Many people have been interested in knowing when vSphere 4 will achieve Common Criteria certification, as was the case for ESX 3.0 and vCenter 2.0 and as will be the case for ESX/ESXi 3.5 and vCenter 2.5. Common Criteria is important for government and defense customers, since it is often a requirement for many of their IT environments, but it is also valuable for other customers, since it represents an objective measure of a software product’s security. Having Common Criteria certification, especially at the higher levels, is often used by security professionals and auditors as a way to gauge whether or not a product should be considered for use in security-sensitive environments, such as credit-card transaction systems.
I am happy to report that VMware vSphere 4 has begun the Common Criteria certification process for vSphere 4.0 at EAL4+. This specifically includes: ESX 4.0, ESXi 4.0, and vCenter 4.0. We have received the letter of intent from the security consulting firm hired by VMware for the evaluation; unfortunately, we cannot post it here, but interested customers should contact their sales representatives directly if they want to see a copy of it.
As you might be aware, the journey towards final certification can be a long one, due to the extensive documentation requirements and rigorous tests that the products must undergo. We’ll provide updates at major milestones of the certification process, but the expectation is that final certification will be achieved in the 2nd half of 2010.