Some great news for our existing and prospective customers of VMware Cloud on AWS GovCloud (US) – we are thrilled to announce that VMware Cloud on AWS GovCloud (US) has achieved expanded Department of Defense (DoD) Impact Level 5 (IL5) Provisional Authorization (PA) as of August 2023. This certification expansion includes both US-East and US-West regions, the i4i.metal instance type as well as VMware HCX in both regions and will enable further adoption of the service by US Public Sector agencies.
VMware’s expansion of its DoD IL5 PA for VMware Cloud on AWS GovCloud (US) demonstrates the unwavering commitment to providing secure and innovative cloud solutions to our customers in the government and defense sectors.
Certification Process
VMware Cloud™ on AWS GovCloud (US) brings VMware’s Software-Defined Data Center (SDDC) software to the AWS GovCloud (US) regions, and with FedRAMP High JAB Authorization and DoD IL5 Authorization, it enables US public sector agencies to securely run production applications across VMware vSphere®-based on-premises and cloud environments with access to AWS services. Jointly engineered by VMware and AWS, this on-demand, scalable service enables IT teams to seamlessly extend, migrate, protect and manage their cloud-based resources with familiar VMware tools. VMware Cloud on AWS GovCloud (US) integrates VMware’s flagship compute, storage, and network virtualization products (VMware vSphere®, VMware vSAN™ and VMware NSX®) along with VMware vCenter® management, and optimizes it to run on dedicated, elastic, Amazon EC2 bare-metal infrastructure that is fully integrated as part of the AWS GovCloud (US).
However, technology is only a small part of what drives an IL5 authorization. For most regulatory compliance authorizations, including IL5, it is more about HOW that technology is implemented and used. Cloud Service Providers (CSPs) and their Cloud Service Offerings (CSOs) are evaluated for their processes, going deep into how the services are implemented and secured, who has access to the systems, how events in the systems are audited and logged, where deployed systems are physically located, and so on.
As part of this expanded certification authorization, VMware Cloud on AWS GovCloud (US) meets the stringent process and implementation guidelines of DISA IL5, meaning easy and fast access to cloud services for Department of Defense mission owners.
Now let’s dive into the details of the DoD IL5 PA certification expansion achieved by VMware Cloud on AWS GovCloud (US) as of August 2023.
Certification Deep Dive – August 2023 expansion
DISA’s IL5 certification attests that Cloud Service Providers have built secure cloud offerings fit to process, store and transmit Controlled Unclassified Information (CUI) and Unclassified National Security Information (U-NSI). With the authorization of VMware HCX and the i4i.metal instance type at the IL5 level, as well as the expansion of VMware Cloud on AWS GovCloud (US) into the US-East and US-West Regions, U.S. Department of Defense (DoD) customers can now migrate, extend, modernize and protect on-premises workloads into VMware Cloud on AWS GovCloud (US), and can use universally available disaster recovery solutions such as VMware Site Recovery Manager. Additionally, customers can now deploy SDDCs in both US-East and US-West regions of VMware Cloud on AWS GovCloud (US).
VMware HCX in IL5 provides DoD mission owners with an application mobility platform that is designed to simplify application migrations and optimize disaster recovery networking across on-premises datacenters and VMware Cloud on AWS. Connectivity between the mission owner’s on-premises vSphere infrastructure and the VMware Cloud on AWS SDDC is established using the VMware Transit Connect service in the mission owner’s VMware Cloud on AWS service. VMware Transit Connect provides connectivity to the mission owner’s SCCA/VDSS, which connects to the DISA BCAP and then to the mission owner’s on-premises VMware infrastructure. Once network reachability is established between a mission owner’s SDDC infrastructure and their on-premises VMware infrastructure, the mission owner then uses VMware HCX to build a service mesh backed by Suite B encrypted tunnels, providing hybrid cloud connectivity for simplified and secure workload mobility.
VMware Cloud on AWS GovCloud (US) BCAP Architecture
The diagram below provides a visual depiction of the reference architecture utilized by VMware Cloud on AWS GovCloud (US) to establish a BCAP connection between DoD Mission Owners and their SDDCs. This includes VMware HCX, VMware Site Recovery Manager, and customer workload traffic.
VMware Cloud on AWS GovCloud (US) Secure Network Configuration
SDDCs utilize VMware NSX to create and manage SDDC networks. VMware NSX provides an agile software-defined infrastructure to build cloud-native application environments. Mission Owners have autonomy in defining the virtual networking within their SDDCs to support DoD IL2, 4, and 5 workloads.
Mission Owners shall ensure the following when establishing network configurations for their SDDC:
- All inbound/outbound Mission Owner SDDC communication shall flow through VMware Transit Connect.
- Transit Gateway Peering shall be configured between VMware Transit Connect and the Mission Owner’s Transit Gateway or VPC attachment to Mission Owner’s SCCA/VDSS.
VMware Cloud on AWS GovCloud (US) Account Management
VMware Cloud on AWS GovCloud (US) accounts are based on an organization which corresponds to each mission owner that subscribes to VMware Cloud Services.
Organization roles specify the privileges that an organization member has over organization assets. Service roles specify the privileges that an organization member has when accessing VMware Cloud Services that the organization uses. All service roles can be assigned and changed by a user with organization owner privileges.
Mission Owners shall ensure the following when establishing service roles for their SDDC:
- Restrictive roles such as NSX Cloud Admin (Delete Restricted) or NSX Cloud Auditor shall be assigned along with the role of organization member to prevent modification.
- The NSX Cloud Admin role shall be limited to as few individuals as operationally possible to prevent unauthorized network configurations.
- NSX Cloud Auditor – This role can view NSX service settings and events but cannot make any changes to the service.
- NSX Cloud Admin – This role can perform all tasks related to deployment and administration of the NSX service.
- The NSX Cloud Admin role can establish external connections to a Mission Owner SDDC. Mission Owners shall follow their internal access control, audit & accountability, configuration management, incident response and systems and communications protections policies and procedures to reduce the risk of unauthorized external connections.
- Mission Owners shall restrict access to their Cloud Services Portal/VMware Cloud on AWS GovCloud (US) Console by setting up Allow/Block lists based on specific IP ranges. This restricts access to the CSP to trusted IP address ranges only. Additionally, DoD Mission Owners can implement a Remote Desktop or Bastion Host solution for remote access into the Cloud Services Portal (CSP). For added security, DoD Mission Owners shall enable the allow list so that CSP connections are limited to approved IP ranges only.
VMware Cloud on AWS GovCloud (US) Audit & Logging
Mission Owner organizations in VMware Cloud on AWS GovCloud (US) have access to organization-level activity logs for auditing, and their VMware Cloud on AWS GovCloud (US) SDDCs have access to SDDC infrastructure-level logs for monitoring and auditing SDDC infrastructure components.
As VMware does not have access to Mission Owner workloads, Mission Owners shall ensure the following when establishing logging for their SDDC:
- Verify NSX Manager logs are sent to a centralized server and can be used as part of the organization’s security incident tracking and analysis. VMware provides SDDC logs to Mission Owners via AWS S3 buckets, which can be ingested by the DoD Mission Owner’s SIEM of choice.
- Verify that non-privileged users are prevented from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.
- Verify NSX Manager audit records are off-loaded to a different system.
- Verify the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real time.
- Configure incident response monitoring and alerting to detect changes to SDDC networking.
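As an added illustration of the last two points above (centralized SDDC logs feeding a SIEM, and alerting on changes to SDDC networking) together with the CSP console allow-list guidance in the account-management section, the following Python is example code written for this post, not VMware’s or DISA’s own tooling. It assumes a constructed JSON-lines event schema and a Mission Owner policy (an approved-admin set and a trusted IP range) that are placeholders for the real log format and the real policy.

```python
import ipaddress
import json

# Constructed sample records in a hypothetical JSON-lines schema. This is NOT the
# real NSX Manager or VMware Cloud Services activity-log format; map the field
# names to whatever the S3-delivered SDDC logs actually contain.
SAMPLE_EVENTS = """\
{"ts":"2023-08-14T13:02:11Z","user":"alice@mo.example","role":"NSX Cloud Admin","src_ip":"10.20.1.15","action":"UPDATE","object":"FirewallRule","name":"allow-mgmt"}
{"ts":"2023-08-14T13:05:40Z","user":"bob@mo.example","role":"NSX Cloud Auditor","src_ip":"10.20.1.22","action":"READ","object":"Segment","name":"app-seg"}
{"ts":"2023-08-14T13:09:03Z","user":"carol@mo.example","role":"NSX Cloud Admin","src_ip":"198.51.100.7","action":"CREATE","object":"VpnSession","name":"ext-vpn-1"}
{"ts":"2023-08-14T13:12:55Z","user":"dave@mo.example","role":"Organization Member","src_ip":"10.20.1.30","action":"DELETE","object":"Segment","name":"db-seg"}
"""

# Assumptions standing in for a Mission Owner's own policy data.
APPROVED_NSX_ADMINS = {"alice@mo.example"}                  # the few approved NSX Cloud Admins
TRUSTED_CSP_RANGES = [ipaddress.ip_network("10.20.0.0/16")]  # CSP console allow list
NETWORK_OBJECTS = {"Segment", "FirewallRule", "VpnSession", "TransitConnectAttachment"}
CHANGE_ACTIONS = {"CREATE", "UPDATE", "DELETE"}


def is_trusted_source(ip: str) -> bool:
    """True when the source address falls inside an allow-listed CSP range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_CSP_RANGES)


def analyze(jsonl: str) -> list:
    """Return one alert dict per finding; a single event can raise several alerts."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        base = {"ts": ev["ts"], "user": ev["user"], "target": f'{ev["object"]}/{ev["name"]}'}
        # Any create/update/delete of a networking object is a change worth tracking.
        if ev["action"] in CHANGE_ACTIONS and ev["object"] in NETWORK_OBJECTS:
            alerts.append({"rule": "network_change", **base})
            # Only the approved NSX Cloud Admins should be changing SDDC networking.
            if ev["role"] != "NSX Cloud Admin" or ev["user"] not in APPROVED_NSX_ADMINS:
                alerts.append({"rule": "unapproved_actor", "role": ev["role"], **base})
        # Activity from outside the allow list should not have reached the console at all.
        if not is_trusted_source(ev["src_ip"]):
            alerts.append({"rule": "untrusted_source", "src_ip": ev["src_ip"], **base})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed sample, the read-only auditor event raises nothing, while the VPN session created from outside the allow list and the segment deleted by an organization member each raise two or more alerts.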
More Information
Beyond GovCloud (US), the VMware Cloud on AWS service also holds many global and regional certifications for regulatory compliance, helping to speed migrations and make audits easier for thousands of customers governed by regulatory requirements. You can review all of these at the VMware Cloud Trust Center. Also check out the IL5 tenant configuration guide.
For more information about how VMware Cloud on AWS GovCloud (US) can help your public sector organization achieve its mission, please visit the GovCloud website or speak with your VMware account team.