VMware Cloud Foundation

Announcing the Compliance Kit for VMware Cloud Foundation 4.2

Across multiple industry segments, organizations need to comply with one or more regulatory standards, and these compliance requirements typically fall to the CIO and IT teams. Auditing and remediating an environment can be a complex, time-consuming task. The complexity increases with Software Defined Data Center solutions like VMware Cloud Foundation (VCF), which contain a multitude of different products that manage virtualization of storage, compute, and network resources.

To assist customers with achieving compliance, VMware has recently released the VMware Compliance Kit for VMware Cloud Foundation 4.2. This kit provides guidance to assist administrators of a VCF environment in navigating the regulatory compliance waters. 

This new compliance kit provides guidance for National Institute of Standards and Technology Special Publication 800-53 Revision 4 (NIST 800-53 R4), which is a catalog of security and privacy controls used for all U.S. federal information systems, except those related to national security. NIST 800-53 R4 is primarily used by federal agencies to architect and manage their information security systems. From a compliance standpoint, additional requirements may be added to this list of regulatory standards, and these may be included in the compliance kit in the future:

  • NIST 800-53 R4 
  • PCI DSS 3.2.1 
  • SOC 2 
  • FedRAMP 
  • HIPAA 
  • FBI CJIS 
  • DISA STIG 
  • NERC CIP 
  • NIST 800-171/CMMC 
  • GDPR/ISO 27001:2013 

The kit targets the core software components contained within VMware Cloud Foundation, such as ESXi, vSAN, NSX-T, and the SDDC Manager. For each of these products, audit procedures are provided and associated with a specific standard.

The kit also provides other documents that describe the configurations that a user can perform after VCF is deployed and how to validate a VCF environment. Currently, the kit provides manual guidance and does not include any tools to automate the auditing of an environment, but that is also being considered as a future requirement.

You can download the VCF 4.2 Compliance Kit from the compliance enablement section of the Cloud Platform Tech Zone site. Additional information can also be found online in the VMware Cloud Foundation product documentation. Check these sites frequently, as updates will be posted as new standards are added to the kit.