Organizations doing business with federal and regulated agencies must often comply with one or more regulatory standards, such as National Institute of Standards and Technology (NIST) publications and Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs). Ensuring that your Tanzu deployment complies with such standards involves understanding a broader set of considerations, including people, processes, and technology.
Compliance is focused on mapping security controls to the specific requirements they satisfy. A compliance mapping provides a centralized view that lists the required security controls. Each control is further detailed with the compliance citations that apply to it, as dictated by the governing framework, such as NIST or DISA.
NIST Compliance
The National Institute of Standards and Technology (NIST) is a non-regulatory government agency that develops technology, metrics, standards, and guidelines. Compliance with NIST standards and guidelines has become a top priority in many industries today. Government and private organizations use NIST 800-53 to secure information systems. Cybersecurity and privacy controls are essential to protect organizational operations (including mission, functions, image, and reputation), organizational assets, and individuals from a diverse set of threats. Some of these threats include hostile cyber-attacks, natural disasters, structural failures, and human errors. VMware has enlisted a third-party audit partner to evaluate VMware products and solutions against the NIST 800-53 catalog of controls. For more information, visit the NIST webpage at https://www.nist.gov/cyberframework.
DISA Compliance
The Defense Information Systems Agency (DISA) develops and publishes Security Technical Implementation Guides, or STIGs. DISA STIGs provide technical guidance for hardening systems and reducing threats.
The Defense Information Systems Agency (DISA) is the U.S. Department of Defense (DoD) combat support agency responsible for maintaining the security posture of the DoD Information Network (DODIN). One of the ways DISA accomplishes this task is by developing, disseminating, and mandating the implementation of Security Technical Implementation Guides, or STIGs. In brief, STIGs are portable, standards-based guides for hardening systems. STIGs are mandatory for U.S. DoD IT systems and, as such, provide a vetted, secure baseline against which non-DoD entities can measure their own security posture. Vendors such as VMware submit suggested security hardening guidance to DISA for evaluation, based on DISA protocols and feedback. Once that process is complete, the official STIG is published on DISA's website at https://public.cyber.mil/stigs/.
Compliance Docs for VMware Tanzu Products
VMware provides the following compliance documentation for VMware Tanzu:
For more information about compliance at VMware, see the VMware Trust Center.