ensure you are taking advantage of secure customer-managed configuration controls. Once you make any security control changes, we suggest running the ArcGIS Security & Privacy Adviser tool to ensure your configuration is in alignment with best practices. Note that this tool will be refreshed with a clean new look by the end of July (some of you had a sneak peek at the UC last week), and additional checks will be added later this year.
What’s Next?
Customers utilizing our ArcGIS Online US-based operations already have a mapping of security controls from FedRAMP Moderate to ISO 27001, if they prefer referencing the international standard for assurance purposes. For customers utilizing our ArcGIS Online European Union (EU) region for their organization, we are actively working on ISO 27001 and expect that certification to be complete before the end of 2025.
- Esri Software Security & Privacy Team
References:
– ArcGIS Online FedRAMP Marketplace Listing
– ArcGIS Trust Center Cloud Security Page
– ArcGIS Online FedRAMP Moderate Customer Responsibility Matrix
– Security & Privacy Adviser Tool
– FedRAMP Moderate to ISO 27001 Mapping