Assess Tanzu Application Platform against the NIST 800-53 Moderate Assessment
This topic provides you with an assessment of Tanzu Application Platform (commonly known as TAP) against the NIST SP 800-53 Revision 4 Moderate baseline controls. This translates to FISMA Moderate and CNSSI 1253 Mod/Mod/Mod for use in US Federal systems accreditation.
The Moderate baseline applies to only technical controls. Organizational policy controls, physical security, media policies, and similar are excluded as they are not applicable to Tanzu Application Platform. These excluded controls are still relevant to the system at large and must be inherited from existing accreditations or otherwise addressed.
The initial iteration of this assessment delineates responsible parties. Incremental updates will add more details about implementation and updates to 800-53 Revision 5.
| Name | Title | Responsible Party | Notes |
|---|---|---|---|
| AC-2(1) | Automated System Account Management | Customer | Implemented on customer identity store. The customer must employ automated mechanisms to support the management of information system accounts used to access their Tanzu Application Platform installation. |
| AC-2(2) | Removal of Temporary / Emergency Accounts | Customer | Implemented on customer identity store. If the customer chooses to use temporary or emergency accounts, they must ensure that the system automatically deactivates or removes the account following an organization-defined time period. |
| AC-2(3) | Deactivate Inactive Accounts | Customer | Implemented on customer identity store. The customer must automatically deactivate inactive accounts used to access their Tanzu Application Platform installation following an organization-defined time period of inactivity. |
| AC-2(4) | Automated Audit Actions | Customer | Implemented on customer identity store. The customer must automatically audit account creation, modification, enabling, deactivating, and removal actions associated with accounts used to access their Tanzu Application Platform installation and must notify an organization-defined personnel or role. |
| AC-3 | Access Enforcement | Customer | The customer must federate their IdP with Tanzu Application Platform to enforce approved access authorizations to their Tanzu Application Platform installation. |
| AC-4 | Information Flow Enforcement | Customer | The customer is responsible for enforcing approved authorizations for controlling the flow of information between Tanzu Application Platform and interconnected systems, based on organization-defined information flow control policies, for example, a SIEM. Tanzu Application Platform does not restrict intra-service or inter-system communication. Future versions of Tanzu Application Platform will include this feature using service mesh architecture or similar methods. |
| AC-6 | Least Privilege | Shared | The customer is responsible for enforcing least privilege by ensuring Tanzu Application Platform users have the minimum permissions necessary to perform their job function. Tanzu Application Platform is responsible for providing RBAC functionality to enforce least privilege. |
| AC-6(1) | Authorize Access to Security Functions | Shared | The customer is responsible for explicitly authorizing access to organization-defined security functions and security-relevant information as it relates to their Tanzu Application Platform installation. Tanzu Application Platform is responsible for providing the RBAC functionality necessary to restrict which users can access security functions and security-related information. |
| AC-6(5) | Privileged Accounts | Shared | The customer must restrict privileged Tanzu Application Platform accounts to organization-defined personnel or roles. Tanzu Application Platform is responsible for providing the RBAC functionality for customers to restrict privileged Tanzu Application Platform accounts to organization-defined personnel or roles. |
| AC-6(9) | Auditing Use of Privileged Functions | Shared | The customer is responsible for configuring Tanzu Application Platform and underlying Kubernetes to send log streams to their SIEM tool for log analysis to be capable of auditing the execution of privileged functions. Tanzu Application Platform is responsible for generating logs pertaining to the execution of privileged functions that can be ingested by the customer SIEM tool for analysis. |
| AC-6(10) | Prohibit Non-Privileged Users from Executing Privileged Functions | Tanzu Application Platform | This functionality is inherent to Tanzu Application Platform/Kubernetes RBAC and can’t be configured otherwise. |
| AC-7 AC-7a AC-7b |
Unsuccessful Logon Attempts | Customer | Implemented on customer identity provider. The customer is responsible for configuring their IdP to enforce a limit of consecutive invalid logon attempts by a user during an organization-defined time period which locks the user’s account for an organization-defined time period, or until released by an administrator. |
| AC-8 AC-8a AC-8a.1 AC-8a.2 AC-8a.3 AC-8a.4 AC-8b AC-8c AC-8c.1 AC-8c.2 AC-8c.3 |
System Use Notification | Customer | Implemented on customer identity provider. Customer must configure their IdP to display the system use notification banner before login. |
| AC-11 AC-11a AC-11b |
Session Lock | Customer | The customer must configure sessions locks on user workstations used to access their Tanzu Application Platform installation. Tanzu Application Platform does not have a concept of session locks and relies on sessions locks applied by the user’s workstation. Tanzu Application Platform provides logout functionality in place of session locking. |
| AC-11(1) | Pattern-Hiding Displays | Customer | The customer must configure sessions locks on user workstations used to access their Tanzu Application Platform installation. This includes hiding the user’s private session with a publicly available image. Tanzu Application Platform does not have a concept of session locks and relies on sessions locks applied by the user’s workstation. Tanzu Application Platform provides logout functionality in place of session locking. |
| AC-12 | Session Termination | Shared | Implemented on customer identity provider. The customer is responsible for configuring IdP token TTL and refresh policies that apply to Tanzu Application Platform sessions. Tanzu Application Platform enforces token policies and cannot be configured otherwise. |
| AC-14 AC-14a |
Permitted Actions Without Identification or Authentication | Shared | The customer is responsible for identifying organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions. For production installations, Tanzu Developer Portal must be configured with OIDC authentication and guest access deactivated. |
| AC-17(1) | Automated Monitoring / Control | Customer | “Remote Access” is defined as outside-the-org endpoints like remote workers over VPN. This is outside the scope of Tanzu Application Platform. The customer is responsible for all aspects regarding “remote access” to Tanzu Application Platform. |
| AC-17(2) | Protection of Confidentiality / Integrity Using Encryption | Customer | “Remote Access” is defined as outside-the-org endpoints like remote workers over VPN. This is outside the scope of Tanzu Application Platform. The customer is responsible for implementing cryptographic mechanisms to protect the confidentiality and integrity of “remote access” sessions to Tanzu Application Platform. |
| AC-17(3) | Managed Access Control Points | Customer | “Remote Access” is defined as outside-the-org endpoints like remote workers over VPN. This is outside the scope of Tanzu Application Platform. The customer is responsible for routing all “remote accesses” to Tanzu Application Platform through an organization-defined number of managed network access control points. |
| AC-19 AC-19 AC-19b |
Access Control for Mobile Devices | Customer | The customer is responsible for all aspects regarding mobile devices which grant access to Tanzu Application Platform. |
| AU-3 | Content of Audit Records | Tanzu Application Platform | The Tanzu Application Platform application must be capable of generating audit logs that contain the minimum content required by the customer consuming the application. |
| AU-3(1) | Additional Audit Information | Customer | Implemented on customer SIEM. The customer is responsible for parsing Tanzu Application Platform logs on their SIEM to extract organization-defined extra information. |
| AU-4 | Audit Storage Capacity | Customer | Implemented on customer Kubernetes. Tanzu Application Platform logs are all captured by Kubernetes logging. The customer is responsible for configuring their Kubernetes hosts with record storage capacity to ensure that there is adequate storage of logs generated by Tanzu Application Platform clusters. |
| AU-5 AU-5a AU-5b |
Response to Audit Processing Failures | Customer | Implemented on customer Kubernetes. Tanzu Application Platform audit records are collected and managed by Kubernetes and are out of Tanzu Application Platform scope. The customer is responsible for configuring their Kubernetes hosts to account for audit processing failures and to alert the appropriate personnel responsible to take appropriate action. |
| AU-7 AU-7a AU-7b |
Audit Reduction and Report Generation | Customer | Implemented on customer Kubernetes and SIEM Tanzu Application Platform audit records are collected and managed by Kubernetes. The customer is responsible for ensuring that Kubernetes ships Tanzu Application Platform audit records to a central SIEM for review and analysis. |
| AU-7(1) | Automatic Processing | Customer | Implemented on customer Kubernetes and SIEM Tanzu Application Platform audit records are collected and managed by Kubernetes. The customer is responsible for ensuring that Kubernetes ships Tanzu Application Platform audit records to a central SIEM for review and analysis. |
| AU-8 AU-8a AU-8b |
Time Stamps | Tanzu Application Platform | Tanzu Application Platform components pull their system time from the container OS and the Kubernetes host and cannot be configured otherwise. Tanzu Application Platform components log statements include UTC timestamps and cannot be configured otherwise. |
| AU-8(1) AU-8(1)(a) AU-8(1)(b) |
Synchronization With Authoritative Time Source | Customer | The customer is responsible for configuring authoritative time sources on K8 clusters. |
| AU-9 | Protection of Audit Information | Customer | Tanzu Application Platform audit records are collected and managed by Kubernetes. The customer is responsible for protecting Kubernetes and Kubernetes logging configurations from unauthorized access, modification, and deletion. |
| AU-12 AU-12a AU-12b AU-12c |
Audit Generation | Shared | Tanzu Application Platform audit records are collected and managed by Kubernetes. The customer is responsible for ensuring that Kubernetes ships Tanzu Application Platform audit records to a central SIEM for review and analysis. Tanzu Application Platform cannot be configured to audit specific information. Tanzu Application Platform logs verbosely and lets the customer filter out what is relevant to them using their SIEM. Tanzu Application Platform logging cannot be deactivated. |
| CM-7 CM-7a CM-7b |
Least Functionality | Shared | The customer is responsible for configuring Tanzu Application Platform to provide only essential capabilities. Tanzu Application Platform is responsible for providing customers with the capability to deactivate non-essential features not required by the customer. The customer must restrict the use of functions, ports, protocols, and services for the Tanzu Application Platform installation. Tanzu Application Platform is responsible for ensuring that functions, ports, protocols, and services are limited to those explicitly required for the application to operate. |
| CM-7(2) | Prevent Program Execution | Tanzu Application Platform | As an extension of CM-7, Least Functionality, this control is a responsibility of Tanzu Application Platform. Tanzu Application Platform only consists of containers with purposeful services with no extra programs running or bloat. This cannot be configured by the customer. |
| CM-7(4)(b) | Unauthorized Software/Denylisting | Tanzu Application Platform | Tanzu Application Platform service containers do not implement a deny-by-exception policy to prohibit the execution of unauthorized software programs. Tanzu Application Platform service containers are built to provide stripped-down services and do not include extra programs or bloat. Tanzu Application Platform can provide a SBOM to compare against customer organization policies on disallowed software. |
| IA-2 | Identification and Authentication (Organizational Users) | Shared | The customer is responsible for configuring Tanzu Application Platform to use their IdP which is capable of uniquely identifying and authenticating organizational users. Tanzu Application Platform is responsible for providing customers with the capability to integrate their IdP to allow Tanzu Application Platform to uniquely identify organizational users. |
| IA-2(1) | Network Access to Privileged Accounts | Customer | Implemented on customer identity provider. The customer is responsible for implementing multifactor authentication on their IdP for network access to privileged accounts. |
| IA-2(2) | Network Access to Non-Privileged Accounts | Customer | Implemented on customer identity provider. The customer is responsible for implementing multifactor authentication on their IdP for network access to non-privileged accounts. |
| IA-2(3) | Local Access to Privileged Accounts | N/A | Tanzu Application Platform does not use local accounts. All access occurs over a network connection. |
| IA-2(8) | Network Access to Privileged Accounts - Replay Resistant | Tanzu Application Platform | Tanzu Application Platform is responsible for ensuring that all connections to the customer IdP are over TLS 1.2+. |
| IA-2(11) | Remote Access - Separate Device | Customer | The customer is responsible for all aspects of MFA and MFA devices used to authenticate to their Tanzu Application Platform installation, including using remote access. |
| IA-2(12) | Acceptance of Piv Credentials | Customer | Implemented on customer identity provider. The customer is responsible for implementing CAC/PIV credentials with their IdP. |
| IA-3 | Device Identification and Authentication | Customer | The customer is responsible for uniquely identifying and authenticating organization-defined specific and/or types of devices before establishing a local, remote, or network connection. |
| IA-4e | Identifier Management | Customer | Implemented on customer identity provider. The customer is responsible for configuring IdP token TTL and refresh policies that apply to Tanzu Application Platform sessions. Tanzu Application Platform enforces token policies and cannot be configured otherwise. |
| IA-5(1) IA-5(1)(a) IA-5(1)(b) IA-5(1)(c) IA-5(1)(d) IA-5(1)(e) IA-5(1)(f) |
Password-Based Authentication | Customer | Implemented on customer identity store. The customer is responsible for all aspects of password-based authentication to their IdP, using their identity store. Tanzu Application Platform does not employ password-based authentication itself. |
| IA-5(2) IA-5(2)(a) IA-5(2)(b) IA-5(2)(c) IA-5(2)(d) |
PKI-Based Authentication | Customer | Implemented on customer identity provider. The customer is responsible for all aspects of PKI-based authentication on the IdP used to access their Tanzu Application Platform installation. |
| IA-5(11) | Hardware Token-Based Authentication | Customer | The customer is responsible for ensuring hardware token-based authentication employs mechanisms that satisfy organization-defined token quality requirements. |
| IA-6 | Authenticator Feedback | Customer | Implemented on customer identity provider. The customer is responsible for ensuring their IdP obscures feedback of authentication information during the authentication process. |
| IA-7 | Cryptographic Module Authentication | Customer | Implemented on customer identity provider. The customer is responsible for ensuring their IdP implements FIPS 140-2 validated cryptographic modules. |
| IA-8 | Identification and Authentication(Non-Organizational Users) | Customer | Implemented on customer identity provider. The customer is responsible for ensuring that their IdP uniquely identifies and authenticates non-organizational Tanzu Application Platform users, or processes acting on behalf of non-organizational users. |
| IA-8(1) | Acceptance of Piv Credentials from Other Agencies | Customer | Implemented on customer identity provider. The customer is responsible for configuring their IdP to accept and electronically verify Personal Identity Verification(PIV) credentials from other federal agencies. |
| IA-8(2) | Acceptance of Third-Party Credentials | Customer | Implemented on customer identity provider. The customer is responsible for configuring their IdP to accept only FICAM-approved third-party credentials. |
| IA-8(3) | Use of FICAM-Approved Products | Customer | Implemented on customer identity provider. The customer is responsible for employing only FICAM-approved information system components on their IdP to accept third-party credentials. |
| IA-8(4) | Use of FICAM-Issued Profiles | Customer | Implemented on customer identity provider. The customer is responsible for ensuring their IdP conforms to FICAM-issued profiles. |
| SC-2 | Application Partitioning | Tanzu Application Platform | Tanzu Application Platform does not isolate user and management functionality on separate network interfaces, instances, CPUs, or similar. Tanzu Application Platform relies on different roles and Kubernetes RBAC to keep user and management functionality distinct. |
| SC-4 | Information in Shared Resources | Tanzu Application Platform | Tanzu Application Platform creates dedicated Kubernetes namespaces upon deployment. Kubernetes namespaces prevent unauthorized and unintended information transfer using shared system resources. |
| SC-5 | Denial of Service Protection | Customer | The customer is responsible for ensuring that organizational DoS protections at the network layer include the Tanzu Application Platform installation. |
| SC-7 SC-7a SC-7b SC-7c |
Boundary Protection | Customer | The customer is responsible for the configuration and management of boundary protection devices. |
| SC-7(4)(c) | External Telecommunications Services | Customer | The customer is responsible for external telecommunication services used to establish connections to their Tanzu Application Platform installation. |
| SC-7(5) | Deny by Default / Allow by Exception | Shared | Tanzu Application Platform does not implement “deny by default” network policies. This might be mitigated by network-level access controls configured by the customer. |
| SC-7(7) | Prevent Split Tunneling for Remote Devices | Customer | The customer is responsible for all configuration of remote devices used to access Tanzu Application Platform. |
| SC-8 | Transmission Confidentiality and Integrity | Tanzu Application Platform | Tanzu Application Platform is responsible for ensuring all communications occur over TLS 1.2+. |
| SC-8(1) | Cryptographic or Alternate Physical Protection | Tanzu Application Platform | Tanzu Application Platform is responsible for ensuring all communications occur over TLS 1.2+. |
| SC-10 | Network Disconnect | Tanzu Application Platform | Tanzu Application Platform tears down TCP connections and deallocates system resources following the expiration of a session token and cannot be configured otherwise. |
| SC-12 | Cryptographic Key Establishment and Management | Tanzu Application Platform | Tanzu Application Platform is responsible for providing customers with the ability to manage trust stores. |
| SC-13 | Cryptographic Protection | Tanzu Application Platform | Tanzu Application Platform is responsible for implementing FIPS 140 validated cryptographic modules and providing the customer with a means to enable “FIPS Mode”. |
| SC-21 | Secure Name / Address Resolution Service (Recursive or Caching Resolver) | Customer | Tanzu Application Platform inherits the DNSSEC capabilities of the organization resolvers it is configured to use. The customer is responsible for configuring the Tanzu Application Platform and Kubernetes infrastructure to use DNSSEC-capable resolvers. |
| SC-23 | Session Authenticity | Tanzu Application Platform | Tanzu Application Platform is responsible for ensuring all communications occur over TLS 1.2+. |
| SC-28 | Protection of Information at Rest | Customer | Tanzu Application Platform does not natively provide encryption for data at rest, but instead relies on the underlying Kubernetes persistent volumes for appropriate cryptographic protections. The customer is responsible for deploying Tanzu Application Platform to Kubernetes with persistent volumes for appropriate cryptographic protections. |
| SC-39 | Process Isolation | Tanzu Application Platform | Tanzu Application Platform container OS enforces the use of separate execution domains for each executing process and cannot be configured otherwise. The underlying Kubernetes host isolates each container from the other. |
| SI-2c | Flaw Remediation | Tanzu Application Platform | The customer is responsible for keeping the Tanzu Application Platform installation up to date, to within org-defined standards. Tanzu Application Platform does not automatically update itself. |
| SI-3(2) | Automatic Updates | N/A | Tanzu Application Platform does not include malicious code protection mechanisms therefore automatic update to such mechanisms does not apply. |
| SI-7(1) | Integrity Checks | Tanzu Application Platform | Tanzu Application Platform performs a hash check when images are downloaded, and a cryptographic signature validation at runtime. This cannot be configured otherwise. |
| SI-10 | Information Input Validation | Tanzu Application Platform | Tanzu Application Platform is responsible for performing input validation of user-supplied input to Tanzu Application Platform. |
| SI-11 SI-11a SI-11b |
Error Handling | Tanzu Application Platform | Tanzu Application Platform limits error message verbosity but does display errors to users. Given the development/coding nature of Tanzu Application Platform, deployment errors and similar must be raised to the user so they can be corrected. |
| SI-16 | Memory Protection | Tanzu Application Platform | Tanzu Application Platform container OS protects its memory from unauthorized code execution and cannot be configured otherwise. The underlying Kubernetes host also isolates container memory pages. |
