VMware!SDDC!Product! Applicability!Guide!for!CJIS! v5.2!

Transcription

1 VMwareSDDCProduct ApplicabilityGuideforCJIS v5.2 August2014 v1.0 Product Guide This is the first document in the Compliance Reference Architecture for CJIS. You can find more information on the Framework and download the additional documents from the CJIS Compliance Resources TAB on VMware Solution Exchange here. Applicability

2 Table(of(Contents( EXECUTIVE(SUMMARY(...(5( INTRODUCTION(...(9( OVERVIEW(OF(THE(CJIS(SECURITY(POLICY(AS(IT(APPLIES(TO(CLOUD/VIRTUAL(ENVIRONMENTS(...(12( CLOUD(COMPUTING(AND(VIRTUAL(ENVIRONMENTS(...(14( WHERE(TO(START(J(CONSIDERATIONS(FOR(SYSTEM(OWNERS,(IT(AND(ASSESSORS(...(16( LAWENFORCEMENTCONSIDERATIONS...16 ITCONSIDERATIONS...16 ASSESSMENTCONSIDERATIONS...17 GUIDANCE(FROM(CJIS(SECURITY(POLICY(...(18( VMWARE(TECHNOLOGIES(AND(CJIS(...(22( VMWARE(CJIS(REQUIREMENTS(MATRIX((OVERVIEW)(...(23( CJIS(REQUIREMENTS(MATRIX((BY(VMWARE(SUITE)(...(25( VCLOUDINFRASTRUCTURE...25 VCLOUDNETWORKINGANDSECURITY...29 NSX...33 OPERATIONSMANAGEMENT...38 CJIS(SECURITY(POLICY(...(43( GLOSSARY(OF(TERMS(...(87( ACKNOWLEDGEMENTS(...(89( ABOUTCOALFIRE...89( FIGURE(1:(CJIS(PROGRAM(STRUCTURE(...(9( FIGURE(2:(CJIS(REQUIREMENTS(AND(VMWARE(...(10( FIGURE(3:(VMWARE(+(PARTNER(PRODUCT(CAPABILITIES(FOR(A(TRUSTED(CLOUD(...(11( FIGURE(4:(VIRTUALIZATION(RISK(MITIGATION(...(12( FIGURE(5:(CLOUD(COMPUTING(...(14( FIGURE(6:(VMWARE(SOFTWARE(DEFINED(DATA(CENTER(PRODUCTS(AND(SUITES(...(22( FIGURE(7:(CJIS(SECURITY(REQUIREMENTS(AND(VMWARE(...(23( ( TABLE(1:(HIGHJLEVEL(CJIS(POLICY(AREA(MAPPING(...(7( TABLE(2:(CJIS(REQUIREMENTS(...(24( TABLE(3:(APPLICABILITY(OF(CJIS(CONTROLS(TO(VCLOUD(INFRASTRUCTURE(...(25( TABLE(4:(APPLICABILITY(OF(CJIS(CONTROLS(TO(VCLOUD(NETWORKING(AND(SECURITY(...(29( TABLE(5:(CJIS(CONTROLS(APPLICABILITY(MATRIX(NEED(MORE(SERVICE(COMPOSER(...(34( TABLE(6:(CJIS(CONTROLS(APPLICABILITY(MATRIX(...(39( (

3 Revision(History( ( DATE( REV( AUTHOR( COMMENTS( REVIEWERS( August14, NoahWeisberger InitiallyCreated InternalSME,VMware July MaryBethAngin Updates Compliance&CyberRisk Team Design(Subject(Matter(Experts( Thefollowingpeopleprovidedkeyinputintothisdesign. NAME( (ADDRESS( ROLE/COMMENTS( NoahWeisberger noah.weisberger@coalfire.com( Director Cloud,Virtualization&MobilePractice,Coalfire SatnamPurewal satnam.purewal@coalfire.com( Associate,Coalfire Trademarks( TheVMwareproductsandsolutionsdiscussedinthisdocumentareprotectedbyU.S.andinternationalcopyright andintellectualpropertylaws.vmwareproductsarecoveredbyoneormorepatentslistedat Statesand/orotherjurisdictions.Allothermarksandnamesmentionedhereinmaybetrademarksoftheir companies. SOLUTION(AREA( VMware(vCloud ( Infrastructure VMware(vCloud (Networking( and(security VMware(NSX VMware(vRealize ( Operations (((formerly( vcenter) KEY(PRODUCTS( VMwareESXi,VMwarevSphere,VMwarevShieldEndpoint,VMware vrealizeserver andvmwarevclouddirector VMwarevCloud NetworkingandSecurityApp,VMwarevCloud NetworkingandSecurityDataSecurity,VMwarevCloud Networkingand SecurityEdgeGateway,VMwarevCloud NetworkingandSecurity Manager VMwareNSXEdge,NSXFirewall,NSXRouter,NSXLoadBalancer,NSX ServiceComposer VMwarevRealize OperationsManager,VMwarevRealize Configuration Manager,VMwarevRealize InfrastructureNavigator,VMwarevRealize Orchestrator,VMwarevCenter UpdateManager,VMwarevRealize AutomationCenter,VMwarevRealize LogInsight VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 3 ( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective*

4 * * VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 4 ( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective*

5 VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 5 ( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective* Executive(Summary( VMware,theleaderincloudcomputingsoftwareforenterprises,recognizesthetremendousopportunitythat CriminalJusticeInformationServices(CJIS)provideslawenforcementandintelligenceagencieswishingtoleverage VMwaresolutionsfortheirapplications,includingefficiencies,costsavings,cyberdriskmanagement,and compliance.vmwarehasdevelopedareferencearchitectureframework(raf)thatprovidesaconsistentwayfor VMware,itspartners,andorganizationstoassessandevaluatetheimpactofregulationsonvirtualandcloud environments.mostorganizationsbeginthecomplianceprocessbymappingthemandatedrequirementstotheir specificorganizationalneeds.thisisusuallyadifficulttaskthatcanutilizesignificantamountoftimeand resources.tostreamlinetheprocess,vmwarehasestablishedasingleholisticapproachthatcanbeusedto evaluatethevmwareenvironment,partnersolutions,andendusertools. OrganizationscansignificantlyreducethecomplexityandcostofCJISPolicycompliancebyreplacingtraditional nondintegratedsolutionswithintegratedsolutions.vmwarehasmappeditsproductsuitestospecificcjiscontrols whichaddresstheissuesofcomplianceforcjis.asmostorganizationsknow,thereisnosingleproductthatcan meetallofanorganization sneeds.toaddressthisgap,vmware,togetherwiththevmwarepartnerecosystem deliverscompliancedorientedsolutions,enablingcjiscompliancebyautomatingthedeployment,provisioningand operationofregulatedenvironments.vmwareprovidesthesolutionreferencearchitecture,cjisspecificguidance andsoftwaresolutionsthatbusinessesrequiretoachievecontinuouscompliance,alongwithbreakthroughspeed, efficiencyandagilityfortheirdeployments.thesesolutionsdirectlyaddressagencyneedsfor: * Costandinfrastructureefficiency * Simplifiedmanagementandreporting * Infrastructuretransparency * EffectiveCyberdRiskManagement * Abilitytoenableandmaintainasecureandcompliantenvironment TheVMwareComplianceRAF(ReferenceArchitectureFramework)providesaprogrammaticapproachtomap VMwareandpartnerproductstoregulatorycontrols,fromanindependentauditorperspective.Theresultis valuableguidancethatincorporatesbestpractices,design,configurationanddeploymentguidancewith independentauditoroversightandvalidation. VMwarerecognizesthatsecurityandcompliancearecriticalareasthatmustbeaddressedbyallorganizations accessingcriminaljusticeinformation(cji).bystandardizinganapproachtocomplianceandexpandingthe approachtoincludepartners,vmwareprovidescustomersaprovensolutionthatmorefullyaddressestheir complianceneeds.thisapproachprovidesmanagement,itarchitects,administrators,andauditorsahighdegree oftransparencyintorisks,solutions,andmitigationstrategiesformovingcriticalapplicationstothecloudina secureandcompliantmanner.thisisespeciallyimportantwhenthepenaltiesfornoncomplianceareextremely highduetothesensitivityofcji.failingtocomplywiththecjismandatedrequirementscouldmeanrevocationof accessorfines. Complianceisdefinedasasetofrequirementsnecessarytomeetasetofminimumcontrols,establishedbythe regulatorygroup.compliancewithallapplicablecontrolscanbechallengingwhenbalancedwiththefactthat criminaljusticeinformationneedstobeavailable24/7inorderforlawenforcement,nationalsecurity,andthe intelligencecommunitypartnerstoprotecttheunitedstateswhilepreservingcivilliberties.thefederalbureauof Investigation(FBI)establishedtheCriminalJusticeInformationServices(CJIS)Divisionin1992tomeetthis

6 challenge.today,cjisisfbi slargestdivisionandprocessesmillionsoftransactionsonadailybasis,withresponse timesrangingfromminutestoseconds. 1 TheCJISDivisionisresponsibleformanyinformationtechnologydbased systemslikethenationalcrimeinformationcenter(ncic),nationalinstantcriminalbackgroundchecksystem (NICS),InterstateIdentificationIndex(III),NationalDataExchange(NdDEx),UniformCrimeReporting(UCR) Program,andtheNextGenerationIdentification(NGI).Thesesystemsprovidestate,local,andfederallaw enforcementandcriminaljusticeagencieswithtimelyandsecureaccesstocritical,personalinformationsuchas fingerprintrecords,criminalhistories,andsexoffenderregistrations. CJISsystemsareaccessedbyCriminalJusticeAgencies(CJA)andNoncriminalJusticeAgencies(NCJA).PertheCJIS Policy,aCJAisacourtorgovernmentalagencythatallocatesbudgettotheadministrationofcriminaljusticeand performstheadministrationofcriminaljusticepursuanttoastatuteorexecutiveorder.examplesofcjas: * * * Policeagencies Correctionalinstitutions PublicdefenderDivisions Inmanycases,theseCJA sarelookingtoleveragethecostsavingsandefficiencieswhichvirtualizationprovides, whileprovidingandmanagingrealdtimeaccesstocriminaljusticeinformation.anexampleofthiswouldbethe patrolofficerneedingtoperformacriminalinformationlookuporopenwarrantsearchfromhispatrolvehicle, leveragingavirtualdesktopenvironmenttokeepallcjicontainedwithinthedatacenter/cloudenvironment. AnNCJAisdefinedasanentitythatprovidesservicesoraccesstocriminaljusticeinformation,suchascivil fingerprintdbasedbackgroundchecks,forpurposesotherthantheadministrationofcriminaljustice.ncja scanbe eitherpublicorprivateentities,andmainlyusecjiforhiring,licensing,andscreeningpurposes.thefollowing organizationsareexamplesoftypicalncjas: * PrivateBackgroundCheckServiceProviders * Licensingdivisions * Schools * Healthcareadministrations JustaswithCJA s,ncja salsohaverequirementsforefficienciesandeffectiveresourcemanagement,whichcan begreatlyenabledbythevmwarevirtualizedinfrastructuremodel,whilemaintainingcompliancewiththecjis programinordertoaccesscjiorchri.anexampleofthiswouldbeaserviceproviderthatwishestoprovide criminalbackgroundcheckservicestootherorganizationsusingawebportal,andwishestovirtualizetheir backenddatacenterinfrastructure. WiththehighvolumeoftransactionsprocesseddailybytheCJISdatabases,itisessentialthatallaccessis authorizedforcriticalandsensitiveinformationatcjis.forthisreason,thereisaneedforapolicytogovern accesstothecjisdatabase. TheCJISPolicywasenactedtofillthisvoid.Thepremiseistoprovideappropriatecontrolstoprotectthefull lifecycleofcriminaljusticeinformation(cji),whetheratrestorintransitbydefiningtheminimumrequirements forthecreation,viewing,modification,transmission,dissemination,storage,anddestructionofcjidata.cjirefers 1 (2013(CJIS(Annual(Report( VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 6 ( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective*

7 toalldataprovidedforlawenforcementandcivilagenciestoperformtheirmissions,includingbiometric,identity history,biographic,property,andcase/incidentdata.theintentisprotectingcjiuntilitisreleasedtothepublicvia authorizeddisseminationoritispurgedordestroyedinaccordancewithapplicablerecordretentionrules. VMwareispreparedtohelpagenciescomplywiththemandatedrequirementsthroughtheuseofVMware ProductsandSuites.Also,VMware'stechnologypartners'solutionswithintheVMwareComplianceSolution Frameworkmaybeusedtoprovideadditionalcapabilitiesandmoreeffectivelymanagetheprocessofachieving& maintainingcjiscompliancewiththegreatestsecurity,agilityandcostsavings ForthesereasonsVMwarehasenlisteditsAuditPartnerstoengageinaprogrammaticapproachtoevaluate VMwareproductsandsolutionsforCJIScontrolcapabilitiesandthentodocumentthesecapabilitiesintoasetof referencearchitecturedocuments.thefirstofthesedocumentsinthecjisreferencearchitecturesolutionsetis thisdocument,thevmwarecjisproductapplicabilityguide,whichcontainsamappingofthevmwareproducts andfeaturesthatshouldbeconsideredforachievingcjiscompliance.subsequentdocumentsinthisserieswill includethevmwarecjisarchitecturedesignguide,andthevmwarecjislabvalidatedreferencearchitecture. FormoreinformationonthesedocumentsandthegeneralapproachtocomplianceissuespleasereviewVMware's( Approach(to(Compliance. ThisdocumentpresentsdifferentVMwareapplicationsavailabletoorganizationsthatuse(orareconsidering using)virtualizationandcloudtosupportacjiscompliantenvironment.tothatend,coalfirehighlightedthe specificcjisrequirementsthattheseapplicationsaddress,orwhichshouldbeconsideredinanevaluationofthe initialsourcingoftechnologiestobuildacjiscompliantenvironment. Thefollowingtablerepresents atdadglance thehighdlevelapplicabilitymappingforthevmwareproducts includedinthisanalysis,indexedtothe12cjistopdlevelcontrolgroups,andpresentedingreaterdetailbelow. Table(1:(HighJlevel(CJIS(Policy(Area(Mapping( * VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 7 ( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective*

8 ThecontrolsselectedforthispaperarefromCJISversion5.2.Ithasbeenreviewedandauthoredbyourstaffof CJISauditorsinconjunctionwithVMware. ' ' VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 8 ( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective*

9 Introduction( The*CJIS*Security*Policy*integrates*presidential*directives,*federal*laws,*FBI*directives*and*the*criminal*justice* community s*apb*decisions*along*with*nationally*recognized*guidance*from*the*national*institute*of*standards*and* Technology.**The*Policy*is*presented*at*both*strategic*and*tactical*levels,*is*periodically*updated*to*reflect*the*security* requirements*of*evolving*business*models,*and*features*modular*sections*enabling*more*frequent*updates*to*address* emerging*threats*and*new*security*measures.**the*security*criteria*provided*by*the*policy*assists*agencies*with* designing*and*implementing*systems*to*meet*a*uniform*base*level*of*risk*and*security*protection*while*enabling* agencies*the*latitude*to*institute*more*stringent*security*requirements*and*controls*based*on*their*business*model* and*local*needs.** The*CJIS*Policy*applies*to*every*individual contractor,*private*entity,*noncriminal*justice*agency*representative,*or* member*of*a*criminal*justice*entity with*access*to,*or*who*operates*in*support*of,*criminal*justice*services*and* information.*the*cjis*security*policy*from*version*5.0*forward*is*publically*available*and*can*be*posted*and*shared* without*restrictions.**cjis*5.2*is*the*current*version*and*is*maintained*by*the*fbi*cjis*division*information*security* Officer*(FBI*CJIS*ISO).*** * Compliance*with*the*CJIS*Policy*mandate*was*implemented*in*a*phased*approach.**Unique*and*strong*passwords* were*step*one*with*a*deadline*to*comply*by*september*2010.*the*next*step*was*the*requirement*to*implement* Advanced*Authentication*(AA)*(i.e.*twoYfactor*or*multiYfactor*authentication).*AA*requires*an*additional*authenticator* beyond*the*login*id*and*password.**additional*authenticators*can*be*found*with*biometric*systems,*userybased*public* key*infrastructure*(pki),*smart*cards,*and*software*tokens.*many*local*law*enforcement*agencies*were*not*able*to* meet*the*original*implementation*deadline*of*february*2013,*which*resulted*in*an*extension*to*september*2013.**the* extension*still*did*not*provide*ample*time*for*most*agencies*to*comply*so*the*deadline*was*extended*again*to* September*2014.**There*is*not*likely*to*be*another*extension*and*the*penalties*for*not*complying*include*revocation*of* access,*fines*or*both.*compliance*is*determined*through*audits*once*every*three*years*by*the*cjis*audit*unit*(cau).* The*CJIS*Policy*has*a*shared*management*philosophy*with*federal,*state,*local,*and*tribal*law*enforcement.*The* following*figure*provides*a*visual*categorization*of*functions*and*roles:** Figure(1:(CJIS(Program(Structure( Per*the*Roles*and*Responsibilities*outlined*in*3.2*of*the*CJIS*Policy,*the*CJIS*System*Agencies*(CSA)*are* responsible*for*establishing*and*administering*an*information*technology*security*program*throughout*the*csa s* user*community.*for*example,*in*texas*the*department*of*public*safety*serves*as*the*csa*for*the*state*of*texas.* ' VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 9 ( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective*

10 The*head*of*the*CSA*will*execute*a*signed*written*user*agreement*with*the*FBI*CJIS*Division*stating*its*willingness*to* demonstrate*conformity*with*this*policy*before*accessing*and*participating*in*cjis*records*information*programs.* Each*agency*shall*allow*the*FBI*to*periodically*test*the*ability*to*penetrate*the*FBI s*network*through*the*external* network*connection*or*system.** TheCSAisresponsibleforappointingaCJISSystemsOfficer(CSO)whoisresponsiblefortheadministrationofthe CJISnetworkfortheagency.TheCSOapprovesaccesstoFBICJISsystemsandensurestheCJISDivisionoperating proceduresarefollowedbyallusersoftherespectiveservicesandinformation.althoughtheroleofcsocannot beoutsourcedaccordingtothecjispolicy,theresponsibilitiescanbedelegatedtosubordinateagencies.eachcsa isrequiredtoauditlocalagencieseverythreeyearstoensurecompliancebycjasandncjas. Complianceandsecurityaretopconcernsforlawenforcementandintelligenceagenciesworkingtomeetthe requirementsoutlinedinthecjispolicy.vmwarehelpsagenciesaddressthesechallengesbyprovidingbundled solutions(suites)thataredesignedforspecificusecases.theseusecasesaddressquestionslike HowcanIbe CJIScompliantinaVMwaresupportedenvironment? byprovidinghelpfulinformationforvmwarearchitects,the compliancecommunity,andthirdparties.whileeverycompliancesolutionisunique,vmwarecanprovidea solutionthataddressesapproximately56%ofcjistechnicalcontrolsrequiredforcompliance.figure2below showstheproportionoftechnicalrequirementsaddressedbyvmwareinrelationtothetotalnumberof requirementsthatarenondtechnicalororganizationalresponsibility. Figure(2:(CJIS(Requirements(and(VMware( CJISRequirements OrganizationResponsibilityd NonTechnical VMWareTechnicalProducts ( ( * ' VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 10( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective*

11 Figure'3:'VMware'+'Partner'Product'Capabilities'for'a'Trusted'Cloud' Due*to*the*common*capabilities*of*the*VMware*products*and*features*across*all*of*the*CJI*Use*Cases,*understanding* the*relationship*of*these*products*and*features*to*the*twelve*cjis*control*areas*is*fundamental*and*most*broadly* accommodated*in*this*document*with*more*use*case*specific*guidance,*which*will*be*represented*in*the*forthcoming* Architecture*Design*Guide.*RegardlessoftheUseCaseoroperatingenvironmentmodel,theCJIScontrolareas representabroaddbased,balanced,informationsecurityprogramthataddressesthemanagement,operational, andtechnicalaspectsofprotectingfederalinformationandinformationsystems.themanagement,operational, andtechnicalcontrols(i.e.,safeguardsorcountermeasures)areprescribedforaninformationsysteminorderto protecttheconfidentiality,integrity,andavailabilityofthesystemanditsinformation.theoperationalsecurity controlsareimplementedandexecutedprimarilybypeople(asopposedtosystems).themanagementcontrols focusonthemanagementofriskandthemanagementofinformationsystemsecurity.thetechnicalsecurity controlsareimplementedandexecutedprimarilybytheinformationsystemthroughmechanismscontainedinthe hardware,software,orfirmwarecomponentsofthesystem. Acomprehensiveassessmentofthemanagement,operationalandtechnicalcontrolsthathavebeenselectedfor the informationsystem isrequiredaspartoftheauthorizationprocess.thisassessmentmustdeterminethe extenttowhichallselectedcontrolsareimplementedcorrectly,operatingasintended,andproducingdesired outcomeswithrespecttomeetingthesecurityrequirementsforthesystem.anunderstandingofcjiscontrolsas implementedwithvmwarelendsitselftonotonlyharmonizingtheongoingcomplianceoftheprivatecloud environmentbutalsothesharedresponsibilityforcomplianceinthepubliccloudenvironment.thiscommonset ofwelldunderstoodpoliciesandproceduresimplementedinacommonvmwaresoftwaredefineddatacenter architecturesacrossprivateandpubliccloudenablesnotonlythehybridcloudtobecomerealitybutopensup tremendousopportunitiesfortightercontrolandagility. * ' * VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 11( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective*

12 Overview(of(the(CJIS(Security(Policy(as(it(Applies(to(Cloud/Virtual( Environments( Complianceandsecurityaretopconcernsforlawenforcementandintelligenceagenciesworkingtomeetthe requirementsoutlinedinthecjispolicy.failingtocomplywiththerequirementsofthepolicycouldresultinloss ofaccessthatiscriticaltoperformdailydutiesineffectiveandefficientmanner.itcouldalsoimpactthesafetyof thepublictheyaretryingtoprotect.failingtocomplycouldmeanheavyfinesthatcouldputastrainonalready limitedbudgets.vmwarehasmappedproductsuitestocjisrequirementswhichreducesthetimeandresources requiredtoevaluatedifferentsolutions. VariousstateshavecontactedtheFBICJISISOtorequestguidanceoncomplianceinvirtualenvironments.TheCJIS Divisionunderstandthebenefitsofvirtualizationbutalsorequiresafoundationofsecurityprotectionmeasures.In AppendixGoftheCJISPolicy,thebenefitsandvulnerabilitiesareidentifiedandsoarethemitigatingfactors: (Figure(4:(Virtualization(Risk(Mitigation( BENEFITS( VULNERABILITIES( MITIGATIONS( * Makebetteruseofunderd utilizedserversby consolidatingtofewer machinessavingon hardware,environmental costs,management,and administrationoftheserver infrastructure. * Legacyapplicationsunableto runonnewerhardware and/oroperatingsystemscan beloadedintoavirtual environment replicatingthe legacyenvironment. * Providesforisolatedportions ofaserverwheretrustedand untrustedapplicationscanbe ransimultaneously enabling hotstandbysforfailover. * Enablesexistingoperating systemstorunonshared memorymultiprocessors. * Systemmigration,backup, andrecoveryareeasierand moremanageable. * HostDependent. * Ifthehostmachinehasaproblem thenallvmscouldpotentially terminate. * Compromiseofthehostmakesit possibletotakedowntheclient servershostedontheprimary hostmachine. * Ifthevirtualnetworkis compromisedthentheclientis alsocompromised. * Clientshareandhostsharecanbe exploitedonbothinstances. Potentiallythiscanleadtofiles beingcopiedtothesharethatfill upthedrive. * * Environmentandaccesstothe physicalenvironment. * Configurationandpatch managementofthevirtual machineandhost,i.e.keep operatingsystemsand applicationpatchesuptodate onbothvirtualmachinesand hosts. * Installtheminimum applicationsneededonhost machines. * Practiceisolationfromhost andvirtualmachine. * Installandkeepupdated antivirusonvirtualmachines andthehost. * Segregationofadministrative dutiesforhostandversions. * Auditloggingaswellas exportingandstoringthelogs outsidethevirtual environment. * Encryptingnetworktraffic betweenthevirtualmachine andhostidsandips VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 12( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective*

13 monitoring. * Firewalleachvirtualmachine fromeachotherandensure thatonlyallowedprotocols willtransact. * * Not*every*consumer*of*FBI*CJI*services*will*encounter*all*of*the*policy*areas*therefore*the*circumstances*of* applicability*are*based*on*individual*agency/entity*configuration*and*usage.*there*are*116*requirements*mandated*in* the*policy*of*which*72*will*be*the*responsibility*of*the*individual*agency/entity.**the*remaining*44*can*be*met*through* a*combination*of*vmware*and*the*individual*agency/entity s*controls.*** CJIScompliancewassetinamandatereleasedbytheFBIonJanuary1,2011.Thecurrentversion5.2wasreleased onaugust9,2013.ithasbeenapprovedbythecjisadvisorypolicyboard.itcanbefoundat: * * VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 13( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective*

14 Cloud(Computing(and(Virtual(Environments( Cloudcomputingandvirtualizationhavecontinuedtogrowsignificantlyeveryyear.Thereisarushtomove applicationsandevenwholedatacenterstothe cloud,althoughfewpeoplecansuccinctlydefinetheterm cloud computing. Thereareavarietyofdifferentframeworksavailabletodefinethecloud,andtheirdefinitionsare importantastheyserveasthebasisformakingbusiness,security,andauditdeterminations.vmwaredefines cloudorutilitycomputingasthefollowing( cloud/faqs.html): Cloud'computing'is'an'approach'to'computing'that'leverages'the'efficient'pooling'of'on6demand,' self6managed'virtual'infrastructure,'consumed'as'a'service.'sometimes'known'as'utility' computing,'clouds'provide'a'set'of'typically'virtualized'computers'which'can'provide'users'with'the' ability'to'start'and'stop'servers'or'use'compute'cycles'only'when'needed,'often'paying'only'upon' usage.. ' Figure(5:(Cloud(Computing( Therearecommonlyaccepteddefinitionsforthecloudcomputingdeploymentmodelsandthereareseveral generallyacceptedservicemodels.thesedefinitionsarelistedbelow: ( * Private(Cloud Thecloudinfrastructureisoperatedsolelyforanorganizationandmaybemanagedbythe organizationorathirdparty.thecloudinfrastructuremaybeonpremiseoroffdpremise. VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 14( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective*

15 VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 15( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective* * Public(Cloud Thecloudinfrastructureismadeavailabletothegeneralpublicortoalargeindustrygroupand isownedbyanorganizationthatsellscloudservices. * Hybrid(Cloud Thecloudinfrastructureisacompositionoftwoormoreclouds(privateandpublic)that remainuniqueentities,butareboundtogetherbystandardizedtechnology.thisenablesdataandapplication portability;forexample,cloudburstingforloadbalancingbetweenclouds.withahybridcloud,an organizationcangetthebestofbothworlds,gainingtheabilitytoburstintothepubliccloudwhenneeded whilemaintainingcriticalassetsonpremise. * Community(Cloud Thecloudinfrastructureissharedbyseveralorganizationsandsupportsaspecific communitythathassharedconcerns(forexample,mission,securityrequirements,policy,andcompliance considerations).itmaybemanagedbytheorganizationsorathirdparty,andmayexistonpremiseoroff premise. Whenanorganizationisconsideringthepotentialimpactofcloudcomputingtoitshighlyregulatedandcritical applications,itmaywanttostartbyasking: * Isthearchitectureatruecloudenvironment(doesitmeetthedefinitionofcloud)? * WhatservicemodelisusedfortheCJISdataenvironment(SaaS,PaaS,IaaS)? * Whatdeploymentmodelwillbeadopted? * Isthecloudplatformatrustedplatform? The*last*point*is*critical*when*considering*moving*highly*regulated*applications*to*a*cloud*platform.*CJIS*does*not* endorse*or*prohibit*any*specific*service*and*deployment*model,*and*the*appropriate*choice*of*service*and* deployment*models*will*be*driven*by*customer*requirementsa*among*which*the*concept*of*leveraging*a*trusted* platform*for*the*cloudybased*solution*is*a*consideration*which*ideally,*will*be*taken*into*account.* * VMware*is*the*market*leader*in*virtualization,*the*key*enabling*technology*for*cloud*computing.**VMware s*vcloud* Suite*is*the*trusted*cloud*platform*that*customers*use*to*realize*the*many*benefits*of*cloud*computing*including*safely* deploying*business*critical*applications.** Togetstarted,VMwarerecommendsthatallnewcustomersundertakeacomplianceassessmentoftheircurrent environment.vmwareoffersfreecompliancecheckersthatarebasedonvmware svrealizeconfiguration Managersolutions.Customerscansimplypointthecheckeratatargetenvironmentandexecuteacompliance assessmentrequest.theresultantcompliancereportprovidesadetailed rulebyrule indicationofpassorfailure againstagivenstandard.where*compliance*problems*are*identified,*customers*are*directed*to*a*detailed*knowledge* base*for*an*explanation*of*the*problem*posed*by*a*particular*rule*and*information*about*potential*remediation.*to downloadthefreecompliancecheckersclickonthefollowinglink: TolearnmoreaboutVMware sapproachtocloudcomputing,reviewthefollowing: * VMware(Cloud(Computing(Overview( * (VMware s(vcloud(architecture(toolkit(( * IfyouareanorganizationorpartnerthatisinterestedinmoreinformationontheVMwareComplianceProgram, please usatcompliancejsolutions@vmware.com.

16 Where(to(Start(J(Considerations(for(System(Owners,(IT(and(Assessors( Migrating*a*traditional*IT*infrastructure*to*a*virtual*or*cloud*environment*has*a*significant*impact*on*an*organization* that*extends*beyond*information*technology.***security*and*compliance*continue*to*remain*top*concerns*for* management,*it*departments,*and*auditors.**all*three*functions*should*be*represented*and*engaged*to*consider* carefully*the*benefits*and*risks*of*any*it*virtualization*or*cloud*projects.*the*move*to*cloud*and*virtual*environments* has*many*technical*considerations,*but*it*should*also*be*a*business*decision.**organizations*should*review*the* benefits*and*risks*of*their*current*environment*and*compare*them*to*the*different*cloud*deployment*models*and* service*models.( Thefollowingquestionsmaybeimportantwhenconsideringthepotentialbusinessimpact,benefits,andrisksofavirtual and/orcloudenvironment. Law(Enforcement(Considerations( 1.* WhenwasthelasttimeyouhadaCJISaudit?Whoconductedit?Didyoupass?Whenisyournextaudit? 2.* Howdoyouseparateapplicationsthathold/handleCJI(CriminalJusticeInformation)fromthosethatdon't? 3.* Howdoyouhandletheprocessingofpaymentsforcitations? 4.* Whatarethemissioncriticalapplicationsyouruninthefieldanddispatchcenters?(CAD(ComputerAided Dispatch),RMS(RecordsManagementService),AVL(AutomaticVehicleLocator),VideoRecordingDevice,LPR (LicensePlateReader) 5.* HowdoyouensureyoumaintaincontinuouscompliancewiththeCJISrequirements? 6.* Howmanyserversinyourdatacenter?VM's?Howaretheyconnected? 7.* AreyouusingAdvancedAuthenticationtoday?Ifso,whatareyouusing? 8.* WhatCADsoftwaredoyouuse?Howoftendoyouupdateit?Whatversionareyouusingnow? 9.* WhatRMSsoftwaredoyouuse?Howoftendoyouupdateit?Whatversionareyouusingnow? 10.* DoyoumaintainaconnectiontoaStateAuthorityortoaRegionalAuthorityforNCICdata? 11.* Whatdoyouknowaboutasoftwaredefinedenterprise? 12.* Howmanypatrolvehiclesinyourfleet? 13.* DoeseveryvehiclehaveaMDT/MCT(MobileDataTerminal/MobileComputerTerminal)? 14.* Whattypeofdevicesandoperatingsystemdoyouuseinyourpatrolcar? 15.* Howdoyoumanagetheendpointdevicesinthepatrolvehicles? 16.* Howdoyoumaintainnetworkcommunicationswhenvehiclesareinthefleet? 17.* Aretheredisconnects?Ifso,whathappensduringthedisconnect? 18.* Dotheyneedtostayconnectedthroughouttheday? 19.* Areyouusingcellularforconnectivity?(Somebigcitiesarestillusingradiowithlessthan19.2kbps connections) 20.* AreyouusinganAPNserviceorDataLinkfromyourcarrier? 21.* DoyouuseaVPNtoday?Ifso,whatkind? 22.* Haveyouconsolidated911services?Ifso,how? 23.* Haveyouconsolidateddispatchservices?Ifso,how? 24.* Howmanydispatchers/dispatchlocations? 25.* Howmanyadministrativestaff? 26.* HowmanyITstaff? 27.* Howdoyoumaintainconnectivitytodispatchcentersduringadisaster? 28.* Whatdisasterplanninghaveyoucompletedtoprotectthedispatchcenters? 29.* Whatdoyouseeastheshortdcomingsofyourcurrentmobileenvironment? 30.* Howdoyouthinkyourofficerswouldanswerthatquestion? IT(Considerations( 1.* HowdoestheITOperationsplanaddressthecompany sstrategicandoperationalgoals? VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 16( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective*

17 2.* Whatmanualprocessesareinplacethatcanbeautomated? 3.* WhataretheskillsandcapabilitiesoftheITDepartment? 4.* Havetherebeenanypreviousattemptstovirtualizeoroutsourcecriticaloperations? 5.* WhichITinitiativescurrentlyunderwaycouldimpacttheCJISsystemboundary? 6.* Howisencryptioncurrentlyusedtolimitrisk? 7.* Howissensitivedatacurrentlyclassified(i.e.,doyouknowwhereallyourdataresides)? 8.* AretheresecondarysystemsthatmighthaveCJIdata? 9.* HowhassecurityandcomplianceaffectedITOperations? VMwareJSpecific(Assessment(Considerations( 1.* WhatcertificationsdoesyourteamhaveinVMwareproductsorsolutions? 2.* Areyouworkingwithanauditpartnertohelpassessandmanagerisk&complianceconsiderations? 3.* HowmanyindividualsthatarepartoftheassessmentteamhaveexperiencewithVMware? 4.* HowlonghavetheybeenworkingwithVMwarearchitectures? 5.* Whatreferencesdotheyhaveforconductingsimilarassessments? * * VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 17( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective*

18 Guidance(from(CJIS(Security(Policy( VMwarehasidentifiedthecontrolsintheCJISSecurityPolicythathighlightsomeofthecriticalrequirementsand guidancethatindividualagencies/entitiesarerequiredtoaddressaspartoftheirdeployments.vmwarehasalso providedinformationregardinghowvmwaretoolsaredesignedtohelporganizationsaddressthesecontrols. TheCJISSecurityPolicyisdividedinto12policyareas.Eachpolicyareaprovidesbothstrategicreasoningand tacticalimplementationrequirementsandstandards.componentapplicabilityalignmentwithineachpolicyarea helpagenciesrelatethepolicytotheirownagencycircumstances. Policy(Area(1requiresformalagreementstobeinplacepriortotheexchangeofanyCJI.Italsorequiresthe establishmentofproceduresforhandlingandstorageofinformationsoitisprotectedfromunauthorized disclosure,alterationormisuse.thecsaheadisrequiredtosignawrittenuseragreementwiththefbicjis Divisionstatingtheirwillingnesstodemonstrateconformitywiththepolicybeforeaccessingandparticipatingin CJISrecordsinformationprograms. Policy(Area(2requiresbasicsecurityawarenesstrainingwithinsixmonthsofinitialassignment,andbiennially thereafterforallpersonnelwhohaveaccesstocji.itdetailstherequiredsecuritytrainingbasedontypeofaccess. Policy(Area(3requiresCSAstoestablishanoperationalincidenthandlingcapabilityforagencyinformationsystems thatincludesadequatepreparation,detection,analysis,containment,recovery,anduserresponseactivitiesas wellastrack,document,andreportincidentstoappropriateagencyofficialsand/orauthorities.csaiso sto ensurelasosinstitutethecsaincidentresponsereportingproceduresatthelocallevel. Policy(Area(4requiresagenciestoimplementauditandaccountabilitycontrolstoincreasetheprobabilityof authorizedusersconformingtoaprescribedpatternofbehavior. Policy(Area(5requiresanagencytocreate,modify,disable,anddeleteaccountsonatimelybasis.Agenciesare requiredtovalidateaccountsatleastannually. Policy(Area(6requiresagenciestoidentifysystemusersandprocessesactingonbehalfofusersandauthenticate theidentitiesofthoseusersorprocessesasaprerequisitetoallowingaccesstoagencyinformationsystemsor services. Policy(Area(7requiresonlyqualifiedandauthorizedindividualshaveaccesstoinformationsystemcomponentsfor purposesofinitiatingchanges,includingupgrades,andmodifications. Policy(Area(8requiresmediaprotectionpolicyandproceduresaredocumentedandimplementedtoensurethat accesstoelectronicandphysicalmediainallformsisrestrictedtoauthorizedindividuals. Policy(Area(9requiresthedocumentationandimplementationofphysicalprotectionpolicyandproceduresto ensurecjiandinformationsystemhardware,software,andmediaarephysicallyprotectedthroughaccesscontrol measures. Policy(Area(10requiresapplicationsandservicestohavethecapabilitytoensuresystemintegritythroughthe detectionandprotectionagainstunauthorizedchangestosoftwareandinformation Policy(Area(11requiresformalauditstobeconductedtoensurecompliancewithapplicablestatues,regulations, andpolicies. VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 18( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective*

19 Policy(Area(12definesrequiresforallpersonnelwhohaveaccesstounencryptedCJI.Thefollowingtable summarizesthecjisrequirementsthatcanbemetwiththevmwaresuiteofproducts. * Table(2:(CJIS(Control(Applicability(Mapping( CJIS' Policy' Requirement' Addressed'by'VMware' 5.1' Policy'Area'1:'Information'Exchange'Agreements* * 5.1.1' Information*Exchange* Yes* ' Information*Handling* Yes* ' State*and*Federal*Agency*User*Agreements* No* ' Criminal*Justice*Agency*User*Agreements* No* ' Interagency*and*Management*Control*Agreements* No* ' Private*Contractor*User*Agreements*and*CJIS*Security* No* Addendum* ' Agency*User*Agreements* No* ' Outsourcing*Standards*for*Channelers* No* ' Outsourcing*Standards*for*NonBChannelers* No* 5.1.2' Monitoring,*Review,*and*Delivery*of*Services* No* ' Managing*Changes*to*Service*Providers* Yes* 5.1.3' Secondary*Dissemination* No* 5.1.4' Secondary*Dissemination*of*NonBCHRI*CJI* No* 5.2' Policy'Area'2:'Security'Awareness'Training* * ' All*Personnel* No* ' Personnel*with*Physical*and*Logical*Access* No* ' Personnel*with*Information*Technology*Roles* No* 5.2.2' Security*Training*Records* No* 5.3' Policy'Area'3:'Incident'Response* * 5.3.1' Reporting*Information*Security*Events* Yes* ' FBI*CJIS*Division*Responsibilities** No* ' CSA*ISO*Responsibilities* No* 5.3.2' Management*of*Information*Security*Incidents* No* ' Incident*Handling* Yes* ' Collection*of*Evidence** No* 5.3.3' Incident*Response*Training* No* 5.3.4' Incident*Monitoring* Yes* 5.4' Policy'Area'4:'Auditing'and'Accountability* * 5.4.1' Auditable*Events*and*Content*(Information*Systems)** Yes* ' Events* Yes* ' Content** Yes* 5.4.2' Response*to*Audit*Processing*Failures* Yes* 5.4.3' Audit*Monitoring,*Analysis,*and*Reporting* No* 5.4.4' Time*Stamps* Yes* VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 19( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective*

20 5.4.5' Protection*of*Audit*Information* Yes* 5.4.6' Audit*Record*Retention** Yes* 5.4.7' Logging*NCIC*and*III*Transactions* No* 5.5' Policy'Area'5:'Access'Control* * 5.5.1' Account*Management* Yes* 5.5.2' Access*Enforcement* Yes* ' Least*Privilege* Yes* ' System*Access*Control* Yes* ' Access*Control*Criteria* Yes* ' Access*Control*Mechanisms* Yes* 5.5.3' Unsuccessful*Login*Attempts* Yes* 5.5.4' System*Use*Notification* Yes* 5.5.5' Session*Lock* Yes* 5.5.6' Remote*Access* Yes* ' Personally*Owned*Information*Systems* No* ' Publicly*Accessible*Computers* No* 5.5.7' Wireless*Access*Restrictions* No* ' All*802.11x*Wireless*Protocols* No* ' Legacy*802.11*Protocols* No* ' Cellular*Risk*Mitigations* No* ' Voice*Transmissions*Over*Cellular*Devices* No* ' Mobile*Device*Management*(MDM)** No* ' Bluetooth* No* 5.6' Policy'Area'6:'Identification'and'Authentication* * 5.6.1' Identification*Policy*and*Procedures* Yes* ' Use*of*Originating*Agency*Identifiers*in*Transactions*and* Yes* Information*Exchanges* 5.6.2' Authentication*Policy*and*Procedures* Yes* ' Standard*Authenticators* No* ' Password* Yes* ' Advanced*Authentication*Policy*and*Rationale* Yes* ' Advanced*Authentication*Decision*Tree* No* 5.6.3' Identifier*and*Authenticator*Management* No* ' Identifier*Management* Yes* ' Authenticator*Management* Yes* 5.6.4' Assertions* No* 5.8' Policy'Area'7:'Configuration'Management' * 5.7.1' Access*Restrictions*for*Changes* No* ' Least*Functionality* Yes* ' Network*Diagram* Yes* 5.7.2' Security*of*Configuration*Documentation* No* 5.8' Policy'Area'8:'Media'Protection* * 5.8.1' Media*Storage*and*Access* No* 5.8.2' Media*Transport* No* ' Electronic*Media*in*Transit* No* VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 20( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective*

21 ' Physical*Media*in*Transit* No* 5.8.3' Electronic*Media*Sanitization*and*Disposal* No* 5.8.4' Disposal*of*Physical*Media* No* 5.9' Policy'Area'9:'Physical'Protection* * ' Security*Perimeter* No* ' Physical*Access*Authorizations* No* ' Physical*Access*Control* No* ' Access*Control*for*Transmission*Medium* No* ' Access*Control*for*Display*Medium* No* ' Monitoring*Physical*Access* No* ' Visitor*Control* No* ' Delivery*and*Removal* No* 5.9.2' Controlled*Area* No* 5.10' Policy'Area'10:'System'and'Communications' Protection'and'Information'Integrity* * ' Information*Flow*Enforcement* Yes* ' Boundary*Protection* Yes* ' Encryption* Yes* ' Intrusion*Detection*Tools*and*Techniques* Yes* ' Voice*over*Internet*Protocol* No* ' Cloud*Computing* Yes* ' Facsimile*Transmission*of*CJI* No* ' Partitioning* Yes* ' Virtualization* Yes* ' Patch*Management* Yes* ' Malicious*Code*Protection* Yes* ' Spam*and*Spyware*Protection* No* ' Personal*Firewall* No* ' Security*Alerts*and*Advisories* Yes* ' Information*Input*Restrictions* No* 5.11' Policy'Area'11:'Formal'Audits* * ' Triennial*Compliance*Audits*by*the*FBI*CJIS*Division* No* ' Triennial*Security*Audits*by*the*FBI*CJIS*Division* No* ' Audits*by*the*CSA* No* ' Special*Security*Inquiries*and*Audits* No* 5.12' Policy'Area'12:'Personnel'Security* * ' Minimum*Screening*Requirements*for*Individuals* No* Requiring*Access*to*CJI* ' Personnel*Screening*for*Contractors*and*Vendors* No* ' Personnel*Termination* No* ' Personnel*Transfer* No* ' Personnel*Sanctions* No* VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 21( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001' respective*

22 VMWARE(PRODUCT(APPLICABILITY(GUIDE(FOR(CJIS VMware(Technologies(and(CJIS( VMware*provides*an*extensive*portfolio*of*products*designed*to*help*organizations*support*security*and*compliance*needs.* While*every*environment*has*unique*needs,*VMware*can*provide*a*comprehensive*mix*of*solutions*with*features*that*are* designed*to*assist*with*cjis*compliance.**those*solutions *functionality,*features,*and*applicability*to*specific*cjis* requirements*are*addressed*in*detail*in*the*following*sections.* SOLUTION(AREA VMwarevCloud Infrastructure VMwarevCloud Networking andsecurity VMwareNSX VMwarevRealize Operations (formerly vcenter) KEY(PRODUCTS VMwareESXi,VMwarevSphere,VMwarevShieldEndpoint,VMware vrealizeserver andvmwarevclouddirector VMwarevCloud NetworkingandSecurityApp,VMwarevCloud Networking andsecuritydatasecurity,vmwarevcloud NetworkingandSecurityEdge Gateway,VMwarevCloud NetworkingandSecurityManager VMwareNSXEdge,NSXFirewall,NSXRouter,NSXLoadBalancer,NSXService Composer VMwarevRealize OperationsManager,VMwarevRealize Configuration Manager,VMwarevRealize InfrastructureNavigator,VMwarevRealize Orchestrator,VMwarevCenter UpdateManager,VMwarevRealize AutomationCenter,VMwarevRealize LogInsight TodeterminetheproductsandfeaturesavailablewithVMwareSuitespleaserefertoVMware.com:vCloud(Suite(5.5(( vcloud(networking(and(security(suite(5.5(,vrealize(operations(management(suite(6.0,(nsx(6.0( Figure(6:(VMware(Software(Defined(Data(Center(Products(and(Suites( ( VMWARE(PRODUCT(APPLICABILITY(GUIDE(22( ( VMware,(Inc.(3401(Hillview(Avenue(Palo(Alto(CA(94304(USA(Tel(877J486J9273(Fax(650J427J5001( Copyright 2011VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecovered byoneormorepatentslistedathttp:// jurisdictions.allothermarksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.

23 VMware(CJIS(Requirements(Matrix((Overview)( VMwarehascreatedaCJISRequirementsMatrixtoassistorganizationswithanunderstandingofVMwaresolutions, VMwarePartnersolutions(wheretheyoverlap),andtheremainingcustomerresponsibilitiesthatmustbeaddressed separatelybythecustomerthroughuseofothertoolsorprocesses.whileeverycloudisunique,vmwarebelievesthat thevastmajorityofcjissecurityrequirementscanbeaddressedthroughthevmwaresuitesand/orvmwarepartner solutions. CJIS*Policy*requires*116*controls*to*be*met*in*order*to*be*considered*compliant.**These*controls*can*be*divided*into* technical*(66)*and*nontechnical*controls*(50).**vmware*is*currently*able*to*address*44*of*the*66*technical*controls*with* VMware*products*and*partner*products.**Additionally,*there*are*6*nontechnical*control*requirement*where*VMware*can* support*and*facilitate*the*required*program*areas.* TheremaininggapsinaddressingCJISSecurityrequirementsmaybefilledbythecustomerthroughothertools(i.e. approvingcustomers policies,keepinganupdatednetworkdiagram,approvingchanges,etc.) Figure(7:(CJIS(Security(Requirements(and(VMware( CJISRequirements OrganizationResponsibilityd NonTechnical ( VMWareTechnicalProducts VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 23( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001'

24 Table(3:(CJIS(Requirements( CJIS(SECURITY(POLICY(REQUIREMENT( #(OF(CJIS(ASSESSMENT(TESTS( TESTS(ADDRESSED(IN( VMWARE'S(PRODUCTS( Information(Exchange(Agreements( 12 1 Security(Awareness(and(Training( 5 0 Incident(Response( 9 4 Auditing(and(Accountability( 10 8 Access(Control( Identification(and(Authentication( 14 8 Configuration(Management( 4 2 Media(Protection( 7 0 Physical(Protection( 10 0 System(and(Communications(Protection(and( Information(Integrity( Formal(Audits( 4 0 Personnel(Security( 5 0 TOTAL( 116( 44( * * * VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 24( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001'

25 CJIS(Requirements(Matrix((By(VMware(Suite)( vcloud(infrastructure(( ForthepurposesoftheVMwareApplicabilityGuideforCJIS,vCloudInfrastructureincludesvSphere(ESXi,vCenterServer) andvclouddirector.vsphereprovidesthefoundationofthevirtualarchitectureallowingfortheoptimizationofitassets. vclouddirectorextendsthefoundationofthevspherevirtualarchitecturebyenablingorganizationstobuildsecure clouds*and*fine*tune*for*security*and*compliance*inprivate,multidtenant,mixeddmode,andhybridclouds.asvcloud leveragesthevspherearchitecture,thevspherecomponentsintegratetocreateasinglevcloudthatcanbeoptimizedfor securityandcomplianceconsiderations.whileitencompassesmanyfeaturesforstorage,businesscontinuity,and automation;forthepurposesofthiscjisreferencearchitecture,thecriticalcomponentsthatapplytocjisforvcloud Infrastructureincludethefollowingcomponents: * * * * ESXi( ESXiisatype1hypervisor(baremetal)thatisthefundamentalbuildingblockforvirtualizingphysicalcompute resourcesforcloudcomputingmodels.esxiserversareclusteredwithinthevsphereconstruct,whichoffersmany featuressuchasloadbalancingandhighavailability.theesxikernelhasasmallfootprint,noserviceconsoleandcan limitcommunicationtovcenteraccessonly. vshield(endpoint(j(withintegrationofother3rdpartyendpointsolutions(suchasantidvirus),vshieldendpoint improvestheperformancebyoffloadingkeyantivirusandantidmalwarefunctionstoasecuredvirtualmachineand eliminatingtheantivirusagentfootprintandoverheadinvirtualmachines.( vrealize(server vcenterserverisaserver(virtualorphysical)thatprovidesunifiedmanagementfortheentire virtualinfrastructureandunlocksmanykeyvspherecapabilities.vcenterservercanmanagethousandsofvirtual machinesacrossmultiplelocationsandstreamlinesadministrationwithfeaturessuchasrapidprovisioningand automatedpolicyenforcement. vcloud(director((vcd)dvcdpoolsdatacenterresourcesincludingcompute,storageandnetwork,alongwiththeir relevantpoliciesintovirtualdatacenters.fullyencapsulated,multidtiervirtualmachineservicesaredeliveredas vapps,usingtheopenvirtualizationformat(ovf).endusersandtheirassociatedpoliciesarecapturedin organizations.withprogrammaticandpolicydbasedpoolingofinfrastructure,usersandservices,vmwarevcloud Directorenforcespolicies,whichenableCJISdatatobesecurelyprotected,andnewvirtualmachinesand applicationstobesecurelyprovisionedandmaintained. ThefollowingproductmatrixexplainswhichCJIScontrolsareapplicabletovCloudInfrastructure.Italsoexplainshow vcloudsuiteenablesuserstomeetcjisrequirements.thecontrolshighlightedinboldarethosethathavebeenselected forthecjisbaseline. Table(4:(Applicability(of(CJIS(Controls(to(vCloud(Infrastructure( POLICY(AREA( CONTROLS( ADDRESSED( CJIS(CONTROLS(APPLICABILITY(MATRIX( VCLOUD(INFRASTRUCTURE(DESCRIPTION( Information(Exchange( vrealizessosupportsintegrationwithroledbasedaccesscontrol systems,whichsupportstheagencyneedtodefineroles& responsibilitiesforinclusionininformationexchangeagreements, whicharerequiredforaccesstocjidata. Security(Awareness N/A N/A VMWARE(PRODUCT(APPLICABILITY ( GUIDE( 25( VMware,Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877I486I9273'Fax'650I427I5001'