Organizations doing business with federal and regulated agencies must often comply with one or more regulatory standards. Ensuring that your VMware Tanzu deployment is in compliance with such standards involves understanding a broader set of considerations that cover people, processes, and technology.

Compliance is focused on mapping the correlation between security controls and specific requirements. A compliance mapping provides a centralized view to list out many of the required security controls. Those controls are further detailed by including compliance citations for each respective security control as dictated by a domain such as the National Institute of Standards and Technology (NIST), Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG), Cybersecurity and Infrastructure Security Agency (CISA), and Supply-chain Levels for Software Artifacts (SLSA).

NIST
NIST is a non-regulatory government agency that develops technology, metrics, standards, and guidelines. Compliance with NIST standards and guidelines has become a top priority in many industries today. Government and private organizations use NIST 800-53 to secure information systems. Cybersecurity and privacy controls are essential to protect organizational operations (including mission, functions, image, and reputation), organizational assets, and individuals from a diverse set of threats. Some of these threats include hostile cyber-attacks, natural disasters, structural failures, and human errors. Tanzu has enlisted a third-party audit partner to evaluate certain Tanzu products and solutions against the NIST 800-53 catalog of controls.
DISA STIG
DISA develops and publishes Security Technical Implementation Guides, or STIGs. DISA STIGs provide technical guidance for hardening systems and reducing threats. DISA is the U.S. Department of Defense (DoD) combat support agency responsible for maintaining the security posture of the DoD Information Network (DODIN). One of the ways DISA accomplishes this task is by developing, disseminating, and mandating the implementation of STIGs. In brief, STIGs are portable, standards-based guides for hardening systems. STIGs are mandatory for U.S. DoD IT systems and, as such, provide a vetted, secure baseline for non-DoD entities to measure their security posture. Tanzu submits suggested security hardening guidance for certain Tanzu products to DISA for evaluation, based on DISA protocols and feedback. Once that process is complete, the official STIG is published on the DISA organization’s web site at https://public.cyber.mil/stigs/.
SLSA and CISA

The Tanzu Build Service component in Tanzu Application Platform v1.8 and Tanzu Application Catalog follow SLSA Level 3 recommendations when building and delivering applications.

CISA is the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience. CISA dictates certain requirements and principles for manufacturers, software vendors, and organizations of different industries to help them strengthen their security posture and facilitate managing cybersecurity risks. Tanzu Application Catalog meets CISA recommendations for VEX documents.

Compliance docs for Tanzu products

Tanzu provides compliance documentation for the following component products and product versions:

Product Compliance Docs
Tanzu Application Catalog Security frameworks and industry best practices in Tanzu Application Catalog
Tanzu Application Platform

Overview of security and compliance in Tanzu Application Platform v1.9 (v1.8 | v1.7 | v1.6 | v1.5)

Generate SLSA attestations with Tanzu Build Service (TAP v1.9) (TAP v1.8)

Tanzu Application Service

Tanzu Application Service 2.13 Compliance and Hardening

Assessment of Tanzu Application Service against NIST SP 800-53(r4) Controls

Compliance Scanner for VMware Tanzu

Tanzu Kubernetes Grid

Tanzu Kubernetes Grid 2.5 Compliance and Hardening (v2.4 | v2.3 | v2.2)

vSphere with Tanzu STIG Hardening Overview for vSphere with Tanzu

More information about compliance

For more information about Tanzu and government agencies, see the Tanzu public sector page. For information about compliance at VMware by Broadcom generally, see the VMware Trust Center.

For information about the different regulatory standards, see their respecitve web sites: