DISA Releases VMware vSphere 8.0 STIG Version 1, Release 1

Almost exactly one year after the release of VMware vSphere 8.0 (October 11, 2022), the Defense Information Systems Agency (DISA) made available the first STIG for VMware vSphere 8.0 on October 31, 2023.

What’s in the STIG

VMware vSphere 8.0 STIG Version 1, Release 1 includes separate STIG files for each component within VMware vSphere. This release of the STIG bundle contains the following:

  • SRG and STIG Readme – Version 3, Release 5 PDF
  • VMware vSphere 8.0 – Version 1 Release 1 – Overview PDF
  • VMware vSphere 8.0 – Version 1 Release 1 – Release Memo PDF
  • VMware vSphere 8.0 STIG Revision History PDF
  • VMware vSphere 8.0 ESXi STIG, Version 1, Release 1
  • VMware vSphere 8.0 vCenter STIG, Version 1, Release 1
  • VMware vSphere 8.0 vCenter Appliance EAM Service STIG, Version 1, Release 1
  • VMware vSphere 8.0 vCenter Appliance Envoy Service STIG, Version 1, Release 1
  • VMware vSphere 8.0 vCenter Appliance Lookup Service STIG, Version 1, Release 1
  • VMware vSphere 8.0 vCenter Appliance Perfcharts Service STIG, Version 1, Release 1
  • VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG, Version 1, Release 1
  • VMware vSphere 8.0 vCenter Appliance PostgreSQL STIG, Version 1, Release 1
  • VMware vSphere 8.0 vCenter Appliance STS Service STIG, Version 1, Release 1
  • VMware vSphere 8.0 vCenter Appliance UI Service STIG, Version 1, Release 1
  • VMware vSphere 8.0 vCenter Appliance VAMI Server STIG, Version 1, Release 1
  • VMware vSphere 8.0 Virtual Machine STIG, Version 1, Release 1

Notable Changes

While I haven’t completed an exhaustive review of the contents, I have come across a few notable changes that I think folks should be aware of.

The first changes are related to vSAN encryption. Per VCSA-80-000196 and VCSA-80-000304, encryption during transit and encryption at rest are required for all vSAN clusters. Encryption was not required by the VMware vSphere 7.0 STIGs.

The next notable change that I found is related to authentication and authorization using Active Directory. Per VCSA-80-000298, Active Directory users and groups may not be directly assigned a role with administrative access within the VMware vCenter Server. Instead, the STIG requires that Active Directory users and groups be assigned to VSPHERE.LOCAL groups and that those VSPHERE.LOCAL groups then be assigned to the roles within the VMware vCenter Server.
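
The following is an added example, not part of the original post or of DISA's STIG content: a small audit that flags administrative roles granted to principals outside VSPHERE.LOCAL, as VCSA-80-000298 describes. The record layout, the `ADMIN_ROLES` set, and the sample permissions are assumptions constructed for illustration.

```python
# Added example: audit exported vCenter permissions against VCSA-80-000298.
# The record layout and ADMIN_ROLES are assumptions, not text from the STIG.

SSO_DOMAIN = "vsphere.local"
ADMIN_ROLES = {"Admin"}  # assumption: role names treated as administrative


def principal_domain(principal):
    """Return the lower-cased domain of 'DOMAIN\\name' or 'name@domain'."""
    if "\\" in principal:
        return principal.split("\\", 1)[0].lower()
    if "@" in principal:
        return principal.rsplit("@", 1)[1].lower()
    return ""  # unqualified name: cannot be shown to be an SSO principal


def find_direct_admin_grants(permissions, admin_roles=ADMIN_ROLES):
    """List permissions giving an administrative role to a non-SSO principal."""
    findings = []
    for perm in permissions:
        if perm["role"] not in admin_roles:
            continue  # non-administrative roles are out of scope for this check
        if principal_domain(perm["principal"]) != SSO_DOMAIN:
            findings.append(perm)  # AD (or unqualified) principal holds the role directly
    return findings


# Constructed sample export (not real data).
SAMPLE_PERMISSIONS = [
    {"principal": "VSPHERE.LOCAL\\Administrators", "role": "Admin", "entity": "Datacenters"},
    {"principal": "CORP\\vSphere-Admins", "role": "Admin", "entity": "Datacenters"},
    {"principal": "jdoe@corp.example", "role": "Admin", "entity": "Cluster01"},
    {"principal": "CORP\\Helpdesk", "role": "ReadOnly", "entity": "Datacenters"},
    {"principal": "vcops-admins@vsphere.local", "role": "Admin", "entity": "Datacenters"},
]

if __name__ == "__main__":
    for f in find_direct_admin_grants(SAMPLE_PERMISSIONS):
        print(f"VCSA-80-000298 finding: {f['principal']} holds {f['role']} on {f['entity']}")
```

Each finding is remediated by adding the Active Directory principal to a VSPHERE.LOCAL group and granting the role to that group instead.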

Per VCSA-80-000089, the vSphere Client session timeout setting can be increased to 15 minutes from the previous setting of 10 minutes under the VMware vSphere 7.0 STIGs.

The final notable change I found relates to SSH access to the VMware vCenter Server Appliance (VCSA). Per VCSA-80-000303, SSH access to the VCSA must be disabled.

Aria Operations Compliance Content

As usual, I will provide updated compliance content for this STIG for use within VMware Aria Operations. In a future blog post, I will give an overview of the compliance content, including the items that are and are not covered.
