VMware vSphere 8 STIG


In the United States Department of Defense (DoD), Security Technical Implementation Guides (STIGs) provide technical, standards-based hardening guidance. Officially published STIGs are mandatory in the DoD and fill a crucial role in systems accreditation as part of the Risk Management Framework (RMF). The VMware vSphere 8 STIG has been submitted, approved, and published by the Defense Information Systems Agency (DISA).

The only official reference for DISA STIGs, once approved and published, is the US Department of Defense web site at https://public.cyber.mil/stigs

Intended Audience

The audience for the VMware vSphere 8 STIG is VMware vSphere 8 customers in the DoD who need to harden or accredit their vSphere environment. Other entities can use this guidance; however, some items are specific to the DoD and will not be applicable to a non-DoD environment.

There are many engineered data center and hybrid cloud infrastructure products that also work with and host VCF deployments, such as Dell VxRail and HPE SimpliVity. If this is how you consume vSphere, check with your product’s support for guidance before implementing this guide.

Support and Compatibility

This guidance is intended for vSphere 8 Update 2 builds only, and applying it to builds prior to Update 2 is not supported. If guidance is needed for Update 1, please reference our guidance here:


For information on support for STIGs see:



The guide is available as a download:

Version 1 Release 1: https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_8-0_Y23M10_STIG.zip

If you want to link to this content, we maintain a permanent redirect:



Additional automation content for some STIG components can be found at our GitHub repository:

