WIXLIB

Mapping of FedRAMP Tailored LI‐SaaS Baseline to ISO 27001 Security ControlsThis document provides a list of all controls that require the Cloud Service Provider, Esri, to provide detailed descriptions oftheir implementation, or provide a self‐attestation that their implementation meets the intent of the securityrequirements. All required and conditional controls are tested by an approved assessor annually. ArcGIS Online does notundergo a separate ISO 27001 certification as the FedRAMP authorization meets requirements for equivalent or bettersecurity assurance.Revision HistoryVersionDate7/20/2018DescriptionInitial mapping of NIST 800‐53 Rev4 security controls in‐scope of Li‐SaaS authorizations (such as ArcGIS Online) to InternationalStandards Organization (ISO) 27001 security controls. Sourcedocuments are as follows:NIST 800-53 Rev4FedRAMP Tailored Low Security ControlsAuthor1Esri Software Security &Privacy1/22/201511/14/2017NISTFedRAMP

FedRAMP Tailored LI‐SaaS Baseline Mapping to ISO 27001NoNIST 800‐53ISO 27001 ControlControl ��228AT‐19101112AT‐2AT‐3AT‐4AU‐11314NIST 800‐53 Control NameTailoring ActionA.5.1.1, A.5.1.2,Access Control Policy & ProceduresA.6.1.1, A.9.1.1,A.12.1.1, A.18.1.1,A.18.2.2A.9.2.1, A.9.2.2,Account ManagementA.9.2.3, A.9.2.5, A.9.2.6AttestA.6.2.2, A.9.1.2,A.9.4.1, A.9.4.4,A.9.4.5, A.13.1.1,A.14.1.2, A.14.1.3,A.18.1.3A.9.4.2Access EnforcementDocument and AssessUnsuccessful Login AttemptsNSO, AttestA.6.2.1, A.6.2.2,A.13.1.1, A.13.2.1,A.14.1.2A.11.2.6, A.13.1.1,A.13.2.1NoneRemote AccessDocument and AssessUse of External Information SystemsAttestPublicly Accessible ContentDocument and AssessSecurity Awareness and Training Policy Attestand ProceduresSecurity Awareness TrainingRole‐Based Security TrainingSecurity Training RecordsAudit and Accountability Policy .5.1.1, A.5.1.2,A.6.1.1, A.12.1.1,A.18.1.1, A.18.2.2A.7.2.2, A.12.2.1A.7.2.2*NoneA.5.1.1, A.5.1.2,A.6.1.1, A.12.1.1,A.18.1.1, A.18.2.2NoneA.12.4.1*Audit EventsContent of Audit RecordsAttestDocument and Assess15AU‐5NoneResponse to Audit Processing FailuresDocument and Assess16AU‐6Audit Review, Analysis, and ReportingDocument and Assess1718AU‐8AU‐9Time StampsProtection of Audit CA‐2 (1)A.12.4.1, A.16.1.2,A.16.1.4A.12.4.4A.12.4.2, A.12.4.3,A.18.1.3A.12.4.1, A.12.4.3A.5.1.1, A.5.1.2,A.6.1.1, A.12.1.1,A.18.1.1, A.18.2.2A.14.2.8, A.18.2.2,A.18.2.3A.14.2.8, A.18.2.2,A.18.2.3Additional Control TailoringCommentsDocument and AssessNSO ‐ for non‐privileged users. Attestation ‐for privileged users related to multi‐factoridentification and authentication.Audit GenerationAttestSecurity Assessment and Authorization AttestPolicies and ProceduresSecurity AssessmentsDocument and AssessSecurity Assessments IndependentAssessorsAttestPage 1ControlMapping

NoNIST 800‐53ISO 27001 ControlControl ID23CA‐3A.13.1.2, A.13.2.1,A.13.2.2System InterconnectionsDocument and Assess Condition: There are connection(s) to(Conditional)external systems. Connections (if any) shallbe authorized and must:1) Identify the interface/connection.2) Detail what data is involved and itssensitivity.3) Determine whether the connection is one‐way or bi‐directional.4) Identify how the connection is secured.24CA‐5NonePlan of Action and MilestonesAttest25CA‐6NoneSecurity AuthorizationDocument and Assess26CA‐7NoneContinuous MonitoringDocument and Assess27CA‐9NoneInternal System ConnectionsDocument and Assess Condition: There are connection(s) to(Conditional)external systems. Connections (if any) shallbe authorized and must:1) Identify the interface/connection.2) Detail what data is involved and itssensitivity.3) Determine whether the connection is one‐way or bi‐directional.4) Identify how the connection is secured.28CM‐1Configuration Management Policy and AttestProcedures2930CM‐2CM‐4A.5.1.1, A.5.1.2,A.6.1.1, A.12.1.1,A.18.1.1, A.18.2.2NoneA.14.2.3Baseline ConfigurationSecurity Impact AnalysisAttestDocument and Assess31CM‐6NoneConfiguration SettingsDocument and Assess3233CM‐7CM‐8A.12.5.1*A.8.1.1, A.8.1.2AttestDocument and Assess34CP‐135CP‐9Information System BackupDocument and Assess36IA‐137IA‐2A.5.1.1, A.5.1.2,A.6.1.1, A.12.1.1,A.18.1.1, A.18.2.2A.12.3.1, A.17.1.2,A.18.1.3A.5.1.1, A.5.1.2,A.6.1.1, A.12.1.1,A.18.1.1, A.18.2.2A.9.2.1Least FunctionalityInformation System ComponentInventoryContingency Planning Policy andProceduresNIST 800‐53 Control NameTailoring ActionAdditional Control TailoringCommentsAttestation ‐ for compliance with FedRAMPTailored LI‐SaaS Continuous MonitoringRequirementsAttestIdentification and Authentication Policy Attestand ProceduresIdentification and Authentication(Organizational Users)Page 2NSO, AttestNSO ‐ for non‐privileged users. Attestation ‐for privileged users related to multi‐factoridentification and authentication. Includespecific description of management ofservice accounts.ControlMapping

NoNIST 800‐53ISO 27001 ControlControl ID38IA‐2 (1)A.9.2.139IA‐2 (12)A.9.2.14041IA‐4IA‐5Identifier ManagementAuthenticator Management42IA‐5 (1)43IA‐5 (11)A.9.2.1A.9.2.1, A.9.2.4,A.9.3.1, A.9.4.3A.9.2.1, A.9.2.4,A.9.3.1, A.9.4.3A.9.2.1, A.9.2.4,A.9.3.1, A.9.4.344IA‐6A.9.4.2Authenticator Feedback45IA‐7A.18.1.5Cryptographic Module Authentication Attest46IA‐8A.9.2.147IA‐8 (1)A.9.2.1Identification and Authentication (Non‐ AttestOrganizational Users)Identification and Authentication (Non‐ Document and Assess Condition: Must document and assess forOrganizational Users) Acceptance of (Conditional)privileged users. May attest to this controlPIV Credentials from Other Agenciesfor non‐privileged users. FedRAMP requiresa minimum of multi‐factor authenticationfor all Federal privileged users, if acceptanceof PIV credentials is not supported. Theimplementation status and details of howthis control is implemented must be clearlydefined by the CSP.48IA‐8 (2)A.9.2.1Identification and Authentication (Non‐ Document and Assess Condition: Must document and assess forOrganizational Users) Acceptance of (Conditional)privileged users. May attest to this controlThird‐Party Credentialsfor non‐privileged users. FedRAMP requiresa minimum of multi‐factor authenticationfor all Federal privileged users, if acceptanceof PIV credentials is not supported. Theimplementation status and details of howthis control is implemented must be clearlydefined by the CSP.49IA‐8 (3)A.9.2.1Identification and Authentication (Non‐ AttestOrganizational Users) Acceptance ofFICAM‐Approved ProductsNIST 800‐53 Control NameTailoring ActionIdentification and AuthenticationDocument and Assess(Organizational Users) NetworkAccess to Privileged AccountsIdentification and AuthenticationDocument and Assess(Organizational Users) Acceptance of (Conditional)Personal Identity Verification (PIV)CredentialsAdditional Control TailoringCommentsCondition: Must document and assess forprivileged users. May attest to this controlfor non‐privileged users. FedRAMP requiresa minimum of multi‐factor authenticationfor all Federal privileged users, if acceptanceof PIV credentials is not supported. Theimplementation status and details of howthis control is implemented must be clearlydefined by the CSP.AttestAttestAuthenticator Management AttestPassword‐Based AuthenticationAuthenticator Management FED, Document andHardware Token‐Based Authentication Assess (Conditional)FED ‐ for Federal privileged users. Condition ‐Must document and assess for privilegedusers. May attest to this control for non‐privileged users.Document and AssessPage 3ControlMapping

NoNIST 800‐53ISO 27001 ControlControl ID50IA‐8 (4)A.9.2.151IR‐15253IR‐2IR‐4Incident Response TrainingIncident HandlingAttestDocument and Assess5455IR‐5IR‐6A.5.1.1, A.5.1.2,A.6.1.1, A.12.1.1A.18.1.1, A.18.2.2A.7.2.2*A.16.1.4, A.16.1.5,A.16.1.6NoneA.6.1.3, A.16.1.2Incident MonitoringIncident ReportingAttestDocument and Assess5657IR‐7IR‐8NoneA.16.1.1Incident Response AssistanceIncident Response PlanAttestAttest58IR‐9NoneInformation Spillage ResponseAttest59MA‐1System Maintenance Policy andProceduresAttest60MA‐2A.5.1.1, A.5.1.2,A.6.1.1, A.12.1.1,A.18.1.1, A.18.2.2A.11.2.4*, A.11.2.5*Controlled MaintenanceDocument and Assess Condition: Control is not inherited from a(Conditional)FedRAMP‐authorized PaaS or IaaS.6162MA‐4MA‐5NoneNoneNon‐local MaintenanceMaintenance PersonnelAttestDocument and Assess Condition: Control is not inherited from a(Conditional)FedRAMP‐authorized PaaS or IaaS.63MP‐1Media Protection Policy andProceduresAttest64MP‐2A.5.1.1, A.5.1.2,A.6.1.1, A.12.1.1,A.18.1.1, A.18.2.2A.8.2.3, A.8.3.1,A.11.2.9Media AccessDocument and Assess Condition: Control is not inherited from a(Conditional)FedRAMP‐authorized PaaS or IaaS.65MP‐6A.8.2.3, A.8.3.1,A.8.3.2, A.11.2.7Media SanitizationDocument and Assess Condition: Control is not inherited from a(Conditional)FedRAMP‐authorized PaaS or IaaS.66MP‐7A.8.2.3, A.8.3.1Media UseDocument and Assess Condition: Control is not inherited from a(Conditional)FedRAMP‐authorized PaaS or IaaS.67PE‐1Physical and Environmental Protection AttestPolicy and Procedures68PE‐2A.5.1.1, A.5.1.2,A.6.1.1, A.12.1.1,A.18.1.1, A.18.2.2A.11.1.2*Physical Access AuthorizationsDocument and Assess Condition: Control is not inherited from a(Conditional)FedRAMP‐authorized PaaS or IaaS.69PE‐3A.11.1.1, A.11.1.2,A.11.1.3Physical Access ControlDocument and Assess Condition: Control is not inherited from a(Conditional)FedRAMP‐authorized PaaS or IaaS.70PE‐6NoneMonitoring Physical AccessDocument and Assess Condition: Control is not inherited from a(Conditional)FedRAMP‐authorized PaaS or IaaS.NIST 800‐53 Control NameTailoring ActionAdditional Control TailoringCommentsIdentification and Authentication (Non‐ AttestOrganizational Users) Use of FICAM‐Issued ProfilesIncident Response Policy andAttestProceduresPage 4Attestation ‐ Specifically attest to US‐CERTcompliance.Attestation ‐ Specifically describeinformation spillage response processes.ControlMapping