Organizations doing business with federal and regulated agencies must often comply with one or more regulatory standards. Ensuring that your VMware Tanzu deployment is in compliance with such standards involves understanding a broader set of considerations that cover people, processes, and technology.

Compliance is focused on mapping security controls to specific regulatory requirements. A compliance mapping provides a centralized view that lists the required security controls. Each control is further detailed with compliance citations from the official agencies and other bodies that dictate it.

Tanzu provides security and compliance resources and documentation for the following Tanzu component products.

Tanzu and security: Security-related blogs, whitepapers, and other resources for Tanzu.
Tanzu for the public sector: Information about Tanzu for government agencies.
Tanzu Application Platform: Overview of security and compliance in Tanzu Application Platform.
Tanzu Build Service: Generate SLSA attestations with Tanzu Build Service in Tanzu Application Platform.
Tanzu Application Service: Tanzu Application Service 6.0 compliance and hardening. Earlier versions are available.
Tanzu Application Service: Assessment of Tanzu Application Service against NIST SP 800-53(r4) Controls.
Compliance Scanner for VMware Tanzu: Compliance Scanner for Tanzu provides platform operators and auditors with an assessment of Linux VMs running on stemcells in Tanzu Operations Manager.
Tanzu Application Catalog: Security frameworks and industry best practices in Tanzu Application Catalog.
Tanzu Kubernetes Grid: Tanzu Kubernetes Grid 2.5 compliance and hardening. Earlier versions are available.
vSphere with Tanzu: STIG hardening overview for vSphere with Tanzu.
VMware Trust Center: General information about security and compliance at VMware by Broadcom.

Note: Where more than one version exists, the links in the tables point to the latest version of each publication. Use the version selector in the publication to select the specific version of the Tanzu component that you are using.

External resources

Different Tanzu components comply with or provide guidance about how to comply with the following standards.

NIST
The National Institute of Standards and Technology (NIST) is a non-regulatory government agency that develops technology, metrics, standards, and guidelines. Compliance with NIST standards and guidelines has become a top priority in many industries today. Government and private organizations use NIST 800-53 to secure information systems. Cybersecurity and privacy controls are essential to protect organizational operations (including mission, functions, image, and reputation), organizational assets, and individuals from a diverse set of threats. Some of these threats include hostile cyber-attacks, natural disasters, structural failures, and human errors. Tanzu has enlisted a third-party audit partner to evaluate certain Tanzu products and solutions against the NIST 800-53 catalog of controls.
DISA STIG
The Defense Information Systems Agency (DISA) develops and publishes Security Technical Implementation Guides, or STIGs. DISA STIGs provide technical guidance for hardening systems and reducing threats. DISA is the U.S. Department of Defense (DoD) combat support agency responsible for maintaining the security posture of the DoD Information Network (DODIN). One of the ways DISA accomplishes this task is by developing, disseminating, and mandating the implementation of STIGs. In brief, STIGs are portable, standards-based guides for hardening systems. STIGs are mandatory for U.S. DoD IT systems and, as such, provide a vetted, secure baseline against which non-DoD entities can measure their security posture. Tanzu submits suggested security hardening guidance for certain Tanzu products to DISA for evaluation, based on DISA protocols and feedback. Once that process is complete, the official STIG is published on the DISA website at https://public.cyber.mil/stigs/.
SLSA and CISA

The Tanzu Build Service component in some Tanzu Application Platform versions and Tanzu Application Catalog follow Supply-chain Levels for Software Artifacts (SLSA) Level 3 recommendations when building and delivering applications.

The Cybersecurity and Infrastructure Security Agency (CISA) is the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience. CISA dictates certain requirements and principles for manufacturers, software vendors, and organizations of different industries to help them strengthen their security posture and facilitate managing cybersecurity risks. Tanzu Application Catalog meets CISA recommendations for VEX documents.