Capability Domains met by VMware

List of VMware Products for CMMC

The following VMware products support a holistic CMMC compliance solution:

  • VMware Software Defined Data Center (SDDC)
  • vRealize Suite
  • Business Continuity Products


  • Software Defined Data Center (SDDC)

    VMware ESXi (ESXi)

  • Logs logon attempts.
  • Limits concurrent sessions on web clients and virtual machine consoles.
  • Supports integration with external authentication solutions such as Active Directory.

    VMware NSX-T (NSX-T)

  • Session lockouts are enforceable and require users to re-authenticate after a session time-out. Account lockout threshold can be altered.
  • Restricts network traffic based on system security classification, which can be defined using static objects and dynamic objects. Access control for objects can be restricted based on security rules and tags, as well as through configuration policies and firewall policies to manage internal information flow.
  • Comes with 13 pre-defined roles that can be assigned to enable role-based access control. In addition, new roles can be developed, based on an inventory of functionality, to be used as custom roles. This capability can support both separation of duties, as well as the concept of least privilege.


    VMware vCenter (vCenter)

  • Supports access control configuration, via single sign-on or Active Directory services, to implement session timeout, logon attempts, account lockout threshold, account lockout duration, minimum password age, and required re-authentication.
  • Limits concurrent sessions on web clients and virtual machine consoles.
  • Super user capabilities in vCenter are a combination of privileges, which can be assigned to administrator roles. Assignment of elevated privileges can be restricted to only those users that are approved as designated system administrators.
  • Remote access to vCenter can be configured to use a secure communication protocol: SSH, or the web client or API over HTTPS. The vCenter appliance runs on Linux and can be restricted to only accept HTTPS. Session identifiers are invalidated after session termination.


    VMware vSAN (vSAN)

  • Access to data storage in vSAN is managed by roles within vCenter. vSAN introduced a new role to enable or disable encryption that can be applied to restrict non-cryptographic user access from configuring this feature.
  • Controls and enforces session lockouts which require users to re-authenticate after a session time-out.

  • VMware vRealize Suite

    VMware vRealize Automation (vRA)

    Supports multiple roles to separate user functionality from system management functionality, and supports the principle of least privilege in user access control.



    VMware vRealize Log Insight (vRLI)

    vRLI supports role-based access control (RBAC) to access the data collected. Data collection is supported on TCP, as well as secure TCP which offers protection from unauthorized disclosure. vRLI further offers the ability to manage data sets that can limit one user’s access to specific sources based on need to know.

    Syslogs can be forwarded to various SIEM tools that store and encrypt logs while offering non-repudiation. Using third party software, vRLI can be configured to support non-repudiation of log entries and monitor access to logs to ensure transactions are reputable. The access restriction would be applied at the operating system (OS) level to manage access to the underlying file system or database, since Super Users administering the OS would be able to access log information.



    VMware vRealize Operations Manager (vROPs)

    Outbound plugin notifications are available in vROPs. These have to be configured to enforce the flow of data to a third-party system. Remote access to vROPs is restricted by default. Remote access to the vROPs appliance over SSH can only be enabled via the vCenter VM Console. The vROPs user interface is only accessible via a secure URL. Upon session termination, session identifiers are invalidated.