SA-7 USER-INSTALLED SOFTWARE
Last Updated January 02, 2025
VMware Tanzu Platform for Cloud Foundry Compliance
Not applicable. SA-7 is a withdrawn control (removed from the NIST SP 800-53 catalog in Revision 4), so no platform-specific assessment is given here; the user-installed-software and software-integrity requirements it once carried are assessed under CM-11 (User-Installed Software) and SI-7 (Software, Firmware, and Information Integrity).
Control Description
[Withdrawn: Incorporated into CM-11 and SI-7].
Supplemental Guidance