VMware SDDC Product Applicability Guide for FedRAMP, v1.0, February 2014




VMWARE PRODUCT APPLICABILITY GUIDE FOR FEDRAMP
VMware SDDC Product Applicability Guide for FedRAMP, v1.0
February 2014
TECHNICAL GUIDE

This is the first document in the Compliance Reference Architecture for FedRAMP. You can find more information on the Framework and download the additional documents from the VMware FedRAMP Compliance Resources on VMware Solution Exchange.

Table of Contents

Executive Summary ... 3
Introduction ... 4
Official FedRAMP Guidance as it Applies to Cloud Environments ... 6
Cloud Computing ... 10
Where to Start: Considerations for System Owners, IT and Assessors ... 12
VMware Products and FedRAMP ... 14
VMware FedRAMP Requirements Matrix (Overview) ... 16
FedRAMP Requirements Matrix (by VMware Suite) ... 18
    vCloud Suite 5.5 ... 18
    vCloud Networking and Security Suite 5.5 ... 20
    vCenter Operations Management Suite 5.8 ... 22
    VMware NSX Suite 6.0 ... 25

DESIGN GUIDE / 2

Executive Summary

The Federal Risk and Authorization Management Program (FedRAMP) was created to provide a streamlined and standardized process, along with a "do once, use many times" approach, to the authorization of commercial cloud services. This program enables US Government agencies to take full advantage of the benefits of migrating their IT assets and infrastructure to the cloud, as they work to meet the goals of the Federal Cloud Computing Strategy published by the White House in February 2011. FedRAMP, which is governed by a Joint Authorization Board (JAB) that consists of representatives from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DoD), is also endorsed by the U.S. Government's CIO Council, including the Information Security and Identity Management Committee (ISIMC).

The FedRAMP program provides an avenue for Cloud Service Providers (CSPs) to obtain a provisional Authorization To Operate (P-ATO) after undergoing an independent third-party security assessment that has been reviewed by the JAB. By assessing security controls on candidate platforms, and granting P-ATOs to platforms that present acceptable risk, FedRAMP significantly reduces the time and cost to agencies by removing the need to assess and authorize the underlying cloud vendor services on a system-by-system basis. This minimizes the work each consumer of FedRAMP cloud resources must undergo to receive an actual ATO for the workloads running applications that process sensitive data and transactions.

VMware, the leader in cloud computing software for enterprises and cloud hosting service providers alike, recognizes the tremendous opportunity that FedRAMP provides customers wishing to leverage VMware vCloud-powered FedRAMP environments for hosting their enterprise applications. For an entity wishing to host applications with a FedRAMP-accredited VMware vCloud hosting provider, or for the vCloud hosting provider itself, it is beneficial to understand which features of the VMware stack may apply in gaining and maintaining FedRAMP compliance. In addition to VMware products and suites, VMware Technology Partners' solutions may also be used to meet the goal of ongoing FedRAMP accreditation with the greatest security, agility and cost savings.

For these reasons VMware has enlisted its Audit Partners, such as Coalfire, a FedRAMP-approved Third Party Assessment Organization (3PAO), to take a programmatic approach to evaluating VMware products and solutions for FedRAMP control capabilities and then to document these capabilities in a set of reference architecture documents. The first of these documents in the FedRAMP Reference Architecture set is this document, the Product Applicability Guide, which contains a mapping of the VMware products and features that should be considered for implementing FedRAMP controls. The next two documents in the FedRAMP Reference Architecture set, the Architecture Design Guide and the Validated Reference Architecture, will provide guidance on the key considerations for designing a vCloud environment for FedRAMP, as well as a lab validation exercise analyzing an instance of this reference architecture that utilizes the concepts and approaches outlined therein.

In addition, VMware and Coalfire are engaged with VMware Technology Partners to analyze their products and solutions (available on VMware Solution Exchange) with the goal of providing continuing examples to the industry. In an ongoing effort, VMware and Coalfire will utilize this information to create new "joint" reference architectures based on the VMware Reference Architecture for FedRAMP, where partner products and solutions are combined and lab validated to further ease adoption for CIOs, IT managers, architects, IT auditors and security practitioners involved with a VMware vCloud Suite 5.5 based cloud computing architecture. See Figure 3 in this document for the compliance solution categories.

This study investigated different VMware applications available to organizations that use (or are considering using) virtualization and cloud to support a FedRAMP compliant environment. To that end, Coalfire highlighted the specific FedRAMP requirements these applications (partially) address or that should be considered in an evaluation of the initial sourcing of technologies to build a FedRAMP compliant environment. The controls selected for this paper are from NIST SP 800-53 Rev 3 and the FedRAMP Security Controls Baseline v1.1. This paper has been reviewed and authored by our staff of FedRAMP auditors in conjunction with VMware.

If you have any comments regarding this white paper, we welcome any feedback at vmware@coalfire.com or compliance-solutions@vmware.com.

Introduction

Compliance and security continue to be top concerns for organizations that plan to move any or all of their enterprise computing environment to the cloud. VMware helps organizations address these challenges by providing bundled solutions (suites) that are designed for specific use cases. These use cases address questions like "How can I be FedRAMP compliant in a VMware supported vCloud hosting environment?" by providing helpful information for VMware architects, the compliance community, and third parties.

The FedRAMP compliant Public Cloud Use Case (see the section on Cloud Computing in this document for the Cloud Use Cases) is focused on the vCloud service provider intending to operate a FedRAMP compliant public cloud. Due to the nature of the public cloud use case, this document is primarily concerned with guiding readers in the assembly of VMware components within the provider layer. This layer is comprised of four VMware product suites: vCloud, vCloud Networking and Security (vCNS), vCenter Operations (vCOps) and NSX. These product suites are described in detail in this paper and in the aforementioned subsequent companion documents. The use case also provides readers with a mapping of the specific FedRAMP controls to VMware's product suites, partner solutions, and organizations involved in FedRAMP compliant cloud services. While every cloud is unique, VMware and its partners can provide a solution that addresses over 19% of FedRAMP Moderate requirements, with 70% (TBD) coverage among technical and operational controls.
FedRAMP is based on the NIST SP 800-53 Rev 3 set of controls (note that Rev 4 of these controls is currently available, but without corresponding FedRAMP guidance). While this document is intended to provide guidance solely within the Public Cloud Use Case, it can also be beneficial to those who seek guidance on building a FISMA Moderate (NIST SP 800-53 Rev 3) Private Cloud environment. Another version of the Reference Architecture written specifically for the FISMA Moderate Private Cloud Use Case is expected to be released later in 2014.

Due to the commonalities of the VMware products and features across all of the Cloud Use Cases, understanding their relationship to the seventeen FedRAMP control areas is fundamental and is most broadly covered in this document, with more Use Case specific guidance represented in the Architecture Design Guide. Regardless of the Use Case or operating environment model, the FedRAMP control areas represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting federal information and information systems. The management, operational, and technical controls (i.e., safeguards or countermeasures) are prescribed for an information system in order to protect the confidentiality, integrity, and availability of the system and its information. The operational security controls are implemented and executed primarily by people (as opposed to systems). The management controls focus on the management of risk and the management of information system security. The technical security controls are implemented and executed primarily by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
A comprehensive assessment of the management, operational and technical controls that have been selected for the information system is required as part of the authorization process. This assessment must determine the extent to which all selected controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to meeting the security requirements for the system. An understanding of both FISMA Moderate and FedRAMP controls, as implemented with VMware and its Technology Partners' solutions, lends itself to harmonizing the ongoing compliance of the private cloud environment and also the shared responsibility for compliance in the public cloud environment. This common set of well-understood policies and procedures, implemented in a common VMware software-defined data center architecture across private and public cloud, not only enables the hybrid cloud to become reality but also opens up tremendous opportunities for tighter control and agility with regard to the principles put forth in the Continuous Diagnostics and Mitigation program outlined by the Department of Homeland Security and covered in a later section of this document.

Figure 1: FedRAMP Requirements and VMware

Figure 2: FedRAMP Requirements and Applicable Control Families (Access Control; Audit and Accountability; Configuration Management; System and Communication Protection; Operational and Technical FedRAMP controls)

Figure 3: VMware + Partner Product Capabilities for a Trusted Cloud

Official FedRAMP Guidance as it Applies to Cloud Environments

The Federal Risk and Authorization Management Program (FedRAMP) is the result of close collaboration with cybersecurity and cloud experts from GSA, NIST, DHS, DoD, NSA, OMB, the Federal CIO Council and its working groups, as well as private industry. The goal is to provide a streamlined process for the security assessment and authorization of commercial cloud services. This process allows a single provisional authorization (P-ATO) of a cloud service offering to be leveraged by any federal agency without requiring it to re-assess the hosting infrastructure on a per-system basis.

CSPs must implement the FedRAMP security requirements in their environment and hire a FedRAMP-approved Third Party Assessment Organization (3PAO) to perform an independent assessment that audits the cloud system and produces a security assessment package for review. In order to maintain a provisional authorization, the cloud service provider must implement a continuous monitoring program. This is critical to ensuring that the security controls outlined in the NIST SP 800-53 Rev 3 baseline and the additional FedRAMP parameters are effectively implemented.

The FedRAMP security controls baseline is based on the NIST SP 800-53 Rev 3 controls, which provide detailed Management, Operational and Technical control guidance for meeting the security requirements established by the Federal Information Security Management Act (FISMA). In addition to the FISMA compliance requirements outlined in the NIST controls baseline, FedRAMP requirements have been written for key controls and control enhancements.

Table 1: FedRAMP Controls Baseline

Identifier | NIST 800-53 rev3 Control Family                          | Class       | FedRAMP Moderate Baseline*
AC         | Access Control                                           | Technical   | 17 (24)
AT         | Awareness and Training                                   | Operational | 4
AU         | Audit and Accountability                                 | Technical   | 12 (9)
CA         | Certification, Accreditation, and Security Assessment    | Management  | 6 (2)
CM         | Configuration Management                                 | Operational | 9 (12)
CP         | Contingency Planning                                     | Operational | 9 (15)
IA         | Identification and Authentication                        | Technical   | 8 (10)
IR         | Incident Response                                        | Operational | 8 (4)
MA         | Maintenance                                              | Operational | 6 (6)
MP         | Media Protection                                         | Operational | 6 (5)
PE         | Physical and Environmental Protection                    | Operational | 18 (5)
PL         | Planning                                                 | Management  | 5
PS         | Personnel Security                                       | Operational | 8
RA         | Risk Assessment                                          | Management  | 4 (5)
SA         | System and Services Acquisition                          | Management  | 12 (7)
SC         | System and Communications Protection                     | Technical   | 24 (16)
SI         | System and Information Integrity                         | Operational | 12 (9)

* The number in parentheses in the last column is the number of control enhancements required by the FedRAMP Moderate Baseline.

For Cloud Service Providers, deploying and maintaining an infrastructure that meets the requirements established in the NIST and FedRAMP baseline requires centralized management and control of all components, including virtual applications, platforms, and network devices.

The Federal Risk and Authorization Management Program (FedRAMP) began providing formalized guidance for cloud and virtual environments in June 2012. These guidelines were based on industry feedback, rapid adoption of virtualization technology, and the move to cloud.

Figure 4: Official guidance on security in FedRAMP Cloud environments

NIST 800-53

The objective of NIST Special Publication 800-53 is to provide a set of security controls that can satisfy the breadth and depth of security requirements levied on information systems and organizations and that is consistent with and complementary to other established information security standards.

The catalog of security controls provided in Special Publication 800-53 can be effectively used to demonstrate compliance with a variety of governmental, organizational, or institutional security requirements. It is the responsibility of organizations to select the appropriate security controls, to implement the controls correctly, and to demonstrate the effectiveness of the controls in satisfying their stated security requirements. The security controls in the catalog facilitate the development of assessment methods and procedures that can be used to demonstrate control effectiveness in a consistent and repeatable manner, thus contributing to the organization's confidence that there is ongoing compliance with its stated security requirements.

NIST 800-53 presents the fundamental concepts associated with security control selection and specification, including: (i) the structure of security controls and the organization of the controls in the control catalog; (ii) security control baselines; (iii) the identification and use of common security controls; (iv) security controls in external environments; (v) security control assurance; and (vi) future revisions to the security controls, the control catalog, and baseline controls.

Security controls described in this publication have a well-defined organization and structure. For ease of use in the security control selection and specification process, controls are organized into eighteen families. Each security control family contains security controls related to the security functionality of the family. In addition, there are three general classes of security controls: management, operational, and technical.
FedRAMP

Cloud computing technology allows the Federal Government to address demand from citizens for better, faster services and to save resources, consolidate services, and improve security. The essential characteristics of cloud computing (on-demand provisioning, resource pooling, elasticity, network access, and measured services) provide the capabilities for agencies to dramatically reduce procurement and operating costs and greatly increase the efficiency and effectiveness of services.

Agencies have realized the benefits of this technology and are integrating it into their information technology environment. On December 9, 2010, the Office of Management and Budget (OMB) released the 25 Point Implementation Plan to Reform Federal Information Technology Management, establishing the Cloud First policy and requiring agencies to use cloud-based solutions whenever a secure, reliable, cost-effective cloud option exists. The Federal Risk and Authorization Management Program (FedRAMP) was established by a memorandum issued by OMB on December 8, 2011, Security Authorization of Information Systems in Cloud Computing Environments (the FedRAMP Policy Memo), to provide a cost-effective, risk-based approach for the adoption and use of cloud services. A key element to successful implementation of cloud computing is a security program that addresses the specific characteristics of cloud computing and provides the level of security commensurate with specific needs to protect government information. Effective security management must be based on risk management and not only on compliance. By adhering to a standardized set of processes, procedures, and controls, agencies can identify and assess risks and develop strategies to mitigate them.

The purpose of FedRAMP is to:
- Ensure that cloud based services have adequate information security;
- Eliminate duplication of effort and reduce risk management costs; and
- Enable rapid and cost-effective procurement of information systems/services for Federal agencies.

FedRAMP was developed in collaboration with the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DoD), and the Department of Homeland Security (DHS). Many other government agencies and working groups participated in reviewing and standardizing the controls, policies and procedures.

The major participants in the FedRAMP process are:
- Federal agency customer: has a requirement for cloud technology that will be deployed into its security environment and is responsible for ensuring FedRAMP compliance
- Cloud Service Provider (CSP): is willing and able to fulfill agency requirements and to meet security requirements
- Joint Authorization Board (JAB): reviews the security package submitted by the CSP and grants a provisional Authority to Operate (ATO)
- Third Party Assessment Organization (3PAO): validates and attests to the quality and compliance of the CSP-provided security package
- FedRAMP Program Management Office (PMO): manages the assessment, authorization, and continuous monitoring process

A CSP follows the process for a provisional authorization under FedRAMP and uses a 3PAO to assess and review its security control implementations. The CSP then provides documentation of the test results in a completed assessment package to the FedRAMP PMO. The security package is then reviewed by the JAB and, if the CSP system presents an acceptable level of risk, a provisional authorization is granted. Agencies can then leverage the provisional ATO and grant their own ATO without conducting duplicative assessments.

FedRAMP Continuous Monitoring Strategy & Guide

The FedRAMP assessment process requires that monitoring activities be conducted continuously, quarterly, annually, every three years and every five years. These activities include required activities of the CSP and required activities of a 3PAO. The continuous monitoring program under FedRAMP is designed to provide more transparency into the ongoing security posture of the authorized cloud environment or service environment, so that it can be confirmed to remain acceptable.

The OMB memorandum M-10-15, issued on April 21, 2010, moved from static point-in-time security authorization processes to ongoing assessment and authorization throughout the system development life cycle. Consistent with this new direction favored by OMB and supported in NIST guidelines, FedRAMP has developed an ongoing assessment and authorization program, the Continuous Monitoring Strategy & Guide, for the purpose of reauthorizing cloud service providers (CSPs) annually. Traditionally, this process has been referred to as "Continuous Monitoring," as noted in NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. Other NIST documents, such as NIST SP 800-37 Revision 1, refer to "ongoing assessment of security controls." It is important to note that the terms "Continuous Monitoring" and "Ongoing Security Assessments" mean essentially the same thing and should be interpreted as such.

Monitoring security controls is part of the overall risk management framework for information security and is a requirement for CSPs to maintain their FedRAMP provisional authorization. After a system receives a FedRAMP provisional authorization, it is possible that the security posture of the system could change over time due to changes in the hardware or software of the cloud service offering, or due to the discovery of new exploits. Performing ongoing security assessments determines whether the set of deployed security controls in an information system remains effective in light of new exploits and attacks, and of planned and unplanned changes that occur in the system and its environment over time. Ongoing assessment and authorization provides federal agencies using cloud services a method of detecting changes to the security posture of a system for the purpose of making risk-based decisions. Ongoing due diligence and review of security controls enables the security authorization package to remain current, which allows agencies to make informed risk management decisions as they use cloud services. To receive reauthorization of a FedRAMP provisional authorization from year to year, CSPs must monitor their security controls, assess them on a regular basis, and demonstrate that the security posture of their service offering is continuously acceptable.

The FedRAMP Continuous Monitoring Strategy & Guide is intended to provide CSPs with guidance and instructions on how to implement their continuous monitoring program. Certain deliverables and artifacts related to continuous monitoring that FedRAMP requires from CSPs are discussed in that guide.

Cloud Computing

Cloud computing and virtualization have continued to grow significantly every year. There is a rush to move applications and even whole data centers to the "cloud," although few people can succinctly define the term "cloud computing." There are a variety of different frameworks available to define the cloud, and their definitions are important as they serve as the basis for making business, security, and audit determinations. VMware defines cloud or utility computing as follows (http://www.vmware.com/solutions/cloud-computing/public-cloud/faqs.html):

"Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage."

Figure 5: Cloud Computing

There are commonly accepted definitions for the cloud computing deployment models, and there are several generally accepted service models. These definitions are listed below:

- Private Cloud: The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premise or off-premise.
- Public Cloud: The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services.
- Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities, but are bound together by standardized technology. This enables data and application portability; for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gets the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on premise.
- Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on premise or off premise.

To learn more about VMware's approach to cloud computing, review the following:
- VMware Cloud Computing Overview
- VMware's vCloud Architecture Toolkit

When an organization is considering the potential impact of cloud computing on its highly regulated and critical applications, it may want to start by asking:
- Is the architecture a true cloud environment (does it meet the definition of cloud)?
- What service model is used for the in-scope environment (SaaS, PaaS, IaaS)?
- What deployment model will be adopted?
- Is the cloud platform a trusted platform?

The last point is critical when considering moving highly regulated applications to a cloud platform. FedRAMP does not endorse or prohibit any specific service or deployment model. The appropriate choice of service and deployment models should be driven by customer requirements, and the customer's choice should include a cloud solution that is implemented using a trusted platform.

VMware is the market leader in virtualization, the key enabling technology for cloud computing. VMware's vCloud Suite 5.5 is the trusted cloud platform that customers use to realize the many benefits of cloud computing, including safely deploying business critical applications.

If you are an organization or partner that is interested in more information on the VMware Compliance Program, please email us at compliance-solutions@vmware.com

Where to Start: Considerations for System Owners, IT and Assessors

Migrating a traditional IT infrastructure to a virtual or cloud environment has a significant impact on an organization that extends beyond information technology. Security and compliance continue to remain top concerns for management, IT departments, and auditors. All three areas should be represented and engaged for any IT virtualization or cloud project, to confirm that business, IT operations, and compliance teams carefully consider the benefits and risks.

The following questions may be important when considering the potential business impact, benefits, and risks of a virtual and/or cloud environment.

IT Considerations
1. How does the IT Operations plan address the company's strategic and operational goals?
2. What manual processes are in place that can be automated?
3. What are the skills and capabilities of the IT Department?
4. Have there been any previous attempts to virtualize or outsource critical operations?
5. Which IT initiatives currently underway could impact the FedRAMP system boundary?
6. How is encryption currently used to limit risk?
7. How is sensitive data currently classified (i.e., do you know where all your data resides)?
8. How have security and compliance affected IT Operations?

Assessment Considerations
1. What prior experience does the auditor (Third Party Assessment Organization, 3PAO) have with virtual/cloud environments?
2. Has the 3PAO successfully assessed FedRAMP environments?
3. What certifications do they have in VMware products or solutions?
4. How many individuals that are part of the assessment team have experience with VMware?
5. What thought leadership and guidance has the 3PAO published?
6. What are the risks and mitigation techniques the 3PAO believes are appropriate for FedRAMP environments?
7. How long have they been working with VMware architectures?
8. What references do they have for conducting similar assessments?
9. Is the 3PAO assigned to the audit engagement knowledgeable about the basic components, systems, and software in a VMware cloud?

Guidance from the Federal Risk and Authorization Management Program

VMware has identified the FedRAMP controls that highlight some of the critical requirements and guidance that organizations are required to address as part of their deployments. VMware has also provided information regarding how VMware tools are designed to help organizations address these controls.

Cloud computing technology allows the Federal Government to address demand from citizens for better, faster services and to save resources, consolidate services, and improve security. The essential characteristics of cloud computing (on-demand provisioning, resource pooling, elasticity, network access, and measured services) provide the capabilities for agencies to dramatically reduce procurement and operating costs and greatly increase the efficiency and effectiveness of services.

Agencies can then leverage the Provisional ATO and grant their own ATO without conducting duplicative assessments. In prior cloud FISMA compliance projects, certain controls have proven to be challenging for service providers to meet. Before you decide to initiate a request to participate in FedRAMP, go through the checklist in Table 3-1 and make sure that you are truly able to meet these requirements. Consult with your legal team and technical staff (e.g. systems administrators, database administrators, network engineers, etc.) to determine if you have the right controls in place and have the ability to manage them.

Checklist for CSPs getting ready to undergo the FedRAMP process
1. You have the ability to process electronic discovery and litigation holds
2. You have the ability to clearly define and describe your system boundaries
3. Guide to Understanding FedRAMP
4. You can identify customer responsibilities and what they must do to implement controls
5. System provides identification and 2-factor authentication for network access to privileged accounts
6. System provides identification and 2-factor authentication for network access to non-privileged accounts
7. System provides identification and 2-factor authentication for local access to privileged accounts
8. You can perform code analysis scans for code written in-house (non-COTS products)
9. You have boundary protections with logical and physical isolation of assets
10. You have the ability to remediate high risk issues within 30 days, medium risk within 90 days
11. You can provide an inventory and configuration build standards for all devices
12. System has safeguards to prevent unauthorized information transfer via shared resources
13. Cryptographic safeguards preserve confidentiality and integrity of data during transmission

VMware products and FedRAMP

VMware provides an extensive suite of products designed to help organizations support security and compliance needs. While every environment has unique needs, the following FedRAMP Compliance Stack provides a comprehensive mix of VMware solutions with features that are designed to assist with FedRAMP compliance. The solutions' functionality, features, and specific NIST 800-53 Rev 3 and FedRAMP Baseline Controls v1.1 requirements are addressed in detail in the following sections.

VMWARE PRODUCTS

Product                                    | Components or Features
vCloud Suite 5.5                           | vSphere including: ESXi, vShield Endpoint, vCenter, vCenter Update Manager, vCenter Orchestrator, vMotion, Storage vMotion, High Availability, Data Protection and Replication, Host Profiles. vCloud Director including: Elastic Virtual Datacenters, Multi-Tenancy and Service Catalog
vCloud Networking and Security Suite 5.5   | Edge, App Firewall, VXLAN, and Data Security
vCenter Operations Management Suite 5.8    | VMware vCenter Operations Manager, VMware vCenter Configuration Manager, VMware vFabric Hyperic, VMware vCenter Infrastructure Navigator, and VMware vCenter Chargeback Manager
NSX 6.0                                    | Logical Switching, Logical Routing, Logical Firewall, VXLAN, NSX 6.0 Edge Gateway (Load Balancing, DHCP, VPN), NSX 6.0 API

To determine the products and features available with VMware Suites please refer to VMware.com: vCloud Suite 5.5, vCloud Networking and Security Suite 5.5, vCenter Operations Management Suite 6.0, NSX 6.0

Figure 6: VMware Products Suite

VMware FedRAMP Requirements Matrix (Overview)

VMware has created a FedRAMP Requirements Matrix to assist organizations with an understanding of VMware solutions, VMware Partner solutions (where they overlap), and the remaining customer responsibilities that must be addressed separately by the customer through use of other tools or processes. While every cloud is unique, VMware believes that the vast majority of NIST 800-53 Rev 3 and FedRAMP Baseline Controls v1.1 requirements can be addressed through the VMware Suites and/or VMware partner solutions.

The following diagram shows an example of a cloud environment that has been deployed using the VMware FedRAMP suites and VMware partner products.

The remaining gaps in addressing FedRAMP requirements may be filled by the customer through other tools (i.e. approving customers' policies, keeping an updated network diagram, approving changes, etc.)

Figure 7: FedRAMP Requirements and VMware

Table 2: NIST 800-53 Rev 3 and FedRAMP Baseline Controls v1.1 Requirements

NIST 800-53 Rev 3 and FedRAMP Baseline Controls v1.1 requirement | # of FedRAMP assessment tests | Tests addressed in VMware's suites | Remaining tests
Access Control                          | 41  | 3  | 38
Awareness and Training                  | 4   | 0  | 4
Audit and Accountability                | 21  | 5  | 16
Security Assessment and Authorization   | 8   | 0  | 8
Configuration Management                | 21  | 20 | 1
Contingency Planning                    | 24  | 0  | 24
Identification and Authentication       | 18  | 0  | 18
Incident Response                       | 12  | 0  | 12
Maintenance                             | 12  | 0  | 12
Media Protection                        | 11  | 0  | 11
Physical and Environmental Protection   | 23  | 0  | 23
Planning                                | 5   | 0  | 5
Personnel Security                      | 8   | 0  | 8
Risk Assessment                         | 9   | 0  | 9
System and Services Acquisition         | 19  | 0  | 19
System and Communication Protection     | 40  | 19 | 21
System and Information Integrity        | 21  | 12 | 9
TOTAL                                   | 297 | 59 | 238

Note: Control totals do not add up to 298 due to overlapping features of VMware products and partner products.

FedRAMP Requirements Matrix (By VMware Suite)

vCloud Suite 5.5

For the purposes of the VMware Applicability Guide for FedRAMP, the vCloud Suite 5.5 includes vSphere (ESXi, vCenter Server), vCenter Orchestrator, vCenter Update Manager and vCloud Director. vSphere provides the foundation of the virtual architecture, allowing for the optimization of IT assets. vCloud Director extends the foundation of the vSphere virtual architecture by enabling organizations to build secure clouds and optimizing security and compliance in private, multi-tenant, mixed-mode, and hybrid clouds. As vCloud leverages the vSphere architecture, the vSphere components integrate to create a single vCloud that can be optimized for security and compliance considerations. While it encompasses many features for storage, business continuity, and automation, for the purposes of this FedRAMP reference architecture the critical components that apply to FedRAMP for vCloud include the following six components: ESXi Hosts, vShield Endpoint, vCenter Server, vCenter Orchestrator, vCenter Update Manager and vCloud Director.

ESXi: ESXi is a type 1 hypervisor (bare metal) that is significantly different from the ESX architecture and offers improvements in security. The ESXi kernel has a small footprint, no service console, and can limit communication to vCenter access only. This FedRAMP reference architecture is only applicable to ESXi architectures because the ESXi architecture and the ESX architecture are quite different.

vShield Endpoint: With integration of other 3rd party endpoint solutions (such as anti-virus), vShield Endpoint improves performance by offloading key antivirus and anti-malware functions to a secured virtual machine and eliminating the antivirus agent footprint and overhead in virtual machines.

vCenter Server: vCenter Server is a server (virtual or physical) that provides unified management for the entire virtual infrastructure and unlocks many key vSphere capabilities. vCenter Server can manage thousands of virtual machines across multiple locations and streamlines administration with features such as rapid provisioning and automated policy enforcement.

vCenter Orchestrator (vCO): vCO is a virtual appliance that automates tasks for VMware vSphere and enables orchestration between multiple solutions. VMware vCenter Orchestrator allows administrators to automatically create workflows that capture best practices and manual workflows and creates automated, repeatable solutions.

vCenter Update Manager (VUM): VUM automates tracking, patching and updating for vSphere hosts (ESXi hosts and clusters), VM tools, and VMware virtual appliances. It provides a centralized, automated, actionable patch compliance management solution to confirm that all VMware components are updated and to enforce the latest security patches.

vCloud Director (vCD): vCD pools datacenter resources including compute, storage and network, along with their relevant policies, into virtual datacenters. Fully encapsulated multi-tier virtual machine services are delivered as vApps, using the Open Virtualization Format (OVF). End users and their associated policies are captured in organizations. With programmatic and policy-based pooling of infrastructure, users and services, VMware vCloud Director enforces policies, which enable FedRAMP data to be securely protected, and new virtual machines and applications to be securely provisioned and maintained.

The following product matrix explains which FedRAMP controls are applicable to vCloud Suite 5.5. It also explains how vCloud Suite enables users to meet FedRAMP requirements. The controls highlighted in bold are those that have been selected for the FedRAMP baseline.

Table 3: Applicability of FedRAMP Controls to vCloud Suite 5.5 (NIST 800-53 Rev 3 and FedRAMP Baseline Controls v1.1 v2.0 Applicability Matrix)

Control family: Access Control
Controls addressed: AC-5, AC-6
vCloud Suite 5.5 description: The vCloud Suite 5.5 can be configured to limit access to the Customer environments in a variety of ways. By providing a centralized interface, vSphere Client and vCenter Servers can narrow the management footprint of the customer environments by minimizing network management and limiting access to critical components in the Customer environments. For example, the vSphere environment allows users to lock down each ESXi server so that it can only be accessed via the vCenter Server. vCO can also be used to automate and enforce standardized rules, accounts, profiles, and security settings so that scope is not impacted as new machines are dynamically added or removed.
Additionally, direct access to components can be reduced (such as lock-down mode) to minimize the risk of any direct console or shell access. By integrating vSphere components such as VUM, clouds using the vCloud Director environment can push out critical security updates so that the latest security configurations are enforced. Hardening guidelines have been developed specifically for the cloud environment.
vCloud and vSphere have built-in access control systems in place so that each virtual component can only be accessed by authorized users. Systems can be accessed directly with local accounts, or can be managed centrally through a role-based access control system enforced by vSphere and integrated into a centralized access control system.
All access to virtual devices within the vCloud and vSphere environment can enforce individual access. Minimum username and password requirements can be set on many systems natively (such as the ESXi host). Other virtual components can be configured to use centralized authentication servers (such as Active Directory), which can enforce additional controls for password rotation, lockout, duration, etc.

Control family: Audit and Accountability
Controls addressed: AU-2, AU-3, AU-6(1), AU-8, AU-12
vCloud Suite 5.5 description: vCloud and vSphere have the ability to log access to components within the environment. Individual access to components can be tracked, logged, and enforced. Audit trails can capture event, time, action, and other critical requirements that are required for monitoring. Logs can be centrally consolidated, reviewed, and retained for analysis. All systems can be configured with time synchronization, normally by enforcing primary and secondary NTP servers in the cloud environment.

Control family: System and Communications Protection
Controls addressed: SC-4, SC-6, SC-7, SC-30
vCloud Suite 5.5 description: The vCenter Orchestrator (vCO) can be used to configure new virtual components to communicate only within the environment in which they were intended. vCO can reduce the manual configuration processes which are prone to user error and misconfiguration in a large, dynamic environment.

vCloud Networking and Security Suite 5.5

For the purposes of the VMware Applicability Guide for FedRAMP, the suite is a group of products that deliver a virtualized security model specifically designed to overcome the traditional challenges of managing security in a virtual environment. vCloud Networking and Security provides a software-based approach to application and data security in virtual and cloud environments, which has traditionally been enforced primarily through physical security appliances. The vCloud Networking and Security Suite 5.5 consists of the following five (5) products:

App Firewall: Protects applications in a virtual datacenter against network-based threats by providing a firewall that is hypervisor-based and application-aware. vCloud Networking and Security App has visibility of intra-VM communication, and enforces policies, firewall rules based on logical groups, and workloads.

Data Leak Prevention: Adds to Sensitive Data Discovery across virtualized resources, allowing organizations to identify and secure different types of sensitive data. For FedRAMP, it provides a way to search for cardholder data and to identify hosts and unauthorized stores of data.

Edge Gateway: Enhances protection of a virtual datacenter perimeter by providing gateway security services including a stateful inspection firewall, site-to-site VPN, load balancing, Dynamic Host Configuration Protocol (DHCP), and Network Address Translation (NAT). It also has the ability to integrate with third-party IDS solutions.

Manager: Manager is a management application which includes all vCloud Networking and Security products. Manager is tightly integrated with vCenter and the broader VMware management portfolio.

The following product matrix explains which FedRAMP controls are applicable to the vCloud Networking and Security Suite 5.5. It also explains how vCloud Networking and Security assists users in meeting FedRAMP requirements. The controls highlighted in bold are those that have been selected for the FedRAMP baseline.

VMWARE APPLICABILITY GUIDE 21
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright 2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

Table 4: NIST 800-53 Rev 3 and FedRAMP Baseline Controls v1.1 v2.0 Applicability Matrix (vCloud Networking and Security Suite 5.5)

Control family: Access Control
Controls addressed: AC-5, AC-6
vCNS Suite description: vCloud Networking and Security has built-in access control systems in place so that each virtual component can only be accessed by authorized users. Systems can be accessed directly with local accounts, or can be managed centrally through a role-based access control system enforced by vSphere and integrated into a centralized access control system.
vCloud Networking and Security supports authentication based on job classification and function (RBAC), and can be configured to require that only the appropriate administrators and support personnel have access to vCloud Networking and Security components and operations. Manager provides a centralized solution to manage and enforce security profiles across a large distributed environment.

Control family: Audit and Accountability
Controls addressed: AU-2, AU-3, AU-6(1), AU-8, AU-12
vCNS Suite description: vCloud Networking and Security App and Edge Gateway have the ability to log access to components within the virtual environment using syslog. Individual access to components can be tracked, logged, and enforced. Audit trails can capture event, time, action, and other critical requirements required for monitoring. Logs can be centrally consolidated, reviewed, and retained for analysis. All systems can be configured with time synchronization, normally by enforcing primary and secondary NTP servers in the vSphere environment.

Control family: System and Communications Protection
Controls addressed: SC-4, SC-6, SC-7, SC-7(3)(4)(5)(6)(7)(8)(12)(13)(18), SC-8, SC-8(1), SC-11, SC-13, SC-13(1), SC-30, SC-32
vCNS Suite description: vCloud Networking and Security Manager provides centralized management and can be used to enforce the approval process for changes to network connections. Edge Gateway and App can control how cardholder data flows over a network, and Data Leak Prevention can be used to monitor that those controls are operating effectively. Roles and responsibilities for management can be enforced and defined in Manager and integrated into other RBAC solutions. Edge Gateway can be used as a firewall to separate wireless networks from the virtual infrastructure. Both Edge Gateway and App perform stateful inspection (dynamic filtering). App and Edge Gateway also support comment fields, which can be used to document the justification for every open port and service. Manager can be used to view current configurations and allow an administrator to compare them to an approved configuration; this facilitates confirmation that running configuration files for App and Edge Gateway are secured and match the approved configurations.
vCloud Networking and Security can provide segmentation for cloud environments by segmenting virtual machines and port groups, and enforcing perimeter security. Edge Gateway provides gateway security services including a stateful inspection firewall, which protects the network from traffic into and out of the virtualized infrastructure. App provides visibility and control for intra-VM communication. Data Leak Prevention can be used to proactively search for and identify stores of credit card data and gather data to validate or enforce segmentation.
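The Audit and Accountability rows of Table 3 and Table 4 make three claims that an assessor will want evidence for: App and Edge Gateway log via syslog, audit trails carry event, time and action, and every system is time-synchronized against primary and secondary NTP servers. The following script is an added example and not VMware code or the output of any VMware product: it runs a small audit-quality check over syslog records as a central collector might hold them. The records are constructed RFC 5424 lines, and the key=value message body is an assumed convention for this example, not a vCNS or ESXi log format. The check verifies that each record names an event and an action, and flags records whose own timestamp disagrees with the collector's receive time by more than a tolerance, which is how a host that has drifted off NTP shows up in a consolidated log.

```python
"""Audit-trail completeness and clock-skew check over centrally collected
syslog records.  Added example, not VMware code: the records below are
constructed RFC 5424 lines, not real vCNS App/Edge or ESXi output, and the
key=value message body is an assumed convention for this example."""
import re
from datetime import datetime, timedelta

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
_KV = re.compile(r"(\w+)=(\S+)")          # key=value pairs in the message body

REQUIRED = ("event", "action")            # AU-3: what every record must name
MAX_SKEW = timedelta(minutes=5)           # AU-8: tolerated source/collector gap


def _iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse(line):
    """Return header fields plus message key=value pairs, or None if the
    line is not RFC 5424 (legacy BSD-format senders fall out here)."""
    m = _RFC5424.match(line)
    if not m:
        return None
    rec = {"time": _iso(m["ts"]), "host": m["host"], "app": m["app"]}
    rec.update(_KV.findall(m["msg"]))
    return rec


def assess(entries):
    """entries: (collector_receive_time_iso, raw_line) pairs.
    A record passes only if it parses, names an event and an action, and
    its own timestamp agrees with the collector clock within MAX_SKEW."""
    verdicts = []
    for received, line in entries:
        rec = parse(line)
        if rec is None:
            verdicts.append({"ok": False, "host": None, "reason": "unparseable"})
            continue
        reasons = []
        missing = [k for k in REQUIRED if k not in rec]
        if missing:
            reasons.append("missing " + ",".join(missing))
        skew = abs(_iso(received) - rec["time"])
        if skew > MAX_SKEW:
            reasons.append("clock skew %s" % skew)
        verdicts.append({"ok": not reasons, "host": rec["host"],
                         "reason": "; ".join(reasons)})
    return verdicts


def hosts_out_of_sync(verdicts):
    """Hosts whose records show clock skew: candidates for an NTP fix."""
    return sorted({v["host"] for v in verdicts
                   if v["host"] and "clock skew" in v["reason"]})


# Constructed sample: (collector receive time, raw record).  The esxi-09
# record is 19 minutes behind the collector; the app-fw-02 record names an
# event but no action; the last line is not RFC 5424 at all.
SAMPLE = [
    ("2014-02-10T10:00:02Z", "<86>1 2014-02-10T10:00:01Z edge-01 vshield-edge - - - user=admin action=rule-add event=config-change rule=1020"),
    ("2014-02-10T10:00:05Z", "<86>1 2014-02-10T10:00:04Z esxi-07 hostd - - - user=root action=login event=auth-success"),
    ("2014-02-10T10:00:09Z", "<86>1 2014-02-10T09:41:08Z esxi-09 hostd - - - user=root action=login event=auth-success"),
    ("2014-02-10T10:00:11Z", "<86>1 2014-02-10T10:00:10Z app-fw-02 vshield-app - - - event=flow-denied src=10.0.1.5 dst=10.0.2.9"),
    ("2014-02-10T10:00:12Z", "Feb 10 10:00:12 legacy-box kernel: link up"),
]

if __name__ == "__main__":
    results = assess(SAMPLE)
    for (_, line), v in zip(SAMPLE, results):
        print("PASS" if v["ok"] else "FAIL", v["reason"] or "-", "|", line[:60])
    print("hosts to check for NTP:", hosts_out_of_sync(results))
```

The skew threshold is deliberately coarse; what matters for an AU-8 finding is that the comparison is made against the collector's clock rather than trusting each source, since a source with a wrong clock will timestamp its own records consistently and look fine in isolation.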

vCenter Operations Management Suite 5.8

For the purpose of the VMware Applicability Guide for FedRAMP, the vCenter Operations Management Suite 6.0 includes vCenter Operations Manager, vCenter Configuration Manager, vCenter Infrastructure, and vCenter Infrastructure Navigator. The vCenter Operations Management Suite 6.0 enables IT organizations to gain better visibility and actionable intelligence to proactively facilitate service levels, optimum resource usage, and configuration compliance in dynamic virtual and cloud environments.

vCenter Operations Manager (vCOps): Uses patented analytics and an integrated approach to operations management in order to provide the intelligence and visibility required to proactively maintain service levels, optimum resource usage, and configuration compliance in dynamic virtual and cloud environments.

vCenter Configuration Manager (vCM): Automates configuration management across virtual and physical servers and desktops, increasing efficiency by eliminating manual, error-prone, and time-consuming work. This enables enterprises to maintain continuous compliance by detecting changes and comparing them to configuration and security policies.

vCenter Infrastructure Navigator: Automatically discovers and visualizes application and infrastructure dependencies. It provides visibility into the application services running over the virtual-machine infrastructure and their interrelationships for day-to-day operational management.

The following product matrix explains which FedRAMP controls are applicable to the vCenter Operations Management (vCOps) Suite. The following is the detailed description of the controls that may be met through the suite. The controls highlighted in bold are those that have been selected for the FedRAMP baseline.

Table 5: NIST 800-53 Rev 3 and FedRAMP Baseline Controls v1.1 v2.0 Applicability Matrix (vCenter Operations Management Suite)

Control family: Access Control
Controls addressed: AC-5, AC-6
Description: Access to vCOps can be controlled through Microsoft Active Directory. This will allow vCOps to help the user meet the FedRAMP requirements for access control to the customer environment.

Control family: Audit and Accountability
Controls addressed: AU-2, AU-3, AU-6(1), AU-8, AU-12
Description: vCOps has the ability to monitor access controls to the customer environment and thereby monitor compliance with FedRAMP requirements. Specifically, vCOps will assess and report on the following:
- Local and domain-level users (Windows) and users with unique usernames (UNIX, Linux and Mac OS).
- System password policies for expiration, length, standards, creation settings, and access attempts (can also remediate).
- Changes to user accounts, credential stores, and identifier objects, to provide visibility and control over system access.
- User access across all the systems in the datacenter at once.
- Disable and remove access for terminated user accounts.
- Inactive accounts (for which it can also disable and remove access).
- The status of maintenance accounts, confirming that they are disabled and configured to only be used during the times specified.
- Login policies, including lockout settings and auto-logout settings, remediating as needed.
Assessment, reporting and remediation are conducted in accordance with scheduling through vCOps.
vCOps will assess, report and remediate the following:
- Configurations of the system auditing and logging services to support proper logging across system components.
- vCM collects audit log entries to provide a single view of events.
- User access audit trails, by ensuring proper permissions for log files and their directories and alerting on changes to critical audit trails.
vCOps has the ability to track system changes across thousands of data points and, in conjunction with native auditing, can be used to track account activity and system modifications.
vCOps can assess and report on syslog configuration details on UNIX and Linux systems that specify remote log servers within the network.
vCOps can also be used to assess, report, and remediate audit logging for VMware components and guest operating systems.
Changes within the virtual environment are captured by vCOps and can be displayed in vCM. vCM can collect audit log entries within an organization vDC to allow an organization a single view of events within their environment. vCM is also able to control user access to audit trails within an organization by providing proper permissions for log files and their directories.

Control family: Configuration Management
Controls addressed: CM-2, CM-2(1)(3)(5), CM-3, CM-4(2), CM-5, CM-5(1)(2)(6), CM-6, CM-6(1)(3), CM-7, CM-7(1)(3), CM-8, CM-8(1)(3)(5)
Description: Security hardening and the enforcement of configuration standards are difficult in any environment and have historically relied on manual processes. The vCOps suite has the ability to assess both physical and virtual machines in the cloud computing architecture and report their compliance with a variety of configuration concerns. vCOps has the ability to consistently check the compliance status of machines within the environment, which is critical for the configuration management and hardening of systems, for items such as default system settings, system security hardening and baselining, unprovisioned and unapproved software or services, and unnecessary functions on systems. vCOps allows the customer to customize any number of compliance templates created to meet regulatory and best practice standards including, but not limited to, CIS, ISO 27001/27002, SANS and NIST. This function will allow for the simple baselining of standards and security configuration.
vCOps with vCM is able to assess, download, and deploy patches to Windows, UNIX, Linux, and Mac operating systems. Assessments are customizable and can be set to verify critical patches in the past 30 days.
Changes within the virtual environment are captured by vCOps and can be displayed in vCM. Each change made to the configuration settings is documented and logged. If a change is made without the proper approval, an alert is raised with a simple rollback procedure and the change is reversed. vCOps is able to track changes made both through the standard change process and out-of-band changes conducted directly on the VMs or through another tool.
vCM can be configured to use the VMware vCloud 5.5 Hardening Guide template to report on configuration settings in the virtual environment, as well as the reporting results for a clean scan of the environment with all appropriate configurations correctly applied.

Control family: System and Information Integrity
Controls addressed: SI-2, SI-3, SI-3(1)(2)(3), SI-4, SI-4(2)(4)(5), SI-6, SI-7, SI-7(1)
Description: vCOps can perform file integrity monitoring (FIM) within the cloud computing architecture for critical files and/or directories. Alerts can also be established to alert personnel of any changes made or attempted, and even remediate as needed.
vCOps does not have a built-in anti-virus solution, but it can be used to assess and report the anti-virus state of the systems. This allows a determination that all systems have anti-virus software installed and running with the updated signature files. vCOps can remediate anti-virus problems by installing the customer-approved anti-virus software on systems where it is not installed and starting/enabling the software services.
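Table 4 (System and Communications Protection) describes comparing a running configuration to an approved one, and the Configuration Management and System and Information Integrity rows of Table 5 describe the same idea at fleet scale: assess each host against a hardening template, report every deviation, flag out-of-band changes, check that critical patches are no older than 30 days, check anti-virus state, and reverse unapproved changes with a simple rollback. The script below is an added example of that assessment loop and is not VMware code; it does not reproduce the VMware vCloud 5.5 Hardening Guide. The baseline keys, their values, the host snapshots and the 7-day anti-virus signature threshold are all constructed for illustration; only the 30-day patch window comes from the page.

```python
"""Configuration compliance assessment against an approved baseline, with a
rollback plan for whatever has drifted.  Added example, not VMware code: the
baseline, the host snapshots and the anti-virus signature threshold are
constructed and do not reproduce the VMware vCloud 5.5 Hardening Guide."""
from datetime import date

# Approved baseline (constructed): setting -> value an assessor expects to
# find.  Mirrors the page's own themes: lockdown mode, no shell access,
# primary/secondary NTP, a central syslog target, password minimums, AV.
BASELINE = {
    "lockdown_mode": "enabled",
    "ssh_service": "disabled",
    "ntp_servers": ("10.0.0.10", "10.0.0.11"),
    "syslog_remote": "udp://10.0.0.20:514",
    "password_min_length": 14,
    "antivirus_running": True,
}
PATCH_SLA_DAYS = 30             # the page's "critical patches in the past 30 days"
AV_SIGNATURE_MAX_AGE_DAYS = 7   # assumed freshness threshold for this example


def assess_host(snapshot, today):
    """Compare one host's collected settings with BASELINE.
    Returns (findings, rollback): findings are human-readable deviations,
    rollback maps each drifted setting to the approved value to push back
    (None means the setting is not in the baseline and should be removed)."""
    findings, rollback = [], {}
    settings = snapshot["settings"]
    for key, expected in BASELINE.items():
        actual = settings.get(key, "<unset>")
        if actual != expected:
            findings.append("%s: expected %r, found %r" % (key, expected, actual))
            rollback[key] = expected
    # Anything present that the baseline never defined is an out-of-band change.
    for key in sorted(set(settings) - set(BASELINE)):
        findings.append("%s: not in approved baseline (out-of-band change?)" % key)
        rollback[key] = None
    patch_age = (today - snapshot["last_critical_patch"]).days
    if patch_age > PATCH_SLA_DAYS:
        findings.append("critical patches %d days old (limit %d)" % (patch_age, PATCH_SLA_DAYS))
    sig_age = (today - snapshot["av_signature_date"]).days
    if sig_age > AV_SIGNATURE_MAX_AGE_DAYS:
        findings.append("anti-virus signatures %d days old (limit %d)" % (sig_age, AV_SIGNATURE_MAX_AGE_DAYS))
    return findings, rollback


def assess_fleet(snapshots, today):
    """Per-host verdict: compliant flag, findings list, rollback plan."""
    report = {}
    for name, snap in snapshots.items():
        findings, rollback = assess_host(snap, today)
        report[name] = {"compliant": not findings, "findings": findings, "rollback": rollback}
    return report


# Constructed snapshots: esxi-01 matches the baseline; esxi-02 has lockdown
# mode off, SSH on, an unapproved extra setting and stale critical patches.
SNAPSHOTS = {
    "esxi-01": {"settings": dict(BASELINE),
                "last_critical_patch": date(2014, 2, 1),
                "av_signature_date": date(2014, 2, 9)},
    "esxi-02": {"settings": {**BASELINE, "lockdown_mode": "disabled",
                             "ssh_service": "enabled", "vib_acceptance": "community"},
                "last_critical_patch": date(2013, 12, 20),
                "av_signature_date": date(2014, 2, 9)},
}
TODAY = date(2014, 2, 10)   # fixed assessment date so the example is reproducible

if __name__ == "__main__":
    for host, verdict in assess_fleet(SNAPSHOTS, TODAY).items():
        print(host, "COMPLIANT" if verdict["compliant"] else "NON-COMPLIANT")
        for f in verdict["findings"]:
            print("   -", f)
        if verdict["rollback"]:
            print("   rollback plan:", verdict["rollback"])
```

The rollback plan is the part worth keeping separate from the findings list: a change-control tool needs the target values, not the prose, and the explicit None for unapproved keys distinguishes "restore this value" from "remove this setting", which are different operations on a real host.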

VMware NSX Suite 6.0

For the purposes of the VMware Applicability Guide for FedRAMP, the NSX 6.0 suite of products includes Logical Switching, Logical Routing, Logical Firewall, Logical Load Balancer, NSX 6.0 API, NSX 6.0 Gateway, and Logical VPN. The VMware network virtualization solution addresses current challenges with physical network infrastructure and brings flexibility, agility and scale through VXLAN-based logical networks. Along with the ability to create on-demand logical networks using VXLAN, the vCloud Networking and Security Edge Gateway helps users deploy various logical network services such as firewall, DHCP, NAT and load balancing on these networks. This is possible due to its ability to decouple the virtual network from the physical network and then reproduce the properties and services in the virtual environment.

Logical Switching: The logical switching capability in the NSX 6.0 platform provides customers the ability to spin up isolated logical L2 networks with the same flexibility and agility as spinning up virtual machines. There are three main components that help decouple the underlying physical network fabric and provide network abstraction: NSX 6.0 Manager, Controller Cluster, User World Agent and VXLAN Tunnel Endpoint.

Logical Routing: There are two modes of routing supported in the NSX 6.0 platform: Distributed Routing and Centralized Routing. The distributed routing capability in the NSX 6.0 platform provides an optimized and scalable way of handling east-west traffic within a datacenter. There are multiple components for the logical routing: NSX 6.0 Manager, Logical Router Control VM, Logical Router Kernel Module, Controller Cluster, NSX 6.0 Edge Services Router, Routing Deployments, Physical Router as Next Hop, Edge Services as Next Hop, and a Scalable Topology.

Logical Firewall: The VMware NSX 6.0 platform includes distributed kernel-enabled firewalling with line-rate performance, virtualization and identity awareness with activity monitoring, among other network security features native to network virtualization such as network isolation and segmentation.

Logical Load Balancer: This service offers distribution of workload across multiple servers, as well as high availability of applications. The NSX 6.0 load balancing service is specially designed for cloud, fully programmable via API and with the same single central point of management/monitoring as other NSX 6.0 network services.

NSX 6.0 API: The API interface of the NSX 6.0 Manager helps automate deployment and management of logical routers and switches through a cloud management platform.

NSX 6.0 Gateway: The gateway is a virtual appliance that performs logical routing functions. The NSX 6.0 Edge Services Router provides the traditional centralized routing support in the NSX 6.0 platform. Along with the routing services, NSX 6.0 Edge also supports other network services that include DHCP, NAT, load balancing, etc.

The following product matrix explains which FedRAMP controls are applicable to the NSX Suite 6.0. It also explains how NSX Suite assists users in meeting FedRAMP requirements. The controls highlighted in bold are those that have been selected for the FedRAMP Baseline.

Table 6: NIST 800-53 Rev 3 and FedRAMP Baseline Controls v1.1 v2.0 Applicability Matrix (VMware NSX 6.0)

Control family: Access Control
Controls addressed: AC-4
VMware NSX 6.0 description: VMware NSX 6.0 allows for pre-defined network rules and policies, enabling more effective information flow enforcement at the network layer.

Control family: Configuration Management
Controls addressed: CM-2, CM-2(1)(3)(5), CM-3, CM-4(2), CM-5, CM-5(1)(2)(6), CM-6, CM-6(1)(3), CM-7, CM-7(1)(3), CM-8, CM-8(1)(3)(5)
VMware NSX 6.0 description: NSX 6.0 network virtualization programmatically creates, snapshots, deletes, and restores software-based virtual networks. The virtualization of networking services and devices such as Layer 2 switching, L3 routing, load balancing and firewall services allows cloud service providers to create compliant baseline configurations of networking services and architecture and maintain them under configuration control. These can then be deployed to federal agency customers without the risk of misconfiguration or lengthy replication of effort in provisioning network services.

Control family: System and Communications Protection
Controls addressed: SC-4, SC-5, SC-6, SC-7, SC-7(3)(4)(5)(6)(7)(8)(12)(13)(18), SC-11, SC-13, SC-13(1), SC-14, SC-19
VMware NSX 6.0 description: Network virtualization through NSX 6.0 allows for pre-defined Layer 2 to Layer 7 services. This adds an additional layer of separation within multi-tenant hosting services and, most importantly, reduces the risk of misconfiguration of network services and potential exposure of sensitive information and data to unauthorized networks or personnel.
NSX 6.0 provides Load Balancing as a service within the networking suite. This service enables workload distribution across physical servers as well as dynamic scalability for high bandwidth.
The VMware NSX 6.0 Network Virtualization suite provides the following services, which can be configured to support boundary protection, network segmentation and trusted path requirements for federal customers:
- Logical Layer 2: Enables extension of an L2 segment/IP subnet anywhere in the fabric irrespective of the physical network design.
- Distributed L3 Routing: Routing between IP subnets can be done in a logical space without traffic going out to the physical router. This routing is performed in the hypervisor kernel with minimal CPU/memory overhead. This functionality provides an optimal data path for routing traffic within the virtual infrastructure. Similarly, the NSX 6.0 Edge provides a mechanism to do full dynamic route peering using OSPF, BGP and IS-IS with the physical network to enable seamless integration.
- Distributed Firewall: Security enforcement is done at the kernel and vNIC level itself. This enables firewall rule enforcement in a highly scalable manner without creating bottlenecks on physical appliances. The firewall is distributed in kernel and hence has minimal CPU overhead and can perform at line rate.
- Logical Load-balancing: Support for L4-L7 load balancing with the ability to do SSL termination.
- SSL VPN services to enable L2 VPN services.

Control family: System and Information Integrity
Controls addressed: SI-6
VMware NSX 6.0 description: Virtualization of the network layer's devices and services provides the ability to monitor and enforce a pre-defined architecture including virtual network devices and services. In the event of a security functionality failure, NSX 6.0 network virtualization programmatically creates, snapshots, deletes, and restores software-based virtual networks.
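The App Firewall description earlier and the Distributed Firewall item in Table 6 describe the same model: rules written against logical groups rather than addresses, enforced per vNIC, with the stated goal of tenant separation and fewer misconfigurations, and (from Table 4) a comment field that documents the justification for every open port. The script below is an added example and not VMware code or the NSX 6.0 API; its group names, rule syntax, workloads and flows are constructed. It evaluates a group-based, default-deny policy for individual flows, then exhaustively checks every cross-tenant pair of workloads so that an over-broad rule is found before it reaches production, and lists allow rules that carry no justification.

```python
"""Group-based distributed firewall policy evaluation with a tenant-isolation
check.  Added example, not VMware code or the NSX 6.0 API: the groups, rule
format, workloads and flows below are constructed for illustration."""
from itertools import permutations

# Workload membership (constructed): VM -> logical groups.  A rule never
# names an address, only groups, so moving a VM changes nothing in policy.
VMS = {
    "tenantA-web-1": {"tenantA", "web"},
    "tenantA-app-1": {"tenantA", "app"},
    "tenantA-db-1":  {"tenantA", "db"},
    "tenantB-web-1": {"tenantB", "web"},
    "tenantB-db-1":  {"tenantB", "db"},
}


def tenant_of(vm):
    return next(g for g in VMS[vm] if g.startswith("tenant"))


# Rules are evaluated top-down at the vNIC; first match wins; anything that
# matches no rule is denied.  'justification' is the documented reason for
# the open port that an assessor expects to find on every allow rule.
RULES = [
    {"name": "web-to-app", "src": {"web"}, "dst": {"app"}, "dport": 8443,
     "action": "allow", "same_tenant": True,
     "justification": "front end calls application tier over TLS"},
    {"name": "app-to-db", "src": {"app"}, "dst": {"db"}, "dport": 5432,
     "action": "allow", "same_tenant": True,
     "justification": "application tier queries its own database"},
]
# The same policy with one over-broad rule appended (constructed): it omits
# same_tenant, so it silently spans tenants, and it has no documented reason.
RULES_BROAD = RULES + [
    {"name": "legacy-app-to-db", "src": {"app"}, "dst": {"db"}, "dport": 5432,
     "action": "allow"},
]


def evaluate(rules, src, dst, dport):
    """Decide one flow: returns (action, rule name)."""
    for r in rules:
        if not (r["src"] <= VMS[src] and r["dst"] <= VMS[dst]):
            continue                       # groups do not match
        if r["dport"] != dport:
            continue
        if r.get("same_tenant") and tenant_of(src) != tenant_of(dst):
            continue                       # rule is scoped to one tenant
        return r["action"], r["name"]
    return "deny", "implicit-deny"


def cross_tenant_leaks(rules, ports):
    """Every (src, dst, port, rule) that lets one tenant reach another.
    An empty list is the evidence for the segmentation claim."""
    leaks = []
    for src, dst in permutations(VMS, 2):
        if tenant_of(src) == tenant_of(dst):
            continue
        for p in ports:
            action, name = evaluate(rules, src, dst, p)
            if action == "allow":
                leaks.append((src, dst, p, name))
    return leaks


def undocumented_allows(rules):
    """Allow rules without a justification: a finding, not a leak."""
    return [r["name"] for r in rules
            if r["action"] == "allow" and not r.get("justification")]


if __name__ == "__main__":
    ports = [8443, 5432, 22]
    print("approved policy leaks:", cross_tenant_leaks(RULES, ports))
    print("broad policy leaks:   ", cross_tenant_leaks(RULES_BROAD, ports))
    print("undocumented allows:  ", undocumented_allows(RULES_BROAD))
```

The isolation check is cheap here because the workload set is small; in a real environment it would be run against the group membership export rather than every VM, but the principle is the same: segmentation is proven by enumerating what the policy permits, not by reading the rule names.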

Disclaimer:
VMware solutions are designed to help organizations address various regulatory compliance requirements. This document is intended to provide general guidance for organizations that are considering VMware solutions to help them address such requirements. VMware encourages any organization that is considering VMware solutions to engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements. It is the responsibility of each organization to determine what is required to meet any and all requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide legal advice and is provided "AS IS". VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Nothing that you read in this document should be used as a substitute for the advice of competent legal counsel.

Acknowledgements:
VMware would like to recognize the efforts of the VMware Center for Policy & Compliance, VMware Partner Alliance, and the numerous VMware teams that contributed to this paper and to the establishment of the VMware Compliance Program. VMware would also like to recognize the Coalfire Systems Inc. VMware Team (www.coalfire.com/partners/vmware) for their industry guidance. Coalfire, a leading FedRAMP firm, provided FedRAMP guidance and control interpretation aligned to NIST 800-53 Rev 3 and FedRAMP baseline controls v1.1 v.2.0 and the Reference Architecture described herein.

The information provided by Coalfire Systems and contained in this document is for educational and informational purposes only. Coalfire Systems makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein.

About Coalfire
Coalfire Systems is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington, D.C., and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire has developed a new generation of cloud-based IT GRC tools under the Navis brand that clients use to efficiently manage IT controls and keep pace with rapidly changing regulations and best practices. Coalfire's solutions are adapted to requirements under emerging data privacy legislation, the NIST 800-53 Rev 3 and FedRAMP baseline controls v1.1, GLBA, FFIEC, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA. For more information, visit www.coalfire.com.
