VMware vSphere 7.0 STIG Readiness Guide: An Overview
The United States (U.S.) Department of Defense (DoD) Defense Information Systems Agency (DISA) has not officially released a Security Technical Implementation Guide (STIG) for VMware vSphere 7.0, but VMware has provided a guide called the “VMware vSphere 7.0 STIG Readiness Guide” to assist with compliance. This guide is based on years of experience helping the DoD create official DISA STIG releases for previous VMware vSphere product versions. While the guide is not an official STIG, it provides valuable information to help ensure an environment is compliant and passes certification should an official DISA STIG be released in the future.
The VMware vSphere 7.0 STIG Readiness Guide includes the following components:
1. Virtual Machine (VM)
2. ESX
3. vCenter Application
Each component has a set of alerts, symptoms, and recommendations to help ensure compliance. The content can be downloaded from the Downloads page on this website.
Automated Compliance Checks
I have attempted to include automated compliance checks for as many of these components as possible. However, because of limitations in the data that Aria Operations collects, and because some requirements can only be verified manually, only a subset of the compliance checks is included. Each excluded check is called out in the notes attached to the corresponding VMware Aria Operations alert.
List of Excluded Compliance Checks:
1. Configuration settings for vCenter Server and ESXi hosts
2. Network security settings for vSphere networks
3. Virtual machine configuration settings
4. vSphere Replication Manager settings
5. vSphere Update Manager settings
6. vSphere Backup and Recovery settings
7. vSphere Performance Management settings
8. vSphere Resource Management settings
9. vSphere Automation settings
10. vSphere Security Settings
It is important to note that the VMware vSphere 7.0 STIG Readiness Guide is not an official DISA STIG, and it should not be viewed as “as good as a STIG.” A published STIG has been through technical validation; review for requirement fulfillment, accuracy, and style; and risk acceptance, and it is digitally signed by the RME and posted on cyber.mil. Except for products that already have published STIGs, there is no explicit or implied DISA approval of the provided content.
In conclusion, the VMware vSphere 7.0 STIG Readiness Guide provides valuable information to help ensure compliance with DoD SRGs and pass certification should an official DISA STIG be released in the future. While it is not an official STIG, it can be a useful resource for those looking to improve their vSphere environment’s security posture.