VMware SDDC Product Audit Guide for NIST 800-53v4


This Product Audit Guide (PAG) provides an evaluation of VMware products that make up and support the Software-Defined Data Center (SDDC), and how they may support NIST 800-53 Revision 4 (NIST 800-53v4) controls. These products virtualize and abstract the physical technology layers such as compute, storage, and network, the essence of an SDDC. The changing technology landscape that is modernizing the data center is also modernizing the virtual desktop environment and mobile device management while making inroads to consolidate and automate Information Technology (IT) resources. VMware prioritizes data protection and system security features within the SDDC.

The VMware Compliance Solutions team developed a framework that incorporates SDDC product capabilities aligned to NIST 800-53 compliance controls. These standards have then been used to illustrate how VMware products and their capabilities apply to other industry frameworks.

VMware engaged Tevora, an independent third-party IT audit firm, to conduct a review of the SDDC and VMware Cloud™ solution’s alignment to PCI DSS. This document is the culmination of Tevora’s discussions with VMware product teams to perform a thorough evaluation of VMware product capabilities mapped to NIST 800-53 requirements.

This guidance evolves. Please check back for the latest versions.


  • VMware vSphere
  • VMware vCenter Server
  • VMware ESXi
  • VMware Cloud Foundation
  • VMware vSAN
  • VMware NSX
  • VMware NSX-T
  • VMware vRealize Operations Manager
  • VMware vRealize Log Insight
  • VMware vRealize Network Insight
  • VMware vRealize Orchestrator
  • VMware Cloud Director
  • VMware Workspace ONE Access


This Product Applicability Guide is available as a download:


