The compliance kit is a solution that builds on VMware Cloud Foundation and applies security fundamentals. The kit addresses the ten most frequently requested compliance standards, regulations, and frameworks.

The compliance kit is designed and validated to tailor security configurations without impacting the ability of VMware Cloud Foundation to meet its design objectives. The kit helps organizations secure information systems in a compliance context.

This guidance has been validated and tested against specific product versions. Changes between subsequent releases of VMware Cloud Foundation are designed for stability and an optimal upgrade experience. The guidance provided by the Compliance Kit for VMware Cloud Foundation is written for a specific VMware Cloud Foundation release, but it can still be used until a subsequent kit release is available. The guidance is not backward-compatible, and it must not be trimmed down and applied to the component products individually. In many cases, the Software-Defined Data Center stack provided by VMware Cloud Foundation requires that you avoid some security configurations that could be implemented on an individual component product deployed on its own, because the kit is validated against the integrated stack rather than against each component in isolation.

Compliance Kit for VMware Cloud Foundation Structure

The compliance kit consists of documents specific to the standard architecture model of VMware Cloud Foundation.

Document Name: Security and Compliance Configuration for VMware Cloud Foundation
Document Description: Non-default configurations that are applied after deployment of VMware Cloud Foundation in the Standard Architecture.
Intended Audience:

  • System Integrator

  • Cloud Administrator

  • Infrastructure Administrator

Document Name: VMware Cloud Foundation Audit Guide
Document Description: Procedures to validate both default and non-default configurations, with a preface composed by an independent, third-party auditor that introduces the audit content and its applicability to control testing of a Software-Defined Data Center.
Intended Audience:

  • Security Professional

  • Auditor

Document Name: VMware Cloud Foundation Audit Guide Appendix
Document Description: Includes the actual configuration values for the different compliance standards. Use it in conjunction with the configuration guide to adjust the values configured in the procedures to the desired compliance standard. Also includes audit procedures for auditors examining an environment for compliance readiness.
Intended Audience:

  • System Integrator

  • Cloud Administrator

  • Infrastructure Administrator

  • Security Professional

  • Auditor

The compliance kit is designed to work holistically. Each document supports the overall blueprint and builds trust across the multiple personas that interact with the life cycle of a system operating in a compliance context: architect, system administrator, system integrator, security professional, and auditor.

Introducing Security and Compliance for VMware Cloud Foundation outlines the security and compliance concepts used in developing the Compliance Kit for VMware Cloud Foundation, for example governance, risk, and compliance (GRC), separation of duties, and security architecture.

The Security and Compliance Configuration Guide for VMware Cloud Foundation outlines the steps to implement non-default configurations. Default configurations are confirmed as part of the VMware Cloud Foundation post-deployment steps and are therefore excluded from the configuration guide. Perform the procedures exactly as documented in the guide so that SDDC performance is not compromised.

The Audit Guide supports the post-implementation and audit processes. It includes procedures to validate both default and non-default configurations. The preface to the Audit Guide is written by an independent third-party auditor who evaluated the Compliance Kit for VMware Cloud Foundation and attests to its ability to address compliance requirements. It includes the concepts required to audit a virtualized environment and tips on how to audit a Software-Defined Data Center. In the VMware Cloud Foundation Audit Guide Appendix, mappings between configurations and compliance controls provide a comprehensive inventory of configurations designated as default or non-default.

VMware Cloud Foundation Compliance Kit

The compliance kit applies to the core products in VMware Cloud Foundation:

  • VMware ESXi™

  • VMware vCenter Server®

  • VMware vSAN™

  • VMware NSX-T™ Data Center

  • VMware Cloud Foundation™ SDDC Manager