OWASP and ArcGIS for Portal

01-02-2020 05:58 AM
JohnMitchell7
New Contributor

For my customer I was asked if ArcGIS Portal was OWASP compliant. I am not a security expert and I was wondering if anyone out there had studied ArcGIS Portal for its OWASP compliance. Has anyone evaluated ArcGIS Portal for OWASP compliance?

1 Reply
RandallWilliams
Esri Regular Contributor

Hi John Mitchell,

Out of the box, ArcGIS Enterprise (and more specifically, Portal for ArcGIS) is designed with a number of different user bases in mind. At its heart, Portal for ArcGIS is meant to help users share geographic content and information - it's a social sharing tool. Some organizations have more stringent requirements than others, and we try to accommodate the needs of all of our various user bases in the design.

What this means is that each ArcGIS Enterprise site may be unique in how it's implemented. There are responsibilities that we (Esri) must meet in terms of coding standards, implementation guidance and administrative options we provide, as well as configuration and governance responsibilities that administrators of a given ArcGIS Enterprise site must meet in turn. In the end, when properly configured, standards are applied, and adherence is measurable, a level of compliance is met. Esri has achieved this level in house. Examples of configurable options that Esri provides but must be user configured include (but aren't limited to) requiring TLS only for all communications, configuration of allowed encryption algorithms, defining password complexity requirements, and defining allowed CORS whitelists. Items the organization is responsible for include the acquisition and usage of trusted certificates at both the GIS and web tiers (the front end, where the web adaptor/reverse proxy/WAF/web gateway sits), and web server configuration considerations to reduce information exposure (like custom error messages and removing technology-identifying banners, like X-Powered-By asp.net). Other considerations an administrator is responsible for include data classification, configuration of enterprise user and role stores (e.g. configuring the Portal to work with a SAML provider that is capable of providing MFA), etc.

For instance, our Esri Managed Cloud Services Advanced Plus offering is a FedRAMP Moderate compliant offering. FedRAMP is a security authorization framework developed by the Federal Government along with industry professionals to align requirements for cloud service providers with that of the NIST framework, and containing mappings to ISO/IEC 27001 & 15408 and NIST special publication 800-53. ArcGIS Online has itself achieved FedRAMP Tailored Low certification.

From our side, Esri utilizes the BSIMM (Building Security in Maturity Model) as the backbone to measure our efforts to immerse security throughout our development life cycle. We also incorporate OWASP best practices into our training and our SDLC.

For our customers, Esri has delineated responses to the Cloud Security Alliance Cloud Controls Matrix for both EMCS Advanced Plus and ArcGIS Online offerings. The CCM consists of answers to a number of questions from auditors and users regarding how various compliance instruments are implemented in a given offering.

While not explicitly mapped, you can see how the answers in our CCM attestation documents map to the controls described in the ASVS you've attached, with the understanding that we've achieved measurable compliance for FedRAMP standards by accredited auditors. For instance, the controls mentioned in V1.1 (Secure Software Development Lifecycle Requirements) relate to controls discussed under control IDs BCR (Business Continuity & Operational Resilience).

As you can see, the answer to this kind of question isn't really binary - there's not a real Yes/No answer. That's because there are a lot of variables in play regarding Esri as a software provider and our SDLC activities, and an administrator or organization's roadmap to achieving a compliance benchmark.

Feedback regarding ArcGIS Online and Esri's product compliance initiatives is welcome and may be directed to Esri's Software Security and Privacy Team at SoftwareSecurity@esri.com.
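As an added example (not from the original thread and not Esri code), here is a small Python check for the web-tier items the reply lists as the organization's responsibility: technology-identifying banners such as X-Powered-By, TLS-only enforcement (checked here via an HSTS header), and an explicit CORS whitelist instead of a wildcard. The header sets and the allowed origin are constructed samples, not captured from any real Portal.

```python
"""Audit a web-tier HTTP response header set against the hardening items
named in the reply: banner removal, TLS-only, explicit CORS whitelist."""
from typing import Dict, List

# Headers that reveal the technology stack; the reply names X-Powered-By.
BANNER_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def audit_headers(headers: Dict[str, str], allowed_origins: List[str]) -> List[str]:
    """Return a list of findings (empty list means no issue detected)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    for name in BANNER_HEADERS:
        if name in h:
            findings.append(f"remove technology banner {name}: {h[name]}")

    # A Server header with a version number is also an information-exposure item.
    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header leaks a version: {server}")

    # TLS-only: the browser-side half of that policy is an HSTS header.
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security (TLS-only not enforced to clients)")

    # CORS: a wildcard or an origin outside the whitelist is a finding.
    acao = h.get("access-control-allow-origin")
    if acao == "*":
        findings.append("CORS allows any origin; restrict to an explicit whitelist")
    elif acao is not None and acao not in allowed_origins:
        findings.append(f"CORS origin {acao} is not in the whitelist")

    return findings


# Constructed sample: a default-looking front end before hardening.
CONSTRUCTED_WEAK = {
    "Server": "Microsoft-IIS/10.0",
    "X-Powered-By": "ASP.NET",
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "*",
}

# Constructed sample: the same front end after applying the items above.
CONSTRUCTED_HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://gis.example.org",  # assumed whitelist entry
}

if __name__ == "__main__":
    for label, hdrs in (("weak", CONSTRUCTED_WEAK), ("hardened", CONSTRUCTED_HARDENED)):
        print(label, audit_headers(hdrs, ["https://gis.example.org"]) or "no findings")
```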