Supply Chain Risk Management (SCRM) is becoming a critical component of multiple standards and regulatory bodies and will continue to affect more customers concerned about insuring the Supply Chain for IT hardware and software.
VMware security posture includes a long history of participating in FIPS and Common Criteria standards with the first VMware cryptographic module validated in 2007 and first VMware product being certified in 2008. The VMTA team drives the certification of major VMware products as well as the validation of cryptographic modules used in those and other products. The team also actively participates and contributes to the development of standards and various Protection Profiles by continuously engaging with various Working Groups (WGs) / NIAP Technical Committees (TCs) / International Technical Committees (iTCs).

VMware follows a very comprehensive Security Development Lifecycle (SDL) that is outlined on the Security Development Lifecycle landing page. Individuals concerned about Supply Chain Risk Management should visit the VMware Security Response Center landing page and sign up for Security Advisories. Additionally, visiting our Trust and Assurance landing page will provide additional details covering our Trust and Assurance Framework which contains additional content around security and SCRM.

Several procedures are necessary for VMware to maintain security when distributing the product to a customer’s site. For a valid delivery, the product received must correspond precisely to the product master copy, without tampering, or substitution of a false version. The delivery procedures ensure that the integrity and authenticity of the product are maintained and that they are verifiable by the customer and by VMware after delivery has been completed. The product is delivered via VMware’s websites by electronic distribution only. The end user is supplied with the product, product documentation, and product license.

This is inclusive of patches. Patches are cryptographically signed to ensure authenticity. Before you try to install a patch or update the system verifies the signature. This signature enforces the end-to-end protection of the patch itself and can also address any concerns about patch download, whether installing the patch(es) manually or through an automated tool such as vSphere Lifecycle Manager or vRealize Lifecycle Manager. Cryptographically signed patches extend to VMware vSphere and other product & solution patches securely downloaded from VMware’s website and/or content distribution network.