Assessment of Pivotal Cloud Foundry against NIST SP 800-53(r4) Controls
Many organizations are required to reference a standardized control framework when assessing the security and compliance of their information systems. Standardized control frameworks are intended to provide a model for how to protect information and data systems from threats, including malicious third parties, structural failures, and human error. One very comprehensive and commonly referenced framework is NIST Special Publication 800-53(r4). Adherence to these controls is required for many government agencies in the United States, as well as for many private enterprises that operate within regulated markets, such as healthcare or finance. For example, the HIPAA regulations that govern the required protections for Personal Health Information (PHI) may be cross-referenced to the NIST SP 800-53(r4) control set.
These pages provide an assessment of the Pivotal Cloud Foundry PAS platform against the NIST SP 800-53(r4) controls, and provides guidance for how deployers may achieve compliance when using a shared responsibility model. Responsibility for any particular control may be assigned to the underlying IaaS infratructure, the PAS platform, the deployed application, or the organization.
This document covers the Pivotal Cloud Foundry PAS, and assumes the use of BOSH and Ops Manager. In addition, we assume the platform has been deployed in a manner consistent with the corresponding IaaS reference architecture.
- AC - Access Control
- AU - Audit and Accountability
- AT - Awareness and Training
- CM - Configuration Management
- CP - Contingency Planning
- IA - Identification and Authentication
- IR - Incident Response
- MA - Maintenance
- MP - Media Protection
- PS - Personnel Security
- PE - Physical and Environmental Protection
- PL - Planning
- PM - Program Management
- RA - Risk Assessment
- CA - Security Assessment and Authorization
- SC - System and Communications Protection
- SI - System and Information Integrity
- SA - System and Services Acquisition