Many organizations are required to reference a standardized control framework when assessing the security and compliance of their information systems. Standardized control frameworks are intended to provide a model for how to protect information and data systems from threats, including malicious third parties, structural failures, and human error. One very comprehensive and commonly referenced framework is NIST Special Publication 800-53(r4). Adherence to these controls is required for many government agencies in the United States, as well as for many private enterprises that operate within regulated markets, such as healthcare or finance. For example, the HIPAA regulations that govern the required protections for Personal Health Information (PHI) may be cross-referenced to the NIST SP 800-53(r4) control set.
These pages provide an assessment of the VMware Tanzu Application Service platform against the NIST SP 800-53(r4) controls, and provide guidance for how deployers may achieve compliance when using a shared responsibility model. Responsibility for any particular control may be assigned to the underlying IaaS infrastructure, the Tanzu Application Service platform, the deployed application, or the organization.
This document covers the VMware Tanzu Application Service, and assumes the use of BOSH and Tanzu Operations Manager. In addition, we assume the platform has been deployed in a manner consistent with the corresponding IaaS reference architecture.