Appendix A Mappings

The tables in this appendix include all the NIST SP 800-53 controls (Table A-1; identifiers and titles follow the cited Revision 4 text [B9]) and NIST Cybersecurity Framework subcategories (Table A-2; from Version 1.1 [B8]) listed in Section 4.2.8 as provided by individual components of the solution. They also list additional controls and subcategories that the solution provides as a whole rather than through any single component.

Table A-1 List of NIST SP 800-53 Revision 4 Controls Addressed by Solution

ID       Control Description

Access Control (AC)
AC-3     Access Enforcement
AC-4     Information Flow Enforcement
AC-17    Remote Access
AC-20    Use of External Information Systems

Audit and Accountability (AU)
AU-2     Audit Events
AU-3     Content of Audit Records
AU-4     Audit Storage Capacity
AU-5     Response to Audit Processing Failures
AU-6     Audit Review, Analysis, and Reporting
AU-7     Audit Reduction and Report Generation
AU-8     Time Stamps
AU-9     Protection of Audit Information
AU-10    Non-Repudiation
AU-11    Audit Record Retention
AU-12    Audit Generation

Security Assessment and Authorization (CA)
CA-7     Continuous Monitoring

Configuration Management (CM)
CM-3     Configuration Change Control
CM-4     Security Impact Analysis
CM-8     Information System Component Inventory
CM-9     Configuration Management Plan
CM-10    Software Usage Restrictions

Identification and Authentication (IA)
IA-2     Identification and Authentication (Organizational Users)
IA-3     Device Identification and Authentication
IA-4     Identifier Management
IA-5     Authenticator Management
IA-7     Cryptographic Module Authentication

Maintenance (MA)
MA-2     Controlled Maintenance
MA-3     Maintenance Tools
MA-4     Nonlocal Maintenance
MA-5     Maintenance Personnel
MA-6     Timely Maintenance

Risk Assessment (RA)
RA-3     Risk Assessment
RA-5     Vulnerability Scanning

System and Services Acquisition (SA)
SA-18    Tamper Resistance and Detection

System and Communications Protection (SC)
SC-2     Application Partitioning
SC-3     Security Function Isolation
SC-7     Boundary Protection
SC-8     Transmission Confidentiality and Integrity
SC-12    Cryptographic Key Establishment and Management
SC-13    Cryptographic Protection
SC-15    Collaborative Computing Devices
SC-16    Transmission of Security Attributes
SC-28    Protection of Information at Rest

System and Information Integrity (SI)
SI-2     Flaw Remediation
SI-4     Information System Monitoring
SI-7     Software, Firmware, and Information Integrity

Table A-2 List of NIST Cybersecurity Framework Subcategories Addressed by Solution

Subcategory Identifier   Subcategory Name

Identify (ID)
ID.AM-2    Software platforms and applications within the organization are inventoried.

Protect (PR)
PR.AC-1    Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.
PR.AC-3    Remote access is managed.
PR.AC-5    Network integrity is protected (e.g., network segregation, network segmentation).
PR.AC-6    Identities are proofed and bound to credentials and asserted in interactions.
PR.AC-7    Users, devices, and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks).
PR.DS-1    Data-at-rest is protected.
PR.DS-2    Data-in-transit is protected.
PR.DS-3    Assets are formally managed throughout removal, transfers, and disposition.
PR.DS-6    Integrity checking mechanisms are used to verify software, firmware, and information integrity.
PR.IP-3    Configuration change control processes are in place.
PR.IP-4    Backups of information are conducted, maintained, and tested.
PR.IP-9    Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
PR.IP-12   A vulnerability management plan is developed and implemented.
PR.MA-1    Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools.
PR.PT-1    Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
PR.PT-4    Communications and control networks are protected.

Detect (DE)
DE.AE-1    A baseline of network operations and expected data flows for users and systems is established and managed.
DE.AE-2    Detected events are analyzed to understand attack targets and methods.
DE.AE-3    Event data are collected and correlated from multiple sources and sensors.
DE.AE-4    Impact of events is determined.
DE.AE-5    Incident alert thresholds are established.
DE.CM-1    The network is monitored to detect potential cybersecurity events.
DE.CM-7    Monitoring for unauthorized personnel, connections, devices, and software is performed.

Appendix B List of Acronyms

A&A           Assessment & Authorization
ACL           Access Control List
ADCS          Active Directory Certificate Services
AWS           Amazon Web Services
BGP           Border Gateway Protocol
BIOS          Basic Input/Output System
CA            Certificate Authority
CloudSPF      Cloud Security Policy Framework
COSO          Committee of Sponsoring Organizations of the Treadway Commission
CRADA         Cooperative Research and Development Agreement
CSA           Cloud Security Alliance
DCG           Data Center Group
DD VE         Data Domain Virtual Edition
DFW           Distributed Firewall
DHCP          Dynamic Host Configuration Protocol
DISA          Defense Information Systems Agency
DLR           Distributed Logical Router
DNS           Domain Name System
ECMP          Equal-Cost Multi-Path
ESG           Edge Services Gateway
FAIR          Factor Analysis of Information Risk
FedRAMP       Federal Risk and Authorization Management Program
FIPS          Federal Information Processing Standard
FISMA         Federal Information Security Modernization Act
FOIA          Freedom of Information Act
FT            Fault Tolerance
GB            Gigabyte
Gb            Gigabit
GKH           Good Known Host
GRC           Governance, Risk, and Compliance
HIPAA         Health Insurance Portability and Accountability Act
HSM           Hardware Security Module
HTBC          HyTrust BoundaryControl
HTCA          HyTrust CloudAdvisor
HTCC          HyTrust CloudControl
HTDC          HyTrust DataControl
HTKC          HyTrust KeyControl
I/O           Input/Output
IaaS          Infrastructure as a Service
ICSV          IBM Cloud Secure Virtualization
IEEE          Institute of Electrical and Electronics Engineers
Intel AES-NI  Intel Advanced Encryption Standard – New Instructions
Intel CIT     Intel Cloud Integrity Technology
Intel TPM     Intel Trusted Platform Module
Intel TXT     Intel Trusted Execution Technology
Intel VT      Intel Virtualization Technology
IPsec         Internet Protocol Security
ISO           International Organization for Standardization
IT            Information Technology
KMIP          Key Management Interoperability Protocol
LAG           Link Aggregation Group
MLE           Measured Launch Environment
N/A           Not Applicable
NCCoE         National Cybersecurity Center of Excellence
NFS           Network File System
NIST          National Institute of Standards and Technology
NISTIR        National Institute of Standards and Technology Internal Report
NSX-V         NSX for vSphere
NTP           Network Time Protocol
OS            Operating System
PC            Personal Computer
PCI DSS       Payment Card Industry Data Security Standard
PIP           Published Internet Protocol
PSC           Platform Services Controller
RMF           Risk Management Framework
SDDC          Software-Defined Data Center
SFP+          Enhanced Small Form-Factor Pluggable
SIEM          Security Information and Event Management
SMTP          Simple Mail Transfer Protocol
SNMP          Simple Network Management Protocol
SOC           Service Organization Control
SP            Special Publication
SRM           Site Recovery Manager
SSL           Secure Sockets Layer
STIG          Security Technical Implementation Guide
TLS           Transport Layer Security
TOR           Top-of-Rack
U.S.          United States
UDLR          Universal Distributed Logical Router
UDP           User Datagram Protocol
USB           Universal Serial Bus
vCS           vCenter Server
VDS           vSphere Distributed Switch
VIB           vSphere Installation Bundle
VLAN          Virtual Local Area Network
VLTi          Virtual Link Trunking Interconnect
VM            Virtual Machine
VMM           Virtual Machine Manager
VMX           Virtual Machine Extensions
VPN           Virtual Private Network
vR            vSphere Replication
vRA           vRealize Automation
vRB           vRealize Business for Cloud
vRLI          vRealize Log Insight
vRO           vRealize Orchestrator
vROPS         vRealize Operations Manager
VTEP          VXLAN Tunnel Endpoint
VUM           vSphere Update Manager
VVD           VMware Validated Design
VXLAN         Virtual Extensible Local Area Network

Appendix C Glossary

All significant technical terms used within this document are defined in other key documents, particularly NISTIR 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation [B1]. As a convenience to the reader, terms critical to understanding this volume are provided in this glossary.

Attestation

The process of providing a digital signature for a set of measurements securely stored in hardware, and then having the requester validate the signature and the set of measurements.

Cloud workload

A logical bundle of software and data that is present in, and processed by, a cloud computing technology.

Geolocation

Determining the approximate physical location of an object, such as a cloud computing server.

Hardware root of trust

An inherently trusted combination of hardware and firmware that maintains the integrity of information.

Trusted compute pool

A physical or logical grouping of computing hardware in a data center that is tagged with specific and varying security policies. Within a trusted compute pool, the access and execution of applications and workloads are monitored, controlled, audited, etc. Also known as a trusted pool.
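The attestation, hardware root of trust, and trusted compute pool definitions above describe one mechanism: measurements are folded into registers held by the hardware, the hardware signs them together with a requester-supplied nonce, and the requester checks the signature, the nonce, and each value against what a good known host should report. The following Python is an added illustration of that flow and is not code from this practice guide or from any vendor product named in it. It assumes SHA-256 PCR chaining, a shared-secret HMAC standing in for the asymmetric attestation key a real TPM would use (so the verifier holds the same key here, which a real deployment would not), PCR indices 0, 17 and 22 chosen for illustration, and constructed boot component strings and a constructed geolocation asset tag as sample input.

```python
import hashlib
import hmac
import json
import os

PCR_ZERO = b"\x00" * 32


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || SHA-256(measurement)).
    Values can only be folded in, never removed, and order matters, so the
    final register value is a compact record of everything measured."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_launch(components: dict) -> dict:
    """Simulated measured launch: each PCR starts at zero and every component
    assigned to it is extended in boot order. Returns {pcr_index: value}."""
    pcrs = {}
    for index, items in components.items():
        value = PCR_ZERO
        for item in items:
            value = pcr_extend(value, item)
        pcrs[index] = value
    return pcrs


class TpmSim:
    """Stand-in for the hardware root of trust; the attestation key never
    leaves this object. Assumption: HMAC replaces the asymmetric attestation
    key a real TPM would use, so the verifier below holds the same secret."""

    def __init__(self, attestation_key: bytes, pcrs: dict):
        self._ak = attestation_key
        self._pcrs = pcrs

    def quote(self, nonce: bytes, selection) -> dict:
        """Sign the requester's nonce together with the selected PCR values."""
        body = {"nonce": nonce.hex(),
                "pcrs": {str(i): self._pcrs[i].hex() for i in sorted(selection)}}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self._ak, payload, hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}


class AttestationServer:
    """Requester side: issues a fresh nonce, then checks the quote's signature,
    the nonce (known and not yet consumed) and every PCR against the policy."""

    def __init__(self, attestation_key: bytes, policy: dict):
        self._ak = attestation_key
        self._policy = policy        # {pcr_index: expected value as bytes}
        self._outstanding = set()    # nonces issued and not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, quote: dict) -> tuple:
        expected = hmac.new(self._ak, quote["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, quote["sig"]):
            return False, "signature invalid"
        body = json.loads(quote["payload"])
        nonce = bytes.fromhex(body["nonce"])
        if nonce not in self._outstanding:
            return False, "nonce unknown or replayed"
        self._outstanding.discard(nonce)   # a quote is accepted once only
        for index, good in self._policy.items():
            if body["pcrs"].get(str(index)) != good.hex():
                return False, f"PCR {index} mismatch"
        return True, "trusted"


# Constructed sample data for a good known host. Using PCR 22 for an asset tag
# that encodes the geolocation is an assumption for this illustration.
GOOD_HOST = {
    0: [b"BIOS 1.2.3", b"option ROM"],
    17: [b"SINIT ACM", b"hypervisor kernel"],   # measured launch environment
    22: [b"geo:us-east;dc:bldg-7"],             # geolocation asset tag
}
AK = b"constructed-attestation-key"


def attest(host_components: dict, key: bytes = AK) -> tuple:
    """One challenge/quote/verify round for a host, judged against GOOD_HOST."""
    policy = measured_launch(GOOD_HOST)
    server = AttestationServer(AK, policy)
    tpm = TpmSim(key, measured_launch(host_components))
    return server.verify(tpm.quote(server.challenge(), policy.keys()))


def attest_with_replay(host_components: dict) -> tuple:
    """Present the same quote twice; the second presentation must be rejected."""
    policy = measured_launch(GOOD_HOST)
    server = AttestationServer(AK, policy)
    tpm = TpmSim(AK, measured_launch(host_components))
    quote = tpm.quote(server.challenge(), policy.keys())
    return server.verify(quote), server.verify(quote)
```

A host whose hypervisor measurement differs from the policy fails on PCR 17, a host whose asset tag places it in another location fails on PCR 22, and a replayed quote fails on the nonce even though its signature and PCR values are still valid, which is why the verifier must consume each nonce rather than merely check that it signed one.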

Appendix D References

B1

M. Bartock et al., Trusted geolocation in the cloud: Proof of concept implementation, NIST Internal Report 7904, Gaithersburg, MD, Dec. 2015, 59 pp. Available: https://doi.org/10.6028/NIST.IR.7904.

B2

“National Cybersecurity Center of Excellence (NCCoE) trusted geolocation in the cloud building block,” Federal Register, vol. 82, no. 90, May 11, 2017, pp. 21979-21980. Available: https://www.govinfo.gov/content/pkg/FR-2017-05-11/pdf/2017-09502.pdf.

B3

Joint Task Force, Guide for Conducting Risk Assessments, NIST SP 800-30 Revision 1, Gaithersburg, MD, Sep. 2012, 95 pp. Available: https://doi.org/10.6028/NIST.SP.800-30r1.

B4

Joint Task Force, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, NIST SP 800-37 Revision 2, Gaithersburg, MD, Dec. 2019, 183 pp. Available: https://doi.org/10.6028/NIST.SP.800-37r2.

B5

Risk management – Guidelines, ISO 31000:2018, Feb. 2018. Available: https://www.iso.org/iso-31000-risk-management.html.

B6

COSO, “Enterprise risk management – Integrating with strategy and performance,” COSO, Jun. 2017. Available: https://www.coso.org/Pages/erm.aspx.

B7

J. Freund and J. Jones, Measuring and Managing Information Risk: A FAIR Approach. Oxford, England: Butterworth-Heinemann, 2014.

B8

NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, Gaithersburg, MD, Apr. 16, 2018, 55 pp. Available: https://doi.org/10.6028/NIST.CSWP.04162018.

B9

Joint Task Force Transformation Initiative, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53 Revision 4, Gaithersburg, MD, Apr. 2013, 462 pp. Available: https://doi.org/10.6028/NIST.SP.800-53r4.

B10

VMware, “Architecture and design: VMware validated design for management and workload consolidation 4.2,” VMware, Palo Alto, CA, Mar. 27, 2018. Available: https://docs.vmware.com/en/VMware-Validated-Design/4.2/vmware-validated-design-42-sddc-consolidated-architecture-design.pdf.

B11

VMware, “Deployment for region A: VMware validated design for software-defined data center 4.2,” VMware, Palo Alto, CA, Feb. 13, 2018. Available: https://docs.vmware.com/en/VMware-Validated-Design/4.2/vmware-validated-design-42-sddc-regiona-deployment.pdf.

B12

VMware, “Operational verification: VMware validated design for software-defined data center 4.2,” VMware, Palo Alto, CA, Mar.27, 2018. Available: https://docs.vmware.com/en/VMware-Validated-Design/4.2/vmware-validated-design-42-sddc-operational-verification.pdf.

B13

VMware, “Planning and preparation: VMware validated design for software-defined data center 4.2,” VMware, Palo Alto, CA, Feb. 13, 2018. Available: https://docs.vmware.com/en/VMware-Validated-Design/4.2/vmware-validated-design-42-sddc-planning-preparation.pdf.