09/20/2023 | News release | Distributed by Public on 09/20/2023 13:16
Some great news for our existing and prospective customers of VMware Cloud on AWS GovCloud (US) - we are thrilled to announce that VMware Cloud on AWS GovCloud (US) has achieved expanded Department of Defense (DoD) Impact Level 5 (IL5) Provisional Authorization (PA) as of August 2023. This certification expansion includes both US-East and US-West regions, the i4i.metal instance type as well as VMware HCX in both regions and will enable further adoption of the service by US Public Sector agencies.
VMware's expansion of its DoD IL5 PA for VMware Cloud on AWS GovCloud (US) demonstrates the unwavering commitment to providing secure and innovative cloud solutions to our customers in the government and defense sectors.
Certification Process
VMware Cloud™ on AWS GovCloud (US) brings VMware's Software-Defined Data Center (SDDC) software to the AWS GovCloud (US) regions, and with FedRAMP High JAB Authorization and DoD IL5 Authorization, it enables US public sector agencies to securely run production applications across VMware vSphere®-based on-premises and cloud environments with access to AWS services. Jointly engineered by VMware and AWS, this on-demand, scalable service enables IT teams to seamlessly extend, migrate, protect and manage their cloud-based resources with familiar VMware tools. VMware Cloud on AWS GovCloud (US) integrates VMware's flagship compute, storage, and network virtualization products (VMware vSphere®, VMware vSAN™ and VMware NSX®) along with VMware vCenter® management, and optimizes it to run on dedicated, elastic, Amazon EC2 bare-metal infrastructure that is fully integrated as part of the AWS GovCloud (US).
However, technology is only a small part of what drives an IL5 authorization. For most regulatory compliance authorizations, including IL5, it is more about HOW that technology is implemented and used. Cloud Service Providers (CSPs) and their Cloud Service Offerings (CSOs) are evaluated for their processes, going deep into how the services are implemented and secured, who has access to the systems, how events in the systems are audited and logged, where deployed systems are physically located, and so on.
As part of this expanded certification authorization, VMware Cloud on AWS GovCloud (US) meets the stringent process and implementation guidelines of DISA IL5, meaning easy and fast access to cloud services for Department of Defense mission owners.
Now let's dive into the details of the DoD IL5 PA certification expansion achieved by VMware Cloud on AWS GovCloud (US) as of August 2023.
Certification Deep Dive - August 2023 expansion
DISA's IL5 certification attests that Cloud Service Providers have built secure cloud offerings fit to process, store and transmit Controlled Unclassified Information (CUI) and Unclassified National Security Information (U-NSI). With the authorization of VMware HCX and the i4i.metal instance type at the IL5 level, as well as the expansion of VMware Cloud on AWS GovCloud (US) into the US-East and US-West regions, U.S. Department of Defense (DoD) customers can now migrate, extend, modernize and protect on-premises workloads into VMware Cloud on AWS GovCloud (US), as well as utilize universally available disaster recovery solutions, for example, VMware Site Recovery Manager. Additionally, customers can now deploy SDDCs in both US-East and US-West regions of VMware Cloud on AWS GovCloud (US).
VMware HCX in IL5 provides DoD mission owners with an application mobility platform that's designed to simplify application migrations and optimize disaster recovery networking across on-premises datacenters and VMware Cloud on AWS. Connectivity between the mission owners' on-premises vSphere infrastructure and VMware Cloud on AWS SDDC is established using VMware Transit Connect Service in the mission owners' VMware Cloud on AWS service. VMware Transit Connect provides connectivity to the mission owners' SCCA/VDSS, which connects to the DISA BCAP and then to the mission owners' on-premises VMware infrastructure. Once network reachability is established between a mission owner's SDDC infrastructure and their on-premises VMware infrastructure, mission owners then use VMware HCX to build a service mesh backed by Suite B encrypted tunnels to build hybrid cloud connectivity for simplified and secure workload mobility.
VMware Cloud on AWS GovCloud (US) BCAP Architecture
The diagram below provides a visual depiction of the reference architecture utilized by VMware Cloud on AWS GovCloud (US) to establish a BCAP connection between DoD Mission Owners and their SDDCs. This includes VMware HCX, VMware Site Recovery Manager, and customer workload traffic.
VMware Cloud on AWS GovCloud (US) Secure Network Configuration
SDDCs utilize VMware NSX to create and manage SDDC networks. VMware NSX provides an agile software-defined infrastructure to build cloud-native application environments. Mission Owners have autonomy in defining the virtual networking within their SDDCs to support DoD IL2, 4, and 5 workloads.
Mission Owners shall ensure the following when establishing network configurations for their SDDC:
VMware Cloud on AWS GovCloud (US) Account Management
VMware Cloud on AWS GovCloud (US) accounts are based on an organization which corresponds to each mission owner that subscribes to VMware Cloud Services.
Organization roles specify the privileges that an organization member has over organization assets. Service roles specify the privileges that an organization member has when accessing VMware Cloud Services that the organization uses. All service roles can be assigned and changed by a user with organization owner privileges.
Mission Owners shall ensure the following when establishing service roles for their SDDC:
VMware Cloud on AWS GovCloud (US) Audit & Logging
Mission owner VMware Cloud on AWS GovCloud (US) Service Organizations and VMware Cloud on AWS GovCloud (US) SDDCs have access to Organization level activity logs for auditing as well as access to SDDC infrastructure level logs for monitoring and auditing SDDC infrastructure components.
As VMware does not have access to Mission Owner workloads, Mission Owners shall ensure the following when establishing logging for their SDDC:
More Information
Beyond GovCloud (US), VMware Cloud on AWS service also holds many global and regional certifications for regulatory compliance, helping to speed migrations and make audits easier for thousands of customers governed by regulatory requirements. You can review all these at the VMware Cloud Trust Center.
For more information about how VMware Cloud on AWS GovCloud (US) can help your public sector organization achieve its mission, please visit the GovCloud website or speak with your VMware account team.