Compliance kits are solutions that build on top of VMware Validated Design to provide guidance for enhanced configurations and audit review. Each compliance kit is specific to a compliance standard, regulation, or framework.

Every compliance kit is designed and validated to tailor security configurations without impacting the ability of VMware Validated Design to meet its design objectives. The kit can assist organizations in securing information systems in a compliance context.

This guidance has been validated and tested. Changes between subsequent releases of VMware Validated Design are designed for stability and an optimal upgrade experience. Guidance provided by the VMware Validated Design Compliance Kit is for a specific VMware Validated Design release, but it can still be used until a subsequent release is available.

Kit Structure

The kit consists of documents specific to the Standard SDDC implementation of VMware Validated Design.

Document Name: Product Applicability Guide

Document Description: Describes security capabilities and their corresponding security control mapping. Attested by an independent, third-party auditor.

Intended Audience:

  • Procurement

  • Cloud Architects

  • Security Professionals

Document Name: Configuration Guide

Document Description: Enhanced configurations that can be performed after deployment of the VMware Validated Design for Standard Architecture. This guide mirrors the format and structure of the VMware Validated Design with a layered approach to securing the Software-Defined Data Center standard implementation.

Intended Audience:

  • System Integrators

  • Cloud Administrators

  • Infrastructure Administrators

Document Name: Audit Guide

Document Description: Procedures to validate both built-in and enhanced configurations, with a preface composed by an independent, third-party auditor introducing the audit content and its applicability to control testing of a Software-Defined Data Center.

Intended Audience:

  • Security Professionals

  • Auditors

The compliance kit is designed to work holistically. Each document supports the overall blueprint and builds trust across multiple personas that may interact with the life cycle of a system operating within a compliance context: architects, system administrators, system integrators, security professionals, and auditors.

Introducing Security and Compliance outlines the security and compliance concepts used in the development of the VMware Validated Design Compliance Kit, such as governance, risk, and compliance; separation of duties; and security architecture.

The Product Applicability Guide provides an overview of compliance requirements. Each product capability that has compliance applications is documented. An independent, third-party auditor attested the product capabilities and control mappings, providing a proof of concept for the potential applicability of the products to compliance requirements. The product capabilities are also mapped to specific security configurations in the Audit Guide.

The VMware Validated Design Configuration Guide evaluates the product capabilities identified in the Product Applicability Guide and distills the information into security configuration building blocks. All configurations are evaluated against the VMware Validated Design. Built-in configurations are confirmed as part of the VMware Validated Design deployment and are therefore excluded from the Configuration Guide. You must perform the procedures from the guide as documented to ensure that SDDC performance is not compromised.

The Audit Guide supports the post-implementation and audit processes. It includes procedures to validate both built-in and enhanced configurations. The preface to the Audit Guide is composed by an independent, third-party auditor who evaluated the VMware Validated Design Compliance Kit and attests to its ability to address compliance requirements. It includes the concepts required to audit a virtualized environment and tips on how to audit a Software-Defined Data Center. Appendices in the Audit Guide map product capabilities to controls, product capabilities to configurations, configuration items to audit items, and audit items to controls, and provide a comprehensive inventory of configurations designated as built-in or enhanced.

Compliance Kit Guidance Documentation Map

The VMware Validated Design Compliance Kit enhances the documentation of the VMware Validated Design for Software-Defined Data Center and must be applied after the SDDC is deployed.

VMware Validated Design Compliance Kit for NIST 800-53 R4

This kit is designed as the baseline for all compliance kits and addresses compliance requirements outlined by NIST 800-53 Release 4. Currently, this kit applies to a subset of products within the VMware Validated Design, limited to the following:

  • VMware vSphere (VMware ESXi and VMware vCenter)

  • VMware vSAN

  • VMware NSX for vSphere (NSX-v)