The PCF platform itself is compliant with this requirement. As a distributed-computing cloud-native platform, PCF implements appropriate identification and authentication capabilities for all communications that occur within the platform, between distributed platform jobs, such as Diego, Cloud Controller, UAA, and so on.
Compliance with this requirement for hosted applications and user-provided services is the responsibility of the deployer.
The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].
This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner, if external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services.