VMware vSphere 8 STIG Readiness Guide
In the United States Department of Defense (DoD), Security Technical Implementation Guides (STIGs) provide technical, standards-based hardening guidance. Officially published STIGs are mandatory in the DoD and fill a crucial role in systems accreditation as part of the Risk Management Framework (RMF). VMware has worked with the Defense Information Systems Agency (DISA) to publish many STIGs over the years and will continue to do so. Until VMware vSphere STIG content is officially published by DISA, we want to make our submitted content available to the community. More information is available in the overview document provided in the download below.
The only official reference for DISA STIGs, once approved and published, is the US Department of Defense web site at https://public.cyber.mil/stigs/
This guidance is intended for vSphere 8 Update 1 and greater. Update 1 and Update 2 have different downloads, and each must be paired with the corresponding version of vSphere to ensure compatibility and support, due to underlying OS changes on the vCenter appliance.
Application of this guidance prior to Update 1 is not supported.
The audience for the VMware vSphere 8 DoD STIG Readiness Guide is VMware vSphere 8 customers in the DoD needing to harden or accredit their vSphere or VCF environments. Other entities can use this guidance; however, some items are specific to the DoD and will not be applicable to a non-DoD environment. VMware maintains recommended vSphere 8 security hardening baselines at https://via.vmw.com/scg that may be more generally applicable to non-DoD environments.
There are many engineered data center & hybrid cloud infrastructure products that also work with and host VCF deployments, such as Dell VxRail and HPE SimpliVity. If this is how you consume VCF, check with your product’s support for guidance before implementing this guide.
The guide is available as a download:
V1R2 for Update 2: https://core.vmware.com/vmware-vsphere-8-stig-readiness-guide-20230921
V1R1 for Update 1: https://core.vmware.com/vmware-vsphere-8-stig-readiness-guide-20230418
If you want to link to this content we maintain a permanent redirect:
Additional automation content for some STIG components can be found at our GitHub repository: