Support for Security Technical Implementation Guides (STIGs)

Article ID: 313142

Products

VMware Cloud Foundation

Issue/Introduction

Support for Official DISA STIGs, VMware STIG Readiness Guides, and associated example automation for VMware products is provided through a variety of channels depending on the situation. It is important to adhere to the supported scenarios detailed here to avoid issues and unsupported situations.

Supported and Unsupported Scenarios

It is supported to:

  • Harden a VMware product using the latest guidance found in an Official DISA STIG or VMware STIG Readiness Guide when guidance is available for that specific product and version.

It is NOT supported to:

  • Harden a product where the STIG content and product version do not match. For example, applying the vSphere 7 STIG to vSphere 8.
  • Implement hardening guidance from an unrelated STIG on a product it was not intended for.
  • Request support for a product that is no longer generally supported by VMware. See the VMware Product Lifecycle Matrix for product end of general support dates.
  • Request support for assistance with implementing any hardening guidance or for security advice. If implementation assistance is needed, please reach out to your account team.

Note: There are many engineered data center and hybrid cloud infrastructure solutions, such as Dell VxRail or HPE SimpliVity. If this is how you consume VMware products, check with your solution's support first, before implementing any guidance, and confirm that doing so is supported.

Types of Support

Content Support: Problems with the text of the guidance found in a STIG.
Examples:

  • Clarification on guidance text or finding statements
  • A command does not work or produce results as expected
  • Spelling or grammar issues in the text
  • Check/Fix text feedback

Product Support: Break/fix type issues encountered when using the features and functionality of a product as found inside a product's STIG.
Examples:

  • Enabling Secure Boot causes a host not to boot.
  • Hardening a service causes it to not start.

Automation Support: Issues related to running scripts or playbooks found in the VMware DoD Compliance and Automation repository.

Official STIG Support

Content Support

Support for issues related to content in an Official STIG should be addressed by emailing DISA at: [email protected]

A ticket for the issue must be open in order to update the guidance in a future STIG release. DISA will work with VMware to address any tickets needing content updates as necessary.

Product Support

A support request may be opened in these cases if a valid support agreement is in place.

STIG Readiness Guide Support

Content Support

Support for issues related to content in a STIG Readiness Guide should be addressed by emailing: [email protected]

Requests received will be processed on a best-effort basis, and any needed content updates will be published in the next content release. In between releases, issues will be documented in a known issues document available in a product's folder in this repository.

Product Support

A support request may be opened in these cases if a valid support agreement is in place.

Automation Support

Support for automation examples is community-based and provided on a best-effort basis.

If an issue is encountered, please check the open and closed issues in the issue tracker for the details of your issue. If you can't find it, or if you're not sure, open a new issue.

A known issues document may also be available for a product and version in that product's docs folder.

Support Tips

Before contacting support, consider the following:

  • Is this a known issue?
  • Does reverting the change restore functionality?
  • Provide the source of the guidance with version and target product version in the request.
  • Is the latest version of the guidance being referenced?
  • Is this a supported scenario as laid out in this document?

Disclaimer

VMware accepts no liability for the consequences of applying specific configuration settings made on the basis of the SRGs/STIGs. It must be noted that the configuration settings specified should be evaluated in a local, representative test environment before implementation in a production environment, especially within large user populations. The extensive variety of environments makes it impossible to test these configuration settings for all potential software configurations.

For some production environments, failure to test before implementation may lead to a loss of required functionality. Evaluating the risks and benefits to a system’s particular circumstances and requirements is the system owner's responsibility. The evaluated risks resulting from not applying specified configuration settings must be approved by the responsible Authorizing Official.

Furthermore, VMware implies no warranty that the application of all specified configurations will make a system 100 percent secure. Security guidance is provided for the Department of Defense. While other agencies and organizations are free to use it, care must be given to ensure that all applicable security guidance is applied both at the device hardening level as well as the architectural level. Some of the controls may not be configurable in environments outside the DoDIN.

 

Environment

vSphere 7

vSphere 8

Resolution

Follow guidance in Issue/Introduction.