VMware SD-WAN on AWS GovCloud (US)™ is a an integrated cloud network service solution jointly developed by Amazon Web Services (AWS) and VMware SD-WAN for Federal customers and their partners which complies with the FedRAMP High baseline and other compliance regimes. This solution enables sites to quickly deploy Enterprise grade access to legacy and cloud applications over both private networks and Internet broadband.
VMware Government Services (VGS) handles the onboarding of VMware SD-WAN on AWS GovCloud (US) services, and the management network provides several features including monitoring, alerting, logging, security, and many more for the GovCloud environment.
Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Government-wide program that promotes the adoption of secure cloud services across the U.S. Federal Government by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information
To meet the FedRAMP Authorization requirements, VMware SD-WAN on AWS GovCloud (US) has the following features:
- Federal Information Processing Standards (FIPS) are a set of U.S. Government security requirements for data and its encryption. FIPS are standards and guidelines for Federal computer systems that are developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. For example, FIPS standards cover data encryption such as the Advanced Encryption Standard (AES).
- AWS GovCloud (US) is used to run the VMware SD-WAN service. AWS GovCloud (US) complies with the FedRAMP High baseline and several other federal departments’ policies. AWS GovCloud (US-East) and (US-West) Regions are operated by employees who are U.S. citizens on U.S. soil. AWS GovCloud (US) is only accessible to U.S. entities and root account holders who pass a screening process.
- Multi-Factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as a VCO (VMware Cloud Orchestrator) online account. MFA is one part of the FedRAMP requirement for user authentication. To fully comply with FedRAMP requirements, MFA is implemented with required Government issued identifications, including PIV and CAC cards through the VMware ID Management System (vIDM) for Single Sign-On Architecture (SSO).
- Single Sign-On (SSO) Architecture with a focus on VMware Identity Manager (vIDM) integration: The SD-WAN Orchestrator supports SSO for all Orchestrator user types: Operator, Partner, and Enterprise. Single Sign-On (SSO) is a session and user authentication service that allows SD-WAN Orchestrator users to log in to the SD-WAN Orchestrator with one set of login credentials to access multiple applications. Integrating the SSO service with SD-WAN Orchestrator improves the security of user authentication for SD-WAN Orchestrator users and enables SD-WAN Orchestrator to authenticate users from other OpenID Connect (OIDC)-based Identity Providers (IDPs).
Password Requirements: User passwords are protected with strong encryption mechanisms. Passwords are case sensitive. A mechanism ensures passwords are a minimum of twelve characters, with at least one upper-case letter, lower-case letters, numbers, and special characters. At least one character in the password must change for a new password to be accepted. The user is prevented from re-using their previous 24 passwords. A user must wait at least one day between password changes. A user must change their password within 60 days (about 2 months).
- Only VMware employees who meet the US Citizen on US Soil (USCUSS) can manage and access root account keys to operate the SD-WAN accounts.
The components are described in more detail in the following sections.
To become familiar with the basic configuration and Edge activation, see Activate SD-WAN Edges.