Appendix A Mappings
The tables in this appendix include all the NIST SP 800-53 Revision 5 controls (Table A-1) and NIST Cybersecurity Framework subcategories (Table A-2) listed in Section 4.2.8—those provided by individual components of the solution—and also list additional subcategories and controls provided by the solution as a whole, not an individual component.
Table A‑1 List of NIST SP 800-53 Revision 5 Controls Addressed by Solution
| ID | Control Description |
|---|---|
| Access Control (AC) | |
| AC-3 | Access Enforcement |
| AC-4 | Information Flow Enforcement |
| AC-17 | Remote Access |
| AC-20 | Use of External Information Systems |
| Audit and Accountability (AU) | |
| AU-2 | Audit Events |
| AU-3 | Content of Audit Records |
| AU-4 | Audit Storage Capacity |
| AU-5 | Response to Audit Processing Failures |
| AU-6 | Audit Review, Analysis, and Reporting |
| AU-7 | Audit Reduction and Report Generation |
| AU-8 | Time Stamps |
| AU-9 | Protection of Audit Information |
| AU-10 | Non-Repudiation |
| AU-11 | Audit Record Retention |
| AU-12 | Audit Generation |
| Security Assessment and Authorization (CA) | |
| CA-7 | Continuous Monitoring |
| Configuration Management (CM) | |
| CM-3 | Configuration Change Control |
| CM-4 | Security Impact Analysis |
| CM-8 | Information System Component Inventory |
| CM-9 | Configuration Management Plan |
| CM-10 | Software Usage Restrictions |
| Identification and Authentication (IA) | |
| IA-2 | Identification and Authentication (Organizational Users) |
| IA-3 | Device Identification and Authentication |
| IA-4 | Identifier Management |
| IA-5 | Authenticator Management |
| IA-7 | Cryptographic Module Authentication |
| Maintenance (MA) | |
| MA-2 | Controlled Maintenance |
| MA-3 | Maintenance Tools |
| MA-4 | Nonlocal Maintenance |
| MA-5 | Maintenance Personnel |
| MA-6 | Timely Maintenance |
| Risk Assessment (RA) | |
| RA-3 | Risk Assessment |
| RA-5 | Vulnerability Scanning |
| System and Services Acquisition (SA) | |
| SA-18 | Tamper Resistance and Detection |
| System and Communications Protection (SC) | |
| SC-2 | Application Partitioning |
| SC-3 | Security Function Isolation |
| SC-7 | Boundary Protection |
| SC-8 | Transmission Confidentiality and Integrity |
| SC-12 | Cryptographic Key Establishment and Management |
| SC-13 | Cryptographic Protection |
| SC-15 | Collaborative Computing Devices |
| SC-16 | Transmission of Security Attributes |
| SC-28 | Protection of Information at Rest |
| System and Information Integrity (SI) | |
| SI-2 | Flaw Remediation |
| SI-4 | Information System Monitoring |
| SI-7 | Software, Firmware, and Information Integrity |
Table A‑2 List of NIST Cybersecurity Framework Subcategories Addressed by Solution
| Cybersecurity Framework Subcategory Identifier | Cybersecurity Framework Subcategory Name |
|---|---|
| Identify (ID) | |
| ID.AM-2 | Software platforms and applications within the organization are inventoried. |
| Protect (PR) | |
| PR.AC-1 | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes. |
| PR.AC-3 | Remote access is managed. |
| PR.AC-5 | Network integrity is protected (e.g., network segregation, network segmentation). |
| PR.AC-6 | Identities are proofed and bound to credentials and asserted in interactions. |
| PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks). |
| PR.DS-1 | Data-at-rest is protected. |
| PR.DS-2 | Data-in-transit is protected. |
| PR.DS-3 | Assets are formally managed throughout removal, transfers, and disposition. |
| PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity. |
| PR.IP-3 | Configuration change control processes are in place. |
| PR.IP-4 | Backups of information are conducted, maintained, and tested. |
| PR.IP-9 | Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed. |
| PR.IP-12 | A vulnerability management plan is developed and implemented. |
| PR.MA-1 | Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools. |
| PR.PT-1 | Audit/log records are determined, documented, implemented, and reviewed in accordance with policy. |
| PR.PT-4 | Communications and control networks are protected. |
| Detect (DE) | |
| DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed. |
| DE.AE-2 | Detected events are analyzed to understand attack targets and methods. |
| DE.AE-3 | Event data are collected and correlated from multiple sources and sensors. |
| DE.AE-4 | Impact of events is determined. |
| DE.AE-5 | Incident alert thresholds are established. |
| DE.CM-1 | The network is monitored to detect potential cybersecurity events. |
| DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed. |
Appendix B List of Acronyms
| Acronym | Definition |
|---|---|
| A&A | Assessment & Authorization |
| ACL | Access Control List |
| ADCS | Active Directory Certificate Services |
| AWS | Amazon Web Services |
| BGP | Border Gateway Protocol |
| BIOS | Basic Input/Output System |
| CA | Certificate Authority |
| CloudSPF | Cloud Security Policy Framework |
| COSO | Committee of Sponsoring Organizations of the Treadway Commission |
| CRADA | Cooperative Research and Development Agreement |
| CSA | Cloud Security Alliance |
| DCG | Data Center Group |
| DD VE | Data Domain Virtual Edition |
| DFW | Distributed Firewall |
| DHCP | Dynamic Host Configuration Protocol |
| DISA | Defense Information Systems Agency |
| DLR | Distributed Logical Router |
| DNS | Domain Name System |
| ECMP | Equal-Cost Multi-Path |
| ESG | Edge Services Gateway |
| FAIR | Factor Analysis of Information Risk |
| FedRAMP | Federal Risk and Authorization Management Program |
| FIPS | Federal Information Processing Standard |
| FISMA | Federal Information Security Modernization Act |
| FOIA | Freedom of Information Act |
| FT | Fault Tolerance |
| GB | Gigabyte |
| Gb | Gigabit |
| GKH | Good Known Host |
| GRC | Governance, Risk, and Compliance |
| HIPAA | Health Insurance Portability and Accountability Act |
| HSM | Hardware Security Module |
| HTBC | HyTrust BoundaryControl |
| HTCA | HyTrust CloudAdvisor |
| HTCC | HyTrust CloudControl |
| HTDC | HyTrust DataControl |
| HTKC | HyTrust KeyControl |
| I/O | Input/Output |
| IaaS | Infrastructure as a Service |
| ICSV | IBM Cloud Secure Virtualization |
| IEEE | Institute of Electrical and Electronics Engineers |
| Intel AES-NI | Intel Advanced Encryption Standard – New Instructions |
| Intel CIT | Intel Cloud Integrity Technology |
| Intel TPM | Intel Trusted Platform Module |
| Intel TXT | Intel Trusted Execution Technology |
| Intel VT | Intel Virtualization Technology |
| IPsec | Internet Protocol Security |
| ISO | International Organization for Standardization |
| IT | Information Technology |
| KMIP | Key Management Interoperability Protocol |
| LAG | Link Aggregate |
| MLE | Measured Launch Environment |
| N/A | Not Applicable |
| NCCoE | National Cybersecurity Center of Excellence |
| NFS | Network File System |
| NIST | National Institute of Standards and Technology |
| NISTIR | National Institute of Standards and Technology Internal Report |
| NSX-V | NSX for vSphere |
| NTP | Network Time Protocol |
| OS | Operating System |
| PC | Personal Computer |
| PCI DSS | Payment Card Industry Data Security Standard |
| PIP | Published Internet Protocol |
| PSC | Platform Services Controller |
| RMF | Risk Management Framework |
| SDDC | Software-Defined Data Center |
| SFP+ | Enhanced Small Form-Factor Pluggable |
| SIEM | Security Information and Event Management |
| SMTP | Simple Mail Transfer Protocol |
| SNMP | Simple Network Management Protocol |
| SOC | Service Organization Control |
| SP | Special Publication |
| SRM | Site Recovery Manager |
| SSL | Secure Sockets Layer |
| STIG | Security Technical Implementation Guide |
| TLS | Transport Layer Security |
| TOR | Top-of-Rack |
| U.S. | United States |
| UDLR | Universal Distributed Logical Router |
| UDP | User Datagram Protocol |
| USB | Universal Serial Bus |
| vCS | vCenter Server |
| VDS | vSphere Distributed Switch |
| VIB | vSphere Installation Bundle |
| VLAN | Virtual Local Area Network |
| VLTi | Virtual Link Tunnel Interconnect |
| VM | Virtual Machine |
| VMM | Virtual Machine Manager |
| VMX | Virtual Machine Extensions |
| VPN | Virtual Private Network |
| vR | vSphere Replication |
| vRA | vRealize Automation |
| vRB | vRealize Business for Cloud |
| vRLI | vRealize Log Insight |
| vRO | vRealize Orchestrator |
| vROPS | vRealize Operations Manager |
| VTEP | VXLAN Tunnel Endpoint |
| VUM | vSphere Update Manager |
| VVD | VMware Validated Design |
| VXLAN | Virtual Extensible Local Area Network |
Appendix C Glossary
All significant technical terms used within this document are defined in other key documents, particularly NISTIR 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation [B1]. As a convenience to the reader, terms critical to understanding this volume are provided in this glossary.
| Term | Definition |
|---|---|
| Attestation | The process of providing a digital signature for a set of measurements securely stored in hardware, and then having the requester validate the signature and the set of measurements. |
| Cloud workload | A logical bundle of software and data that is present in, and processed by, a cloud computing technology. |
| Geolocation | Determining the approximate physical location of an object, such as a cloud computing server. |
| Hardware root of trust | An inherently trusted combination of hardware and firmware that maintains the integrity of information. |
| Trusted compute pool | A physical or logical grouping of computing hardware in a data center that is tagged with specific and varying security policies. Within a trusted compute pool, the access and execution of applications and workloads are monitored, controlled, audited, etc. Also known as a trusted pool. |
Appendix D References
- [B1] M. Bartock et al., Trusted Geolocation in the Cloud: Proof of Concept Implementation, NIST Internal Report 7904, Gaithersburg, MD, Dec. 2015, 59 pp. Available: https://doi.org/10.6028/NIST.IR.7904.
- [B2] “National Cybersecurity Center of Excellence (NCCoE) trusted geolocation in the cloud building block,” Federal Register, vol. 82, no. 90, May 11, 2017, pp. 21979-21980. Available: https://www.govinfo.gov/content/pkg/FR-2017-05-11/pdf/2017-09502.pdf.
- [B3] Joint Task Force, Guide for Conducting Risk Assessments, NIST SP 800-30 Revision 1, Gaithersburg, MD, Sep. 2012, 95 pp. Available: https://doi.org/10.6028/NIST.SP.800-30r1.
- [B4] Joint Task Force, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, NIST SP 800-37 Revision 2, Gaithersburg, MD, Dec. 2019, 183 pp. Available: https://doi.org/10.6028/NIST.SP.800-37r2.
- [B5] ISO, Risk Management – Guidelines, ISO 31000:2018, Feb. 2018. Available: https://www.iso.org/iso-31000-risk-management.html.
- [B6] COSO, “Enterprise risk management – Integrating with strategy and performance,” COSO, Jun. 2017. Available: https://www.coso.org/Pages/erm.aspx.
- [B7] J. Freund and J. Jones, Measuring and Managing Information Risk: A FAIR Approach. Oxford, England: Butterworth-Heinemann, 2014.
- [B8] NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, Gaithersburg, MD, Apr. 16, 2018, 55 pp. Available: https://doi.org/10.6028/NIST.CSWP.04162018.
- [B9] Joint Task Force Transformation Initiative, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53 Revision 4, Gaithersburg, MD, Apr. 2013, 462 pp. Available: https://doi.org/10.6028/NIST.SP.800-53r4.
- [B10] VMware, “Architecture and design: VMware validated design for management and workload consolidation 4.2,” VMware, Palo Alto, CA, Mar. 27, 2018. Available: https://docs.vmware.com/en/VMware-Validated-Design/4.2/vmware-validated-design-42-sddc-consolidated-architecture-design.pdf.
- [B11] VMware, “Deployment for region A: VMware validated design for software-defined data center 4.2,” VMware, Palo Alto, CA, Feb. 13, 2018. Available: https://docs.vmware.com/en/VMware-Validated-Design/4.2/vmware-validated-design-42-sddc-regiona-deployment.pdf.
- [B12] VMware, “Operational verification: VMware validated design for software-defined data center 4.2,” VMware, Palo Alto, CA, Mar. 27, 2018. Available: https://docs.vmware.com/en/VMware-Validated-Design/4.2/vmware-validated-design-42-sddc-operational-verification.pdf.
- [B13] VMware, “Planning and preparation: VMware validated design for software-defined data center 4.2,” VMware, Palo Alto, CA, Feb. 13, 2018. Available: https://docs.vmware.com/en/VMware-Validated-Design/4.2/vmware-validated-design-42-sddc-planning-preparation.pdf.